We have a Java application for Google App Engine. We use custom Google domains and SSL support. A recent security audit found two issues that we need to solve regarding the SSL configuration:
1) The server-side SSL / TLS endpoint is configured to allow weak SSL / TLS encryption. In particular: block ciphers with a block size of 112 bits (DES, 3DES), and ciphers that use block ciphers (for example, AES, 3DES) in CBC mode.
2) The server-side SSL / TLS endpoint is configured to allow connections using TLS protocol version 1.0 ("TLSv1.0"), which contains known flaws.
Looking at the App Engine docs, I find that both of them are beyond the control of the App Engine environment. Therefore, we cannot change them unless we add another load balancer or SSL termination point in front of App Engine (possibly CloudFlare or our own custom instance, for example).
My question is: is there a way to control SSL and TLS settings in App Engine, and if not, is placing CloudFlare (or another proxy) in front of it the best alternative?
Or, if there is a reasonable defense or explanation for these security weaknesses from Google, I can use this to justify the current configuration that Google has for App Engine applications.
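An added example, not part of the question and not any configuration published by Google or CloudFlare: if a fronting termination point is introduced, the two audit findings translate into two settings on its server-side TLS context, a protocol floor of TLS 1.2 and a cipher list without DES/3DES or CBC-mode suites. The code below builds both a permissive and a hardened server context with Python's standard `ssl` module and audits each against those findings using the metadata that `SSLContext.get_ciphers()` exposes. The two cipher-list strings (`HARDENED_CIPHERS`, `PERMISSIVE_CIPHERS`) are assumptions written for illustration in OpenSSL cipher-list syntax, not values taken from any product.

```python
import ssl

# Assumed, constructed cipher-list strings (OpenSSL syntax), not taken from the
# question or from any vendor. The hardened list keeps only AEAD suites with
# forward secrecy, which excludes every CBC-mode suite and DES/3DES.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!3DES:!DES"
PERMISSIVE_CIPHERS = "ALL:!aNULL"


def weak_ciphers(cipher_entries):
    """Return the names of suites that would fail audit finding 1.

    `cipher_entries` is the list of dicts returned by SSLContext.get_ciphers().
    Each dict carries 'symmetric' (the bulk cipher, e.g. 'aes-256-gcm' or
    'des-ede3-cbc') and 'aead' (True for GCM/CCM/ChaCha20-Poly1305).
    A suite is flagged when its bulk cipher is DES/3DES, is CBC mode, or is
    not an AEAD construction at all (in TLS 1.2 that means CBC or a stream
    cipher).
    """
    flagged = []
    for entry in cipher_entries:
        bulk = (entry.get("symmetric") or "").lower()
        if "des" in bulk or "cbc" in bulk or not entry.get("aead", False):
            flagged.append(entry["name"])
    return flagged


def audit_context(ctx):
    """Summarise a server SSLContext against the two audit findings.

    The protocol check inspects the context's configured floor only; the
    OpenSSL security level may independently refuse old versions during a
    live handshake, which this function does not observe.
    """
    return {
        "allows_tls10": int(ctx.minimum_version) <= int(ssl.TLSVersion.TLSv1),
        "weak_ciphers": weak_ciphers(ctx.get_ciphers()),
    }


def permissive_context():
    """A termination point that keeps legacy settings: TLS 1.0 floor, every suite enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # finding 2: TLSv1.0 accepted
    ctx.set_ciphers(PERMISSIVE_CIPHERS)          # finding 1: CBC suites present
    return ctx


def hardened_context():
    """The settings a fronting proxy or load balancer should enforce instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # closes finding 2
    ctx.set_ciphers(HARDENED_CIPHERS)             # closes finding 1
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()),
                       ("hardened", hardened_context())):
        report = audit_context(ctx)
        print(f"{label}: allows TLS 1.0 = {report['allows_tls10']}, "
              f"weak suites = {len(report['weak_ciphers'])}")
        for name in report["weak_ciphers"]:
            print("   ", name)
```

Running the script lists, for the permissive context, exactly the kind of suites the audit objects to (AES-CBC suites and, on OpenSSL builds that still enable it, 3DES), and an empty list plus a TLS 1.2 floor for the hardened one. The same two checks, floor version and bulk-cipher mode, are what to verify on whatever proxy ends up in front of App Engine, since the question's point is that the App Engine endpoint itself does not expose these settings.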