Does the Google App Engine support 256-bit SSL certificates?

I installed the certificate for the Google App Engine project using virtual IP (VIP) as described here: https://developers.google.com/appengine/docs/ssl

The certificate will use 256-bit encryption if the server supports it, but currently uses 128-bit encryption. Is there any way to force it to use 256-bit encryption? I could not find anything in the documentation or anywhere else.

+4
2 answers

Word from the App Engine team:

"We only accept certificates with RSA keys with a minimum size of 1024 bits.

Only the verification identifier is used in the certificate, and the data connection over the SSL channel is encrypted using the "best" symmetric cipher, usually supported between the client and the server.

Our servers support a whole bunch of symmetric ciphers, but we prefer AES128 over AES256. If the client only supports AES256, we will use this."

+5

The handshake protocol and the symmetric cipher are selected by the server after the client presents a list of valid ciphers; Google does not offer a way to change your encryption settings.

App Engine seems to prefer RC4-SHA (which pretty much everything TLS 1.0 knows will be available) with RSA key exchange. This was probably chosen to speed up handshakes (non-ephemeral Diffie-Hellman handshakes up to 2x faster), minimize CPU usage and as a mitigating control for BEAST attacks against TLS 1.0 + CBC AES.

You do not sacrifice any significant security because of the choice of RC4-SHA, although it is interesting that they do not use the ephemeral Diffie-Hellman or ECDHE key exchange for perfect forward secrecy, taking into account public statements about the use of their other properties.

+6
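The selection rule both answers describe (the server picks, from the client's offered list, the first suite in its own preference order) as an added example that is not part of the original answers or App Engine's code. The preference list and key sizes below are assumptions assembled from the two answers, and the function names are hypothetical.

```python
"""Model of TLS cipher-suite selection with server-side preference (constructed example)."""

# Assumed server preference order, built from the two answers above:
# RC4-SHA first, and AES128 ahead of AES256. Not App Engine's real configuration.
SERVER_PREFERENCE = ["RC4-SHA", "AES128-SHA", "AES256-SHA"]

# Symmetric key size in bits for each suite in this model.
KEY_BITS = {"RC4-SHA": 128, "AES128-SHA": 128, "AES256-SHA": 256}


class HandshakeFailure(Exception):
    """No cipher suite is shared between client and server."""


def select_cipher(client_offer, server_pref=SERVER_PREFERENCE, honor_server_order=True):
    """Return the suite the server would pick for a ClientHello offer.

    client_offer is the client's list, most preferred first. With
    honor_server_order the server walks its own list and takes the first
    suite the client also offered; otherwise it follows the client's order.
    """
    if honor_server_order:
        ordered, allowed = server_pref, set(client_offer)
    else:
        ordered, allowed = client_offer, set(server_pref)
    for suite in ordered:
        if suite in allowed:
            return suite
    raise HandshakeFailure("no shared cipher suite")


def negotiated_bits(client_offer, **kwargs):
    """Key size of the suite chosen for this offer."""
    return KEY_BITS[select_cipher(client_offer, **kwargs)]


if __name__ == "__main__":
    # Constructed client offers, most preferred suite first.
    offers = {
        "client listing AES256 first": ["AES256-SHA", "AES128-SHA", "RC4-SHA"],
        "client without RC4": ["AES256-SHA", "AES128-SHA"],
        "client restricted to AES256": ["AES256-SHA"],
    }
    for label, offer in offers.items():
        suite = select_cipher(offer)
        print(f"{label}: {suite} ({KEY_BITS[suite]}-bit)")
```

In this model a client gets a 256-bit suite only when it offers nothing the server ranks higher, which matches the "If the client only supports AES256" case in the first answer.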

Source: https://habr.com/ru/post/1438505/