Hi guys,
In GCP Load Balancer there were SSL Policy settings. In there, we can set the minimum TLS up until 1.2 only but not 1.3
I have tried to create custom profile by selecting only below ciphers that exclusively designed for TLS 1.3 but failed
Any ideas?
Thanks
Hi azzi,
are you trying to configure an ssl policy whit tls 1.3? I’ve tried different command from Gemini but all of them fails. Then I take a look at the Google docs (https://cloud.google.com/load-balancing/docs/ssl-policies-concepts)) and I find this:
“You can use an SSL policy to configure the minimum TLS version and SSL features that are enabled in the load balancer”. It also says:
“For example, if a load balancer is configured with a minimum TLS version of 1.2, a handshake with a modern client that supports TLS 1.3 selects TLS 1.3”
So it’s not possible to directly configure the load balancer to only accept tls1.3, but if you configure the ssl policies with tls1.2 (for example with MODERN profile) the connection from client that uses tls1.2 is managed whit tls 1.3.
Hope it can help,
Amato
Dear LovedCloud,
Thanks for your help, but the thing is our requirement strictly only allow TLS 1.3 and reject TLS 1.2 below. With the option that you gave, legacy client still can connect with TLS 1.2 even though modern client already in TLS 1.3
Regards,
Azzi
We have the same requirements. Here is what is happening:
docker@WL-24XK9C3:~$ curl -kv https://xxx:443
* Trying xxx:443...
* Connected to xxx (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
Redacted info
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55ef035fbeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: xxx
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< content-type: text/plain
< via: 1.1 google
< cache-control: private, no-store
< date: Wed, 05 Jun 2024 08:28:48 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
Hello from TLS server!
TLS Version: TLSv1.2
Cipher Suite: ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
* Connection #0 to host xxx left intact
Connection from: ('ProxyIP', 38364)
TLS Version: TLSv1.2
Cipher: ('ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256)
Received: GET / HTTP/1.1
host: xxxx
user-agent: curl/7.81.0
accept: */*
x-cloud-trace-context: fd3d80758a20311a0bd14a718325c4cb/8118919407871389423
x-forwarded-proto: https
via: 1.1 google
x-forwarded-for: xxxx
Our backend is restricted to Tls1.3 and it rejects LB’s request. Kindly post the solution if you happen to find one