June 2018 was the deadline for discontinuing the use of TLS 1.0
(https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls),
and after that date numerous audit tools flag the use of TLS 1.0 and 1.1
as alerts.
It is now July 2021, 3 years past the deadline, and it seems App Engine
is still using both. A number of GAE users have asked how disabling old
TLS versions could be achieved, but the answers they got are not quite
satisfactory.
Some say "you should create a ticket with GCP, but you will have to have a
support subscription first"
(https://serverfault.com/questions/1003762/how-to-disable-tls-1-0-for-google-app-engine
or https://stackoverflow.com/questions/58073141/how-to-update-tls-version).

Others say the solution is to set up an SSL policy, which would only be
possible after using Cloud Load Balancing and serverless NEGs. That would
be a lot of trouble, plus added costs, for the sole purpose of making our
GAE-based application compliant with 2018 guidelines.
But this is just end-user advice given on SO; I would be happy to get the
official word from GCP on that matter. It is quite unusual to see GAE
being 3 years late on a security-related issue.
Thank you for your input,
