To increase security, starting in March 2025, support for Transport Layer Security (TLS) version 1.1 and earlier is deprecated. Update your application settings in the App Engine standard environment to use TLS version 1.2 and later, along with a corresponding secure set of cipher suites.
When you select the latest TLS version, App Engine automatically blocks insecure traffic, without requiring you to configure a global external Application Load Balancer to route requests to your application.
For new applications you create after March 2025, App Engine only allows secure traffic with TLS version 1.2 and later, with supported cipher suites, by default. To upgrade your existing applications to use only TLS version 1.2 and later, follow the instructions in this guide.
Supported TLS versions and cipher suites
The security of TLS connections depends on the negotiated cipher suite, a combination of cryptographic algorithms. These cipher suites are identified by IANA values, as detailed in the following table:
| TLS version | IANA value | Cipher suite |
|---|---|---|
| TLS v1.3 | 0x1301 | TLS_AES_128_GCM_SHA256 |
| TLS v1.3 | 0x1302 | TLS_AES_256_GCM_SHA384 |
| TLS v1.3 | 0x1303 | TLS_CHACHA20_POLY1305_SHA256 |
| TLS v1.2 | 0xCCA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| TLS v1.2 | 0xCCA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| TLS v1.2 | 0xC02B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| TLS v1.2 | 0xC02F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| TLS v1.2 | 0xC02C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| TLS v1.2 | 0xC030 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| TLS v1.2 | 0xC009 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| TLS v1.2 | 0xC013 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| TLS v1.2 | 0xC00A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| TLS v1.2 | 0xC014 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
Update the TLS versions allowed for your app
You can update the TLS version using the Google Cloud console or the gcloud CLI. For tool-specific steps, click the tab for your preferred tool:
Console
In the Google Cloud console, go to the App Engine Settings page:
In the Application settings tab, click Edit application settings.
From the SSL Policy list, select TLS 1.2+ (Modern ciphers). This selection only allows TLS version 1.2 and later, with modern cipher suites, and is the secure default option for all new applications. If you want to allow less secure TLS versions, such as 1.0 and later, select TLS 1.0+ (Obsolete). However, we recommend that you update your applications to use the latest supported TLS version.
Click Save.
gcloud
When you create or update your application, use the --ssl-policy flag to specify the minimum permitted TLS version.
To set a minimum TLS version while creating your app:
gcloud app create --ssl-policy=TLS_VERSION
To set a minimum TLS version while updating your app:
gcloud app update --ssl-policy=TLS_VERSION
Replace TLS_VERSION with TLS_VERSION_1_2. This only allows TLS versions 1.2 and later, with modern cipher suites, and is the secure default option for all new applications. If you want to allow less secure TLS versions, such as 1.0 and later, replace TLS_VERSION with TLS_VERSION_1_0. However, we recommend that you update your applications to use the latest supported TLS version.
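After changing the policy, it is worth confirming from the outside that the application really rejects TLS 1.0 and 1.1 and negotiates only suites from the table above. The following script is an added example, not part of this page or of App Engine; it uses only Python's standard ssl module, pins one TLS version per handshake, and maps the negotiated OpenSSL cipher name to its IANA code point (OpenSSL's cipher id for TLS suites is 0x0300XXXX, so the low 16 bits are the IANA value). The hostname is a placeholder to replace with your app's domain. Two assumptions about the local OpenSSL build are made explicit in the code: the security level is relaxed so that TLS 1.0/1.1 can be offered at all, and a legacy version the local library cannot offer is reported as inconclusive rather than as blocked, because a local failure proves nothing about the server.

```python
"""Probe which TLS versions a host accepts and judge the result against the
App Engine 'TLS 1.2+ (Modern ciphers)' policy (gcloud --ssl-policy=TLS_VERSION_1_2).
Added example; not App Engine code. Standard library only."""
import socket
import ssl
import sys

# IANA code points of the cipher suites listed in this page's table.
MODERN_SUITES = {
    0x1301, 0x1302, 0x1303,                          # TLS 1.3
    0xCCA9, 0xCCA8, 0xC02B, 0xC02F, 0xC02C, 0xC030,  # TLS 1.2 AEAD suites
    0xC009, 0xC013, 0xC00A, 0xC014,                  # TLS 1.2 CBC suites
}
LEGACY_VERSIONS = ("TLSv1", "TLSv1.1")    # must be rejected under TLS_VERSION_1_2
MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def iana_code_points(ctx):
    """Map OpenSSL cipher names (what SSLSocket.cipher() reports) to IANA code points.
    Assumption: OpenSSL's id for a TLS suite is 0x0300XXXX, so the low 16 bits are
    the IANA value (e.g. 0x0300C030 -> 0xC030, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)."""
    return {c["name"]: c["id"] & 0xFFFF for c in ctx.get_ciphers()}


def probe_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to exactly `version` (an ssl.TLSVersion member).
    Returns ('accepted', iana_code_point), ('rejected', reason) when the server
    refused, or ('unsupported_locally', reason) when local OpenSSL could not offer it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Assumption: OpenSSL's default security level refuses TLS 1.0/1.1;
        # relax it so the legacy probe is a real offer rather than a local failure.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    code_points = iana_code_points(ctx)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted", code_points.get(tls.cipher()[0])
    except ssl.SSLError as exc:
        reason = getattr(exc, "reason", None)
        if reason == "NO_PROTOCOLS_AVAILABLE":
            return "unsupported_locally", reason
        return "rejected", reason or str(exc)
    except OSError as exc:
        return "rejected", str(exc)


def judge(results):
    """results: {version_label: probe_version() tuple}.
    Returns ('pass' | 'fail' | 'inconclusive', [findings]). 'pass' means the host
    behaves like an app with TLS_VERSION_1_2 applied: legacy versions rejected and
    every modern handshake used a suite from the page's table."""
    problems, caveats = [], []
    for label in LEGACY_VERSIONS:
        status, detail = results.get(label, ("unsupported_locally", "not probed"))
        if status == "accepted":
            problems.append(f"{label} handshake accepted; TLS_VERSION_1_2 policy is not in effect")
        elif status == "unsupported_locally":
            caveats.append(f"{label} could not be offered locally ({detail}); rejection unproven")
    modern_ok = False
    for label in MODERN_VERSIONS:
        status, detail = results.get(label, ("rejected", "not probed"))
        if status != "accepted":
            continue
        modern_ok = True
        if detail not in MODERN_SUITES:
            shown = f"0x{detail:04X}" if isinstance(detail, int) else "unknown"
            problems.append(f"{label} negotiated cipher suite {shown}, which is not in the supported cipher suite table")
    if not modern_ok:
        problems.append("neither TLS 1.2 nor TLS 1.3 handshake succeeded")
    verdict = "fail" if problems else ("inconclusive" if caveats else "pass")
    return verdict, problems + caveats


def probe_host(host, port=443):
    """Run one pinned handshake per TLS version and return the per-version results."""
    return {label: probe_version(host, v, port) for label, v in PROBE_VERSIONS.items()}


if __name__ == "__main__":
    # Placeholder hostname; pass your app's domain as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "YOUR_APP.appspot.com"
    outcome = probe_host(target)
    for label, (status, detail) in outcome.items():
        print(f"{label:8} {status:20} {detail}")
    verdict, findings = judge(outcome)
    print(verdict.upper(), *findings, sep="\n  ")
```

Run it as `python3 tls_probe.py your-app.example.com`; a correctly updated application prints REJECTED for TLSv1 and TLSv1.1, ACCEPTED with a code point from the table for TLSv1.2 and TLSv1.3, and the verdict PASS. An INCONCLUSIVE verdict means the machine you ran it from could not offer the legacy version, so repeat the check from a host whose OpenSSL still can.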
Disable custom TLS versions and ciphers
If you update your application settings to use TLS version 1.2 and later, App Engine automatically blocks all insecure traffic using TLS version 1.1 and earlier.
If you use Cloud Load Balancing and serverless NEGs to route traffic to your App Engine application, you can disable a TLS version or cipher by defining an SSL policy that specifies the TLS versions and ciphers that HTTPS or SSL connections can use.
What's next
To verify and manage SSL certificates, see Secure custom domains with SSL.
To enable Cloud Load Balancing to manage incoming requests to your custom domain, see Migrate App Engine custom domain to Cloud Load Balancing.