Using SSL Policies

SSL policies give you the ability to control the features of SSL that your SSL proxy or HTTPS load balancer negotiates. In this document, the term "SSL" refers to both the SSL and TLS protocols.

By default, HTTPS load balancing and SSL proxy load balancing use a set of SSL features that provides good security and wide compatibility. Some applications require more control over which SSL versions and ciphers are used for their HTTPS or SSL connections. You can define SSL policies to control the features of SSL that your load balancer negotiates.

The following example shows how connections from clients are established and terminated at a Google Cloud Platform HTTPS or SSL load balancer.

Figure: Client connections in an HTTPS or SSL proxy load balancer

You can use an SSL policy to configure the minimum TLS version and SSL features that are enabled in an HTTPS or SSL proxy load balancer. SSL policies affect connections between clients and the HTTPS or SSL proxy load balancer (connection 1 in the illustration). SSL policies do not affect the connections between the load balancer and the backends (connection 2).

Defining an SSL policy

To define an SSL policy, you specify a minimum TLS version and a profile. The profile selects a set of SSL features to enable in the load balancer. Three Google-managed profiles allow you to specify the level of compatibility appropriate for your application. A fourth custom profile allows you to select SSL features individually.

The three pre-configured profiles are as follows:

  • COMPATIBLE: Allows the broadest set of clients, including those which support only out-of-date SSL features, to negotiate SSL with the load balancer.
  • MODERN: Supports a wide set of SSL features, allowing modern clients to negotiate SSL.
  • RESTRICTED: Supports a reduced set of SSL features, intended to meet stricter compliance requirements.

The SSL policy also specifies the minimum version of the TLS protocol that clients can use to establish a connection. A profile can also restrict the versions of TLS that the load balancer can negotiate. For example, ciphers enabled in the RESTRICTED profile are only supported by TLS 1.2. Choosing the RESTRICTED profile effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version.

Feature support

HTTPS and SSL proxy load balancers do not support SSL versions 3.0 or earlier. The following table describes the feature support for each TLS/SSL version.

TLS/SSL version         Feature support
TLS 1.0, 1.1, or 1.2    Settings in SSL policies that control cipher suites apply to client connections.
QUIC                    Settings in SSL policies do not control cipher selection.
SSL 3.0 or earlier      Not applicable. Not supported by HTTPS and SSL proxy load balancers.

Ensure that you review the Known Issues section regarding the behavior of load balancers that have no SSL policy set.

Feature support for pre-configured profiles

The following table lists the available SSL policy features for each pre-configured profile. All of the features control whether particular cipher suites can be used, and apply only to client connections using TLS version 1.2 or earlier, not to clients using QUIC.

Feature                                        COMPATIBLE  MODERN  RESTRICTED
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  Yes         Yes     Yes
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    Yes         Yes     Yes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256        Yes         Yes     Yes
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          Yes         Yes     Yes
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384        Yes         Yes     Yes
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          Yes         Yes     Yes
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA           Yes         Yes     No
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             Yes         Yes     No
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA           Yes         Yes     No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA             Yes         Yes     No
TLS_RSA_WITH_AES_128_GCM_SHA256                Yes         No      No
TLS_RSA_WITH_AES_256_GCM_SHA384                Yes         No      No
TLS_RSA_WITH_AES_128_CBC_SHA                   Yes         No      No
TLS_RSA_WITH_AES_256_CBC_SHA                   Yes         No      No
TLS_RSA_WITH_3DES_EDE_CBC_SHA                  Yes         No      No

Feature Updates

From time to time, Google may update the set of features enabled in the COMPATIBLE, MODERN, and RESTRICTED profiles, as well as which features are configurable in a CUSTOM profile. Google will do this as we remove support for older SSL capabilities and as we add support for newer ones.

When Google adds features that enhance SSL capabilities, we may choose to enable them immediately in the COMPATIBLE, MODERN, and RESTRICTED profiles, so that SSL policies that select those profiles will take advantage of the new features. If your policy selects the CUSTOM profile, however, you must modify the policy’s settings in order to use added features.

We will provide advance notice when we remove the ability to control a feature (either forcing it on or forcing it off for all policies), just as we do with other API features, except when removing the control is necessary for security reasons.

Caveats

Disabling particular SSL versions or ciphers could result in some clients, particularly older clients, being unable to connect to your proxy using HTTPS or SSL. Disabling a sufficiently broad selection of ciphers in the CUSTOM profile could result in no clients being able to negotiate HTTPS.

An SSL certificate associated with your load balancer uses either an ECDSA or an RSA digital signature. The pre-defined profiles are compatible with both types of certificate signatures. A custom profile should enable ciphers that are compatible with the digital signature used by your load balancer's certificates.

The features that control cipher suites apply only to client connections that use TLS version 1.2 and earlier. They do not control cipher selection in connections that use QUIC.
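The following script is an added example, not Google's code and not part of gcloud. It is a POSIX shell pre-flight for a CUSTOM profile that covers the two caveats above (a custom feature list must contain suites usable with the certificate's key type, and an over-narrow list can lock out clients) together with the point made under "Defining an SSL policy" that suites available only in TLS 1.2 make the effective minimum TLS 1.2 whatever --min-tls-version says. Feature names are the gcloud names shown on this page; the certificate key type (RSA or ECDSA, as reported for example by openssl x509 -noout -text) is supplied by the operator, and the function names and sample lists are constructed for the example.

```shell
#!/bin/sh
# Added example (not Google's code): pre-flight checks for a CUSTOM SSL policy.
# Feature names are the gcloud feature names used on this page; the key type is
# the certificate's public key algorithm, supplied by the operator (assumption).

# Suites usable with an ECDSA certificate are the TLS_ECDHE_ECDSA_* ones; with an
# RSA certificate, TLS_ECDHE_RSA_* and TLS_RSA_*. Exit 0 when at least one suite
# in the comma-separated list matches the key type, 1 when none does.
features_match_key() {
  key_type=$1
  features=$2
  case "$key_type" in
    ECDSA) pattern='TLS_ECDHE_ECDSA_' ;;
    RSA)   pattern='TLS_ECDHE_RSA_|TLS_RSA_' ;;
    *)     echo "unknown key type: $key_type" >&2; return 2 ;;
  esac
  printf '%s\n' "$features" | tr ',' '\n' | grep -Eq "^($pattern)"
}

# CHACHA20_POLY1305 and AES-GCM suites exist only in TLS 1.2, while the *_CBC_SHA
# suites are available from TLS 1.0. If no CBC_SHA suite is enabled, clients are
# limited to TLS 1.2 whatever --min-tls-version says (the page notes this for
# RESTRICTED; the same holds for a CUSTOM list). Prints the effective minimum.
effective_min_tls() {
  min_tls=$1
  features=$2
  if printf '%s\n' "$features" | tr ',' '\n' | grep -Eq 'CBC_SHA$'; then
    echo "$min_tls"
  else
    echo "1.2"
  fi
}

# Run both checks and print the create command for review; prints nothing and
# returns 1 when the list cannot serve the certificate.
plan_custom_policy() {
  name=$1; key_type=$2; min_tls=$3; features=$4
  features_match_key "$key_type" "$features" || {
    echo "error: no suite in the list works with a $key_type certificate" >&2
    return 1
  }
  eff=$(effective_min_tls "$min_tls" "$features")
  if [ "$eff" != "$min_tls" ]; then
    echo "note: only TLS 1.2 suites are enabled; effective minimum is TLS $eff, not $min_tls" >&2
  fi
  printf 'gcloud beta compute ssl-policies create %s --profile CUSTOM --min-tls-version %s --custom-features %s\n' \
    "$name" "$min_tls" "$features"
}

# Constructed sample: the two suites from this page's CUSTOM example.
SAMPLE_FEATURES="TLS_ECDHE_ECDSA_CHACHA20_POLY1305,TLS_ECDHE_RSA_CHACHA20_POLY1305"
plan_custom_policy my_custom_ssl_policy RSA 1.2 "$SAMPLE_FEATURES"
plan_custom_policy my_custom_ssl_policy ECDSA 1.0 "$SAMPLE_FEATURES"
plan_custom_policy bad_policy ECDSA 1.2 "TLS_RSA_WITH_AES_128_GCM_SHA256" || echo "rejected: $?"
```

The second call prints the command but warns that the effective minimum is TLS 1.2, because both CHACHA20 suites are TLS 1.2-only; the third is rejected because no TLS_RSA_* suite can be negotiated with an ECDSA certificate.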

Working with SSL policies

You can enable SSL policies using the gcloud command line tool when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.

    gcloud beta compute ssl-policies create NAME \
      --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
      [--min-tls-version 1.0|1.1|1.2] \
      [--custom-features FEATURES]

Creating SSL policies

You can create SSL policies with Google-managed profiles or with a custom profile.

Creating an SSL policy with a Google-managed profile

The following creates an SSL policy with the MODERN profile:

    gcloud beta compute ssl-policies create my_ssl_policy \
       --profile MODERN --min-tls-version 1.0

You see the following:

    Created                         [https://www.googleapis.com/compute/beta/projects/project/global/sslpolicies/policy_name].
    PROFILE       MIN_TLS_VERSION
    MODERN        TLS_1_0

    ENABLED FEATURES:
    TLS_ECDHE_ECDSA_CHACHA20_POLY1305
    TLS_ECDHE_RSA_CHACHA20_POLY1305
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Creating an SSL policy with a custom profile

The following creates an SSL policy with the CUSTOM profile with a minimum TLS version of 1.2 and features TLS_ECDHE_ECDSA_CHACHA20_POLY1305 and TLS_ECDHE_RSA_CHACHA20_POLY1305.

When you create an SSL policy with the CUSTOM profile, only the features you specify in the create command are enabled; all other features are disabled.

    gcloud beta compute ssl-policies create my_custom_ssl_policy \
      --profile CUSTOM --min-tls-version 1.2 \
      --custom-features "TLS_ECDHE_ECDSA_CHACHA20_POLY1305,TLS_ECDHE_RSA_CHACHA20_POLY1305"

Listing SSL policy features

To list available features in SSL policies:

    gcloud beta compute ssl-policies list-available-features

Modifying SSL policies

To modify an existing SSL policy, pass any or all of the flags corresponding to the fields you want to update. Unspecified fields are not updated.

If you update the features, previously-enabled features are deleted and replaced with the new features you specify.

    gcloud beta compute ssl-policies update NAME \
      [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] \
      [--min-tls-version 1.0|1.1|1.2] \
      [--custom-features FEATURES]
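Because an update replaces the whole feature list, adding one suite to a CUSTOM policy safely means reading the current list, merging, and writing the full list back. The script below is an added example, not part of this page or of gcloud. Its function names and sample lists are constructed, and it assumes, which the page does not state, that gcloud beta compute ssl-policies describe NAME --format='value(customFeatures)' prints the policy's custom features as a ';'-separated list. Only the offline merge step is exercised; the online wrapper is defined but not invoked.

```shell
#!/bin/sh
# Added example (not Google's code): add cipher suites to an existing CUSTOM SSL
# policy without dropping the ones already enabled. `ssl-policies update
# --custom-features` replaces the entire list, so the safe sequence is:
# read current list -> merge -> write the full list back.
# Assumption (not from the page): `describe --format='value(customFeatures)'`
# prints the policy's custom features as a ';'-separated list.

# Merge two feature lists (comma- or semicolon-separated), de-duplicated and
# sorted in the C locale, into the comma-separated form --custom-features takes.
merge_features() {
  current=$1
  add=$2
  printf '%s\n%s\n' "$current" "$add" \
    | tr ',;' '\n\n' \
    | grep -v '^$' \
    | LC_ALL=C sort -u \
    | paste -sd, -
}

# Print the update command carrying the full merged list, for review before it
# is run; does not touch the project.
build_update_command() {
  name=$1
  merged=$(merge_features "$2" "$3")
  printf 'gcloud beta compute ssl-policies update %s --custom-features %s\n' "$name" "$merged"
}

# Online wrapper: needs gcloud credentials and an existing CUSTOM policy.
# Defined for completeness; not invoked here.
add_features_to_policy() {
  name=$1
  add=$2
  current=$(gcloud beta compute ssl-policies describe "$name" \
              --format='value(customFeatures)') || return 1
  merged=$(merge_features "$current" "$add")
  gcloud beta compute ssl-policies update "$name" --custom-features "$merged"
}

# Constructed sample: the two suites from the page's CUSTOM example, in the
# ';'-separated form describe is assumed to print, plus one AES-GCM suite to add.
CURRENT_FEATURES="TLS_ECDHE_ECDSA_CHACHA20_POLY1305;TLS_ECDHE_RSA_CHACHA20_POLY1305"
build_update_command my_custom_ssl_policy "$CURRENT_FEATURES" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
```

Passing a suite that is already enabled is harmless: sort -u collapses the duplicate, so the written list is the same as the current one.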

Deleting SSL policies

To delete an SSL policy, you must first ensure that it is not referenced by any target HTTPS proxy or target SSL proxy. You can then delete the SSL policy:

    gcloud beta compute ssl-policies delete NAME

Creating a target SSL proxy or HTTPS proxy with an SSL policy

You can create a target SSL proxy with an SSL policy:

    gcloud beta compute target-ssl-proxies create NAME \
      --backend-service BACKEND_SERVICE_NAME \
      --ssl-certificate SSL_CERTIFICATE_NAME \
      [--ssl-policy SSL_POLICY_NAME]

You can create a target HTTPS proxy with an SSL policy:

    gcloud beta compute target-https-proxies create NAME \
      --ssl-certificate SSL_CERTIFICATE_NAME \
      --url-map URL_MAP_NAME \
      [--ssl-policy SSL_POLICY_NAME]

Updating an existing target SSL proxy or HTTPS proxy

You can attach an existing SSL policy to an SSL proxy or HTTPS load balancer:

    gcloud beta compute target-ssl-proxies update NAME \
      --ssl-policy SSL_POLICY_NAME | --clear-ssl-policy

    gcloud beta compute target-https-proxies update NAME \
      --ssl-policy SSL_POLICY_NAME | --clear-ssl-policy

If you provide the --clear-ssl-policy flag in the update command, the SSL policy is removed from the proxy. If you provide neither the --ssl-policy flag nor the --clear-ssl-policy flag in the target proxy update (for example, when updating only the SSL certificate), the SSL policy is unchanged.

Limits

  • You can configure a maximum of 10 SSL policies per project.
  • You cannot configure more than one SSL policy per proxy.

Known issues

Load balancers that have no SSL Policy set presently allow four cipher suites to be used that are not usable when an SSL Policy is enabled. These cipher suites are:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256

Google is deprecating support for these cipher suites. Over time they will no longer be supported with any load balancers.
