Using SSL Policies

SSL policies give you the ability to control the features of SSL that your SSL proxy or HTTPS load balancer negotiates. In this document, the term "SSL" refers to both the SSL and TLS protocols.

For more information on how SSL policies work, see SSL Policy Concepts.

Working with SSL policies

You can enable SSL policies using the gcloud command-line tool when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.

    gcloud compute ssl-policies create NAME \
      --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
      [--min-tls-version 1.0|1.1|1.2] \
      [--custom-features FEATURES]

Creating SSL policies

You can create SSL policies using the Console or gcloud command-line tool when you create an HTTPS or SSL load balancer or at any time after you create the load balancer.

You can create SSL policies with Google-managed profiles or with a custom profile.

Syntax with the gcloud command-line tool

The gcloud command-line tool uses the following syntax to create SSL policies:

    gcloud compute ssl-policies create NAME \
      --profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM \
      [--min-tls-version 1.0|1.1|1.2] \
      [--custom-features FEATURES]

Creating an SSL policy with a Google-managed profile

Console


To create an SSL policy with a Google-managed profile, use these instructions:

  1. Go to the SSL policies page in the Google Cloud Platform Console.
  2. Click Create policy. You see the Create policy page.
  3. Enter a Name.
  4. Select a Minimum TLS Version.
  5. Under Profile, select Compatible, Modern, or Restricted. The Enabled features and Disabled features for the profile are displayed on the right side of the page.
  6. If there is a load balancer to which you want to attach the policy, click Add target and select a forwarding rule as the target of the SSL policy. If desired, add more targets.
  7. Click Create.

gcloud


The general syntax is:

    gcloud compute ssl-policies create [SSL_POLICY] \
      --profile [COMPATIBLE|MODERN|RESTRICTED] \
      --min-tls-version 1.0|1.1|1.2

The following command creates an SSL policy with the MODERN profile (Compute Engine resource names must consist of lowercase letters, digits and hyphens, so underscores are not accepted in the policy name):

    gcloud compute ssl-policies create my-ssl-policy \
      --profile MODERN \
      --min-tls-version 1.0

You see the following:

    Created [https://www.googleapis.com/compute/v1/projects/project/global/sslpolicies/policy_name].
    PROFILE       MIN_TLS_VERSION
    MODERN        TLS_1_0

    ENABLED FEATURES:
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Creating an SSL policy with a custom profile

Console


To create an SSL policy with a custom profile, use these instructions:

  1. Go to the SSL policies page in the Google Cloud Platform Console.
  2. Click Create policy. You see the Create policy page.
  3. Enter a Name.
  4. Select a Minimum TLS Version.
  5. Under Profile, select Custom. All features are shown as Disabled features on the right side of the page.
  6. In the list of Features, select each cipher suite you want to enable. The cipher suites you enable are listed as Enabled features.
  7. If there is a load balancer to which you want to attach the policy, click Add target and select a forwarding rule as the target of the SSL policy. If desired, add more targets.
  8. Click Create.

gcloud


The following command creates an SSL policy with the CUSTOM profile, a minimum TLS version of 1.2, and the features TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

When you create an SSL policy with the CUSTOM profile, only the features you specify in the create command are supported. Other features are not supported.

    gcloud compute ssl-policies create my-custom-ssl-policy \
      --profile CUSTOM \
      --min-tls-version 1.2 \
      --custom-features "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

Listing SSL policy features

You can list all SSL policy features using the Console or the gcloud command-line tool.

Console


  1. Go to the SSL policies page in the Google Cloud Platform Console.
  2. Click the name of the policy whose features you want to see. The enabled and disabled cipher suites are listed on the right side of the page.

gcloud


To list available features in SSL policies:

    gcloud compute ssl-policies list-available-features

Modifying SSL policies

You can edit SSL policies using the Console or the gcloud command-line tool.

Console


  1. Go to the SSL policies page in the Google Cloud Platform Console.
  2. Click the name of the policy you want to modify.
  3. Click EDIT.
  4. Make any changes you want.
  5. Click Save.

gcloud


To modify an existing SSL policy, pass any or all of the flags corresponding to the fields you want to update. Unspecified fields are not updated.

If you update the features, the previously enabled features are deleted and replaced with the new features you specify; the new list is not merged with the old one.

    gcloud compute ssl-policies update NAME \
      [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] \
      [--min-tls-version 1.0|1.1|1.2] \
      [--custom-features FEATURES]
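Because an update replaces the whole feature list and a low minimum TLS version is easy to leave behind, a periodic review of every policy in the project is worth automating. The following Python script is an added example, not code from this page or from gcloud: it reads the JSON that `gcloud compute ssl-policies list --format=json` prints, flags policies whose minimum TLS version is below 1.2 or whose cipher suites are CBC-mode, lack forward secrecy, or appear in the Known issues list on this page, and prints the `gcloud compute ssl-policies update` command that would remediate each one. The JSON field names (name, profile, minTlsVersion, customFeatures, enabledFeatures) are assumed from the Compute Engine SslPolicy resource, and the sample policies are constructed.

```python
"""Audit SSL policy definitions and print a remediation command.

Added example, not code from this page or from gcloud.  Field names are
assumed from the Compute Engine SslPolicy resource as gcloud prints it."""
import json
import sys

# Cipher suites this page lists under "Known issues" as deprecated.
DEPRECATED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# minTlsVersion values in ascending order, as the API spells them,
# and the same versions as the --min-tls-version flag spells them.
VERSION_ORDER = ["TLS_1_0", "TLS_1_1", "TLS_1_2"]
VERSION_FLAG = {"TLS_1_0": "1.0", "TLS_1_1": "1.1", "TLS_1_2": "1.2"}


def suite_problem(suite):
    """Classify one cipher suite; return a short reason or None if acceptable."""
    if suite in DEPRECATED_SUITES:
        return "deprecated by Google"
    if not suite.startswith("TLS_ECDHE_"):
        return "no forward secrecy (static RSA key exchange)"
    if "_CBC_" in suite:
        return "CBC mode, not an AEAD suite"
    return None


def policy_suites(policy):
    """Suites a policy permits: customFeatures for CUSTOM, the output-only
    enabledFeatures for Google-managed profiles."""
    if policy.get("profile") == "CUSTOM":
        return list(policy.get("customFeatures", []))
    return list(policy.get("enabledFeatures", []))


def audit_policy(policy, required_min="TLS_1_2"):
    """Return a list of findings for one policy; an empty list means it passes."""
    findings = []
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if VERSION_ORDER.index(min_tls) < VERSION_ORDER.index(required_min):
        findings.append(f"minTlsVersion {min_tls} is below {required_min}")
    for suite in policy_suites(policy):
        reason = suite_problem(suite)
        if reason:
            findings.append(f"{suite}: {reason}")
    return findings


def remediation_command(policy, required_min="TLS_1_2"):
    """gcloud update that raises the TLS floor and, for a CUSTOM profile,
    rewrites --custom-features with only the acceptable suites, because an
    update replaces the previous feature list rather than adding to it."""
    parts = [f"gcloud compute ssl-policies update {policy['name']}",
             f"--min-tls-version {VERSION_FLAG[required_min]}"]
    if policy.get("profile") == "CUSTOM":
        keep = [s for s in policy_suites(policy) if suite_problem(s) is None]
        if not keep:
            raise ValueError(f"{policy['name']}: no acceptable suite would remain")
        parts.append('--custom-features "' + ",".join(keep) + '"')
    return " \\\n  ".join(parts)


def audit_all(policies, required_min="TLS_1_2"):
    """Map policy name -> findings, for every policy that has any."""
    result = {}
    for policy in policies:
        findings = audit_policy(policy, required_min)
        if findings:
            result[policy["name"]] = findings
    return result


# Constructed sample in the shape of `gcloud compute ssl-policies list --format=json`.
# The MODERN entry copies the feature list shown on this page.
SAMPLE_POLICIES = json.loads("""[
  {"name": "modern-legacy", "profile": "MODERN", "minTlsVersion": "TLS_1_0",
   "enabledFeatures": [
     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]},
  {"name": "custom-mixed", "profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
   "customFeatures": [
     "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]}
]""")


if __name__ == "__main__":
    # Usage: gcloud compute ssl-policies list --format=json | python3 audit.py
    policies = SAMPLE_POLICIES if sys.stdin.isatty() else json.load(sys.stdin)
    by_name = {p["name"]: p for p in policies}
    for name, findings in audit_all(policies).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
        try:
            print("  remediation:\n    " + remediation_command(by_name[name]).replace("\n", "\n    "))
        except ValueError as exc:
            print(f"  remediation: manual ({exc})")
```

For a Google-managed profile the script only raises the TLS floor; it cannot drop individual suites from a managed profile, so a finding on, for example, the CBC suites of MODERN is a prompt to move to a stricter managed profile or to a CUSTOM policy.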

Creating a target SSL proxy or HTTPS proxy with an SSL policy

You can create a target SSL proxy with an SSL policy:

    gcloud compute target-ssl-proxies create NAME \
      --backend-service BACKEND_SERVICE_NAME \
      --ssl-certificate SSL_CERTIFICATE_NAME \
      [--ssl-policy SSL_POLICY_NAME]

You can create a target HTTPS proxy with an SSL policy:

    gcloud compute target-https-proxies create NAME \
      --ssl-certificate SSL_CERTIFICATE_NAME \
      --url-map URL_MAP_NAME \
      [--ssl-policy SSL_POLICY_NAME]

Attaching an existing SSL policy to an existing target SSL proxy or HTTPS proxy

You can use the Console or the gcloud command-line tool to attach an existing SSL policy to an existing target SSL proxy or HTTPS proxy.

Console


  1. Go to the Load balancing page in the Google Cloud Platform Console.
  2. Click the name of the HTTPS or SSL load balancer you want to modify.
  3. Click EDIT.
  4. Click Frontend configuration.
  5. Click the frontend where you want to assign a new or different SSL policy.
  6. Under SSL policy, select the SSL policy to update.
  7. Select a different SSL policy.
  8. Click Done.
  9. Click Update. The Load balancer details page is displayed.

gcloud


Use these commands to attach an existing SSL policy to an SSL proxy or HTTPS load balancer:

    gcloud compute target-ssl-proxies update NAME \
      --ssl-policy SSL_POLICY_NAME

    gcloud compute target-https-proxies update NAME \
      --ssl-policy SSL_POLICY_NAME

If you do not provide the --ssl-policy flag or the --clear-ssl-policy flag in a target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --clear-ssl-policy flag is described in Deleting an SSL policy from an existing target SSL proxy or HTTPS proxy.
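Once a policy is attached, the check a practitioner wants is that the frontend really negotiates what the policy says. The following Python script is an added example, not code from this page or from gcloud: it offers the frontend one TLS version at a time, records the suite negotiated (or the refusal), and compares the result with the policy as `gcloud compute ssl-policies describe NAME --format=json` reports it, so a version below the minimum that still handshakes, or a suite outside the enabled set, shows up as a violation. The JSON field names (minTlsVersion, enabledFeatures) are assumed from the API, the IANA-to-OpenSSL name mapping is a rule-based assumption that covers the suites listed on this page, and the two policy dicts are constructed samples.

```python
"""Verify what an HTTPS or SSL proxy frontend actually negotiates against
the SSL policy attached to it.  Added example, not code from this page or
from gcloud; standard library only."""
import socket
import ssl
import sys

# minTlsVersion values in ascending order (assumed from the SslPolicy API)
# and the matching ssl.TLSVersion constants.
VERSION_ORDER = ["TLS_1_0", "TLS_1_1", "TLS_1_2"]
PY_VERSION = {
    "TLS_1_0": ssl.TLSVersion.TLSv1,
    "TLS_1_1": ssl.TLSVersion.TLSv1_1,
    "TLS_1_2": ssl.TLSVersion.TLSv1_2,
}


def iana_to_openssl(suite):
    """Translate an IANA suite name (the form SSL policies use) into the
    OpenSSL name that ssl.SSLSocket.cipher() reports.  Rule-based mapping,
    an assumption verified only for the suites on this page."""
    n = suite[4:] if suite.startswith("TLS_") else suite
    n = n.replace("_WITH_", "_")
    n = n.replace("AES_128", "AES128").replace("AES_256", "AES256")
    n = n.replace("_CBC_", "_")                      # OpenSSL omits CBC
    n = n.replace("CHACHA20_POLY1305_SHA256", "CHACHA20_POLY1305")
    n = n.replace("_", "-")
    return n[4:] if n.startswith("RSA-") else n      # static-RSA suites carry no prefix


def probe(host, port, version):
    """Offer exactly one protocol version; return the negotiated OpenSSL
    cipher name, or None if the server refused the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = PY_VERSION[version]
    ctx.maximum_version = PY_VERSION[version]
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; relax
        # it for the probe only, so a refusal comes from the server, not us.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older OpenSSL / LibreSSL: no security levels to relax
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def evaluate(policy, observed):
    """Compare probe results with a policy dict ({"minTlsVersion": ...,
    "enabledFeatures": [...]}).  observed maps a version to the negotiated
    OpenSSL cipher name or None.  Returns a list of violation strings."""
    allowed = {iana_to_openssl(s) for s in policy["enabledFeatures"]}
    floor = VERSION_ORDER.index(policy["minTlsVersion"])
    violations = []
    for version, cipher in observed.items():
        if version not in VERSION_ORDER:
            continue
        below = VERSION_ORDER.index(version) < floor
        if below and cipher is not None:
            violations.append(f"{version} accepted ({cipher}) but the policy minimum is {policy['minTlsVersion']}")
        elif not below and cipher is None:
            violations.append(f"{version} refused although the policy permits it")
        elif not below and cipher not in allowed:
            violations.append(f"{version} negotiated {cipher}, which is not an enabled feature")
    return violations


# Constructed samples: the MODERN policy shown on this page, and the CUSTOM one.
MODERN_POLICY = {"minTlsVersion": "TLS_1_0", "enabledFeatures": [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]}
CUSTOM_POLICY = {"minTlsVersion": "TLS_1_2", "enabledFeatures": [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]}


if __name__ == "__main__":
    # Usage: python3 verify.py FRONTEND_HOSTNAME [PORT]   (policy is CUSTOM_POLICY
    # here; pipe the output of `gcloud compute ssl-policies describe` in instead
    # by replacing the dict with json.load(sys.stdin)).
    if len(sys.argv) < 2:
        sys.exit("usage: verify.py HOST [PORT]")
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    observed = {v: probe(host, port, v) for v in VERSION_ORDER}
    for v, c in observed.items():
        print(f"{v}: {c or 'refused'}")
    problems = evaluate(CUSTOM_POLICY, observed)
    print("\n".join(problems) if problems else "frontend matches policy")
```

The probe pins both minimum_version and maximum_version to the same value so that the negotiated version is the one offered; the frontend's refusal of TLS 1.0 and 1.1 is therefore the evidence that the minimum took effect, and a successful handshake at TLS 1.2 with a suite outside the enabled list would indicate the policy is attached to a different target proxy than the one being tested.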

Deleting an SSL policy from an existing target SSL proxy or HTTPS proxy

You can use the Console or gcloud command-line tool to delete an SSL policy from an existing target SSL proxy or target HTTPS proxy.

Console


  1. Go to the Load balancing page in the Google Cloud Platform Console.
  2. Click the name of the HTTPS or SSL load balancer you want to modify.
  3. Click EDIT.
  4. Click Frontend configuration.
  5. Click the frontend from which you want to delete the SSL policy.
  6. Under SSL policy, select the SSL policy to update.
  7. Select a different SSL policy.
  8. Click Done.
  9. Click Update. The Load balancer details page is displayed.

gcloud


Use these commands to remove an SSL policy from an SSL proxy or HTTPS load balancer, where NAME is the name of the target SSL or HTTPS proxy. If you do not attach a different SSL policy to the target proxy, the load balancer uses the default SSL policy. Using the --clear-ssl-policy flag is equivalent to replacing an SSL policy with the default SSL policy.

    gcloud compute target-ssl-proxies update NAME \
      --clear-ssl-policy

    gcloud compute target-https-proxies update NAME \
      --clear-ssl-policy

When you provide the --clear-ssl-policy flag in the update command, the SSL policy is removed from the proxy.

If you do not provide the --clear-ssl-policy flag or the --ssl-policy flag in the target proxy update (for example, when updating an SSL certificate), the SSL policy is unchanged. The --ssl-policy flag is described in Attaching an existing SSL policy to an existing target SSL proxy or HTTPS proxy.

Limits

  • You can configure a maximum of 10 SSL policies per project.
  • You cannot configure more than one SSL policy per proxy.

Known issues

Load balancers that have no SSL policy set currently allow four cipher suites that cannot be used once an SSL policy is enabled. These cipher suites are:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256

Google is deprecating support for these cipher suites. Over time they will no longer be supported with any load balancers.
