For the past few days, I've been battling with the issue of upgrading the TLS version for a few cloud-run apps, the plan is to set the minimum version to v1.2 as required by slack, After a lot of trial and error, I got it fixed and I will be discussing the procedures in this blog post.
What is TLS?
TLS (Transport Layer Security) is a cryptographic protocol developed to provide communication security over a network, it is widely adopted to facilitate privacy and data over the internet network. TLS is used in securing HTTPS, which means that HTTPS(Hypertext Transfer Protocol Secure) uses TLS to ensure data integrity over the internet.
It was earlier called SSL, which was later changed to TLS in 1999.
Our current setup
We have three(3) cloud run services;
- A website
- A REST API endpoints
- Slack bot
This procedures requires that we:
- Reserve an external static IP Address
- Setup Load balancer
- Create certificate
- Create an SSL Policy
- Setup Network endpoint group
- Create an A record to map the cloud run app(in our case, yours could be cloud functions, app engine, etc) domain with the IP Address reserved in step 1
Reserve an external static IP Address
An idea approach will be to reserve external static IP Addresses for each of the services, alongside with load balancer which tends to cost us more, so instead we reserve an IP address to be used for all.
Create a load balancer
Load balancing refers to an efficient approach to distributing incoming network traffic across a group of backend servers,server farm or server pool.
Setting up a load balancer allows us to configure other steps listed above.
Click on HTTPS
Make sure global load balancing (classic) is selected
Setup frontend that distribute traffic
The frontend configuration of the load balancer requires that you specified a reserved IP address, protocol type, certificate and SSL policy.This is the most important part of the load balancing as you need to carefully provides the appropriate information for all the required fields as seen in the screenshots below.
Select the IP Address you reserved earlier
Click on create policy to create if you havenβt done that before
You need to specify your TLS minimum version for the new SSL policy.
Click on backend configuration, when you're done with the frontend.
Click on create backend configuration and create new backend service or select if you already have one.
Create network endpoint group
A network endpoint group (NEG) is a configuration that specifies group of backend services, it is common used for deploying service in container.
At this point, you need to select your serverless network type, in my own case, its cloud run.
By selecting the serverless NEG type, it should list out your current app running.
Finally π, You can decide to create multiple backend for multiple services depending on your setup, which should give you something related to this or just have a single backend service.
Setup A record for DNS mapping
How to check the TLS version
Install a cli tool called nmap, and run
nmap --script ssl-enum-ciphers -p 443 domainname.com
Your output should be... viola π
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| compressors:
| NULL
| cipher preference: client
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 2.83 seconds
I'm sure you might be surprised to see TLSv1.3 by default,π Yes!, that's because google adds it for every certificate at the time of writing this post.
Thanks for reading βοΈ
Top comments (0)