Status Update
Comments
br...@google.com <br...@google.com> #2
Hi, thanks for this report. I will share this with you about
To define an SSL policy, you specify a minimum TLS version and a profile. The profile selects a set of SSL features to enable in the load balancer. Three Google-managed profiles let you specify the level of compatibility appropriate for your application. A fourth custom profile lets you select SSL features individually.
The SSL policy also specifies the minimum version of the TLS protocol that clients can use to establish a connection. A profile can also restrict the versions of TLS that the load balancer can negotiate.
The current workaround is to use LBS to configure TLS ciphers.
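Added example, not part of this thread or any Google code: an offline audit of the SSL policy resource the workaround relies on, flagging the settings the issue raises (minimum TLS version below 1.2, the COMPATIBLE profile, 3DES cipher suites). It assumes the JSON shape returned by `gcloud compute ssl-policies describe --format=json`; the two sample policies are constructed.

```python
"""Audit Google Cloud SSL policies for weak TLS settings.

Input is the JSON shape of `gcloud compute ssl-policies describe --format=json`
(fields: name, profile, minTlsVersion, customFeatures, enabledFeatures).
"""
import json

WEAK_VERSIONS = {"TLS_1_0", "TLS_1_1"}
# Substrings of cipher-suite names a strict audit rejects (3DES is the one raised here).
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "_NULL_")


def audit_ssl_policy(policy: dict) -> list[str]:
    """Return a list of findings for one policy; an empty list means it passes."""
    findings = []
    name = policy.get("name", "<unnamed>")
    # If minTlsVersion is unset the API default is TLS 1.0, so treat absence as weak.
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if min_tls in WEAK_VERSIONS:
        findings.append(f"{name}: minTlsVersion {min_tls} permits TLS below 1.2")
    profile = policy.get("profile", "COMPATIBLE")  # default profile is COMPATIBLE
    if profile == "COMPATIBLE":
        findings.append(f"{name}: COMPATIBLE profile keeps legacy cipher suites enabled")
    # CUSTOM profiles list their suites in customFeatures; otherwise use the
    # output-only enabledFeatures list when present.
    ciphers = policy.get("customFeatures") or policy.get("enabledFeatures", [])
    for suite in ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"{name}: weak cipher suite {suite}")
    return findings


def audit_ssl_policies_json(raw: str) -> dict[str, list[str]]:
    """Audit a single policy object or a JSON list of policies, keyed by name."""
    data = json.loads(raw)
    policies = data if isinstance(data, list) else [data]
    return {p.get("name", "<unnamed>"): audit_ssl_policy(p) for p in policies}


# Constructed sample: a permissive custom policy beside a hardened one.
SAMPLE_POLICIES_JSON = json.dumps([
    {"name": "legacy-policy", "profile": "CUSTOM", "minTlsVersion": "TLS_1_0",
     "customFeatures": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
    {"name": "hardened-policy", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_2"},
])

if __name__ == "__main__":
    for name, findings in audit_ssl_policies_json(SAMPLE_POLICIES_JSON).items():
        print(name, "PASS" if not findings else "\n  " + "\n  ".join(findings))
```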
le...@gmail.com <le...@gmail.com> #3
The workaround of using a load balancer is what we now have in place; however, this incurs additional cost and doesn't change the fact that, from an out-of-the-box security posture, the API Gateway, as a product, is insecure and will fail most security audits in its current state.
br...@google.com <br...@google.com> #4
Thanks for your message. I understand. Given this, this feature request has been forwarded to the API Gateway management team so that they may evaluate it. There is no timeline or implementation guarantee for feature requests. All communication regarding this feature request is to be done here.
Description
Problem you have encountered:
There is no way to turn specific ciphers on or off on the API Gateway, requiring fronting with an LB / SSL proxy. This is especially an issue as any security scanning will fail, since TLS 1.0, 3DES, etc. are enabled by default.
What you expected to happen:
To have the option to configure either specific ciphers or to choose a policy (as is the case with LBs).
Steps to reproduce:
Create and configure an API Gateway, then run a security scan that tests the accepted ciphers.
Other information (workarounds you have tried, documentation consulted, etc):
Reviewing the API Gateway documentation, there is no mention of controls or policies to alter which ciphers are accepted.