SSL policies for SSL and TLS protocols

In this document, the term SSL refers to both the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols.

SSL policies specify the set of SSL features that Google Cloud load balancers use when negotiating SSL with clients. For example, you can use an SSL policy to define the minimum TLS version and features that every client must support in order to send traffic to your load balancer.

The following load balancers support global SSL policies:

  • Global external Application Load Balancer
  • Classic Application Load Balancer
  • Cross-region internal Application Load Balancer
  • Global external proxy Network Load Balancer
  • Classic proxy Network Load Balancer

The following load balancers support regional SSL policies:

  • Regional external Application Load Balancer
  • Regional internal Application Load Balancer

By default, these load balancers use a set of SSL features that provide good security and wide compatibility. Some applications require more control over which SSL versions and ciphers are used for their HTTPS or SSL connections. You can define SSL policies to specify the set of SSL features that your load balancer uses when negotiating SSL with clients.

The following example shows how connections from clients are established and terminated at a load balancer.

Client connections in external Application Load Balancers or external proxy Network Load Balancers.
Client connections in external Application Load Balancers or external proxy Network Load Balancers (click to enlarge).

You can use an SSL policy to configure the minimum TLS version and SSL features that are enabled in the load balancer. SSL policies affect connections between clients and the load balancer (Connection-1 in the illustration). SSL policies don't affect the connections between the load balancer and the backends (Connection-2).

Defining an SSL policy

To define an SSL policy, you specify a minimum TLS version and a profile. The profile selects a set of SSL features to enable in the load balancer.

Three pre-configured Google-managed profiles let you specify the level of compatibility appropriate for your application. The three pre-configured profiles are as follows:

  • COMPATIBLE. Allows the broadest set of clients, including clients that support only out-of-date SSL features, to negotiate SSL with the load balancer.
  • MODERN. Supports a wide set of SSL features, allowing modern clients to negotiate SSL.
  • RESTRICTED. Supports a reduced set of SSL features, intended to meet stricter compliance requirements.

A fourth CUSTOM profile lets you select SSL features individually.

The SSL policy also specifies the minimum version of the TLS protocol that clients can use to establish a connection.

Note that a profile can indirectly restrict the versions of TLS that the load balancer can negotiate. For example, ciphers enabled in the RESTRICTED profile are only supported by TLS 1.2; choosing the RESTRICTED profile therefore effectively disallows clients from using TLS 1.0 and 1.1, even if the SSL policy's minimum TLS version allows them.

If you don't choose one of the three pre-configured profiles or create a custom SSL policy, your load balancer uses the default SSL policy. The default SSL policy is equivalent to an SSL policy that uses the COMPATIBLE profile with a minimum TLS version of TLS 1.0.

You can attach an SSL policy to more than one target proxy. You cannot configure more than one SSL policy for a particular target proxy. Any changes made to SSL policies don't alter or interrupt existing load balancer connections.

Cloud Load Balancing does not support SSL versions 3.0 or earlier. The following table describes the feature support for each TLS/SSL version.

TLS/SSL version Feature support
TLS 1.0, 1.1, or 1.2 Settings in SSL policies control cipher suites applied to client connections.
TLS 1.3 Settings in SSL policies don't control cipher selection. TLS 1.3 supports TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256 ciphers only.
QUIC Settings in SSL policies don't control cipher selection.
SSL 3.0 or earlier Not applicable. Not supported by Cloud Load Balancing.

During each TLS handshake, the client indicates the highest TLS protocol version that it supports. The server is required to select the highest protocol version supported by the client and server and allowed by the server configuration. For example, if a load balancer is configured with a minimum TLS version of 1.2, a handshake with a modern client that supports TLS 1.3 selects TLS 1.3. A handshake with an earlier client that supports only TLS 1.2 uses TLS 1.2. A handshake with an even earlier client that supports only TLS 1.1 fails.

The following table lists the available SSL policy features for each pre-configured profile. All of the features control whether particular cipher suites can be used, and apply only to client connections that use TLS version 1.2 or earlier, not to clients that use QUIC.

IANA value Feature In COMPATIBLE profile In MODERN profile In RESTRICTED profile
0xCCA9 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
0xCCA8 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
0xC02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0xC02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
0xC009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
0xC013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
0xC00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
0xC014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
0x009C TLS_RSA_WITH_AES_128_GCM_SHA256
0x009D TLS_RSA_WITH_AES_256_GCM_SHA384
0x002F TLS_RSA_WITH_AES_128_CBC_SHA
0x0035 TLS_RSA_WITH_AES_256_CBC_SHA
0x000A TLS_RSA_WITH_3DES_EDE_CBC_SHA

Feature updates

We reserve the right to update the set of features enabled in the COMPATIBLE, MODERN, and RESTRICTED profiles, as well as which features are configurable in a CUSTOM profile. We do this as we remove support for older SSL capabilities and as we add support for newer ones.

When we add features that enhance SSL capabilities, we may enable them immediately in the COMPATIBLE, MODERN, and RESTRICTED profiles so that SSL policies that select those profiles can use the new features. However, if your policy selects the CUSTOM profile, you must modify the policy's settings to use the added features.

Limitations

  • Disabling particular SSL versions or ciphers could result in some older clients being unable to connect to your proxy by using HTTPS or SSL. Disabling a sufficiently broad selection of ciphers in the CUSTOM profile could result in no clients being able to negotiate HTTPS.

  • An SSL certificate associated with your load balancer uses either an ECDSA or an RSA digital signature. The predefined profiles are compatible with both types of certificate signatures. A custom profile should enable ciphers that are compatible with the digital signature used by your load balancer's certificates.

  • The features that control cipher suites apply only to client connections that use TLS version 1.2 and earlier. They don't control cipher selection in connections that use QUIC or TLS 1.3.

What's next