I received this email from Google today: [Action Advised] Opt-in to allow only secure TLS 1.2+ traffic in your App Engine applications

I have several projects. I tried in a "testing" project but after I enabled only TLS 1.2+ traffic, all my requests to the website failed: "Error: Bad Request - The request was malformed."

My projects are in App Engine Standard environment. (Python)

Since I tested only on "testing" projects, the website are accessed using ...".appspot" URLs. (No custom domain used nor custom SSL certificates)

What could be the problem? I tried from a recent Macbook with the latest version of Chrome/Firefox or Safari.

I received this email from Google today: [Action Advised] Opt-in to allow only secure TLS 1.2+ traffic in your App Engine applications

I have several projects. I tried in a "testing" project but after I enabled only TLS 1.2+ traffic, all my requests to the website failed: "Error: Bad Request - The request was malformed."

My projects are in App Engine Standard environment. (Python)

Since I tested only on "testing" projects, the website are accessed using ...".appspot" URLs. (No custom domain used nor custom SSL certificates)

What could be the problem? I tried from a recent Macbook with the latest version of Chrome/Firefox or Safari.

• google-app-engine
• tls1.2

• 1 I tried this. I don't have any issues with the custom domain. I get a 400 Bad Request error when I try to access static urls for the appspot domain. The home page (on appspot) loads but because of the issues with the static urls, the css isn't correctly loaded. Will have to look further into this later. – NoCommandLine Commented Mar 17 at 15:58
• I'm also seeing this when accessing one of my App Engine apps via an appspot hostname from Chrome 133.0.6943.184 after requiring TLS 1.2+. Oddly enough, my other App Engine apps don't exhibit the problem, and I'm able to connect to the problematic site using Go's HTTP client code. In all cases, Chrome says it's using QUIC, X25519MLKEM768, and AES_128_GCM. I think my broken app is older than my other ones, so I suspect something is broken internally on Google's side. I don't know of any functional channels for reporting App Engine issues to Google. – derat Commented Mar 17 at 16:33
• @derat your other working app engine apps are using appspot or a custom domain? However, here there is the issue tracker ticket: issuetracker.google/issues/80295154 – Blodhgard Commented Mar 17 at 16:38
• @Blodhgard: One is using a custom domain and the other is using appspot. Oddly, the one with the custom domain also returns a 400 if I access it via its appspot hostname instead. I have no idea what's different between the broken apps and the one that works via appspot -- just confirmed that it's requiring 1.2+. I thought it could be linked to the GAE runtime (I'm using a mix of go121 and go122 across apps), but that doesn't seem to be a determining factor either. – derat Commented Mar 17 at 16:42
• 1 Today the TLS option in the Settings disappeared. Also the guide in the Google doc disappeared. Probably there was an error on Google side. – Blodhgard Commented Mar 18 at 8:34

1 Answer 1

It seems that the Google Cloud engineering team has temporarily rolled back the changes to the TLS protocol versions for the App Engine Standard and Flexible Environments. They may send another email regarding the update. At this time, I would suggest keeping an eye on the issue tracker link you shared in the comments or review the Google App Engine release notes for the most recent updates.