We have a Java app on Google App Engine. We use Google's custom domains and SSL support. A recent security audit has found two issues that we need to resolve relating to the SSL configuration:

1) The server-side SSL/TLS endpoint is configured to allow weak SSL/TLS cipher suites. Specifically: block ciphers having block size of 112 bits - DES, 3DES and Cipher suites that use block ciphers (e.g. AES, 3DES) in CBC mode.

2) The server-side SSL/TLS endpoint is configured to allow connections using TLS protocol version 1.0 ("TLSv1.0"), which contains known weaknesses

Looking at the App Engine docs, I believe both of these are outside the scope of control we have over the App Engine environment. So we cannot change them unless we put a different loadbalancer or SSL termination point in front of App Engine (Maybe CloudFlare, or our own custom instance for example)

My question is, is there any way to control the SSL and TLS settings in App Engine, and if not, is the best alternative to put CloudFlare (or other proxy) in front of it?

Or, if there is a reasonable defence/explanation of these security weaknesses from Google, I could use that to defend the current configuration Google has for App Engine apps.

I heard back from two incredibly helpful GCE engineers, the gist of it is:

"the settings are shared with the servers serving most Google services, balancing client compatibility with modern best practices"

"[App Engine] runs our standard GFE configuration"

"While we deprecate what we can, we have to balance that with compatibility. Modern browsers do not allow the configuration of a TLS connection to be downgraded and so supporting older protocols like TLS 1.0 doesn't affect them."

So basically, it's good enough for Google, and their security teams are making those security choices based on a number of factors - as they see fit they will deprecate the older versions.