PCI Compliant HTTPS load balancer option
Can we please get a check-box or some way to configure this so that we don't need to keep dealing with exceptions and complaints from the scanners when following the https://cloud.google.com/solutions/pci-dss guide, due to HTTPS load balancers supporting things like "Medium Strength Cipher Suites" and "TLS Version 1.0" or unremovable HTTP proxy headers. All of which are heavily discouraged by PCI DSS.
Looks like this is in progress.
SSL policies give you the ability to control the features of SSL that your HTTPS load balancer negotiates with HTTPS clients.
By default, HTTPS load balancing uses a set of SSL features that provides good security and wide compatibility. Some applications require more control over which SSL versions and ciphers are used for their HTTPS or SSL connections. You can define SSL policies that control the features of SSL that your load balancer negotiates and associate an SSL policy with your target HTTPS proxy.
The link to the feature goes to a 404 (https://cloud.google.com/compute/docs/load-balancing/http/compute/docs/load-balancing/ssl-policies), but hey it's a start.
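Once an SSL policy can be attached to the target HTTPS proxy, the practical question for a PCI renewal scan is whether the policy actually rules out TLS 1.0 and the 3DES suites the scanners keep flagging. The following checker is an added example, not code from the original thread or from Google's documentation: it audits the JSON that `gcloud compute ssl-policies list --format=json` (or `describe NAME --format=json`) returns, flagging any `minTlsVersion` below TLS 1.2 and any 3DES/RC4/NULL/MD5/export/DES suite in the policy's enabled feature list. The three policy objects below (`lb-default-like`, `pci-tls12`, `custom-weak`) are constructed sample data in the shape of that output, not anything pulled from a real project; the field names (`profile`, `minTlsVersion`, `enabledFeatures`, `customFeatures`) are those of the Compute Engine SslPolicy resource.

```python
import json

# Constructed sample data: three policy objects in the shape that
# `gcloud compute ssl-policies list --format=json` returns. Field names follow
# the Compute Engine SslPolicy resource; names and values are made up here.
SAMPLE_POLICY_LIST_JSON = json.dumps([
    {
        "name": "lb-default-like",          # what a permissive policy looks like
        "profile": "COMPATIBLE",
        "minTlsVersion": "TLS_1_0",
        "enabledFeatures": [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",  # the "medium strength" suite scanners flag
        ],
    },
    {
        "name": "pci-tls12",                # RESTRICTED profile, TLS 1.2 minimum
        "profile": "RESTRICTED",
        "minTlsVersion": "TLS_1_2",
        "enabledFeatures": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        ],
    },
    {
        "name": "custom-weak",              # right TLS floor, but 3DES re-enabled by hand
        "profile": "CUSTOM",
        "minTlsVersion": "TLS_1_2",
        "customFeatures": [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        ],
    },
])

TLS_RANK = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2, "TLS_1_3": 3}
REQUIRED_MIN_TLS = "TLS_1_2"

# Substrings that identify suites PCI scanners report as weak or "medium strength".
WEAK_SUITE_MARKERS = ("3DES", "RC4", "_NULL_", "_MD5", "EXPORT", "_DES_")


def check_ssl_policy(policy):
    """Return a list of PCI-relevant findings for one SslPolicy object; [] means clean."""
    findings = []
    # The API treats an unset minTlsVersion as TLS 1.0, so default the same way.
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if TLS_RANK.get(min_tls, 0) < TLS_RANK[REQUIRED_MIN_TLS]:
        findings.append(f"minTlsVersion is {min_tls}; TLS 1.2 or higher is required")
    # enabledFeatures is output-only and lists the suites in force for any profile;
    # fall back to customFeatures for a CUSTOM policy that only exists as a draft.
    suites = policy.get("enabledFeatures") or policy.get("customFeatures") or []
    for suite in suites:
        if any(marker in suite for marker in WEAK_SUITE_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite}")
    return findings


def audit_policies(policy_list_json):
    """Map policy name -> findings for the JSON array `gcloud ... list` emits."""
    return {p["name"]: check_ssl_policy(p) for p in json.loads(policy_list_json)}


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICY_LIST_JSON).items():
        print(("PASS " if not findings else "FAIL ") + name)
        for finding in findings:
            print("  - " + finding)
```

Run against the sample data, `lb-default-like` fails on both the TLS 1.0 floor and the 3DES suite, `custom-weak` fails only on the suite, and `pci-tls12` passes. To produce a passing policy and attach it, the corresponding gcloud calls are `gcloud compute ssl-policies create pci-tls12 --profile RESTRICTED --min-tls-version 1.2` followed by `gcloud compute target-https-proxies update PROXY_NAME --ssl-policy pci-tls12` (policy and proxy names are placeholders); afterwards `openssl s_client -connect HOST:443 -tls1` should fail to complete a handshake, which is the same test the scanner performs.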
A year later, and another failing renewal scan because of TLS 1.0 and 3DES being supported with no way to disable them.
Now only 6 months remain before TLS 1.0 _must_ be disabled as per the PCI spec (i.e. 2/3 of the time available to get this done since opening the request has now passed!). At this rate we will have to consider migration in case GCP doesn't get it done in time. We can't wait around until the last minute to find ourselves knowingly non-compliant.
From https://groups.google.com/forum/#!topic/gce-discussion/Df8f6OPE4X8 "There are no future plans that can be provided on this matter". What?
Grant Fribbens commented
I have some PCI scans currently failing when checking the Google HTTPS load balancers, as they have many open ports which are found. This option should also make sure that only the ports which are being used are left open.
Does Google not consider PCI compliance a priority? Amazon addressed this over 6 years ago.