Suggested standards for TLS clients
- While TLS 1.0 is sufficient we suggest upgrading to TLS 1.2 now.
- A server name indication (SNI) extension should be included in the handshake containing the domain that’s being connected to.
- The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 should be supported with P-256 and uncompressed points. Please note this cipher suite is available in TLS 1.2 only.
- The certificates in https://pki.google.com/roots.pem should be trusted.
- Certificate handling should support DNS Subject Alternative Names and those SANs may include a single wildcard as the left-most label in the name.
To make testing easy, weâ€™ve set up https://cert-test.sandbox.google.com, which requires the first 3 standards above to be met in order to make a successful connection (note: this host is slightly over-restrictive, requiring TLS 1.2). If your TLS client canâ€™t connect to that host, update your libraries or configuration.