Reject handshakes with bad TLS protocols and ciphers (#970)

* Reject handshakes with bad TLS protocols and ciphers * Fix protocols * make cipher suite list static and fix tests * Delete unnecessary line * Add start time configuration for enforcement * small format fix * Add multiple ciphersuite test * fix gradle lint * fix indentation
2025-04-29 11:37:51 +02:00 · 2021-03-03 15:47:42 -05:00 · 2021-03-03 15:47:42 -05:00 · af50677612
commit af50677612
parent 7aa7bad986
13 changed files with 292 additions and 12 deletions
--- a/networking/build.gradle
+++ b/networking/build.gradle
@ -28,6 +28,7 @@ dependencies {
  compile deps['org.bouncycastle:bcpkix-jdk15on']
  compile deps['org.bouncycastle:bcprov-jdk15on']
  compile project(':util')
+  compile project(':common')

  runtime deps['com.google.flogger:flogger-system-backend']
  runtime deps['io.netty:netty-tcnative-boringssl-static']
@ -38,9 +39,11 @@ dependencies {
  testCompile deps['org.junit.jupiter:junit-jupiter-params']
  testCompile deps['org.bouncycastle:bcpkix-jdk15on']
  testCompile deps['org.bouncycastle:bcprov-jdk15on']
+  testCompile project(path: ':common', configuration: 'testing')

  annotationProcessor deps['com.google.dagger:dagger-compiler']
  testAnnotationProcessor deps['com.google.dagger:dagger-compiler']
+  compile 'joda-time:joda-time:2.9.2'
 }

 // Make testing artifacts available to be depended up on by other projects.
--- a/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
+++ b/networking/src/main/java/google/registry/networking/handler/SslServerInitializer.java
@ -19,6 +19,7 @@ import static google.registry.util.X509Utils.getCertificateHash;

 import com.google.common.collect.ImmutableList;
 import com.google.common.flogger.FluentLogger;
+import google.registry.util.Clock;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelFuture;
 import io.netty.channel.ChannelHandler.Sharable;
@ -29,6 +30,7 @@ import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslHandler;
 import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.SupportedCipherSuiteFilter;
 import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import io.netty.util.AttributeKey;
 import io.netty.util.concurrent.Future;
@ -41,6 +43,7 @@ import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.util.function.Supplier;
 import javax.net.ssl.SSLSession;
+import org.joda.time.DateTime;

 /**
 * Adds a server side SSL handler to the channel pipeline.
@ -66,6 +69,29 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
  public static final AttributeKey<Promise<X509Certificate>> CLIENT_CERTIFICATE_PROMISE_KEY =
      AttributeKey.valueOf("CLIENT_CERTIFICATE_PROMISE_KEY");

+  /**
+   * The list of cipher suites that are currently acceptable to create a successful handshake.
+   *
+   * <p>This list includes all of the current TLS1.3 ciphers and a collection of TLS1.2 ciphers with
+   * no known security vulnerabilities. Note that OpenSSL uses a separate nomenclature for the
+   * ciphers internally but the IANA names listed here will be transparently translated by the
+   * OpenSSL provider (if used), so there is no need to include the OpenSSL name variants here. More
+   * information about these cipher suites and their OpenSSL names can be found at ciphersuite.info.
+   */
+  private static final ImmutableList ALLOWED_TLS_CIPHERS =
+      ImmutableList.of(
+          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+          "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+          "TLS_AES_128_GCM_SHA256",
+          "TLS_AES_256_GCM_SHA384",
+          "TLS_CHACHA20_POLY1305_SHA256",
+          "TLS_AES_128_CCM_SHA256",
+          "TLS_AES_128_CCM_8_SHA256");
+
  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
  private final boolean requireClientCert;
  // TODO(jianglai): Always validate client certs (if required).
@ -76,13 +102,19 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
  private final Supplier<PrivateKey> privateKeySupplier;
  private final Supplier<ImmutableList<X509Certificate>> certificatesSupplier;
  private final ImmutableList<String> supportedSslVersions;
+  // TODO(sarahbot): Remove this variable and its check after enforcement start date has passed.
+  private final ImmutableList<String> oldSupportedSslVersions;
+  private final DateTime enforcementStartTime;
+  private final Clock clock;

  public SslServerInitializer(
      boolean requireClientCert,
      boolean validateClientCert,
      SslProvider sslProvider,
      Supplier<PrivateKey> privateKeySupplier,
-      Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
+      Supplier<ImmutableList<X509Certificate>> certificatesSupplier,
+      DateTime enforcementStartTime,
+      Clock clock) {
    logger.atInfo().log("Server SSL Provider: %s", sslProvider);
    checkArgument(
        requireClientCert || !validateClientCert,
@ -94,10 +126,16 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
    this.certificatesSupplier = certificatesSupplier;
    this.supportedSslVersions =
        sslProvider == SslProvider.OPENSSL
-            ? ImmutableList.of("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")
-            // JDK support for TLS 1.3 won't be available until 2020-07-14 at the earliest.
+            ? ImmutableList.of("TLSv1.3", "TLSv1.2")
+            // JDK support for TLS 1.3 won't be available until 2021-04-20 at the earliest.
            // See: https://java.com/en/jre-jdk-cryptoroadmap.html
+            : ImmutableList.of("TLSv1.2");
+    this.oldSupportedSslVersions =
+        sslProvider == SslProvider.OPENSSL
+            ? ImmutableList.of("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1")
            : ImmutableList.of("TLSv1.2", "TLSv1.1", "TLSv1");
+    this.enforcementStartTime = enforcementStartTime;
+    this.clock = clock;
  }

  @Override
@ -109,8 +147,15 @@ public class SslServerInitializer<C extends Channel> extends ChannelInitializer<
            .sslProvider(sslProvider)
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .clientAuth(requireClientCert ? ClientAuth.REQUIRE : ClientAuth.NONE)
-            .protocols(supportedSslVersions)
+            .protocols(
+                enforcementStartTime.isBefore(clock.nowUtc())
+                    ? supportedSslVersions
+                    : oldSupportedSslVersions)
+            .ciphers(
+                enforcementStartTime.isBefore(clock.nowUtc()) ? ALLOWED_TLS_CIPHERS : null,
+                SupportedCipherSuiteFilter.INSTANCE)
            .build();
+
    logger.atInfo().log("Available Cipher Suites: %s", sslContext.cipherSuites());
    SslHandler sslHandler = sslContext.newHandler(channel.alloc());
    if (requireClientCert) {
--- a/networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java
+++ b/networking/src/test/java/google/registry/networking/handler/SslServerInitializerTest.java
@ -23,6 +23,7 @@ import static google.registry.networking.handler.SslServerInitializer.CLIENT_CER

 import com.google.common.base.Suppliers;
 import com.google.common.collect.ImmutableList;
+import google.registry.testing.FakeClock;
 import google.registry.util.SelfSignedCaCertificate;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.ChannelInitializer;
@ -42,13 +43,16 @@ import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
+import java.util.Collections;
 import java.util.Date;
+import java.util.List;
 import java.util.stream.Stream;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSession;
+import org.joda.time.DateTime;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
@ -97,19 +101,29 @@ class SslServerInitializerTest {
        validateClientCert,
        sslProvider,
        Suppliers.ofInstance(privateKey),
-        Suppliers.ofInstance(ImmutableList.copyOf(certificates)));
+        Suppliers.ofInstance(ImmutableList.copyOf(certificates)),
+        DateTime.parse("2021-04-01T16:00:00Z"),
+        new FakeClock(DateTime.parse("2021-05-01T16:00:00Z")));
  }

  private ChannelHandler getClientHandler(
      SslProvider sslProvider,
      X509Certificate trustedCertificate,
      PrivateKey privateKey,
-      X509Certificate certificate) {
+      X509Certificate certificate,
+      String protocol,
+      List<String> cipher) {
    return new ChannelInitializer<LocalChannel>() {
      @Override
      protected void initChannel(LocalChannel ch) throws Exception {
        SslContextBuilder sslContextBuilder =
-            SslContextBuilder.forClient().trustManager(trustedCertificate).sslProvider(sslProvider);
+            SslContextBuilder.forClient()
+                .trustManager(trustedCertificate)
+                .sslProvider(sslProvider)
+                .ciphers(cipher);
+        if (protocol != null) {
+          sslContextBuilder.protocols(protocol);
+        }
        if (privateKey != null && certificate != null) {
          sslContextBuilder.keyManager(privateKey, certificate);
        }
@ -127,6 +141,14 @@ class SslServerInitializerTest {
    };
  }

+  private ChannelHandler getClientHandler(
+      SslProvider sslProvider,
+      X509Certificate trustedCertificate,
+      PrivateKey privateKey,
+      X509Certificate certificate) {
+    return getClientHandler(sslProvider, trustedCertificate, privateKey, certificate, null, null);
+  }
+
  @ParameterizedTest
  @MethodSource("provideTestCombinations")
  void testSuccess_swappedInitializerWithSslHandler(SslProvider sslProvider) throws Exception {
@ -137,7 +159,9 @@ class SslServerInitializerTest {
            false,
            sslProvider,
            Suppliers.ofInstance(ssc.key()),
-            Suppliers.ofInstance(ImmutableList.of(ssc.cert())));
+            Suppliers.ofInstance(ImmutableList.of(ssc.cert())),
+            DateTime.parse("2021-04-01T16:00:00Z"),
+            new FakeClock(DateTime.parse("2021-05-01T16:00:00Z")));
    EmbeddedChannel channel = new EmbeddedChannel();
    ChannelPipeline pipeline = channel.pipeline();
    pipeline.addLast(sslServerInitializer);
@ -172,6 +196,174 @@ class SslServerInitializerTest {
    assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
  }

+  @ParameterizedTest
+  @MethodSource("provideTestCombinations")
+  void testFailure_cipherNotAccepted(SslProvider sslProvider) throws Exception {
+    SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("CIPHER_NOT_ACCEPTED_" + sslProvider);
+
+    nettyExtension.setUpServer(
+        localAddress, getServerHandler(true, true, sslProvider, serverSsc.key(), serverSsc.cert()));
+    SelfSignedCaCertificate clientSsc =
+        SelfSignedCaCertificate.create(
+            "CLIENT",
+            Date.from(Instant.now().minus(Duration.ofDays(2))),
+            Date.from(Instant.now().plus(Duration.ofDays(1))));
+    nettyExtension.setUpClient(
+        localAddress,
+        getClientHandler(
+            sslProvider,
+            serverSsc.cert(),
+            clientSsc.key(),
+            clientSsc.cert(),
+            "TLSv1.2",
+            Collections.singletonList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")));
+
+    verifySslException(
+        nettyExtension.getServerChannel(),
+        channel -> channel.attr(CLIENT_CERTIFICATE_PROMISE_KEY).get().get(),
+        SSLHandshakeException.class);
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCombinations")
+  void testSuccess_someCiphersNotAccepted(SslProvider sslProvider) throws Exception {
+    SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("SOME_CIPHERS_NOT_ACCEPTED_" + sslProvider);
+
+    nettyExtension.setUpServer(
+        localAddress,
+        new SslServerInitializer<LocalChannel>(
+            true,
+            true,
+            sslProvider,
+            Suppliers.ofInstance(serverSsc.key()),
+            Suppliers.ofInstance(ImmutableList.of(serverSsc.cert())),
+            DateTime.parse("2021-04-01T16:00:00Z"),
+            new FakeClock(DateTime.parse("2021-05-01T16:00:00Z"))));
+    SelfSignedCaCertificate clientSsc =
+        SelfSignedCaCertificate.create(
+            "CLIENT",
+            Date.from(Instant.now().minus(Duration.ofDays(2))),
+            Date.from(Instant.now().plus(Duration.ofDays(1))));
+    nettyExtension.setUpClient(
+        localAddress,
+        getClientHandler(
+            sslProvider,
+            serverSsc.cert(),
+            clientSsc.key(),
+            clientSsc.cert(),
+            "TLSv1.2",
+            ImmutableList.of(
+                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", // Only accepted cipher
+                "TLS_RSA_WITH_AES_256_CBC_SHA")));
+
+    SSLSession sslSession = setUpSslChannel(nettyExtension.getClientChannel(), serverSsc.cert());
+    nettyExtension.assertThatMessagesWork();
+
+    assertThat(sslSession.getLocalCertificates()).asList().containsExactly(clientSsc.cert());
+    assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
+    assertThat(sslSession.getCipherSuite()).isEqualTo("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCombinations")
+  void testSuccess_cipherNotAccepted_beforeEnforcementDate(SslProvider sslProvider)
+      throws Exception {
+    SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("CIPHER_ACCEPTED_BEFORE_DATE_" + sslProvider);
+
+    nettyExtension.setUpServer(
+        localAddress,
+        new SslServerInitializer<LocalChannel>(
+            true,
+            true,
+            sslProvider,
+            Suppliers.ofInstance(serverSsc.key()),
+            Suppliers.ofInstance(ImmutableList.of(serverSsc.cert())),
+            DateTime.parse("2021-04-01T16:00:00Z"),
+            new FakeClock(DateTime.parse("2021-03-01T16:00:00Z"))));
+    SelfSignedCaCertificate clientSsc =
+        SelfSignedCaCertificate.create(
+            "CLIENT",
+            Date.from(Instant.now().minus(Duration.ofDays(2))),
+            Date.from(Instant.now().plus(Duration.ofDays(1))));
+    nettyExtension.setUpClient(
+        localAddress,
+        getClientHandler(
+            sslProvider,
+            serverSsc.cert(),
+            clientSsc.key(),
+            clientSsc.cert(),
+            "TLSv1.2",
+            Collections.singletonList("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")));
+
+    SSLSession sslSession = setUpSslChannel(nettyExtension.getClientChannel(), serverSsc.cert());
+    nettyExtension.assertThatMessagesWork();
+
+    assertThat(sslSession.getLocalCertificates()).asList().containsExactly(clientSsc.cert());
+    assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCombinations")
+  void testFailure_protocolNotAccepted(SslProvider sslProvider) throws Exception {
+    SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("PROTOCOL_NOT_ACCEPTED_" + sslProvider);
+
+    nettyExtension.setUpServer(
+        localAddress, getServerHandler(true, true, sslProvider, serverSsc.key(), serverSsc.cert()));
+    SelfSignedCaCertificate clientSsc =
+        SelfSignedCaCertificate.create(
+            "CLIENT",
+            Date.from(Instant.now().minus(Duration.ofDays(2))),
+            Date.from(Instant.now().plus(Duration.ofDays(1))));
+    nettyExtension.setUpClient(
+        localAddress,
+        getClientHandler(
+            sslProvider, serverSsc.cert(), clientSsc.key(), clientSsc.cert(), "TLSv1.1", null));
+
+    verifySslException(
+        nettyExtension.getServerChannel(),
+        channel -> channel.attr(CLIENT_CERTIFICATE_PROMISE_KEY).get().get(),
+        SSLHandshakeException.class);
+  }
+
+  @ParameterizedTest
+  @MethodSource("provideTestCombinations")
+  void testSuccess_protocolNotAccepted_beforeEnforcementDate(SslProvider sslProvider)
+      throws Exception {
+    SelfSignedCaCertificate serverSsc = SelfSignedCaCertificate.create(SSL_HOST);
+    LocalAddress localAddress = new LocalAddress("PROTOCOL_ACCEPTED_BEFORE_DATE_" + sslProvider);
+
+    nettyExtension.setUpServer(
+        localAddress,
+        new SslServerInitializer<LocalChannel>(
+            true,
+            true,
+            sslProvider,
+            Suppliers.ofInstance(serverSsc.key()),
+            Suppliers.ofInstance(ImmutableList.of(serverSsc.cert())),
+            DateTime.parse("2021-04-01T16:00:00Z"),
+            new FakeClock(DateTime.parse("2021-03-01T16:00:00Z"))));
+    SelfSignedCaCertificate clientSsc =
+        SelfSignedCaCertificate.create(
+            "CLIENT",
+            Date.from(Instant.now().minus(Duration.ofDays(2))),
+            Date.from(Instant.now().plus(Duration.ofDays(1))));
+    nettyExtension.setUpClient(
+        localAddress,
+        getClientHandler(
+            sslProvider, serverSsc.cert(), clientSsc.key(), clientSsc.cert(), "TLSv1.1", null));
+
+    SSLSession sslSession = setUpSslChannel(nettyExtension.getClientChannel(), serverSsc.cert());
+    nettyExtension.assertThatMessagesWork();
+
+    assertThat(sslSession.getLocalCertificates()).asList().containsExactly(clientSsc.cert());
+    assertThat(sslSession.getPeerCertificates()).asList().containsExactly(serverSsc.cert());
+  }
+
  @ParameterizedTest
  @MethodSource("provideTestCombinations")
  void testFailure_clientCertExpired(SslProvider sslProvider) throws Exception {
--- a/proxy/src/main/java/google/registry/proxy/EppProtocolModule.java
+++ b/proxy/src/main/java/google/registry/proxy/EppProtocolModule.java
@ -50,6 +50,7 @@ import javax.inject.Named;
 import javax.inject.Provider;
 import javax.inject.Qualifier;
 import javax.inject.Singleton;
+import org.joda.time.DateTime;

 /** A module that provides the {@link FrontendProtocol} used for epp protocol. */
@Module
@ -159,11 +160,19 @@ public final class EppProtocolModule {
  @Provides
  @EppProtocol
  static SslServerInitializer<NioSocketChannel> provideSslServerInitializer(
+      ProxyConfig config,
      SslProvider sslProvider,
      Supplier<PrivateKey> privateKeySupplier,
-      Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
+      Supplier<ImmutableList<X509Certificate>> certificatesSupplier,
+      Clock clock) {
    return new SslServerInitializer<>(
-        true, false, sslProvider, privateKeySupplier, certificatesSupplier);
+        true,
+        false,
+        sslProvider,
+        privateKeySupplier,
+        certificatesSupplier,
+        DateTime.parse(config.tlsEnforcementStartTime),
+        clock);
  }

  @Provides
--- a/proxy/src/main/java/google/registry/proxy/ProxyConfig.java
+++ b/proxy/src/main/java/google/registry/proxy/ProxyConfig.java
@ -48,6 +48,7 @@ public class ProxyConfig {
  public WebWhois webWhois;
  public HttpsRelay httpsRelay;
  public Metrics metrics;
+  public String tlsEnforcementStartTime;

  /** Configuration options that apply to GCS. */
  public static class Gcs {
--- a/proxy/src/main/java/google/registry/proxy/WebWhoisProtocolsModule.java
+++ b/proxy/src/main/java/google/registry/proxy/WebWhoisProtocolsModule.java
@ -21,6 +21,8 @@ import dagger.multibindings.IntoSet;
 import google.registry.networking.handler.SslServerInitializer;
 import google.registry.proxy.Protocol.FrontendProtocol;
 import google.registry.proxy.handler.WebWhoisRedirectHandler;
+import google.registry.util.Clock;
+import google.registry.util.DateTimeUtils;
 import io.netty.channel.ChannelHandler;
 import io.netty.channel.socket.nio.NioSocketChannel;
 import io.netty.handler.codec.http.HttpServerCodec;
@ -133,8 +135,15 @@ public final class WebWhoisProtocolsModule {
  static SslServerInitializer<NioSocketChannel> provideSslServerInitializer(
      SslProvider sslProvider,
      Supplier<PrivateKey> privateKeySupplier,
-      Supplier<ImmutableList<X509Certificate>> certificatesSupplier) {
+      Supplier<ImmutableList<X509Certificate>> certificatesSupplier,
+      Clock clock) {
    return new SslServerInitializer<>(
-        false, false, sslProvider, privateKeySupplier, certificatesSupplier);
+        false,
+        false,
+        sslProvider,
+        privateKeySupplier,
+        certificatesSupplier,
+        DateTimeUtils.END_OF_TIME,
+        clock);
  }
 }
--- a/proxy/src/main/java/google/registry/proxy/config/default-config.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/default-config.yaml
@ -8,6 +8,9 @@
 # GCP project ID
 projectId: your-gcp-project-id

+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "2021-04-01T16:00:00Z"
+
 # OAuth scope that the GoogleCredential will be constructed with. This list
 # should include all service scopes that the proxy depends on.
 gcpScopes:
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-alpha.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-alpha.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash-canary.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash-canary.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-crash.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-local.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-local.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox-canary.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox-canary.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"
--- a/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox.yaml
+++ b/proxy/src/main/java/google/registry/proxy/config/proxy-config-sandbox.yaml
@ -1 +1,4 @@
 # Add environment-specific proxy configuration here.
+
+# Time to begin enforcement of TLS versions and cipher suites.
+tlsEnforcementStartTime: "1970-01-01T00:00:00Z"