- TLS 1.2 must be supported.
- A Server Name Indication (SNI) extension must be included in the handshake and must contain the domain that's being connected to.
- The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be supported with P-256 and uncompressed points.
- At least the certificates in https://pki.google.com/roots.pem must be trusted.
- Certificate handling must be able to support DNS Subject Alternative Names and those SANs may include a single wildcard as the left-most label in the name.
In order to make testing as easy as possible we have set up https://cert-test.sandbox.google.com, which requires points 1–3 to be met in order to make a successful connection. Thus, if your TLS client can’t connect to that host then you need to update your libraries or configuration.
No longer serving a cross-sign to Equifax
At the moment the certificate chains that Google properties serve most often include a cross-sign from our CA, GeoTrust, to our previous CA, Equifax. This allows clients that only trust our previous CA to continue to function. However, this cross-sign is only a transitional workaround for such clients and we will be removing it in the future. Clients that include our required set of root CAs (at https://pki.google.com/roots.pem) will not be affected, but any that don’t include the needed GeoTrust root may stop working.