1. Concepts
    1. SSL policies provide the ability to control the features of SSL that an SSL proxy or HTTPS load balancer negotiates with clients
    2. The term "SSL" refers to both the SSL and TLS protocols
    3. By default, HTTPS load balancing and SSL proxy load balancing use a set of SSL features that provides good security and wide compatibility
    4. Some applications require more control over which SSL versions and ciphers are used for their HTTPS or SSL connections
    5. SSL policies can be defined to control the features of SSL that a load balancer negotiates with clients
    6. An SSL policy can be used to configure the minimum TLS version and SSL features that are enabled in an HTTPS or SSL proxy load balancer
    7. SSL policies affect connections between clients and the HTTPS or SSL proxy load balancer
    8. SSL policies do not affect the connections between the load balancer and the backends
2. Definition
    1. To define an SSL policy, specify a minimum TLS version and a profile
    2. The profile selects a set of SSL features to enable in the load balancer
    3. Three Google-managed profiles allow users to specify the level of compatibility appropriate for applications
    4. A fourth custom profile allows users to select SSL features individually
3. Profiles
    1. COMPATIBLE: Allows the broadest set of clients, including those which support only out-of-date SSL features, to negotiate SSL with the load balancer
    2. MODERN: Supports a wide set of SSL features, allowing modern clients to negotiate SSL
    3. RESTRICTED: Supports a reduced set of SSL features, intended to meet stricter compliance requirements
    4. The SSL policy also specifies the minimum version of the TLS protocol that clients can use to establish a connection
    5. A profile can also restrict the versions of TLS that the load balancer can negotiate
    6. Ciphers enabled in the RESTRICTED profile are only supported by TLS 1.2
    7. Choosing the RESTRICTED profile effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version
    8. If none of the three pre-configured profiles is selected, create a custom SSL policy
    9. The default policy is equivalent to an SSL policy that uses the COMPATIBLE profile with a minimum TLS version of TLS 1.0
    10. You can attach an SSL policy to more than one proxy
    11. You cannot configure more than one SSL policy for a particular proxy
    12. HTTPS and SSL proxy load balancers do not support SSL versions 3.0 or earlier
4. Caveats
    1. Disabling particular SSL versions or ciphers could result in some clients, particularly older clients, being unable to connect to the proxy using HTTPS or SSL
    2. Disabling a sufficiently broad selection of ciphers in the CUSTOM profile could result in no clients being able to negotiate HTTPS
    3. The features that control cipher suites apply only to client connections that use TLS version 1.2 and earlier
    4. They do not control cipher selection in connections that use QUIC
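
The rules in these notes (one policy per proxy, the default being equivalent to COMPATIBLE with TLS 1.0, RESTRICTED effectively requiring TLS 1.2) can be checked against an inventory of proxies and policies. The following audit script is an added example, not part of the original notes or of Google's tooling; the sample data is constructed, and the field names `profile`, `minTlsVersion` and `sslPolicy` are assumed to match the JSON output of `gcloud compute ssl-policies list` and `gcloud compute target-https-proxies list`.

```python
import json

# Constructed sample inventory (not real resources).
POLICIES = json.loads("""[
  {"name": "pci-policy", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_0"},
  {"name": "web-policy", "profile": "MODERN", "minTlsVersion": "TLS_1_1"}
]""")
PROXIES = json.loads("""[
  {"name": "shop-proxy", "sslPolicy": "projects/example/global/sslPolicies/pci-policy"},
  {"name": "pay-proxy", "sslPolicy": "projects/example/global/sslPolicies/pci-policy"},
  {"name": "blog-proxy", "sslPolicy": "projects/example/global/sslPolicies/web-policy"},
  {"name": "legacy-proxy"}
]""")

# Only the TLS versions these notes mention, oldest first.
ORDER = ["TLS_1_0", "TLS_1_1", "TLS_1_2"]
# Per the notes: with no policy attached, the proxy behaves like
# the COMPATIBLE profile with a minimum TLS version of TLS 1.0.
DEFAULT = {"name": "(default)", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"}


def effective_min_tls(policy):
    """RESTRICTED ciphers exist only in TLS 1.2, so the configured minimum is moot."""
    if policy["profile"] == "RESTRICTED":
        return "TLS_1_2"
    return policy["minTlsVersion"]


def audit(proxies, policies, required="TLS_1_2"):
    """Return {proxy name: [issues]} for client-facing TLS settings."""
    by_name = {p["name"]: p for p in policies}
    findings = {}
    for proxy in proxies:
        # A proxy carries at most one policy; many proxies may share one.
        ref = proxy.get("sslPolicy")
        policy = by_name[ref.rsplit("/", 1)[-1]] if ref else DEFAULT
        issues = []
        if ref is None:
            issues.append("no SSL policy attached, default applies")
        floor = effective_min_tls(policy)
        if ORDER.index(floor) < ORDER.index(required):
            issues.append(f"effective minimum {floor} is below {required}")
        findings[proxy["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(PROXIES, POLICIES).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

The audit covers only the client-to-load-balancer side, since SSL policies do not affect connections from the load balancer to the backends.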