Published on May 21, 2015
2 min read
Find information from GitLab relating to the recently announced Logjam vulnerability which allows an attacker to do a man-in-the-middle attack!
The recently announced Logjam vulnerability allows a man-in-the-middle attacker to downgrade a TLS connection to 512-bit (export-grade) Diffie-Hellman parameters, which are weak enough to be broken and the session then decrypted. More details on what that is and what it means can be found on the openssl blog.
GitLab is using, by default, up-to-date SSL ciphers:
Export cipher suites are not used.
Elliptic-Curve Diffie-Hellman ciphers are used.
This means that GitLab is safe in principle: the downgrade to export-grade groups is not possible. When 1024-bit DH groups are in use there is still a small chance that an attacker with nation-state resources could break the group and eavesdrop.
If you find this insufficient for your GitLab installation, you can generate 2048-bit DH groups and enable the ssl_dhparam option in the NGINX config.
Params can be generated with:
openssl dhparam -out dhparams.pem 2048
After the dhparams.pem file has been generated you will need to tell Nginx where the file is located:
For packages version 7.11.0 and up
Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.
In /etc/gitlab/gitlab.rb, enable the following setting:
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
and run sudo gitlab-ctl reconfigure.
More information can be found in the omnibus-gitlab nginx documentation.
Workaround for packages prior to version 7.11.0
Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.
In /etc/gitlab/gitlab.rb, enable the following setting:
nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"
and run sudo gitlab-ctl reconfigure.
For installations from source
Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.
In the GitLab nginx config find the ssl_dhparam line and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;
Check the config with sudo nginx -t and then reload nginx.
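As an added example (not code from the GitLab post or from the omnibus-gitlab project), the following script puts the steps above together for an omnibus installation and adds the two checks a practitioner wants before and after the change: it refuses to install a parameter file that OpenSSL does not report as 2048-bit, and it verifies from the outside which DH group the server actually negotiates. It assumes the paths and gitlab.rb setting from this post, an OpenSSL 1.0.2 or newer client (older s_client versions do not print the "Server Temp Key" line), and uses gitlab.example.com as a placeholder host name.

```shell
#!/bin/sh
# Added example, not code from the GitLab post: generate 2048-bit DH parameters,
# refuse to install them unless OpenSSL confirms the size, wire them into
# omnibus-gitlab, and check what a live server actually negotiates.
# Assumptions: omnibus paths as in the post, openssl >= 1.0.2 on the machine
# running the check (the "Server Temp Key" line appears from 1.0.2 on), and a
# placeholder host name supplied on the command line.
set -eu

DHPARAM_BITS=2048
DHPARAM_FILE="${DHPARAM_FILE:-/etc/gitlab/ssl/dhparams.pem}"   # path from the post
GITLAB_RB="${GITLAB_RB:-/etc/gitlab/gitlab.rb}"

# Pull the modulus size out of `openssl dhparam -text -noout` output,
# e.g. "    DH Parameters: (2048 bit)". Prints nothing if no such line exists.
dh_bits_from_text() {
    sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed only when a size was found and it meets the requirement.
# $1 = bits found (may be empty), $2 = bits required
dh_bits_ok() {
    [ -n "$1" ] && [ "$1" -ge "$2" ]
}

# Pull the ephemeral key type and size out of `openssl s_client` output:
#   "Server Temp Key: DH, 2048 bits"         -> "DH 2048"
#   "Server Temp Key: ECDH, P-256, 256 bits" -> "ECDH 256"
server_temp_key() {
    sed -n 's/.*Server Temp Key: \([A-Za-z0-9]*\),.* \([0-9][0-9]*\) bits.*/\1 \2/p' | head -n 1
}

# Generate the group and verify the file before anything points at it.
generate_dhparams() {
    openssl dhparam -out "$DHPARAM_FILE" "$DHPARAM_BITS"
    chmod 0644 "$DHPARAM_FILE"
    bits=$(openssl dhparam -in "$DHPARAM_FILE" -text -noout | dh_bits_from_text)
    if ! dh_bits_ok "$bits" "$DHPARAM_BITS"; then
        echo "refusing to use $DHPARAM_FILE: found '${bits:-?}' bits, need $DHPARAM_BITS" >&2
        exit 1
    fi
}

# Add the gitlab.rb setting from the post (packages 7.11.0 and up) once, then reconfigure.
install_omnibus_setting() {
    if ! grep -q "^nginx\['ssl_dhparam'\]" "$GITLAB_RB"; then
        printf "nginx['ssl_dhparam'] = \"%s\"\n" "$DHPARAM_FILE" >> "$GITLAB_RB"
    fi
    gitlab-ctl reconfigure
}

# Force an ephemeral-DH suite over TLS 1.2 and report the group the server used.
# $1 = host:port, e.g. gitlab.example.com:443 (placeholder)
check_server() {
    host="${1%%:*}"
    key=$(openssl s_client -connect "$1" -servername "$host" -tls1_2 -cipher 'EDH' \
            </dev/null 2>/dev/null | server_temp_key)
    case "$key" in
        "DH "*)
            bits="${key#DH }"
            echo "$1: DHE group is $bits bits"
            dh_bits_ok "$bits" "$DHPARAM_BITS" || { echo "$1: below $DHPARAM_BITS bits" >&2; return 1; }
            ;;
        *)
            echo "$1: no DHE suite negotiated (${key:-none})" >&2
            return 1
            ;;
    esac
}

# Only act when explicitly asked, so the functions can also be sourced and tested.
case "${1:-}" in
    install) generate_dhparams; install_omnibus_setting ;;
    check)   check_server "${2:?host:port required}" ;;
esac
```

Run it as sh dhparam-check.sh install on the GitLab host, then sh dhparam-check.sh check gitlab.example.com:443 from elsewhere. If the check still reports a 1024-bit group after the reconfigure, nginx is not reading the new file and the ssl_dhparam path should be verified.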
GitLab.com is using 1024-bit DH groups. Due to incompatibilities with older Java-based clients (Java 7 and earlier reject DH primes larger than 1024 bits) we haven't enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.
We are examining the impact of this and we will update this blog post once we have more information.