The recently announced Logjam vulnerability allows a man-in-the-middle attacker to downgrade a TLS connection to 512-bit DH parameters. More details on what that is and what it means can be found on the OpenSSL blog.
Impact on GitLab
GitLab is using, by default, up-to-date SSL ciphers:
- Export cipher suites are not used
- Elliptic-Curve Diffie-Hellman ciphers are used
- By default, 1024-bit DH groups are used
This means that GitLab is safe in principle. When using 1028-bit DH groups there is a small chance that an attacker with nation-state resources could be eavesdropping.
If you find this insufficient for your GitLab installation, you can generate 2048-bit DH groups and enable the ssl_dhparam option in the NGINX config.
Params can be generated with:
openssl dhparam -out dhparams.pem 2048
After the dhparams.pem file has been generated you will need to tell NGINX where the file is located:
GitLab installations using omnibus-gitlab packages
For packages version 7.11.0 and up.
Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.
In /etc/gitlab/gitlab.rb, enable the following setting:
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
and run sudo gitlab-ctl reconfigure.
More information can be found in the omnibus-gitlab NGINX documentation.
Workaround for packages prior to version 7.11.0
Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.
In /etc/gitlab/gitlab.rb, enable the following setting:
nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"
and run sudo gitlab-ctl reconfigure.
GitLab installations from source
Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.
In the GitLab NGINX config, find the ssl_dhparam setting and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;
Reload your NGINX config.
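Before pointing ssl_dhparam at a file, it is worth confirming that the group in it really is 2048 bits and not a leftover smaller one. The check below is an added example, not code from this post or from GitLab; it assumes the openssl command-line tool is installed, and the dh_bits/dh_check function names and the -dsaparam test files are my own choices for a quick, offline demonstration.

```shell
#!/bin/sh
# Added example (not from the GitLab post): verify the modulus size of a
# DH parameter file before referencing it from nginx's ssl_dhparam.
# Assumes the openssl command-line tool is installed.

# dh_bits FILE: print the bit length of the DH group in FILE (empty if unreadable)
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# dh_check FILE [MIN]: return 0 if the group is at least MIN bits (default 2048),
# 1 if it is smaller, 2 if the file cannot be parsed as DH parameters
dh_check() {
    min="${2:-2048}"
    bits="$(dh_bits "$1")"
    if [ -z "$bits" ]; then
        echo "$1: not a readable DH parameter file" >&2
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "$1: ${bits}-bit DH group is below the ${min}-bit minimum" >&2
        return 1
    fi
    echo "$1: ${bits}-bit DH group OK"
}

# Demonstration on constructed files. -dsaparam only makes generation fast
# enough for a test run; for production use the plain command from the post:
#   openssl dhparam -out dhparams.pem 2048
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
openssl dhparam -dsaparam -out "$demo_dir/weak.pem" 1024 2>/dev/null
openssl dhparam -dsaparam -out "$demo_dir/strong.pem" 2048 2>/dev/null

dh_check "$demo_dir/weak.pem" || true   # rejected: 1024-bit group
dh_check "$demo_dir/strong.pem"         # accepted: 2048-bit group
```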
Impact on GitLab.com
GitLab.com is using 1028-bit DH groups. Due to incompatibilities with older Java-based clients we have not enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.
We are examining the impact of this and we will update this blog post once we have more information.