Security advisory for smtp settings

Marin Jankovski
Mar 17, 2015

In GitLab 7.8.x, the SMTP settings example file contained the line openssl_verify_mode: 'none'. With that value GitLab did not verify the mail server's TLS certificate, so anyone able to intercept the connection between GitLab and the mail server could present their own certificate and read the SMTP credentials and every message GitLab sent.

The confusion came from the assumption that none is the default value when TLS is enabled, i.e. that it behaves the same as omitting the setting. After contacting a Rails team member we learned that omitting openssl_verify_mode defaults to peer, so an explicit 'none' is strictly weaker than the default.

If you installed from source, have SMTP enabled with TLS, and your settings file contains the line above, we advise you to change it to openssl_verify_mode: 'peer' (removing the line gives the same result, since peer is the default). If your mail server presents a certificate your system does not trust, delivery will fail after the change until you add that certificate or its CA to the trust store; that failure is the verification doing its job.
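To make the difference between the two values concrete, here is an added example (not GitLab's or Rails' code) that starts a throwaway TLS listener on localhost presenting a self-signed certificate, which is what an untrusted party in the path would present, and then connects to it the way an SMTP client would under each setting. The hostname mail.example.test, the certificate and the banner are constructed for the example; the mapping of the setting string to an OpenSSL verify constant, and nil standing for an omitted setting, are assumptions that follow the advisory's description rather than the Mail gem's actual code.

```ruby
require 'openssl'
require 'socket'

# Map the GitLab/Rails setting string to an OpenSSL verify mode. An omitted
# setting (nil) is treated as 'peer', matching what the advisory reports for
# Rails; the string-to-constant mapping is an assumption of this example.
def verify_mode_for(setting)
  return OpenSSL::SSL::VERIFY_PEER if setting.nil?
  OpenSSL::SSL.const_get("VERIFY_#{setting.upcase}")
end

# Constructed, in-memory self-signed certificate standing in for the cert an
# untrusted party (or an attacker in the path) would present as the mail server.
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# One-shot TLS listener on 127.0.0.1 that presents `cert` and, if the client
# completes the handshake, sends an SMTP-style banner. Returns [port, thread].
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp  = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  ssl  = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = ssl.accept
      conn.puts '220 mail.example.test ESMTP'
      conn.close
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
      # The client refused our certificate and aborted the handshake.
    ensure
      ssl.close
    end
  end
  [port, thread]
end

# Connect the way an SMTP client would, using the given verify mode and the
# system trust store (which does not contain the throwaway cert).
def try_connect(port, verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.cert_store  = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  sock = TCPSocket.new('127.0.0.1', port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.sync_close = true
  ssl.connect
  banner = ssl.gets
  ssl.close
  banner ? :accepted : :rejected
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock.close if sock && !sock.closed?
end

# Run one handshake against the untrusted server with the given
# openssl_verify_mode value ('none', 'peer', or nil for an omitted setting).
def outcome_for(setting)
  key, cert = make_self_signed_cert('mail.example.test')
  port, thread = start_tls_server(key, cert)
  result = try_connect(port, verify_mode_for(setting))
  thread.join
  result
end

if $PROGRAM_NAME == __FILE__
  puts "openssl_verify_mode: 'none' -> #{outcome_for('none')}"
  puts "openssl_verify_mode: 'peer' -> #{outcome_for('peer')}"
  puts "setting omitted            -> #{outcome_for(nil)}"
end
```

With 'none' the handshake completes and the client happily reads the banner from a server whose identity was never checked; with 'peer', or with the setting omitted, the client aborts the handshake because the certificate does not chain to a trusted CA, which is exactly the protection the advisory restores.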

Installations using omnibus packages are not affected.
