May 21, 2015 - Marin Jankovski

Security advisory for Logjam vulnerability

The recently announced Logjam vulnerability allows an attacker to perform a man-in-the-middle attack that downgrades a TLS connection to 512-bit Diffie-Hellman (DH) parameters. More details on what this is and what it means can be found on the OpenSSL blog.

Impact on GitLab

GitLab uses up-to-date SSL ciphers by default:

  • Export cipher suites are not used.
  • Elliptic-Curve Diffie-Hellman ciphers are used.
  • By default, 1024-bit DH groups are used.

This means that GitLab is safe in principle. When using 1024-bit DH groups there is a small chance that an attacker with nation-state resources could eavesdrop.

If you consider this insufficient for your GitLab installation, you can generate 2048-bit DH parameters and enable the ssl_dhparam option in the NGINX config.

Params can be generated with:

openssl dhparam -out dhparams.pem 2048

After the dhparams.pem file has been generated, you need to tell NGINX where the file is located:

GitLab installations using omnibus-gitlab packages

For package versions 7.11.0 and up.

Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"

and run sudo gitlab-ctl reconfigure.

More information can be found in the omnibus-gitlab nginx documentation.

Workaround for packages prior to version 7.11.0

Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"

and run sudo gitlab-ctl reconfigure.

GitLab installations from source

Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.

In the GitLab NGINX config, find the ssl_dhparam setting and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;.

Reload your NGINX config.
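A pre-deployment check for the steps above, added here as an example (it is not GitLab's or NGINX's own code): it parses a dhparams.pem file without shelling out to openssl, reports how many bits the prime p has, and confirms that an NGINX configuration fragment has an uncommented ssl_dhparam directive naming that file. The DH parameter file format is a PEM-wrapped DER SEQUENCE of two INTEGERs (p, then the generator g). The sample inputs at the bottom are constructed: a 2048-bit and a 512-bit odd number stand in for real safe primes (in practice the file comes from the openssl dhparam command shown earlier), and the /etc/nginx/ssl/dhparams.pem path is the one from the source-installation section.

```python
"""Pre-deployment check for the dhparams.pem + ssl_dhparam step.

Added example, not GitLab's or NGINX's own code. Parses a PEM
"DH PARAMETERS" file (DER SEQUENCE of two INTEGERs, p and g), reports
the size of p, and checks that an nginx config points ssl_dhparam at it.
"""
import base64
import re

MIN_DH_BITS = 2048  # the size the advisory tells you to generate


# --- minimal DER helpers, enough for the DH parameter structure --------------

def _der_len_encode(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_len_decode(buf: bytes, pos: int):
    """Return (length, position of the first content byte)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def _der_int_encode(value: int) -> bytes:
    # +8 (not +7) keeps a leading 0x00 byte when the top bit is set, so the
    # INTEGER stays positive under DER's two's-complement rule
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len_encode(len(body)) + body


def _der_sequence_ints(buf: bytes):
    """Yield the INTEGER values of a top-level DER SEQUENCE."""
    if not buf or buf[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    length, pos = _der_len_decode(buf, 1)
    end = pos + length
    while pos < end:
        if buf[pos] != 0x02:
            raise ValueError("expected a DER INTEGER, got tag 0x%02x" % buf[pos])
        ilen, pos = _der_len_decode(buf, pos + 1)
        yield int.from_bytes(buf[pos:pos + ilen], "big", signed=True)
        pos += ilen


# --- PEM encode (test fixture) / decode --------------------------------------

def encode_dhparams_pem(p: int, g: int) -> str:
    """Build a PEM file shaped like the one 'openssl dhparam -out' writes."""
    body = _der_int_encode(p) + _der_int_encode(g)
    der = b"\x30" + _der_len_encode(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def parse_dhparams(pem: str):
    """Return (p, g) from the PEM text of a dhparams.pem file."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    ints = list(_der_sequence_ints(der))
    if len(ints) < 2:
        raise ValueError("DH parameters must contain p and g")
    return ints[0], ints[1]


# --- the checks --------------------------------------------------------------

def dhparam_bits(pem: str) -> int:
    """Size of the prime p: the number 'openssl dhparam ... 2048' asks for."""
    p, _ = parse_dhparams(pem)
    return p.bit_length()


def nginx_ssl_dhparam_path(config: str):
    """Path named by the first uncommented ssl_dhparam directive, or None."""
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"ssl_dhparam\s+(\S+?)\s*;", line)
        if m:
            return m.group(1)
    return None


def check_deployment(pem: str, nginx_config: str, expected_path: str) -> list:
    """Return a list of findings; an empty list means the step was done right."""
    findings = []
    try:
        bits = dhparam_bits(pem)
        if bits < MIN_DH_BITS:
            findings.append("DH prime is %d bits; generate at least %d" % (bits, MIN_DH_BITS))
    except ValueError as exc:
        findings.append("cannot parse dhparams.pem: %s" % exc)
    path = nginx_ssl_dhparam_path(nginx_config)
    if path is None:
        findings.append("no uncommented ssl_dhparam directive in nginx config")
    elif path != expected_path:
        findings.append("ssl_dhparam points at %s, not %s" % (path, expected_path))
    return findings


# --- constructed sample input: odd numbers standing in for real safe primes --
STRONG_PEM = encode_dhparams_pem((1 << 2047) | 1, 2)  # 2048-bit modulus
WEAK_PEM = encode_dhparams_pem((1 << 511) | 1, 2)     # 512-bit, Logjam-sized
GOOD_CONFIG = "server {\n    ssl_dhparam /etc/nginx/ssl/dhparams.pem;\n}\n"
OLD_CONFIG = "server {\n    # ssl_dhparam /etc/nginx/ssl/dhparams.pem;\n}\n"

if __name__ == "__main__":
    for label, pem, cfg in (("good", STRONG_PEM, GOOD_CONFIG), ("weak", WEAK_PEM, OLD_CONFIG)):
        print(label, dhparam_bits(pem), check_deployment(pem, cfg, "/etc/nginx/ssl/dhparams.pem") or "OK")
```

Run it against the real file and config with parse_dhparams(open("/etc/gitlab/ssl/dhparams.pem").read()) and the rendered NGINX site config; an empty findings list is the signal that the 2048-bit group is both present and actually wired in before you reload.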

Impact on GitLab.com

GitLab.com is using 1024-bit DH groups. Due to incompatibilities with older Java-based clients we haven't enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.

We are examining the impact of this and we will update this blog post once we have more information.

