May 21, 2015 - Marin Jankovski

Security advisory for Logjam vulnerability

The recently announced Logjam vulnerability allows a man-in-the-middle attacker to downgrade a TLS connection that uses Diffie-Hellman key exchange to export-grade 512-bit DH parameters, which are weak enough to break and then read or modify the session. More details on what that is and what it means can be found on the OpenSSL blog.

Impact on GitLab

GitLab ships, by default, an up-to-date TLS cipher configuration:

  • Export cipher suites are not used.
  • Elliptic-curve Diffie-Hellman (ECDHE) ciphers are used.
  • By default, 1024-bit DH groups are used.

This means that GitLab is safe in principle: with export suites disabled there is nothing for the downgrade to fall back to. When 1024-bit DH groups are used there is still a small chance that an attacker with nation-state resources could be eavesdropping, because precomputation against a widely shared 1024-bit group is within reach of such an attacker.

If you find this insufficient for your GitLab installation, you can generate a 2048-bit DH group and point NGINX at it with the ssl_dhparam option.

Parameters can be generated with the following command (generating a 2048-bit group can take several minutes):

openssl dhparam -out dhparams.pem 2048

After the dhparams.pem file has been generated you will need to tell Nginx where the file is located:

GitLab installations using omnibus-gitlab packages

For package versions 7.11.0 and up.

Place the dhparams.pem file in /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"

and do sudo gitlab-ctl reconfigure.

More information can be found in the omnibus-gitlab nginx documentation.

Workaround for packages prior to version 7.11.0

Place the dhparams.pem file in /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"

and run sudo gitlab-ctl reconfigure.

GitLab installations from source

Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.

In the GitLab nginx config, find the ssl_dhparam directive and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;.

Test the configuration with sudo nginx -t, then reload nginx (for example with sudo nginx -s reload).
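Before pointing nginx at the file it is worth confirming that dhparams.pem really contains a 2048-bit group: a file generated with the wrong size argument, or one left over from an earlier build, silently keeps you on the weaker group. The script below is an added example written for this post, not GitLab or OpenSSL code. It parses the PKCS#3 "DH PARAMETERS" PEM that openssl dhparam writes (a DER SEQUENCE of two INTEGERs, p and g) and reports the modulus size. The sample PEM blocks at the bottom are constructed from synthetic, non-prime moduli purely to exercise the size check, and encode_dh_params exists only to build them offline; never use them as real DH groups.

```python
import base64
import re

# Added example for this advisory: check what a PKCS#3 "DH PARAMETERS" PEM file
# (the format `openssl dhparam` writes) actually contains. Not GitLab/OpenSSL code.


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, buf[pos:end], end


def _der_integer(tag, value):
    if tag != 0x02 or not value:
        raise ValueError("expected a DER INTEGER")
    return int.from_bytes(value, "big", signed=True)


def parse_dh_params(pem_text):
    """Return (p, g) from a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    tag_p, raw_p, pos = _read_tlv(seq, 0)
    tag_g, raw_g, _ = _read_tlv(seq, pos)
    return _der_integer(tag_p, raw_p), _der_integer(tag_g, raw_g)


def dh_strength(pem_text, minimum_bits=2048):
    """Classify the group size along the lines this advisory uses."""
    p, g = parse_dh_params(pem_text)
    bits = p.bit_length()
    if bits < 1024:
        verdict = "export-grade: practical to break (Logjam)"
    elif bits < minimum_bits:
        verdict = "below minimum: within reach of a nation-state attacker"
    else:
        verdict = "ok"
    return {"bits": bits, "generator": g, "verdict": verdict,
            "strong_enough": bits >= minimum_bits}


# --- encoder, used here only to construct offline test input -----------------

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def _der_encode_integer(x):
    # minimal big-endian bytes; the formula adds a leading 0x00 when the top bit is set
    size = x.bit_length() // 8 + 1
    return b"\x02" + _der_length(size) + x.to_bytes(size, "big")


def encode_dh_params(p, g):
    """Inverse of parse_dh_params: build a PEM 'DH PARAMETERS' block."""
    body = _der_encode_integer(p) + _der_encode_integer(g)
    b64 = base64.b64encode(b"\x30" + _der_length(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed samples: these moduli are NOT primes (let alone safe primes) and
# must never be deployed; they only exercise the size check.
SAMPLE_2048 = encode_dh_params((1 << 2047) | 0x2A5, 2)
SAMPLE_1024 = encode_dh_params((1 << 1023) | 0x2A5, 2)
SAMPLE_512 = encode_dh_params((1 << 511) | 0x2A5, 2)

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_1024
    r = dh_strength(pem)
    print("DH group: %d bits, generator %d -> %s" % (r["bits"], r["generator"], r["verdict"]))
```

Run it as python dhcheck.py /etc/gitlab/ssl/dhparams.pem (the script name is an assumption). Once nginx has been reconfigured, the same thing can be confirmed from the network side with OpenSSL 1.0.2 or newer: openssl s_client -connect gitlab.example.com:443 -cipher DHE-RSA-AES128-SHA prints a "Server Temp Key: DH, 2048 bits" line for the group the server actually negotiated (gitlab.example.com is a placeholder).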

Impact on GitLab.com

GitLab.com is using 1024-bit DH groups. Due to incompatibilities with older Java-based clients (Java 7 and earlier cannot complete a handshake with DH primes larger than 1024 bits) we haven't enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.

We are examining the impact of this and we will update this blog post once we have more information.

For the latest and most detailed news follow @gitlab on Twitter.