May 21, 2015

Security advisory for Logjam vulnerability

Find information from GitLab relating to the recently announced Logjam vulnerability which allows an attacker to do a man-in-the-middle attack!


The recently announced Logjam vulnerability allows an attacker performing a man-in-the-middle attack to downgrade a TLS connection to 512-bit DH parameters. More details on what that is and what it means can be found on the OpenSSL blog.

Impact on GitLab

By default, GitLab uses up-to-date SSL cipher settings:

  • Export cipher suites are not used.
  • Elliptic-Curve Diffie-Hellman ciphers are used.
  • By default, 1024-bit DH groups are used.

This means that GitLab is safe in principle. When using 1024-bit DH groups there is still a small chance that an attacker with nation-state resources could eavesdrop on connections.

If you find this insufficient for your GitLab installation, you can generate 2048-bit DH groups and enable the ssl_dhparam option in the NGINX config.

Params can be generated with:

openssl dhparam -out dhparams.pem 2048

After the dhparams.pem file has been generated, you will need to tell NGINX where the file is located:

GitLab installations using omnibus-gitlab packages

For package versions 7.11.0 and up.

Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"

and run sudo gitlab-ctl reconfigure.

More information can be found in the omnibus-gitlab NGINX documentation.

Workaround for packages prior to version 7.11.0

Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"

and run sudo gitlab-ctl reconfigure.

GitLab installations from source

Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.

In the GitLab NGINX config, find the ssl_dhparam setting and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;.

Reload your NGINX config.
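Before reloading NGINX it is worth confirming that the file you pointed ssl_dhparam at really contains a 2048-bit group and not, for example, a leftover 1024-bit or 512-bit file from an earlier experiment. The following script is an added example, not part of the original advisory or of GitLab's own code: it reads a PEM "DH PARAMETERS" file as written by the openssl dhparam command above (PKCS#3 DHParameter, a DER SEQUENCE of the prime p and generator g) using only the Python standard library, reports the width of p, and fails the check when it is below a chosen minimum. The two embedded sample files are constructed inline from integers of the right width so the script runs offline; they are not real safe primes and must not be used as actual DH parameters.

```python
"""Check the DH group size inside a PEM 'DH PARAMETERS' file such as dhparams.pem.

Added example; uses only the standard library. The PEM structure parsed here is the
PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }, which is what
`openssl dhparam -out dhparams.pem 2048` writes.
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte holds the length
        return first, pos + 1
    n = first & 0x7F                       # long form: next n bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_integer(buf, pos):
    """Decode a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    # DER integers are two's complement; a leading 0x00 keeps large primes positive.
    return int.from_bytes(buf[pos:pos + length], "big", signed=True), pos + length


def parse_dh_params(pem_text):
    """Return (p, g) from the PEM 'DH PARAMETERS' block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, pos = _der_length(der, 1)
    p, pos = _der_integer(der, pos)
    g, _ = _der_integer(der, pos)
    return p, g


def dh_group_bits(pem_text):
    """Width of the group modulus p in bits (what 'openssl dhparam -text' reports)."""
    return parse_dh_params(pem_text)[0].bit_length()


def check_dhparams(pem_text, minimum_bits=2048):
    """True when the group is at least minimum_bits wide; False for weaker groups."""
    return dh_group_bits(pem_text) >= minimum_bits


# --- encoder, used only to build the constructed samples below -------------

def _der_length_bytes(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer_bytes(value):
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the top bit is set.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_length_bytes(len(raw)) + raw


def encode_dh_params_pem(p, g):
    """Serialize (p, g) as a PEM 'DH PARAMETERS' block (PKCS#3 layout)."""
    body = _der_integer_bytes(p) + _der_integer_bytes(g)
    der = b"\x30" + _der_length_bytes(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed samples: integers of the right width, NOT real safe primes.
# They exist only so the parser can be exercised offline.
SAMPLE_2048 = encode_dh_params_pem((1 << 2047) | 1, 2)
SAMPLE_512 = encode_dh_params_pem((1 << 511) | 1, 2)

if __name__ == "__main__":
    # Usage: python check_dhparams.py /etc/gitlab/ssl/dhparams.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_2048
    bits = dh_group_bits(text)
    print("DH group: %d bits (%s)" % (bits, "OK" if bits >= 2048 else "too small"))
```

Run it against the real file (python check_dhparams.py /etc/gitlab/ssl/dhparams.pem) and cross-check with openssl dhparam -in dhparams.pem -text -noout, which prints the same width; the script only checks the size, so keep generating the actual parameters with openssl dhparam as described above rather than with this encoder.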

Impact on GitLab.com

GitLab.com is using 1024-bit DH groups. Due to incompatibilities with older Java-based clients we haven't enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.

We are examining the impact of this and we will update this blog post once we have more information.
