The recently announced Logjam vulnerability allows an attacker who can man-in-the-middle a connection to downgrade TLS to export-grade 512-bit Diffie-Hellman parameters, which are weak enough to be broken offline. More details on what that is and what it means can be found on the OpenSSL blog.

Impact on GitLab

GitLab is using, by default, an up-to-date TLS cipher list:

This means that GitLab is safe in principle: the export-grade DHE cipher suites that the Logjam downgrade relies on are not offered. When using 1024-bit DH groups there is still a small chance that an attacker with nation-state resources could be eavesdropping, since the Logjam researchers estimate that the precomputation needed to break a single widely used 1024-bit group is within reach of such an attacker.

If you find this insufficient for your GitLab installation, you can generate a 2048-bit DH group and enable the ssl_dhparam option in the NGINX config. Note that ssl_dhparam only affects the DHE (finite-field) cipher suites; ECDHE suites use elliptic-curve groups and do not read this file.

Params can be generated with (this takes a few minutes, since OpenSSL searches for a safe prime):

openssl dhparam -out dhparams.pem 2048
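
Before pointing NGINX at the generated file it is worth confirming that it really contains a 2048-bit safe prime; a leftover 1024-bit file from an earlier run would silently keep you on the weak group. openssl dhparam -in dhparams.pem -check -text -noout reports this; the Python script below, an added example that is not part of the original post or of GitLab's tooling, does the same check without shelling out. It parses the PKCS#3 DHParameter PEM that openssl dhparam writes, reports the prime size, and refuses anything under 2048 bits or anything that is not a safe prime. The encode_dhparams_pem helper and the inputs built with it exist only to construct test vectors (the large composite used there is not a real group); run the script on your own dhparams.pem.

```python
"""Sanity-check a dhparams.pem before handing it to NGINX's ssl_dhparam.
Added example for this post; not GitLab's code."""
import base64
import random
import re

MIN_BITS = 2048  # the size this post recommends; 1024-bit groups are the Logjam concern

def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 when the top bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_dhparams_pem(p, g):
    """Build a 'DH PARAMETERS' PEM block; used here only to construct test inputs."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def _read_der_len(data, i):
    """Return (length, index of first content byte) for the DER length field at data[i]."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_dhparams_pem(pem_text):
    """Return (p, g) from DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    seq_len, i = _read_der_len(der, 1)
    end = i + seq_len
    values = []
    while i < end and len(values) < 2:  # optional privateValueLength (third INTEGER) is ignored
        if der[i] != 0x02:
            raise ValueError("expected a DER INTEGER")
        n, i = _read_der_len(der, i + 1)
        values.append(int.from_bytes(der[i:i + n], "big", signed=True))
        i += n
    if len(values) != 2:
        raise ValueError("DHParameter must carry both prime and base")
    return values[0], values[1]

def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True

def check_dhparams(pem_text, min_bits=MIN_BITS):
    """Return a findings dict; 'ok' is True only when every check passes."""
    p, g = parse_dhparams_pem(pem_text)
    findings = {
        "bits": p.bit_length(),
        "large_enough": p.bit_length() >= min_bits,
        "generator_in_range": 1 < g < p - 1,
        "p_prime": is_probable_prime(p),
    }
    # openssl dhparam emits safe primes (p = 2q + 1 with q prime); anything else is suspect
    findings["safe_prime"] = findings["p_prime"] and is_probable_prime((p - 1) // 2)
    findings["ok"] = all(findings[k] for k in ("large_enough", "generator_in_range", "safe_prime"))
    return findings

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "dhparams.pem") as fh:
        result = check_dhparams(fh.read())
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it as python check_dhparams.py /etc/gitlab/ssl/dhparams.pem; a non-zero exit means the file should not be deployed. The safe-prime test matters because NGINX will happily load any well-formed parameter file, and a non-safe prime can expose a small subgroup to an attacker.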

After the dhparams.pem file has been generated you will need to tell NGINX where the file is located:

GitLab installations using omnibus-gitlab packages

For package versions 7.11.0 and up.

Place the dhparams.pem file in /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"

and run sudo gitlab-ctl reconfigure.

More information can be found in the omnibus-gitlab nginx documentation.

Workaround for packages prior to version 7.11.0

Place the dhparams.pem file in /etc/gitlab/ssl/ directory.

In /etc/gitlab/gitlab.rb, enable the following setting:

nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"

and run sudo gitlab-ctl reconfigure.

GitLab installations from source

Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.

In the GitLab NGINX config, find the ssl_dhparam directive and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;.

Reload your NGINX config, for example with sudo nginx -t && sudo nginx -s reload.

Impact on GitLab.com

GitLab.com is using 1024-bit DH groups. Due to incompatibilities with older Java-based clients (Java 7 and earlier reject DH primes larger than 1024 bits) we haven't enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.

We are examining the impact of this and we will update this blog post once we have more information.
