As we announced in our October 15 blog post, GitLab's plan to discontinue support for TLS 1.0 and 1.1 on GitLab.com and in our GitLab API by December 15, 2018 is on track. At the time of our announcement, we provided a link to this public issue that is being used to track progress of this initiative and provide updates to the GitLab community.
In addition, part of our commitment to our community is to provide a vehicle through which to test your integrations, API tokens, and browsers, in an effort to minimize any potential operational disruptions.
How to test for potential disruptions
Our efforts to minimize any potential operational disruptions to GitLab.com and GitLab API users while discontinuing support for TLS 1.0 and TLS 1.1 include making our canary production environment available for TLS 1.2 compatibility testing. The environment has been configured to support TLS 1.2 only, and should be used to test your integrations and browsers.
API tokens or scripting
To test integrations that use API tokens or scripting, please point them to a base URL of canary.gitlab.com.
To test any of your browsers, please test using canary.gitlab.com/help or another URL related to your project or group.
Please carry out testing to ensure that your connections are successful using this endpoint prior to December 15, 2018. If your integrations are affected and you need additional support, please email the GitLab Security Team at firstname.lastname@example.org.
As always, we will continue to monitor TLS 1.0 and 1.1 vulnerabilities and will adapt our timeline as required to mitigate protocol-level issues if they arise. Updates to timelines will be posted to our Twitter feed and tracked in this public issue. Additionally, GitLab.com users who have opted to receive security alert emails from GitLab will receive status updates regarding the this deprecation process. If you have any questions, please reach out to the Security Team by emailing email@example.com.
Identified client incompatibilities
The majority of traffic should be unaffected by the discontinuation of support for TLS versions 1.0 and 1.1. Currently, the vast majority of the requests to GitLab.com are using up-to-date clients with support for TLS 1.2. While there are a few remaining clients that we believe will be affected (see below), most of these can be updated to work with TLS 1.2.
Git-Credential-Manager-for-Windows prior to 1.14.0
Versions prior to 1.14.0 of Git-Credential-Manager-for-Windows do not support TLSv1.2. This can be addressed by updating to v1.14.0.
Git on Red Hat 5, < 6.8, and < 7.2
Users running Red Hat 5 are advised to upgrade to a newer version of the operating system as Red Hat does not have a point release planned for 5 that supports TLS 1.2. Git clients shipped with Red Hat 6 and 7 did not support TLSv1.2, which can be remediated by updating to versions 6.8 and 7.2 respectively.
JGit/Java releases < JDK 8
Versions of the JDK 6 and prior do not support TLSv1.2. We advise users of JDK <= 6 to upgrade to a newer version of the JDK.
The latest version of Visual Studio 2017 supports TLSv1.2. Users not running the latest version are advised to upgrade.