Published on: May 21, 2015
2 min read
Find information from GitLab relating to the recently announced Logjam vulnerability which allows an attacker to do a man-in-the-middle attack!

The recently announced Logjam vulnerability allows an attacker to perform a man-in-the-middle attack that downgrades a TLS connection to 512-bit DH parameters. More details on what that is and what it means can be found on the OpenSSL blog.
GitLab uses up-to-date SSL ciphers by default:
Export cipher suites are not used.
Elliptic-Curve Diffie-Hellman ciphers are used.
By default, 1024-bit DH groups are used.
This means that GitLab is safe in principle. When using 1024-bit DH groups there is a small chance that an attacker with nation-state resources could be eavesdropping.
If you find this insufficient for your GitLab installation, you can generate 2048-bit DH groups and enable the ssl_dhparam option in the NGINX config. The parameters can be generated with:
openssl dhparam -out dhparams.pem 2048
After the dhparams.pem file has been generated you will need to tell NGINX where the file is located:
For omnibus packages version 7.11.0 and up:
Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.
In /etc/gitlab/gitlab.rb, enable the following setting:
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
and run sudo gitlab-ctl reconfigure.
More information can be found in the omnibus-gitlab nginx documentation.
Workaround for omnibus packages prior to version 7.11.0:
Place the dhparams.pem file in the /etc/gitlab/ssl/ directory.
In /etc/gitlab/gitlab.rb, enable the following setting:
nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"
and run sudo gitlab-ctl reconfigure.
For installations from source:
Place the generated dhparams.pem in a suitable location, for example /etc/nginx/ssl/dhparams.pem.
In the GitLab NGINX config, find the ssl_dhparam directive and set it to ssl_dhparam /etc/nginx/ssl/dhparams.pem;
Reload your NGINX config.
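Before pointing ssl_dhparam at a file, it is worth confirming that the file really contains a 2048-bit group and not a leftover smaller one. The following is an added example, not GitLab's or OpenSSL's code: it parses the PKCS#3 "DH PARAMETERS" PEM that openssl dhparam writes and reports the prime size. The sample files and their moduli are constructed placeholders for the parser, not real groups.

```python
import base64
import re

# Added example, not GitLab's code. PKCS#3 DH parameters (what
# `openssl dhparam` writes) are DER SEQUENCE { INTEGER p, INTEGER g }
# inside a "DH PARAMETERS" PEM block.
def _der_len(blob, i):
    """Decode a DER length at offset i -> (length, next offset)."""
    if blob[i] < 0x80:
        return blob[i], i + 1
    n = blob[i] & 0x7F
    return int.from_bytes(blob[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(blob, i):
    """Decode a DER INTEGER at offset i -> (value, next offset)."""
    if blob[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    n, start = _der_len(blob, i + 1)
    return int.from_bytes(blob[start:start + n], "big"), start + n

def parse_dh_params(pem):
    """Return (p, g) from a PEM DH PARAMETERS block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    return p, _der_int(der, i)[0]

def dh_group_bits(pem):  # size of p, i.e. the DH group size NGINX will offer
    return parse_dh_params(pem)[0].bit_length()

def assess(bits):  # classify the group size in the terms used in the post
    if bits < 1024:
        return "weak"        # export-grade range, what Logjam downgrades to
    if bits < 2048:
        return "acceptable"  # 1024-bit: nation-state precomputation plausible
    return "recommended"

def _pem(der):  # wrap DER in the PEM armour openssl writes (sample input only)
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % base64.b64encode(der).decode()

# Constructed sample files; moduli are placeholders, NOT safe primes, never use as real groups.
# Hand-encoded DER: the 0x00 pad byte keeps the INTEGER positive.
SAMPLE_2048 = _pem(b"\x30\x82\x01\x08\x02\x82\x01\x01\x00"
                   + ((1 << 2047) | 0xB5).to_bytes(256, "big") + b"\x02\x01\x02")
SAMPLE_512 = _pem(b"\x30\x46\x02\x41\x00" + ((1 << 511) | 0xB5).to_bytes(64, "big") + b"\x02\x01\x02")
```

Run dh_group_bits on the contents of your real dhparams.pem; the result should match what openssl dhparam -in dhparams.pem -text -noout prints as the parameter size.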
GitLab.com is using 1024-bit DH groups. Due to incompatibilities with older Java-based clients we haven't enabled 2048-bit DH params yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while allowing users with older Java-based clients to use GitLab.com.
We are examining the impact of this and we will update this blog post once we have more information.