Mar 17, 2015 - Marin Jankovski

Security advisory for smtp settings

Learn more about security advisory for smtp settings for GitLab Community Edition (CE) and Enterprise Edition (EE)

In GitLab 7.8.x, smtp settings example file contained the line openssl_verify_mode: 'none'. This meant that mail server TLS certificate wasn't verified by GitLab.

Confusion came from assumption that none is the default value when TLS is enabled and that it behaved the same as when the setting is omitted. In contact with Rails team member we've learned omitting openssl_verify_mode defaults to peer.

If you have installation from source, smtp enabled, TLS enabled and the above setting we advise you to change the setting to openssl_verify_mode: 'peer'.

Installations using omnibus packages are not affected.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source