Skip to content

GitLab

Pricing
Talk to an expert

/

Help
Projects Groups Snippets
Sign up now
Login
Sign in / Register

S Security Department Meta Project
Project information
- Project information
- Activity
- Labels
- Members
Repository
- Repository
- Files
- Commits
- Branches
- Tags
- Contributors
- Graph
- Compare
- Locked Files
Issues 29
- Issues 29
- List
- Boards
- Service Desk
- Milestones
- Iterations
- Requirements
Merge requests 1
- Merge requests 1
CI/CD
- CI/CD
- Pipelines
- Jobs
- Schedules
- Test Cases
Deployments
- Deployments
- Environments
- Releases
Packages and registries
- Packages and registries
- Container Registry
Monitor
- Monitor
- Incidents
Analytics
- Analytics
- Value stream
- CI/CD
- Code review
- Insights
- Issue
- Repository
Snippets
- Snippets
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards

Collapse sidebar

GitLab.com
GitLab Security Department
Security Department Meta Project
Issues
#202

Closed

Open

Issue created Sep 25, 2018 by Kathy Wang @kathyw14 of 14 checklist items completed14/14 checklist items

Deprecate support for TLS 1.0 and TLS 1.1

Currently, GitLab.com supports Transport Layer Security (TLS) 1.0 and TLS 1.1. There have been many serious security issues reported with TLS 1.0 and TLS 1.1, including but not limited to Heartbleed.

In addition, from a security compliance standpoint, the PCI DSS 3.1 standard mandates changes for TLS. This mandate is to exclude Secure Sockets Layer (SSL) 3.0, TLS 1.0, and some ciphers supported by TLS 1.1 from protocols supporting strong cryptography.

At GitLab, we take security very seriously, and we are always looking to raise the bar. The reality of it is that TLS 1.0 and TLS 1.1 support should have been deprecated a while ago, so we will be following the timeline outlined below to complete this initiative.

Our intent in creating this timeline is to minimize any potential operational disruptions to GitLab.com customers while deprecating TLS 1.0 and TLS 1.1 to improve the security posture of GitLab.com

By end of 2018

2018 Phase 1 (Complete this phase by end of October 15, 2018)

Blog post to announce the deprecation and timeline. /cc @gl-security
Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
Opt-in email notification to GitLab.com users. /cc @aoetama
Communicate this initiative and timeline to all of GitLab, including Sales and Marketing. /cc @gl-security

2018 Phase 2 (Complete this phase by end of November 15, 2018)

Production tests (need more details). /cc @skarbek @jarv @dawsmith
- Possible tools to use:
  - TLSSLed https://tools.kali.org/information-gathering/tlssled
  - sslyze https://github.com/nabla-c0d3/sslyze
  - testssl.sh https://testssl.sh/
  - sslscan https://github.com/rbsec/sslscan
  - nmap ssl-enum-ciphers https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
Quality testing gitlab-org/gitlab-ee#7794. /cc @meks
Blog post to follow up on status of deprecation rollout (e.g., any changes in timeline or not). /cc @gl-security
Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
Opt-in email notification to GitLab.com users. /cc @aoetama
Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security

2018 Phase 3 (Complete this phase by end of December 15, 2018)

Twitter feed announcement to give status of deprecation. /cc @borivoje @sumenkovic
Blog post to announce the deprecation rollout completion. /cc @gl-security
Opt-in email notification to GitLab.com users. /cc @aoetama
Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security

/cc @lyle @tatkins @tcooney @edjdev @sytses @glopezfernandez @Finotto @meks @mmcb @jordan_goodwin

Edited Dec 19, 2018 by Melissa Farber

Assignee

Assign to

Time tracking