GitLab Security Department / Security Department Meta Project · Issue #202
Status: Closed

Created Sep 25, 2018 by Kathy Wang (@kathyw) · 14 of 14 tasks completed

Deprecate support for TLS 1.0 and TLS 1.1

Currently, GitLab.com supports Transport Layer Security (TLS) 1.0 and TLS 1.1. There have been many serious security issues reported with TLS 1.0 and TLS 1.1, including but not limited to Heartbleed.

In addition, from a security compliance standpoint, the PCI DSS 3.1 standard mandates changes for TLS. This mandate is to exclude Secure Sockets Layer (SSL) 3.0, TLS 1.0, and some ciphers supported by TLS 1.1 from protocols supporting strong cryptography.

At GitLab, we take security very seriously, and we are always looking to raise the bar. The reality of it is that TLS 1.0 and TLS 1.1 support should have been deprecated a while ago, so we will be following the timeline outlined below to complete this initiative.

Our intent in creating this timeline is to minimize any potential operational disruptions to GitLab.com customers while deprecating TLS 1.0 and TLS 1.1 to improve the security posture of GitLab.com.

By end of 2018

2018 Phase 1 (Complete this phase by end of October 15, 2018)

  • Blog post to announce the deprecation and timeline. /cc @gl-security
  • Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
  • Opt-in email notification to GitLab.com users. /cc @aoetama
  • Communicate this initiative and timeline to all of GitLab, including Sales and Marketing. /cc @gl-security

2018 Phase 2 (Complete this phase by end of November 15, 2018)

  • Production tests (need more details). /cc @skarbek @jarv @dawsmith
    • Possible tools to use:
      • TLSSLed https://tools.kali.org/information-gathering/tlssled
      • sslyze https://github.com/nabla-c0d3/sslyze
      • testssl.sh https://testssl.sh/
      • sslscan https://github.com/rbsec/sslscan
      • nmap ssl-enum-ciphers https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
  • Quality testing gitlab-org/gitlab-ee#7794. /cc @meks
  • Blog post to follow up on status of deprecation rollout (e.g., any changes in timeline or not). /cc @gl-security
  • Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
  • Opt-in email notification to GitLab.com users. /cc @aoetama
  • Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security
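The tools listed under "Production tests" all answer the same question: after the change lands, does the endpoint still complete a handshake at TLS 1.0 or TLS 1.1, and does it still serve TLS 1.2/1.3 so that current clients are not locked out? The following script is an added example of that verification step written against Python's standard `ssl` module; it is not code from this issue or from GitLab's own tooling. It assumes the operator passes their own hostname (and optionally port) on the command line, and the `SAMPLE_BEFORE` / `SAMPLE_AFTER` dictionaries are constructed illustrations of a pre- and post-deprecation scan, not real results.

```python
"""Probe which TLS protocol versions a server accepts and evaluate the result
against the deprecation policy: TLS 1.0 and TLS 1.1 must be refused, and at
least one of TLS 1.2 / TLS 1.3 must still be negotiable."""
import socket
import ssl
import sys

# Versions this deprecation removes. SSLv3 is excluded by the PCI DSS text as
# well, but Python's ssl module cannot negotiate it, so it is not probed here.
LEGACY_VERSIONS = ("TLSv1", "TLSv1.1")
MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample results (not real scan output) used by the demo run.
SAMPLE_BEFORE = {"TLSv1": True, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}
SAMPLE_AFTER = {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": True}


def probe_context(version):
    """Client context pinned to exactly one protocol version.

    Certificate validation is disabled on purpose: the probe only asks whether
    the server is willing to negotiate this version, not whether its chain
    validates for the hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so a "refused" result reflects the server, not our library.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def probe_server(host, port=443, timeout=5.0):
    """Return {version: True | False | None}.

    True  = the server completed a handshake at that version,
    False = the server refused it (handshake error or reset),
    None  = the local OpenSSL build cannot even attempt that version."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = probe_context(version)
        except (ValueError, ssl.SSLError):
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    # Check what was actually negotiated rather than trusting
                    # that the pinned version was honoured.
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def evaluate(accepted):
    """Apply the deprecation policy to a probe result. Returns (compliant, findings)."""
    findings = []
    for name in LEGACY_VERSIONS:
        state = accepted.get(name)
        if state is True:
            findings.append(f"{name} still accepted; must be disabled")
        elif state is None:
            findings.append(f"{name} could not be probed from this host")
    modern_ok = any(accepted.get(v) is True for v in MODERN_VERSIONS)
    if not modern_ok:
        findings.append("neither TLS 1.2 nor TLS 1.3 negotiated; clients would be locked out")
    compliant = all(accepted.get(v) is False for v in LEGACY_VERSIONS) and modern_ok
    return compliant, findings


if __name__ == "__main__":
    # Usage: python tls_probe.py <your-host> [port]; without arguments the
    # constructed samples are evaluated instead of a live endpoint.
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        result = probe_server(sys.argv[1], port)
    else:
        result = SAMPLE_AFTER
    ok, notes = evaluate(result)
    print("accepted versions:", result)
    print("compliant:", ok)
    for note in notes:
        print(" -", note)
```

A `None` result is deliberately not treated as compliant: on a host whose OpenSSL was built without TLS 1.0/1.1, the script cannot prove the server refuses them, so the finding tells the operator to re-run the probe from a machine that can (or to rely on one of the dedicated scanners listed above).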

2018 Phase 3 (Complete this phase by end of December 15, 2018)

  • Twitter feed announcement to give status of deprecation. /cc @borivoje @sumenkovic
  • Blog post to announce the deprecation rollout completion. /cc @gl-security
  • Opt-in email notification to GitLab.com users. /cc @aoetama
  • Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security

/cc @lyle @tatkins @tcooney @edjdev @sytses @glopezfernandez @Finotto @meks @mmcb @jordan_goodwin

Edited Dec 19, 2018 by Melissa Farber
Assignee: None · Milestone: None · Due date: None