Skip to content

GitLab Next

Projects
Groups
Snippets
Help

Loading...
Help
Sign in / Register

Security Department Meta Project

Project overview
Repository
Issues 22
Merge requests 2
- Merge requests 2
Requirements
CI/CD
Operations
Packages & Registries
Analytics
Snippets
- Snippets
Members
- Members
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards

Collapse sidebar

GitLab.com
GitLab Security Department
Security Department Meta Project
Issues
#202

Closed

Open

Created Sep 25, 2018 by Kathy Wang @kathyw14 of 14 tasks completed14/14 tasks

Deprecate support for TLS 1.0 and TLS 1.1

Currently, GitLab.com supports Transport Layer Security (TLS) 1.0 and TLS 1.1. There have been many serious security issues reported with TLS 1.0 and TLS 1.1, including but not limited to Heartbleed.

In addition, from a security compliance standpoint, the PCI DSS 3.1 standard mandates changes for TLS. This mandate is to exclude Secure Sockets Layer (SSL) 3.0, TLS 1.0, and some ciphers supported by TLS 1.1 from protocols supporting strong cryptography.

At GitLab, we take security very seriously, and we are always looking to raise the bar. The reality of it is that TLS 1.0 and TLS 1.1 support should have been deprecated a while ago, so we will be following the timeline outlined below to complete this initiative.

Our intent in creating this timeline is to minimize any potential operational disruptions to GitLab.com customers while deprecating TLS 1.0 and TLS 1.1 to improve the security posture of GitLab.com

By end of 2018

2018 Phase 1 (Complete this phase by end of October 15, 2018)

Blog post to announce the deprecation and timeline. /cc @gl-security
Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
Opt-in email notification to GitLab.com users. /cc @aoetama
Communicate this initiative and timeline to all of GitLab, including Sales and Marketing. /cc @gl-security

2018 Phase 2 (Complete this phase by end of November 15, 2018)

Production tests (need more details). /cc @skarbek @jarv @dawsmith
- Possible tools to use:
  - TLSSLed https://tools.kali.org/information-gathering/tlssled
  - sslyze https://github.com/nabla-c0d3/sslyze
  - testssl.sh https://testssl.sh/
  - sslscan https://github.com/rbsec/sslscan
  - nmap ssl-enum-ciphers https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
Quality testing gitlab-org/gitlab-ee#7794. /cc @meks
Blog post to follow up on status of deprecation rollout (e.g., any changes in timeline or not). /cc @gl-security
Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
Opt-in email notification to GitLab.com users. /cc @aoetama
Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security

2018 Phase 3 (Complete this phase by end of December 15, 2018)

Twitter feed announcement to give status of deprecation. /cc @borivoje @sumenkovic
Blog post to announce the deprecation rollout completion. /cc @gl-security
Opt-in email notification to GitLab.com users. /cc @aoetama
Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security

/cc @lyle @tatkins @tcooney @edjdev @sytses @glopezfernandez @Finotto @meks @mmcb @jordan_goodwin

Edited Dec 19, 2018 by Melissa Farber

Assignee

Assign to

None

Milestone

None

Assign milestone

Time tracking

None

Due date

None