Deprecate support for TLS 1.0 and TLS 1.1
Currently, GitLab.com supports Transport Layer Security (TLS) 1.0 and TLS 1.1. There have been many serious security issues reported with TLS 1.0 and TLS 1.1, including but not limited to Heartbleed.
In addition, from a security compliance standpoint, the PCI DSS 3.1 standard mandates changes for TLS. This mandate is to exclude Secure Sockets Layer (SSL) 3.0, TLS 1.0, and some ciphers supported by TLS 1.1 from protocols supporting strong cryptography.
At GitLab, we take security very seriously, and we are always looking to raise the bar. The reality is that TLS 1.0 and TLS 1.1 support should have been deprecated a while ago, so we will be following the timeline outlined below to complete this initiative.
Our intent in creating this timeline is to minimize any potential operational disruptions to GitLab.com customers while deprecating TLS 1.0 and TLS 1.1 to improve the security posture of GitLab.com.
By end of 2018
2018 Phase 1 (Complete this phase by end of October 15, 2018)
- Blog post to announce the deprecation and timeline. /cc @gl-security
- Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
- Opt-in email notification to GitLab.com users. /cc @aoetama
- Communicate this initiative and timeline to all of GitLab, including Sales and Marketing. /cc @gl-security
2018 Phase 2 (Complete this phase by end of November 15, 2018)
- Production tests (need more details). /cc @skarbek @jarv @dawsmith
  - Possible tools to use:
    - TLSSLed https://tools.kali.org/information-gathering/tlssled
    - sslyze https://github.com/nabla-c0d3/sslyze
    - testssl.sh https://testssl.sh/
    - sslscan https://github.com/rbsec/sslscan
    - nmap ssl-enum-ciphers https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
- Quality testing gitlab-org/gitlab-ee#7794. /cc @meks
- Blog post to follow up on status of deprecation rollout (e.g., any changes in timeline or not). /cc @gl-security
- Twitter feed announcement, pointing to blog post. /cc @borivoje @sumenkovic
- Opt-in email notification to GitLab.com users. /cc @aoetama
- Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security
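An added example to accompany the Phase 2 production tests (not part of the original issue, nor code from any of the tools listed above): a small Python probe that pins a client handshake to one protocol version at a time and reports which versions an endpoint still negotiates, plus a pass/fail check for the deprecation policy. The host name and port are assumptions; point it at the endpoint under test.

```python
import socket
import ssl

# Versions the plan wants refused once the rollout completes.
DEPRECATED = {"TLSv1", "TLSv1.1"}
MODERN = ("TLSv1.2", "TLSv1.3")

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def handshake_with(host, version, port=443, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only probing version support, not certificate validity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL >= 1.1.0 refuses to offer TLS 1.0/1.1 at security level >= 1,
        # so lower it for the probe; otherwise every legacy probe would report False.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # min == max, so success means exactly this version
    except (ssl.SSLError, ValueError, OSError):
        return False


def probe(host, port=443):
    """Map each version name to whether `host` negotiated it."""
    return {name: handshake_with(host, ver, port) for name, ver in VERSIONS.items()}


def policy_violations(results):
    """Deprecated versions the server still accepts, e.g. ['TLSv1'] before rollout."""
    return sorted(v for v in DEPRECATED if results.get(v))


def rollout_complete(results):
    """True only when no deprecated version negotiates AND a modern one does
    (a host that negotiates nothing is unreachable or misconfigured, not done)."""
    return not policy_violations(results) and any(results.get(v) for v in MODERN)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    res = probe(host)
    for name, ok in res.items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
    print("rollout complete" if rollout_complete(res) else f"violations: {policy_violations(res)}")
```

Run it once before the rollout to record a baseline and again after each change; a result where nothing negotiates is a reachability or configuration problem, not a passing check.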
2018 Phase 3 (Complete this phase by end of December 15, 2018)
- Twitter feed announcement to give status of deprecation. /cc @borivoje @sumenkovic
- Blog post to announce the deprecation rollout completion. /cc @gl-security
- Opt-in email notification to GitLab.com users. /cc @aoetama
- Communicate latest timeline and status to all of GitLab, including Sales and Marketing. /cc @gl-security
/cc @lyle @tatkins @tcooney @edjdev @sytses @glopezfernandez @Finotto @meks @mmcb @jordan_goodwin