---
title: Security advisory for Logjam vulnerability
date: 2015-05-21
author: Marin Jankovski
categories: company
---

The recently announced [Logjam vulnerability](https://weakdh.org/) lets a man-in-the-middle attacker downgrade a TLS connection to export-grade 512-bit Diffie-Hellman parameters, which are weak enough for the attacker to break and then read or modify the session. More details on what that is and what it means can be [found on the OpenSSL blog](https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/).

<!--more-->

### Impact on GitLab

GitLab's default NGINX configuration uses up-to-date TLS cipher suites:

* Export cipher suites are not used.
* Elliptic-Curve Diffie-Hellman (ECDHE) cipher suites are used.
* By default, 1024-bit DH groups are used.

This means that GitLab is safe in principle: the export-grade downgrade cannot happen. The weakdh.org researchers estimate, however, that an attacker with nation-state resources could break a 1024-bit DH group, so when 1024-bit groups are used there is a small chance that such an attacker could be eavesdropping.

If you find this insufficient for your GitLab installation, you can generate a 2048-bit DH group and point NGINX at it with the `ssl_dhparam` directive.

The parameters can be generated with the following command (it can take a while, since OpenSSL searches for a 2048-bit safe prime):

```bash
openssl dhparam -out dhparams.pem 2048
```
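Before pointing NGINX at the generated file it is worth confirming that it really contains what you expect. The script below is an added example, not part of the original post or of GitLab's tooling: it parses the PKCS#3 `DHParameter` structure that `openssl dhparam` writes using a minimal DER reader (standard library only), reports the size of the prime `p`, and checks that `p` is a safe prime with a usual generator. The 2048-bit threshold (`MIN_BITS`) and the toy sample file `SAMPLE_PEM` (p = 23, g = 5, constructed for illustration and deliberately too small) are this example's own assumptions.

```python
"""Sanity-check a PKCS#3 DH parameter file before deploying it to NGINX.

Added example (not GitLab's code). Standard library only.
"""
import base64
import random
import re
import sys

MIN_BITS = 2048  # assumption: smallest group this check accepts

# Constructed toy input (p = 23, g = 5) so the script runs without a real file.
# It is deliberately tiny and fails the size check below.
SAMPLE_PEM = """-----BEGIN DH PARAMETERS-----
MAYCARcCAQU=
-----END DH PARAMETERS-----
"""


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """Encode a non-negative INTEGER; the spare byte keeps the sign bit clear."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p, g):
    """Build DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } (test inputs)."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params(der):
    """Return (p, g) from a DER-encoded DHParameter."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p and g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def pem_to_der(pem_text):
    """Extract and decode the base64 body of a DH PARAMETERS PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; plenty of certainty for a deployment sanity check."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # found a witness of compositeness
    return True


def check_dh_params(der, min_bits=MIN_BITS):
    """Report size, generator and safe-primeness; ok is True only if all pass."""
    p, g = parse_dh_params(der)
    bits = p.bit_length()
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    problems = []
    if bits < min_bits:
        problems.append(f"prime is {bits} bits, below {min_bits}")
    if not safe:
        problems.append("p is not a safe prime (DSA-style parameters?)")
    if g not in (2, 5):
        problems.append(f"unusual generator {g}")
    return {"bits": bits, "generator": g, "safe_prime": safe,
            "ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Usage: python3 check_dhparams.py /etc/gitlab/ssl/dhparams.pem
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    result = check_dh_params(pem_to_der(text))
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A file produced by the `openssl dhparam ... 2048` command above passes all three checks. Anything shorter than 2048 bits, or a file whose prime is not a safe prime (for example DSA-style parameters from `openssl dhparam -dsaparam`), is reported with a non-zero exit code, which makes the check easy to wire into a deployment script.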

After the `dhparams.pem` file has been generated, you need to tell NGINX where the file is located:

#### GitLab installations using omnibus-gitlab packages

*For packages version 7.11.0 and up.*

Place the `dhparams.pem` file in `/etc/gitlab/ssl/` directory.

In `/etc/gitlab/gitlab.rb`, enable the following setting:

```ruby
nginx['ssl_dhparam'] = "/etc/gitlab/ssl/dhparams.pem"
```

and run `sudo gitlab-ctl reconfigure`.

More information can be [found in the omnibus-gitlab nginx documentation](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/7-11-stable/doc/settings/nginx.md#using-custom-ssl-ciphers).

*Workaround for packages prior to version 7.11.0*

Place the `dhparams.pem` file in `/etc/gitlab/ssl/` directory.

In `/etc/gitlab/gitlab.rb`, enable the following setting:

```ruby
nginx['custom_gitlab_server_config'] = "ssl_dhparam /etc/gitlab/ssl/dhparams.pem;\n"
```

and run `sudo gitlab-ctl reconfigure`.

#### GitLab installations from source

Place the generated `dhparams.pem` in a suitable location, for example `/etc/nginx/ssl/dhparams.pem`.

In the GitLab NGINX config, find the `ssl_dhparam` directive and set it to `ssl_dhparam /etc/nginx/ssl/dhparams.pem;`.

Reload your NGINX configuration.

### Impact on GitLab.com

GitLab.com is using 1024-bit DH groups. Older Java-based clients cannot negotiate DH primes larger than 1024 bits, so we have not enabled 2048-bit DH parameters yet, as this would prevent some people from using GitLab.com. We are looking into ways to keep a good SSL Labs score while still allowing users with older Java-based clients to use GitLab.com.

We are examining the impact of this and we will update this blog post once we have more information.