Verified Commit 19f62503 authored by Brendan Lynch, committed by GitLab

Merge branch 'docs-openssl3-upgrade-guide-ref' into 'master'

Reference OpenSSL 3 guide in 17.7 upgrade changes

See merge request !166244



Merged-by: Brendan Lynch <blynch@gitlab.com>
Approved-by: Dilan Orrino <dorrino@gitlab.com>
Reviewed-by: Achilleas Pipinellis - OOO until November 25th (parental leave) <axil@gitlab.com>
Co-authored-by: Achilleas Pipinellis <axil@gitlab.com>
Co-authored-by: Hossein Pursultani <hpursultani@gitlab.com>
parents b32e61e0 9f0040ad
Merge requests: !170053 Security patch upgrade alert: Only expose to admins 17-4; !166244 Reference OpenSSL 3 guide in 17.7 upgrade changes
Pipeline #1468355185 passed
......@@ -181,14 +181,19 @@ For more information, see [issue 480328](https://gitlab.com/gitlab-org/gitlab/-/
## 17.7.0
- The [Linux Package](https://docs.gitlab.com/omnibus/) upgrades OpenSSL from v1.1.1w to v3.0.0.
### OpenSSL 3 upgrade
NOTE:
Before upgrading to GitLab 17.7, use the [OpenSSL 3 guide](https://docs.gitlab.com/omnibus/settings/ssl/openssl_3.html)
to identify and assess the compatibility of your external integrations.
- The Linux package upgrades OpenSSL from v1.1.1w to v3.0.0.
- Cloud Native GitLab (CNG) already upgraded to OpenSSL 3 in GitLab 16.7.0. If you are using Cloud Native GitLab, no
action is needed. However, note that [Cloud Native Hybrid](../../administration/reference_architectures/index.md#recommended-cloud-providers-and-services) installations
use the Linux packages for stateful components, such as Gitaly. For those components, you will need to verify
the TLS versions, ciphers, and certificates that are used work with the security level changes discussed below.
With the upgrade to OpenSSL version 3:
With the upgrade to OpenSSL 3:
- GitLab requires TLS 1.2 or higher for all outgoing and incoming TLS connections.
- TLS/SSL certificates must have at least 112 bits of security. RSA, DSA, and DH keys shorter than 2048 bits, and ECC keys shorter than 224 bits are prohibited.
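Review bot: the sentence that closes the Cloud Native Hybrid bullet is hard to parse ("verify the TLS versions, ciphers, and certificates that are used work with the security level changes discussed below"); suggest "verify that the TLS versions, ciphers, and certificates those components use are compatible with the security level changes described below", and "you must verify" rather than "you will need to verify" to match the tense used elsewhere in the upgrade notes. Minor: the removed bullet linked "Linux Package" to https://docs.gitlab.com/omnibus/ and the replacement bullet drops that link; that is acceptable because the NOTE above now links the OpenSSL 3 guide, but confirm it was intentional.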
......@@ -199,17 +204,25 @@ considered secure. GitLab will fail to connect to services using TLS
1.0 or 1.1 with a `no protocols available` error message.
In addition, OpenSSL 3 increased the [default security level from level 1 to 2](https://docs.openssl.org/3.0/man3/SSL_CTX_set_security_level/#default-callback-behaviour),
raising the number of bits of security from 80 to 112. For example,
a certificate signed with an RSA key can use RSA-2048 but not RSA-1024. GitLab
will fail to connect to a service that uses a certificate signed with insufficient
bits with a `certificate key too weak` error message.
raising the minimum number of bits of security from 80 to 112. As a result,
certificates signed with RSA and DSA keys shorter than 2048 bits and ECC keys
shorter than 224 bits are prohibited.
GitLab will fail to connect to a service that uses a certificate signed with
insufficient bits with a `certificate key too weak` error message. For more
information, see the [certificate requirements](../../security/tls_support.md#certificate-requirements).
All components that are shipped with the Linux package are compatible with
OpenSSL 3. Therefore, you only need to verify the services and integrations that
are not part of the GitLab package and are ["external"](https://docs.gitlab.com/omnibus/settings/ssl/openssl_3.html#identifying-external-integrations).
SSH keys are not affected by this upgrade. OpenSSL sets
security requirements for TLS, not SSH. [OpenSSH](https://www.openssh.com/) and
[`gitlab-sshd`](../../administration/operations/gitlab_sshd.md) have their
own configuration settings for the allowed cryptographic algorithms.
Check the [GitLab documentation for the upgrade to OpenSSL 3](https://docs.gitlab.com/omnibus/settings/ssl/openssl_3.html) to ensure compatibility with your instance.
Check the [GitLab documentation on securing your installation](../../security/index.md)
for more details.
## 17.5.0
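Review bot: the new paragraph ("certificates signed with RSA and DSA keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited") repeats the bullet in the section above almost word for word but omits the DH keys that the bullet lists; either trim one of the two or keep them identical so readers do not wonder whether DH keys are treated differently. "GitLab will fail to connect" reads better as "GitLab fails to connect", consistent with the present-tense style of the surrounding notes. The replaced closing sentence linked directly to the OpenSSL 3 guide, while the new one points to the general security index; since the NOTE at the top of the section already links the guide this is acceptable, but the more specific link was the more useful one at this point in the text.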