Investigate if/how Import TLS use follows/recommends best practice
See https://gitlab.com/gitlab-org/manage/import/backend/discussion/-/issues/9 for context
TLS protects confidentiality and integrity of information as it is transmitted. It is a common requirement in compliance frameworks (see references below).
Proposal
- Identify what versions (or lack thereof) of TLS are permitted in Import / Export network requests (see also https://gitlab.com/gitlab-org/manage/import/backend/discussion/-/issues/11)
- Also identify whether invalid/expired/untrusted/self-signed certificates are rejected
- Identify if there is a legitimate use-case for weak TLS (e.g. self-hosted GitLab talking to a legacy ____ on premise, or enterprise proxies intercepting and resigning requests). (Product / Solution Architects might know)
- Decide a path forward, e.g.:
- Creating issues to document the risk
- Creating issues to allow administrator configuration of TLS version enforcement
- Creating issues to hard-code TLS version enforcement
- e.g. in integrations like AWS, or GitHub, where we know they'll have the latest TLS
Progress
Import Source | Sources supports plaintext HTTP? | Source supports TLS < v1.2? | Source supports weak ciphers? | Expired certificates rejected? | Improperly signed certificates rejected? |
---|---|---|---|---|---|
GitLab.com | |||||
GitLab self-hosted 1 | Yes, it's the default | ||||
GitHub.com | |||||
GitHub Enterprise (self-hosted) |
- Custom certificates are supported in omnibus. We should accept ones that are properly installed, and reject ones that aren't.
References
- https://gitlab.com/gitlab-com/gl-security/security-research/cryptographic-standards
- https://about.gitlab.com/handbook/engineering/security/security-assurance/security-compliance/guidance/cryptographic-protections.html
- https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection
Edited by Nick Malcolm