
Default to TLSv1.3 in Nginx config

Jörg Behrmann requested to merge behrmann/gitlab:tls13default into master

What does this MR do and why?

This enables only TLSv1.3 in the Nginx config and removes the DH-parameter setting as well as the SSL ciphers setting for source installations, bringing the config into line with the "modern" preset of the Mozilla SSL Configurator.

These changes make the Nginx configuration easier to understand and less error-prone since it has fewer knobs that can be turned. The changes require a minimum of OpenSSL 1.1, but this is compatible with GitLab itself. The minimum browser versions (Firefox 63 and Chrome 70) are far below anything browser vendors support.

I'm aware that this will also need accompanying changes in Omnibus, but I wanted to open this here first for discussion. Also, source installations are more flexible and an easier testbed for changes like these.

How to set up and validate locally

  1. Install GitLab from source
  2. Change the Nginx configuration according to this MR
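As an added illustration of the change described in the MR body and of step 2 above (this is a constructed example, not the MR's diff and not GitLab's own Nginx file), a minimal server block is shown first with the settings the MR removes and then reduced to the TLSv1.3-only form. Hostname, certificate paths and the cipher list are placeholders, not values taken from GitLab.

```nginx
# Constructed example: hostname and paths are placeholders.

# --- BEFORE: TLSv1.2 with an explicit cipher list and DH parameters ---
server {
  listen 443 ssl http2;
  server_name gitlab.example.com;

  ssl_certificate     /etc/gitlab/ssl/gitlab.crt;   # placeholder path
  ssl_certificate_key /etc/gitlab/ssl/gitlab.key;   # placeholder path

  ssl_protocols TLSv1.2;

  # Each directive below is a knob that can drift out of date or be set wrongly:
  # a stale cipher list, a missing or weak dhparam file, a preference order
  # that no longer matches current guidance.
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/gitlab/ssl/dhparam.pem;           # placeholder path

  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # location / proxy_pass blocks unchanged, omitted here
}

# --- AFTER: TLSv1.3 only, the shape of the Mozilla "modern" profile ---
server {
  listen 443 ssl http2;
  server_name gitlab.example.com;

  ssl_certificate     /etc/gitlab/ssl/gitlab.crt;   # placeholder path
  ssl_certificate_key /etc/gitlab/ssl/gitlab.key;   # placeholder path

  # TLSv1.3 only. Nginx must be built against OpenSSL 1.1.1 or later,
  # which is where OpenSSL gained TLSv1.3 support.
  ssl_protocols TLSv1.3;

  # No ssl_ciphers: Nginx's ssl_ciphers directive configures the TLSv1.2-and-below
  # cipher list, not TLSv1.3 suites, and every TLSv1.3 suite is an AEAD with
  # forward secrecy, so there is nothing left to prune.
  # No ssl_dhparam: TLSv1.3 negotiates its key-exchange group from the
  # supported_groups extension and never reads a server-supplied DH parameter file.
  # Server-side preference is unnecessary when every suite on offer is acceptable.
  ssl_prefer_server_ciphers off;

  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  # location / proxy_pass blocks unchanged, omitted here
}
```

To validate the result locally: `nginx -V` shows the OpenSSL version Nginx was built against (it must be 1.1.1 or newer), `nginx -t` checks the edited file for syntax errors before a reload, and `openssl s_client -connect gitlab.example.com:443 -tls1_3` should complete a handshake while the same command with `-tls1_2` should be refused. Clients older than the minimum versions named in the MR (Firefox 63, Chrome 70) will fail to connect once TLSv1.2 is gone, so check any non-browser clients such as Git over HTTPS and CI runners against the new endpoint as well.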

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jörg Behrmann
