Weak Nginx cipher introduced in 14.2
Summary
!5513 (merged) introduced AES256-GCM-SHA384 as an additional Nginx cipher because:
This means, if we don't have at least one cipher using RSA for key exchange, users who use a Classic Load Balancer in AWS with a certificate provided by ACM will see connections being dropped suddenly after upgrading to 14.1 (because we removed it in !5461 (merged)). This MR adds one such key back to cater to those users.
This cipher doesn't support forward secrecy and is therefore widely recognized as "weak".
Steps to reproduce
- Install GitLab using Omnibus
- Run the SSL Labs test against the instance: https://www.ssllabs.com/ssltest/analyze.html
- Check the result
What is the current bug behavior?
Weak cipher (AES256-GCM-SHA384) is used by default for all installations.
What is the expected correct behavior?
Weak cipher (AES256-GCM-SHA384) is only used for customers who need it (probably only AWS Classic Load Balancer customers). They need to configure this manually.
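The property the issue is about, forward secrecy, can be audited directly from the configured cipher string. The following is an added example (not from the issue or from Omnibus GitLab): it expands an OpenSSL-style cipher list the way nginx hands it to OpenSSL (for Omnibus that is the value of `nginx['ssl_ciphers']`) and reports the suites that use static RSA key exchange. The two cipher lists are constructed for illustration.

```ruby
# Added example, not Omnibus GitLab code: audit an OpenSSL-style cipher
# list for suites that lack forward secrecy.
#
# In OpenSSL's naming, TLS 1.2 suites with no key-exchange prefix
# (e.g. AES256-GCM-SHA384) use static RSA key exchange: the session key is
# encrypted under the server's long-term key, so a later compromise of that
# key exposes recorded traffic. Suites prefixed ECDHE-/DHE- and all TLS 1.3
# suites (TLS_*) use ephemeral key exchange and therefore have PFS.

require 'openssl'

# True when the named suite provides (authenticated) forward secrecy.
def forward_secret?(name)
  return true if name.start_with?('TLS_')   # TLS 1.3: always (EC)DHE
  name.match?(/\A(ECDHE|DHE|EDH)-/)        # ephemeral, authenticated kx
end

# Expands a cipher-list string exactly as OpenSSL would (keywords such as
# HIGH or !aNULL included) and returns the names of the suites that the
# server could negotiate without forward secrecy. Raises
# OpenSSL::SSL::SSLError if OpenSSL rejects the string.
def non_pfs_ciphers(cipher_list)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_list
  ctx.ciphers.map(&:first).reject { |name| forward_secret?(name) }
end

# Constructed lists: the first keeps the RSA-key-exchange suite the issue
# describes, the second is PFS-only.
WITH_RSA_KX = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384'
PFS_ONLY    = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'

if __FILE__ == $PROGRAM_NAME
  [WITH_RSA_KX, PFS_ONLY].each do |list|
    weak = non_pfs_ciphers(list)
    puts "#{list}\n  non-PFS suites: #{weak.empty? ? 'none' : weak.join(', ')}"
  end
end
```

Running it against the cipher string actually set in `/etc/gitlab/gitlab.rb` tells an operator whether the non-PFS suite is still offered after a reconfigure, independent of an external scanner.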
Relevant logs
Details of package version
14.6.4-ee.0
Environment details
- Operating System: Ubuntu 20.04
- Installation Target: OpenStack/KVM/QEMU
- Installation Type: Prod instance
- Is there any other software running on the machine: No
- Is this a single or multiple node installation? Single
- Resources
  - CPU: 8
  - Memory total: 32GB