Default to TLSv1.3 for Nginx
What does this MR do?
This is the accompanying MR to gitlab!113083 (merged)
This only enables TLSv1.3 in the Nginx config and removes the DH-parameter setting as well as the SSL ciphers setting for source installations, bringing the config into line with the "modern" preset of the Mozilla SSL Configurator.
These changes make the Nginx configuration easier to understand and less error-prone since it has fewer knobs that can be turned. The changes require a minimum of OpenSSL 1.1, but this is compatible with GitLab itself. The minimum browser versions (Firefox 63 and Chrome 70) are far below anything browser vendors support.
I'm aware that this will also need accompanying changes in Omnibus, but I wanted to open this here first for discussion. Also, source installations are more flexible and an easier testbed for changes like these.
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
-
Merge Request Title, and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com -
Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks -
trigger-packagehas a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Tests added -
Integration tests added to GitLab QA -
Equivalent MR/issue for the GitLab Chart opened