In GitLab 17.5, the version of OpenSSL for Linux packages will be updated to OpenSSL 3. This upgrade changes the types of SSL connections the GitLab server can create and receive.
Which GitLab instances are impacted and how?
For self-managed users, all outbound connections from the GitLab instance will need to meet the minimum requirements of TLS 1.2 or above, along with at least 112-bit encryption for TLS certificates. Outbound connections not meeting this standard will fail. We recommend checking configured external integrations to ensure they are compatible with these minimum standards.
Inbound TLS connections to the GitLab server already require TLS 1.2 by default, as of GitLab 12.0.
Steps to take to address this change
Admins should take proactive measures to check your current external integration's TLS settings. Ensure you are using at least TLS 1.2 or above for external connections, and that your encryption is 112-bit. For those who are unsure how to verify your compliance with OpenSSL 3 for these external connections, you can follow this OpenSSL 3 upgrade guide in our documentation.
If you are unable to update your version of TLS in time, we recommend you remain on GitLab 17.4 until you can change the TLS configuration of external integrations.
It is possible to configure OpenSSL Version 3 to support insecure connections, however, we do not recommend doing so as it reduces the security posture of your instance and overrides default settings.
Why this change is being made
Typically, we would not make this change outside of a major release, however, we feel this change should be made more quickly in the interest of security. GitLab removed TLS connection support older than 1.2 in 2018 for GitLab.com, and all inbound connections for self-managed in 12.0.
We discovered this change impacted outbound connections with limited customer impact in 17.3, so we opted to delay the move to OpenSSL 3 to GitLab 17.5 as a result. With OpenSSL 1.1.1 now also end of life, we believe the upgrade in 17.5 is the best balance of user experience and good security practices.
Keep your instances up to date
The GitLab team understands the potential impact this change may have, and we are committed to assisting our users in any way possible to ensure a smooth update process. We value your security and are constantly working towards improving it with every release.
As always, we highly recommend keeping your GitLab instance up-to-date with the latest releases to ensure you have access to the most advanced features and security updates. This upcoming OpenSSL 3 update is just one example of how crucial it is to stay current with our software.
In addition, we understand that staying compliant with TLS versions and encryption standards can be a daunting task for self-managed users. That's why we offer extensive documentation and resources on our website to help guide you through the process. Our community forum is also a great place to ask questions and get support from other users who have gone through similar updates.
