Merge branch 'update_ssl_ciphers' into 'master'

Update ssl ciphers Removing all DHE suites from Nginx template SSL ciphers. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8. but will give A+ rating on SSL labs. Google sites also do not have DHE suites, [source](https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy) > Google's sites, for example, tend to not have any DHE suites in their configuration. [2013] See merge request !814

Merge branch 'update_ssl_ciphers' into 'master'
Update ssl ciphers Removing all DHE suites from Nginx template SSL ciphers. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8. but will give A+ rating on SSL labs. Google sites also do not have DHE suites, [source](https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy) > Google's sites, for example, tend to not have any DHE suites in their configuration. [2013] See merge request !814
9522a710 · Dmitriy Zaporozhets · 73007291 · 86d35ed3 · 9522a710 · 9522a710
Commit 9522a710 authored Jun 15, 2015 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletion

CHANGELOG CHANGELOG +1 -0

lib/support/nginx/gitlab-ssl lib/support/nginx/gitlab-ssl +1 -1

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@ v 7.13.0 (unreleased)
  - Remove project visibility icons from dashboard projects list
  - Rename "Design" profile settings page to "Preferences".
  - Allow users to customize their default Dashboard page.
+  - Update ssl_ciphers in Nginx example to remove DHE settings. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8

 v 7.12.0 (unreleased)
  - Fix post-receive errors on a push when an external issue tracker is configured (Stan Hu)

--- a/lib/support/nginx/gitlab-ssl
+++ b/lib/support/nginx/gitlab-ssl
@@ -73,7 +73,7 @@ server {
  ssl_certificate_key /etc/nginx/ssl/gitlab.key;

  # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;