Merge branch 'sh-backport-openssl-3-docs-17-2' into '17-2-stable-ee'

Improve OpenSSL 3 upgrading warning notes See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/165587 Merged-by: Stan Hu <stanhu@gmail.com> Approved-by: Eduardo Sanz García <esanz-garcia@gitlab.com>

Merge branch 'sh-backport-openssl-3-docs-17-2' into '17-2-stable-ee'
ad886c0b · Stan Hu · GitLab · 5ba96f11 · 7bae819e · ad886c0b
Unverified Commit ad886c0b authored 5 months ago by Stan Hu Committed by GitLab 5 months ago
--- a/data/deprecations/17-5-deprecated-openssl-1.yml
+++ b/data/deprecations/17-5-deprecated-openssl-1.yml
- title: 'Support for OpenSSL version 1' # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
+- title: 'TLS 1.0 and 1.1 are deprecated' # (required) Clearly explain the change, or planned change. For example, "The `confidential` field for a `Note` is deprecated" or "CI/CD job names will be limited to 250 characters."
  announcement_milestone: '17.4' # (required) The milestone when this feature was first announced as deprecated.
  removal_milestone: '17.5' # (required) The milestone when this feature is planned to be removed
  breaking_change: false # (required) Change to false if this is not a breaking change.
@@ -6,7 +6,11 @@
  stage: systems # (required) String value of the stage that the feature was created in. e.g., Growth
  issue_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164512
  body: | # (required) Do not modify this line, instead modify the lines below.
-    Long term support (LTS) for [OpenSSL version 1.1.1 ended in September 2023](https://endoflife.date/openssl).
+    Long term support (LTS) for [OpenSSL version 1.1.1 ended in September 2023](https://endoflife.date/openssl). Therefore, OpenSSL 3 will be the default in GitLab 17.5.
  
-    Therefore, we have deprecated support for incoming OpenSSL version 1 (TLS 1.0 or 1.1) connections to GitLab and will remove support in GitLab 17.5.
-    External integrations such as LDAP servers and webhooks must use OpenSSL version 3 (TLS 1.2).
+    With the upgrade to OpenSSL 3:
+
+    - GitLab requires TLS 1.2 or higher for all outgoing and incoming TLS connections.
+    - TLS/SSL certificates must have at least 112 bits of security. RSA, DSA, and DH keys shorter than 2048 bits, and ECC keys shorter than 224 bits are prohibited.
+
+    See the [GitLab 17.5 changes](https://docs.gitlab.com/ee/update/versions/gitlab_17_changes.html#1750) for more details.
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -774,7 +774,7 @@ This is one small step towards moving away from CI/CD templates in preference of
  
 <div class="deprecation " data-milestone="17.5">
  
-### Support for OpenSSL version 1
+### TLS 1.0 and 1.1 are deprecated
  
 <div class="deprecation-notes">
 - Announced in GitLab <span class="milestone">17.4</span>
@@ -782,10 +782,14 @@ This is one small step towards moving away from CI/CD templates in preference of
 - To discuss this change or learn more, see the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164512).
 </div>
  
-Long term support (LTS) for [OpenSSL version 1.1.1 ended in September 2023](https://endoflife.date/openssl).
+Long term support (LTS) for [OpenSSL version 1.1.1 ended in September 2023](https://endoflife.date/openssl). Therefore, OpenSSL 3 will be the default in GitLab 17.5.
  
-Therefore, we have deprecated support for incoming OpenSSL version 1 (TLS 1.0 or 1.1) connections to GitLab and will remove support in GitLab 17.5.
-External integrations such as LDAP servers and webhooks must use OpenSSL version 3 (TLS 1.2).
+With the upgrade to OpenSSL 3:
+
+- GitLab requires TLS 1.2 or higher for all outgoing and incoming TLS connections.
+- TLS/SSL certificates must have at least 112 bits of security. RSA, DSA, and DH keys shorter than 2048 bits, and ECC keys shorter than 224 bits are prohibited.
+
+See the [GitLab 17.5 changes](https://docs.gitlab.com/ee/update/versions/gitlab_17_changes.html#1750) for more details.
  
 </div>
 </div>

--- a/doc/update/versions/gitlab_17_changes.md
+++ b/doc/update/versions/gitlab_17_changes.md
@@ -119,7 +119,24 @@ For more information, see the:
  
 ## 17.5.0
  
- OpenSSL version 3 (TLS 1.2) is required for all incoming connections to GitLab, such as from LDAP servers and webhooks.
+With the upgrade to OpenSSL version 3:
+
+- GitLab requires TLS 1.2 or higher for all outgoing and incoming TLS connections.
+- TLS/SSL certificates must have at least 112 bits of security. RSA, DSA, and DH keys shorter than 2048 bits, and ECC keys shorter than 224 bits are prohibited.
+
+Older services, such as LDAP and Webhook servers, may still use TLS
+1.1. However, TLS 1.0 and 1.1 have reached end-of-life and are no longer
+considered secure. GitLab will fail to connect to services using TLS
+1.0 or 1.1 with a `no protocols available` error message.
+
+In addition, OpenSSL 3 increased the [default security level from level 1 to 2](https://docs.openssl.org/3.0/man3/SSL_CTX_set_security_level/#default-callback-behaviour),
+raising the number of bits of security from 80 to 112. For example,
+a certificate signed with an RSA key can use RSA-2048 but not RSA-1024. GitLab
+will fail to connect to a service that uses a certificate signed with insufficient
+bits with a `certificate key too weak` error message.
+
+Check the [GitLab documentation on securing your installation](../../security/index.md).
+for more details.
  
 ## 17.1.0