Merge branch 'remove_tlsv1' into 'master'

Remove TLSv1 from the list of accepted protocols.

Closes #2666

See merge request !1910

CHANGELOG.md

@@ -10,6 +10,7 @@ omnibus-gitlab repository.
 - Add option to pass EXTERNAL_URL during installation d0f30ef2
   * Saves users from manually editing gitlab.rb just to set the URL and hence
     makes installation process easier
+- Remove TLSv1 from the list of accepted ssl protocols
 - Moved the settings handling into the package cookbook and reduced code duplication in settings
 - Remove geo_bulk_notify_worker_cron 44def4b5

doc/settings/nginx.md

@@ -531,7 +531,7 @@ server {
       error_page 418 = @gitlab-workhorse;
       return 418;
   }
-  
+
   # Build artifacts should be submitted to this location
   location ~ /api/v4/jobs/[0-9]+/artifacts {
       client_max_body_size 0;
@@ -677,6 +677,21 @@ Make sure you don't have the `proxy_set_header` configuration in
 `nginx['custom_gitlab_server_config']` settings and instead use the
 ['proxy_set_headers'](https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl) configuration in your `gitlab.rb` file.
+##### javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
+
+Starting with GitLab 10, the omnibus-gitlab package no longer supports TLSv1 protocol by default.
+This can cause connection issues with some older Java based IDE clients when interacting with
+your GitLab instance.
+We strongly urge you to upgrade ciphers on your server, similar to what was mentioned
+in [this user comment](https://gitlab.com/gitlab-org/gitlab-ce/issues/624#note_299061).
+
+If it is not possible to make this server change, you can default back to the old
+behavour by changing the values in your `/etc/gitlab/gitlab.rb`:
+
+```
+nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
+```
+
 [recipes-web]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server
 [selinuxmod]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache#selinux-modifications
 [http2 protocol]: https://tools.ietf.org/html/rfc7540

files/gitlab-config-template/gitlab.rb.template

@@ -808,7 +808,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 ##! **Recommended by: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 ##!                   https://cipherli.st/**
-# nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
+# nginx['ssl_protocols'] = "TLSv1.1 TLSv1.2"
 ##! **Recommended in: https://nginx.org/en/docs/http/ngx_http_ssl_module.html**
 # nginx['ssl_session_cache'] = "builtin:1000  shared:SSL:10m"

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -562,7 +562,7 @@ default['gitlab']['nginx']['ssl_certificate'] = "/etc/gitlab/ssl/#{node['fqdn']}
 default['gitlab']['nginx']['ssl_certificate_key'] = "/etc/gitlab/ssl/#{node['fqdn']}.key"
 default['gitlab']['nginx']['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
 default['gitlab']['nginx']['ssl_prefer_server_ciphers'] = "on"
-default['gitlab']['nginx']['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+default['gitlab']['nginx']['ssl_protocols'] = "TLSv1.1 TLSv1.2" # recommended by https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
 default['gitlab']['nginx']['ssl_session_cache'] = "builtin:1000  shared:SSL:10m" # recommended in http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 default['gitlab']['nginx']['ssl_session_timeout'] = "5m" # default according to http://nginx.org/en/docs/http/ngx_http_ssl_module.html
 default['gitlab']['nginx']['ssl_dhparam'] = nil # Path to dhparam.pem