Remove TLSv1 support from defaults

We've kept TLSv1 in the list of defaults for a long while. The reason for this was that old Java IDE's would not be able to function with GitLab. However, the time has moved on and so should we.

I propose we remove TLSv1 from the list of default protocols for GitLab 10.

/cc @gitlab-build-team @joshlambert

marked this issue as related to gitlab-com/infrastructure#599

added Scheduled label

I think this is a good idea. Can we validate the Java IDE's though to see when they added support? I assume we will be retaining TLS v1.1 for now.

I tried to find details on Eclipse and EGit, as well as I imagine IntelliJ but had a hard time confirming when support was added.

@joshlambert I tried to find that too but it is nearly impossible. But to make it clear, we should just remove it from defaults and write documentation on how the issue manifests itself. Users will still be able to change the setting (unless they are GitLab.com users).

@marin maybe we could just quick grab Eclipse w/ EGit and Intellij (or whatever other tools were problematic) and validate?

I think it would be good to know ahead of time what trouble to expect here, and what guidance we can provide. For example, if you upgrade to X.Y.Z version it will work.

@mydigitalself, adding you for the GitLab.com perspective.

In a nutshell, we still by default allow TLSv1 which is a security concern. We tried to disable 2 years ago, but pushback from users of Java IDE's was strong as apparently they didn't support TLSv1.1 yet.

For security reasons we'd like to try to take the opportunity with 10.0 and turn off TLSv1. Obviously on-prem users have the benefit of being able to simply flip it back on again.

We should also probably document changing the setting here: https://docs.gitlab.com/omnibus/settings/configuration.html

@joshlambert thanks for the heads-up, I think we should just include a note about that in the deprecations section of the 10.0 blogpost.

I tested Eclipse Oxygen and IntelliJ 2017.2.

• With IntelliJ I was able to checkout, modify, and push to a repo with TLSv1 disabled. (1.1 minimum)
• With Eclipse I kept getting errors, but it seemed more project related than anything else. Eclipse was able to connect and retrieve the branches of my repo, so TLS did work.

Did I miss any other popular Java IDE's? I think these are the main two from my recollection.

Maybe Netbeans?

mentioned in merge request !1910 (merged)

closed via merge request !1910 (merged)

closed via commit 65224ad5

mentioned in commit 65224ad5