Default to TLSv1.3 in Nginx config
What does this MR do and why?
This only enables TLSv1.3 in the Nginx config and removes the DH-parameter setting as well as the SSL ciphers setting for source installations, bringing the config into line with the "modern" preset of the Mozilla SSL Configurator.
These changes make the Nginx configuration easier to understand and less error-prone since it has fewer knobs that can be turned. The changes require a minimum of OpenSSL 1.1, but this is compatible with GitLab itself. The minimum browser versions (Firefox 63 and Chrome 70) are far below anything browser vendors support.
I'm aware that this will also need accompanying changes in Omnibus, but I wanted to open this here first for discussion. Also, source installations are more flexible and an easier testbed for changes like these.
How to set up and validate locally
- Install GitLab from source
- Change the Nginx configuration according to this MR
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.