We are running Gitlab 15.6.0 with registry enabled, and currently we have these ciphers:
Host is up (0.0020s latency). PORT STATE SERVICE 4567/tcp open tram | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A | compressors: | NULL | cipher preference: client |_ least strength: A
We have a very old client, a production server, that can’t be upgraded right now, that support only these ciphers:
We are trying to add these new (old?) ciphers to /etc/gitlab/gitlab.rb, but everytime we try, the nginx component refuses to start, wit the following error:
2023/02/03 23:45:12 [emerg] 3127668#0: SSL_CTX_set_cipher_list("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)
We tried with nginx[“ssl_ciphers”], pages_nginx[“ssl_ciphers”] and registry_nginx[“ssl_ciphers”], but the final result is the same.
The error message is pretty obvious, but what we can do to actually be able to add these ciphers?
NOTE: our gitlab is not exposed on internet; it is accessible from the corporate LAN only, so security is not a concern in our context.
Thanks for any help.