Adding extra ciphers to registry


We are running GitLab 15.6.0 with registry enabled, and currently we have these ciphers:

Host is up (0.0020s latency).

4567/tcp open  tram
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A

We have a very old client, a production server, that can’t be upgraded right now, that supports only these ciphers:


We are trying to add these new (old?) ciphers to /etc/gitlab/gitlab.rb, but every time we try, the nginx component refuses to start, with the following error:

2023/02/03 23:45:12 [emerg] 3127668#0: SSL_CTX_set_cipher_list("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)

We tried with nginx["ssl_ciphers"], pages_nginx["ssl_ciphers"] and registry_nginx["ssl_ciphers"], but the final result is the same.

The error message is pretty obvious, but what can we do to actually be able to add these ciphers?

NOTE: our GitLab is not exposed on the internet; it is accessible from the corporate LAN only, so security is not a concern in our context.

Thanks for any help.
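
Added example, not part of the original post: the names in the rejected string are IANA suite names, as nmap prints them, while nginx hands ssl_ciphers to OpenSSL's SSL_CTX_set_cipher_list(), which expects OpenSSL cipher names. The Ruby sketch below translates the string from the error line into that form; the helper names and the two lookup tables are assumptions of this example and cover only TLS 1.2 AES and ChaCha20 suites.

```ruby
# Added example (not from the original post): translate IANA suite names
# (TLS_..._WITH_...) into OpenSSL cipher names for a gitlab.rb ssl_ciphers line.

# Key exchange/authentication part: IANA form => OpenSSL prefix.
KEY_EXCHANGE = {
  "ECDHE_RSA" => "ECDHE-RSA-", "ECDHE_ECDSA" => "ECDHE-ECDSA-",
  "DHE_RSA" => "DHE-RSA-",
  "RSA" => "" # plain RSA key exchange has no prefix in OpenSSL names
}.freeze

# Cipher/MAC part: IANA form => OpenSSL form (TLS 1.2 AES and ChaCha20 only).
CIPHER = {
  "AES_128_GCM_SHA256" => "AES128-GCM-SHA256",
  "AES_256_GCM_SHA384" => "AES256-GCM-SHA384",
  "AES_128_CBC_SHA" => "AES128-SHA",
  "AES_256_CBC_SHA" => "AES256-SHA",
  "AES_128_CBC_SHA256" => "AES128-SHA256",
  "AES_256_CBC_SHA384" => "AES256-SHA384",
  "CHACHA20_POLY1305_SHA256" => "CHACHA20-POLY1305" # OpenSSL drops the PRF hash
}.freeze

# Translate one IANA suite name; returns nil if it is outside the tables.
def iana_to_openssl(iana)
  m = /\ATLS_(.+?)_WITH_(.+)\z/.match(iana.strip)
  return nil unless m && KEY_EXCHANGE.key?(m[1]) && CIPHER.key?(m[2])
  KEY_EXCHANGE[m[1]] + CIPHER[m[2]]
end

# Pull the rejected cipher string out of an nginx [emerg] log line.
def rejected_cipher_list(log_line)
  log_line[/SSL_CTX_set_cipher_list\("([^"]*)"\)/, 1]
end

# Build the gitlab.rb line for a setting such as registry_nginx.
def gitlab_rb_line(setting, iana_list)
  names = iana_list.split(":")
  unknown = names.reject { |n| iana_to_openssl(n) }
  raise ArgumentError, "no translation for: #{unknown.join(', ')}" unless unknown.empty?
  ciphers = names.map { |n| iana_to_openssl(n) }.join(":")
  "#{setting}['ssl_ciphers'] = \"#{ciphers}\""
end

# The [emerg] line quoted in the post.
LOG = '2023/02/03 23:45:12 [emerg] 3127668#0: SSL_CTX_set_cipher_list("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match)'.freeze

puts gitlab_rb_line("registry_nginx", rejected_cipher_list(LOG))
```

The translated string can be checked on the GitLab host with `openssl ciphers -v '<string>'` before it goes into gitlab.rb; that command lists the suites the local OpenSSL build resolves it to.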