I’m not quite clear what does the move to OpenSSL 3, announced for GitLab 17.7, mean, because I couldn’t find this info in the documentation. We run GitLab CE on Amazon Linux 2, which has OpenSSL 1.0. Does this mean that we’ll need to migrate to another OS with OpenSSL 3 before upgrading to 17.7? In other words, is there dependency on system level OpenSSL?
When I enter admin mode I get
so I though OpenSSL version 3 was a requirement from 17.5?
It’s quite pointless that we even get that, as we terminate SSL on a pair of load-balancers in front of GitLab, and all the traffic it sees is unencrypted (but comes from one of the load-balancers).
My instance says 17.7 and the docs say that it was postponed from 17.5 to 17.7.
We also use an LB in front of GitLab and terminate TLS there, but the traffic is still encrypted between GitLab and LB.
OpenSSL is shipped in the GitLab Omnibus packages, not on system level, thus no OS upgrade required. When upgrading GitLab, OpenSSL 3 will be automatically provided as well.
The impact is explained in this blog post GitLab Linux package being upgraded to OpenSSL 3 in GitLab 17.7 and documentation Upgrading to OpenSSL 3 | GitLab
TL;DR - older clients (think: an API script, a webhook, etc.) that only support TLSv1.1 or before won’t be able to proceed with a TLS handshake with the GitLab server. And when certificates are used, and weak ciphers key algorithms are detected, it will fail as well. The docs provide methods to verify and test the impact.
3 Likes
Starting with the fact that I know CentOS 7 is EOL, get off of it, etc. 
I have a backlog of things we’re modernizing but just for scheduling: will my local, omnibus-based GitLab installation on CentOS 7 fail to upgrade if I haven’t moved it to linux8 by 17.7 in December?
As EL7 is no longer supported, there most likely won’t be a Gitlab 17.7 for CentOS 7 or any EL7 variant. Although they do seem to still be providing packages for EL7 as per here: gitlab/gitlab-ce - Results for 'gitlab-ce-17' and el/7 in gitlab/gitlab-ce that search is for gitlab-ce, but gitlab-ee will be the same. I’ve no idea what Gitlab’s EOL for EL7 packages will be, but I think OpenSSL 3 on EL7 might be problematic.
Gitlab aside, since there are no updates to EL7 it’s a security risk, it’s been EOL since June 2024 so over 4 months ago.
You would prob find it easier to install EL8 alongside your CentOS and use the Gitlab backup/restore procedures to restore it on the new server.
The GitLab Omnibus project and issues are a good place to search for package update plans. Issues · GitLab.org / omnibus-gitlab · GitLab I’ve searched for centos 7 and found the following:
- Stop building CentOS 7 packages (#8714) · Issues · GitLab.org / omnibus-gitlab · GitLab
- Deprecate support for Oracle Linux 7 (#8746) · Issues · GitLab.org / omnibus-gitlab · GitLab
- Deprecate support for Scientific Linux 7 (#8745) · Issues · GitLab.org / omnibus-gitlab · GitLab
Currently, the milestone is set for 17.6 which targets the November release (17.5 is October, this week Thursday).
1 Like
Thanks for the info, folks! I’m on track to get things moved to EL8 in the next couple of weeks (it’s one of the last remaining things we’re moving from 7 to 8), but we’re a small shop so I just like to know my options just in case. I appreciate the info and links.
1 Like