Nginx SSL configuration: TLS v1.3 cipher suites and ECDH curve

Hi!

We have an installation of GitLab Community Edition [v17.4.2] on a Debian 12 server.

We updated the configuration for nginx in the config file /etc/gitlab/gitlab.rb, but it seems not all of the properties are actually applied (or not allowed or supported?).

The relevant configuration looks like this:

nginx['enable'] = true

nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:ECDHE-RSA-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:!DSS"
nginx['ssl_prefer_server_ciphers'] = "on"
nginx['ssl_protocols'] = "TLSv1.3 TLSv1.2"

nginx['ssl_ecdh_curve'] = "secp384r1"
nginx['ssl_conf_command'] = "Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

Now the TLS versions and the allowed ciphers are applied to the effective nginx config in /var/opt/gitlab/nginx/conf.

But the curve is not. There is no line with ssl_ecdh_curve in the effective nginx config.
Also, I don't know how the nginx configuration
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
to restrict TLS v1.3 ciphers would be used here or if that is even possible.

Also, when I check our site on Qualys SSL Labs I can see that the TLSv1.3 cipher TLS_AES_128_GCM_SHA256 is allowed (which we would want to exclude) and that the elliptic curve x25519 is used (instead of secp384r1).

According to the documentation (https://docs.gitlab.com/17.4/ee/security/hardening_configuration_recommendations.html) about hardening it should be possible to at least set ssl_ecdh_curve.

I just wanted to ask if these two things are simply not possible or if I’m doing something wrong here?

Thank you for your help!
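A quick way to see exactly what the poster describes, as an added example that is not part of the original thread or of GitLab's own tooling: parse the rendered nginx server block for its ssl_* directives, diff them against the values set in gitlab.rb, and work out which TLS 1.3 suites the rendered config actually permits (OpenSSL's default list applies unless an `ssl_conf_command Ciphersuites` line narrows it). The sample server block below is constructed, and the file path is an assumption; on a real host you would read the file under /var/opt/gitlab/nginx/conf instead.

```python
"""Compare the TLS settings intended in gitlab.rb with what was actually
rendered into the effective nginx config.

Added example: the server block is a constructed sample, not the poster's
real file, and the path mentioned in comments is an assumption.
"""
import re

# Constructed sample of a rendered server block. On a real host read the
# rendered file (assumed path: /var/opt/gitlab/nginx/conf/gitlab-http.conf).
SAMPLE_NGINX_CONF = """
server {
  listen *:443 ssl;
  ssl_certificate /etc/gitlab/ssl/gitlab.example.crt;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!DSS;
  ssl_prefer_server_ciphers on;
  # ssl_ecdh_curve and ssl_conf_command deliberately absent, as in the report
}
"""

# What was set in gitlab.rb (values taken from the question above).
INTENDED = {
    "ssl_protocols": "TLSv1.3 TLSv1.2",
    "ssl_prefer_server_ciphers": "on",
    "ssl_ecdh_curve": "secp384r1",
    "ssl_conf_command": "Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
}

# OpenSSL's built-in TLS 1.3 ciphersuite list, used when nothing restricts it.
OPENSSL_DEFAULT_TLS13 = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

DIRECTIVE_RE = re.compile(r"^\s*(ssl_[a-z_]+)\s+(.*?)\s*;\s*$")


def parse_ssl_directives(conf: str) -> dict:
    """Return {directive: [value, ...]} for every ssl_* directive in conf.

    Commented-out lines are skipped; a directive may legitimately repeat
    (nginx allows several ssl_conf_command lines), so values are lists.
    """
    found = {}
    for line in conf.splitlines():
        if line.strip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def missing_directives(conf: str, intended: dict) -> dict:
    """Intended directives that are absent from, or differ in, the rendered config."""
    actual = parse_ssl_directives(conf)
    problems = {}
    for name, value in intended.items():
        if name not in actual:
            problems[name] = "absent"
        elif value not in actual[name]:
            problems[name] = f"present but value differs: {actual[name]}"
    return problems


def tls13_suites_allowed(conf: str) -> list:
    """TLS 1.3 suites the rendered config permits.

    ssl_ciphers only governs TLS 1.2 and below; TLS 1.3 suites come from
    OpenSSL's default list unless an `ssl_conf_command Ciphersuites ...`
    line restricts them.
    """
    for value in parse_ssl_directives(conf).get("ssl_conf_command", []):
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "ciphersuites":
            return parts[1].split(":")
    return list(OPENSSL_DEFAULT_TLS13)


if __name__ == "__main__":
    for name, why in missing_directives(SAMPLE_NGINX_CONF, INTENDED).items():
        print(f"NOT APPLIED: {name} ({why})")
    print("TLS 1.3 suites allowed:", ", ".join(tls13_suites_allowed(SAMPLE_NGINX_CONF)))
```

Run against the constructed sample it reports ssl_ecdh_curve and ssl_conf_command as not applied and lists TLS_AES_128_GCM_SHA256 among the permitted TLS 1.3 suites, which matches the SSL Labs observation: without an `ssl_conf_command Ciphersuites` line nothing in the rendered config removes that suite, and without `ssl_ecdh_curve` nginx falls back to its default curve list, which is why x25519 shows up. To confirm on the wire after a reconfigure, `openssl s_client -connect host:443 -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256` should fail to negotiate once the restriction is actually in place.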

If you put the entry in /etc/gitlab/gitlab.rb and, after running gitlab-ctl reconfigure, it didn't show up in the configuration, it would suggest there is a bug, especially since the documentation includes it.

Probably the best bet would be to report it here: Issues · GitLab.org / GitLab · GitLab as I expect it’s something they have missed implementing but made documentation for it.