I upgraded to 14.1.1, and my API calls from the PowerShell cmdlet Invoke-RestMethod on Server 2012 R2 stopped working. Through investigation, I found that only TLS1.2 and TLS1.3 are enabled in 14.1.1, so I proceeded to enable TLS1.2 in Server 2012 R2 (not enabled by default and TLS1.3 not supported). I then ran into a cipher problem, finding that the two ciphers below (displayed for TLS1.2 when scanned with ssllabs.com) were only supported in Server 2016 and higher:
So then I examined the TLS Cipher Suites in Windows 8.1 section (TLS Cipher Suites in Windows 8.1 - Win32 apps | Microsoft Docs), cross-referencing this list with an examination of the system using IISCrypto and also the results of /usr/bin/openssl ciphers -v | grep TLSv1.2 on the Gitlab server. It appears that the cipher below is the only candidate supported by Server 2012 R2 and the Gitlab server:
So then I updated the /etc/gitlab/gitlab.rb file with the following:
nginx['ssl_ciphers'] = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256"
And followed that with a sudo gitlab-ctl reconfigure && sudo gitlab-ctl hup nginx.
I checked the /var/opt/gitlab/nginx/conf/gitlab-http.conf file and confirmed the cipher was showing there.
# GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256';
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_session_timeout 1d;
Just to make sure I wasn’t crazy, I temporarily enabled TLS1.1 via /etc/gitlab/gitlab.rb, did a reconfigure and hup nginx, confirmed the gitlab-http.conf file was showing the change, and then re-ran my scans. To my surprise, TLS1.1 still didn’t show as an enabled protocol!
However, when I uncomment nginx['ssl_prefer_server_ciphers'] and set it to "on", the scans do reflect "server order", which seems to imply the changes I am making are indeed finding their way to the running nginx web server instance. But I am at a loss as to why I cannot get the cipher I need to become available. Is there something I am missing?
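As an added example (not part of the original post), a POSIX shell script that asks the running nginx directly, via openssl s_client, which TLS 1.2 cipher it actually negotiates for each entry of an ssl_ciphers list, so the external scan can be cross-checked from the GitLab host itself. The GITLAB_HOST/GITLAB_PORT variables are placeholders and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: probe the running nginx with
# openssl s_client to see which TLS 1.2 cipher it really negotiates,
# independently of what gitlab-http.conf says. Requires the openssl CLI.

# Read `openssl s_client` output on stdin and print "PROTOCOL CIPHER".
# Exits 1 when no cipher was negotiated (openssl then prints "Cipher : 0000").
parse_handshake() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END {
            if (cipher == "" || cipher == "0000") exit 1
            print proto, cipher
        }'
}

# Attempt a TLS 1.2 handshake offering exactly one cipher; print what was agreed.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        -cipher "$cipher" </dev/null 2>/dev/null | parse_handshake
}

# Walk a colon-separated cipher list (the same format as nginx / gitlab.rb)
# and report, per cipher, whether the server accepts it under TLS 1.2.
check_candidates() {
    host=$1; port=$2; list=$3
    for c in $(printf '%s' "$list" | tr ':' ' '); do
        if result=$(probe_cipher "$host" "$port" "$c"); then
            printf '%-40s accepted (%s)\n' "$c" "$result"
        else
            printf '%-40s rejected\n' "$c"
        fi
    done
}

# Usage (placeholder host): GITLAB_HOST=gitlab.example.com sh probe_ciphers.sh
if [ -n "${GITLAB_HOST:-}" ]; then
    check_candidates "$GITLAB_HOST" "${GITLAB_PORT:-443}" \
        'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256'
fi
```

A cipher reported as rejected here but present in ssl_ciphers points at the certificate type (ECDSA suites need an ECDSA certificate) or at a different nginx instance than the one that was reconfigured.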