Merge branch 'docs-openssl3-upgrade-guide-ref' into 'master'

Reference OpenSSL 3 guide in 17.7 upgrade changes See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/166244 Merged-by: Brendan Lynch <blynch@gitlab.com> Approved-by: Dilan Orrino <dorrino@gitlab.com> Reviewed-by: Achilleas Pipinellis - OOO until November 25th (parental leave) <axil@gitlab.com> Co-authored-by: Achilleas Pipinellis <axil@gitlab.com> Co-authored-by: Hossein Pursultani <hpursultani@gitlab.com>

Merge branch 'docs-openssl3-upgrade-guide-ref' into 'master'
19f62503 · Brendan Lynch · GitLab · b32e61e0 · 9f0040ad · 19f62503
--- a/doc/update/versions/gitlab_17_changes.md
+++ b/doc/update/versions/gitlab_17_changes.md
@@ -181,14 +181,19 @@ For more information, see [issue 480328](https://gitlab.com/gitlab-org/gitlab/-/
 ## 17.7.0
- The [Linux Package](https://docs.gitlab.com/omnibus/) upgrades OpenSSL from v1.1.1w to v3.0.0.
+### OpenSSL 3 upgrade
+NOTE:
+Before upgrading to GitLab 17.7, use the [OpenSSL 3 guide](https://docs.gitlab.com/omnibus/settings/ssl/openssl_3.html)
+to identify and assess the compatibility of your external integrations.
+- The Linux package upgrades OpenSSL from v1.1.1w to v3.0.0.
 - Cloud Native GitLab (CNG) already upgraded to OpenSSL 3 in GitLab 16.7.0. If you are using Cloud Native GitLab, no
  action is needed. However, note that [Cloud Native Hybrid](../../administration/reference_architectures/index.md#recommended-cloud-providers-and-services) installations
  use the Linux packages for stateful components, such as Gitaly. For those components, you will need to verify
  the TLS versions, ciphers, and certificates that are used work with the security level changes discussed below.
-With the upgrade to OpenSSL version 3:
+With the upgrade to OpenSSL 3:
 - GitLab requires TLS 1.2 or higher for all outgoing and incoming TLS connections.
 - TLS/SSL certificates must have at least 112 bits of security. RSA, DSA, and DH keys shorter than 2048 bits, and ECC keys shorter than 224 bits are prohibited.
@@ -199,17 +204,25 @@ considered secure. GitLab will fail to connect to services using TLS
 1.0 or 1.1 with a `no protocols available` error message.
 In addition, OpenSSL 3 increased the [default security level from level 1 to 2](https://docs.openssl.org/3.0/man3/SSL_CTX_set_security_level/#default-callback-behaviour),
-raising the number of bits of security from 80 to 112. For example,
+raising the minimum number of bits of security from 80 to 112. As a result,
-a certificate signed with an RSA key can use RSA-2048 but not RSA-1024. GitLab
+certificates signed with RSA and DSA keys shorter than 2048 bits and ECC keys
-will fail to connect to a service that uses a certificate signed with insufficient
+shorter than 224 bits are prohibited.
-bits with a `certificate key too weak` error message.
+GitLab will fail to connect to a service that uses a certificate signed with
+insufficient bits with a `certificate key too weak` error message. For more
+information, see the [certificate requirements](../../security/tls_support.md#certificate-requirements).
+All components that are shipped with the Linux package are compatible with
+OpenSSL 3. Therefore, you only need to verify the services and integrations that
+are not part of the GitLab package and are ["external"](https://docs.gitlab.com/omnibus/settings/ssl/openssl_3.html#identifying-external-integrations).
 SSH keys are not affected by this upgrade. OpenSSL sets
 security requirements for TLS, not SSH. [OpenSSH](https://www.openssh.com/) and
 [`gitlab-sshd`](../../administration/operations/gitlab_sshd.md) have their
 own configuration settings for the allowed cryptographic algorithms.
-Check the [GitLab documentation for the upgrade to OpenSSL 3](https://docs.gitlab.com/omnibus/settings/ssl/openssl_3.html) to ensure compatibility with your instance.
+Check the [GitLab documentation on securing your installation](../../security/index.md)
+for more details.
 ## 17.5.0