Having the browser set to TLS 1.2 and 1.3 and limited to these strong cipher suites:
ecdhe_ecdsa_aes_256_gcm_sha384
ecdhe_ecdsa_aes_256_sha
ecdhe_ecdsa_chacha20_poly1305_sha256
ecdhe_rsa_aes_256_gcm_sha384
ecdhe_rsa_aes_256_sha
ecdhe_rsa_chacha20_poly1305_sha256
the connection with gitlab.labs.nic.cz fails:
Secure Connection Failed
An error occurred during a connection to gitlab.labs.nic.cz. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Thus would appreciate that when the certificates gets renewed there would be support for those cipher suites.
In my book it is but I would prefer this thread not going into a discussion about it but rather have the cipher suite support on the domain in question, similar to what is available on this forum.
SHA
The Secure Hash Algorithm [SHS] is defined in FIPS PUB 180-2. It
produces a 20-byte output. Note that all references to SHA
(without a numerical suffix) actually use the modified SHA-1
algorithm.
AFAIK, it is widely used and probably mandatory from already stated RFC about TLS1.2. Also, as you can see, even SSLLabs is ok with your two SHA1 cipher suites.
Gitlab server is not managed by Turris team in CZ.NIC and as I said, I have reported them the issue about potentially weak cipher suites.