author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-02-24 09:44:55 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-03-16 09:01:34 +0000 |
commit | 391dda6057e72fe789b8f193ae837d67725b82da (patch) | |
tree | 9cdad7e794b5b0d1448cba91975c1d29a727bbf8 | |
parent | f57142c3347f4d3d8df0f7bb1c6933bf58e9d4f3 (diff) | |
download | gnutls-tmp-ban-sha1.tar.gz |
doc update [tmp-ban-sha1]
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | NEWS | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -42,6 +42,15 @@ See the end for copying conditions. gnutls_x509_crt_set_serial(), will fail on input considered to be invalid in RFC5280. +** libgnutls: SHA1 was removed from the trusted set of hashes. Verification + and other operations relying on SHA1 is now considered insecure and will + fail, unless flags intended to enable broken algorithms are set. This + can be reverted on compile time with the configure flag --enable-sha1-support. + +** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 + priority string options. These allows enabling all broken and SHA1-based signature + algorithms in certificate verification, respectively. + ** certtool: the option '--load-ca-certificate' can now accept PKCS#11 URLs in addition to files. @@ -52,6 +61,7 @@ See the end for copying conditions. gnutls_x509_crt_set_flags: Added GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added +GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added |
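Review bot: In the first NEWS hunk (@@ -42,6 +42,15 @@), the SHA1 entry says operations will fail "unless flags intended to enable broken algorithms are set" without naming any flag, so someone hitting new verification failures after upgrading has to search for the override. Name the verification flag that the API list in this same patch adds (GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1) and point to the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1 priority options described in the next entry. "Verification and other operations" is also vague; say which other operations are affected. Wording nits in the same added lines: "relying on SHA1 is now" should be "are now", "reverted on compile time" should be "at compile time", and "These allows" should be "These allow".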
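Review bot: In the API list hunk (@@ -52,6 +61,7 @@), only GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1 is recorded as added, while the NEWS text in this patch introduces two priority options, %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1. Nothing in the visible lines says which verification flag corresponds to %VERIFY_ALLOW_BROKEN or whether that flag predates this release. A short mention in the NEWS entry of the flag behind each priority option would let API callers and priority-string users find the equivalent setting, and would make clear that the SHA1 option is the narrower of the two.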