doc updatetmp-ban-sha1

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-02-24 09:44:55 +0100
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2017-03-16 09:01:34 +0000
commit: 391dda6057e72fe789b8f193ae837d67725b82da (patch)
tree: 9cdad7e794b5b0d1448cba91975c1d29a727bbf8
parent: f57142c3347f4d3d8df0f7bb1c6933bf58e9d4f3 (diff)
download: gnutls-tmp-ban-sha1.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 81ada20690..aef8df2de1 100644
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,15 @@ See the end for copying conditions.
    gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
    in RFC5280.
 
+** libgnutls: SHA1 was removed from the trusted set of hashes. Verification
+   and other operations relying on SHA1 is now considered insecure and will
+   fail, unless flags intended to enable broken algorithms are set. This
+   can be reverted on compile time with the configure flag --enable-sha1-support.
+
+** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1
+   priority string options. These allows enabling all broken and SHA1-based signature
+   algorithms in certificate verification, respectively.
+
 ** certtool: the option '--load-ca-certificate' can now accept PKCS#11
    URLs in addition to files.
 
@@ -52,6 +61,7 @@ See the end for copying conditions.
 gnutls_x509_crt_set_flags: Added
 GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
 GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
+GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added
 GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-02-24 09:44:55 +0100
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2017-03-16 09:01:34 +0000
commit	391dda6057e72fe789b8f193ae837d67725b82da (patch)
tree	9cdad7e794b5b0d1448cba91975c1d29a727bbf8
parent	f57142c3347f4d3d8df0f7bb1c6933bf58e9d4f3 (diff)
download	gnutls-tmp-ban-sha1.tar.gz