doc update

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
author: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-02-24 09:44:55 +0100
committer: Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-03-16 15:47:10 +0100
commit: f313fd45f01c8520b78908c926cf3bf735cacc5b (patch)
tree: 3e6aa3d38e060c89eb0e8864f41143120467d3d1 /NEWS
parent: a95400aaaf0a19cad9215a6e7767146bd689ff73 (diff)
download: gnutls-f313fd45f01c8520b78908c926cf3bf735cacc5b.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 81ada20690..aef8df2de1 100644
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,15 @@ See the end for copying conditions.
    gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
    in RFC5280.
 
+** libgnutls: SHA1 was removed from the trusted set of hashes. Verification
+   and other operations relying on SHA1 is now considered insecure and will
+   fail, unless flags intended to enable broken algorithms are set. This
+   can be reverted on compile time with the configure flag --enable-sha1-support.
+
+** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1
+   priority string options. These allows enabling all broken and SHA1-based signature
+   algorithms in certificate verification, respectively.
+
 ** certtool: the option '--load-ca-certificate' can now accept PKCS#11
    URLs in addition to files.
 
@@ -52,6 +61,7 @@ See the end for copying conditions.
 gnutls_x509_crt_set_flags: Added
 GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
 GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
+GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added
 GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added
author	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-02-24 09:44:55 +0100
committer	Nikos Mavrogiannopoulos <nmav@redhat.com>	2017-03-16 15:47:10 +0100
commit	f313fd45f01c8520b78908c926cf3bf735cacc5b (patch)
tree	3e6aa3d38e060c89eb0e8864f41143120467d3d1 /NEWS
parent	a95400aaaf0a19cad9215a6e7767146bd689ff73 (diff)
download	gnutls-f313fd45f01c8520b78908c926cf3bf735cacc5b.tar.gz