From bf4c4f9cd5c5b2539dc6a1afb0e8265d169c4727 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 14 Apr 2021 15:38:46 +0200 Subject: [PATCH] Reword changelog entry for removal of SHA-1 from the default TLS configuration. Signed-off-by: Mateusz Starzyk --- ChangeLog.d/remove_allow_sha1_in_certificates | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/ChangeLog.d/remove_allow_sha1_in_certificates b/ChangeLog.d/remove_allow_sha1_in_certificates index 9d5cd53fb..e3d16ef87 100644 --- a/ChangeLog.d/remove_allow_sha1_in_certificates +++ b/ChangeLog.d/remove_allow_sha1_in_certificates @@ -1,8 +1,7 @@ Removals - * Remove optional SHA-1 in the default TLS configuration for certificate - signing. This feature was ment to be available only temporarily. - Users are expected to use SHA-2 instead, since SHA-1 is currently - considered a security risk. + * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES + compile-time option, which was off by default. Users should not trust + certificates signed with SHA-1 due to the known attacks against SHA-1. If needed, SHA-1 cerificate can still be used by providing custom verification profile to mbedtls_x509_crt_verify_with_profile function in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.