summaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-02-24 09:44:55 +0100
committerNikos Mavrogiannopoulos <nmav@redhat.com>2017-03-16 15:47:10 +0100
commitf313fd45f01c8520b78908c926cf3bf735cacc5b (patch)
tree3e6aa3d38e060c89eb0e8864f41143120467d3d1 /NEWS
parenta95400aaaf0a19cad9215a6e7767146bd689ff73 (diff)
downloadgnutls-f313fd45f01c8520b78908c926cf3bf735cacc5b.tar.gz
doc update
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS10
1 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 81ada20690..aef8df2de1 100644
--- a/NEWS
+++ b/NEWS
@@ -42,6 +42,15 @@ See the end for copying conditions.
gnutls_x509_crt_set_serial(), will fail on input considered to be invalid
in RFC5280.
+** libgnutls: SHA1 was removed from the trusted set of hashes. Verification
+ and other operations relying on SHA1 is now considered insecure and will
+ fail, unless flags intended to enable broken algorithms are set. This
+ can be reverted on compile time with the configure flag --enable-sha1-support.
+
+** libgnutls: Introduced the %VERIFY_ALLOW_BROKEN and %VERIFY_ALLOW_SIGN_WITH_SHA1
+ priority string options. These allows enabling all broken and SHA1-based signature
+ algorithms in certificate verification, respectively.
+
** certtool: the option '--load-ca-certificate' can now accept PKCS#11
URLs in addition to files.
@@ -52,6 +61,7 @@ See the end for copying conditions.
gnutls_x509_crt_set_flags: Added
GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
+GNUTLS_VERIFY_ALLOW_SIGN_WITH_SHA1: Added
GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added