path: root/NEWS
author Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-03-01 12:51:47 +0100
committer Nikos Mavrogiannopoulos <nmav@redhat.com> 2017-03-02 16:03:27 +0100
commit ed8810c4bbfec66f4ae7f144e291ce54c66e6a4d (patch)
tree 79390d59b07a7af0a33396eeffe5011d5e76754b /NEWS
parent a4c8d3e5577e0d0ac67f2b7ba1550d504f47ab11 (diff)
doc update
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 7
1 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 5630900e52..b4a9aa4089 100644
--- a/NEWS
+++ b/NEWS
@@ -23,12 +23,19 @@ See the end for copying conditions.
list. It has to be explicitly enabled, e.g., with a string like
"NORMAL:+3DES-CBC".
+** libgnutls: PKIX certificates with unknown critical extensions are rejected
+ on verification with status GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS. This
+ behavior can be overriden by providing the flag GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS
+ to verification functions. Resolves gitlab issue #177.
+
** certtool: the option '--load-ca-certificate' can now accept PKCS#11
URLs in addition to files.
** API and ABI modifications:
gnutls_x509_crt_set_flags: Added
GNUTLS_X509_CRT_FLAG_IGNORE_SANITY: Added
+GNUTLS_CERT_UNKNOWN_CRIT_EXTENSIONS: Added
+GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS: Added
* Version 3.5.7 (released 2016-12-8)
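Review bot: in the added libgnutls entry, "overriden" should be "overridden", and that same line runs well past the width of the neighbouring entries because of the long flag name; rewrap it so GNUTLS_VERIFY_IGNORE_UNKNOWN_CRIT_EXTENSIONS starts the next line. The status code is listed as newly added in the API section, so this entry reads as a change in default verification results; it would help callers if the text said so explicitly and named the verification functions that accept the flag instead of the generic "verification functions". The two new lines under "API and ABI modifications" are fine and match the existing "Name: Added" style.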