Move some details from ChangeLog to migration guide
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
parent
57e93e5296
commit
e756306dd6
2 changed files with 17 additions and 11 deletions
13
ChangeLog
13
ChangeLog
|
@ -49,16 +49,9 @@ Removals
|
|||
* Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
||||
compile-time option, which was off by default. Users should not trust
|
||||
certificates signed with SHA-1 due to the known attacks against SHA-1.
|
||||
If needed, SHA-1 cerificate can still be used by providing custom
|
||||
verification profile to mbedtls_x509_crt_verify_with_profile function
|
||||
in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.
|
||||
Example of custom verification profile, supporting SHA-1:
|
||||
const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ),
|
||||
0xFFFFFFF, /* Any PK alg */
|
||||
0xFFFFFFF, /* Any curve */
|
||||
2048
|
||||
};
|
||||
If needed, SHA-1 cerificates can still be verified by using a custom
|
||||
verification profile.
|
||||
|
||||
* Removed deprecated things in psa/crypto_compat.h. Fixes #4284
|
||||
* Removed deprecated functions from hashing modules. Fixes #4280.
|
||||
* Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,
|
||||
|
|
|
@ -75,7 +75,20 @@ If you used to enable `MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES` in your
|
|||
`config.h`, first please take a moment to consider whether you really still
|
||||
want to accept certificates signed with SHA-1 as those are considered insecure
|
||||
and no CA has issued them for a while. If you really need to allow SHA-1 in
|
||||
certificates, please set up a custom profile as explained in the ChangeLog.
|
||||
certificates, please set up a custom profile as follows:
|
||||
|
||||
```
|
||||
const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
|
||||
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
|
||||
MBEDTLS_X509_ID_FLAG( /* other hash */ ) /* | etc */,
|
||||
0xFFFFFFF, /* Or specific PK algs */
|
||||
0xFFFFFFF, /* Or specific curves */
|
||||
2048 /* Or another RSA min bitlen */
|
||||
};
|
||||
```
|
||||
Then pass it to `mbedtls_x509_crt_verify_with_profile()` if you're verifying
|
||||
a certificate chain directly, or to `mbedtls_ssl_conf_cert_profile()` if the
|
||||
verification happens during a TLS handshake.
|
||||
|
||||
Remove the certs module from the library
|
||||
----------------------------------------
|
||||
|
|
Loading…
Reference in a new issue