bf4c4f9cd5
from the default TLS configuration. Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
14 lines
720 B
Text
14 lines
720 B
Text
Removals
|
|
* Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
|
|
compile-time option, which was off by default. Users should not trust
|
|
certificates signed with SHA-1 due to the known attacks against SHA-1.
|
|
If needed, SHA-1 cerificate can still be used by providing custom
|
|
verification profile to mbedtls_x509_crt_verify_with_profile function
|
|
in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.
|
|
Example of custom verification profile, supporting SHA-1:
|
|
const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
|
|
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ),
|
|
0xFFFFFFF, /* Any PK alg */
|
|
0xFFFFFFF, /* Any curve */
|
|
2048
|
|
};
|