ChangeLog.d/remove_allow_sha1_in_certificates - third_party/github/ARMmbed/mbedtls - Git at Google

 Removals
    * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
      compile-time option, which was off by default. Users should not trust
      certificates signed with SHA-1 due to the known attacks against SHA-1.
      If needed, SHA-1 cerificate can still be used by providing custom
      verification profile to mbedtls_x509_crt_verify_with_profile function
      in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.
      Example of custom verification profile, supporting SHA-1:
      const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
          MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ),
          0xFFFFFFF, /* Any PK alg    */
          0xFFFFFFF, /* Any curve     */
          2048
      };
	Removals
	* Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
	compile-time option, which was off by default. Users should not trust
	certificates signed with SHA-1 due to the known attacks against SHA-1.
	If needed, SHA-1 cerificate can still be used by providing custom
	verification profile to mbedtls_x509_crt_verify_with_profile function
	in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.
	Example of custom verification profile, supporting SHA-1:
	const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
	MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ),
	0xFFFFFFF, /* Any PK alg */
	0xFFFFFFF, /* Any curve */
	2048
	};