Removals | |
* Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES | |
compile-time option, which was off by default. Users should not trust | |
certificates signed with SHA-1 due to the known attacks against SHA-1. | |
If needed, SHA-1 cerificate can still be used by providing custom | |
verification profile to mbedtls_x509_crt_verify_with_profile function | |
in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h. | |
Example of custom verification profile, supporting SHA-1: | |
const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = { | |
MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ), | |
0xFFFFFFF, /* Any PK alg */ | |
0xFFFFFFF, /* Any curve */ | |
2048 | |
}; |