commit e756306dd663e7fa29cfbf4672b9779cc1ea4bb7
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Apr 26 10:08:29 2021 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue May 04 11:36:33 2021 +0200
tree 72ccf101c345e08fb7b1bd1e8e612761881bee98
parent 57e93e5296d890bdfe4ef8c2ff873fef6625c3d8

Move some details from ChangeLog to migration guide

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index 3571910..8f952b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -49,16 +49,9 @@
    * Remove the MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
      compile-time option, which was off by default. Users should not trust
      certificates signed with SHA-1 due to the known attacks against SHA-1.
-     If needed, SHA-1 cerificate can still be used by providing custom
-     verification profile to mbedtls_x509_crt_verify_with_profile function
-     in x509_crt.h, or mbedtls_ssl_conf_cert_profile function in ssl.h.
-     Example of custom verification profile, supporting SHA-1:
-     const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
-         MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ),
-         0xFFFFFFF, /* Any PK alg    */
-         0xFFFFFFF, /* Any curve     */
-         2048
-     };
+     If needed, SHA-1 cerificates can still be verified by using a custom
+     verification profile.
+
    * Removed deprecated things in psa/crypto_compat.h. Fixes #4284
    * Removed deprecated functions from hashing modules. Fixes #4280.
    * Remove PKCS#11 library wrapper. PKCS#11 has limited functionality,