author Matt Caswell <matt@openssl.org> 2021-10-06 15:08:43 +0100
committer Dmitry Belyavskiy <beldmit@gmail.com> 2021-10-09 19:57:02 +0200
commit a4c4090c21058a75e8bf1ffcc469b6d9755c55ce
tree f83040b47ad0cf642a9d56e893e3697ef10f3ac1 /CHANGES.md
parent 61cab65029e787d59d3f3138e0160adb8df85f99
Update document for default security level change
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16760)
Diffstat (limited to 'CHANGES.md')
-rw-r--r-- CHANGES.md 9
1 files changed, 9 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 963289ca09..4902332206 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -24,6 +24,15 @@ OpenSSL 3.1
### Changes between 3.0 and 3.1 [xx XXX xxxx]
+ * The default SSL/TLS security level has been changed from 1 to 2. RSA,
+ DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys
+ of 160 bits and above and less than 224 bits were previously accepted by
+ default but are now no longer allowed. By default TLS compression was
+ already disabled in previous OpenSSL versions. At security level 2 it cannot
+ be enabled.
+
+ *Matt Caswell*
+
* The SSL_CTX_set_cipher_list family functions now accept ciphers using their
IANA standard names.
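Review bot: The added entry says the affected RSA, DSA, DH and ECC keys "are now no longer allowed", which reads as unconditional even though the same sentence is about the default; "are no longer allowed by default" would match what the change does. The entry also gives no pointer for a deployment that still depends on such keys: a short reference to SSL_CTX_set_security_level(3) or the @SECLEVEL=1 cipher string keyword would let readers see how the level is controlled and weigh the downgrade themselves. The range wording "of 1024 bits and above and less than 2048 bits" is hard to parse on first read; something like "from 1024 up to, but not including, 2048 bits" (and the same for the 160 to 224 bit ECC range) would be clearer. In the compression sentences, "it" in "At security level 2 it cannot be enabled" is separated from "TLS compression" by a full sentence; repeating the noun would remove the ambiguity.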