diff options
author | Matt Caswell <matt@openssl.org> | 2020-03-09 09:05:27 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-03-11 14:56:05 +0000 |
commit | 63fa6f2e4ba7641fd5f10c70eaa0c3a4b42e124c (patch) | |
tree | cc72e2f7ac427de5ec93dfbad01b6a051721f814 /CHANGES | |
parent | 004f570821b1a92cbb733d8e03b54223231bfac3 (diff) |
Revert "Stop accepting certificates signed using SHA1 at security level 1"
This reverts commit 68436f0a8964e911eb4f864bc8b31d7ca4d29585.
The OMC did not vote in favour of backporting this to 1.1.1, so this
change should be reverted.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11282)
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 12 |
1 files changed, 0 insertions, 12 deletions
@@ -21,18 +21,6 @@ resolve symbols with longer names. [Richard Levitte] - *) X509 certificates signed using SHA1 are no longer allowed at security - level 1 and above. - In TLS/SSL the default security level is 1. It can be set either - using the cipher string with @SECLEVEL, or calling - SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1, - a call to SSL_CTX_use_certificate() will fail if the security level is not - lowered first. - Outside TLS/SSL, the default security level is -1 (effectively 0). It can - be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level - options of the apps. - [Kurt Roeckx] - *) Corrected the documentation of the return values from the EVP_DigestSign* set of functions. The documentation mentioned negative values for some errors, but this was never the case, so the mention of negative values |