diff --git a/ChangeLog b/ChangeLog
index ad1f572..cea282a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,6 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS 1.3.x branch released xxxx-xx-xx
+= mbed TLS 1.3.20 released xxxx-xx-xx
 
 Security
    * Add exponent blinding to RSA private operations as a countermeasure
@@ -8,15 +8,19 @@
      https://arxiv.org/abs/1702.08719v2.
      Found and fix proposed by Michael Schwarz, Samuel Weiser, Daniel Gruss,
      Clémentine Maurice and Stefan Mangard.
+   * Wipe stack buffers in RSA private key operations
+     (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
+     Found by Laurent Simon.
+   * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a
+     potential Bleichenbacher/BERserk-style attack.
+   * Remove support for X509 certificates signed with MD5.
+     Issue raised by Harm Verhagen
 
 Bugfix
    * Disable use of extensions for SSLv3, previously causing the
      "SSLv3 with extensions" test from ssl-opt.sh to fail.
    * Fix insufficient support for signature-hash-algorithm extension,
      resulting in compatibility problems with Chrome. Found by hfloyrd. #823
-   * Wipe stack buffers in RSA private key operations
-     (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
-     Found by Laurent Simon.
    * Accept empty trusted CA chain in authentication mode
      SSL_VERIFY_OPTIONAL. Fixes #864. Found by jethrogb.
    * Fix implementation of ssl_parse_certificate
@@ -34,6 +38,9 @@
    * Clarify ECDSA documentation and improve the sample code to avoid
      misunderstandings and potentially dangerous use of the API. Pointed out
      by Jean-Philippe Aumasson.
+   * Add new config.h flag POLARSSL_X509_MIN_VERIFY_MD_ALG to set the minimum
+     hash accepted when verifying certificate chains. Defaults to SHA1, which
+     means SHA1 is accepted but MD5 and below are rejected.
 
 = mbed TLS 1.3.19 branch released 2017-03-08
 
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 498fc5b..60d96ec 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -2366,6 +2366,29 @@
 /* X509 options */
 //#define POLARSSL_X509_MAX_INTERMEDIATE_CA   8   /**< Maximum number of intermediate CAs in a verification chain. */
 
+/**
+ * \def POLARSSL_X509_MIN_VERIFY_MD_ALG
+ *
+ * Minimal hash algorithm accepted in X.509 chain verification.
+ *
+ * The value should be one of the enumerations in md_type_t defined in md.h
+ * Only algorithms with a value equal or higher are accepted.
+ *
+ * typedef enum {
+ *      POLARSSL_MD_NONE=0,
+ *      POLARSSL_MD_MD2,
+ *      POLARSSL_MD_MD4,
+ *      POLARSSL_MD_MD5,
+ *      POLARSSL_MD_SHA1,
+ *      POLARSSL_MD_SHA224,
+ *      POLARSSL_MD_SHA256,
+ *      POLARSSL_MD_SHA384,
+ *      POLARSSL_MD_SHA512,
+ *      POLARSSL_MD_RIPEMD160,
+ *  } md_type_t;
+ */
+//#define POLARSSL_X509_MIN_VERIFY_MD_ALG  POLARSSL_MD_SHA1
+
 /* \} name SECTION: Module configuration options */
 
 #include "check_config.h"
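Review bot: The documented rule "Only algorithms with a value equal or higher are accepted" ranks digests by their position in md_type_t, not by strength, and the enum quoted here puts POLARSSL_MD_RIPEMD160 last. With that ordering a stricter setting such as POLARSSL_MD_SHA256 would still accept RIPEMD160-signed chains, and x509_check_md_alg() in library/x509_crt.c uses the same ordinal comparison. The doc block should say so, for example `* Note: the comparison follows enum order, so POLARSSL_MD_RIPEMD160 is accepted for every setting.`; if that is not intended, x509_check_md_alg() needs an explicit case for it. Copying the enum into the comment also risks drifting from md.h, so a reference to md.h alone may be enough.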
diff --git a/library/rsa.c b/library/rsa.c
index 1cdf0d6..ca8f688 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1472,7 +1472,7 @@
 {
     int ret;
     size_t len, siglen, asn1_len;
-    unsigned char *p, *end;
+    unsigned char *p, *p0, *end;
     unsigned char buf[POLARSSL_MPI_MAX_SIZE];
     md_type_t msg_md_alg;
     const md_info_t *md_info;
@@ -1504,7 +1504,11 @@
             return( POLARSSL_ERR_RSA_INVALID_PADDING );
         p++;
     }
-    p++;
+    p++; /* skip 00 byte */
+
+    /* We've read: 00 01 PS 00 where PS must be at least 8 bytes */
+    if( p - buf < 11 )
+        return( POLARSSL_ERR_RSA_INVALID_PADDING );
 
     len = siglen - ( p - buf );
 
@@ -1523,24 +1527,30 @@
 
     end = p + len;
 
-    // Parse the ASN.1 structure inside the PKCS#1 v1.5 structure
-    //
+    /*
+     * Parse the ASN.1 structure inside the PKCS#1 v1.5 structure.
+     * Insist on 2-byte length tags, to protect against variants of
+     * Bleichenbacher's forgery attack against lax PKCS#1v1.5 verification.
+     */
+    p0 = p;
     if( ( ret = asn1_get_tag( &p, end, &asn1_len,
             ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
-    if( asn1_len + 2 != len )
+    if( p != p0 + 2 || asn1_len + 2 != len )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
 
+    p0 = p;
     if( ( ret = asn1_get_tag( &p, end, &asn1_len,
             ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
-    if( asn1_len + 6 + hashlen != len )
+    if( p != p0 + 2 || asn1_len + 6 + hashlen != len )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
 
+    p0 = p;
     if( ( ret = asn1_get_tag( &p, end, &oid.len, ASN1_OID ) ) != 0 )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+    if( p != p0 + 2 )
+        return( POLARSSL_ERR_RSA_VERIFY_FAILED );
 
     oid.p = p;
     p += oid.len;
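Review bot: The header-size check `p != p0 + 2` is written out after every asn1_get_tag() call, three times in this hunk and twice more in the next hunk (the NULL and OCTET STRING tags), each time needing a preceding `p0 = p;`. Folding the pair into one static helper keeps the strict-length rule in a single place, so a tag added later cannot be parsed without it. The sketch below shows a helper (the name is only a suggestion) and the first call site; the remaining calls follow the same shape. The enclosing function starts and ends outside this hunk.

```c
/* Read one tag and insist on a 2-byte header (tag + short-form length). */
static int rsa_get_tag_short_hdr( unsigned char **p, const unsigned char *end,
                                  size_t *len, int tag )
{
    unsigned char *start = *p;

    if( asn1_get_tag( p, end, len, tag ) != 0 || *p != start + 2 )
        return( POLARSSL_ERR_RSA_VERIFY_FAILED );

    return( 0 );
}

/* … unchanged: padding checks, len and end computed … */
    if( ( ret = rsa_get_tag_short_hdr( &p, end, &asn1_len,
            ASN1_CONSTRUCTED | ASN1_SEQUENCE ) ) != 0 )
        return( ret );
    if( asn1_len + 2 != len )
        return( POLARSSL_ERR_RSA_VERIFY_FAILED );
/* … same shape for the inner SEQUENCE and the OID … */
```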
@@ -1554,13 +1564,16 @@
     /*
      * assume the algorithm parameters must be NULL
      */
+    p0 = p;
     if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_NULL ) ) != 0 )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
-
-    if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
+    if( p != p0 + 2 )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
 
-    if( asn1_len != hashlen )
+    p0 = p;
+    if( ( ret = asn1_get_tag( &p, end, &asn1_len, ASN1_OCTET_STRING ) ) != 0 )
+        return( POLARSSL_ERR_RSA_VERIFY_FAILED );
+    if( p != p0 + 2 || asn1_len != hashlen )
         return( POLARSSL_ERR_RSA_VERIFY_FAILED );
 
     if( memcmp( p, hash, hashlen ) != 0 )
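Review bot: The length returned for the ASN1_NULL tag is never compared with zero: after `asn1_get_tag( &p, end, &asn1_len, ASN1_NULL )` only `p != p0 + 2` is checked, and `p` is not advanced by `asn1_len` before the OCTET STRING is read. As far as these lines show, the NULL's length byte can therefore hold a non-zero short-form value and the encoding is still accepted, which leaves some slack in a parser this commit is trying to make strict. Rejecting it is a one-line change: `if( p != p0 + 2 || asn1_len != 0 )`. The function body continues outside the hunk, so any later check of `p` against `end` is not visible here.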
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 16a29b5..0bf4dea 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -76,6 +76,10 @@
 #endif /* !_WIN32 || EFIX64 || EFI32 */
 #endif
 
+#if !defined(POLARSSL_X509_MIN_VERIFY_MD_ALG)
+#define POLARSSL_X509_MIN_VERIFY_MD_ALG  POLARSSL_MD_SHA1
+#endif
+
 /* Implementation that should never be optimized out by the compiler */
 static void polarssl_zeroize( void *v, size_t n ) {
     volatile unsigned char *p = v; while( n-- ) *p++ = 0;
@@ -1435,6 +1439,18 @@
     return( (int) ( size - n ) );
 }
 
+/*
+ * Check md_alg against profile
+ * Return 0 if md_alg acceptable for this profile, -1 otherwise
+ */
+static int x509_check_md_alg( md_type_t md_alg )
+{
+    if( md_alg >= POLARSSL_X509_MIN_VERIFY_MD_ALG )
+        return( 0 );
+
+    return( -1 );
+}
+
 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
 int x509_crt_check_key_usage( const x509_crt *crt, int usage )
 {
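Review bot: The header comment on x509_check_md_alg() speaks of a "profile", but the function takes no profile and compares only against the compile-time POLARSSL_X509_MIN_VERIFY_MD_ALG. Suggested wording: `/* Return 0 if md_alg is at least POLARSSL_X509_MIN_VERIFY_MD_ALG (compared by md_type_t order), -1 otherwise */`.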
@@ -1543,6 +1559,15 @@
 #endif
 
         /*
+         * Check if CRL is signed with a valid MD
+         */
+        if( x509_check_md_alg( crl_list->sig_md ) != 0 )
+        {
+            flags |= BADCRL_NOT_TRUSTED;
+            break;
+        }
+
+        /*
          * Check if CRL is correctly signed by the trusted CA
          */
         md_info = md_info_from_type( crl_list->sig_md );
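Review bot: A CRL rejected for its digest is reported with `BADCRL_NOT_TRUSTED`, the generic untrusted-CRL bit, and the two certificate hunks below do the same with `BADCERT_NOT_TRUSTED`. Callers and verify callbacks then cannot tell "weak hash" from "unknown or wrong issuer", and an application whose callback deliberately clears BADCERT_NOT_TRUSTED (for pinned or self-signed certificates, say) would also clear the weak-digest rejection. If adding flag bits is not possible on this branch, this deserves at least a sentence in the ChangeLog entry and in the POLARSSL_X509_MIN_VERIFY_MD_ALG documentation. The loop body continues outside this hunk.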
@@ -1789,6 +1814,18 @@
      */
     *flags |= BADCERT_NOT_TRUSTED;
 
+    /*
+     * Check if certificate is signed with a valid MD
+     */
+    if( x509_check_md_alg( child->sig_md ) != 0 )
+    {
+        *flags |= BADCERT_NOT_TRUSTED;
+        /*
+         * not signed with a valid MD, no need to check trust_ca
+         */
+        trust_ca = NULL;
+    }
+
     md_info = md_info_from_type( child->sig_md );
     if( md_info == NULL )
     {
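Review bot: `*flags |= BADCERT_NOT_TRUSTED;` inside the new block is redundant, because the context line just above the block already sets that bit unconditionally; the only effect of the block is `trust_ca = NULL;`. Dropping the assignment and saying why the variable is cleared would read more clearly, e.g. `/* weak digest: skip the trust_ca search so the bit set above is never cleared */`. How trust_ca is used afterwards lies outside the hunk, so this assumes the later search is what would clear the flag.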
@@ -1926,6 +1963,12 @@
     if( x509_time_future( &child->valid_from ) )
         *flags |= BADCERT_FUTURE;
 
+    /*
+     * Check if certificate is signed with a valid MD
+     */
+    if( x509_check_md_alg( child->sig_md ) != 0 )
+        *flags |= BADCERT_NOT_TRUSTED;
+
     md_info = md_info_from_type( child->sig_md );
     if( md_info == NULL )
     {
diff --git a/tests/suites/test_suite_rsa.data b/tests/suites/test_suite_rsa.data
index e4bc89e..57843e3 100644
--- a/tests/suites/test_suite_rsa.data
+++ b/tests/suites/test_suite_rsa.data
@@ -134,6 +134,10 @@
 depends_on:POLARSSL_SHA512_C:POLARSSL_PKCS1_V15
 rsa_pkcs1_verify:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":RSA_PKCS_V15:POLARSSL_MD_SHA512:1536:16:"a59d9b7269b102b7be684ec5e28db79992e6d3231e77c90b78960c2638b35ef6dbdac1ac59e7249d96d426e7f99397eabc6b8903fe1942da580322b98bafacd81bb911c29666f83886a2a2864f3552044300e60cedd5a8c321c43e280413dc41673c39a11b98a885486f8187a70f270185c4c12bc48a1968305269776c070ef69d4913589a887c4d0f5e7dd58bd806d0d49a14a1762c38665cef4646ff13a0cd29c3a60460703c3d051d5b28c660bffb5f8bd43d495ffa64175f72b8abe5fddd":16:"11":"0b4d96f411c727a262d6d0ade34195b78603551061917d060f89add47b09dfe8715f4f9147d327dc25e91fe457e5d1a2f22cd8fe6fe8e29d2060658307c87a40640650fef3d4b289a6c3febc5a100b29a8b56623afb29fd3c13ea372bf3c638c1db25f8bd8c74c821beec7b5affcace1d05d056a6c2d3035926c7a268df4751a54bc20a6b8cfd729a7cba309ae817daccbef9950a482cf23950a8ca1d3a13ddb7d8d0f87ad5587d4d9ebe19fe93457597a7bdd056c2fd4cea7d31e4a0e595a7b":0
 
+RSA PKCS1 Verify v1.5 padding too short
+depends_on:POLARSSL_SHA1_C:POLARSSL_PKCS1_V15
+rsa_pkcs1_verify:"AABBCC03020100FFFFFFFFFF1122330A0B0CCCDDDDDDDDDD":RSA_PKCS_V15:POLARSSL_MD_SHA1:1024:16:"9292758453063D803DD603D5E777D7888ED1D5BF35786190FA2F23EBC0848AEADDA92CA6C3D80B32C4D109BE0F36D6AE7130B9CED7ACDF54CFC7555AC14EEBAB93A89813FBF3C4F8066D2D800F7C38A81AE31942917403FF4946B0A83D3D3E05EE57C6F5F5606FB5D4BC6CD34EE0801A5E94BB77B07507233A0BC7BAC8F90F79":16:"10001":"6edd56f397d9bc6d176bbe3d80946fc352ad6127b85b1d67d849c0a38cbde7222c5fafbb18dcef791178a8e15f5c8cd91869f8ca4b758c46ce3e229bf666d2e3e296544351bcb5db7e0004f6c0800f76a432071297e405759d4324d1cf1c412758be93a39f834e03dee59e28ac571ce2b0b3c8fe639979f516223b54027340a5":POLARSSL_ERR_RSA_INVALID_PADDING
+
 RSA PKCS1 Sign #1 (SHA512, 1536 bits RSA)
 depends_on:POLARSSL_SHA512_C:POLARSSL_PKCS1_V15
 rsa_pkcs1_sign:"59779fd2a39e56640c4fc1e67b60aeffcecd78aed7ad2bdfa464e93d04198d48466b8da7445f25bfa19db2844edd5c8f539cf772cc132b483169d390db28a43bc4ee0f038f6568ffc87447746cb72fefac2d6d90ee3143a915ac4688028805905a68eb8f8a96674b093c495eddd8704461eaa2b345efbb2ad6930acd8023f870":RSA_PKCS_V15:POLARSSL_MD_SHA512:1536:16:"c8c67df894c882045ede26a9008ab09ea0672077d7bc71d412511cd93981ddde8f91b967da404056c39f105f7f239abdaff92923859920f6299e82b95bd5b8c959948f4a035cbd693ad83014294d349813d1ad57911a6355d0731fe3a034e9db":16:"f15147d0e7c04a1e3f37adde802cdc610999bf7ab0088434aaeda0c0ab3910b14d2ce56cb66bffd97552195fae8b061077e03920814d8b9cfb5a3958b3a82c2a7fc97e55db5978b47a922156eb8a3e55c06a54a45d1670abdfb995489c4d0051":16:"bd429bb7c3b00bbea19ba664c0f8172d1a73c3cfa05e2ed656d570c1590918bb7e372ed25e2cd71395ba0a9b1a30f3ee012ffb0546cab8e3581fe3e23f44ab57a8aee9717e71a936a580fa8572d450fb00339a6f6704b717df0c149a465bab768c61500cd93b61113ff3e4389167f7b2c8e3c0da2d4765286bee555b0bcb4998f59b14fad03180a17c8b4f69bcd1234f4ae85950137665ac2ba80b55cc9b1aafb454b83771aa755acd2a00e93ddb65e696dbed8bdca69fb5e0c5c2097b9cfe4b":16:"3":"93b6fa99485c116ca6efdd4202ea1cf49f4c6345fae692584413743ce5b65510e8e4690aee9a19ea1ff10d57f22aa3548d839f28a8525a34354e9e58e0f3947e056ce2554e21bf287e220b98db3b551258cd42b495e5d1a3bbc83c9d1a02f2a300ef6d866ea75108e44ebb3e16b47df2f6de28feb2be3874dbbf21599451082d86e9f2f462575a8185c69aa1f1fcb6a363c5d71aeba2103449eaf3845285291148d5f78d1646b8dc95cbcc4082f987d948b0e7d4e80b60595f8a7517584e1643":0
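Review bot: Only the short-padding case gets a vector here; nothing in this diff exercises the new `p != p0 + 2` checks in library/rsa.c, which are the part that rejects non-minimal ASN.1 length encodings. Negative vectors with a long-form length on each of the five tags (outer SEQUENCE, AlgorithmIdentifier SEQUENCE, OID, NULL, OCTET STRING), each expecting `POLARSSL_ERR_RSA_VERIFY_FAILED`, would pin that behaviour against regressions.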
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 717cd6f..7920fc6 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -417,11 +417,11 @@
 
 X509 Certificate verification #12 (Valid Cert MD4 Digest)
 depends_on:POLARSSL_MD4_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
-x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_md4.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
 
 X509 Certificate verification #13 (Valid Cert MD5 Digest)
 depends_on:POLARSSL_MD5_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
-x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"NULL"
+x509_verify:"data_files/cert_md5.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED:"NULL"
 
 X509 Certificate verification #14 (Valid Cert SHA1 Digest)
 depends_on:POLARSSL_SHA1_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
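Review bot: Tests #12 and #13 now hard-code `POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_NOT_TRUSTED`, which holds only for the default POLARSSL_X509_MIN_VERIFY_MD_ALG; the same is true of #88 and #89 in the next hunk. A build that sets the option to POLARSSL_MD_MD5 or lower would presumably fail them, and the `depends_on` lines shown here do not express that. The titles also still read "Valid Cert MD4 Digest" and "Valid Cert MD5 Digest" although the expected result is now a failure; a name such as `(MD5 digest, rejected by default minimum)` would make both the outcome and the dependency visible.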
@@ -723,6 +723,14 @@
 depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECP_C:POLARSSL_ECP_DP_SECP256R1_ENABLED:POLARSSL_ECP_DP_SECP384R1_ENABLED:POLARSSL_SHA1_C:POLARSSL_SHA256_C
 x509_verify:"data_files/server5.crt":"data_files/test-ca2_cat-past-invalid.crt":"data_files/crl-ec-sha1.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCERT_EXPIRED:"NULL"
 
+X509 Certificate verification #88 (MD4 CRL)
+depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
+x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl_md4.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
+
+X509 Certificate verification #89 (MD5 CRL)
+depends_on:POLARSSL_SHA256_C:POLARSSL_PEM_PARSE_C:POLARSSL_SHA1_C:POLARSSL_RSA_C:POLARSSL_PKCS1_V15
+x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl_md5.pem":"NULL":POLARSSL_ERR_X509_CERT_VERIFY_FAILED:BADCRL_NOT_TRUSTED:"NULL"
+
 X509 Certificate verification callback: trusted EE cert
 depends_on:POLARSSL_PEM_PARSE_C:POLARSSL_ECDSA_C:POLARSSL_SHA256_C:POLARSSL_ECP_DP_SECP256R1_ENABLED
 x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL\n"
