SHA-1 deprecation: allow it in key exchange
By default, keep allowing SHA-1 in key exchange signatures. Disabling
it causes compatibility issues, especially with clients that use
TLS1.2 but don't send the signature_algorithms extension.
SHA-1 is forbidden in certificates by default, since it's vulnerable
to offline collision-based attacks.
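The two policies the commit message separates (SHA-1 rejected for certificate signatures, SHA-1 still accepted for TLS 1.2 handshake signatures) behave differently because they are checked in different places. The following is an added example, not Mbed TLS code and not from this commit: it models both checks in self-contained C. It assumes the X.509 profile bit layout Mbed TLS uses (`MBEDTLS_X509_ID_FLAG(id)` is `1 << (id - 1)`) and the Mbed TLS 2.x `mbedtls_md_type_t` numbering, both mirrored here under local names, and applies the TLS 1.2 rule that a client which omits the `signature_algorithms` extension is treated as if it had offered SHA-1 (RFC 5246, section 7.4.1.4.1), which is exactly the compatibility case the commit message cites. The profile, hash-list and function names are local stand-ins, not the library's API.

```c
/* Added example (not Mbed TLS code). Models two separate SHA-1 policies:
 *  1. an X.509 verification profile, a bitmask of hashes allowed to sign
 *     a certificate (same bit layout as MBEDTLS_X509_ID_FLAG, assumed);
 *  2. the hash chosen for the TLS 1.2 ServerKeyExchange signature, where
 *     a client that sent no signature_algorithms extension is treated as
 *     having offered SHA-1 (RFC 5246, section 7.4.1.4.1). */
#include <stdint.h>
#include <stdio.h>

/* Mirrors mbedtls_md_type_t numbering in Mbed TLS 2.x (assumption). */
enum md_type { MD_NONE = 0, MD_MD2, MD_MD4, MD_MD5, MD_SHA1, MD_SHA224,
               MD_SHA256, MD_SHA384, MD_SHA512, MD_RIPEMD160 };

/* Same shape as MBEDTLS_X509_ID_FLAG(id): one bit per hash id. */
#define ID_FLAG(id) (1u << ((id) - 1))

/* Certificate-verification profile: which hashes may sign a certificate. */
struct cert_profile { uint32_t allowed_mds; };

/* Default profile after this change: SHA-2 family only. Neither SHA-1 nor
 * RIPEMD-160 has its bit set, so certificates signed with them fail. */
static const struct cert_profile profile_default = {
    ID_FLAG(MD_SHA224) | ID_FLAG(MD_SHA256) |
    ID_FLAG(MD_SHA384) | ID_FLAG(MD_SHA512)
};

/* Profile a build that re-enables SHA-1 for certificates would use. */
static const struct cert_profile profile_allow_sha1 = {
    ID_FLAG(MD_SHA1) | ID_FLAG(MD_SHA224) | ID_FLAG(MD_SHA256) |
    ID_FLAG(MD_SHA384) | ID_FLAG(MD_SHA512)
};

/* Policy check 1: may a certificate signed with `md` be accepted? */
int cert_hash_allowed(const struct cert_profile *p, enum md_type md)
{
    if (md == MD_NONE)
        return 0;
    return (p->allowed_mds & ID_FLAG(md)) != 0;
}

/* Handshake signature hashes the server accepts, in preference order,
 * MD_NONE-terminated (the shape mbedtls_ssl_conf_sig_hashes() takes). */
static const enum md_type handshake_hashes_with_sha1[] = {
    MD_SHA512, MD_SHA384, MD_SHA256, MD_SHA1, MD_NONE };
static const enum md_type handshake_hashes_strict[] = {
    MD_SHA512, MD_SHA384, MD_SHA256, MD_NONE };

/* Constructed client offers: a modern client's signature_algorithms list. */
static const enum md_type client_sha256_only[] = { MD_SHA256, MD_NONE };

/* Policy check 2: pick the ServerKeyExchange signature hash. `client_hashes`
 * is the client's signature_algorithms list, MD_NONE-terminated; NULL means
 * the extension was absent, so TLS 1.2 says to assume SHA-1. Returns MD_NONE
 * when no common hash exists, i.e. the handshake would be aborted. */
enum md_type pick_handshake_hash(const enum md_type *allowed,
                                 const enum md_type *client_hashes)
{
    static const enum md_type implicit_sha1[] = { MD_SHA1, MD_NONE };
    if (client_hashes == NULL)
        client_hashes = implicit_sha1;
    for (const enum md_type *a = allowed; *a != MD_NONE; a++)
        for (const enum md_type *c = client_hashes; *c != MD_NONE; c++)
            if (*a == *c)
                return *a;
    return MD_NONE;
}

int main(void)
{
    printf("SHA-1 cert, default profile: %s\n",
           cert_hash_allowed(&profile_default, MD_SHA1) ? "accepted" : "rejected");
    printf("SHA-1 cert, ALLOW_SHA1 profile: %s\n",
           cert_hash_allowed(&profile_allow_sha1, MD_SHA1) ? "accepted" : "rejected");
    printf("legacy client (no sig_algs), SHA-1 allowed in handshake: hash id %d\n",
           pick_handshake_hash(handshake_hashes_with_sha1, NULL));
    printf("legacy client (no sig_algs), SHA-1 removed from handshake: hash id %d\n",
           pick_handshake_hash(handshake_hashes_strict, NULL));
    return 0;
}
```

The last two lines of output are the compatibility argument in miniature: with SHA-1 left in the handshake list the legacy client negotiates SHA-1, and with it removed the negotiation finds no common hash and the handshake fails, while the certificate profile rejects SHA-1 either way.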
diff --git a/ChangeLog b/ChangeLog
index 3befcad..265205c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,12 +4,9 @@
Security
- * SHA-1 deprecation: remove it from the default allowed hash
- algorithms for certificate verification and TLS 1.2 handshake
- signatures. It can be turned back on at compile time with
- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with ssl_conf functions.
- * Removed RIPEMD-160 from the default hash algorithms for
- certificate verification.
+ * Removed SHA-1 and RIPEMD-160 from the default hash algorithms for
+ certificate verification. SHA-1 can be turned back on with a compile-time
+ option if needed.
Bugfix
* Remove invalid use of size zero arrays in ECJPAKE test suite.
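Review bot: The replacement ChangeLog entry is less precise than the one it removes in two ways that matter for a "Security" entry. First, "a compile-time option" no longer names the option; the removed text named MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 and also pointed to the ssl_conf functions for a runtime override, and readers upgrading will look for both. Second, the entry only says what was removed for certificate verification and is silent on TLS 1.2 handshake signatures, although the commit message says SHA-1 stays allowed there by default and that this is the point of the change; a reader of the old entry would otherwise assume handshake signatures are still covered by the deprecation. Suggest wording along the lines of: "Removed SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. SHA-1 remains allowed by default for TLS 1.2 handshake signatures for compatibility with clients that do not send the signature_algorithms extension. SHA-1 can be turned back on for certificates at compile time with MBEDTLS_TLS_DEFAULT_ALLOW_SHA1 or explicitly with the ssl_conf functions."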