X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=doc%2Fdoc-txt%2FGnuTLS-FAQ.txt;h=ab4e5aaa6a88e549304923d5d75c2a271feef939;hb=8768d5483a5894400ae1f70cda1beb44ed9b087c;hp=897087582a8793b1696eb74034334e16d448fa94;hpb=42bfef1e908fe60f8a7a86e66616b51702f1c0fb;p=exim.git

diff --git a/doc/doc-txt/GnuTLS-FAQ.txt b/doc/doc-txt/GnuTLS-FAQ.txt
index 897087582..ab4e5aaa6 100644
--- a/doc/doc-txt/GnuTLS-FAQ.txt
+++ b/doc/doc-txt/GnuTLS-FAQ.txt
@@ -6,7 +6,7 @@ Using Exim 4.80+ with GnuTLS
 (3) I'm seeing:
     "(gnutls_handshake): A TLS packet with unexpected length was received"
     Why?
-(4) What's the deal with MD5?
+(4) What's the deal with MD5?  (And SHA-1?)
 (5) What happened to gnutls_require_kx / gnutls_require_mac /
     gnutls_require_protocols?
 (6) What's the deal with tls_dh_max_bits?  What's DH?
@@ -89,8 +89,8 @@ option fixes the problem, this was the cause.  See Q6.
 
 
 
-(4): What's the deal with MD5?
-------------------------------
+(4): What's the deal with MD5?  (And SHA-1?)
+--------------------------------------------
 
 MD5 is a hash algorithm.  Hash algorithms are used to reduce a lot of data
 down to a fairly short value, which is supposed to be extremely hard to
@@ -119,6 +119,10 @@ the ongoing costs of proving a trust relationship, such as providing
 revocation protocols.  This is just another of those ongoing costs you have
 already paid for.
 
+The same has happened to SHA-1: there are real-world collision attacks against
+SHA-1, so SHA-1 is mostly defunct in certificates.  GnuTLS no longer supports
+its use in TLS certificates.
+
 
 
 (5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols?