DKIM: disallow default acceptance of sha1 for verify

[exim.git] / doc / doc-docbook / spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c0c7bdc80e487e02d6c89a0a2d336020a0b700a2..c8b999c9f6201f17bdccf6b9681828a96e57661f 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15113,15 +15113,20 @@ to handle IPv6 literal addresses.
 
 
 .new
-.option dkim_verify_hashes main "string list" "sha256 : sha512 : sha1"
+.option dkim_verify_hashes main "string list" "sha256 : sha512"
 .cindex DKIM "selecting signature algorithms"
 This option gives a list of hash types which are acceptable in signatures,
 and an order of processing.
 Signatures with algorithms not in the list will be ignored.
 
-Note that the presence of sha1 violates RFC 8301.
-Signatures using the rsa-sha1 are however (as of writing) still common.
-The default inclusion of sha1 may be dropped in a future release.
+Acceptable values include:
+.code
+sha1
+sha256
+sha512
+.endd
+
+Note that the acceptance of sha1 violates RFC 8301.
 
 .option dkim_verify_keytypes main "string list" "ed25519 : rsa"
 This option gives a list of key types which are acceptable in signatures,
@@ -17737,12 +17742,12 @@ The value of this option is expanded and indicates the source of DH parameters
 to be used by Exim.
 
 .new
-&*Note: This option is ignored for GnuTLS version 3.6.0 and later.
-The library manages parameter negitiation internally.
+This option is ignored for GnuTLS version 3.6.0 and later.
+The library manages parameter negotiation internally.
 .wen
 
 &*Note: The Exim Maintainers strongly recommend,
-for other TLS braries,
+for other TLS library versions,
 using a filename with site-generated
 local DH parameters*&, which has been supported across all versions of Exim.  The
 other specific constants available are a fallback so that even when