X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/8d68e115fc6f226cd2cdcea02adb358df5afb361..d901e231acd1917d24b688cbd7823efc2bed45c4:/doc/doc-txt/GnuTLS-FAQ.txt?ds=inline

diff --git a/doc/doc-txt/GnuTLS-FAQ.txt b/doc/doc-txt/GnuTLS-FAQ.txt
index 766e27927..ab4e5aaa6 100644
--- a/doc/doc-txt/GnuTLS-FAQ.txt
+++ b/doc/doc-txt/GnuTLS-FAQ.txt
@@ -6,7 +6,7 @@ Using Exim 4.80+ with GnuTLS
 (3) I'm seeing:
     "(gnutls_handshake): A TLS packet with unexpected length was received"
     Why?
-(4) What's the deal with MD5?
+(4) What's the deal with MD5?  (And SHA-1?)
 (5) What happened to gnutls_require_kx / gnutls_require_mac /
     gnutls_require_protocols?
 (6) What's the deal with tls_dh_max_bits?  What's DH?
@@ -89,8 +89,8 @@ option fixes the problem, this was the cause.  See Q6.
 
 
 
-(4): What's the deal with MD5?
-------------------------------
+(4): What's the deal with MD5?  (And SHA-1?)
+--------------------------------------------
 
 MD5 is a hash algorithm.  Hash algorithms are used to reduce a lot of data
 down to a fairly short value, which is supposed to be extremely hard to
@@ -119,6 +119,10 @@ the ongoing costs of proving a trust relationship, such as providing
 revocation protocols.  This is just another of those ongoing costs you have
 already paid for.
 
+The same has happened to SHA-1: there are real-world collision attacks against
+SHA-1, so SHA-1 is mostly defunct in certificates.  GnuTLS no longer supports
+its use in TLS certificates.
+
 
 
 (5): ... gnutls_require_kx / gnutls_require_mac / gnutls_require_protocols?
@@ -300,7 +304,7 @@ NORMAL.)  See Q8.
 The current documentation, for the most recent release of GnuTLS, is available
 online at:
 
-  http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
+  http://www.gnutls.org/manual/html_node/Priority-Strings.html
 
 Beware that if you are not using the most recent GnuTLS release then this
 documentation will be wrong for you!  You should find the "info" documentation