commit e756306dd663e7fa29cfbf4672b9779cc1ea4bb7
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Apr 26 10:08:29 2021 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue May 04 11:36:33 2021 +0200
tree 72ccf101c345e08fb7b1bd1e8e612761881bee98
parent 57e93e5296d890bdfe4ef8c2ff873fef6625c3d8

Move some details from ChangeLog to migration guide

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

docs/3.0-migration-guide.md

diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md
index 9bcaa0d..b487541 100644
--- a/docs/3.0-migration-guide.md
+++ b/docs/3.0-migration-guide.md
@@ -75,7 +75,20 @@
 `config.h`, first please take a moment to consider whether you really still
 want to accept certificates signed with SHA-1 as those are considered insecure
 and no CA has issued them for a while. If you really need to allow SHA-1 in
-certificates, please set up a custom profile as explained in the ChangeLog.
+certificates, please set up a custom profile as follows:
+
+```
+const mbedtls_x509_crt_profile mbedtls_x509_crt_custom = {
+    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
+    MBEDTLS_X509_ID_FLAG( /* other hash */ ) /* | etc */,
+    0xFFFFFFF,  /* Or specific PK algs */
+    0xFFFFFFF,  /* Or specific curves */
+    2048        /* Or another RSA min bitlen */
+};
+```
+Then pass it to `mbedtls_x509_crt_verify_with_profile()` if you're verifying
+a certificate chain directly, or to `mbedtls_ssl_conf_cert_profile()` if the
+verification happens during a TLS handshake.
 
 Remove the certs module from the library
 ----------------------------------------