<a href="/pkg/net/#UDPAddr.AddrPort"><code>UDPAddr.AddrPort</code></a>.
</p>
+<h3 id="tls10">TLS 1.0 and 1.1 disabled by default client-side</h3>
+
+<p><!-- CL 359779, golang.org/issue/45428 -->
+ If <a href="/pkg/crypto/tls/#Config.MinVersion"><code>Config.MinVersion</code></a>
+ is not set, it now defaults to TLS 1.2 for client connections. Any safely
+ up-to-date server is expected to support TLS 1.2, and browsers have required
+ it since 2020. TLS 1.0 and 1.1 are still supported by setting
+ <code>Config.MinVersion</code> to <code>VersionTLS10</code>.
+ The server-side default is unchanged at TLS 1.0.
+</p>
+
+<p>
+ The default can be temporarily reverted to TLS 1.0 by setting the
+ <code>GODEBUG=tls10default=1</code> environment variable.
+ This option will be removed in Go 1.19.
+</p>
+
+<h3 id="sha1">Rejecting SHA-1 certificates</h3>
+
+<p><!-- CL 359777, golang.org/issue/41682 -->
+ <code>crypto/x509</code> will now
+ reject certificates signed with the SHA-1 hash function. This doesn't
+ apply to self-signed root certificates. Practical attacks against SHA-1
+ <a href="https://shattered.io/">have been demonstrated since 2017</a> and publicly
+ trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
+</p>
+
+<p>
+ This can be temporarily reverted by setting the
+ <code>GODEBUG=x509sha1=1</code> environment variable.
+ This option will be removed in Go 1.19.
+</p>
+
<h3 id="minor_library_changes">Minor changes to the library</h3>
<p>
</dd>
</dl><!-- bytes -->
+<dl id="crypto/elliptic"><dt><a href="/pkg/crypto/elliptic/">crypto/elliptic</a></dt>
+ <dd>
+ <p><!-- CL 320071, CL 320072, CL 320074, CL 361402, CL 360014 -->
+ The <a href="/pkg/crypto/elliptic#P224"><code>P224</code></a>,
+ <a href="/pkg/crypto/elliptic#P384"><code>P384</code></a>, and
+ <a href="/pkg/crypto/elliptic#P521"><code>P521</code></a> curve
+ implementations are now all backed by code generated by the
+ <a href="https://github.com/mmcloughlin/addchain">addchain</a> and
+ <a href="https://github.com/mit-plv/fiat-crypto">fiat-crypto</a>
+ projects, the latter of which is based on a formally-verified model
+ of the arithmetic operations. They now use safer complete formulas
+ and internal APIs. P-224 and P-384 are now approximately four times
+ faster. All specific curve implementations are now constant-time.
+ </p>
+
+ <p>
+ Operating on invalid curve points (those for which the
+ <code>IsOnCurve</code> method returns false, and which are never returned
+ by <a href="/pkg/crypto/elliptic#Unmarshal"><code>Unmarshal</code></a> or
+ a <code>Curve</code> method operating on a valid point) has always been
+ undefined behavior, can lead to key recovery attacks, and is now
+ unsupported by the new backend. If an invalid point is supplied to a
+ <code>P224</code>, <code>P384</code>, or <code>P521</code> method, that
+ method will now return a random point. The behavior might change to an
+ explicit panic in a future release.
+ </p>
+ </dd>
+</dl><!-- crypto/elliptic -->
+
<dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
<dd>
<p><!-- CL 325250 -->
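Review bot: The invalid-point paragraph says a P224, P384, or P521 method "will now return a random point" but never tells callers what to do about it. Because that result is silent rather than an error, add a sentence recommending that points from untrusted input be obtained through Unmarshal or checked with IsOnCurve before they are passed to a curve method. "All specific curve implementations are now constant-time" is also ambiguous, since only P224, P384 and P521 are named in this entry; say which curves "specific" covers. Style: the links in this entry use "/pkg/crypto/elliptic#P224" with no slash before the fragment, while the dt link in the same hunk uses "/pkg/crypto/elliptic/"; make them consistent.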