Mention old_where in README

Lukasa · Lukasa · commit 80d603f8fac4 · 2015-11-15T21:00:23.000Z
diff --git a/README.rst b/README.rst
@@ -8,7 +8,7 @@ of TLS hosts. It has been extracted from the `Requests`_ project.
 Installation
 ------------
 
-`certifi` is available on PyPI. Simply install it with `pip`::
+``certifi`` is available on PyPI. Simply install it with ``pip``::
 
     $ pip install certifi
 
@@ -24,5 +24,23 @@ To reference the installed CA Bundle, you can use the built-in function::
 
 Enjoy!
 
+1024-bit Root Certificates
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Browsers and certificate authorities have concluded that 1024-bit keys are
+unacceptably weak for certificates, particularly root certificates. For this
+reason, Mozilla has removed any weak (i.e. 1024-bit key) certificate from its
+bundle, replacing it with an equivalent strong (i.e. 2048-bit or greater key)
+certifiate from the same CA. Because Mozilla removed these certificates from
+its bundle, ``certifi`` removed them as well.
+
+Unfortunately, old versions of OpenSSL (less than 1.0.2) sometimes fail to
+validate certificate chains that use the strong roots. For this reason, if you
+fail to validate a certificate using the ``certifi.where()`` mechanism, you can
+intentionally re-add the 1024-bit roots back into your bundle by calling
+``certifi.old_where()`` instead. This is not recommended in production: if at
+all possible you should upgrade to a newer OpenSSL. However, if you have no
+other option, this may work for you.
+
 .. _`Certifi`: http://certifi.io/en/latest/
 .. _`Requests`: http://docs.python-requests.org/en/latest/
