whatsnew/3.13: add note for disabling VERIFY_X509_STRICT

Author: woodruffw

Doc/whatsnew/3.13.rst

@@ -127,6 +127,16 @@ Other Language Changes
 * The :func:`ssl.create_default_context` API now includes
   :data:`ssl.VERIFY_X509_PARTIAL_CHAIN` and :data:`ssl.VERIFY_X509_STRICT`
   in its default flags.
+
+  .. note::
+
+   :data:`ssl.VERIFY_X509_STRICT` may reject pre-:rfc:`5280` or malformed
+   certificates that the underlying OpenSSL implementation otherwise would
+   accept. While disabling this is not recommended, you can do so using::
+
+      ctx = ssl.create_default_context()
+      ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
+
   (Contributed by William Woodruff in :gh:`112389`.)
 
 New Modules