diff --git a/ChangeLog b/ChangeLog
index 6c64707e6a..ca6f444e09 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Sun Jun 10 10:27:34 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+	* NEWS: Add note about the new private key export behavior.
+
 Sun Jun 10 10:24:51 2012  Tanaka Akira  <akr@fsij.org>
 
 	* process.c (rb_exec_async_signal_safe): exported.
diff --git a/NEWS b/NEWS
index 7a67533b1e..f51398e948 100644
--- a/NEWS
+++ b/NEWS
@@ -131,6 +131,13 @@ with all sufficient information, see the ChangeLog file.
     also allows to programmatically decline (client) renegotiation attempts.
   * Support for "0/n" splitting of records as BEAST mitigation via
     OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.
+  * OpenSSL requires passwords for decrypting PEM-encoded files to be at least
+    four characters long. This led to awkward situations where an export with
+    a password with fewer than four characters was possible, but accessing the
+    file afterwards failed. OpenSSL::PKey::RSA, OpenSSL::PKey::DSA and
+    OpenSSL::PKey::EC therefore now enforce the same check when exporting a
+    private key to PEM with a password - it has to be at least four characters
+    long.
 
 === Language changes
 === Compatibility issues (excluding feature bug fixes)