Note about RestfulService SSL verification in upgrading guide

docs/en/changelogs/3.1.0.md

@@ -22,6 +22,7 @@
  * Deny URL access if `Controller::$allowed_actions` is undefined
  * Removed support for "*" rules in `Controller::$allowed_actions`
  * Removed support for overriding rules on parent classes through `Controller::$allowed_actions`
+ * `RestfulService` verifies SSL peers by default
  * Editing of relation table data (`$many_many_extraFields`) in `GridField`
  * Optional integration with ImageMagick as a new image manipulation backend
  * Support for PHP 5.4's built-in webserver
@@ -174,6 +175,17 @@ in order to reduce the boilerplate code required to get a model editable in the
 Note: GridField is already relying on the permission checks performed
 through the CMS controllers, providing a simple level of security.
 
+### RestfulService verifies SSL peers by default
+
+This makes the implementation "secure by default", by removing
+the call to `curl_setopt(CURLOPT_SSL_VERIFYPEER, false)`.
+Failing to validate SSL peers makes HTTP requests vulnerable to man in the middle attacks.
+The underlying `curl` library relies on the operating system for the resulting CA certificate
+verification. On some systems (mainly Windows), these certificates are not available on
+a standard PHP installation, and need to be added manually through `CURLOPT_CAINFO`.
+Although it is not recommended, you can restore the old insecure behaviour with
+the following configuration: `RestfulService::set_default_curl_option(CURLOPT_SSL_VERIFYPEER, false)`.
+
 ### Other
 
  * `TableListField`, `ComplexTableField`, `TableField`, `HasOneComplexTableField`, `HasManyComplexTableField` and `ManyManyComplexTableField` have been removed from the core and placed into a module called "legacytablefields" located at https://github.com/silverstripe-labs/legacytablefields