mirror of
https://github.com/moparisthebest/wget
synced 2024-07-03 16:38:41 -04:00
[svn] Consolidated SSL/TLS entries.
This commit is contained in:
hniksic
parent
2870af116f
commit
0640c88e3c
66
NEWS
66
NEWS
@ -17,25 +17,6 @@ majority of modern Unixes, as well as MS Windows.
|
||||
IPv4 and IPv6 respectively. Note that IPv6 support has not yet been
|
||||
tested on Windows.
|
||||
|
||||
** Talking to SSL servers over proxies now actually works. Previous
|
||||
versions of Wget erroneously sent GET requests for SSL URLs. Wget
|
||||
1.10 utilizes the CONNECT method designed for this purpose.
|
||||
|
||||
** SSL/TLS downloads now attempt to verify the server's certificate
|
||||
against the recognized certificate authorities. The CA certificates
|
||||
are searched for at the default locations compiled into the OpenSSL
|
||||
library, and can be overridden with the `--ca-certificate' and
|
||||
`--ca-directory' options. Wget now also checks that the common name
|
||||
presented by the certificate corresponds to the host name in the URL.
|
||||
|
||||
Although verifying the certificates provides more secure downloads, it
|
||||
*will* break interoperability with some sites that worked with
|
||||
previous versions, particularly those using self-signed, expired, or
|
||||
otherwise invalid certificates. If you encounter "certificate
|
||||
verification" errors or ones saying that "common name doesn't match
|
||||
requested host name" and are convinced of the site's authenticity, you
|
||||
can use `--no-check-certificate' to bypass the verification.
|
||||
|
||||
** Microsoft's proprietary "NTLM" method of HTTP authentication is now
|
||||
supported. This authentication method is undocumented and only used
|
||||
by IIS. Note that *proxy* authentication is not supported in this
|
||||
@ -49,6 +30,37 @@ the file. That way the downloaded file never shrinks, and download
|
||||
retries from servers without support for partial downloads work even
|
||||
when downloading to stdout.
|
||||
|
||||
** SSL/TLS changes:
|
||||
|
||||
*** SSL/TLS downloads now attempt to verify the server's certificate
|
||||
against the recognized certificate authorities. This requires CA
|
||||
certificates to have been installed in a location visible to the
|
||||
OpenSSL library. If this is not the case, you can get the bundle
|
||||
yourself from a source you trust (for example, the bundle extracted
|
||||
from Mozilla available at http://curl.haxx.se/docs/caextract.html),
|
||||
and point Wget to the PEM file using the `--ca-certificate'
|
||||
command-line option or the corresponding `.wgetrc' command.
|
||||
|
||||
*** Secure downloads now verify that the host name in the URL matches
|
||||
the "common name" in the certificate presented by the server.
|
||||
|
||||
*** Although the above checks provide more secure downloads, they
|
||||
unavoidably break interoperability with some sites that worked with
|
||||
previous versions, particularly those using self-signed, expired, or
|
||||
otherwise invalid certificates. If you encounter "certificate
|
||||
verification" errors or complaints that "common name doesn't match
|
||||
requested host name" and are convinced of the site's authenticity, you
|
||||
can use `--no-check-certificate' to bypass both checks.
|
||||
|
||||
*** Talking to SSL/TLS servers over proxies now actually works.
|
||||
Previous versions of Wget erroneously sent GET requests for https
|
||||
URLs. Wget 1.10 utilizes the CONNECT method designed for this
|
||||
purpose.
|
||||
|
||||
*** The SSL/TLS-related options have been redesigned and, for the
|
||||
first time, documented in the manual. The old, undocumented, options
|
||||
are no longer supported.
|
||||
|
||||
** Passive FTP is now the default FTP transfer mode. Use
|
||||
`--no-passive-ftp' or specify `passive_ftp = off' in your init file to
|
||||
revert to the old behavior.
|
||||
@ -75,12 +87,12 @@ be used to revert to the old behavior.
|
||||
** The new option `--protocol-directories' instructs Wget to also use
|
||||
the protocol name as a directory component of local file names.
|
||||
|
||||
** Many options that previously unconditionally set or unset various
|
||||
flags are now boolean options that can be invoked as either `--OPTION'
|
||||
or `--no-OPTION'. Options that required an argument "on" or "off"
|
||||
have also been changed this way, but they still accept the old syntax
|
||||
for backward compatibility. For example, instead of `--glob=off' you
|
||||
can write `--no-glob'.
|
||||
** Options that previously unconditionally set or unset various flags
|
||||
are now boolean options that can be invoked as either `--OPTION' or
|
||||
`--no-OPTION'. Options that required an argument "on" or "off" have
|
||||
also been changed this way, but they still accept the old syntax for
|
||||
backward compatibility. For example, instead of `--glob=off' you can
|
||||
write `--no-glob'.
|
||||
|
||||
Allowing `--no-OPTION' for every `--OPTION' and the other way around
|
||||
is useful because it allows the user to override non-default behavior
|
||||
@ -93,10 +105,6 @@ information, such as whether the user has authenticated, in session
|
||||
cookies. With this option multiple Wget runs are treated as a single
|
||||
browser session.
|
||||
|
||||
** SSL/TLS-related options have been redesigned and documented. Refer
|
||||
to the manual for details. The old, undocumented, options are no
|
||||
longer supported.
|
||||
|
||||
** Wget now supports the --ftp-user and --ftp-password command
|
||||
switches to set username and password for FTP, and the --user and
|
||||
--password command switches to set username and password for both FTP
|
||||
|
||||
Loading…
Reference in New Issue
Block a user