diff --git a/doc/ChangeLog b/doc/ChangeLog index 29eadb24..e87ae3ca 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,8 @@ +2005-05-11 Hrvoje Niksic + + * wget.texi (HTTPS (SSL/TLS) Options): Explain certificate + checking in more detail. + 2005-05-08 Hrvoje Niksic * texi2pod.pl.in: Allow an "EXAMPLES" section. diff --git a/doc/wget.texi b/doc/wget.texi index aace0ec0..1ed21555 100644 --- a/doc/wget.texi +++ b/doc/wget.texi @@ -1369,9 +1369,26 @@ quite rare. @cindex SSL certificate, check @item --no-check-certificate -Don't check the server certificate against the available client -authorities. If this is not specified, Wget will break the SSL -handshake if the server certificate is not valid. +Don't check the server certificate against the available certificate +authorities. Also don't require the URL host name to match the common +name presented by the certificate. + +As of Wget 1.10, the default is to verify the server's certificate +against the recognized certificate authorities, breaking the SSL +handshake and aborting the download if the verification fails. +Although this provides more secure downloads, it does break +interoperability with some sites that worked with previous Wget +versions, particularly those using self-signed, expired, or otherwise +invalid certificates. This option forces an ``insecure'' mode of +operation that turns the certificate verification errors into warnings +and allows you to proceed. + +If you see errors involving ``certificate verify failed'' or ``common +name doesn't match requested host name'', you need to use this option +to proceed with the download. @emph{Only use this option if you are +otherwise convinced of the site's authenticity, or if you don't care +about the certificate validity.} It is almost always a bad idea to +use this option when transmitting confidential or important data. @cindex SSL certificate @item --certificate=@var{file}
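Review bot: In the third added paragraph of the wget.texi hunk, "you need to use this option to proceed with the download" presents disabling verification as the required response to "certificate verify failed" or a host name mismatch, which are the same errors an intercepted connection would produce. Suggest "you can use this option to bypass the verification and proceed", preceded by a sentence telling the reader to first check the URL host name and whether the site's certificate authority is among those Wget recognizes. The closing caveat also covers only "transmitting confidential or important data"; with verification off the downloaded content is unauthenticated too, so it should mention files that will later be executed or installed. Minor: the first paragraph says "Don't check the server certificate" while the second says the option "turns the certificate verification errors into warnings", so state once whether the check still runs and is only reported.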