+
+If the server is using session cookies to track user authentication,
+the above will not work because @samp{--save-cookies} will not save
+them (and neither will browsers) and the @file{cookies.txt} file will
+be empty. In that case use @samp{--keep-session-cookies} along with
+@samp{--save-cookies} to force saving of session cookies.
+@end table
+
+@node HTTPS (SSL/TLS) Options
+@section HTTPS (SSL/TLS) Options
+
+@cindex SSL
+To support encrypted HTTP (HTTPS) downloads, Wget must be compiled
+with an external SSL library, currently OpenSSL. If Wget is compiled
+without SSL support, none of these options are available.
+
+@table @samp
+@cindex SSL protocol, choose
+@item --secure-protocol=@var{protocol}
+Choose the secure protocol to be used. Legal values are @samp{auto},
+@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}. If @samp{auto} is used,
+the SSL library is given the liberty of choosing the appropriate
+protocol automatically, which is achieved by sending an SSLv2 greeting
+and announcing support for SSLv3 and TLSv1. This is the default.
+
+Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
+of the corresponding protocol. This is useful when talking to old and
+buggy SSL server implementations that make it hard for OpenSSL to
+choose the correct protocol version. Fortunately, such servers are
+quite rare.
+
+@cindex SSL certificate, check
+@item --no-check-certificate
+Don't check the server certificate against the available certificate
+authorities. Also don't require the URL host name to match the common
+name presented by the certificate.
+
+As of Wget 1.10, the default is to verify the server's certificate
+against the recognized certificate authorities, breaking the SSL
+handshake and aborting the download if the verification fails.
+Although this provides more secure downloads, it does break
+interoperability with some sites that worked with previous Wget
+versions, particularly those using self-signed, expired, or otherwise
+invalid certificates. This option forces an ``insecure'' mode of
+operation that turns the certificate verification errors into warnings
+and allows you to proceed.
+
+If you encounter ``certificate verification'' errors or ones saying
+that ``common name doesn't match requested host name'', you can use
+this option to bypass the verification and proceed with the download.
+@emph{Only use this option if you are otherwise convinced of the
+site's authenticity, or if you really don't care about the validity of
+its certificate.} It is almost always a bad idea not to check the
+certificates when transmitting confidential or important data.
+
+@cindex SSL certificate
+@item --certificate=@var{file}
+Use the client certificate stored in @var{file}. This is needed for
+servers that are configured to require certificates from the clients
+that connect to them. Normally a certificate is not required and this
+switch is optional.
+
+@cindex SSL certificate type, specify
+@item --certificate-type=@var{type}
+Specify the type of the client certificate. Legal values are
+@samp{PEM} (assumed by default) and @samp{DER}, also known as
+@samp{ASN1}.
+
+@item --private-key=@var{file}
+Read the private key from @var{file}. This allows you to provide the
+private key in a file separate from the certificate.
+
+@item --private-key-type=@var{type}
+Specify the type of the private key. Accepted values are @samp{PEM}
+(the default) and @samp{DER}.
+
+@item --ca-certificate=@var{file}
+Use @var{file} as the file with the bundle of certificate authorities
+(``CA'') to verify the peers. The certificates must be in PEM format.
+
+Without this option Wget looks for CA certificates at the
+system-specified locations, chosen at OpenSSL installation time.
+
+@cindex SSL certificate authority
+@item --ca-directory=@var{directory}
+Specifies directory containing CA certificates in PEM format. Each
+file contains one CA certificate, and the file name is based on a hash
+value derived from the certificate. This is achieved by processing a
+certificate directory with the @code{c_rehash} utility supplied with
+OpenSSL. Using @samp{--ca-directory} is more efficient than
+@samp{--ca-certificate} when many certificates are installed because
+it allows Wget to fetch certificates on demand.
+
+Without this option Wget looks for CA certificates at the
+system-specified locations, chosen at OpenSSL installation time.
+
+@cindex entropy, specifying source of
+@cindex randomness, specifying source of
+@item --random-file=@var{file}
+Use @var{file} as the source of random data for seeding the
+pseudo-random number generator on systems without @file{/dev/random}.
+
+On such systems the SSL library needs an external source of randomness
+to initialize. Randomness may be provided by EGD (see
+@samp{--egd-file} below) or read from an external source specified by
+the user. If this option is not specified, Wget looks for random data
+in @code{$RANDFILE} or, if that is unset, in @file{$HOME/.rnd}. If
+none of those are available, it is likely that SSL encryption will not
+be usable.
+
+If you're getting the ``Could not seed OpenSSL PRNG; disabling SSL.''
+error, you should provide random data using some of the methods
+described above.
+
+@cindex EGD
+@item --egd-file=@var{file}
+Use @var{file} as the EGD socket. EGD stands for @dfn{Entropy
+Gathering Daemon}, a user-space program that collects data from
+various unpredictable system sources and makes it available to other
+programs that might need it. Encryption software, such as the SSL
+library, needs sources of non-repeating randomness to seed the random
+number generator used to produce cryptographically strong keys.
+
+OpenSSL allows the user to specify his own source of entropy using the
+@code{RAND_FILE} environment variable. If this variable is unset, or
+if the specified file does not produce enough randomness, OpenSSL will
+read random data from EGD socket specified using this option.
+
+If this option is not specified (and the equivalent startup command is
+not used), EGD is never contacted. EGD is not needed on modern Unix
+systems that support @file{/dev/random}.
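
Review bot: The @samp{--egd-file} entry names the OpenSSL environment variable as @code{RAND_FILE}, but the @samp{--random-file} entry earlier in this same hunk calls it @code{$RANDFILE}. The two should agree, and OpenSSL's variable is RANDFILE, so the later paragraph should read "using the @code{RANDFILE} environment variable". Two smaller points in the same section: @samp{--private-key}, @samp{--private-key-type} and @samp{--ca-certificate} have no @cindex line while the neighbouring items do, so they will be missing from the concept index. The closing paragraph also refers to "the equivalent startup command" without naming it or cross-referencing the startup file section, which leaves the reader unable to tell which setting would cause EGD to be contacted.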