Please send GNU Wget bug reports to <bug-wget@gnu.org>.
\f
+* Changes in Wget 1.11.
+
+** The "lockable boolean" argument type is no longer supported. It
+was only used by the passive_ftp .wgetrc setting. If you're running
+broken scripts or Perl modules that unconditionally specify
+`--passive-ftp' and your firewall disallows it, you can override them
+by replacing wget with a script that execs wget "$@" --no-passive-ftp.
+\f
* Changes in Wget 1.10.
-** Downloading files greater than 2GB, also known as "large files",
-now works on systems that support them. This includes most modern
-Unix variants, as well as Windows.
+** Downloading files larger than 2GB, sometimes referred to as "large
+files", now works on systems that support them. This includes the
+majority of modern Unixes, as well as MS Windows.
** IPv6 is now supported by Wget. Unlike the experimental code in
-1.9, this version has no problems with dual-family systems. The new
-flags `--inet4' and `--inet6' (or `-4' and `-6' for short) force the
-use of IPv4 and IPv6 respectively. Unfortunately the IPv6 support
-still does not work on Windows.
-
-** Talking to SSL servers over proxies now actually works. Previous
-versions of Wget erroneously sent GET requests for SSL URLs. Wget
-1.10 utilizes the CONNECT method designed for this purpose.
+1.9, this version supports dual-family systems. The new flags
+`--inet4' and `--inet6' (or `-4' and `-6' for short) force the use of
+IPv4 and IPv6 respectively. Note that IPv6 support has not yet been
+tested on Windows.
** Microsoft's proprietary "NTLM" method of HTTP authentication is now
supported. This authentication method is undocumented and only used
retries from servers without support for partial downloads work even
when downloading to stdout.
+** SSL/TLS changes:
+
+*** SSL/TLS downloads now attempt to verify the server's certificate
+against the recognized certificate authorities. This requires CA
+certificates to have been installed in a location visible to the
+OpenSSL library. If this is not the case, you can get the bundle
+yourself from a source you trust (for example, the bundle extracted
+from Mozilla available at http://curl.haxx.se/docs/caextract.html),
+and point Wget to the PEM file using the `--ca-certificate'
+command-line option or the corresponding `.wgetrc' command.
+
+*** Secure downloads now verify that the host name in the URL matches
+the "common name" in the certificate presented by the server.
+
+*** Although the above checks provide more secure downloads, they
+unavoidably break interoperability with some sites that worked with
+previous versions, particularly those using self-signed, expired, or
+otherwise invalid certificates. If you encounter "certificate
+verification" errors or complaints that "common name doesn't match
+requested host name" and are convinced of the site's authenticity, you
+can use `--no-check-certificate' to bypass both checks.
+
+*** Talking to SSL/TLS servers over proxies now actually works.
+Previous versions of Wget erroneously sent GET requests for https
+URLs. Wget 1.10 utilizes the CONNECT method designed for this
+purpose.
+
+*** The SSL/TLS-related options have been redesigned and, for the
+first time, documented in the manual. The old, undocumented, options
+are no longer supported.
+
** Passive FTP is now the default FTP transfer mode. Use
`--no-passive-ftp' or specify `passive_ftp = off' in your init file to
revert to the old behavior.
** The new option `--protocol-directories' instructs Wget to also use
the protocol name as a directory component of local file names.
-** Many options that previously unconditionally set or unset various
-flags are now boolean options that can be invoked as either `--OPTION'
-or `--no-OPTION'. Options that required an argument "on" or "off"
-have also been changed this way, but they still accept the old syntax
-for backward compatibility. For example, instead of `--glob=off' you
-can write `--no-glob'.
+** Options that previously unconditionally set or unset various flags
+are now boolean options that can be invoked as either `--OPTION' or
+`--no-OPTION'. Options that required an argument "on" or "off" have
+also been changed this way, but they still accept the old syntax for
+backward compatibility. For example, instead of `--glob=off' you can
+write `--no-glob'.
Allowing `--no-OPTION' for every `--OPTION' and the other way around
is useful because it allows the user to override non-default behavior
projects / wget / blobdiff