+** SSL/TLS downloads now attempt to verify the server's certificate
+against the recognized certificate authorities. The CA certificates
+are searched for at the default locations compiled into the OpenSSL
+library, and can be overridden with the `--ca-certificate' and
+`--ca-directory' options. Wget now also checks that the common name
+presented by the certificate corresponds to the host name in the URL.
+
+Although verifying the certificates provides more secure downloads, it
+*will* break interoperability with some sites that worked with
+previous versions, particularly those using self-signed, expired, or
+otherwise invalid certificates. If you see errors involving
+"certificate verify failed" or "common name doesn't match requested
+host name" and are still convinced of the site's authenticity, you
+need to use `--no-check-certificate' to bypass the verification.
+