[svn] Mention that the server's certificate is now verified by default.

diff --git a/NEWS b/NEWS
index 16d8640215d2edcfc82072dc009b55ed53f70458..c8e8b7bd97bf744857281900e8f2eb4cb9c568d0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,21 @@ tested on Windows.
 versions of Wget erroneously sent GET requests for SSL URLs.  Wget
 1.10 utilizes the CONNECT method designed for this purpose.
 
 versions of Wget erroneously sent GET requests for SSL URLs.  Wget
 1.10 utilizes the CONNECT method designed for this purpose.
 

+** SSL/TLS downloads now attempt to verify the server's certificate
+against the recognized certificate authorities.  The CA certificates
+are searched for at the default locations compiled into the OpenSSL
+library, and can be overridden with the `--ca-certificate' and
+`--ca-directory' options.  Wget now also checks that the common name
+presented by the certificate corresponds to the host name in the URL.
+
+Although verifying the certificates provides more secure downloads, it
+*will* break interoperability with some sites that worked with
+previous versions, particularly those using self-signed, expired, or
+otherwise invalid certificates.  If you see errors involving
+"certificate verify failed" or "common name doesn't match requested
+host name" and are still convinced of the site's authenticity, you
+need to use `--no-check-certificate' to bypass the verification.
+

 ** Microsoft's proprietary "NTLM" method of HTTP authentication is now
 supported.  This authentication method is undocumented and only used
 by IIS.  Note that *proxy* authentication is not supported in this
 ** Microsoft's proprietary "NTLM" method of HTTP authentication is now
 supported.  This authentication method is undocumented and only used
 by IIS.  Note that *proxy* authentication is not supported in this