+2005-05-11 Hrvoje Niksic <hniksic@xemacs.org>
+
+ * wget.texi (HTTPS (SSL/TLS) Options): Explain certificate
+ checking in more detail.
+
2005-05-08 Hrvoje Niksic <hniksic@xemacs.org>
* texi2pod.pl.in: Allow an "EXAMPLES" section.
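Review bot: The entry "Explain certificate checking in more detail" understates the wget.texi change, which also corrects "client authorities" to "certificate authorities" and newly documents that --no-check-certificate skips the match between the URL host name and the certificate's common name. Suggest naming both in the entry so the documented behaviour of the option can be traced from the ChangeLog.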
@cindex SSL certificate, check
@item --no-check-certificate
-Don't check the server certificate against the available client
-authorities. If this is not specified, Wget will break the SSL
-handshake if the server certificate is not valid.
+Don't check the server certificate against the available certificate
+authorities. Also don't require the URL host name to match the common
+name presented by the certificate.
+
+As of Wget 1.10, the default is to verify the server's certificate
+against the recognized certificate authorities, breaking the SSL
+handshake and aborting the download if the verification fails.
+Although this provides more secure downloads, it does break
+interoperability with some sites that worked with previous Wget
+versions, particularly those using self-signed, expired, or otherwise
+invalid certificates. This option forces an ``insecure'' mode of
+operation that turns the certificate verification errors into warnings
+and allows you to proceed.
+
+If you see errors involving ``certificate verify failed'' or ``common
+name doesn't match requested host name'', you need to use this option
+to proceed with the download. @emph{Only use this option if you are
+otherwise convinced of the site's authenticity, or if you don't care
+about the certificate validity.} It is almost always a bad idea to
+use this option when transmitting confidential or important data.
@cindex SSL certificate
@item --certificate=@var{file}
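Review bot: In the paragraph starting "If you see errors involving", the wording "you need to use this option to proceed with the download" presents turning verification off as the only remedy for both errors, which undercuts the @emph warning that follows it. Suggest "you can use this option" and naming the safer fixes first: supplying the correct CA certificate for a self-signed or privately signed server (Wget's --ca-certificate and --ca-directory options), or requesting the host name the certificate was issued for. The clause "or if you don't care about the certificate validity" inside the @emph also reads as a general escape hatch; consider limiting it to downloads where neither the confidentiality nor the integrity of the data matters, which is what the final sentence implies.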