From: hniksic Date: Wed, 11 May 2005 08:31:28 +0000 (-0700) Subject: [svn] Mention that the server's certificate is now verified by default. X-Git-Tag: v1.13~1052 X-Git-Url: http://sjero.net/git/?p=wget;a=commitdiff_plain;h=646a9e10dc10ada67968afd2f9671a7455d85782 [svn] Mention that the server's certificate is now verified by default. --- diff --git a/NEWS b/NEWS index 16d86402..c8e8b7bd 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,21 @@ tested on Windows. versions of Wget erroneously sent GET requests for SSL URLs. Wget 1.10 utilizes the CONNECT method designed for this purpose. +** SSL/TLS downloads now attempt to verify the server's certificate +against the recognized certificate authorities. The CA certificates +are searched for at the default locations compiled into the OpenSSL +library, and can be overridden with the `--ca-certificate' and +`--ca-directory' options. Wget now also checks that the common name +presented by the certificate corresponds to the host name in the URL. + +Although verifying the certificates provides more secure downloads, it +*will* break interoperability with some sites that worked with +previous versions, particularly those using self-signed, expired, or +otherwise invalid certificates. If you see errors involving +"certificate verify failed" or "common name doesn't match requested +host name" and are still convinced of the site's authenticity, you +need to use `--no-check-certificate' to bypass the verification. + ** Microsoft's proprietary "NTLM" method of HTTP authentication is now supported. This authentication method is undocumented and only used by IIS. Note that *proxy* authentication is not supported in this
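Review bot: The second added paragraph points users with self-signed certificates straight at `--no-check-certificate', even though the first paragraph already names a narrower fix. For a self-signed or privately issued certificate, the entry could first suggest trusting that certificate or its issuing CA through `--ca-certificate' or `--ca-directory', which keeps verification on. `--no-check-certificate' would then be the last resort for expired or otherwise invalid certificates. As worded, it bypasses both the CA check and the common name check, and "still convinced of the site's authenticity" gives the reader no way to establish that authenticity once the certificate is ignored. A smaller point in the first paragraph: "now attempt to verify" reads as best-effort, while the second paragraph implies that a failed check stops the download. Stating outright what happens on failure would remove the ambiguity.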