From: hniksic <devnull@localhost>
Date: Wed, 11 May 2005 08:44:43 +0000 (-0700)
Subject: [svn] Explain certificate checking in more detail.
X-Git-Tag: v1.13~1051
X-Git-Url: http://sjero.net/git/?p=wget;a=commitdiff_plain;h=7bde96291266063517cc9e179879f24971d157f3

[svn] Explain certificate checking in more detail.
---

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 29eadb24..e87ae3ca 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,8 @@
+2005-05-11  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* wget.texi (HTTPS (SSL/TLS) Options): Explain certificate
+	checking in more detail.
+
 2005-05-08  Hrvoje Niksic  <hniksic@xemacs.org>
 
 	* texi2pod.pl.in: Allow an "EXAMPLES" section.
diff --git a/doc/wget.texi b/doc/wget.texi
index aace0ec0..1ed21555 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1369,9 +1369,26 @@ quite rare.
 
 @cindex SSL certificate, check
 @item --no-check-certificate
-Don't check the server certificate against the available client
-authorities.  If this is not specified, Wget will break the SSL
-handshake if the server certificate is not valid.
+Don't check the server certificate against the available certificate
+authorities.  Also don't require the URL host name to match the common
+name presented by the certificate.
+
+As of Wget 1.10, the default is to verify the server's certificate
+against the recognized certificate authorities, breaking the SSL
+handshake and aborting the download if the verification fails.
+Although this provides more secure downloads, it does break
+interoperability with some sites that worked with previous Wget
+versions, particularly those using self-signed, expired, or otherwise
+invalid certificates.  This option forces an ``insecure'' mode of
+operation that turns the certificate verification errors into warnings
+and allows you to proceed.
+
+If you see errors involving ``certificate verify failed'' or ``common
+name doesn't match requested host name'', you need to use this option
+to proceed with the download.  @emph{Only use this option if you are
+otherwise convinced of the site's authenticity, or if you don't care
+about the certificate validity.}  It is almost always a bad idea to
+use this option when transmitting confidential or important data.
 
 @cindex SSL certificate
 @item --certificate=@var{file}