[svn] Consolidated SSL/TLS entries.

hniksic 2005-05-14 11:12:51 -07:00
parent 2870af116f
commit 0640c88e3c

66
NEWS

@ -17,25 +17,6 @@ majority of modern Unixes, as well as MS Windows.
IPv4 and IPv6 respectively. Note that IPv6 support has not yet been
tested on Windows.
** Talking to SSL servers over proxies now actually works. Previous
versions of Wget erroneously sent GET requests for SSL URLs. Wget
1.10 utilizes the CONNECT method designed for this purpose.
** SSL/TLS downloads now attempt to verify the server's certificate
against the recognized certificate authorities. The CA certificates
are searched for at the default locations compiled into the OpenSSL
library, and can be overridden with the `--ca-certificate' and
`--ca-directory' options. Wget now also checks that the common name
presented by the certificate corresponds to the host name in the URL.
Although verifying the certificates provides more secure downloads, it
*will* break interoperability with some sites that worked with
previous versions, particularly those using self-signed, expired, or
otherwise invalid certificates. If you encounter "certificate
verification" errors or ones saying that "common name doesn't match
requested host name" and are convinced of the site's authenticity, you
can use `--no-check-certificate' to bypass the verification.
** Microsoft's proprietary "NTLM" method of HTTP authentication is now
supported. This authentication method is undocumented and only used
by IIS. Note that *proxy* authentication is not supported in this
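Review bot: The certificate-verification entry removed in this hunk named both `--ca-certificate' and `--ca-directory' and stated that CA certificates are searched for at the default locations compiled into the OpenSSL library; the consolidated entry added later in the file mentions only `--ca-certificate'. Users who keep a hashed certificate directory rather than a single PEM file lose the pointer to the option they need. Suggest carrying `--ca-directory' over into the new "SSL/TLS changes" entry, or pointing to the manual section that documents it.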
@ -49,6 +30,37 @@ the file. That way the downloaded file never shrinks, and download
retries from servers without support for partial downloads work even
when downloading to stdout.
** SSL/TLS changes:
*** SSL/TLS downloads now attempt to verify the server's certificate
against the recognized certificate authorities. This requires CA
certificates to have been installed in a location visible to the
OpenSSL library. If this is not the case, you can get the bundle
yourself from a source you trust (for example, the bundle extracted
from Mozilla available at http://curl.haxx.se/docs/caextract.html),
and point Wget to the PEM file using the `--ca-certificate'
command-line option or the corresponding `.wgetrc' command.
*** Secure downloads now verify that the host name in the URL matches
the "common name" in the certificate presented by the server.
*** Although the above checks provide more secure downloads, they
unavoidably break interoperability with some sites that worked with
previous versions, particularly those using self-signed, expired, or
otherwise invalid certificates. If you encounter "certificate
verification" errors or complaints that "common name doesn't match
requested host name" and are convinced of the site's authenticity, you
can use `--no-check-certificate' to bypass both checks.
*** Talking to SSL/TLS servers over proxies now actually works.
Previous versions of Wget erroneously sent GET requests for https
URLs. Wget 1.10 utilizes the CONNECT method designed for this
purpose.
*** The SSL/TLS-related options have been redesigned and, for the
first time, documented in the manual. The old, undocumented, options
are no longer supported.
** Passive FTP is now the default FTP transfer mode. Use
`--no-passive-ftp' or specify `passive_ftp = off' in your init file to
revert to the old behavior.
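Review bot: The CA bundle pointer in the first `***' entry is a plain http:// URL (http://curl.haxx.se/docs/caextract.html), so a bundle fetched as written arrives over the same unauthenticated channel that certificate verification is meant to replace, and whoever can alter that download controls which servers Wget will then trust. Suggest telling the reader to obtain the bundle over a channel they already trust, or to check the PEM file against a known-good copy before passing it to `--ca-certificate'. In the `--no-check-certificate' entry, "convinced of the site's authenticity" gives no hint of how to become convinced; one sentence saying that with both checks bypassed the server is not authenticated at all would make the trade-off explicit.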
@ -75,12 +87,12 @@ be used to revert to the old behavior.
** The new option `--protocol-directories' instructs Wget to also use
the protocol name as a directory component of local file names.
** Many options that previously unconditionally set or unset various
flags are now boolean options that can be invoked as either `--OPTION'
or `--no-OPTION'. Options that required an argument "on" or "off"
have also been changed this way, but they still accept the old syntax
for backward compatibility. For example, instead of `--glob=off' you
can write `--no-glob'.
** Options that previously unconditionally set or unset various flags
are now boolean options that can be invoked as either `--OPTION' or
`--no-OPTION'. Options that required an argument "on" or "off" have
also been changed this way, but they still accept the old syntax for
backward compatibility. For example, instead of `--glob=off' you can
write `--no-glob'.
Allowing `--no-OPTION' for every `--OPTION' and the other way around
is useful because it allows the user to override non-default behavior
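Review bot: The rewording of the boolean-options entry is unrelated to the commit subject, "Consolidated SSL/TLS entries", and it is more than a reflow: dropping "Many" turns the statement into a claim about every option that previously set or unset a flag unconditionally. If that stronger claim is intended, it deserves its own commit or at least a mention in the log message; if it is not, keep "Many options that previously ...".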
@ -93,10 +105,6 @@ information, such as whether the user has authenticated, in session
cookies. With this option multiple Wget runs are treated as a single
browser session.
** SSL/TLS-related options have been redesigned and documented. Refer
to the manual for details. The old, undocumented, options are no
longer supported.
** Wget now supports the --ftp-user and --ftp-password command
switches to set username and password for FTP, and the --user and
--password command switches to set username and password for both FTP