diff -urN lynx2-8-4-dist/WWW/Library/Implementation/HTTP.c lynx2-8-4/WWW/Library/Implementation/HTTP.c
--- lynx2-8-4-dist/WWW/Library/Implementation/HTTP.c Sat Jul 14 21:06:16 2001
+++ lynx2-8-4/WWW/Library/Implementation/HTTP.c Thu Aug 1 19:51:42 2002
@@ -73,6 +73,7 @@
 #ifdef USE_SSL
 PUBLIC SSL_CTX * ssl_ctx = NULL; /* SSL ctx */
+PUBLIC int ssl_okay;
 PRIVATE void free_ssl_ctx NOARGS
 {
@@ -80,6 +81,29 @@
 SSL_CTX_free(ssl_ctx);
 }
+PRIVATE int HTSSLCallback(int preverify_ok, X509_STORE_CTX *x509_ctx)
+{
+ char msg[256];
+
+ if (preverify_ok || ssl_okay)
+ return 1;
+
+#if NOTDEFINED
+ snprintf(msg, 256, "SSL error:%s-Continue?",
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));
+ if (! HTConfirmDefault(msg, TRUE))
+ return 0;
+#else
+ if (! HTConfirmDefault("Error verifying SSL certificate - Continue?",
+ TRUE))
+ return 0;
+#endif /* NOTDEFINED */
+
+ /* Once the user has said okay once, just go on from then on */
+ ssl_okay = 1;
+ return 1;
+}
+
 PUBLIC SSL * HTGetSSLHandle NOARGS
 {
 if (ssl_ctx == NULL) {
@@ -94,9 +118,11 @@
 ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
 SSL_CTX_set_default_verify_paths(ssl_ctx);
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, HTSSLCallback);
 #endif /* SSLEAY_VERSION_NUMBER < 0x0800 */
 atexit(free_ssl_ctx);
 }
+ ssl_okay = 0;
 return(SSL_new(ssl_ctx));
 }
@@ -386,6 +412,11 @@
 char *connect_host = NULL; /* The host being proxied */
 SSL * handle = NULL; /* The SSL handle */
 char SSLprogress[256]; /* progress bar message */
+ char ssl_dn[256];
+ char *cert_host;
+ char *ssl_host;
+ char *p;
+ char msg[256];
 #if SSLEAY_VERSION_NUMBER >= 0x0900
 BOOL try_tls = TRUE;
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
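Review bot: `HTConfirmDefault(..., TRUE)` in HTSSLCallback makes continuing past a failed certificate verification the default answer, so a bare Enter at the prompt accepts an unverified peer, and because the informative branch is compiled out under `#if NOTDEFINED` the user is asked without being told what failed (unknown CA, expired, self-signed). Enable that branch and flip the default: `snprintf(msg, sizeof(msg), "SSL error:%s-Continue?", X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_ctx)));` followed by `if (! HTConfirmDefault(msg, FALSE)) return 0;`. As written the `#else` path also leaves `msg` and `x509_ctx` unused. Note that `ssl_okay = 1` is a file-scope flag, so one acceptance silences the prompt for every remaining certificate in the chain and for anything else verified through the same handle until HTGetSSLHandle resets it; if that is intended, a comment such as `/* acceptance is per SSL handle, not per certificate */` would make it explicit.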
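Review bot: With `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, HTSSLCallback)` now enabled, the unchecked `SSL_CTX_set_default_verify_paths(ssl_ctx)` on the preceding context line starts to matter: if the default CA bundle cannot be loaded, every server certificate fails verification and the user is prompted on every HTTPS connection, which trains them to click through. Check the return value and say so once, e.g. `if (!SSL_CTX_set_default_verify_paths(ssl_ctx)) HTAlert("SSL: no CA certificates loaded - peer certificates cannot be verified");`. The new call sits inside a preprocessor conditional whose `#if` is outside the hunk (only `#endif /* SSLEAY_VERSION_NUMBER < 0x0800 */` is visible); if the other branch of that conditional also creates `ssl_ctx`, it is left without a verify callback. The head of HTGetSSLHandle lies outside this hunk.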
@@ -554,20 +585,24 @@
 goto done;
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
 }
- sprintf(SSLprogress,"Secure %d-bit %s (%s) HTTP connection",SSL_get_cipher_bits(handle,NULL),SSL_get_cipher_version(handle),SSL_get_cipher(handle));
- _HTProgress(SSLprogress);
-#ifdef NOTDEFINED
- if (strcmp(HTParse(url, "", PARSE_HOST),
- strstr(X509_NAME_oneline(
- X509_get_subject_name(
- handle->session->peer)),"/CN=")+4)) {
- HTAlert("Certificate is for different host name");
- HTAlert(strstr(X509_NAME_oneline(
- X509_get_subject_name(
- handle->session->peer)),"/CN=")+4);
+ X509_NAME_oneline(X509_get_subject_name(SSL_get_peer_certificate(handle)),
+ ssl_dn, 256);
+ cert_host = strstr(ssl_dn, "/CN=") + 4;
+ if ((p = strchr(cert_host, '/')) != NULL)
+ *p = '\0';
+ ssl_host = HTParse(url, "", PARSE_HOST);
+ if (strcmp(ssl_host, cert_host)) {
+ snprintf(msg, 256, "SSL error:host(%s)!=cert(%s)-Continue?", ssl_host,
+ cert_host);
+ if (! HTConfirmDefault(msg, TRUE)) {
+ status = HT_NOT_LOADED;
+ goto done;
+ }
 }
-#endif /* NOTDEFINED */
+
+ sprintf(SSLprogress,"Secure %d-bit %s (%s) HTTP connection",SSL_get_cipher_bits(handle,NULL),SSL_get_cipher_version(handle),SSL_get_cipher(handle));
+ _HTProgress(SSLprogress);
 }
 #endif /* USE_SSL */
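Review bot: `strstr(ssl_dn, "/CN=") + 4` is passed to `strchr` without a NULL check, so a server certificate whose subject carries no commonName (or whose rendering is cut by the 256-byte `X509_NAME_oneline` buffer before the CN) crashes the client on remote-supplied input, and `SSL_get_peer_certificate(handle)` can itself return NULL when the peer presents no certificate, in which case `X509_get_subject_name` is called on NULL. The reference that `SSL_get_peer_certificate` returns is also never released with `X509_free`. Parsing the oneline rendering is fragile in a second way: `strstr` finds the first `/CN=` in the string, so if the library does not escape `/` inside attribute values an earlier RDN (an OU, say) containing the text `/CN=www.example.com` is taken as the certificate host, whereas `X509_NAME_get_text_by_NID(..., NID_commonName, ...)` reads the real CN with no string parsing at all. Finally, `strcmp` is case-sensitive while DNS names are not, wildcard CNs and subjectAltName entries are never matched (every such site prompts the user), `HTConfirmDefault(msg, TRUE)` makes accepting the mismatch the default answer, and if `HTParse` returns an allocated copy here as it appears to elsewhere in lynx, `ssl_host` is leaked. The rewrite below needs an `X509 *peer_cert;` next to the other new declarations and makes `p` unused; the enclosing function starts and ends outside the hunk.
```c
	/* … unchanged: handshake and try_tls fallback above … */
	peer_cert = SSL_get_peer_certificate(handle);
	if (peer_cert == NULL) {
	    HTAlert("SSL error: server presented no certificate");
	    status = HT_NOT_LOADED;
	    goto done;
	}
	/* Read the commonName directly: no "/CN=" string parsing, no NULL + 4. */
	if (X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
				      NID_commonName, ssl_dn, sizeof(ssl_dn)) < 0)
	    ssl_dn[0] = '\0';		/* no CN: treated as a mismatch below */
	X509_free(peer_cert);		/* SSL_get_peer_certificate() took a reference */
	cert_host = ssl_dn;
	ssl_host = HTParse(url, "", PARSE_HOST);
	/* DNS names are case-insensitive; wildcard/subjectAltName matching is still TODO */
	if (strcasecomp(ssl_host, cert_host)) {
	    snprintf(msg, sizeof(msg), "SSL error:host(%s)!=cert(%s)-Continue?",
		     ssl_host, cert_host);
	    if (! HTConfirmDefault(msg, FALSE)) {	/* default: do not continue */
		status = HT_NOT_LOADED;
		goto done;
	    }
	}
	/* … unchanged: "Secure %d-bit" progress message … */
```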