
Oh, nice, you are right; it should be compiled against the OS's key storage. Actually it's wget that often doesn't care about that.



Um, GNU wget does check the key, and it requires the lengthy `--no-check-certificate` to disable it.

Perhaps busybox wget doesn't check the key? But if you're using busybox, that's a whole other can of worms.


Wget does not validate certificates by default because there's no CA bundle provided with wget. It does check for /etc/ssl/cert.pem, but it doesn't provide one. So you have to provide one or set up /etc/ssl/certs/ as OpenSSL libraries expect.

Curl does provide a CA bundle (/usr/share/curl/ca-bundle.crt) and by default libcurl validates certs against it.


cURL doesn't provide a CA bundle any more [1]; it's the job of your OS to provide this. As I understand it, all tools that provide SSL support will fail safe if there are no root CAs on your system.

[1] http://curl.haxx.se/docs/sslcerts.html


Though, to be fair:

    $ pacman -Qi ca-certificates | grep 'Required By'
    Required By    : ca-certificates-java  curl  glib-networking  neon  qca  qt4

Note that curl is on that list but wget isn't.


Pacman lists ca-certificates as an optional requirement of wget: https://www.archlinux.org/packages/extra/x86_64/wget/

But the point halfasleep is making is important: Don't assume either wget or curl will validate your SSL connection because it may not have been set up by your OS/distribution.
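An added shell check for the point above, not code from any poster here: it looks for a CA bundle in the usual system locations and confirms that curl/wget actually refuse a connection when handed an empty trust store. The candidate paths and the default test URL (https://example.com/) are assumptions; adjust them for your system.

```shell
# Added example (not from the thread): (1) find a usable CA bundle and
# (2) confirm curl/wget fail closed with an empty trust store.
# Candidate paths are common Linux/BSD defaults (assumption).

# Print the first readable file among the candidate paths that contains at
# least one certificate; return 1 if none qualifies.
find_ca_bundle() {
    if [ "$#" -eq 0 ]; then
        set -- /etc/ssl/cert.pem /etc/ssl/certs/ca-certificates.crt \
               /etc/pki/tls/certs/ca-bundle.crt /usr/share/curl/ca-bundle.crt
    fi
    for p in "$@"; do
        if [ -r "$p" ] && grep -q 'BEGIN CERTIFICATE' "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Fetch $url with the tool's normal trust store, then again with an empty
# CA file and an empty CA directory. Returns 0 if the second fetch is refused
# (fails closed), 1 if it succeeds (no validation!), 2 if the tool is
# missing or rejects the options, 3 if the URL is unreachable at all.
fails_closed() {
    tool="$1"; url="${2:-https://example.com/}"
    command -v "$tool" >/dev/null 2>&1 || return 2
    tmpd=$(mktemp -d) || return 2             # assumed: no spaces in the path
    : > "$tmpd/ca.pem"                        # empty bundle trusts nothing
    case "$tool" in
        curl) base="curl -sS -o /dev/null"
              notrust="--cacert $tmpd/ca.pem --capath $tmpd" ;;
        wget) base="wget -q -O /dev/null"
              notrust="--ca-certificate=$tmpd/ca.pem --ca-directory=$tmpd" ;;
        *) rm -rf "$tmpd"; return 2 ;;
    esac
    # shellcheck disable=SC2086  (word splitting of $base/$notrust is intended)
    if ! $base "$url" >/dev/null 2>&1; then rm -rf "$tmpd"; return 3; fi
    err=$($base $notrust "$url" 2>&1 >/dev/null) && rc=1 || rc=0
    case "$err" in *nrecognized*|*nknown\ option*|*nvalid\ option*) rc=2 ;; esac
    rm -rf "$tmpd"
    return "$rc"
}

# Usage when run directly:  sh check_tls.sh [url]
if [ "${0##*/}" = "check_tls.sh" ]; then
    find_ca_bundle || echo "no CA bundle found in the usual locations"
    for t in curl wget; do fails_closed "$t" "$1"; echo "$t: rc=$?"; done
fi
```

A return code of 1 from `fails_closed` is the dangerous case: the tool fetched the page although it was given nothing to trust, so it is not validating at all.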


I wasn't that wrong then. ;)


They do still provide a bundle [1] though, for cases where you need it (e.g. homebrew's curl-ca-bundle package).

  [1]: http://curl.haxx.se/docs/caextract.html


Wget has the --no-check-certificate flag; I've had to use it to work with self-signed certs before.


Touché!



