
links-2.2-10.1.mga1.src.rpm

diff -Naurp links-2.2.orig//https.c links-2.2//https.c
--- links-2.2.orig//https.c
+++ links-2.2//https.c
@@ -25,8 +25,40 @@
 
 #ifdef HAVE_SSL
 
+#define VERIFY_DEPTH	10
+
 SSL_CTX *context = NULL;
 
+static int verify_cert(int code, X509_STORE_CTX *context)
+{
+	int error, depth;
+
+	error = X509_STORE_CTX_get_error(context);
+	depth = X509_STORE_CTX_get_error_depth(context);
+
+	if (depth > VERIFY_DEPTH) {
+		error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+		code = 0;
+	}
+
+	if (!code) {
+		/* Judge self signed certificates as acceptable. */
+		if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+				error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
+			code = 1;
+		} else {
+			fprintf(stderr, "Verification failure: %s\n",
+						X509_verify_cert_error_string(error));
+			if (depth > VERIFY_DEPTH) {
+				fprintf(stderr, "Excessive depth %d, set depth %d.\n",
+							depth, VERIFY_DEPTH);
+			}
+		}
+	}
+
+	return code;
+} /* verify_cert */
+
 SSL *getSSL(void)
 {
 	if (!context) {
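Review bot: The self-signed branch at the top of the `if (!code)` block returns 1 for X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which is the error OpenSSL raises when the chain ends in a root that is not in the trust store, so any attacker who signs a certificate with their own CA and sends that CA along with it passes verification; together with X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT this makes the new SSL_VERIFY_PEER setup no stronger than no verification against an active MITM. If accepting self-signed certificates is a deliberate product decision it should at least be visible to the user, e.g. in that branch `fprintf(stderr, "Warning: accepting untrusted self-signed certificate: %s\n", X509_verify_cert_error_string(error));`, and the header comment should say so explicitly rather than "Judge self signed certificates as acceptable." Separately, the parameter `X509_STORE_CTX *context` shadows the file-scope `SSL_CTX *context` declared a few lines above it; renaming it, `static int verify_cert(int code, X509_STORE_CTX *store_ctx)`, avoids a confusing reading and a likely -Wshadow warning. The getSSL definition that starts at the end of this hunk continues past it.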
@@ -40,8 +72,10 @@ SSL *getSSL(void)
 		}
 		SSLeay_add_ssl_algorithms();
 		context = SSL_CTX_new(SSLv23_client_method());
-		SSL_CTX_set_options(context, SSL_OP_ALL);
+		SSL_CTX_set_options(context, SSL_OP_NO_SSLv2 | SSL_OP_ALL);
+		SSL_CTX_set_mode(context, SSL_MODE_AUTO_RETRY);
 		SSL_CTX_set_default_verify_paths(context);
+		SSL_CTX_set_verify(context, SSL_VERIFY_PEER, verify_cert);
 /* needed for systems without /dev/random, but obviously kills security. */
 		/*{
 			char pool[32768];
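Review bot: The new SSL_CTX_set_verify call enables chain verification, but nothing in this hunk, and nothing the callback does, checks that the presented certificate's subject or subjectAltName matches the host being connected to, so a valid certificate for any other site would still be accepted; a hostname check after the handshake (or at least a comment here noting its absence) is needed for the verification to mean anything. The chain-length limit is currently enforced by hand inside the callback; `SSL_CTX_set_verify_depth(context, VERIFY_DEPTH);` next to SSL_CTX_set_verify lets OpenSSL raise X509_V_ERR_CERT_CHAIN_TOO_LONG itself and keeps the two in sync. The return value of SSL_CTX_set_default_verify_paths is ignored, so a missing or unreadable CA bundle is not reported and every chain will then fail (or be accepted as "self-signed") silently. Note also that SSL_OP_NO_SSLv2 alone still leaves SSLv3 negotiable, and SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, which is a documented CBC-hardening trade-off worth a comment. getSSL continues beyond the end of this hunk.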