
links-2.15-3.mga6.src.rpm

--- links-2.15/https.c	2017-11-21 20:23:53.000000000 +0100
+++ links-2.15/https.c.new	2018-04-30 11:59:14.311345880 +0200
@@ -29,6 +29,8 @@
 #define LINKS_CRT_FILE		links.crt
 #endif
 
+#define VERIFY_DEPTH	10
+
 #ifdef HAVE_BUILTIN_SSL_CERTIFICATES
 #include "certs.inc"
 #define N_SSL_CONTEXTS	2
@@ -98,6 +100,36 @@
 
 #endif
 
+static int verify_cert(int code, X509_STORE_CTX *context)
+{
+	int error, depth;
+
+	error = X509_STORE_CTX_get_error(context);
+	depth = X509_STORE_CTX_get_error_depth(context);
+
+	if (depth > VERIFY_DEPTH) {
+		error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+		code = 0;
+	}
+
+	if (!code) {
+		/* Judge self signed certificates as acceptable. */
+		if (error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+				error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
+			code = 1;
+		} else {
+			fprintf(stderr, "Verification failure: %s\n",
+						X509_verify_cert_error_string(error));
+			if (depth > VERIFY_DEPTH) {
+				fprintf(stderr, "Excessive depth %d, set depth %d.\n",
+							depth, VERIFY_DEPTH);
+			}
+		}
+	}
+
+	return code;
+} /* verify_cert */
+
 #if defined(HAVE_SSL_CERTIFICATES) && (defined(DOS) || defined(OS2) || defined(WIN) || defined(OPENVMS))
 static int ssl_set_private_paths(SSL_CTX *ctx)
 {
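Review bot: The `code = 1` override for `X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN` and `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` in verify_cert makes every self-signed chain pass. With `SSL_VERIFY_PEER` installed, the handshake then no longer authenticates the server against the trust store for those certificates. I would drop that branch so the `!code` path only logs and returns 0, or gate it behind an explicit user setting if the file has one. The depth override also changes only the local `error`; adding `X509_STORE_CTX_set_error(context, error);` after `code = 0;` would keep the stored verify result consistent with the message printed. The hunk's trailing context opens ssl_set_private_paths, whose body continues outside it.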
@@ -299,9 +331,11 @@
 #ifndef SSL_OP_NO_COMPRESSION
 #define SSL_OP_NO_COMPRESSION	0
 #endif
-		SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_COMPRESSION);
+		SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_COMPRESSION);
 #ifdef SSL_MODE_ENABLE_PARTIAL_WRITE
-		SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+		SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_AUTO_RETRY);
+#else
+		SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 #endif
 #ifdef SSL_CTX_set_min_proto_version
 #if defined(SSL3_VERSION)
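Review bot: SSLv3 stays negotiable on builds where `SSL_CTX_set_min_proto_version` is not defined, because the new mask on the `SSL_CTX_set_options` line adds only `SSL_OP_NO_SSLv2`. If legacy SSLv3-only servers are not a requirement, `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_ALL | SSL_OP_NO_COMPRESSION);` would close that gap. The minimum-version block begins at the end of this hunk and its body is not visible, so the floor it sets should be checked as well.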
@@ -317,6 +351,7 @@
 		if (!idx) {
 			if (ssl_set_private_paths(ctx))
 				SSL_CTX_set_default_verify_paths(ctx);
+			SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cert);
 		} else {
 #ifdef HAVE_BUILTIN_SSL_CERTIFICATES
 			ssl_load_private_certificates(ctx);
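Review bot: `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cert);` is added only in the `!idx` branch, so the context built in the `else` branch does not get the callback in the visible lines. That branch continues outside the hunk, so this may be handled further down. If both contexts should behave the same, the call could move after the if/else. No `SSL_CTX_set_verify_depth` call is visible either, so `VERIFY_DEPTH` is enforced only inside the callback; adding `SSL_CTX_set_verify_depth(ctx, VERIFY_DEPTH + 1);` next to the set_verify call lets the library see chains up to one level past the limit, so the callback can reject them itself.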