authorJung-uk Kim <jkim@FreeBSD.org>2019-02-26 18:06:51 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2019-02-26 18:06:51 +0000
commit851f7386fd78b9787f4f6669ad271886a2a003f1 (patch)
tree952920d27fdcd105b7f77b6e5fef3fedae8f74ea /doc
parent8c3f9abd70b3f447a4795c1b00b386b044fb322d (diff)
Import OpenSSL 1.1.1b.vendor/openssl/1.1.1b
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=344595 svn path=/vendor-crypto/openssl/1.1.1b/; revision=344596; tag=vendor/openssl/1.1.1b
Diffstat (limited to 'doc')
-rw-r--r--doc/HOWTO/certificates.txt2
-rw-r--r--doc/HOWTO/proxy_certificates.txt2
-rw-r--r--doc/fingerprints.txt2
-rw-r--r--doc/man1/ca.pod6
-rw-r--r--doc/man1/ciphers.pod2
-rw-r--r--doc/man1/cms.pod10
-rw-r--r--doc/man1/dgst.pod6
-rw-r--r--doc/man1/ec.pod6
-rw-r--r--doc/man1/enc.pod2
-rw-r--r--doc/man1/genpkey.pod6
-rw-r--r--doc/man1/ocsp.pod2
-rw-r--r--doc/man1/pkcs12.pod5
-rw-r--r--doc/man1/pkcs8.pod2
-rw-r--r--doc/man1/req.pod2
-rw-r--r--doc/man1/s_client.pod30
-rw-r--r--doc/man1/s_server.pod29
-rw-r--r--doc/man1/smime.pod2
-rw-r--r--doc/man1/storeutl.pod2
-rw-r--r--doc/man1/verify.pod2
-rw-r--r--doc/man1/x509.pod4
-rw-r--r--doc/man3/ASN1_INTEGER_get_int64.pod2
-rw-r--r--doc/man3/ASYNC_WAIT_CTX_new.pod8
-rw-r--r--doc/man3/ASYNC_start_job.pod2
-rw-r--r--doc/man3/BIO_new_CMS.pod2
-rw-r--r--doc/man3/BN_generate_prime.pod4
-rw-r--r--doc/man3/BN_rand.pod3
-rw-r--r--doc/man3/BN_security_bits.pod2
-rw-r--r--doc/man3/BUF_MEM_new.pod2
-rw-r--r--doc/man3/CMS_get0_type.pod9
-rw-r--r--doc/man3/CONF_modules_load_file.pod12
-rw-r--r--doc/man3/CRYPTO_get_ex_new_index.pod4
-rw-r--r--doc/man3/CTLOG_STORE_get0_log_by_id.pod2
-rw-r--r--doc/man3/DH_size.pod2
-rw-r--r--doc/man3/DTLS_get_data_mtu.pod2
-rw-r--r--doc/man3/DTLS_set_timer_cb.pod2
-rw-r--r--doc/man3/DTLSv1_listen.pod6
-rw-r--r--doc/man3/EC_GROUP_copy.pod4
-rw-r--r--doc/man3/EVP_DigestInit.pod8
-rw-r--r--doc/man3/EVP_DigestSignInit.pod2
-rw-r--r--doc/man3/EVP_DigestVerifyInit.pod2
-rw-r--r--doc/man3/EVP_EncryptInit.pod2
-rw-r--r--doc/man3/EVP_PKEY_CTX_ctrl.pod5
-rw-r--r--doc/man3/EVP_PKEY_CTX_new.pod2
-rw-r--r--doc/man3/EVP_PKEY_asn1_get_count.pod4
-rw-r--r--doc/man3/EVP_PKEY_decrypt.pod2
-rw-r--r--doc/man3/EVP_PKEY_derive.pod2
-rw-r--r--doc/man3/EVP_PKEY_encrypt.pod2
-rw-r--r--doc/man3/EVP_PKEY_get_default_digest_nid.pod2
-rw-r--r--doc/man3/EVP_PKEY_keygen.pod2
-rw-r--r--doc/man3/EVP_PKEY_new.pod9
-rw-r--r--doc/man3/EVP_PKEY_print_private.pod2
-rw-r--r--doc/man3/EVP_PKEY_sign.pod2
-rw-r--r--doc/man3/EVP_PKEY_verify.pod2
-rw-r--r--doc/man3/EVP_PKEY_verify_recover.pod2
-rw-r--r--doc/man3/EVP_SignInit.pod2
-rw-r--r--doc/man3/HMAC.pod4
-rw-r--r--doc/man3/OPENSSL_init_crypto.pod48
-rw-r--r--doc/man3/OPENSSL_malloc.pod8
-rw-r--r--doc/man3/OPENSSL_secure_malloc.pod2
-rw-r--r--doc/man3/OSSL_STORE_INFO.pod2
-rw-r--r--doc/man3/OSSL_STORE_LOADER.pod2
-rw-r--r--doc/man3/OSSL_STORE_SEARCH.pod2
-rw-r--r--doc/man3/OSSL_STORE_expect.pod2
-rw-r--r--doc/man3/OSSL_STORE_open.pod2
-rw-r--r--doc/man3/PEM_read_bio_ex.pod2
-rw-r--r--doc/man3/PEM_write_bio_CMS_stream.pod2
-rw-r--r--doc/man3/PEM_write_bio_PKCS7_stream.pod2
-rw-r--r--doc/man3/PKCS12_parse.pod3
-rw-r--r--doc/man3/PKCS7_sign.pod4
-rw-r--r--doc/man3/PKCS7_sign_add_signer.pod2
-rw-r--r--doc/man3/RAND_bytes.pod2
-rw-r--r--doc/man3/RIPEMD160_Init.pod4
-rw-r--r--doc/man3/RSA_get0_key.pod1
-rw-r--r--doc/man3/RSA_padding_add_PKCS1_type_1.pod7
-rw-r--r--doc/man3/RSA_size.pod2
-rw-r--r--doc/man3/SSL_CIPHER_get_name.pod14
-rw-r--r--doc/man3/SSL_COMP_add_compression_method.pod5
-rw-r--r--doc/man3/SSL_CONF_CTX_new.pod2
-rw-r--r--doc/man3/SSL_CONF_CTX_set1_prefix.pod2
-rw-r--r--doc/man3/SSL_CONF_CTX_set_flags.pod2
-rw-r--r--doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod2
-rw-r--r--doc/man3/SSL_CONF_cmd.pod18
-rw-r--r--doc/man3/SSL_CONF_cmd_argv.pod2
-rw-r--r--doc/man3/SSL_CTX_add1_chain_cert.pod2
-rw-r--r--doc/man3/SSL_CTX_config.pod2
-rw-r--r--doc/man3/SSL_CTX_dane_enable.pod2
-rw-r--r--doc/man3/SSL_CTX_get0_param.pod2
-rw-r--r--doc/man3/SSL_CTX_set0_CA_list.pod4
-rw-r--r--doc/man3/SSL_CTX_set1_curves.pod4
-rw-r--r--doc/man3/SSL_CTX_set1_verify_cert_store.pod2
-rw-r--r--doc/man3/SSL_CTX_set_ctlog_list_file.pod4
-rw-r--r--doc/man3/SSL_CTX_set_default_passwd_cb.pod2
-rw-r--r--doc/man3/SSL_CTX_set_info_callback.pod16
-rw-r--r--doc/man3/SSL_CTX_set_mode.pod13
-rw-r--r--doc/man3/SSL_CTX_set_msg_callback.pod3
-rw-r--r--doc/man3/SSL_CTX_set_num_tickets.pod8
-rw-r--r--doc/man3/SSL_CTX_set_options.pod6
-rw-r--r--doc/man3/SSL_CTX_set_record_padding_callback.pod6
-rw-r--r--doc/man3/SSL_CTX_set_security_level.pod2
-rw-r--r--doc/man3/SSL_CTX_set_session_ticket_cb.pod4
-rw-r--r--doc/man3/SSL_CTX_set_split_send_fragment.pod4
-rw-r--r--doc/man3/SSL_CTX_set_ssl_version.pod4
-rw-r--r--doc/man3/SSL_CTX_set_tlsext_status_cb.pod4
-rw-r--r--doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod2
-rw-r--r--doc/man3/SSL_SESSION_free.pod2
-rw-r--r--doc/man3/SSL_SESSION_get0_cipher.pod4
-rw-r--r--doc/man3/SSL_SESSION_get0_hostname.pod4
-rw-r--r--doc/man3/SSL_SESSION_get0_id_context.pod2
-rw-r--r--doc/man3/SSL_SESSION_get_protocol_version.pod4
-rw-r--r--doc/man3/SSL_SESSION_has_ticket.pod4
-rw-r--r--doc/man3/SSL_SESSION_is_resumable.pod2
-rw-r--r--doc/man3/SSL_SESSION_set1_id.pod2
-rw-r--r--doc/man3/SSL_export_keying_material.pod5
-rw-r--r--doc/man3/SSL_extension_supported.pod2
-rw-r--r--doc/man3/SSL_get_all_async_fds.pod4
-rw-r--r--doc/man3/SSL_get_error.pod17
-rw-r--r--doc/man3/SSL_get_version.pod2
-rw-r--r--doc/man3/SSL_key_update.pod6
-rw-r--r--doc/man3/SSL_read.pod2
-rw-r--r--doc/man3/SSL_read_early_data.pod4
-rw-r--r--doc/man3/SSL_set1_host.pod2
-rw-r--r--doc/man3/SSL_shutdown.pod4
-rw-r--r--doc/man3/SSL_want.pod3
-rw-r--r--doc/man3/SSL_write.pod2
-rw-r--r--doc/man3/UI_create_method.pod5
-rw-r--r--doc/man3/UI_new.pod5
-rw-r--r--doc/man3/X509_NAME_ENTRY_get_object.pod3
-rw-r--r--doc/man3/X509_STORE_CTX_new.pod4
-rw-r--r--doc/man3/X509_STORE_CTX_set_verify_cb.pod3
-rw-r--r--doc/man3/X509_STORE_new.pod2
-rw-r--r--doc/man3/X509_STORE_set_verify_cb_func.pod7
-rw-r--r--doc/man3/X509_VERIFY_PARAM_set_flags.pod8
-rw-r--r--doc/man3/X509_get0_signature.pod10
-rw-r--r--doc/man3/X509_get_serialNumber.pod5
-rw-r--r--doc/man3/X509_get_subject_name.pod4
-rw-r--r--doc/man3/X509_sign.pod8
-rw-r--r--doc/man3/d2i_PrivateKey.pod18
-rw-r--r--doc/man3/i2d_CMS_bio_stream.pod2
-rw-r--r--doc/man3/i2d_PKCS7_bio_stream.pod2
-rw-r--r--doc/man5/config.pod9
-rw-r--r--doc/man7/ct.pod4
141 files changed, 378 insertions, 290 deletions
diff --git a/doc/HOWTO/certificates.txt b/doc/HOWTO/certificates.txt
index c2efdca8dc1a..cfd2bdabb130 100644
--- a/doc/HOWTO/certificates.txt
+++ b/doc/HOWTO/certificates.txt
@@ -106,5 +106,5 @@ some applications, you don't even have to do that.
By now, you have your certificate and your private key and can start
using applications that depend on it.
---
+--
Richard Levitte
diff --git a/doc/HOWTO/proxy_certificates.txt b/doc/HOWTO/proxy_certificates.txt
index 18b3e0340f1d..2936cd6e518b 100644
--- a/doc/HOWTO/proxy_certificates.txt
+++ b/doc/HOWTO/proxy_certificates.txt
@@ -315,5 +315,5 @@ certificates checked properly, using the code above:
SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert, &needed_rights);
---
+--
Richard Levitte
diff --git a/doc/fingerprints.txt b/doc/fingerprints.txt
index 2cb74aec2778..51e76c8f71b9 100644
--- a/doc/fingerprints.txt
+++ b/doc/fingerprints.txt
@@ -18,7 +18,7 @@ uid Richard Levitte <richard@opensslfoundation.com>
uid Richard Levitte <levitte@openssl.org>
uid Richard Levitte <richard@openssl.com>
-pub 2048R/0E604491 2013-04-30
+pub 2048R/0E604491 2013-04-30
Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
uid Matt Caswell <matt@openssl.org>
uid Matt Caswell <frodo@baggins.org>
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index e998eabf8358..7385a00941ea 100644
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -230,7 +230,7 @@ The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
-is present (even if it is empty), then a V3 certificate is created. See the:w
+is present (even if it is empty), then a V3 certificate is created. See the
L<x509v3_config(5)> manual page for details of the
extension section format.
@@ -475,7 +475,7 @@ the B<-selfsign> command line option.
Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
-subjects this does not count as a duplicate.
+subjects this does not count as a duplicate.
=item B<serial>
@@ -753,7 +753,7 @@ L<config(5)>, L<x509v3_config(5)>
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index 3aea982384ec..faf9e538146a 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -762,7 +762,7 @@ The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
The B<-stdname> is only available if OpenSSL is built with tracing enabled
(B<enable-ssl-trace> argument to Configure) before OpenSSL 1.1.1.
-The B<-convert> was added in OpenSSL 1.1.1.
+The B<-convert> option was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod
index 60ee3b505e1e..72cd9b5d4e9e 100644
--- a/doc/man1/cms.pod
+++ b/doc/man1/cms.pod
@@ -724,14 +724,14 @@ No revocation checking is done on the signer's certificate.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0.
-The B<keyopt> option was first added in OpenSSL 1.0.2.
+The B<keyopt> option was added in OpenSSL 1.0.2.
-Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2.
+Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
-The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
-to OpenSSL 1.0.2.
+The use of non-RSA keys with B<-encrypt> and B<-decrypt>
+was added in OpenSSL 1.0.2.
-The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+The -no_alt_chains option was added in OpenSSL 1.0.2b.
=head1 COPYRIGHT
diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod
index 47e163b17001..66a6697eb10e 100644
--- a/doc/man1/dgst.pod
+++ b/doc/man1/dgst.pod
@@ -230,12 +230,12 @@ prior to verification.
=head1 HISTORY
-The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0
-The FIPS-related options were removed in OpenSSL 1.1.0
+The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
+The FIPS-related options were removed in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/ec.pod b/doc/man1/ec.pod
index 0b836603cab1..4d368e20ae19 100644
--- a/doc/man1/ec.pod
+++ b/doc/man1/ec.pod
@@ -101,10 +101,6 @@ Prints out the public, private key components and parameters.
This option prevents output of the encoded version of the key.
-=item B<-modulus>
-
-This option prints out the value of the public key component of the key.
-
=item B<-pubin>
By default, a private key is read from the input file. With this option a
@@ -197,7 +193,7 @@ L<ecparam(1)>, L<dsa(1)>, L<rsa(1)>
=head1 COPYRIGHT
-Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/enc.pod b/doc/man1/enc.pod
index 2136a9497849..a3e0b03b2000 100644
--- a/doc/man1/enc.pod
+++ b/doc/man1/enc.pod
@@ -417,7 +417,7 @@ certain parameters. So if, for example, you want to use RC2 with a
=head1 HISTORY
-The default digest was changed from MD5 to SHA256 in Openssl 1.1.0.
+The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod
index fa62973abdd9..202e531c7e07 100644
--- a/doc/man1/genpkey.pod
+++ b/doc/man1/genpkey.pod
@@ -319,9 +319,9 @@ Generate an ED448 private key:
=head1 HISTORY
The ability to use NIST curve names, and to generate an EC key directly,
-were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in
-OpenSSL 1.1.0. The ability to generate X448, ED25519 and ED448 keys was added in
-OpenSSL 1.1.1.
+were added in OpenSSL 1.0.2.
+The ability to generate X25519 keys was added in OpenSSL 1.1.0.
+The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod
index c9feef8f0e47..736055b1b669 100644
--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -486,7 +486,7 @@ to a second file.
=head1 HISTORY
-The -no_alt_chains options was first added to OpenSSL 1.1.0.
+The -no_alt_chains option was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod
index 3389e595fed7..6f890c120f3c 100644
--- a/doc/man1/pkcs12.pod
+++ b/doc/man1/pkcs12.pod
@@ -154,7 +154,8 @@ Don't attempt to verify the integrity MAC before reading the file.
Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
-PKCS#12 files unreadable.
+PKCS#12 files unreadable. Cannot be used in combination with the options
+-password, -passin (if importing) or -passout (if exporting).
=back
@@ -381,7 +382,7 @@ L<pkcs8(1)>
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/pkcs8.pod b/doc/man1/pkcs8.pod
index 9c923b87c939..b079885d2fc7 100644
--- a/doc/man1/pkcs8.pod
+++ b/doc/man1/pkcs8.pod
@@ -305,7 +305,7 @@ L<gendsa(1)>
=head1 HISTORY
-The B<-iter> option was added to OpenSSL 1.1.0.
+The B<-iter> option was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index c76d63d6fd81..a9b5b1690a5c 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -502,7 +502,7 @@ The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationalUnitName, stateOrProvinceName. Additionally emailAddress
-is include as well as name, surname, givenName initials and dnQualifier.
+is included as well as name, surname, givenName, initials, and dnQualifier.
Additional object identifiers can be defined with the B<oid_file> or
B<oid_section> options in the configuration file. Any additional fields
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index fa5cb0a92da1..81d516ace146 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -100,6 +100,7 @@ B<openssl> B<s_client>
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
+[B<-sctp_label_bug>]
[B<-fallback_scsv>]
[B<-async>]
[B<-max_send_frag>]
@@ -190,14 +191,17 @@ Use IPv6 only.
=item B<-servername name>
Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
-the given value. If both this option and the B<-noservername> are not given, the
-TLS SNI extension is still set to the hostname provided to the B<-connect> option,
-or "localhost" if B<-connect> has not been supplied. This is default since OpenSSL
-1.1.1.
+the given value.
+If B<-servername> is not provided, the TLS SNI extension will be populated with
+the name given to B<-connect> if it follows a DNS name format. If B<-connect> is
+not provided either, the SNI is set to "localhost".
+This is the default since OpenSSL 1.1.1.
-Even though SNI name should normally be a DNS name and not an IP address, this
-option will not make the distinction when parsing B<-connect> and will send
-IP address if one passed.
+Even though SNI should normally be a DNS name and not an IP address, if
+B<-servername> is provided then that name will be sent, regardless of whether
+it is a DNS name or not.
+
+This option cannot be used in conjuction with B<-noservername>.
=item B<-noservername>
@@ -489,6 +493,14 @@ Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.
+=item B<-sctp_label_bug>
+
+Use the incorrect behaviour of older OpenSSL implementations when computing
+endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
+older broken implementations but breaks interoperability with correct
+implementations. Must be used in conjunction with B<-sctp>. This option is only
+available where OpenSSL has support for SCTP enabled.
+
=item B<-fallback_scsv>
Send TLS_FALLBACK_SCSV in the ClientHello.
@@ -811,12 +823,12 @@ L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY
-The B<-no_alt_chains> option was first added to OpenSSL 1.1.0.
+The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
The B<-name> option was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index f4c4eda35313..c4c014fdc18b 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -98,6 +98,7 @@ B<openssl> B<s_server>
[B<-no_comp>]
[B<-comp>]
[B<-no_ticket>]
+[B<-num_tickets>]
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
@@ -172,6 +173,7 @@ B<openssl> B<s_server>
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
+[B<-sctp_label_bug>]
[B<-no_dhe>]
[B<-nextprotoneg val>]
[B<-use_srtp val>]
@@ -558,7 +560,14 @@ OpenSSL 1.1.0.
=item B<-no_ticket>
-Disable RFC4507bis session ticket support.
+Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
+is negotiated. See B<-num_tickets>.
+
+=item B<-num_tickets>
+
+Control the number of tickets that will be sent to the client after a full
+handshake in TLSv1.3. The default number of tickets is 2. This option does not
+affect the number of tickets sent after a resumption handshake.
=item B<-serverpref>
@@ -677,6 +686,14 @@ Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.
+=item B<-sctp_label_bug>
+
+Use the incorrect behaviour of older OpenSSL implementations when computing
+endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
+older broken implementations but breaks interoperability with correct
+implementations. Must be used in conjunction with B<-sctp>. This option is only
+available where OpenSSL has support for SCTP enabled.
+
=item B<-no_dhe>
If this option is set then no DH parameters will be loaded effectively
@@ -817,18 +834,18 @@ unknown cipher suites a client says it supports.
L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
-L<SSL_CTX_set_max_pipelines(3)>
+L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY
-The -no_alt_chains option was first added to OpenSSL 1.1.0.
+The -no_alt_chains option was added in OpenSSL 1.1.0.
-The -allow-no-dhe-kex and -prioritize_chacha options were first added to
-OpenSSL 1.1.1.
+The
+-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/smime.pod b/doc/man1/smime.pod
index 0acdd08254a5..7f224fdc5e9d 100644
--- a/doc/man1/smime.pod
+++ b/doc/man1/smime.pod
@@ -510,7 +510,7 @@ structures may cause parsing errors.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0
-The -no_alt_chains options was first added to OpenSSL 1.1.0.
+The -no_alt_chains option was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man1/storeutl.pod b/doc/man1/storeutl.pod
index 083f0282469e..a8d82bfb612b 100644
--- a/doc/man1/storeutl.pod
+++ b/doc/man1/storeutl.pod
@@ -119,7 +119,7 @@ L<openssl(1)>
=head1 HISTORY
-B<openssl> B<storeutl> was added to OpenSSL 1.1.1.
+The B<openssl> B<storeutl> app was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index b67890af3c34..63ba850b915d 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -762,7 +762,7 @@ L<x509(1)>
=head1 HISTORY
-The B<-show_chain> option was first added to OpenSSL 1.1.0.
+The B<-show_chain> option was added in OpenSSL 1.1.0.
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
index 547da5da2368..7878753414da 100644
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
@@ -173,7 +173,7 @@ options. See the B<TEXT OPTIONS> section for more information.
=item B<-noout>
-This option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the certificate.
=item B<-pubkey>
@@ -925,7 +925,7 @@ the old form must have their links rebuilt using B<c_rehash> or similar.
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASN1_INTEGER_get_int64.pod b/doc/man3/ASN1_INTEGER_get_int64.pod
index d0a6a3c810a1..9b73290742d4 100644
--- a/doc/man3/ASN1_INTEGER_get_int64.pod
+++ b/doc/man3/ASN1_INTEGER_get_int64.pod
@@ -119,7 +119,7 @@ L<ERR_get_error(3)>
ASN1_INTEGER_set_int64(), ASN1_INTEGER_get_int64(),
ASN1_ENUMERATED_set_int64() and ASN1_ENUMERATED_get_int64()
-were added to OpenSSL 1.1.0.
+were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/ASYNC_WAIT_CTX_new.pod b/doc/man3/ASYNC_WAIT_CTX_new.pod
index 204280210e04..e4d809c08fd1 100644
--- a/doc/man3/ASYNC_WAIT_CTX_new.pod
+++ b/doc/man3/ASYNC_WAIT_CTX_new.pod
@@ -127,10 +127,10 @@ L<crypto(7)>, L<ASYNC_start_job(3)>
=head1 HISTORY
-ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd,
-ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds,
-ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd were first added to
-OpenSSL 1.1.0.
+ASYNC_WAIT_CTX_new(), ASYNC_WAIT_CTX_free(), ASYNC_WAIT_CTX_set_wait_fd(),
+ASYNC_WAIT_CTX_get_fd(), ASYNC_WAIT_CTX_get_all_fds(),
+ASYNC_WAIT_CTX_get_changed_fds() and ASYNC_WAIT_CTX_clear_fd()
+were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/ASYNC_start_job.pod b/doc/man3/ASYNC_start_job.pod
index 21b77a96b95e..9bd1044b266a 100644
--- a/doc/man3/ASYNC_start_job.pod
+++ b/doc/man3/ASYNC_start_job.pod
@@ -317,7 +317,7 @@ L<crypto(7)>, L<ERR_print_errors(3)>
ASYNC_init_thread, ASYNC_cleanup_thread,
ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, ASYNC_get_wait_ctx(),
ASYNC_block_pause(), ASYNC_unblock_pause() and ASYNC_is_capable() were first
-added to OpenSSL 1.1.0.
+added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/BIO_new_CMS.pod b/doc/man3/BIO_new_CMS.pod
index b06c224f7180..f8d4c3bde6ee 100644
--- a/doc/man3/BIO_new_CMS.pod
+++ b/doc/man3/BIO_new_CMS.pod
@@ -61,7 +61,7 @@ L<CMS_encrypt(3)>
=head1 HISTORY
-BIO_new_CMS() was added to OpenSSL 1.0.0
+The BIO_new_CMS() function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod
index b505841832ec..b6e9145106be 100644
--- a/doc/man3/BN_generate_prime.pod
+++ b/doc/man3/BN_generate_prime.pod
@@ -197,8 +197,8 @@ L<RSA_generate_key(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>
=head1 HISTORY
-BN_GENCB_new(), BN_GENCB_free(),
-and BN_GENCB_get_arg() were added in OpenSSL 1.1.0
+The BN_GENCB_new(), BN_GENCB_free(),
+and BN_GENCB_get_arg() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/BN_rand.pod b/doc/man3/BN_rand.pod
index eb0a6b13862f..90b50ffc311e 100644
--- a/doc/man3/BN_rand.pod
+++ b/doc/man3/BN_rand.pod
@@ -73,7 +73,8 @@ a future release.
=item *
-BN_priv_rand() and BN_priv_rand_range() were added in OpenSSL 1.1.1.
+The
+BN_priv_rand() and BN_priv_rand_range() functions were added in OpenSSL 1.1.1.
=back
diff --git a/doc/man3/BN_security_bits.pod b/doc/man3/BN_security_bits.pod
index 1aed85a71a9c..f6e5857a4eed 100644
--- a/doc/man3/BN_security_bits.pod
+++ b/doc/man3/BN_security_bits.pod
@@ -33,7 +33,7 @@ function. The symmetric algorithms are not covered neither.
=head1 HISTORY
-BN_security_bits() was added in OpenSSL 1.1.0.
+The BN_security_bits() function was added in OpenSSL 1.1.0.
=head1 SEE ALSO
diff --git a/doc/man3/BUF_MEM_new.pod b/doc/man3/BUF_MEM_new.pod
index 61922502a3f1..0c68f3776f7c 100644
--- a/doc/man3/BUF_MEM_new.pod
+++ b/doc/man3/BUF_MEM_new.pod
@@ -61,7 +61,7 @@ L<CRYPTO_secure_malloc(3)>.
=head1 HISTORY
-BUF_MEM_new_ex() was added in OpenSSL 1.1.0.
+The BUF_MEM_new_ex() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/CMS_get0_type.pod b/doc/man3/CMS_get0_type.pod
index cad8d3f66280..bc38a09bdcbc 100644
--- a/doc/man3/CMS_get0_type.pod
+++ b/doc/man3/CMS_get0_type.pod
@@ -16,11 +16,12 @@ CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content -
=head1 DESCRIPTION
CMS_get0_type() returns the content type of a CMS_ContentInfo structure as
-and ASN1_OBJECT pointer. An application can then decide how to process the
+an ASN1_OBJECT pointer. An application can then decide how to process the
CMS_ContentInfo structure based on this value.
CMS_set1_eContentType() sets the embedded content type of a CMS_ContentInfo
-structure. It should be called with CMS functions with the B<CMS_PARTIAL>
+structure. It should be called with CMS functions (such as L<CMS_sign>, L<CMS_encrypt>)
+with the B<CMS_PARTIAL>
flag and B<before> the structure is finalised, otherwise the results are
undefined.
@@ -60,7 +61,7 @@ embedded content as it is normally set by higher level functions.
=head1 RETURN VALUES
-CMS_get0_type() and CMS_get0_eContentType() return and ASN1_OBJECT structure.
+CMS_get0_type() and CMS_get0_eContentType() return an ASN1_OBJECT structure.
CMS_set1_eContentType() returns 1 for success or 0 if an error occurred. The
error can be obtained from ERR_get_error(3).
@@ -71,7 +72,7 @@ L<ERR_get_error(3)>
=head1 COPYRIGHT
-Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod
index ecf294a2c60d..485cf797b12e 100644
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@@ -28,13 +28,21 @@ reads configuration information from B<cnf>.
The following B<flags> are currently recognized:
-B<CONF_MFLAGS_IGNORE_ERRORS> if set errors returned by individual
+If B<CONF_MFLAGS_IGNORE_ERRORS> is set errors returned by individual
configuration modules are ignored. If not set the first module error is
considered fatal and no further modules are loaded.
Normally any modules errors will add error information to the error queue. If
B<CONF_MFLAGS_SILENT> is set no error information is added.
+If B<CONF_MFLAGS_IGNORE_RETURN_CODES> is set the function unconditionally
+returns success.
+This is used by default in L<OPENSSL_init_crypto(3)> to ignore any errors in
+the default system-wide configuration file, as having all OpenSSL applications
+fail to start when there are potentially minor issues in the file is too risky.
+Applications calling B<CONF_modules_load_file> explicitly should not generally
+set this flag.
+
If B<CONF_MFLAGS_NO_DSO> is set configuration module loading from DSOs is
disabled.
@@ -126,7 +134,7 @@ L<config(5)>, L<OPENSSL_config(3)>
=head1 COPYRIGHT
-Copyright 2004-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CRYPTO_get_ex_new_index.pod b/doc/man3/CRYPTO_get_ex_new_index.pod
index 4d5a2b93a082..b2d33ef90d9e 100644
--- a/doc/man3/CRYPTO_get_ex_new_index.pod
+++ b/doc/man3/CRYPTO_get_ex_new_index.pod
@@ -100,7 +100,7 @@ to avoid likely double-free crashes.
The function B<CRYPTO_free_ex_data> is used to free all exdata attached
to a structure. The appropriate type-specific routine must be used.
The B<class_index> identifies the structure type, the B<obj> is
-be the pointer to the actual structure, and B<r> is a pointer to the
+a pointer to the actual structure, and B<r> is a pointer to the
structure's exdata field.
=head2 Callback Functions
@@ -157,7 +157,7 @@ dup_func() should return 0 for failure and 1 for success.
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CTLOG_STORE_get0_log_by_id.pod b/doc/man3/CTLOG_STORE_get0_log_by_id.pod
index 36063b62e858..86696a559462 100644
--- a/doc/man3/CTLOG_STORE_get0_log_by_id.pod
+++ b/doc/man3/CTLOG_STORE_get0_log_by_id.pod
@@ -35,7 +35,7 @@ L<CTLOG_STORE_new(3)>
=head1 HISTORY
-This function was added in OpenSSL 1.1.0.
+The CTLOG_STORE_get0_log_by_id() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/DH_size.pod b/doc/man3/DH_size.pod
index 3b65d7ea6d6b..3cbdbc67da1c 100644
--- a/doc/man3/DH_size.pod
+++ b/doc/man3/DH_size.pod
@@ -43,7 +43,7 @@ L<BN_num_bits(3)>
=head1 HISTORY
-DH_bits() was added in OpenSSL 1.1.0.
+The DH_bits() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/DTLS_get_data_mtu.pod b/doc/man3/DTLS_get_data_mtu.pod
index ab7147217ac1..81b945f134a6 100644
--- a/doc/man3/DTLS_get_data_mtu.pod
+++ b/doc/man3/DTLS_get_data_mtu.pod
@@ -22,7 +22,7 @@ Returns the maximum data payload size on success, or 0 on failure.
=head1 HISTORY
-This function was added in OpenSSL 1.1.1
+The DTLS_get_data_mtu() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/DTLS_set_timer_cb.pod b/doc/man3/DTLS_set_timer_cb.pod
index 6e1347213e6f..c5154dca3570 100644
--- a/doc/man3/DTLS_set_timer_cb.pod
+++ b/doc/man3/DTLS_set_timer_cb.pod
@@ -26,7 +26,7 @@ Returns void.
=head1 HISTORY
-This function was added in OpenSSL 1.1.1
+The DTLS_set_timer_cb() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/DTLSv1_listen.pod b/doc/man3/DTLSv1_listen.pod
index 858e39316105..76be40b68f10 100644
--- a/doc/man3/DTLSv1_listen.pod
+++ b/doc/man3/DTLSv1_listen.pod
@@ -117,10 +117,10 @@ L<ssl(7)>, L<bio(7)>
=head1 HISTORY
-SSL_stateless() was first added in OpenSSL 1.1.1.
+The SSL_stateless() function was added in OpenSSL 1.1.1.
-DTLSv1_listen() return codes were clarified in OpenSSL 1.1.0. The type of "peer"
-also changed in OpenSSL 1.1.0.
+The DTLSv1_listen() return codes were clarified in OpenSSL 1.1.0.
+The type of "peer" also changed in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EC_GROUP_copy.pod b/doc/man3/EC_GROUP_copy.pod
index ee20f9526adc..7bf350062375 100644
--- a/doc/man3/EC_GROUP_copy.pod
+++ b/doc/man3/EC_GROUP_copy.pod
@@ -89,7 +89,7 @@ named curve form is used and the parameters must have a corresponding
named curve NID set. If asn1_flags is B<OPENSSL_EC_EXPLICIT_CURVE> the
parameters are explicitly encoded. The functions EC_GROUP_get_asn1_flag and
EC_GROUP_set_asn1_flag get and set the status of the asn1_flag for the curve.
-Note: B<OPENSSL_EC_EXPLICIT_CURVE> was first added to OpenSSL 1.1.0, for
+Note: B<OPENSSL_EC_EXPLICIT_CURVE> was added in OpenSSL 1.1.0, for
previous versions of OpenSSL the value 0 must be used instead. Before OpenSSL
1.1.0 the default form was to use explicit parameters (meaning that
applications would have to explicitly set the named curve form) in OpenSSL
@@ -175,7 +175,7 @@ and EC_GROUP_get_degree return the order, cofactor, curve name (NID), ASN1 flag,
specified curve respectively. If there is no curve name associated with a curve then EC_GROUP_get_curve_name will return 0.
EC_GROUP_get0_order() returns an internal pointer to the group order.
-EC_GROUP_get_order_bits() returns the number of bits in the group order.
+EC_GROUP_order_bits() returns the number of bits in the group order.
EC_GROUP_get0_cofactor() returns an internal pointer to the group cofactor.
EC_GROUP_get0_seed returns a pointer to the seed that was used to generate the parameter b, or NULL if the seed is not
diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index 5ecbcc5e8992..37bc10d38056 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -369,15 +369,15 @@ L<EVP_whirlpool(3)>
=head1 HISTORY
-EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed to
-EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1.0.
+The EVP_MD_CTX_create() and EVP_MD_CTX_destroy() functions were renamed to
+EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1.0, respectively.
The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
later, so now EVP_sha1() can be used with RSA and DSA.
-EVP_dss1() was removed in OpenSSL 1.1.0.
+The EVP_dss1() function was removed in OpenSSL 1.1.0.
-EVP_MD_CTX_set_pkey_ctx() was added in 1.1.1.
+The EVP_MD_CTX_set_pkey_ctx() function was added in 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_DigestSignInit.pod b/doc/man3/EVP_DigestSignInit.pod
index 773de87efac4..7b74a23cbcf2 100644
--- a/doc/man3/EVP_DigestSignInit.pod
+++ b/doc/man3/EVP_DigestSignInit.pod
@@ -152,7 +152,7 @@ L<SHA1(3)>, L<dgst(1)>
=head1 HISTORY
EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal()
-were first added to OpenSSL 1.0.0.
+were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_DigestVerifyInit.pod b/doc/man3/EVP_DigestVerifyInit.pod
index e93ac2ef0810..98a0987a3aaa 100644
--- a/doc/man3/EVP_DigestVerifyInit.pod
+++ b/doc/man3/EVP_DigestVerifyInit.pod
@@ -98,7 +98,7 @@ L<SHA1(3)>, L<dgst(1)>
=head1 HISTORY
EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal()
-were first added to OpenSSL 1.0.0.
+were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 5fdbc33ac10f..b43a3e5468ca 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -632,7 +632,7 @@ L<EVP_sm4(3)>
=head1 HISTORY
-Support for OCB mode was added in OpenSSL 1.1.0
+Support for OCB mode was added in OpenSSL 1.1.0.
B<EVP_CIPHER_CTX> was made opaque in OpenSSL 1.1.0. As a result,
EVP_CIPHER_CTX_reset() appeared and EVP_CIPHER_CTX_cleanup()
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
index 4982e9205305..75fad0f70ce0 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -359,7 +359,7 @@ B<param_enc> when generating EC parameters or an EC key. The encoding can be
B<OPENSSL_EC_EXPLICIT_CURVE> for explicit parameters (the default in versions
of OpenSSL before 1.1.0) or B<OPENSSL_EC_NAMED_CURVE> to use named curve form.
For maximum compatibility the named curve form should be used. Note: the
-B<OPENSSL_EC_NAMED_CURVE> value was only added to OpenSSL 1.1.0; previous
+B<OPENSSL_EC_NAMED_CURVE> value was added in OpenSSL 1.1.0; previous
versions should use 0 instead.
=head2 ECDH parameters
@@ -439,8 +439,9 @@ L<EVP_PKEY_keygen(3)>
=head1 HISTORY
+The
EVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id() and EVP_PKEY_CTX_get1_id_len()
-macros were added in 1.1.1, other functions were first added to OpenSSL 1.0.0.
+macros were added in 1.1.1, other functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_CTX_new.pod b/doc/man3/EVP_PKEY_CTX_new.pod
index eff94cd94364..f01fc9752297 100644
--- a/doc/man3/EVP_PKEY_CTX_new.pod
+++ b/doc/man3/EVP_PKEY_CTX_new.pod
@@ -48,7 +48,7 @@ L<EVP_PKEY_new(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_asn1_get_count.pod b/doc/man3/EVP_PKEY_asn1_get_count.pod
index 9ad2daed4f5b..cd99e4d75786 100644
--- a/doc/man3/EVP_PKEY_asn1_get_count.pod
+++ b/doc/man3/EVP_PKEY_asn1_get_count.pod
@@ -48,7 +48,7 @@ engine that implements it.
EVP_PKEY_asn1_get0_info() returns the public key ID, base public key
ID (both NIDs), any flags, the method description and PEM type string
-associated with the public key ASN.1 method B<*ameth>.
+associated with the public key ASN.1 method B<*ameth>.
EVP_PKEY_asn1_count(), EVP_PKEY_asn1_get0(), EVP_PKEY_asn1_find() and
EVP_PKEY_asn1_find_str() are not thread safe, but as long as all
@@ -70,7 +70,7 @@ L<EVP_PKEY_asn1_new(3)>, L<EVP_PKEY_asn1_add0(3)>
=head1 COPYRIGHT
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
index 2a691a61773b..2e3d266541a6 100644
--- a/doc/man3/EVP_PKEY_decrypt.pod
+++ b/doc/man3/EVP_PKEY_decrypt.pod
@@ -91,7 +91,7 @@ L<EVP_PKEY_derive(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_derive.pod b/doc/man3/EVP_PKEY_derive.pod
index 8cd0b54740d4..a74065e31f3b 100644
--- a/doc/man3/EVP_PKEY_derive.pod
+++ b/doc/man3/EVP_PKEY_derive.pod
@@ -89,7 +89,7 @@ L<EVP_PKEY_verify_recover(3)>,
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_encrypt.pod b/doc/man3/EVP_PKEY_encrypt.pod
index 4e9a34e740f3..371891046473 100644
--- a/doc/man3/EVP_PKEY_encrypt.pod
+++ b/doc/man3/EVP_PKEY_encrypt.pod
@@ -96,7 +96,7 @@ L<EVP_PKEY_derive(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
index da76677044c2..ed52e9696c9f 100644
--- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod
+++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
@@ -37,7 +37,7 @@ L<EVP_PKEY_verify_recover(3)>,
=head1 HISTORY
-This function was first added to OpenSSL 1.0.0.
+This function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_keygen.pod b/doc/man3/EVP_PKEY_keygen.pod
index 0b86eaaaa3db..83cebe7ce2f4 100644
--- a/doc/man3/EVP_PKEY_keygen.pod
+++ b/doc/man3/EVP_PKEY_keygen.pod
@@ -189,7 +189,7 @@ L<EVP_PKEY_derive(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
EVP_PKEY_check(), EVP_PKEY_public_check() and EVP_PKEY_param_check() were added
in OpenSSL 1.1.1.
diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod
index a3532a359632..ebe20986dba1 100644
--- a/doc/man3/EVP_PKEY_new.pod
+++ b/doc/man3/EVP_PKEY_new.pod
@@ -114,12 +114,15 @@ L<EVP_PKEY_set1_EC_KEY>
=head1 HISTORY
-EVP_PKEY_new() and EVP_PKEY_free() exist in all versions of OpenSSL.
+The
+EVP_PKEY_new() and EVP_PKEY_free() functions exist in all versions of OpenSSL.
-EVP_PKEY_up_ref() was first added to OpenSSL 1.1.0.
+The EVP_PKEY_up_ref() function was added in OpenSSL 1.1.0.
+
+The
EVP_PKEY_new_raw_private_key(), EVP_PKEY_new_raw_public_key(),
EVP_PKEY_new_CMAC_key(), EVP_PKEY_new_raw_private_key() and
-EVP_PKEY_get_raw_public_key() were first added to OpenSSL 1.1.1.
+EVP_PKEY_get_raw_public_key() functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_print_private.pod b/doc/man3/EVP_PKEY_print_private.pod
index 3ebd086a1c19..e0750c7eedbb 100644
--- a/doc/man3/EVP_PKEY_print_private.pod
+++ b/doc/man3/EVP_PKEY_print_private.pod
@@ -47,7 +47,7 @@ L<EVP_PKEY_keygen(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_sign.pod b/doc/man3/EVP_PKEY_sign.pod
index bdebf0b9241f..1672831ff015 100644
--- a/doc/man3/EVP_PKEY_sign.pod
+++ b/doc/man3/EVP_PKEY_sign.pod
@@ -101,7 +101,7 @@ L<EVP_PKEY_derive(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_verify.pod b/doc/man3/EVP_PKEY_verify.pod
index 57d7f8cf86f8..cdbb80b99df8 100644
--- a/doc/man3/EVP_PKEY_verify.pod
+++ b/doc/man3/EVP_PKEY_verify.pod
@@ -89,7 +89,7 @@ L<EVP_PKEY_derive(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_PKEY_verify_recover.pod b/doc/man3/EVP_PKEY_verify_recover.pod
index 85d76f84ac37..251360656167 100644
--- a/doc/man3/EVP_PKEY_verify_recover.pod
+++ b/doc/man3/EVP_PKEY_verify_recover.pod
@@ -100,7 +100,7 @@ L<EVP_PKEY_derive(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.0.
+These functions were added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/EVP_SignInit.pod b/doc/man3/EVP_SignInit.pod
index 12e67f8cbf86..86fec82fb007 100644
--- a/doc/man3/EVP_SignInit.pod
+++ b/doc/man3/EVP_SignInit.pod
@@ -17,7 +17,7 @@ functions
void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
- int EVP_PKEY_size(EVP_PKEY *pkey);
+ int EVP_PKEY_size(const EVP_PKEY *pkey);
int EVP_PKEY_security_bits(const EVP_PKEY *pkey);
=head1 DESCRIPTION
diff --git a/doc/man3/HMAC.pod b/doc/man3/HMAC.pod
index c480a9c9ebef..65386a7baa31 100644
--- a/doc/man3/HMAC.pod
+++ b/doc/man3/HMAC.pod
@@ -91,7 +91,7 @@ because reuse of an existing key with a different digest is not supported.
HMAC_Init() initializes a B<HMAC_CTX> structure to use the hash
function B<evp_md> and the key B<key> which is B<key_len> bytes
-long.
+long.
HMAC_Update() can be called repeatedly with chunks of the message to
be authenticated (B<len> bytes at B<data>).
@@ -147,7 +147,7 @@ OpenSSL before version 1.0.0.
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OPENSSL_init_crypto.pod b/doc/man3/OPENSSL_init_crypto.pod
index a259539f0552..c7823e32d6df 100644
--- a/doc/man3/OPENSSL_init_crypto.pod
+++ b/doc/man3/OPENSSL_init_crypto.pod
@@ -2,10 +2,11 @@
=head1 NAME
-OPENSSL_INIT_new, OPENSSL_INIT_set_config_appname, OPENSSL_INIT_free,
-OPENSSL_init_crypto, OPENSSL_cleanup,
-OPENSSL_atexit, OPENSSL_thread_stop - OpenSSL
-initialisation and deinitialisation functions
+OPENSSL_INIT_new, OPENSSL_INIT_set_config_filename,
+OPENSSL_INIT_set_config_appname, OPENSSL_INIT_set_config_file_flags,
+OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit,
+OPENSSL_thread_stop - OpenSSL initialisation
+and deinitialisation functions
=head1 SYNOPSIS
@@ -17,6 +18,10 @@ initialisation and deinitialisation functions
void OPENSSL_thread_stop(void);
OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void);
+ int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *init,
+ const char* filename);
+ int OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *init,
+ unsigned long flags);
int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init,
const char* name);
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init);
@@ -33,7 +38,7 @@ As of version 1.1.0 OpenSSL will automatically allocate all resources that it
needs so no explicit initialisation is required. Similarly it will also
automatically deinitialise as required.
-However, there way be situations when explicit initialisation is desirable or
+However, there may be situations when explicit initialisation is desirable or
needed, for example when some non-default initialisation is required. The
function OPENSSL_init_crypto() can be used for this purpose for
libcrypto (see also L<OPENSSL_init_ssl(3)> for the libssl
@@ -96,7 +101,7 @@ B<OPENSSL_INIT_ADD_ALL_DIGESTS> will be ignored.
With this option an OpenSSL configuration file will be automatically loaded and
used by calling OPENSSL_config(). This is not a default option for libcrypto.
-From OpenSSL 1.1.1 this is a default option for libssl (see
+As of OpenSSL 1.1.1 this is a default option for libssl (see
L<OPENSSL_init_ssl(3)> for further details about libssl initialisation). See the
description of OPENSSL_INIT_new(), below.
@@ -157,6 +162,13 @@ engines. This not a default option.
With this option the library will register its fork handlers.
See OPENSSL_fork_prepare(3) for details.
+=item OPENSSL_INIT_NO_ATEXIT
+
+By default OpenSSL will attempt to clean itself up when the process exits via an
+"atexit" handler. Using this option suppresses that behaviour. This means that
+the application will have to clean up OpenSSL explicitly using
+OPENSSL_cleanup().
+
=back
Multiple options may be combined together in a single call to
@@ -196,12 +208,22 @@ the library when the thread exits. This should only be called directly if
resources should be freed at an earlier time, or under the circumstances
described in the NOTES section below.
-The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a default configuration
-file. For optional configuration file settings, an B<OPENSSL_INIT_SETTINGS>
-must be created and used.
-The routines OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can
-be used to allocate the object and set the application name, and then the
-object can be released with OPENSSL_INIT_free() when done.
+The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a configuration file, as with
+L<CONF_modules_load_file(3)> with NULL filename and application name and the
+B<CONF_MFLAGS_IGNORE_MISSING_FILE>, B<CONF_MFLAGS_IGNORE_RETURN_CODES> and
+B<CONF_MFLAGS_DEFAULT_SECTION> flags.
+The filename, application name, and flags can be customized by providing a
+non-null B<OPENSSL_INIT_SETTINGS> object.
+The object can be allocated via B<OPENSSL_init_new()>.
+The B<OPENSSL_INIT_set_config_filename()> function can be used to specify a
+non-default filename, which is copied and need not refer to persistent storage.
+Similarly, OPENSSL_INIT_set_config_appname() can be used to specify a
+non-default application name.
+Finally, OPENSSL_INIT_set_file_flags can be used to specify non-default flags.
+If the B<CONF_MFLAGS_IGNORE_RETURN_CODES> flag is not included, any errors in
+the configuration file will cause an error return from B<OPENSSL_init_crypto>
+or indirectly L<OPENSSL_init_ssl(3)>.
+The object can be released with OPENSSL_INIT_free() when done.
=head1 NOTES
@@ -242,7 +264,7 @@ and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OPENSSL_malloc.pod b/doc/man3/OPENSSL_malloc.pod
index 049a12556ae7..2d678c951f0a 100644
--- a/doc/man3/OPENSSL_malloc.pod
+++ b/doc/man3/OPENSSL_malloc.pod
@@ -90,10 +90,8 @@ generally macro's that add the standard C B<__FILE__> and B<__LINE__>
parameters and call a lower-level B<CRYPTO_xxx> API.
Some functions do not add those parameters, but exist for consistency.
-OPENSSL_malloc_init() sets the lower-level memory allocation functions
-to their default implementation.
-It is generally not necessary to call this, except perhaps in certain
-shared-library situations.
+OPENSSL_malloc_init() does nothing and does not need to be called. It is
+included for compatibility with older versions of OpenSSL.
OPENSSL_malloc(), OPENSSL_realloc(), and OPENSSL_free() are like the
C malloc(), realloc(), and free() functions.
@@ -247,7 +245,7 @@ only, say, the malloc() implementation is outright dangerous.>
=head1 COPYRIGHT
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OPENSSL_secure_malloc.pod b/doc/man3/OPENSSL_secure_malloc.pod
index 5a01c8246933..6c395383513b 100644
--- a/doc/man3/OPENSSL_secure_malloc.pod
+++ b/doc/man3/OPENSSL_secure_malloc.pod
@@ -120,7 +120,7 @@ L<BN_new(3)>
=head1 HISTORY
-OPENSSL_secure_clear_free() was added in OpenSSL 1.1.0g.
+The OPENSSL_secure_clear_free() function was added in OpenSSL 1.1.0g.
=head1 COPYRIGHT
diff --git a/doc/man3/OSSL_STORE_INFO.pod b/doc/man3/OSSL_STORE_INFO.pod
index 20d41ac534e7..4c68986c56b2 100644
--- a/doc/man3/OSSL_STORE_INFO.pod
+++ b/doc/man3/OSSL_STORE_INFO.pod
@@ -190,7 +190,7 @@ OSSL_STORE_INFO_get0_CERT(), OSSL_STORE_INFO_get0_CRL(),
OSSL_STORE_INFO_type_string(), OSSL_STORE_INFO_free(), OSSL_STORE_INFO_new_NAME(),
OSSL_STORE_INFO_new_PARAMS(), OSSL_STORE_INFO_new_PKEY(),
OSSL_STORE_INFO_new_CERT() and OSSL_STORE_INFO_new_CRL()
-were added to OpenSSL 1.1.1.
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/OSSL_STORE_LOADER.pod b/doc/man3/OSSL_STORE_LOADER.pod
index 87c135a1275b..150375411452 100644
--- a/doc/man3/OSSL_STORE_LOADER.pod
+++ b/doc/man3/OSSL_STORE_LOADER.pod
@@ -250,7 +250,7 @@ OSSL_STORE_LOADER_set_eof(), OSSL_STORE_LOADER_set_close(),
OSSL_STORE_LOADER_free(), OSSL_STORE_register_loader(),
OSSL_STORE_unregister_loader(), OSSL_STORE_open_fn(), OSSL_STORE_ctrl_fn(),
OSSL_STORE_load_fn(), OSSL_STORE_eof_fn() and OSSL_STORE_close_fn()
-were added to OpenSSL 1.1.1.
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/OSSL_STORE_SEARCH.pod b/doc/man3/OSSL_STORE_SEARCH.pod
index 6d36a190ae5a..0c2dd2bc24c5 100644
--- a/doc/man3/OSSL_STORE_SEARCH.pod
+++ b/doc/man3/OSSL_STORE_SEARCH.pod
@@ -179,7 +179,7 @@ OSSL_STORE_SEARCH_get0_name(),
OSSL_STORE_SEARCH_get0_serial(),
OSSL_STORE_SEARCH_get0_bytes(),
and OSSL_STORE_SEARCH_get0_string()
-were added to OpenSSL 1.1.1.
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/OSSL_STORE_expect.pod b/doc/man3/OSSL_STORE_expect.pod
index e3f06b55be71..154472a76b51 100644
--- a/doc/man3/OSSL_STORE_expect.pod
+++ b/doc/man3/OSSL_STORE_expect.pod
@@ -65,7 +65,7 @@ L<OSSL_STORE_load(3)>
=head1 HISTORY
OSSL_STORE_expect(), OSSL_STORE_supports_search() and OSSL_STORE_find()
-were added to OpenSSL 1.1.1.
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/OSSL_STORE_open.pod b/doc/man3/OSSL_STORE_open.pod
index b1467f4100a7..1e8ebf7ce1ce 100644
--- a/doc/man3/OSSL_STORE_open.pod
+++ b/doc/man3/OSSL_STORE_open.pod
@@ -147,7 +147,7 @@ L<passphrase-encoding(7)>
OSSL_STORE_CTX(), OSSL_STORE_post_process_info_fn(), OSSL_STORE_open(),
OSSL_STORE_ctrl(), OSSL_STORE_load(), OSSL_STORE_eof() and OSSL_STORE_close()
-were added to OpenSSL 1.1.1.
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/PEM_read_bio_ex.pod b/doc/man3/PEM_read_bio_ex.pod
index e171bff2453a..a16b0ede5a9c 100644
--- a/doc/man3/PEM_read_bio_ex.pod
+++ b/doc/man3/PEM_read_bio_ex.pod
@@ -56,7 +56,7 @@ L<PEM(3)>
=head1 HISTORY
-PEM_read_bio_ex() was added in OpenSSL 1.1.1.
+The PEM_read_bio_ex() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/PEM_write_bio_CMS_stream.pod b/doc/man3/PEM_write_bio_CMS_stream.pod
index c73fafd44bdc..bc3ee167e0c4 100644
--- a/doc/man3/PEM_write_bio_CMS_stream.pod
+++ b/doc/man3/PEM_write_bio_CMS_stream.pod
@@ -36,7 +36,7 @@ L<i2d_CMS_bio_stream(3)>
=head1 HISTORY
-PEM_write_bio_CMS_stream() was added to OpenSSL 1.0.0
+The PEM_write_bio_CMS_stream() function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/PEM_write_bio_PKCS7_stream.pod b/doc/man3/PEM_write_bio_PKCS7_stream.pod
index 77f97aaa2bbc..32b7ef2ef754 100644
--- a/doc/man3/PEM_write_bio_PKCS7_stream.pod
+++ b/doc/man3/PEM_write_bio_PKCS7_stream.pod
@@ -35,7 +35,7 @@ L<i2d_PKCS7_bio_stream(3)>
=head1 HISTORY
-PEM_write_bio_PKCS7_stream() was added to OpenSSL 1.0.0
+The PEM_write_bio_PKCS7_stream() function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/PKCS12_parse.pod b/doc/man3/PKCS12_parse.pod
index 747a36f5ed04..208644c019bf 100644
--- a/doc/man3/PKCS12_parse.pod
+++ b/doc/man3/PKCS12_parse.pod
@@ -8,7 +8,8 @@ PKCS12_parse - parse a PKCS#12 structure
#include <openssl/pkcs12.h>
-int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);
+ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
+ STACK_OF(X509) **ca);
=head1 DESCRIPTION
diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod
index c1df5f19a070..6fd54777d1f1 100644
--- a/doc/man3/PKCS7_sign.pod
+++ b/doc/man3/PKCS7_sign.pod
@@ -108,9 +108,9 @@ L<ERR_get_error(3)>, L<PKCS7_verify(3)>
=head1 HISTORY
The B<PKCS7_PARTIAL> flag, and the ability for B<certs>, B<signcert>,
-and B<pkey> parameters to be B<NULL> to be was added in OpenSSL 1.0.0
+and B<pkey> parameters to be B<NULL> were added in OpenSSL 1.0.0.
-The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0
+The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/PKCS7_sign_add_signer.pod b/doc/man3/PKCS7_sign_add_signer.pod
index 2bc6c40bd2ea..d4a27a2f6194 100644
--- a/doc/man3/PKCS7_sign_add_signer.pod
+++ b/doc/man3/PKCS7_sign_add_signer.pod
@@ -83,7 +83,7 @@ L<PKCS7_final(3)>,
=head1 HISTORY
-PPKCS7_sign_add_signer() was added to OpenSSL 1.0.0
+The PPKCS7_sign_add_signer() function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/RAND_bytes.pod b/doc/man3/RAND_bytes.pod
index fca1ad6961de..f257e050065f 100644
--- a/doc/man3/RAND_bytes.pod
+++ b/doc/man3/RAND_bytes.pod
@@ -53,7 +53,7 @@ RAND_pseudo_bytes() was deprecated in OpenSSL 1.1.0; use RAND_bytes() instead.
=item *
-RAND_priv_bytes() was added in OpenSSL 1.1.1.
+The RAND_priv_bytes() function was added in OpenSSL 1.1.1.
=back
diff --git a/doc/man3/RIPEMD160_Init.pod b/doc/man3/RIPEMD160_Init.pod
index 77ac4fbc122f..d3cdf930d88e 100644
--- a/doc/man3/RIPEMD160_Init.pod
+++ b/doc/man3/RIPEMD160_Init.pod
@@ -13,7 +13,7 @@ RIPEMD-160 hash function
unsigned char *md);
int RIPEMD160_Init(RIPEMD160_CTX *c);
- int RIPEMD160_Update(RIPEMD_CTX *c, const void *data, unsigned long len);
+ int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
=head1 DESCRIPTION
@@ -61,7 +61,7 @@ L<EVP_DigestInit(3)>
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/RSA_get0_key.pod b/doc/man3/RSA_get0_key.pod
index cb7d0f66db10..358c2de256f9 100644
--- a/doc/man3/RSA_get0_key.pod
+++ b/doc/man3/RSA_get0_key.pod
@@ -157,6 +157,7 @@ L<RSA_new(3)>, L<RSA_size(3)>
=head1 HISTORY
+The
RSA_get_multi_prime_extra_count(), RSA_get0_multi_prime_factors(),
RSA_get0_multi_prime_crt_params(), RSA_set0_multi_prime_params(),
and RSA_get_version() functions were added in OpenSSL 1.1.1.
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
index 93911cac97d6..9ea2634c0346 100644
--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -110,7 +110,12 @@ L<ERR_get_error(3)>.
The RSA_padding_check_PKCS1_type_2() padding check leaks timing
information which can potentially be used to mount a Bleichenbacher
padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
+v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
+be recommended to pass zero-padded B<f>, so that B<fl> equals to
+B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
+expected length. In such case leakage would be minimal, it would
+take attacker's ability to observe memory access pattern with byte
+granilarity as it occurs, post-factum timing analysis won't do.
=head1 SEE ALSO
diff --git a/doc/man3/RSA_size.pod b/doc/man3/RSA_size.pod
index 022620078a7c..99498650866f 100644
--- a/doc/man3/RSA_size.pod
+++ b/doc/man3/RSA_size.pod
@@ -41,7 +41,7 @@ L<BN_num_bits(3)>
=head1 HISTORY
-RSA_bits() was added in OpenSSL 1.1.0.
+The RSA_bits() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
index af59b58946cc..4c12c5ed20d0 100644
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@@ -179,19 +179,19 @@ protocol-specific ID.
=head1 HISTORY
-SSL_CIPHER_get_version() was updated to always return the correct protocol
-string in OpenSSL 1.1.0.
+The SSL_CIPHER_get_version() function was updated to always return the
+correct protocol string in OpenSSL 1.1.0.
-SSL_CIPHER_description() was changed to return B<NULL> on error,
+The SSL_CIPHER_description() function was changed to return B<NULL> on error,
rather than a fixed string, in OpenSSL 1.1.0.
-SSL_CIPHER_get_handshake_digest() was added in OpenSSL 1.1.1.
+The SSL_CIPHER_get_handshake_digest() function was added in OpenSSL 1.1.1.
-SSL_CIPHER_standard_name() was globally available in OpenSSL 1.1.1. Before
-OpenSSL 1.1.1, tracing (B<enable-ssl-trace> argument to Configure) was
+The SSL_CIPHER_standard_name() function was globally available in OpenSSL 1.1.1.
+ Before OpenSSL 1.1.1, tracing (B<enable-ssl-trace> argument to Configure) was
required to enable this function.
-OPENSSL_cipher_name() was added in OpenSSL 1.1.1.
+The OPENSSL_cipher_name() function was added in OpenSSL 1.1.1.
=head1 SEE ALSO
diff --git a/doc/man3/SSL_COMP_add_compression_method.pod b/doc/man3/SSL_COMP_add_compression_method.pod
index 1dc8eb149947..76c036e5ce44 100644
--- a/doc/man3/SSL_COMP_add_compression_method.pod
+++ b/doc/man3/SSL_COMP_add_compression_method.pod
@@ -91,9 +91,8 @@ L<ssl(7)>
=head1 HISTORY
-SSL_COMP_free_compression_methods() was deprecated in OpenSSL 1.1.0;
-do not use it.
-SSL_COMP_get0_name() and SSL_comp_get_id() were added in OpenSSL 1.1.0d.
+The SSL_COMP_free_compression_methods() function was deprecated in OpenSSL 1.1.0.
+The SSL_COMP_get0_name() and SSL_comp_get_id() functions were added in OpenSSL 1.1.0d.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CONF_CTX_new.pod b/doc/man3/SSL_CONF_CTX_new.pod
index 79f0bbc7dd5f..df5492f79ba8 100644
--- a/doc/man3/SSL_CONF_CTX_new.pod
+++ b/doc/man3/SSL_CONF_CTX_new.pod
@@ -36,7 +36,7 @@ L<SSL_CONF_cmd_argv(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CONF_CTX_set1_prefix.pod b/doc/man3/SSL_CONF_CTX_set1_prefix.pod
index d98647025470..b2eff5bf519f 100644
--- a/doc/man3/SSL_CONF_CTX_set1_prefix.pod
+++ b/doc/man3/SSL_CONF_CTX_set1_prefix.pod
@@ -44,7 +44,7 @@ L<SSL_CONF_cmd_argv(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CONF_CTX_set_flags.pod b/doc/man3/SSL_CONF_CTX_set_flags.pod
index 766d984626a9..d6f6ff589758 100644
--- a/doc/man3/SSL_CONF_CTX_set_flags.pod
+++ b/doc/man3/SSL_CONF_CTX_set_flags.pod
@@ -70,7 +70,7 @@ L<SSL_CONF_cmd_argv(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
index 7e4120f7ce57..3b001d1686f4 100644
--- a/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
+++ b/doc/man3/SSL_CONF_CTX_set_ssl_ctx.pod
@@ -42,7 +42,7 @@ L<SSL_CONF_cmd_argv(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod
index b399bcf4990c..a74e7284f9de 100644
--- a/doc/man3/SSL_CONF_cmd.pod
+++ b/doc/man3/SSL_CONF_cmd.pod
@@ -308,11 +308,6 @@ Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in
length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the
B<value> must be >1 or <=16384.
-=item B<NoRenegotiation>
-
-Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
-B<SSL_OP_NO_RENEGOTIATION>.
-
=item B<SignatureAlgorithms>
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
@@ -456,6 +451,9 @@ Only used by servers.
B<NoResumptionOnRenegotiation>: set
B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers.
+B<NoRenegotiation>: disables all attempts at renegotiation in TLSv1.2 and
+earlier, same as setting B<SSL_OP_NO_RENEGOTIATION>.
+
B<UnsafeLegacyRenegotiation>: permits the use of unsafe legacy renegotiation.
Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
@@ -670,12 +668,12 @@ L<SSL_CTX_set_options(3)>
=head1 HISTORY
-SSL_CONF_cmd() was first added to OpenSSL 1.0.2
+The SSL_CONF_cmd() function was added in OpenSSL 1.0.2.
-B<SSL_OP_NO_SSL2> doesn't have effect since 1.1.0, but the macro is retained
-for backwards compatibility.
+The B<SSL_OP_NO_SSL2> option doesn't have effect since 1.1.0, but the macro
+is retained for backwards compatibility.
-B<SSL_CONF_TYPE_NONE> was first added to OpenSSL 1.1.0. In earlier versions of
+The B<SSL_CONF_TYPE_NONE> was added in OpenSSL 1.1.0. In earlier versions of
OpenSSL passing a command which didn't take an argument would return
B<SSL_CONF_TYPE_UNKNOWN>.
@@ -685,7 +683,7 @@ B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CONF_cmd_argv.pod b/doc/man3/SSL_CONF_cmd_argv.pod
index 567fa5a5084f..130814803d86 100644
--- a/doc/man3/SSL_CONF_cmd_argv.pod
+++ b/doc/man3/SSL_CONF_cmd_argv.pod
@@ -37,7 +37,7 @@ L<SSL_CONF_cmd(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_add1_chain_cert.pod b/doc/man3/SSL_CTX_add1_chain_cert.pod
index 24730024f857..8fe8a7d5e18e 100644
--- a/doc/man3/SSL_CTX_add1_chain_cert.pod
+++ b/doc/man3/SSL_CTX_add1_chain_cert.pod
@@ -144,7 +144,7 @@ L<SSL_CTX_add_extra_chain_cert(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2.
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_config.pod b/doc/man3/SSL_CTX_config.pod
index 5b2aed76c283..90d86746cec1 100644
--- a/doc/man3/SSL_CTX_config.pod
+++ b/doc/man3/SSL_CTX_config.pod
@@ -77,7 +77,7 @@ L<CONF_modules_load_file(3)>
=head1 HISTORY
-SSL_CTX_config() and SSL_config() were first added to OpenSSL 1.1.0
+The SSL_CTX_config() and SSL_config() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_dane_enable.pod b/doc/man3/SSL_CTX_dane_enable.pod
index d767bb296e83..d1b3c1aad7d3 100644
--- a/doc/man3/SSL_CTX_dane_enable.pod
+++ b/doc/man3/SSL_CTX_dane_enable.pod
@@ -368,7 +368,7 @@ L<EVP_PKEY_free(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.1.0.
+These functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_get0_param.pod b/doc/man3/SSL_CTX_get0_param.pod
index 6b9373745880..8b99dc330ad9 100644
--- a/doc/man3/SSL_CTX_get0_param.pod
+++ b/doc/man3/SSL_CTX_get0_param.pod
@@ -50,7 +50,7 @@ L<X509_VERIFY_PARAM_set_flags(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2.
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set0_CA_list.pod b/doc/man3/SSL_CTX_set0_CA_list.pod
index d7ed89775b2e..b483f83b7182 100644
--- a/doc/man3/SSL_CTX_set0_CA_list.pod
+++ b/doc/man3/SSL_CTX_set0_CA_list.pod
@@ -101,7 +101,7 @@ set CA names using the "client CA list" functions and then get them using the
used on the server side then the "client CA list" functions take precedence.
Typically, on the server side, the "client CA list " functions should be used in
preference. As noted above in most cases it is not necessary to set CA names on
-the client side.
+the client side.
SSL_CTX_set0_CA_list() sets the list of CAs to be sent to the peer to
B<name_list>. Ownership of B<name_list> is transferred to B<ctx> and
@@ -178,7 +178,7 @@ L<SSL_CTX_load_verify_locations(3)>
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
index 7dca0e0161d9..6c3d4fc9e912 100644
--- a/doc/man3/SSL_CTX_set1_curves.pod
+++ b/doc/man3/SSL_CTX_set1_curves.pod
@@ -97,8 +97,8 @@ L<SSL_CTX_add_extra_chain_cert(3)>
=head1 HISTORY
-The curve functions were first added to OpenSSL 1.0.2. The equivalent group
-functions were first added to OpenSSL 1.1.1.
+The curve functions were added in OpenSSL 1.0.2. The equivalent group
+functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set1_verify_cert_store.pod b/doc/man3/SSL_CTX_set1_verify_cert_store.pod
index bfe8b70af902..b42f2a499f13 100644
--- a/doc/man3/SSL_CTX_set1_verify_cert_store.pod
+++ b/doc/man3/SSL_CTX_set1_verify_cert_store.pod
@@ -86,7 +86,7 @@ L<SSL_build_cert_chain(3)>
=head1 HISTORY
-These functions were first added to OpenSSL 1.0.2.
+These functions were added in OpenSSL 1.0.2.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set_ctlog_list_file.pod b/doc/man3/SSL_CTX_set_ctlog_list_file.pod
index 275831ab1550..5fb0feb45183 100644
--- a/doc/man3/SSL_CTX_set_ctlog_list_file.pod
+++ b/doc/man3/SSL_CTX_set_ctlog_list_file.pod
@@ -24,7 +24,7 @@ See L<CTLOG_STORE_new(3)> for the file format.
=head1 NOTES
These functions will not clear the existing CT log list - it will be appended
-to. To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first.
+to. To replace the existing list, use L<SSL_CTX_set0_ctlog_store> first.
If an error occurs whilst parsing a particular log entry in the file, that log
entry will be skipped.
@@ -43,7 +43,7 @@ L<CTLOG_STORE_new(3)>
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_default_passwd_cb.pod b/doc/man3/SSL_CTX_set_default_passwd_cb.pod
index c7bdc9b92a04..999a70c8c366 100644
--- a/doc/man3/SSL_CTX_set_default_passwd_cb.pod
+++ b/doc/man3/SSL_CTX_set_default_passwd_cb.pod
@@ -94,7 +94,7 @@ truncated.
SSL_CTX_get_default_passwd_cb(), SSL_CTX_get_default_passwd_cb_userdata(),
SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata() were
-first added to OpenSSL 1.1.0
+added in OpenSSL 1.1.0.
=head1 SEE ALSO
diff --git a/doc/man3/SSL_CTX_set_info_callback.pod b/doc/man3/SSL_CTX_set_info_callback.pod
index f01ca66fce7c..01b03f9a59ae 100644
--- a/doc/man3/SSL_CTX_set_info_callback.pod
+++ b/doc/man3/SSL_CTX_set_info_callback.pod
@@ -92,17 +92,13 @@ Callback has been called due to an alert being sent or received.
=item SSL_CB_HANDSHAKE_START
-Callback has been called because a new handshake is started. In TLSv1.3 this is
-also used for the start of post-handshake message exchanges such as for the
-exchange of session tickets, or for key updates. It also occurs when resuming a
-handshake following a pause to handle early data.
+Callback has been called because a new handshake is started. It also occurs when
+resuming a handshake following a pause to handle early data.
-=item SSL_CB_HANDSHAKE_DONE 0x20
+=item SSL_CB_HANDSHAKE_DONE
-Callback has been called because a handshake is finished. In TLSv1.3 this is
-also used at the end of an exchange of post-handshake messages such as for
-session tickets or key updates. It also occurs if the handshake is paused to
-allow the exchange of early data.
+Callback has been called because a handshake is finished. It also occurs if the
+handshake is paused to allow the exchange of early data.
=back
@@ -160,7 +156,7 @@ L<SSL_alert_type_string(3)>
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_mode.pod b/doc/man3/SSL_CTX_set_mode.pod
index 8f8edcf05420..387d1ec1ef04 100644
--- a/doc/man3/SSL_CTX_set_mode.pod
+++ b/doc/man3/SSL_CTX_set_mode.pod
@@ -105,6 +105,15 @@ Enable asynchronous processing. TLS I/O operations may indicate a retry with
SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is
used to perform cryptographic operations. See L<SSL_get_error(3)>.
+=item SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG
+
+Older versions of OpenSSL had a bug in the computation of the label length
+used for computing the endpoint-pair shared secret. The bug was that the
+terminating zero was included in the length of the label. Setting this option
+enables this behaviour to allow interoperability with such broken
+implementations. Please note that setting this option breaks interoperability
+with correct implementations. This option only applies to DTLS over SCTP.
+
=back
All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by
@@ -124,11 +133,11 @@ L<SSL_write(3)>, L<SSL_get_error(3)>
=head1 HISTORY
-SSL_MODE_ASYNC was first added to OpenSSL 1.1.0.
+SSL_MODE_ASYNC was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_msg_callback.pod b/doc/man3/SSL_CTX_set_msg_callback.pod
index bbc78b64b9c5..8cf77cc553a1 100644
--- a/doc/man3/SSL_CTX_set_msg_callback.pod
+++ b/doc/man3/SSL_CTX_set_msg_callback.pod
@@ -128,8 +128,7 @@ L<ssl(7)>, L<SSL_new(3)>
=head1 HISTORY
-The pseudo content type B<SSL3_RT_INNER_CONTENT_TYPE> was added in OpenSSL
-1.1.1.
+The pseudo content type B<SSL3_RT_INNER_CONTENT_TYPE> was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set_num_tickets.pod b/doc/man3/SSL_CTX_set_num_tickets.pod
index b6b0e3ebee74..ad13ed15f406 100644
--- a/doc/man3/SSL_CTX_set_num_tickets.pod
+++ b/doc/man3/SSL_CTX_set_num_tickets.pod
@@ -20,10 +20,10 @@ SSL_CTX_get_num_tickets
=head1 DESCRIPTION
SSL_CTX_set_num_tickets() and SSL_set_num_tickets() can be called for a server
-application and set the number of session tickets that will be sent to the
-client after a full handshake. Set the desired value (which could be 0) in the
-B<num_tickets> argument. Typically these functions should be called before the
-start of the handshake.
+application and set the number of TLSv1.3 session tickets that will be sent to
+the client after a full handshake. Set the desired value (which could be 0) in
+the B<num_tickets> argument. Typically these functions should be called before
+the start of the handshake.
The default number of tickets is 2; the default number of tickets sent following
a resumption handshake is 1 but this cannot be changed using these functions.
diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod
index ae5ca1bd5d23..2d840b62cb24 100644
--- a/doc/man3/SSL_CTX_set_options.pod
+++ b/doc/man3/SSL_CTX_set_options.pod
@@ -361,10 +361,10 @@ L<dhparam(1)>
=head1 HISTORY
The attempt to always try to use secure renegotiation was added in
-Openssl 0.9.8m.
+OpenSSL 0.9.8m.
-B<SSL_OP_PRIORITIZE_CHACHA> and B<SSL_OP_NO_RENEGOTIATION> were added in
-OpenSSL 1.1.1.
+The B<SSL_OP_PRIORITIZE_CHACHA> and B<SSL_OP_NO_RENEGOTIATION> options
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set_record_padding_callback.pod b/doc/man3/SSL_CTX_set_record_padding_callback.pod
index d0b2e30f2571..13e56f0c57f6 100644
--- a/doc/man3/SSL_CTX_set_record_padding_callback.pod
+++ b/doc/man3/SSL_CTX_set_record_padding_callback.pod
@@ -19,10 +19,10 @@ SSL_set_block_padding - install callback to specify TLS 1.3 record padding
void SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg));
void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
- void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx);
+ void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg);
- void *SSL_get_record_padding_callback_arg(SSL *ssl);
+ void *SSL_get_record_padding_callback_arg(const SSL *ssl);
int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
int SSL_set_block_padding(SSL *ssl, size_t block_size);
@@ -86,7 +86,7 @@ The record padding API was added for TLS 1.3 support in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index 8baaaffec5c8..0cb6c1f52a22 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -176,7 +176,7 @@ data pointer or NULL if the ex data is not set.
=head1 HISTORY
-These functions were first added to OpenSSL 1.1.0
+These functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set_session_ticket_cb.pod b/doc/man3/SSL_CTX_set_session_ticket_cb.pod
index 8f98c6f1c99e..f3dfb62c231c 100644
--- a/doc/man3/SSL_CTX_set_session_ticket_cb.pod
+++ b/doc/man3/SSL_CTX_set_session_ticket_cb.pod
@@ -177,8 +177,8 @@ L<SSL_get_session(3)>
=head1 HISTORY
-SSL_CTX_set_session_ticket_cb(), SSSL_SESSION_set1_ticket_appdata() and
-SSL_SESSION_get_ticket_appdata() were added to OpenSSL 1.1.1.
+The SSL_CTX_set_session_ticket_cb(), SSSL_SESSION_set1_ticket_appdata()
+and SSL_SESSION_get_ticket_appdata() functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod
index ef5e7cda35a2..877b4aecd949 100644
--- a/doc/man3/SSL_CTX_set_split_send_fragment.pod
+++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod
@@ -169,8 +169,8 @@ SSL_CTX_set_split_send_fragment(), SSL_set_split_send_fragment(),
SSL_CTX_set_default_read_buffer_len() and SSL_set_default_read_buffer_len()
functions were added in OpenSSL 1.1.0.
-SSL_CTX_set_tlsext_max_fragment_length(), SSL_set_tlsext_max_fragment_length()
-and SSL_SESSION_get_max_fragment_length() were added in OpenSSL 1.1.1.
+The SSL_CTX_set_tlsext_max_fragment_length(), SSL_set_tlsext_max_fragment_length()
+and SSL_SESSION_get_max_fragment_length() functions were added in OpenSSL 1.1.1.
=head1 SEE ALSO
diff --git a/doc/man3/SSL_CTX_set_ssl_version.pod b/doc/man3/SSL_CTX_set_ssl_version.pod
index 901c057f453a..6c132756f2ca 100644
--- a/doc/man3/SSL_CTX_set_ssl_version.pod
+++ b/doc/man3/SSL_CTX_set_ssl_version.pod
@@ -11,7 +11,7 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *method);
int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
- const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
+ const SSL_METHOD *SSL_get_ssl_method(const SSL *ssl);
=head1 DESCRIPTION
@@ -60,7 +60,7 @@ L<SSL_set_connect_state(3)>
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_tlsext_status_cb.pod b/doc/man3/SSL_CTX_set_tlsext_status_cb.pod
index d6c04eced8ce..cb40a9dbcbcb 100644
--- a/doc/man3/SSL_CTX_set_tlsext_status_cb.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_status_cb.pod
@@ -108,8 +108,8 @@ side if the client requested OCSP stapling. Otherwise -1 is returned.
=head1 HISTORY
-SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type() and
-SSL_CTX_set_tlsext_status_type() were added in OpenSSL 1.1.0.
+The SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type()
+and SSL_CTX_set_tlsext_status_type() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
index 9b448db664e1..7a4bb3427027 100644
--- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -38,7 +38,7 @@ ticket information or it starts a full TLS handshake to create a new session
ticket.
Before the callback function is started I<ctx> and I<hctx> have been
-initialised with EVP_CIPHER_CTX_init and HMAC_CTX_init respectively.
+initialised with L<EVP_CIPHER_CTX_reset(3)> and L<HMAC_CTX_reset(3)> respectively.
For new sessions tickets, when the client doesn't present a session ticket, or
an attempted retrieval of the ticket failed, or a renew option was indicated,
diff --git a/doc/man3/SSL_SESSION_free.pod b/doc/man3/SSL_SESSION_free.pod
index 87a1cab1b462..9a3bf3ec988e 100644
--- a/doc/man3/SSL_SESSION_free.pod
+++ b/doc/man3/SSL_SESSION_free.pod
@@ -73,7 +73,7 @@ L<d2i_SSL_SESSION(3)>
=head1 HISTORY
-SSL_SESSION_dup() was added in OpenSSL 1.1.1.
+The SSL_SESSION_dup() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_get0_cipher.pod b/doc/man3/SSL_SESSION_get0_cipher.pod
index 60f66a2d2b9d..5ef754c4a841 100644
--- a/doc/man3/SSL_SESSION_get0_cipher.pod
+++ b/doc/man3/SSL_SESSION_get0_cipher.pod
@@ -43,8 +43,8 @@ L<SSL_CTX_set_psk_use_session_callback(3)>
=head1 HISTORY
-SSL_SESSION_get0_cipher() was first added to OpenSSL 1.1.0.
-SSL_SESSION_set_cipher() was first added to OpenSSL 1.1.1.
+The SSL_SESSION_get0_cipher() function was added in OpenSSL 1.1.0.
+The SSL_SESSION_set_cipher() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_get0_hostname.pod b/doc/man3/SSL_SESSION_get0_hostname.pod
index c35c89279520..989c997882ca 100644
--- a/doc/man3/SSL_SESSION_get0_hostname.pod
+++ b/doc/man3/SSL_SESSION_get0_hostname.pod
@@ -59,8 +59,8 @@ L<SSL_SESSION_free(3)>
=head1 HISTORY
-SSL_SESSION_set1_hostname(), SSL_SESSION_get0_alpn_selected() and
-SSL_SESSION_set1_alpn_selected() were added in OpenSSL 1.1.1.
+The SSL_SESSION_set1_hostname(), SSL_SESSION_get0_alpn_selected() and
+SSL_SESSION_set1_alpn_selected() functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_get0_id_context.pod b/doc/man3/SSL_SESSION_get0_id_context.pod
index 69619a72b434..99b21bd126e9 100644
--- a/doc/man3/SSL_SESSION_get0_id_context.pod
+++ b/doc/man3/SSL_SESSION_get0_id_context.pod
@@ -42,7 +42,7 @@ L<SSL_set_session_id_context(3)>
=head1 HISTORY
-SSL_SESSION_get0_id_context() was first added to OpenSSL 1.1.0
+The SSL_SESSION_get0_id_context() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_get_protocol_version.pod b/doc/man3/SSL_SESSION_get_protocol_version.pod
index 84c9ac173b5c..961ed3e923c7 100644
--- a/doc/man3/SSL_SESSION_get_protocol_version.pod
+++ b/doc/man3/SSL_SESSION_get_protocol_version.pod
@@ -41,8 +41,8 @@ L<SSL_CTX_set_psk_use_session_callback(3)>
=head1 HISTORY
-SSL_SESSION_get_protocol_version() was first added to OpenSSL 1.1.0.
-SSL_SESSION_set_protocol_version() was first added to OpenSSL 1.1.1.
+The SSL_SESSION_get_protocol_version() function was added in OpenSSL 1.1.0.
+The SSL_SESSION_set_protocol_version() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_has_ticket.pod b/doc/man3/SSL_SESSION_has_ticket.pod
index 7197382369de..6fb41b75cb60 100644
--- a/doc/man3/SSL_SESSION_has_ticket.pod
+++ b/doc/man3/SSL_SESSION_has_ticket.pod
@@ -44,8 +44,8 @@ L<SSL_SESSION_free(3)>
=head1 HISTORY
-SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint and
-SSL_SESSION_get0_ticket were added in OpenSSL 1.1.0.
+The SSL_SESSION_has_ticket(), SSL_SESSION_get_ticket_lifetime_hint()
+and SSL_SESSION_get0_ticket() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_is_resumable.pod b/doc/man3/SSL_SESSION_is_resumable.pod
index 729479a99b48..8e47eee09ac7 100644
--- a/doc/man3/SSL_SESSION_is_resumable.pod
+++ b/doc/man3/SSL_SESSION_is_resumable.pod
@@ -30,7 +30,7 @@ L<SSL_CTX_sess_set_new_cb(3)>
=head1 HISTORY
-SSL_SESSION_is_resumable() was first added to OpenSSL 1.1.1
+The SSL_SESSION_is_resumable() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_SESSION_set1_id.pod b/doc/man3/SSL_SESSION_set1_id.pod
index f0b131d6a1f6..deafdf1ea579 100644
--- a/doc/man3/SSL_SESSION_set1_id.pod
+++ b/doc/man3/SSL_SESSION_set1_id.pod
@@ -36,7 +36,7 @@ L<ssl(7)>
=head1 HISTORY
-SSL_SESSION_set1_id() was first added to OpenSSL 1.1.0
+The SSL_SESSION_set1_id() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod
index abebf911fc32..c6b9229cbf16 100644
--- a/doc/man3/SSL_export_keying_material.pod
+++ b/doc/man3/SSL_export_keying_material.pod
@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from
the IANA Exporter Label Registry
(L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>).
Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard
-to be used without registration.
+to be used without registration. TLSv1.3 imposes a maximum label length of
+249 bytes.
Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
above. Attempting to use it in SSLv3 will result in an error.
@@ -72,7 +73,7 @@ SSL_export_keying_material_early() returns 0 on failure or 1 on success.
=head1 HISTORY
-SSL_export_keying_material_early() was first added in OpenSSL 1.1.1.
+The SSL_export_keying_material_early() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_extension_supported.pod b/doc/man3/SSL_extension_supported.pod
index 51ff6beeb513..df23ac6551ba 100644
--- a/doc/man3/SSL_extension_supported.pod
+++ b/doc/man3/SSL_extension_supported.pod
@@ -277,7 +277,7 @@ internally by OpenSSL and 0 otherwise.
=head1 HISTORY
-The function SSL_CTX_add_custom_ext() was added in OpenSSL 1.1.1.
+The SSL_CTX_add_custom_ext() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_get_all_async_fds.pod b/doc/man3/SSL_get_all_async_fds.pod
index fd4515db5561..5b17f091e353 100644
--- a/doc/man3/SSL_get_all_async_fds.pod
+++ b/doc/man3/SSL_get_all_async_fds.pod
@@ -73,8 +73,8 @@ L<SSL_get_error(3)>, L<SSL_CTX_set_mode(3)>
=head1 HISTORY
-SSL_waiting_for_async(), SSL_get_all_async_fds() and SSL_get_changed_async_fds()
-were first added to OpenSSL 1.1.0.
+The SSL_waiting_for_async(), SSL_get_all_async_fds()
+and SSL_get_changed_async_fds() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index b3ab50568731..5a7a4b7058ef 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -138,17 +138,20 @@ Details depend on the application.
=item SSL_ERROR_SYSCALL
-Some non-recoverable I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-For socket I/O on Unix systems, consult B<errno> for details.
+Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
+contain more information on the error. For socket I/O on Unix systems, consult
+B<errno> for details. If this error occurs then no further I/O operations should
+be performed on the connection and SSL_shutdown() must not be called.
This value can also be returned for other errors, check the error queue for
details.
=item SSL_ERROR_SSL
-A failure in the SSL library occurred, usually a protocol error. The
-OpenSSL error queue contains more information on the error.
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
+error. The OpenSSL error queue contains more information on the error. If this
+error occurs then no further I/O operations should be performed on the
+connection and SSL_shutdown() must not be called.
=back
@@ -158,8 +161,8 @@ L<ssl(7)>
=head1 HISTORY
-SSL_ERROR_WANT_ASYNC was added in OpenSSL 1.1.0.
-SSL_ERROR_WANT_CLIENT_HELLO_CB was added in OpenSSL 1.1.1.
+The SSL_ERROR_WANT_ASYNC error code was added in OpenSSL 1.1.0.
+The SSL_ERROR_WANT_CLIENT_HELLO_CB error code was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_get_version.pod b/doc/man3/SSL_get_version.pod
index b0aaba3a59d7..5507ff3f3de9 100644
--- a/doc/man3/SSL_get_version.pod
+++ b/doc/man3/SSL_get_version.pod
@@ -97,7 +97,7 @@ L<ssl(7)>
=head1 HISTORY
-SSL_is_dtls() was added in OpenSSL 1.1.0.
+The SSL_is_dtls() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod
index 7772b70bc69e..068ace597836 100644
--- a/doc/man3/SSL_key_update.pod
+++ b/doc/man3/SSL_key_update.pod
@@ -14,11 +14,11 @@ SSL_renegotiate_pending
#include <openssl/ssl.h>
int SSL_key_update(SSL *s, int updatetype);
- int SSL_get_key_update_type(SSL *s);
+ int SSL_get_key_update_type(const SSL *s);
int SSL_renegotiate(SSL *s);
int SSL_renegotiate_abbreviated(SSL *s);
- int SSL_renegotiate_pending(SSL *s);
+ int SSL_renegotiate_pending(const SSL *s);
=head1 DESCRIPTION
@@ -100,7 +100,7 @@ OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_read.pod b/doc/man3/SSL_read.pod
index e671b8eb794a..1410a0228c30 100644
--- a/doc/man3/SSL_read.pod
+++ b/doc/man3/SSL_read.pod
@@ -128,7 +128,7 @@ You should instead call SSL_get_error() to find out if it's retryable.
=head1 HISTORY
-SSL_read_ex() and SSL_peek_ex() were added in OpenSSL 1.1.1.
+The SSL_read_ex() and SSL_peek_ex() functions were added in OpenSSL 1.1.1.
=head1 SEE ALSO
diff --git a/doc/man3/SSL_read_early_data.pod b/doc/man3/SSL_read_early_data.pod
index 9769aa72e4a0..c51fe1359dc3 100644
--- a/doc/man3/SSL_read_early_data.pod
+++ b/doc/man3/SSL_read_early_data.pod
@@ -93,7 +93,7 @@ the server.
A client uses the function SSL_write_early_data() to send early data. This
function is similar to the L<SSL_write_ex(3)> function, but with the following
differences. See L<SSL_write_ex(3)> for information on how to write bytes to
-the underlying connection, and how to handle any errors that may arise. This
+the underlying connection, and how to handle any errors that may arise. This
page describes the differences between SSL_write_early_data() and
L<SSL_write_ex(3)>.
@@ -364,7 +364,7 @@ All of the functions described above were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_set1_host.pod b/doc/man3/SSL_set1_host.pod
index 3ca3c6b0136b..a2c9f133eed3 100644
--- a/doc/man3/SSL_set1_host.pod
+++ b/doc/man3/SSL_set1_host.pod
@@ -104,7 +104,7 @@ L<SSL_dane_enable(3)>.
=head1 HISTORY
-These functions were first added to OpenSSL 1.1.0.
+These functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_shutdown.pod b/doc/man3/SSL_shutdown.pod
index 0a3d6d370d8b..551fff6308b6 100644
--- a/doc/man3/SSL_shutdown.pod
+++ b/doc/man3/SSL_shutdown.pod
@@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
a currently open session is considered closed and good and will be kept in the
session cache for further reuse.
+Note that SSL_shutdown() must not be called if a previous fatal error has
+occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
+or SSL_ERROR_SSL.
+
The shutdown procedure consists of two steps: sending of the close_notify
shutdown alert, and reception of the peer's close_notify shutdown alert.
The order of those two steps depends on the application.
diff --git a/doc/man3/SSL_want.pod b/doc/man3/SSL_want.pod
index ef4b2183e08d..6840ccbfb626 100644
--- a/doc/man3/SSL_want.pod
+++ b/doc/man3/SSL_want.pod
@@ -101,7 +101,8 @@ L<ssl(7)>, L<SSL_get_error(3)>
=head1 HISTORY
-SSL_want_client_hello_cb() and SSL_CLIENT_HELLO_CB were added in OpenSSL 1.1.1.
+The SSL_want_client_hello_cb() function and the SSL_CLIENT_HELLO_CB return value
+were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/SSL_write.pod b/doc/man3/SSL_write.pod
index 4dffd1fefc8a..3956f1def387 100644
--- a/doc/man3/SSL_write.pod
+++ b/doc/man3/SSL_write.pod
@@ -106,7 +106,7 @@ You should instead call SSL_get_error() to find out if it's retryable.
=head1 HISTORY
-SSL_write_ex() was added in OpenSSL 1.1.1.
+The SSL_write_ex() function was added in OpenSSL 1.1.1.
=head1 SEE ALSO
diff --git a/doc/man3/UI_create_method.pod b/doc/man3/UI_create_method.pod
index aefd41dac396..a01e1012dcf9 100644
--- a/doc/man3/UI_create_method.pod
+++ b/doc/man3/UI_create_method.pod
@@ -205,9 +205,8 @@ L<UI(3)>, L<CRYPTO_get_ex_data(3)>, L<UI_STRING(3)>
=head1 HISTORY
-UI_method_set_data_duplicator(), UI_method_get_data_duplicator() and
-UI_method_get_data_destructor()
-were added in OpenSSL 1.1.1.
+The UI_method_set_data_duplicator(), UI_method_get_data_duplicator()
+and UI_method_get_data_destructor() functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/UI_new.pod b/doc/man3/UI_new.pod
index dd1b80ec635d..3042b13f1f1a 100644
--- a/doc/man3/UI_new.pod
+++ b/doc/man3/UI_new.pod
@@ -233,14 +233,13 @@ UI_process() returns 0 on success or a negative value on error.
UI_ctrl() returns a mask on success or -1 on error.
-UI_get_default_method(), UI_get_method(), UI_Openssl(), UI_null() and
+UI_get_default_method(), UI_get_method(), UI_OpenSSL(), UI_null() and
UI_set_method() return either a valid B<UI_METHOD> structure or NULL
respectively.
=head1 HISTORY
-UI_dup_user_data()
-was added in OpenSSL 1.1.1.
+The UI_dup_user_data() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_NAME_ENTRY_get_object.pod b/doc/man3/X509_NAME_ENTRY_get_object.pod
index 5de1b88b9945..74f1a96d07ef 100644
--- a/doc/man3/X509_NAME_ENTRY_get_object.pod
+++ b/doc/man3/X509_NAME_ENTRY_get_object.pod
@@ -51,9 +51,6 @@ X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be
used to examine an B<X509_NAME_ENTRY> function as returned by
X509_NAME_get_entry() for example.
-X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(),
-and X509_NAME_ENTRY_create_by_OBJ() create and return an
-
X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(),
X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data()
are seldom used in practice because B<X509_NAME_ENTRY> structures
diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod
index 2828ed75d2a9..472db508bc4e 100644
--- a/doc/man3/X509_STORE_CTX_new.pod
+++ b/doc/man3/X509_STORE_CTX_new.pod
@@ -159,8 +159,8 @@ L<X509_VERIFY_PARAM_set_flags(3)>
=head1 HISTORY
-X509_STORE_CTX_set0_crls() was first added to OpenSSL 1.0.0
-X509_STORE_CTX_get_num_untrusted() was first added to OpenSSL 1.1.0
+The X509_STORE_CTX_set0_crls() function was added in OpenSSL 1.0.0.
+The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_STORE_CTX_set_verify_cb.pod b/doc/man3/X509_STORE_CTX_set_verify_cb.pod
index 5688ab79a77e..647ed2f17401 100644
--- a/doc/man3/X509_STORE_CTX_set_verify_cb.pod
+++ b/doc/man3/X509_STORE_CTX_set_verify_cb.pod
@@ -192,12 +192,13 @@ L<X509_STORE_CTX_get_ex_new_index(3)>
=head1 HISTORY
+The
X509_STORE_CTX_get_get_issuer(),
X509_STORE_CTX_get_check_issued(), X509_STORE_CTX_get_check_revocation(),
X509_STORE_CTX_get_get_crl(), X509_STORE_CTX_get_check_crl(),
X509_STORE_CTX_get_cert_crl(), X509_STORE_CTX_get_check_policy(),
X509_STORE_CTX_get_lookup_certs(), X509_STORE_CTX_get_lookup_crls()
-and X509_STORE_CTX_get_cleanup() were added in OpenSSL 1.1.0.
+and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_STORE_new.pod b/doc/man3/X509_STORE_new.pod
index f7a5c81416b3..b3bc96e20b59 100644
--- a/doc/man3/X509_STORE_new.pod
+++ b/doc/man3/X509_STORE_new.pod
@@ -44,7 +44,7 @@ L<X509_STORE_get0_param(3)>
=head1 HISTORY
The X509_STORE_up_ref(), X509_STORE_lock() and X509_STORE_unlock()
-functions were added in OpenSSL 1.1.0
+functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_STORE_set_verify_cb_func.pod b/doc/man3/X509_STORE_set_verify_cb_func.pod
index 12a464674191..d16881edd83d 100644
--- a/doc/man3/X509_STORE_set_verify_cb_func.pod
+++ b/doc/man3/X509_STORE_set_verify_cb_func.pod
@@ -237,8 +237,9 @@ L<CMS_verify(3)>
=head1 HISTORY
-X509_STORE_set_verify_cb() was added to OpenSSL 1.0.0.
+The X509_STORE_set_verify_cb() function was added in OpenSSL 1.0.0.
+The functions
X509_STORE_set_verify_cb(), X509_STORE_get_verify_cb(),
X509_STORE_set_verify(), X509_STORE_CTX_get_verify(),
X509_STORE_set_get_issuer(), X509_STORE_get_get_issuer(),
@@ -250,8 +251,8 @@ X509_STORE_set_cert_crl(), X509_STORE_get_cert_crl(),
X509_STORE_set_check_policy(), X509_STORE_get_check_policy(),
X509_STORE_set_lookup_certs(), X509_STORE_get_lookup_certs(),
X509_STORE_set_lookup_crls(), X509_STORE_get_lookup_crls(),
-X509_STORE_set_cleanup() and X509_STORE_get_cleanup() were added in
-OpenSSL 1.1.0.
+X509_STORE_set_cleanup() and X509_STORE_get_cleanup()
+were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 9b64e0a915a2..f45467cacecc 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -368,11 +368,11 @@ L<x509(1)>
=head1 HISTORY
-The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0
-The flag B<X509_V_FLAG_CB_ISSUER_CHECK> was deprecated in
-OpenSSL 1.1.0, and has no effect.
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0.
+The flag B<X509_V_FLAG_CB_ISSUER_CHECK> was deprecated in OpenSSL 1.1.0
+and has no effect.
-X509_VERIFY_PARAM_get_hostflags() was added in OpenSSL 1.1.0i.
+The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_get0_signature.pod b/doc/man3/X509_get0_signature.pod
index f63c5a5b689e..4133bc37a9af 100644
--- a/doc/man3/X509_get0_signature.pod
+++ b/doc/man3/X509_get0_signature.pod
@@ -109,12 +109,14 @@ L<X509_verify_cert(3)>
=head1 HISTORY
-X509_get0_signature() and X509_get_signature_nid() were first added to
-OpenSSL 1.0.2.
+The
+X509_get0_signature() and X509_get_signature_nid() functions were
+added in OpenSSL 1.0.2.
+The
X509_REQ_get0_signature(), X509_REQ_get_signature_nid(),
-X509_CRL_get0_signature() and X509_CRL_get_signature_nid() were first added
-to OpenSSL 1.1.0.
+X509_CRL_get0_signature() and X509_CRL_get_signature_nid() were
+added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_get_serialNumber.pod b/doc/man3/X509_get_serialNumber.pod
index 2e81c623969e..684adb7578b9 100644
--- a/doc/man3/X509_get_serialNumber.pod
+++ b/doc/man3/X509_get_serialNumber.pod
@@ -56,8 +56,9 @@ L<X509_verify_cert(3)>
=head1 HISTORY
-X509_get_serialNumber() and X509_set_serialNumber() are available in
-all versions of OpenSSL. X509_get0_serialNumber() was added in OpenSSL 1.1.0.
+The X509_get_serialNumber() and X509_set_serialNumber() functions are
+available in all versions of OpenSSL.
+The X509_get0_serialNumber() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/doc/man3/X509_get_subject_name.pod b/doc/man3/X509_get_subject_name.pod
index 2107c1d0905e..7c4a499225ec 100644
--- a/doc/man3/X509_get_subject_name.pod
+++ b/doc/man3/X509_get_subject_name.pod
@@ -53,8 +53,8 @@ and X509_CRL_set_issuer_name() return 1 for success and 0 for failure.
X509_REQ_get_subject_name() is a function in OpenSSL 1.1.0 and a macro in
earlier versions.
-X509_CRL_get_issuer() is a function in OpenSSL 1.1.0. It was first added
-to OpenSSL 1.0.0 as a macro.
+X509_CRL_get_issuer() is a function in OpenSSL 1.1.0. It was previously
+added in OpenSSL 1.0.0 as a macro.
=head1 SEE ALSO
diff --git a/doc/man3/X509_sign.pod b/doc/man3/X509_sign.pod
index 994fd438811a..8794c57e8d57 100644
--- a/doc/man3/X509_sign.pod
+++ b/doc/man3/X509_sign.pod
@@ -81,11 +81,11 @@ L<X509_verify_cert(3)>
=head1 HISTORY
-X509_sign(), X509_REQ_sign() and X509_CRL_sign() are available in all
-versions of OpenSSL.
+The X509_sign(), X509_REQ_sign() and X509_CRL_sign() functions are
+available in all versions of OpenSSL.
-X509_sign_ctx(), X509_REQ_sign_ctx() and X509_CRL_sign_ctx() were first added
-to OpenSSL 1.0.1.
+The X509_sign_ctx(), X509_REQ_sign_ctx()
+and X509_CRL_sign_ctx() functions were added OpenSSL 1.0.1.
=head1 COPYRIGHT
diff --git a/doc/man3/d2i_PrivateKey.pod b/doc/man3/d2i_PrivateKey.pod
index 13415d5488e8..4e3f20f8b324 100644
--- a/doc/man3/d2i_PrivateKey.pod
+++ b/doc/man3/d2i_PrivateKey.pod
@@ -50,15 +50,19 @@ If the B<*a> is not NULL when calling d2i_PrivateKey() or d2i_AutoPrivateKey()
(i.e. an existing structure is being reused) and the key format is PKCS#8
then B<*a> will be freed and replaced on a successful call.
+To decode a key with type B<EVP_PKEY_EC>, d2i_PublicKey() requires B<*a> to be
+a non-NULL EVP_PKEY structure assigned an EC_KEY structure referencing the proper
+EC_GROUP.
+
=head1 RETURN VALUES
-d2i_PrivateKey() and d2i_AutoPrivateKey() return a valid B<EVP_KEY> structure
-or B<NULL> if an error occurs. The error code can be obtained by calling
-L<ERR_get_error(3)>.
+The d2i_PrivateKey(), d2i_AutoPrivateKey(), d2i_PrivateKey_bio(), d2i_PrivateKey_fp(),
+and d2i_PublicKey() functions return a valid B<EVP_KEY> structure or B<NULL> if an
+error occurs. The error code can be obtained by calling L<ERR_get_error(3)>.
-i2d_PrivateKey() returns the number of bytes successfully encoded or a
-negative value if an error occurs. The error code can be obtained by calling
-L<ERR_get_error(3)>.
+i2d_PrivateKey() and i2d_PublicKey() return the number of bytes successfully
+encoded or a negative value if an error occurs. The error code can be obtained
+by calling L<ERR_get_error(3)>.
=head1 SEE ALSO
@@ -67,7 +71,7 @@ L<d2i_PKCS8PrivateKey_bio(3)>
=head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/i2d_CMS_bio_stream.pod b/doc/man3/i2d_CMS_bio_stream.pod
index ece7a4800eee..dd2bd213f1e1 100644
--- a/doc/man3/i2d_CMS_bio_stream.pod
+++ b/doc/man3/i2d_CMS_bio_stream.pod
@@ -39,7 +39,7 @@ L<PEM_write_bio_CMS_stream(3)>
=head1 HISTORY
-i2d_CMS_bio_stream() was added to OpenSSL 1.0.0
+The i2d_CMS_bio_stream() function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man3/i2d_PKCS7_bio_stream.pod b/doc/man3/i2d_PKCS7_bio_stream.pod
index b42940a83cfa..a33aa08f2d32 100644
--- a/doc/man3/i2d_PKCS7_bio_stream.pod
+++ b/doc/man3/i2d_PKCS7_bio_stream.pod
@@ -39,7 +39,7 @@ L<PEM_write_bio_PKCS7_stream(3)>
=head1 HISTORY
-i2d_PKCS7_bio_stream() was added to OpenSSL 1.0.0
+The i2d_PKCS7_bio_stream() function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 3e110b03135b..992fdfccf917 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -42,6 +42,13 @@ working directory so unless the configuration file containing the
B<.include> directive is application specific the inclusion will not
work as expected.
+There can be optional B<=> character and whitespace characters between
+B<.include> directive and the path which can be useful in cases the
+configuration file needs to be loaded by old OpenSSL versions which do
+not support the B<.include> syntax. They would bail out with error
+if the B<=> character is not present but with it they just ignore
+the include.
+
Each section in a configuration file consists of a number of name and
value pairs of the form B<name=value>
@@ -419,7 +426,7 @@ L<x509(1)>, L<req(1)>, L<ca(1)>
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man7/ct.pod b/doc/man7/ct.pod
index 355204d2a632..9f82c0ba44be 100644
--- a/doc/man7/ct.pod
+++ b/doc/man7/ct.pod
@@ -15,7 +15,7 @@ clients, as defined in RFC 6962. This verification can provide some confidence
that a certificate has been publicly logged in a set of CT logs.
By default, these checks are disabled. They can be enabled using
-SSL_CTX_ct_enable() or SSL_ct_enable().
+L<SSL_CTX_enable_ct(3)> or L<SSL_enable_ct(3)>.
This library can also be used to parse and examine CT data structures, such as
Signed Certificate Timestamps (SCTs), or to read a list of CT logs. There are
@@ -39,7 +39,7 @@ L<SSL_CTX_set_ct_validation_callback(3)>
=head1 HISTORY
-This library was added in OpenSSL 1.1.0.
+The ct library was added in OpenSSL 1.1.0.
=head1 COPYRIGHT