1 files changed, 33 insertions, 109 deletions
diff --git a/secure/lib/libcrypto/man/man7/proxy-certificates.7 b/secure/lib/libcrypto/man/man7/proxy-certificates.7
index 7eae21849f5b..a24e8b9ac0bc 100644
--- a/secure/lib/libcrypto/man/man7/proxy-certificates.7
+++ b/secure/lib/libcrypto/man/man7/proxy-certificates.7
@@ -1,4 +1,5 @@
-.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)
+.\" -*- mode: troff; coding: utf-8 -*-
+.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -15,29 +16,12 @@
 .ft R
 .fi
 ..
-.\" Set up some character translations and predefined strings.  \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
-.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
 .ie n \{\
-.    ds -- \(*W-
-.    ds PI pi
-.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
-.    ds L" ""
-.    ds R" ""
 .    ds C` ""
 .    ds C' ""
 'br\}
 .el\{\
-.    ds -- \|\(em\|
-.    ds PI \(*p
-.    ds L" ``
-.    ds R" ''
 .    ds C`
 .    ds C'
 'br\}
@@ -68,93 +52,33 @@
 .    \}
 .\}
 .rr rF
-.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.    \" fudge factors for nroff and troff
-.if n \{\
-.    ds #H 0
-.    ds #V .8m
-.    ds #F .3m
-.    ds #[ \f1
-.    ds #] \fP
-.\}
-.if t \{\
-.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-.    ds #V .6m
-.    ds #F 0
-.    ds #[ \&
-.    ds #] \&
-.\}
-.    \" simple accents for nroff and troff
-.if n \{\
-.    ds ' \&
-.    ds ` \&
-.    ds ^ \&
-.    ds , \&
-.    ds ~ ~
-.    ds /
-.\}
-.if t \{\
-.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-.    \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-.    \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-.    \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-.    ds : e
-.    ds 8 ss
-.    ds o a
-.    ds d- d\h'-1'\(ga
-.    ds D- D\h'-1'\(hy
-.    ds th \o'bp'
-.    ds Th \o'LP'
-.    ds ae ae
-.    ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
 .\" ========================================================================
 .\"
 .IX Title "PROXY-CERTIFICATES 7ossl"
-.TH PROXY-CERTIFICATES 7ossl "2023-09-19" "3.0.11" "OpenSSL"
+.TH PROXY-CERTIFICATES 7ossl 2025-07-01 3.5.1 OpenSSL
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
 .nh
-.SH "NAME"
+.SH NAME
 proxy\-certificates \- Proxy certificates in OpenSSL
-.SH "DESCRIPTION"
+.SH DESCRIPTION
 .IX Header "DESCRIPTION"
-Proxy certificates are defined in \s-1RFC 3820.\s0  They are used to
+Proxy certificates are defined in RFC 3820.  They are used to
 extend rights to some other entity (a computer process, typically, or
 sometimes to the user itself).  This allows the entity to perform
-operations on behalf of the owner of the \s-1EE\s0 (End Entity) certificate.
+operations on behalf of the owner of the EE (End Entity) certificate.
 .PP
 The requirements for a valid proxy certificate are:
-.IP "\(bu" 4
-They are issued by an End Entity, either a normal \s-1EE\s0 certificate, or
+.IP \(bu 4
+They are issued by an End Entity, either a normal EE certificate, or
 another proxy certificate.
-.IP "\(bu" 4
+.IP \(bu 4
 They must not have the \fBsubjectAltName\fR or \fBissuerAltName\fR
 extensions.
-.IP "\(bu" 4
+.IP \(bu 4
 They must have the \fBproxyCertInfo\fR extension.
-.IP "\(bu" 4
+.IP \(bu 4
 They must have the subject of their issuer, with one \fBcommonName\fR
 added.
 .SS "Enabling proxy certificate verification"
@@ -173,7 +97,7 @@ or
 \&    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);
 .Ve
 .PP
-See \*(L"\s-1NOTES\*(R"\s0 for a discussion on this requirement.
+See "NOTES" for a discussion on this requirement.
 .SS "Creating proxy certificates"
 .IX Subsection "Creating proxy certificates"
 Creating proxy certificates can be done using the \fBopenssl\-x509\fR\|(1)
@@ -203,14 +127,14 @@ It's also possible to specify the proxy extension in a separate section:
 The policy value has a specific syntax, \fIsyntag\fR:\fIstring\fR, where the
 \&\fIsyntag\fR determines what will be done with the string.  The following
 \&\fIsyntag\fRs are recognised:
-.IP "\fBtext\fR" 4
+.IP \fBtext\fR 4
 .IX Item "text"
 indicates that the string is a byte sequence, without any encoding:
 .Sp
 .Vb 1
-\&    policy=text:ra\*:ksmo\*:rga\*os
+\&    policy=text:räksmörgås
 .Ve
-.IP "\fBhex\fR" 4
+.IP \fBhex\fR 4
 .IX Item "hex"
 indicates the string is encoded hexadecimal encoded binary data, with
 colons between each byte (every second hex digit):
@@ -218,11 +142,11 @@ colons between each byte (every second hex digit):
 .Vb 1
 \&    policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
 .Ve
-.IP "\fBfile\fR" 4
+.IP \fBfile\fR 4
 .IX Item "file"
 indicates that the text of the policy should be taken from a file.
 The string is then a filename.  This is useful for policies that are
-more than a few lines, such as \s-1XML\s0 or other markup.
+more than a few lines, such as XML or other markup.
 .PP
 Note that the proxy policy value is what determines the rights granted
 to the process during the proxy certificate, and it is up to the
@@ -259,24 +183,24 @@ configuration section for the proxy extensions:
 To interpret proxy policies, the application would normally start with
 some default rights (perhaps none at all), then compute the resulting
 rights by checking the rights against the chain of proxy certificates,
-user certificate and \s-1CA\s0 certificates.
+user certificate and CA certificates.
 .PP
 The complicated part is figuring out how to pass data between your
 application and the certificate validation procedure.
 .PP
 The following ingredients are needed for such processing:
-.IP "\(bu" 4
+.IP \(bu 4
 a callback function that will be called for every certificate being
 validated.  The callback is called several times for each certificate,
 so you must be careful to do the proxy policy interpretation at the
-right time.  You also need to fill in the defaults when the \s-1EE\s0
+right time.  You also need to fill in the defaults when the EE
 certificate is checked.
-.IP "\(bu" 4
+.IP \(bu 4
 a data structure that is shared between your application code and the
 callback.
-.IP "\(bu" 4
+.IP \(bu 4
 a wrapper function that sets it all up.
-.IP "\(bu" 4
+.IP \(bu 4
 an ex_data index function that creates an index into the generic
 ex_data store that is attached to an X509 validation context.
 .PP
@@ -368,7 +292,7 @@ The following skeleton code can be used as a starting point:
 \&                     * another, temporary bit array and fill it with
 \&                     * the rights granted by the current proxy
 \&                     * certificate, then use it as a mask on the
-\&                     * accumulated rights bit array, and voila\*`, you
+\&                     * accumulated rights bit array, and voilà, you
 \&                     * now have a new accumulated rights bit array.
 \&                     */
 \&                    {
@@ -436,14 +360,14 @@ The following skeleton code can be used as a starting point:
 \&    }
 .Ve
 .PP
-If you use \s-1SSL\s0 or \s-1TLS,\s0 you can easily set up a callback to have the
+If you use SSL or TLS, you can easily set up a callback to have the
 certificates checked properly, using the code above:
 .PP
 .Vb 2
 \&    SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert,
 \&                                     &needed_rights);
 .Ve
-.SH "NOTES"
+.SH NOTES
 .IX Header "NOTES"
 To this date, it seems that proxy certificates have only been used in
 environments that are aware of them, and no one seems to have
@@ -463,12 +387,12 @@ the same as the issuer, with one commonName added on.
 \&\fBX509_VERIFY_PARAM_set_flags\fR\|(3),
 \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3),
 \&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1),
-\&\s-1RFC 3820\s0 <https://tools.ietf.org/html/rfc3820>
-.SH "COPYRIGHT"
+RFC 3820 <https://tools.ietf.org/html/rfc3820>
+.SH COPYRIGHT
 .IX Header "COPYRIGHT"
-Copyright 2019\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
 .PP
-Licensed under the Apache License 2.0 (the \*(L"License\*(R").  You may not use
+Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
-in the file \s-1LICENSE\s0 in the source distribution or at
+in the file LICENSE in the source distribution or at
 <https://www.openssl.org/source/license.html>.