Update OpenSSL 0.9.7d -> 0.9.7e.

36 files changed, 1778 insertions, 1638 deletions

diff --git a/secure/usr.bin/openssl/Makefile b/secure/usr.bin/openssl/Makefile
index 4e65be0..76665dd 100644
--- a/secure/usr.bin/openssl/Makefile
+++ b/secure/usr.bin/openssl/Makefile
@@ -15,7 +15,7 @@ CFLAGS+= -DMONOLITH -I${.CURDIR}
 SRCS+=	app_rand.c apps.c asn1pars.c ca.c ciphers.c crl.c crl2p7.c \
 	dgst.c dh.c dhparam.c dsa.c dsaparam.c enc.c engine.c errstr.c \
 	gendh.c gendsa.c genrsa.c nseq.c ocsp.c openssl.c passwd.c \
-	pkcs12.c pkcs7.c pkcs8.c rand.c req.c rsa.c rsautl.c s_cb.c \
+	pkcs12.c pkcs7.c pkcs8.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c \
 	s_client.c s_server.c s_socket.c s_time.c sess_id.c smime.c \
 	speed.c spkac.c verify.c version.c x509.c
 
diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man
index 51f677d..f82cd8a 100644
--- a/secure/usr.bin/openssl/Makefile.man
+++ b/secure/usr.bin/openssl/Makefile.man
@@ -26,6 +26,7 @@ MAN+= rsa.1
 MAN+= rsautl.1
 MAN+= s_client.1
 MAN+= s_server.1
+MAN+= s_time.1
 MAN+= sess_id.1
 MAN+= smime.1
 MAN+= speed.1
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index 6cdcd26..17db727 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:30 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "CA.PL 1"
-.TH CA.PL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH CA.PL 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-\&\s-1CA\s0.pl \- friendlier interface for OpenSSL certificate programs
+CA.pl \- friendlier interface for OpenSSL certificate programs
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fB\s-1CA\s0.pl\fR
@@ -150,7 +140,7 @@
 [\fB\-help\fR]
 [\fB\-newcert\fR]
 [\fB\-newreq\fR]
-[\fB\-newreq-nodes\fR]
+[\fB\-newreq\-nodes\fR]
 [\fB\-newca\fR]
 [\fB\-xsign\fR]
 [\fB\-sign\fR]
@@ -166,28 +156,28 @@ It is intended to simplify the process of certificate creation and management
 by the use of some simple options.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
+.IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
 .IX Item "?, -h, -help"
 prints a usage message.
-.Ip "\fB\-newcert\fR" 4
+.IP "\fB\-newcert\fR" 4
 .IX Item "-newcert"
 creates a new self signed certificate. The private key and certificate are
 written to the file \*(L"newreq.pem\*(R".
-.Ip "\fB\-newreq\fR" 4
+.IP "\fB\-newreq\fR" 4
 .IX Item "-newreq"
 creates a new certificate request. The private key and request are
 written to the file \*(L"newreq.pem\*(R".
-.Ip "\fB\-newreq-nowdes\fR" 4
+.IP "\fB\-newreq\-nowdes\fR" 4
 .IX Item "-newreq-nowdes"
 is like \fB\-newreq\fR except that the private key will not be encrypted.
-.Ip "\fB\-newca\fR" 4
+.IP "\fB\-newca\fR" 4
 .IX Item "-newca"
 creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
 and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
 certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
 details of the \s-1CA\s0 will be prompted for. The relevant files and directories
 are created in a directory called \*(L"demoCA\*(R" in the current directory.
-.Ip "\fB\-pkcs12\fR" 4
+.IP "\fB\-pkcs12\fR" 4
 .IX Item "-pkcs12"
 create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
 certificate. It expects the user certificate and private key to be in the
@@ -197,26 +187,26 @@ it creates a file \*(L"newcert.p12\*(R". This command can thus be called after t
 If there is an additional argument on the command line it will be used as the
 \&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
 list box), otherwise the name \*(L"My Certificate\*(R" is used.
-.Ip "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4
+.IP "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4
 .IX Item "-sign, -signreq, -xsign"
 calls the \fBca\fR program to sign a certificate request. It expects the request
 to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
 \&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
 to standard output.
-.Ip "\fB\-signCA\fR" 4
+.IP "\fB\-signCA\fR" 4
 .IX Item "-signCA"
 this option is the same as the \fB\-signreq\fR option except it uses the configuration
 file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This
 is useful when creating intermediate \s-1CA\s0 from a root \s-1CA\s0.
-.Ip "\fB\-signcert\fR" 4
+.IP "\fB\-signcert\fR" 4
 .IX Item "-signcert"
 this option is the same as \fB\-sign\fR except it expects a self signed certificate
 to be present in the file \*(L"newreq.pem\*(R".
-.Ip "\fB\-verify\fR" 4
+.IP "\fB\-verify\fR" 4
 .IX Item "-verify"
 verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates
 are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R". 
-.Ip "\fBfiles\fR" 4
+.IP "\fBfiles\fR" 4
 .IX Item "files"
 one or more optional certificate file names for use with the \fB\-verify\fR command.
 .SH "EXAMPLES"
@@ -226,6 +216,7 @@ Create a \s-1CA\s0 hierarchy:
 .Vb 1
 \& CA.pl -newca
 .Ve
+.PP
 Complete certificate creation example: create a \s-1CA\s0, create a request, sign
 the request and finally create a PKCS#12 file containing it.
 .PP
@@ -238,7 +229,7 @@ the request and finally create a PKCS#12 file containing it.
 .SH "DSA CERTIFICATES"
 .IX Header "DSA CERTIFICATES"
 Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to
-use it with \s-1DSA\s0 certificates and requests using the req(1) command
+use it with \s-1DSA\s0 certificates and requests using the \fIreq\fR\|(1) command
 directly. The following example shows the steps that would typically be taken.
 .PP
 Create some \s-1DSA\s0 parameters:
@@ -246,16 +237,19 @@ Create some \s-1DSA\s0 parameters:
 .Vb 1
 \& openssl dsaparam -out dsap.pem 1024
 .Ve
+.PP
 Create a \s-1DSA\s0 \s-1CA\s0 certificate and private key:
 .PP
 .Vb 1
 \& openssl req -x509 -newkey dsa:dsap.pem -keyout cacert.pem -out cacert.pem
 .Ve
+.PP
 Create the \s-1CA\s0 directories and files:
 .PP
 .Vb 1
 \& CA.pl -newca
 .Ve
+.PP
 enter cacert.pem when prompted for the \s-1CA\s0 file name.
 .PP
 Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
@@ -264,6 +258,7 @@ can optionally be created first):
 .Vb 1
 \& openssl req -out newreq.pem -newkey dsa:dsap.pem
 .Ve
+.PP
 Sign the request:
 .PP
 .Vb 1
@@ -285,6 +280,7 @@ be wrong. In this case the command:
 .Vb 1
 \& perl -S CA.pl
 .Ve
+.PP
 can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to 
 the correct path of the configuration file \*(L"openssl.cnf\*(R".
 .PP
@@ -298,5 +294,5 @@ file location to be specified, it should contain the full path to the
 configuration file, not just its directory.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-x509(1), ca(1), req(1), pkcs12(1),
-config(5)
+\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIreq\fR\|(1), \fIpkcs12\fR\|(1),
+\&\fIconfig\fR\|(5)
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
index 0586002..d1a81e8 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH ASN1PARSE 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-asn1parse \- \s-1ASN\s0.1 parsing tool
+asn1parse \- ASN.1 parsing tool
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBasn1parse\fR
@@ -160,35 +150,35 @@ The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN\s0.1
 structures. It can also be used to extract data from \s-1ASN\s0.1 formatted data.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-inform\fR \fBDER|PEM\fR" 4
+.IP "\fB\-inform\fR \fBDER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 the input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64
 encoded.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 the input file, default is standard input
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 output file to place the \s-1DER\s0 encoded data into. If this
 option is not present then no data will be output. This is most useful when
 combined with the \fB\-strparse\fR option.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 don't output the parsed version of the input file.
-.Ip "\fB\-offset number\fR" 4
+.IP "\fB\-offset number\fR" 4
 .IX Item "-offset number"
 starting offset to begin parsing, default is start of file.
-.Ip "\fB\-length number\fR" 4
+.IP "\fB\-length number\fR" 4
 .IX Item "-length number"
 number of bytes to parse, default is until end of file.
-.Ip "\fB\-i\fR" 4
+.IP "\fB\-i\fR" 4
 .IX Item "-i"
 indents the output according to the \*(L"depth\*(R" of the structures.
-.Ip "\fB\-oid filename\fR" 4
+.IP "\fB\-oid filename\fR" 4
 .IX Item "-oid filename"
 a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
 file is described in the \s-1NOTES\s0 section below.
-.Ip "\fB\-strparse offset\fR" 4
+.IP "\fB\-strparse offset\fR" 4
 .IX Item "-strparse offset"
 parse the contents octets of the \s-1ASN\s0.1 object starting at \fBoffset\fR. This
 option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
@@ -199,6 +189,7 @@ The output will typically contain lines like this:
 .Vb 1
 \&  0:d=0  hl=4 l= 681 cons: SEQUENCE
 .Ve
+.PP
 \&.....
 .PP
 .Vb 10
@@ -213,6 +204,7 @@ The output will typically contain lines like this:
 \&  417:d=5  hl=2 l= 105 prim: OCTET STRING      
 \&  524:d=4  hl=2 l=  12 cons: SEQUENCE
 .Ve
+.PP
 \&.....
 .PP
 This example is part of a self signed certificate. Each line starts with the
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index c6bc46d..ab85a0c 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "CA 1"
-.TH CA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH CA 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-ca \- sample minimal \s-1CA\s0 application
+ca \- sample minimal CA application
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBca\fR
@@ -191,120 +181,120 @@ and their status.
 The options descriptions will be divided into each purpose.
 .SH "CA OPTIONS"
 .IX Header "CA OPTIONS"
-.Ip "\fB\-config filename\fR" 4
+.IP "\fB\-config filename\fR" 4
 .IX Item "-config filename"
 specifies the configuration file to use.
-.Ip "\fB\-name section\fR" 4
+.IP "\fB\-name section\fR" 4
 .IX Item "-name section"
 specifies the configuration file section to use (overrides
 \&\fBdefault_ca\fR in the \fBca\fR section).
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 an input filename containing a single certificate request to be
 signed by the \s-1CA\s0.
-.Ip "\fB\-ss_cert filename\fR" 4
+.IP "\fB\-ss_cert filename\fR" 4
 .IX Item "-ss_cert filename"
 a single self signed certificate to be signed by the \s-1CA\s0.
-.Ip "\fB\-spkac filename\fR" 4
+.IP "\fB\-spkac filename\fR" 4
 .IX Item "-spkac filename"
 a file containing a single Netscape signed public key and challenge
 and additional field values to be signed by the \s-1CA\s0. See the \fB\s-1SPKAC\s0 \s-1FORMAT\s0\fR
 section for information on the required format.
-.Ip "\fB\-infiles\fR" 4
+.IP "\fB\-infiles\fR" 4
 .IX Item "-infiles"
 if present this should be the last option, all subsequent arguments
 are assumed to the the names of files containing certificate requests. 
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 the output file to output certificates to. The default is standard
 output. The certificate details will also be printed out to this
 file.
-.Ip "\fB\-outdir directory\fR" 4
+.IP "\fB\-outdir directory\fR" 4
 .IX Item "-outdir directory"
 the directory to output certificates to. The certificate will be
 written to a filename consisting of the serial number in hex with
 \&\*(L".pem\*(R" appended.
-.Ip "\fB\-cert\fR" 4
+.IP "\fB\-cert\fR" 4
 .IX Item "-cert"
 the \s-1CA\s0 certificate file.
-.Ip "\fB\-keyfile filename\fR" 4
+.IP "\fB\-keyfile filename\fR" 4
 .IX Item "-keyfile filename"
 the private key to sign requests with.
-.Ip "\fB\-key password\fR" 4
+.IP "\fB\-key password\fR" 4
 .IX Item "-key password"
 the password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.
-.Ip "\fB\-passin arg\fR" 4
+.IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-verbose\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-verbose\fR" 4
 .IX Item "-verbose"
 this prints extra details about the operations being performed.
-.Ip "\fB\-notext\fR" 4
+.IP "\fB\-notext\fR" 4
 .IX Item "-notext"
 don't output the text form of a certificate to the output file.
-.Ip "\fB\-startdate date\fR" 4
+.IP "\fB\-startdate date\fR" 4
 .IX Item "-startdate date"
 this allows the start date to be explicitly set. The format of the
 date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
-.Ip "\fB\-enddate date\fR" 4
+.IP "\fB\-enddate date\fR" 4
 .IX Item "-enddate date"
 this allows the expiry date to be explicitly set. The format of the
 date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure).
-.Ip "\fB\-days arg\fR" 4
+.IP "\fB\-days arg\fR" 4
 .IX Item "-days arg"
 the number of days to certify the certificate for.
-.Ip "\fB\-md alg\fR" 4
+.IP "\fB\-md alg\fR" 4
 .IX Item "-md alg"
 the message digest to use. Possible values include md5, sha1 and mdc2.
 This option also applies to CRLs.
-.Ip "\fB\-policy arg\fR" 4
+.IP "\fB\-policy arg\fR" 4
 .IX Item "-policy arg"
 this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
 the configuration file which decides which fields should be mandatory
 or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
 for more information.
-.Ip "\fB\-msie_hack\fR" 4
+.IP "\fB\-msie_hack\fR" 4
 .IX Item "-msie_hack"
 this is a legacy option to make \fBca\fR work with very old versions of
 the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
 for almost everything. Since the old control has various security bugs
 its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not
 need this option.
-.Ip "\fB\-preserveDN\fR" 4
+.IP "\fB\-preserveDN\fR" 4
 .IX Item "-preserveDN"
 Normally the \s-1DN\s0 order of a certificate is the same as the order of the
 fields in the relevant policy section. When this option is set the order 
 is the same as the request. This is largely for compatibility with the
 older \s-1IE\s0 enrollment control which would only accept certificates if their
 DNs match the order of the request. This is not needed for Xenroll.
-.Ip "\fB\-noemailDN\fR" 4
+.IP "\fB\-noemailDN\fR" 4
 .IX Item "-noemailDN"
 The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
-request \s-1DN\s0, however it is good policy just having the e-mail set into
+request \s-1DN\s0, however it is good policy just having the e\-mail set into
 the altName extension of the certificate. When this option is set the
 \&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
 the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
 used in the configuration file to enable this behaviour.
-.Ip "\fB\-batch\fR" 4
+.IP "\fB\-batch\fR" 4
 .IX Item "-batch"
 this sets the batch mode. In this mode no questions will be asked
 and all certificates will be certified automatically.
-.Ip "\fB\-extensions section\fR" 4
+.IP "\fB\-extensions section\fR" 4
 .IX Item "-extensions section"
 the section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to \fBx509_extensions\fR
 unless the \fB\-extfile\fR option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
 is present (even if it is empty), then a V3 certificate is created.
-.Ip "\fB\-extfile file\fR" 4
+.IP "\fB\-extfile file\fR" 4
 .IX Item "-extfile file"
 an additional configuration file to read certificate extensions from
 (using the default section unless the \fB\-extensions\fR option is also
 used).
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -312,20 +302,20 @@ thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 .SH "CRL OPTIONS"
 .IX Header "CRL OPTIONS"
-.Ip "\fB\-gencrl\fR" 4
+.IP "\fB\-gencrl\fR" 4
 .IX Item "-gencrl"
 this option generates a \s-1CRL\s0 based on information in the index file.
-.Ip "\fB\-crldays num\fR" 4
+.IP "\fB\-crldays num\fR" 4
 .IX Item "-crldays num"
 the number of days before the next \s-1CRL\s0 is due. That is the days from
 now to place in the \s-1CRL\s0 nextUpdate field.
-.Ip "\fB\-crlhours num\fR" 4
+.IP "\fB\-crlhours num\fR" 4
 .IX Item "-crlhours num"
 the number of hours before the next \s-1CRL\s0 is due.
-.Ip "\fB\-revoke filename\fR" 4
+.IP "\fB\-revoke filename\fR" 4
 .IX Item "-revoke filename"
 a filename containing a certificate to revoke.
-.Ip "\fB\-crl_reason reason\fR" 4
+.IP "\fB\-crl_reason reason\fR" 4
 .IX Item "-crl_reason reason"
 revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
 \&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
@@ -334,26 +324,26 @@ insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
 .Sp
 In practive \fBremoveFromCRL\fR is not particularly useful because it is only used
 in delta CRLs which are not currently implemented.
-.Ip "\fB\-crl_hold instruction\fR" 4
+.IP "\fB\-crl_hold instruction\fR" 4
 .IX Item "-crl_hold instruction"
 This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
 instruction to \fBinstruction\fR which must be an \s-1OID\s0. Although any \s-1OID\s0 can be
 used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
 \&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
-.Ip "\fB\-crl_compromise time\fR" 4
+.IP "\fB\-crl_compromise time\fR" 4
 .IX Item "-crl_compromise time"
 This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
 \&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
-.Ip "\fB\-crl_CA_compromise time\fR" 4
+.IP "\fB\-crl_CA_compromise time\fR" 4
 .IX Item "-crl_CA_compromise time"
 This is the same as \fBcrl_compromise\fR except the revocation reason is set to
 \&\fBCACompromise\fR.
-.Ip "\fB\-subj arg\fR" 4
+.IP "\fB\-subj arg\fR" 4
 .IX Item "-subj arg"
 supersedes subject name given in the request.
 The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
 characters may be escaped by \e (backslash), no spaces are skipped.
-.Ip "\fB\-crlexts section\fR" 4
+.IP "\fB\-crlexts section\fR" 4
 .IX Item "-crlexts section"
 the section of the configuration file containing \s-1CRL\s0 extensions to
 include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
@@ -382,85 +372,85 @@ and the command line the command line value is used. Where an
 option is described as mandatory then it must be present in
 the configuration file or the command line equivalent (if
 any) used.
-.Ip "\fBoid_file\fR" 4
+.IP "\fBoid_file\fR" 4
 .IX Item "oid_file"
 This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
 by white space and finally the long name. 
-.Ip "\fBoid_section\fR" 4
+.IP "\fBoid_section\fR" 4
 .IX Item "oid_section"
 This specifies a section in the configuration file containing extra
 object identifiers. Each line should consist of the short name of the
 object identifier followed by \fB=\fR and the numerical form. The short
 and long names are the same when this option is used.
-.Ip "\fBnew_certs_dir\fR" 4
+.IP "\fBnew_certs_dir\fR" 4
 .IX Item "new_certs_dir"
 the same as the \fB\-outdir\fR command line option. It specifies
 the directory where new certificates will be placed. Mandatory.
-.Ip "\fBcertificate\fR" 4
+.IP "\fBcertificate\fR" 4
 .IX Item "certificate"
 the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
 certificate. Mandatory.
-.Ip "\fBprivate_key\fR" 4
+.IP "\fBprivate_key\fR" 4
 .IX Item "private_key"
 same as the \fB\-keyfile\fR option. The file containing the
 \&\s-1CA\s0 private key. Mandatory.
-.Ip "\fB\s-1RANDFILE\s0\fR" 4
+.IP "\fB\s-1RANDFILE\s0\fR" 4
 .IX Item "RANDFILE"
 a file used to read and write random number seed information, or
-an \s-1EGD\s0 socket (see RAND_egd(3)).
-.Ip "\fBdefault_days\fR" 4
+an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
+.IP "\fBdefault_days\fR" 4
 .IX Item "default_days"
 the same as the \fB\-days\fR option. The number of days to certify
 a certificate for. 
-.Ip "\fBdefault_startdate\fR" 4
+.IP "\fBdefault_startdate\fR" 4
 .IX Item "default_startdate"
 the same as the \fB\-startdate\fR option. The start date to certify
 a certificate for. If not set the current time is used.
-.Ip "\fBdefault_enddate\fR" 4
+.IP "\fBdefault_enddate\fR" 4
 .IX Item "default_enddate"
 the same as the \fB\-enddate\fR option. Either this option or
 \&\fBdefault_days\fR (or the command line equivalents) must be
 present.
-.Ip "\fBdefault_crl_hours default_crl_days\fR" 4
+.IP "\fBdefault_crl_hours default_crl_days\fR" 4
 .IX Item "default_crl_hours default_crl_days"
 the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
 will only be used if neither command line option is present. At
 least one of these must be present to generate a \s-1CRL\s0.
-.Ip "\fBdefault_md\fR" 4
+.IP "\fBdefault_md\fR" 4
 .IX Item "default_md"
 the same as the \fB\-md\fR option. The message digest to use. Mandatory.
-.Ip "\fBdatabase\fR" 4
+.IP "\fBdatabase\fR" 4
 .IX Item "database"
 the text database file to use. Mandatory. This file must be present
 though initially it will be empty.
-.Ip "\fBserialfile\fR" 4
-.IX Item "serialfile"
+.IP "\fBserial\fR" 4
+.IX Item "serial"
 a text file containing the next serial number to use in hex. Mandatory.
 This file must be present and contain a valid serial number.
-.Ip "\fBx509_extensions\fR" 4
+.IP "\fBx509_extensions\fR" 4
 .IX Item "x509_extensions"
 the same as \fB\-extensions\fR.
-.Ip "\fBcrl_extensions\fR" 4
+.IP "\fBcrl_extensions\fR" 4
 .IX Item "crl_extensions"
 the same as \fB\-crlexts\fR.
-.Ip "\fBpreserve\fR" 4
+.IP "\fBpreserve\fR" 4
 .IX Item "preserve"
 the same as \fB\-preserveDN\fR
-.Ip "\fBemail_in_dn\fR" 4
+.IP "\fBemail_in_dn\fR" 4
 .IX Item "email_in_dn"
 the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
 from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
 the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN\s0.
-.Ip "\fBmsie_hack\fR" 4
+.IP "\fBmsie_hack\fR" 4
 .IX Item "msie_hack"
 the same as \fB\-msie_hack\fR
-.Ip "\fBpolicy\fR" 4
+.IP "\fBpolicy\fR" 4
 .IX Item "policy"
 the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY\s0 \s-1FORMAT\s0\fR section
 for more information.
-.Ip "\fBnameopt\fR, \fBcertopt\fR" 4
+.IP "\fBnameopt\fR, \fBcertopt\fR" 4
 .IX Item "nameopt, certopt"
 these options allow the format used to display the certificate details
 when asking the user to confirm signing. All the options supported by
@@ -469,14 +459,14 @@ here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set
 and cannot be disabled (this is because the certificate signature cannot
 be displayed because the certificate has not been signed at this point).
 .Sp
-For convenience the values \fBdefault_ca\fR are accepted by both to produce
+For convenience the values \fBca_default\fR are accepted by both to produce
 a reasonable output.
 .Sp
 If neither option is present the format used in earlier versions of
 OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
 it only displays fields mentioned in the \fBpolicy\fR section, mishandles
 multicharacter string types and does not display extensions.
-.Ip "\fBcopy_extensions\fR" 4
+.IP "\fBcopy_extensions\fR" 4
 .IX Item "copy_extensions"
 determines how extensions in certificate requests should be handled.
 If set to \fBnone\fR or this option is not present then extensions are
@@ -529,26 +519,31 @@ Sign a certificate request:
 .Vb 1
 \& openssl ca -in req.pem -out newcert.pem
 .Ve
+.PP
 Sign a certificate request, using \s-1CA\s0 extensions:
 .PP
 .Vb 1
 \& openssl ca -in req.pem -extensions v3_ca -out newcert.pem
 .Ve
+.PP
 Generate a \s-1CRL\s0
 .PP
 .Vb 1
 \& openssl ca -gencrl -out crl.pem
 .Ve
+.PP
 Sign several requests:
 .PP
 .Vb 1
 \& openssl ca -infiles req1.pem req2.pem req3.pem
 .Ve
+.PP
 Certify a Netscape \s-1SPKAC:\s0
 .PP
 .Vb 1
 \& openssl ca -spkac spkac.txt
 .Ve
+.PP
 A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
 .PP
 .Vb 5
@@ -558,40 +553,48 @@ A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity
 \& 0.OU=OpenSSL Group
 \& 1.OU=Another Group
 .Ve
+.PP
 A sample configuration file with the relevant sections for \fBca\fR:
 .PP
 .Vb 2
 \& [ ca ]
 \& default_ca      = CA_default            # The default ca section
 .Ve
+.PP
 .Vb 1
 \& [ CA_default ]
 .Ve
+.PP
 .Vb 3
 \& dir            = ./demoCA              # top dir
 \& database       = $dir/index.txt        # index file.
 \& new_certs_dir  = $dir/newcerts         # new certs dir
 .Ve
+.PP
 .Vb 4
 \& certificate    = $dir/cacert.pem       # The CA cert
 \& serial         = $dir/serial           # serial no file
 \& private_key    = $dir/private/cakey.pem# CA private key
 \& RANDFILE       = $dir/private/.rand    # random number file
 .Ve
+.PP
 .Vb 3
 \& default_days   = 365                   # how long to certify for
 \& default_crl_days= 30                   # how long before next CRL
 \& default_md     = md5                   # md to use
 .Ve
+.PP
 .Vb 2
 \& policy         = policy_any            # default policy
 \& email_in_dn    = no                    # Don't add the email into cert DN
 .Ve
+.PP
 .Vb 3
-\& nameopt        = default_ca            # Subject name display option
-\& certopt        = default_ca            # Certificate display option
+\& nameopt        = ca_default            # Subject name display option
+\& certopt        = ca_default            # Certificate display option
 \& copy_extensions = none                 # Don't copy extensions from request
 .Ve
+.PP
 .Vb 7
 \& [ policy_any ]
 \& countryName            = supplied
@@ -694,8 +697,9 @@ For example if the \s-1CA\s0 certificate has:
 .Vb 1
 \& basicConstraints = CA:TRUE, pathlen:0
 .Ve
+.PP
 then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-req(1), spkac(1), x509(1), CA.pl(1),
-config(5)
+\&\fIreq\fR\|(1), \fIspkac\fR\|(1), \fIx509\fR\|(1), \s-1\fICA\s0.pl\fR\|(1),
+\&\fIconfig\fR\|(5)
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index 80e8138..b539f13 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "CIPHERS 1"
-.TH CIPHERS 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH CIPHERS 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-ciphers \- \s-1SSL\s0 cipher display and cipher list tool.
+ciphers \- SSL cipher display and cipher list tool.
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBciphers\fR
@@ -157,7 +147,7 @@ The \fBcipherlist\fR command converts OpenSSL cipher lists into ordered
 the appropriate cipherlist.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-v\fR" 4
+.IP "\fB\-v\fR" 4
 .IX Item "-v"
 verbose option. List ciphers with a complete description of
 protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange,
@@ -166,19 +156,19 @@ restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher.
 Note that without the \fB\-v\fR option, ciphers may seem to appear twice
 in a cipher list; this is when similar ciphers are available for
 \&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1.
-.Ip "\fB\-ssl3\fR" 4
+.IP "\fB\-ssl3\fR" 4
 .IX Item "-ssl3"
 only include \s-1SSL\s0 v3 ciphers.
-.Ip "\fB\-ssl2\fR" 4
+.IP "\fB\-ssl2\fR" 4
 .IX Item "-ssl2"
 only include \s-1SSL\s0 v2 ciphers.
-.Ip "\fB\-tls1\fR" 4
+.IP "\fB\-tls1\fR" 4
 .IX Item "-tls1"
 only include \s-1TLS\s0 v1 ciphers.
-.Ip "\fB\-h\fR, \fB\-?\fR" 4
+.IP "\fB\-h\fR, \fB\-?\fR" 4
 .IX Item "-h, -?"
 print a brief usage message.
-.Ip "\fBcipherlist\fR" 4
+.IP "\fBcipherlist\fR" 4
 .IX Item "cipherlist"
 a cipher list to convert to a cipher preference list. If it is not included
 then the default cipher list will be used. The format is described below.
@@ -202,13 +192,13 @@ Lists of cipher suites can be combined in a single cipher string using the
 algorithms.
 .PP
 Each cipher string can be optionally preceded by the characters \fB!\fR,
-\&\fB-\fR or \fB+\fR.
+\&\fB\-\fR or \fB+\fR.
 .PP
 If \fB!\fR is used then the ciphers are permanently deleted from the list.
 The ciphers deleted can never reappear in the list even if they are
 explicitly stated.
 .PP
-If \fB-\fR is used then the ciphers are deleted from the list, but some or
+If \fB\-\fR is used then the ciphers are deleted from the list, but some or
 all of the ciphers can be added again by later options.
 .PP
 If \fB+\fR is used then the ciphers are moved to the end of the list. This
@@ -224,107 +214,107 @@ the current cipher list in order of encryption algorithm key length.
 .SH "CIPHER STRINGS"
 .IX Header "CIPHER STRINGS"
 The following is a list of all permitted cipher strings and their meanings.
-.Ip "\fB\s-1DEFAULT\s0\fR" 4
+.IP "\fB\s-1DEFAULT\s0\fR" 4
 .IX Item "DEFAULT"
 the default cipher list. This is determined at compile time and is normally
 \&\fB\s-1ALL:\s0!ADH:RC4+RSA:+SSLv2:@STRENGTH\fR. This must be the first cipher string
 specified.
-.Ip "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
+.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
 .IX Item "COMPLEMENTOFDEFAULT"
 the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
 this is \fB\s-1ADH\s0\fR. Note that this rule does not cover \fBeNULL\fR, which is
 not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary).
-.Ip "\fB\s-1ALL\s0\fR" 4
+.IP "\fB\s-1ALL\s0\fR" 4
 .IX Item "ALL"
 all ciphers suites except the \fBeNULL\fR ciphers which must be explicitly enabled.
-.Ip "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
+.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
 .IX Item "COMPLEMENTOFALL"
 the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR.
-.Ip "\fB\s-1HIGH\s0\fR" 4
+.IP "\fB\s-1HIGH\s0\fR" 4
 .IX Item "HIGH"
 \&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger
 than 128 bits.
-.Ip "\fB\s-1MEDIUM\s0\fR" 4
+.IP "\fB\s-1MEDIUM\s0\fR" 4
 .IX Item "MEDIUM"
 \&\*(L"medium\*(R" encryption cipher suites, currently those using 128 bit encryption.
-.Ip "\fB\s-1LOW\s0\fR" 4
+.IP "\fB\s-1LOW\s0\fR" 4
 .IX Item "LOW"
 \&\*(L"low\*(R" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
 but excluding export cipher suites.
-.Ip "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
+.IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4
 .IX Item "EXP, EXPORT"
 export encryption algorithms. Including 40 and 56 bits algorithms.
-.Ip "\fB\s-1EXPORT40\s0\fR" 4
+.IP "\fB\s-1EXPORT40\s0\fR" 4
 .IX Item "EXPORT40"
 40 bit export encryption algorithms
-.Ip "\fB\s-1EXPORT56\s0\fR" 4
+.IP "\fB\s-1EXPORT56\s0\fR" 4
 .IX Item "EXPORT56"
 56 bit export encryption algorithms.
-.Ip "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
+.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
 .IX Item "eNULL, NULL"
 the \*(L"\s-1NULL\s0\*(R" ciphers that is those offering no encryption. Because these offer no
 encryption at all and are a security risk they are disabled unless explicitly
 included.
-.Ip "\fBaNULL\fR" 4
+.IP "\fBaNULL\fR" 4
 .IX Item "aNULL"
 the cipher suites offering no authentication. This is currently the anonymous
 \&\s-1DH\s0 algorithms. These cipher suites are vulnerable to a \*(L"man in the middle\*(R"
 attack and so their use is normally discouraged.
-.Ip "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
+.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4
 .IX Item "kRSA, RSA"
 cipher suites using \s-1RSA\s0 key exchange.
-.Ip "\fBkEDH\fR" 4
+.IP "\fBkEDH\fR" 4
 .IX Item "kEDH"
 cipher suites using ephemeral \s-1DH\s0 key agreement.
-.Ip "\fBkDHr\fR, \fBkDHd\fR" 4
+.IP "\fBkDHr\fR, \fBkDHd\fR" 4
 .IX Item "kDHr, kDHd"
 cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0
 and \s-1DSS\s0 keys respectively. Not implemented.
-.Ip "\fBaRSA\fR" 4
+.IP "\fBaRSA\fR" 4
 .IX Item "aRSA"
 cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys.
-.Ip "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
+.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
 .IX Item "aDSS, DSS"
 cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys.
-.Ip "\fBaDH\fR" 4
+.IP "\fBaDH\fR" 4
 .IX Item "aDH"
 cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
 \&\s-1DH\s0 keys.  Not implemented.
-.Ip "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
+.IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4
 .IX Item "kFZA, aFZA, eFZA, FZA"
 ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all
 \&\s-1FORTEZZA\s0 algorithms. Not implemented.
-.Ip "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
+.IP "\fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4
 .IX Item "TLSv1, SSLv3, SSLv2"
 \&\s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively.
-.Ip "\fB\s-1DH\s0\fR" 4
+.IP "\fB\s-1DH\s0\fR" 4
 .IX Item "DH"
 cipher suites using \s-1DH\s0, including anonymous \s-1DH\s0.
-.Ip "\fB\s-1ADH\s0\fR" 4
+.IP "\fB\s-1ADH\s0\fR" 4
 .IX Item "ADH"
 anonymous \s-1DH\s0 cipher suites.
-.Ip "\fB\s-1AES\s0\fR" 4
+.IP "\fB\s-1AES\s0\fR" 4
 .IX Item "AES"
 cipher suites using \s-1AES\s0.
-.Ip "\fB3DES\fR" 4
+.IP "\fB3DES\fR" 4
 .IX Item "3DES"
 cipher suites using triple \s-1DES\s0.
-.Ip "\fB\s-1DES\s0\fR" 4
+.IP "\fB\s-1DES\s0\fR" 4
 .IX Item "DES"
 cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
-.Ip "\fB\s-1RC4\s0\fR" 4
+.IP "\fB\s-1RC4\s0\fR" 4
 .IX Item "RC4"
 cipher suites using \s-1RC4\s0.
-.Ip "\fB\s-1RC2\s0\fR" 4
+.IP "\fB\s-1RC2\s0\fR" 4
 .IX Item "RC2"
 cipher suites using \s-1RC2\s0.
-.Ip "\fB\s-1IDEA\s0\fR" 4
+.IP "\fB\s-1IDEA\s0\fR" 4
 .IX Item "IDEA"
 cipher suites using \s-1IDEA\s0.
-.Ip "\fB\s-1MD5\s0\fR" 4
+.IP "\fB\s-1MD5\s0\fR" 4
 .IX Item "MD5"
 cipher suites using \s-1MD5\s0.
-.Ip "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
+.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
 .IX Item "SHA1, SHA"
 cipher suites using \s-1SHA1\s0.
 .SH "CIPHER SUITE NAMES"
@@ -332,7 +322,7 @@ cipher suites using \s-1SHA1\s0.
 The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
 relevant specification and their OpenSSL equivalents. It should be noted,
 that several cipher suite names do not include the authentication used,
-e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
+e.g. \s-1DES\-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 .Sh "\s-1SSL\s0 v3.0 cipher suites."
 .IX Subsection "SSL v3.0 cipher suites."
 .Vb 10
@@ -347,6 +337,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& SSL_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 \& SSL_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
 .Ve
+.PP
 .Vb 12
 \& SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
 \& SSL_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
@@ -361,6 +352,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& SSL_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
 \& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
 .Ve
+.PP
 .Vb 5
 \& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
 \& SSL_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
@@ -368,6 +360,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& SSL_DH_anon_WITH_DES_CBC_SHA            ADH-DES-CBC-SHA
 \& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
 .Ve
+.PP
 .Vb 3
 \& SSL_FORTEZZA_KEA_WITH_NULL_SHA          Not implemented.
 \& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA  Not implemented.
@@ -387,6 +380,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& TLS_RSA_WITH_DES_CBC_SHA                DES-CBC-SHA
 \& TLS_RSA_WITH_3DES_EDE_CBC_SHA           DES-CBC3-SHA
 .Ve
+.PP
 .Vb 12
 \& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA    Not implemented.
 \& TLS_DH_DSS_WITH_DES_CBC_SHA             Not implemented.
@@ -401,6 +395,7 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& TLS_DHE_RSA_WITH_DES_CBC_SHA            EDH-RSA-DES-CBC-SHA
 \& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA       EDH-RSA-DES-CBC3-SHA
 .Ve
+.PP
 .Vb 5
 \& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5      EXP-ADH-RC4-MD5
 \& TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
@@ -414,18 +409,21 @@ e.g. \s-1DES-CBC3\-SHA\s0. In these cases, \s-1RSA\s0 authentication is used.
 \& TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
 \& TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
 .Ve
+.PP
 .Vb 4
 \& TLS_DH_DSS_WITH_AES_128_CBC_SHA         DH-DSS-AES128-SHA
 \& TLS_DH_DSS_WITH_AES_256_CBC_SHA         DH-DSS-AES256-SHA
 \& TLS_DH_RSA_WITH_AES_128_CBC_SHA         DH-RSA-AES128-SHA
 \& TLS_DH_RSA_WITH_AES_256_CBC_SHA         DH-RSA-AES256-SHA
 .Ve
+.PP
 .Vb 4
 \& TLS_DHE_DSS_WITH_AES_128_CBC_SHA        DHE-DSS-AES128-SHA
 \& TLS_DHE_DSS_WITH_AES_256_CBC_SHA        DHE-DSS-AES256-SHA
 \& TLS_DHE_RSA_WITH_AES_128_CBC_SHA        DHE-RSA-AES128-SHA
 \& TLS_DHE_RSA_WITH_AES_256_CBC_SHA        DHE-RSA-AES256-SHA
 .Ve
+.PP
 .Vb 2
 \& TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
 \& TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA
@@ -466,22 +464,26 @@ Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers:
 .Vb 1
 \& openssl ciphers -v 'ALL:eNULL'
 .Ve
+.PP
 Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by
 strength:
 .PP
 .Vb 1
 \& openssl ciphers -v 'ALL:!ADH:@STRENGTH'
 .Ve
+.PP
 Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
 .PP
 .Vb 1
 \& openssl ciphers -v '3DES:+RSA'
 .Ve
+.PP
 Include all \s-1RC4\s0 ciphers but leave out those without authentication:
 .PP
 .Vb 1
 \& openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
 .Ve
+.PP
 Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without
 encryption.
 .PP
@@ -490,7 +492,7 @@ encryption.
 .Ve
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-s_client(1), s_server(1), ssl(3)
+\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3)
 .SH "HISTORY"
 .IX Header "HISTORY"
 The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options were
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
index 39fecaa..2151b2b 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:31 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "CRL 1"
-.TH CRL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH CRL 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-crl \- \s-1CRL\s0 utility
+crl \- CRL utility
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBcrl\fR
@@ -162,47 +152,47 @@ crl \- \s-1CRL\s0 utility
 The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
 structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
 the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read from or standard input if this
 option is not specified.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specifies the output filename to write to or standard output by
 default.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 print out the \s-1CRL\s0 in text form.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 don't output the encoded version of the \s-1CRL\s0.
-.Ip "\fB\-hash\fR" 4
+.IP "\fB\-hash\fR" 4
 .IX Item "-hash"
 output a hash of the issuer name. This can be use to lookup CRLs in
 a directory by issuer name.
-.Ip "\fB\-issuer\fR" 4
+.IP "\fB\-issuer\fR" 4
 .IX Item "-issuer"
 output the issuer name.
-.Ip "\fB\-lastupdate\fR" 4
+.IP "\fB\-lastupdate\fR" 4
 .IX Item "-lastupdate"
 output the lastUpdate field.
-.Ip "\fB\-nextupdate\fR" 4
+.IP "\fB\-nextupdate\fR" 4
 .IX Item "-nextupdate"
 output the nextUpdate field.
-.Ip "\fB\-CAfile file\fR" 4
+.IP "\fB\-CAfile file\fR" 4
 .IX Item "-CAfile file"
 verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
 \&\fBfile\fR
-.Ip "\fB\-CApath dir\fR" 4
+.IP "\fB\-CApath dir\fR" 4
 .IX Item "-CApath dir"
 verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
 \&\fBdir\fR. This directory must be a standard certificate directory: that
@@ -223,6 +213,7 @@ Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
 .Vb 1
 \& openssl crl -in crl.pem -outform DER -out crl.der
 .Ve
+.PP
 Output the text form of a \s-1DER\s0 encoded certificate:
 .PP
 .Vb 1
@@ -234,4 +225,4 @@ Ideally it should be possible to create a \s-1CRL\s0 using appropriate options
 and files too.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-crl2pkcs7(1), ca(1), x509(1)
+\&\fIcrl2pkcs7\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
index 850b4e7..4a6f956 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH CRL2PKCS7 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-crl2pkcs7 \- Create a PKCS#7 structure from a \s-1CRL\s0 and certificates.
+crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates.
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBcrl2pkcs7\fR
@@ -158,31 +148,31 @@ certificates and converts them into a PKCS#7 degenerate \*(L"certificates
 only\*(R" structure.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
 the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0
 encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
 the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read a \s-1CRL\s0 from or standard input if this
 option is not specified.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specifies the output filename to write the PKCS#7 structure to or standard
 output by default.
-.Ip "\fB\-certfile filename\fR" 4
+.IP "\fB\-certfile filename\fR" 4
 .IX Item "-certfile filename"
 specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format.
 All certificates in the file will be added to the PKCS#7 structure. This
 option can be used more than once to read certificates form multiple
 files.
-.Ip "\fB\-nocrl\fR" 4
+.IP "\fB\-nocrl\fR" 4
 .IX Item "-nocrl"
 normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is
 included in the output file and a \s-1CRL\s0 is not read from the input file.
@@ -193,6 +183,7 @@ Create a PKCS#7 structure from a certificate and \s-1CRL:\s0
 .Vb 1
 \& openssl crl2pkcs7 -in crl.pem -certfile cert.pem -out p7.pem
 .Ve
+.PP
 Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several
 different certificates:
 .PP
@@ -207,10 +198,10 @@ just certificates and an optional \s-1CRL\s0.
 .PP
 This utility can be used to send certificates and CAs to Netscape as part of
 the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
-as \s-1MIME\s0 type application/x-x509\-user-cert.
+as \s-1MIME\s0 type application/x\-x509\-user\-cert.
 .PP
 The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to
 install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-pkcs7(1)
+\&\fIpkcs7\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
index b13b322..cb6be37 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "DGST 1"
-.TH DGST 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH DGST 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 \- message digests
 .SH "SYNOPSIS"
@@ -167,44 +157,44 @@ The digest functions output the message digest of a supplied file or files
 in hexadecimal form. They can also be used for digital signing and verification.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-c\fR" 4
+.IP "\fB\-c\fR" 4
 .IX Item "-c"
 print out the digest in two digit groups separated by colons, only relevant if
 \&\fBhex\fR format output is used.
-.Ip "\fB\-d\fR" 4
+.IP "\fB\-d\fR" 4
 .IX Item "-d"
 print out \s-1BIO\s0 debugging information.
-.Ip "\fB\-hex\fR" 4
+.IP "\fB\-hex\fR" 4
 .IX Item "-hex"
 digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
 digest as opposed to a digital signature.
-.Ip "\fB\-binary\fR" 4
+.IP "\fB\-binary\fR" 4
 .IX Item "-binary"
 output the digest or signature in binary form.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 filename to output to, or standard output by default.
-.Ip "\fB\-sign filename\fR" 4
+.IP "\fB\-sign filename\fR" 4
 .IX Item "-sign filename"
 digitally sign the digest using the private key in \*(L"filename\*(R".
-.Ip "\fB\-verify filename\fR" 4
+.IP "\fB\-verify filename\fR" 4
 .IX Item "-verify filename"
 verify the signature using the the public key in \*(L"filename\*(R".
 The output is either \*(L"Verification \s-1OK\s0\*(R" or \*(L"Verification Failure\*(R".
-.Ip "\fB\-prverify filename\fR" 4
+.IP "\fB\-prverify filename\fR" 4
 .IX Item "-prverify filename"
 verify the signature using the  the private key in \*(L"filename\*(R".
-.Ip "\fB\-signature filename\fR" 4
+.IP "\fB\-signature filename\fR" 4
 .IX Item "-signature filename"
 the actual signature to verify.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others. 
-.Ip "\fBfile...\fR" 4
+.IP "\fBfile...\fR" 4
 .IX Item "file..."
 file or files to digest. If no files are specified then standard input is
 used.
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
index 95bc6d6..08bf690 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "DHPARAM 1"
-.TH DHPARAM 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH DHPARAM 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-dhparam \- \s-1DH\s0 parameter manipulation and generation
+dhparam \- DH parameter manipulation and generation
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl dhparam\fR
@@ -155,7 +145,7 @@ dhparam \- \s-1DH\s0 parameter manipulation and generation
 [\fB\-C\fR]
 [\fB\-2\fR]
 [\fB\-5\fR]
-[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR]
+[\fB\-rand\fR \fIfile(s)\fR]
 [\fB\-engine id\fR]
 [\fInumbits\fR]
 .SH "DESCRIPTION"
@@ -163,64 +153,64 @@ dhparam \- \s-1DH\s0 parameter manipulation and generation
 This command is used to manipulate \s-1DH\s0 parameter files.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
 form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the
 default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with
 additional header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in\fR \fIfilename\fR" 4
+.IP "\fB\-in\fR \fIfilename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read parameters from or standard input if
 this option is not specified.
-.Ip "\fB\-out\fR \fIfilename\fR" 4
+.IP "\fB\-out\fR \fIfilename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename parameters to. Standard output is used
 if this option is not present. The output filename should \fBnot\fR be the same
 as the input filename.
-.Ip "\fB\-dsaparam\fR" 4
+.IP "\fB\-dsaparam\fR" 4
 .IX Item "-dsaparam"
 If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created;
 they are converted to \s-1DH\s0 format.  Otherwise, \*(L"strong\*(R" primes (such
-that (p-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation.
+that (p\-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation.
 .Sp
 \&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster,
 and the recommended exponent length is shorter, which makes \s-1DH\s0 key
 exchange more efficient.  Beware that with such DSA-style \s-1DH\s0
 parameters, a fresh \s-1DH\s0 key should be created for each use to
 avoid small-subgroup attacks that may be possible otherwise.
-.Ip "\fB\-2\fR, \fB\-5\fR" 4
+.IP "\fB\-2\fR, \fB\-5\fR" 4
 .IX Item "-2, -5"
 The generator to use, either 2 or 5. 2 is the default. If present then the
 input file is ignored and parameters are generated instead.
-.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand\fR \fIfile(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fInumbits\fR" 4
+.IP "\fInumbits\fR" 4
 .IX Item "numbits"
 this option specifies that a parameter set should be generated of size
 \&\fInumbits\fR. It must be the last option. If not present then a value of 512
 is used. If this option is present then the input file is ignored and 
 parameters are generated instead.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option inhibits the output of the encoded version of the parameters.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 this option prints out the \s-1DH\s0 parameters in human readable form.
-.Ip "\fB\-C\fR" 4
+.IP "\fB\-C\fR" 4
 .IX Item "-C"
 this option converts the parameters into C code. The parameters can then
 be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -240,6 +230,7 @@ versions of OpenSSL.
 \& -----BEGIN DH PARAMETERS-----
 \& -----END DH PARAMETERS-----
 .Ve
+.PP
 OpenSSL currently only supports the older PKCS#3 \s-1DH\s0, not the newer X9.42
 \&\s-1DH\s0.
 .PP
@@ -249,7 +240,7 @@ This program manipulates \s-1DH\s0 parameters not keys.
 There should be a way to generate and manipulate \s-1DH\s0 keys.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-dsaparam(1)
+\&\fIdsaparam\fR\|(1)
 .SH "HISTORY"
 .IX Header "HISTORY"
 The \fBdhparam\fR command was added in OpenSSL 0.9.5.
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
index 35a9bb7..1c87076 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "DSA 1"
-.TH DSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH DSA 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-dsa \- \s-1DSA\s0 key processing
+dsa \- DSA key processing
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBdsa\fR
@@ -168,7 +158,7 @@ traditional SSLeay compatible format for private key encryption: newer
 applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
 an \s-1ASN1\s0 \s-1DER\s0 encoded form of an \s-1ASN\s0.1 \s-1SEQUENCE\s0 consisting of the values of
@@ -179,30 +169,30 @@ SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA\s0.
 The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
 encoded with additional header and footer lines. In the case of a private key
 PKCS#8 format is also accepted.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read a key from or standard input if this
 option is not specified. If the key is encrypted a pass phrase will be
 prompted for.
-.Ip "\fB\-passin arg\fR" 4
+.IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output by
 is not specified. If any encryption options are set then a pass phrase will be
 prompted for. The output filename should \fBnot\fR be the same as the input
 filename.
-.Ip "\fB\-passout arg\fR" 4
+.IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-des|\-des3|\-idea\fR" 4
 .IX Item "-des|-des3|-idea"
 These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
 \&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
@@ -211,25 +201,25 @@ means that using the \fBdsa\fR utility to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
 setting the encryption options it can be use to add or change the pass phrase.
 These options can only be used with \s-1PEM\s0 format output files.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the public, private key components and parameters.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option prevents output of the encoded version of the key.
-.Ip "\fB\-modulus\fR" 4
+.IP "\fB\-modulus\fR" 4
 .IX Item "-modulus"
 this option prints out the value of the public key component of the key.
-.Ip "\fB\-pubin\fR" 4
+.IP "\fB\-pubin\fR" 4
 .IX Item "-pubin"
 by default a private key is read from the input file: with this option a
 public key is read instead.
-.Ip "\fB\-pubout\fR" 4
+.IP "\fB\-pubout\fR" 4
 .IX Item "-pubout"
 by default a private key is output. With this option a public
 key will be output instead. This option is automatically set if the input is
 a public key.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -243,6 +233,7 @@ The \s-1PEM\s0 private key format uses the header and footer lines:
 \& -----BEGIN DSA PRIVATE KEY-----
 \& -----END DSA PRIVATE KEY-----
 .Ve
+.PP
 The \s-1PEM\s0 public key format uses the header and footer lines:
 .PP
 .Vb 2
@@ -256,21 +247,25 @@ To remove the pass phrase on a \s-1DSA\s0 private key:
 .Vb 1
 \& openssl dsa -in key.pem -out keyout.pem
 .Ve
+.PP
 To encrypt a private key using triple \s-1DES:\s0
 .PP
 .Vb 1
 \& openssl dsa -in key.pem -des3 -out keyout.pem
 .Ve
+.PP
 To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: 
 .PP
 .Vb 1
 \& openssl dsa -in key.pem -outform DER -out keyout.der
 .Ve
+.PP
 To print out the components of a private key to standard output:
 .PP
 .Vb 1
 \& openssl dsa -in key.pem -text -noout
 .Ve
+.PP
 To just output the public part of a private key:
 .PP
 .Vb 1
@@ -278,5 +273,5 @@ To just output the public part of a private key:
 .Ve
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-dsaparam(1), gendsa(1), rsa(1),
-genrsa(1)
+\&\fIdsaparam\fR\|(1), \fIgendsa\fR\|(1), \fIrsa\fR\|(1),
+\&\fIgenrsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
index d42f5bf..86eb368 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:32 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH DSAPARAM 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-dsaparam \- \s-1DSA\s0 parameter manipulation and generation
+dsaparam \- DSA parameter manipulation and generation
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl dsaparam\fR
@@ -152,7 +142,7 @@ dsaparam \- \s-1DSA\s0 parameter manipulation and generation
 [\fB\-noout\fR]
 [\fB\-text\fR]
 [\fB\-C\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 [\fB\-genkey\fR]
 [\fB\-engine id\fR]
 [\fBnumbits\fR]
@@ -161,53 +151,53 @@ dsaparam \- \s-1DSA\s0 parameter manipulation and generation
 This command is used to manipulate or generate \s-1DSA\s0 parameter files.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
 form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
 of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
 of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read parameters from or standard input if
 this option is not specified. If the \fBnumbits\fR parameter is included then
 this option will be ignored.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename parameters to. Standard output is used
 if this option is not present. The output filename should \fBnot\fR be the same
 as the input filename.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option inhibits the output of the encoded version of the parameters.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 this option prints out the \s-1DSA\s0 parameters in human readable form.
-.Ip "\fB\-C\fR" 4
+.IP "\fB\-C\fR" 4
 .IX Item "-C"
 this option converts the parameters into C code. The parameters can then
 be loaded by calling the \fB\f(BIget_dsaXXX()\fB\fR function.
-.Ip "\fB\-genkey\fR" 4
+.IP "\fB\-genkey\fR" 4
 .IX Item "-genkey"
 this option will generate a \s-1DSA\s0 either using the specified or generated
 parameters.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fBnumbits\fR" 4
+.IP "\fBnumbits\fR" 4
 .IX Item "numbits"
 this option specifies that a parameter set should be generated of size
 \&\fBnumbits\fR. It must be the last option. If this option is included then
 the input file (if any) is ignored.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -221,9 +211,10 @@ for all available algorithms.
 \& -----BEGIN DSA PARAMETERS-----
 \& -----END DSA PARAMETERS-----
 .Ve
+.PP
 \&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of
 \&\s-1DSA\s0 parameters is often used to generate several distinct keys.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-gendsa(1), dsa(1), genrsa(1),
-rsa(1)
+\&\fIgendsa\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1),
+\&\fIrsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
index 22a4222..9152e4a 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "ENC 1"
-.TH ENC 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH ENC 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 enc \- symmetric cipher routines
 .SH "SYNOPSIS"
@@ -169,54 +159,54 @@ or explicitly provided. Base64 encoding or decoding can also be performed
 either by itself or in addition to the encryption or decryption.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 the input filename, standard input by default.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 the output filename, standard output by default.
-.Ip "\fB\-pass arg\fR" 4
+.IP "\fB\-pass arg\fR" 4
 .IX Item "-pass arg"
 the password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-salt\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-salt\fR" 4
 .IX Item "-salt"
 use a salt in the key derivation routines. This option should \fB\s-1ALWAYS\s0\fR
 be used unless compatibility with previous versions of OpenSSL or SSLeay
 is required. This option is only present on OpenSSL versions 0.9.5 or
 above.
-.Ip "\fB\-nosalt\fR" 4
+.IP "\fB\-nosalt\fR" 4
 .IX Item "-nosalt"
 don't use a salt in the key derivation routines. This is the default for
 compatibility with previous versions of OpenSSL and SSLeay.
-.Ip "\fB\-e\fR" 4
+.IP "\fB\-e\fR" 4
 .IX Item "-e"
 encrypt the input data: this is the default.
-.Ip "\fB\-d\fR" 4
+.IP "\fB\-d\fR" 4
 .IX Item "-d"
 decrypt the input data.
-.Ip "\fB\-a\fR" 4
+.IP "\fB\-a\fR" 4
 .IX Item "-a"
 base64 process the data. This means that if encryption is taking place
 the data is base64 encoded after encryption. If decryption is set then
 the input data is base64 decoded before being decrypted.
-.Ip "\fB\-A\fR" 4
+.IP "\fB\-A\fR" 4
 .IX Item "-A"
 if the \fB\-a\fR option is set then base64 process the data on one line.
-.Ip "\fB\-k password\fR" 4
+.IP "\fB\-k password\fR" 4
 .IX Item "-k password"
 the password to derive the key from. This is for compatibility with previous
 versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
-.Ip "\fB\-kfile filename\fR" 4
+.IP "\fB\-kfile filename\fR" 4
 .IX Item "-kfile filename"
 read the password to derive the key from the first line of \fBfilename\fR.
-This is for computability with previous versions of OpenSSL. Superseded by
+This is for compatibility with previous versions of OpenSSL. Superseded by
 the \fB\-pass\fR argument.
-.Ip "\fB\-S salt\fR" 4
+.IP "\fB\-S salt\fR" 4
 .IX Item "-S salt"
 the actual salt to use: this must be represented as a string comprised only
 of hex digits.
-.Ip "\fB\-K key\fR" 4
+.IP "\fB\-K key\fR" 4
 .IX Item "-K key"
 the actual key to use: this must be represented as a string comprised only
 of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
@@ -224,26 +214,26 @@ using the \fB\-iv\fR option. When both a key and a password are specified, the
 key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
 password will be taken. It probably does not make much sense to specify
 both key and password.
-.Ip "\fB\-iv \s-1IV\s0\fR" 4
+.IP "\fB\-iv \s-1IV\s0\fR" 4
 .IX Item "-iv IV"
 the actual \s-1IV\s0 to use: this must be represented as a string comprised only
 of hex digits. When only the key is specified using the \fB\-K\fR option, the
 \&\s-1IV\s0 must explicitly be defined. When a password is being specified using
 one of the other options, the \s-1IV\s0 is generated from this password.
-.Ip "\fB\-p\fR" 4
+.IP "\fB\-p\fR" 4
 .IX Item "-p"
 print out the key and \s-1IV\s0 used.
-.Ip "\fB\-P\fR" 4
+.IP "\fB\-P\fR" 4
 .IX Item "-P"
 print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
 or decryption.
-.Ip "\fB\-bufsize number\fR" 4
+.IP "\fB\-bufsize number\fR" 4
 .IX Item "-bufsize number"
 set the buffer size for I/O
-.Ip "\fB\-nopad\fR" 4
+.IP "\fB\-nopad\fR" 4
 .IX Item "-nopad"
 disable standard block padding
-.Ip "\fB\-debug\fR" 4
+.IP "\fB\-debug\fR" 4
 .IX Item "-debug"
 debug the BIOs used for I/O.
 .SH "NOTES"
@@ -284,6 +274,7 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 .Vb 1
 \& base64             Base 64
 .Ve
+.PP
 .Vb 5
 \& bf-cbc             Blowfish in CBC mode
 \& bf                 Alias for bf-cbc
@@ -291,6 +282,7 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \& bf-ecb             Blowfish in ECB mode
 \& bf-ofb             Blowfish in OFB mode
 .Ve
+.PP
 .Vb 6
 \& cast-cbc           CAST in CBC mode
 \& cast               Alias for cast-cbc
@@ -299,6 +291,7 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \& cast5-ecb          CAST5 in ECB mode
 \& cast5-ofb          CAST5 in OFB mode
 .Ve
+.PP
 .Vb 5
 \& des-cbc            DES in CBC mode
 \& des                Alias for des-cbc
@@ -306,12 +299,14 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \& des-ofb            DES in OFB mode
 \& des-ecb            DES in ECB mode
 .Ve
+.PP
 .Vb 4
 \& des-ede-cbc        Two key triple DES EDE in CBC mode
 \& des-ede            Alias for des-ede
 \& des-ede-cfb        Two key triple DES EDE in CFB mode
 \& des-ede-ofb        Two key triple DES EDE in OFB mode
 .Ve
+.PP
 .Vb 5
 \& des-ede3-cbc       Three key triple DES EDE in CBC mode
 \& des-ede3           Alias for des-ede3-cbc
@@ -319,9 +314,11 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \& des-ede3-cfb       Three key triple DES EDE CFB mode
 \& des-ede3-ofb       Three key triple DES EDE in OFB mode
 .Ve
+.PP
 .Vb 1
 \& desx               DESX algorithm.
 .Ve
+.PP
 .Vb 5
 \& idea-cbc           IDEA algorithm in CBC mode
 \& idea               same as idea-cbc
@@ -329,6 +326,7 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \& idea-ecb           IDEA in ECB mode
 \& idea-ofb           IDEA in OFB mode
 .Ve
+.PP
 .Vb 7
 \& rc2-cbc            128 bit RC2 in CBC mode
 \& rc2                Alias for rc2-cbc
@@ -338,11 +336,13 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
 \& rc2-64-cbc         64 bit RC2 in CBC mode
 \& rc2-40-cbc         40 bit RC2 in CBC mode
 .Ve
+.PP
 .Vb 3
 \& rc4                128 bit RC4
 \& rc4-64             64 bit RC4
 \& rc4-40             40 bit RC4
 .Ve
+.PP
 .Vb 5
 \& rc5-cbc            RC5 cipher in CBC mode
 \& rc5                Alias for rc5-cbc
@@ -357,32 +357,38 @@ Just base64 encode a binary file:
 .Vb 1
 \& openssl base64 -in file.bin -out file.b64
 .Ve
+.PP
 Decode the same file
 .PP
 .Vb 1
 \& openssl base64 -d -in file.b64 -out file.bin
 .Ve
+.PP
 Encrypt a file using triple \s-1DES\s0 in \s-1CBC\s0 mode using a prompted password:
 .PP
 .Vb 1
 \& openssl des3 -salt -in file.txt -out file.des3
 .Ve
+.PP
 Decrypt a file using a supplied password:
 .PP
 .Vb 1
 \& openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
 .Ve
+.PP
 Encrypt a file then base64 encode it (so it can be sent via mail for example)
 using Blowfish in \s-1CBC\s0 mode:
 .PP
 .Vb 1
 \& openssl bf -a -salt -in file.txt -out file.bf
 .Ve
+.PP
 Base64 decode a file then decrypt it:
 .PP
 .Vb 1
 \& openssl bf -d -salt -a -in file.bf -out file.txt
 .Ve
+.PP
 Decrypt some data using a supplied 40 bit \s-1RC4\s0 key:
 .PP
 .Vb 1
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
index 97aff77..1d69e33 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "GENDSA 1"
-.TH GENDSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH GENDSA 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-gendsa \- generate a \s-1DSA\s0 private key from a set of parameters
+gendsa \- generate a DSA private key from a set of parameters
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBgendsa\fR
@@ -149,7 +139,7 @@ gendsa \- generate a \s-1DSA\s0 private key from a set of parameters
 [\fB\-des\fR]
 [\fB\-des3\fR]
 [\fB\-idea\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 [\fB\-engine id\fR]
 [\fBparamfile\fR]
 .SH "DESCRIPTION"
@@ -158,25 +148,25 @@ The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 pa
 (which will be typically generated by the \fBopenssl dsaparam\fR command).
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
+.IP "\fB\-des|\-des3|\-idea\fR" 4
 .IX Item "-des|-des3|-idea"
 These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
 \&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
 If none of these options is specified no encryption is used.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
-.Ip "\fBparamfile\fR" 4
+.IP "\fBparamfile\fR" 4
 .IX Item "paramfile"
 This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this
 file determine the size of the private key. \s-1DSA\s0 parameters can be generated
@@ -187,5 +177,5 @@ and examined using the \fBopenssl dsaparam\fR command.
 much quicker that \s-1RSA\s0 key generation for example.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-dsaparam(1), dsa(1), genrsa(1),
-rsa(1)
+\&\fIdsaparam\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1),
+\&\fIrsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
index 883bde2..589d10b 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "GENRSA 1"
-.TH GENRSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH GENRSA 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-genrsa \- generate an \s-1RSA\s0 private key
+genrsa \- generate an RSA private key
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBgenrsa\fR
@@ -152,7 +142,7 @@ genrsa \- generate an \s-1RSA\s0 private key
 [\fB\-idea\fR]
 [\fB\-f4\fR]
 [\fB\-3\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 [\fB\-engine id\fR]
 [\fBnumbits\fR]
 .SH "DESCRIPTION"
@@ -160,37 +150,37 @@ genrsa \- generate an \s-1RSA\s0 private key
 The \fBgenrsa\fR command generates an \s-1RSA\s0 private key.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 the output filename. If this argument is not specified then standard output is
 used.  
-.Ip "\fB\-passout arg\fR" 4
+.IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-des|\-des3|\-idea\fR" 4
 .IX Item "-des|-des3|-idea"
 These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
 \&\s-1IDEA\s0 ciphers respectively before outputting it. If none of these options is
 specified no encryption is used. If encryption is used a pass phrase is prompted
 for if it is not supplied via the \fB\-passout\fR argument.
-.Ip "\fB\-F4|\-3\fR" 4
+.IP "\fB\-F4|\-3\fR" 4
 .IX Item "-F4|-3"
 the public exponent to use, either 65537 or 3. The default is 65537.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
-.Ip "\fBnumbits\fR" 4
+.IP "\fBnumbits\fR" 4
 .IX Item "numbits"
 the size of the private key to generate in bits. This must be the last option
 specified. The default is 512.
@@ -213,4 +203,4 @@ private keys this will not matter because for security reasons they will
 be much larger (typically 1024 bits).
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-gendsa(1)
+\&\fIgendsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
index 76360560..605e699 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "NSEQ 1"
-.TH NSEQ 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH NSEQ 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 nseq \- create or examine a netscape certificate sequence
 .SH "SYNOPSIS"
@@ -156,14 +146,14 @@ file of certificates and converts it into a Netscape certificate
 sequence.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read or standard input if this
 option is not specified.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specifies the output filename or standard output by default.
-.Ip "\fB\-toseq\fR" 4
+.IP "\fB\-toseq\fR" 4
 .IX Item "-toseq"
 normally a Netscape certificate sequence will be input and the output
 is the certificates contained in it. With the \fB\-toseq\fR option the
@@ -176,6 +166,7 @@ Output the certificates in a Netscape certificate sequence
 .Vb 1
 \& openssl nseq -in nseq.pem -out certs.pem
 .Ve
+.PP
 Create a Netscape certificate sequence
 .PP
 .Vb 1
@@ -189,6 +180,7 @@ The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certifi
 \& -----BEGIN CERTIFICATE-----
 \& -----END CERTIFICATE-----
 .Ve
+.PP
 A Netscape certificate sequence is a Netscape specific form that can be sent
 to browsers as an alternative to the standard PKCS#7 format when several
 certificates are sent to the browser: for example during certificate enrollment.
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
index f1a68ad..66694b5 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:33 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "OCSP 1"
-.TH OCSP 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH OCSP 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 ocsp \- Online Certificate Status Protocol utility
 .SH "SYNOPSIS"
@@ -149,6 +139,10 @@ ocsp \- Online Certificate Status Protocol utility
 [\fB\-issuer file\fR]
 [\fB\-cert file\fR]
 [\fB\-serial n\fR]
+[\fB\-signer file\fR]
+[\fB\-signkey file\fR]
+[\fB\-sign_other file\fR]
+[\fB\-no_certs\fR]
 [\fB\-req_text\fR]
 [\fB\-resp_text\fR]
 [\fB\-text\fR]
@@ -158,26 +152,35 @@ ocsp \- Online Certificate Status Protocol utility
 [\fB\-respin file\fR]
 [\fB\-nonce\fR]
 [\fB\-no_nonce\fR]
-[\fB\-url responder_url\fR]
+[\fB\-url \s-1URL\s0\fR]
 [\fB\-host host:n\fR]
 [\fB\-path\fR]
-[\fB\-CApath file\fR]
+[\fB\-CApath dir\fR]
 [\fB\-CAfile file\fR]
 [\fB\-VAfile file\fR]
-[\fB\-verify_certs file\fR]
+[\fB\-validity_period n\fR]
+[\fB\-status_age n\fR]
 [\fB\-noverify\fR]
+[\fB\-verify_other file\fR]
 [\fB\-trust_other\fR]
 [\fB\-no_intern\fR]
-[\fB\-no_sig_verify\fR]
+[\fB\-no_signature_verify\fR]
 [\fB\-no_cert_verify\fR]
 [\fB\-no_chain\fR]
 [\fB\-no_cert_checks\fR]
-[\fB\-validity_period nsec\fR]
-[\fB\-status_age nsec\fR]
+[\fB\-port num\fR]
+[\fB\-index file\fR]
+[\fB\-CA file\fR]
+[\fB\-rsigner file\fR]
+[\fB\-rkey file\fR]
+[\fB\-rother file\fR]
+[\fB\-resp_no_certs\fR]
+[\fB\-nmin n\fR]
+[\fB\-ndays n\fR]
+[\fB\-resp_key_id\fR]
+[\fB\-nrequest n\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
-\&\fB\s-1WARNING:\s0 this documentation is preliminary and subject to change.\fR
-.PP
 The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
 determine the (revocation) state of an identified certificate (\s-1RFC\s0 2560).
 .PP
@@ -186,108 +189,111 @@ to print out requests and responses, create requests and send queries
 to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
 .SH "OCSP CLIENT OPTIONS"
 .IX Header "OCSP CLIENT OPTIONS"
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specify output filename, default is standard output.
-.Ip "\fB\-issuer filename\fR" 4
+.IP "\fB\-issuer filename\fR" 4
 .IX Item "-issuer filename"
 This specifies the current issuer certificate. This option can be used
 multiple times. The certificate specified in \fBfilename\fR must be in
 \&\s-1PEM\s0 format.
-.Ip "\fB\-cert filename\fR" 4
+.IP "\fB\-cert filename\fR" 4
 .IX Item "-cert filename"
 Add the certificate \fBfilename\fR to the request. The issuer certificate
 is taken from the previous \fBissuer\fR option, or an error occurs if no
 issuer certificate is specified.
-.Ip "\fB\-serial num\fR" 4
+.IP "\fB\-serial num\fR" 4
 .IX Item "-serial num"
 Same as the \fBcert\fR option except the certificate with serial number
 \&\fBnum\fR is added to the request. The serial number is interpreted as a
 decimal integer unless preceded by \fB0x\fR. Negative integers can also
-be specified by preceding the value by a \fB-\fR sign.
-.Ip "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
+be specified by preceding the value by a \fB\-\fR sign.
+.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
 .IX Item "-signer filename, -signkey filename"
 Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
 option and the private key specified by the \fBsignkey\fR option. If
 the \fBsignkey\fR option is not present then the private key is read
 from the same file as the certificate. If neither option is specified then
 the \s-1OCSP\s0 request is not signed.
-.Ip "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
+.IP "\fB\-sign_other filename\fR" 4
+.IX Item "-sign_other filename"
+Additional certificates to include in the signed request.
+.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
 .IX Item "-nonce, -no_nonce"
 Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
 Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no
 nonce is added: using the \fBnonce\fR option will force addition of a nonce.
 If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
 a nonce is automatically added specifying \fBno_nonce\fR overrides this.
-.Ip "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
+.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
 .IX Item "-req_text, -resp_text, -text"
 print out the text form of the \s-1OCSP\s0 request, response or both respectively.
-.Ip "\fB\-reqout file\fR, \fB\-respout file\fR" 4
+.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4
 .IX Item "-reqout file, -respout file"
 write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
-.Ip "\fB\-reqin file\fR, \fB\-respin file\fR" 4
+.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4
 .IX Item "-reqin file, -respin file"
 read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
 if \s-1OCSP\s0 request or response creation is implied by other options (for example
 with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
-.Ip "\fB\-url responder_url\fR" 4
+.IP "\fB\-url responder_url\fR" 4
 .IX Item "-url responder_url"
 specify the responder \s-1URL\s0. Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
-.Ip "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
+.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
 .IX Item "-host hostname:port, -path pathname"
 if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
 \&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use
 or \*(L"/\*(R" by default.
-.Ip "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
+.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
 .IX Item "-CAfile file, -CApath pathname"
 file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
 the signature on the \s-1OCSP\s0 response.
-.Ip "\fB\-verify_certs file\fR" 4
-.IX Item "-verify_certs file"
+.IP "\fB\-verify_other file\fR" 4
+.IX Item "-verify_other file"
 file containing additional certificates to search when attempting to locate
 the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
 certificate from the response: this option can be used to supply the necessary
 certificate in such cases.
-.Ip "\fB\-trust_other\fR" 4
+.IP "\fB\-trust_other\fR" 4
 .IX Item "-trust_other"
 the certificates specified by the \fB\-verify_certs\fR option should be explicitly
 trusted and no additional checks will be performed on them. This is useful
 when the complete responder certificate chain is not available or trusting a
 root \s-1CA\s0 is not appropriate.
-.Ip "\fB\-VAfile file\fR" 4
+.IP "\fB\-VAfile file\fR" 4
 .IX Item "-VAfile file"
 file containing explicitly trusted responder certificates. Equivalent to the
 \&\fB\-verify_certs\fR and \fB\-trust_other\fR options.
-.Ip "\fB\-noverify\fR" 4
+.IP "\fB\-noverify\fR" 4
 .IX Item "-noverify"
 don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This
 option will normally only be used for debugging since it disables all verification
 of the responders certificate.
-.Ip "\fB\-no_intern\fR" 4
+.IP "\fB\-no_intern\fR" 4
 .IX Item "-no_intern"
 ignore certificates contained in the \s-1OCSP\s0 response when searching for the
 signers certificate. With this option the signers certificate must be specified
 with either the \fB\-verify_certs\fR or \fB\-VAfile\fR options.
-.Ip "\fB\-no_sig_verify\fR" 4
-.IX Item "-no_sig_verify"
+.IP "\fB\-no_signature_verify\fR" 4
+.IX Item "-no_signature_verify"
 don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid
 signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes.
-.Ip "\fB\-no_cert_verify\fR" 4
+.IP "\fB\-no_cert_verify\fR" 4
 .IX Item "-no_cert_verify"
 don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows
 the \s-1OCSP\s0 response to be signed by any certificate it should only be used for
 testing purposes.
-.Ip "\fB\-no_chain\fR" 4
+.IP "\fB\-no_chain\fR" 4
 .IX Item "-no_chain"
 do not use certificates in the response as additional untrusted \s-1CA\s0
 certificates.
-.Ip "\fB\-no_cert_checks\fR" 4
+.IP "\fB\-no_cert_checks\fR" 4
 .IX Item "-no_cert_checks"
 don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
 That is do not make any checks to see if the signers certificate is authorised
 to provide the necessary status information: as a result this option should
 only be used for testing purposes.
-.Ip "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
+.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
 .IX Item "-validity_period nsec, -status_age age"
 these options specify the range of times, in seconds, which will be tolerated
 in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and
@@ -303,45 +309,45 @@ is checked to see it is not older than \fBage\fR seconds old. By default this ad
 check is not performed.
 .SH "OCSP SERVER OPTIONS"
 .IX Header "OCSP SERVER OPTIONS"
-.Ip "\fB\-index indexfile\fR" 4
+.IP "\fB\-index indexfile\fR" 4
 .IX Item "-index indexfile"
 \&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation
 information.
 .Sp
 If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise
-it is in client mode. The \fIrequest\fR\|(s) the responder processes can be either specified on
+it is in client mode. The request(s) the responder processes can be either specified on
 the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the
 \&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
 .Sp
 If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be
 present.
-.Ip "\fB\-CA file\fR" 4
+.IP "\fB\-CA file\fR" 4
 .IX Item "-CA file"
 \&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
-.Ip "\fB\-rsigner file\fR" 4
+.IP "\fB\-rsigner file\fR" 4
 .IX Item "-rsigner file"
 The certificate to sign \s-1OCSP\s0 responses with.
-.Ip "\fB\-rother file\fR" 4
+.IP "\fB\-rother file\fR" 4
 .IX Item "-rother file"
 Additional certificates to include in the \s-1OCSP\s0 response.
-.Ip "\fB\-resp_no_certs\fR" 4
+.IP "\fB\-resp_no_certs\fR" 4
 .IX Item "-resp_no_certs"
 Don't include any certificates in the \s-1OCSP\s0 response.
-.Ip "\fB\-resp_key_id\fR" 4
+.IP "\fB\-resp_key_id\fR" 4
 .IX Item "-resp_key_id"
 Identify the signer certificate using the key \s-1ID\s0, default is to use the subject name.
-.Ip "\fB\-rkey file\fR" 4
+.IP "\fB\-rkey file\fR" 4
 .IX Item "-rkey file"
 The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the
 \&\fBrsigner\fR option is used.
-.Ip "\fB\-port portnum\fR" 4
+.IP "\fB\-port portnum\fR" 4
 .IX Item "-port portnum"
 Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR
 option.
-.Ip "\fB\-nrequest number\fR" 4
+.IP "\fB\-nrequest number\fR" 4
 .IX Item "-nrequest number"
 The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. 
-.Ip "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
+.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
 .IX Item "-nmin minutes, -ndays days"
 Number of minutes or days when fresh revocation information is available: used in the
 \&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is 
@@ -386,6 +392,7 @@ multiple CAs and has its own separate certificate chain then its root
 .Vb 1
 \& openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
 .Ve
+.PP
 Alternatively the responder certificate itself can be explicitly trusted
 with the \fB\-VAfile\fR option.
 .SH "NOTES"
@@ -411,6 +418,7 @@ Create an \s-1OCSP\s0 request and write it to a file:
 .Vb 1
 \& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
 .Ve
+.PP
 Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the 
 response to a file and print it out in text form
 .PP
@@ -418,11 +426,13 @@ response to a file and print it out in text form
 \& openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \e
 \&     -url http://ocsp.myhost.com/ -resp_text -respout resp.der
 .Ve
+.PP
 Read in an \s-1OCSP\s0 response and print out text form:
 .PP
 .Vb 1
 \& openssl ocsp -respin resp.der -text
 .Ve
+.PP
 \&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
 responder certificate. All requests and responses are printed to a file.
 .PP
@@ -430,18 +440,21 @@ responder certificate. All requests and responses are printed to a file.
 \& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
 \&        -text -out log.txt
 .Ve
+.PP
 As above but exit after processing one request:
 .PP
 .Vb 2
 \& openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
 \&     -nrequest 1
 .Ve
+.PP
 Query status information using internally generated request:
 .PP
 .Vb 2
 \& openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
 \&     -issuer demoCA/cacert.pem -serial 1
 .Ve
+.PP
 Query status information using request read from a file, write response to a
 second file.
 .PP
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index 54d4f99..d29225f 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:34 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "OPENSSL 1"
-.TH OPENSSL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH OPENSSL 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 openssl \- OpenSSL command line tool
 .SH "SYNOPSIS"
@@ -151,7 +141,7 @@ openssl \- OpenSSL command line tool
 .PP
 \&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR ]
 .PP
-\&\fBopenssl\fR \fBno-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
+\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
@@ -181,174 +171,174 @@ and \fBlist-cipher-commands\fR output a list (one entry per line) of the names
 of all standard commands, message digest commands, or cipher commands,
 respectively, that are available in the present \fBopenssl\fR utility.
 .PP
-The pseudo-command \fBno-\fR\fI\s-1XXX\s0\fR tests whether a command of the
+The pseudo-command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
 specified name is available.  If no command named \fI\s-1XXX\s0\fR exists, it
-returns 0 (success) and prints \fBno-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
+returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
 and prints \fI\s-1XXX\s0\fR.  In both cases, the output goes to \fBstdout\fR and
 nothing is printed to \fBstderr\fR.  Additional command line arguments
 are always ignored.  Since for each cipher there is a command of the
 same name, this provides an easy way for shell scripts to test for the
-availability of ciphers in the \fBopenssl\fR program.  (\fBno-\fR\fI\s-1XXX\s0\fR is
+availability of ciphers in the \fBopenssl\fR program.  (\fBno\-\fR\fI\s-1XXX\s0\fR is
 not able to detect pseudo-commands such as \fBquit\fR,
-\&\fBlist-\fR\fI...\fR\fB\-commands\fR, or \fBno-\fR\fI\s-1XXX\s0\fR itself.)
+\&\fBlist\-\fR\fI...\fR\fB\-commands\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
 .Sh "\s-1STANDARD\s0 \s-1COMMANDS\s0"
 .IX Subsection "STANDARD COMMANDS"
-.Ip "\fBasn1parse\fR" 10
+.IP "\fBasn1parse\fR" 10
 .IX Item "asn1parse"
 Parse an \s-1ASN\s0.1 sequence.
-.Ip "\fBca\fR" 10
+.IP "\fBca\fR" 10
 .IX Item "ca"
 Certificate Authority (\s-1CA\s0) Management.  
-.Ip "\fBciphers\fR" 10
+.IP "\fBciphers\fR" 10
 .IX Item "ciphers"
 Cipher Suite Description Determination.
-.Ip "\fBcrl\fR" 10
+.IP "\fBcrl\fR" 10
 .IX Item "crl"
 Certificate Revocation List (\s-1CRL\s0) Management.
-.Ip "\fBcrl2pkcs7\fR" 10
+.IP "\fBcrl2pkcs7\fR" 10
 .IX Item "crl2pkcs7"
 \&\s-1CRL\s0 to PKCS#7 Conversion.
-.Ip "\fBdgst\fR" 10
+.IP "\fBdgst\fR" 10
 .IX Item "dgst"
 Message Digest Calculation.
-.Ip "\fBdh\fR" 10
+.IP "\fBdh\fR" 10
 .IX Item "dh"
 Diffie-Hellman Parameter Management.
 Obsoleted by \fBdhparam\fR.
-.Ip "\fBdsa\fR" 10
+.IP "\fBdsa\fR" 10
 .IX Item "dsa"
 \&\s-1DSA\s0 Data Management.
-.Ip "\fBdsaparam\fR" 10
+.IP "\fBdsaparam\fR" 10
 .IX Item "dsaparam"
 \&\s-1DSA\s0 Parameter Generation.
-.Ip "\fBenc\fR" 10
+.IP "\fBenc\fR" 10
 .IX Item "enc"
 Encoding with Ciphers.
-.Ip "\fBerrstr\fR" 10
+.IP "\fBerrstr\fR" 10
 .IX Item "errstr"
 Error Number to Error String Conversion.
-.Ip "\fBdhparam\fR" 10
+.IP "\fBdhparam\fR" 10
 .IX Item "dhparam"
 Generation and Management of Diffie-Hellman Parameters.
-.Ip "\fBgendh\fR" 10
+.IP "\fBgendh\fR" 10
 .IX Item "gendh"
 Generation of Diffie-Hellman Parameters.
 Obsoleted by \fBdhparam\fR.
-.Ip "\fBgendsa\fR" 10
+.IP "\fBgendsa\fR" 10
 .IX Item "gendsa"
 Generation of \s-1DSA\s0 Parameters.
-.Ip "\fBgenrsa\fR" 10
+.IP "\fBgenrsa\fR" 10
 .IX Item "genrsa"
 Generation of \s-1RSA\s0 Parameters.
-.Ip "\fBocsp\fR" 10
+.IP "\fBocsp\fR" 10
 .IX Item "ocsp"
 Online Certificate Status Protocol utility.
-.Ip "\fBpasswd\fR" 10
+.IP "\fBpasswd\fR" 10
 .IX Item "passwd"
 Generation of hashed passwords.
-.Ip "\fBpkcs12\fR" 10
+.IP "\fBpkcs12\fR" 10
 .IX Item "pkcs12"
 PKCS#12 Data Management.
-.Ip "\fBpkcs7\fR" 10
+.IP "\fBpkcs7\fR" 10
 .IX Item "pkcs7"
 PKCS#7 Data Management.
-.Ip "\fBrand\fR" 10
+.IP "\fBrand\fR" 10
 .IX Item "rand"
 Generate pseudo-random bytes.
-.Ip "\fBreq\fR" 10
+.IP "\fBreq\fR" 10
 .IX Item "req"
 X.509 Certificate Signing Request (\s-1CSR\s0) Management.
-.Ip "\fBrsa\fR" 10
+.IP "\fBrsa\fR" 10
 .IX Item "rsa"
 \&\s-1RSA\s0 Data Management.
-.Ip "\fBrsautl\fR" 10
+.IP "\fBrsautl\fR" 10
 .IX Item "rsautl"
 \&\s-1RSA\s0 utility for signing, verification, encryption, and decryption.
-.Ip "\fBs_client\fR" 10
+.IP "\fBs_client\fR" 10
 .IX Item "s_client"
 This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
 connection to a remote server speaking \s-1SSL/TLS\s0. It's intended for testing
 purposes only and provides only rudimentary interface functionality but
 internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
-.Ip "\fBs_server\fR" 10
+.IP "\fBs_server\fR" 10
 .IX Item "s_server"
 This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
 clients speaking \s-1SSL/TLS\s0. It's intended for testing purposes only and provides
 only rudimentary interface functionality but internally uses mostly all
 functionality of the OpenSSL \fBssl\fR library.  It provides both an own command
 line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
-facility to emulate an SSL/TLS-aware webserver.
-.Ip "\fBs_time\fR" 10
+facility to emulate an SSL/TLS\-aware webserver.
+.IP "\fBs_time\fR" 10
 .IX Item "s_time"
 \&\s-1SSL\s0 Connection Timer.
-.Ip "\fBsess_id\fR" 10
+.IP "\fBsess_id\fR" 10
 .IX Item "sess_id"
 \&\s-1SSL\s0 Session Data Management.
-.Ip "\fBsmime\fR" 10
+.IP "\fBsmime\fR" 10
 .IX Item "smime"
 S/MIME mail processing.
-.Ip "\fBspeed\fR" 10
+.IP "\fBspeed\fR" 10
 .IX Item "speed"
 Algorithm Speed Measurement.
-.Ip "\fBverify\fR" 10
+.IP "\fBverify\fR" 10
 .IX Item "verify"
 X.509 Certificate Verification.
-.Ip "\fBversion\fR" 10
+.IP "\fBversion\fR" 10
 .IX Item "version"
 OpenSSL Version Information.
-.Ip "\fBx509\fR" 10
+.IP "\fBx509\fR" 10
 .IX Item "x509"
 X.509 Certificate Data Management.
 .Sh "\s-1MESSAGE\s0 \s-1DIGEST\s0 \s-1COMMANDS\s0"
 .IX Subsection "MESSAGE DIGEST COMMANDS"
-.Ip "\fBmd2\fR" 10
+.IP "\fBmd2\fR" 10
 .IX Item "md2"
 \&\s-1MD2\s0 Digest
-.Ip "\fBmd5\fR" 10
+.IP "\fBmd5\fR" 10
 .IX Item "md5"
 \&\s-1MD5\s0 Digest
-.Ip "\fBmdc2\fR" 10
+.IP "\fBmdc2\fR" 10
 .IX Item "mdc2"
 \&\s-1MDC2\s0 Digest
-.Ip "\fBrmd160\fR" 10
+.IP "\fBrmd160\fR" 10
 .IX Item "rmd160"
-\&\s-1RMD-160\s0 Digest
-.Ip "\fBsha\fR" 10
+\&\s-1RMD\-160\s0 Digest
+.IP "\fBsha\fR" 10
 .IX Item "sha"
 \&\s-1SHA\s0 Digest
-.Ip "\fBsha1\fR" 10
+.IP "\fBsha1\fR" 10
 .IX Item "sha1"
-\&\s-1SHA-1\s0 Digest
+\&\s-1SHA\-1\s0 Digest
 .Sh "\s-1ENCODING\s0 \s-1AND\s0 \s-1CIPHER\s0 \s-1COMMANDS\s0"
 .IX Subsection "ENCODING AND CIPHER COMMANDS"
-.Ip "\fBbase64\fR" 10
+.IP "\fBbase64\fR" 10
 .IX Item "base64"
 Base64 Encoding
-.Ip "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10
+.IP "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10
 .IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb"
 Blowfish Cipher
-.Ip "\fBcast cast-cbc\fR" 10
+.IP "\fBcast cast-cbc\fR" 10
 .IX Item "cast cast-cbc"
 \&\s-1CAST\s0 Cipher
-.Ip "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10
+.IP "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10
 .IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb"
 \&\s-1CAST5\s0 Cipher
-.Ip "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10
+.IP "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10
 .IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb"
 \&\s-1DES\s0 Cipher
-.Ip "\fBdes3 desx des-ede3 des-ede3\-cbc des-ede3\-cfb des-ede3\-ofb\fR" 10
+.IP "\fBdes3 desx des\-ede3 des\-ede3\-cbc des\-ede3\-cfb des\-ede3\-ofb\fR" 10
 .IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb"
 Triple-DES Cipher
-.Ip "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10
+.IP "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10
 .IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb"
 \&\s-1IDEA\s0 Cipher
-.Ip "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10
+.IP "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10
 .IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb"
 \&\s-1RC2\s0 Cipher
-.Ip "\fBrc4\fR" 10
+.IP "\fBrc4\fR" 10
 .IX Item "rc4"
 \&\s-1RC4\s0 Cipher
-.Ip "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10
+.IP "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10
 .IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb"
 \&\s-1RC5\s0 Cipher
 .SH "PASS PHRASE ARGUMENTS"
@@ -360,48 +350,49 @@ options take a single argument whose format is described below. If no
 password argument is given and a password is required then the user is
 prompted to enter one: this will typically be read from the current
 terminal with echoing turned off.
-.Ip "\fBpass:password\fR" 10
+.IP "\fBpass:password\fR" 10
 .IX Item "pass:password"
 the actual password is \fBpassword\fR. Since the password is visible
 to utilities (like 'ps' under Unix) this form should only be used
 where security is not important.
-.Ip "\fBenv:var\fR" 10
+.IP "\fBenv:var\fR" 10
 .IX Item "env:var"
 obtain the password from the environment variable \fBvar\fR. Since
 the environment of other processes is visible on certain platforms
 (e.g. ps under certain Unix OSes) this option should be used with caution.
-.Ip "\fBfile:pathname\fR" 10
+.IP "\fBfile:pathname\fR" 10
 .IX Item "file:pathname"
 the first line of \fBpathname\fR is the password. If the same \fBpathname\fR
 argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
 line will be used for the input password and the next line for the output
 password. \fBpathname\fR need not refer to a regular file: it could for example
 refer to a device or named pipe.
-.Ip "\fBfd:number\fR" 10
+.IP "\fBfd:number\fR" 10
 .IX Item "fd:number"
 read the password from the file descriptor \fBnumber\fR. This can be used to
 send the data via a pipe for example.
-.Ip "\fBstdin\fR" 10
+.IP "\fBstdin\fR" 10
 .IX Item "stdin"
 read the password from standard input.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-asn1parse(1), ca(1), config(5),
-crl(1), crl2pkcs7(1), dgst(1),
-dhparam(1), dsa(1), dsaparam(1),
-enc(1), gendsa(1),
-genrsa(1), nseq(1), openssl(1),
-passwd(1),
-pkcs12(1), pkcs7(1), pkcs8(1),
-rand(1), req(1), rsa(1),
-rsautl(1), s_client(1),
-s_server(1), smime(1), spkac(1),
-verify(1), version(1), x509(1),
-crypto(3), ssl(3) 
+\&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIconfig\fR\|(5),
+\&\fIcrl\fR\|(1), \fIcrl2pkcs7\fR\|(1), \fIdgst\fR\|(1),
+\&\fIdhparam\fR\|(1), \fIdsa\fR\|(1), \fIdsaparam\fR\|(1),
+\&\fIenc\fR\|(1), \fIgendsa\fR\|(1),
+\&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIopenssl\fR\|(1),
+\&\fIpasswd\fR\|(1),
+\&\fIpkcs12\fR\|(1), \fIpkcs7\fR\|(1), \fIpkcs8\fR\|(1),
+\&\fIrand\fR\|(1), \fIreq\fR\|(1), \fIrsa\fR\|(1),
+\&\fIrsautl\fR\|(1), \fIs_client\fR\|(1),
+\&\fIs_server\fR\|(1), \fIs_time\fR\|(1),
+\&\fIsmime\fR\|(1), \fIspkac\fR\|(1),
+\&\fIverify\fR\|(1), \fIversion\fR\|(1), \fIx509\fR\|(1),
+\&\fIcrypto\fR\|(3), \fIssl\fR\|(3) 
 .SH "HISTORY"
 .IX Header "HISTORY"
 The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2.
-The \fBlist-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
-the \fBno-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
+The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3;
+the \fBno\-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a.
 For notes on the availability of other commands, see their individual
 manual pages.
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
index 4568223..55bb623 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:34 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "PASSWD 1"
-.TH PASSWD 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH PASSWD 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 passwd \- compute password hashes
 .SH "SYNOPSIS"
@@ -165,32 +155,32 @@ The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password
 algorithm \fB1\fR and its Apache variant \fBapr1\fR are available.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-crypt\fR" 4
+.IP "\fB\-crypt\fR" 4
 .IX Item "-crypt"
 Use the \fBcrypt\fR algorithm (default).
-.Ip "\fB\-1\fR" 4
+.IP "\fB\-1\fR" 4
 .IX Item "-1"
 Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR.
-.Ip "\fB\-apr1\fR" 4
+.IP "\fB\-apr1\fR" 4
 .IX Item "-apr1"
 Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
-.Ip "\fB\-salt\fR \fIstring\fR" 4
+.IP "\fB\-salt\fR \fIstring\fR" 4
 .IX Item "-salt string"
 Use the specified salt.
 When reading a password from the terminal, this implies \fB\-noverify\fR.
-.Ip "\fB\-in\fR \fIfile\fR" 4
+.IP "\fB\-in\fR \fIfile\fR" 4
 .IX Item "-in file"
 Read passwords from \fIfile\fR.
-.Ip "\fB\-stdin\fR" 4
+.IP "\fB\-stdin\fR" 4
 .IX Item "-stdin"
 Read passwords from \fBstdin\fR.
-.Ip "\fB\-noverify\fR" 4
+.IP "\fB\-noverify\fR" 4
 .IX Item "-noverify"
 Don't verify when reading a password from the terminal.
-.Ip "\fB\-quiet\fR" 4
+.IP "\fB\-quiet\fR" 4
 .IX Item "-quiet"
 Don't output warnings when passwords given at the command line are truncated.
-.Ip "\fB\-table\fR" 4
+.IP "\fB\-table\fR" 4
 .IX Item "-table"
 In the output list, prepend the cleartext password and a \s-1TAB\s0 character
 to each password hash.
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
index 4762491..0eb7690 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "PKCS12 1"
-.TH PKCS12 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH PKCS12 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 pkcs12 \- PKCS#12 file utility
 .SH "SYNOPSIS"
@@ -175,7 +165,7 @@ pkcs12 \- PKCS#12 file utility
 [\fB\-password arg\fR]
 [\fB\-passin arg\fR]
 [\fB\-passout arg\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
@@ -188,124 +178,124 @@ is being created or parsed. By default a PKCS#12 file is parsed a PKCS#12
 file can be created by using the \fB\-export\fR option (see below).
 .SH "PARSING OPTIONS"
 .IX Header "PARSING OPTIONS"
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies filename of the PKCS#12 file to be parsed. Standard input is used
 by default.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 The filename to write certificates and private keys to, standard output by default.
 They are all written in \s-1PEM\s0 format.
-.Ip "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
+.IP "\fB\-pass arg\fR, \fB\-passin arg\fR" 4
 .IX Item "-pass arg, -passin arg"
 the PKCS#12 file (i.e. input file) password source. For more information about the
 format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-passout arg\fR" 4
+\&\fIopenssl\fR\|(1).
+.IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 pass phrase source to encrypt any outputed private keys with. For more information
 about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-noout\fR" 4
+\&\fIopenssl\fR\|(1).
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option inhibits output of the keys and certificates to the output file version
 of the PKCS#12 file.
-.Ip "\fB\-clcerts\fR" 4
+.IP "\fB\-clcerts\fR" 4
 .IX Item "-clcerts"
 only output client certificates (not \s-1CA\s0 certificates).
-.Ip "\fB\-cacerts\fR" 4
+.IP "\fB\-cacerts\fR" 4
 .IX Item "-cacerts"
 only output \s-1CA\s0 certificates (not client certificates).
-.Ip "\fB\-nocerts\fR" 4
+.IP "\fB\-nocerts\fR" 4
 .IX Item "-nocerts"
 no certificates at all will be output.
-.Ip "\fB\-nokeys\fR" 4
+.IP "\fB\-nokeys\fR" 4
 .IX Item "-nokeys"
 no private keys will be output.
-.Ip "\fB\-info\fR" 4
+.IP "\fB\-info\fR" 4
 .IX Item "-info"
 output additional information about the PKCS#12 file structure, algorithms used and
 iteration counts.
-.Ip "\fB\-des\fR" 4
+.IP "\fB\-des\fR" 4
 .IX Item "-des"
 use \s-1DES\s0 to encrypt private keys before outputting.
-.Ip "\fB\-des3\fR" 4
+.IP "\fB\-des3\fR" 4
 .IX Item "-des3"
 use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
-.Ip "\fB\-idea\fR" 4
+.IP "\fB\-idea\fR" 4
 .IX Item "-idea"
 use \s-1IDEA\s0 to encrypt private keys before outputting.
-.Ip "\fB\-nodes\fR" 4
+.IP "\fB\-nodes\fR" 4
 .IX Item "-nodes"
 don't encrypt the private keys at all.
-.Ip "\fB\-nomacver\fR" 4
+.IP "\fB\-nomacver\fR" 4
 .IX Item "-nomacver"
 don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
-.Ip "\fB\-twopass\fR" 4
+.IP "\fB\-twopass\fR" 4
 .IX Item "-twopass"
 prompt for separate integrity and encryption passwords: most software
 always assumes these are the same so this option will render such
 PKCS#12 files unreadable.
 .SH "FILE CREATION OPTIONS"
 .IX Header "FILE CREATION OPTIONS"
-.Ip "\fB\-export\fR" 4
+.IP "\fB\-export\fR" 4
 .IX Item "-export"
 This option specifies that a PKCS#12 file will be created rather than
 parsed.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies filename to write the PKCS#12 file to. Standard output is used
 by default.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 The filename to read certificates and private keys from, standard input by default.
 They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and
 its corresponding certificate should be present. If additional certificates are
 present they will also be included in the PKCS#12 file.
-.Ip "\fB\-inkey filename\fR" 4
+.IP "\fB\-inkey filename\fR" 4
 .IX Item "-inkey filename"
 file to read private key from. If not present then a private key must be present
 in the input file.
-.Ip "\fB\-name friendlyname\fR" 4
+.IP "\fB\-name friendlyname\fR" 4
 .IX Item "-name friendlyname"
 This specifies the \*(L"friendly name\*(R" for the certificate and private key. This name
 is typically displayed in list boxes by software importing the file.
-.Ip "\fB\-certfile filename\fR" 4
+.IP "\fB\-certfile filename\fR" 4
 .IX Item "-certfile filename"
 A filename to read additional certificates from.
-.Ip "\fB\-caname friendlyname\fR" 4
+.IP "\fB\-caname friendlyname\fR" 4
 .IX Item "-caname friendlyname"
 This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
 used multiple times to specify names for all certificates in the order they
 appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
 displays them.
-.Ip "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
+.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
 .IX Item "-pass arg, -passout arg"
 the PKCS#12 file (i.e. output file) password source. For more information about
 the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-passin password\fR" 4
+\&\fIopenssl\fR\|(1).
+.IP "\fB\-passin password\fR" 4
 .IX Item "-passin password"
 pass phrase source to decrypt any input private keys with. For more information
 about the format of \fBarg\fR see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in
-openssl(1).
-.Ip "\fB\-chain\fR" 4
+\&\fIopenssl\fR\|(1).
+.IP "\fB\-chain\fR" 4
 .IX Item "-chain"
 if this option is present then an attempt is made to include the entire
 certificate chain of the user certificate. The standard \s-1CA\s0 store is used
 for this search. If the search fails it is considered a fatal error.
-.Ip "\fB\-descert\fR" 4
+.IP "\fB\-descert\fR" 4
 .IX Item "-descert"
 encrypt the certificate using triple \s-1DES\s0, this may render the PKCS#12
 file unreadable by some \*(L"export grade\*(R" software. By default the private
 key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0.
-.Ip "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
+.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
 .IX Item "-keypbe alg, -certpbe alg"
 these options allow the algorithm used to encrypt the private key and
 certificates to be selected. Although any PKCS#5 v1.5 or PKCS#12 algorithms
 can be selected it is advisable only to use PKCS#12 algorithms. See the list
 in the \fB\s-1NOTES\s0\fR section for more information.
-.Ip "\fB\-keyex|\-keysig\fR" 4
+.IP "\fB\-keyex|\-keysig\fR" 4
 .IX Item "-keyex|-keysig"
 specifies that the private key is to be used for key exchange or just signing.
 This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
@@ -315,7 +305,7 @@ option marks the key for signing only. Signing only keys can be used for
 S/MIME signing, authenticode (ActiveX control signing)  and \s-1SSL\s0 client
 authentication, however due to a bug only \s-1MSIE\s0 5.0 and later support
 the use of signing only keys for \s-1SSL\s0 client authentication.
-.Ip "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
+.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
 .IX Item "-nomaciter, -noiter"
 these options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
 Unless you wish to produce files compatible with \s-1MSIE\s0 4.0 you should leave
@@ -332,16 +322,16 @@ this reduces the file security you should not use these options unless you
 really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
 \&\s-1MSIE\s0 4.0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
 option.
-.Ip "\fB\-maciter\fR" 4
+.IP "\fB\-maciter\fR" 4
 .IX Item "-maciter"
 This option is included for compatibility with previous versions, it used
 to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
 .SH "NOTES"
 .IX Header "NOTES"
@@ -363,7 +353,7 @@ the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
 The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
 algorithms for private keys and certificates to be specified. Normally
 the defaults are fine but occasionally software can't handle triple \s-1DES\s0
-encrypted private keys, then the option \fB\-keypbe \s-1PBE-SHA1\-RC2\-40\s0\fR can
+encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
 be used to reduce the private key encryption to 40 bit \s-1RC2\s0. A complete
 description of all algorithms is contained in the \fBpkcs8\fR manual page.
 .SH "EXAMPLES"
@@ -373,26 +363,31 @@ Parse a PKCS#12 file and output it to a file:
 .Vb 1
 \& openssl pkcs12 -in file.p12 -out file.pem
 .Ve
+.PP
 Output only client certificates to a file:
 .PP
 .Vb 1
 \& openssl pkcs12 -in file.p12 -clcerts -out file.pem
 .Ve
+.PP
 Don't encrypt the private key:
 .PP
 .Vb 1
 \& openssl pkcs12 -in file.p12 -out file.pem -nodes
 .Ve
+.PP
 Print some info about a PKCS#12 file:
 .PP
 .Vb 1
 \& openssl pkcs12 -in file.p12 -info -noout
 .Ve
+.PP
 Create a PKCS#12 file:
 .PP
 .Vb 1
 \& openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate"
 .Ve
+.PP
 Include some extra certificates:
 .PP
 .Vb 2
@@ -426,4 +421,4 @@ file from the keys and certificates using a newer version of OpenSSL. For exampl
 .Ve
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-pkcs8(1)
+\&\fIpkcs8\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
index 4603b97..18f1e2c 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "PKCS7 1"
-.TH PKCS7 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH PKCS7 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 pkcs7 \- PKCS#7 utility
 .SH "SYNOPSIS"
@@ -158,36 +148,36 @@ pkcs7 \- PKCS#7 utility
 The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7
 v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
 the \s-1DER\s0 form with header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read from or standard input if this
 option is not specified.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specifies the output filename to write to or standard output by
 default.
-.Ip "\fB\-print_certs\fR" 4
+.IP "\fB\-print_certs\fR" 4
 .IX Item "-print_certs"
 prints out any certificates or CRLs contained in the file. They are
 preceded by their subject and issuer names in one line format.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out certificates details in full rather than just subject and
 issuer names.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 don't output the encoded version of the PKCS#7 structure (or certificates
 is \fB\-print_certs\fR is set).
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -200,6 +190,7 @@ Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
 .Vb 1
 \& openssl pkcs7 -in file.pem -outform DER -out file.der
 .Ve
+.PP
 Output all certificates in a file:
 .PP
 .Vb 1
@@ -213,6 +204,7 @@ The \s-1PEM\s0 PKCS#7 format uses the header and footer lines:
 \& -----BEGIN PKCS7-----
 \& -----END PKCS7-----
 .Ve
+.PP
 For compatibility with some CAs it will also accept:
 .PP
 .Vb 2
@@ -227,4 +219,4 @@ This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0
 cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630\s0.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-crl2pkcs7(1)
+\&\fIcrl2pkcs7\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
index 198138c..fcf25e7 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "PKCS8 1"
-.TH PKCS8 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH PKCS8 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 pkcs8 \- PKCS#8 format private key conversion tool
 .SH "SYNOPSIS"
@@ -167,42 +157,42 @@ both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
 format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-topk8\fR" 4
+.IP "\fB\-topk8\fR" 4
 .IX Item "-topk8"
 Normally a PKCS#8 private key is expected on input and a traditional format
 private key will be written. With the \fB\-topk8\fR option the situation is
 reversed: it reads a traditional format private key and writes a PKCS#8
 format key.
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. If a PKCS#8 format key is expected on input
 then either a \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR encoded version of a PKCS#8 key will be
 expected. Otherwise the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR format of the traditional format
 private key is used.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read a key from or standard input if this
 option is not specified. If the key is encrypted a pass phrase will be
 prompted for.
-.Ip "\fB\-passin arg\fR" 4
+.IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output by
 default. If any encryption options are set then a pass phrase will be
 prompted for. The output filename should \fBnot\fR be the same as the input
 filename.
-.Ip "\fB\-passout arg\fR" 4
+.IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-nocrypt\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-nocrypt\fR" 4
 .IX Item "-nocrypt"
 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
 structures using an appropriate password based encryption algorithm. With
@@ -210,28 +200,28 @@ this option an unencrypted PrivateKeyInfo structure is expected or output.
 This option does not encrypt private keys at all and should only be used
 when absolutely necessary. Certain software such as some versions of Java
 code signing software used unencrypted private keys.
-.Ip "\fB\-nooct\fR" 4
+.IP "\fB\-nooct\fR" 4
 .IX Item "-nooct"
 This option generates \s-1RSA\s0 private keys in a broken format that some software
 uses. Specifically the private key should be enclosed in a \s-1OCTET\s0 \s-1STRING\s0
 but some software just includes the structure itself without the
 surrounding \s-1OCTET\s0 \s-1STRING\s0.
-.Ip "\fB\-embed\fR" 4
+.IP "\fB\-embed\fR" 4
 .IX Item "-embed"
 This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are
 embedded inside the PrivateKey structure. In this form the \s-1OCTET\s0 \s-1STRING\s0
 contains an \s-1ASN1\s0 \s-1SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing
 the parameters and an \s-1ASN1\s0 \s-1INTEGER\s0 containing the private key.
-.Ip "\fB\-nsdb\fR" 4
+.IP "\fB\-nsdb\fR" 4
 .IX Item "-nsdb"
 This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape
 private key databases. The PrivateKey contains a \s-1SEQUENCE\s0 consisting of
 the public and private keys respectively.
-.Ip "\fB\-v2 alg\fR" 4
+.IP "\fB\-v2 alg\fR" 4
 .IX Item "-v2 alg"
 This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
 private keys are encrypted with the password based encryption algorithm
-called \fBpbeWithMD5AndDES-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it
+called \fBpbeWithMD5AndDES\-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it
 was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
 the \fB\-v2\fR option PKCS#5 v2.0 algorithms are used which can use any
 encryption algorithm such as 168 bit triple \s-1DES\s0 or 128 bit \s-1RC2\s0 however
@@ -240,11 +230,11 @@ private keys with OpenSSL then this doesn't matter.
 .Sp
 The \fBalg\fR argument is the encryption algorithm to use, valid values include
 \&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used.
-.Ip "\fB\-v1 alg\fR" 4
+.IP "\fB\-v1 alg\fR" 4
 .IX Item "-v1 alg"
 This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete
 list of possible algorithms is included below.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -259,12 +249,14 @@ headers and footers:
 \& -----BEGIN ENCRYPTED PRIVATE KEY-----
 \& -----END ENCRYPTED PRIVATE KEY-----
 .Ve
+.PP
 The unencrypted form uses:
 .PP
 .Vb 2
 \& -----BEGIN PRIVATE KEY-----
 \& -----END PRIVATE KEY-----
 .Ve
+.PP
 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
 counts are more secure that those encrypted using the traditional
 SSLeay compatible formats. So if additional security is considered
@@ -285,17 +277,17 @@ level whereas the traditional format includes them at a \s-1PEM\s0 level.
 Various algorithms can be used with the \fB\-v1\fR command line option,
 including PKCS#5 v1.5 and PKCS#12. These are described in more detail
 below.
-.Ip "\fB\s-1PBE-MD2\-DES\s0 \s-1PBE-MD5\-DES\s0\fR" 4
+.IP "\fB\s-1PBE\-MD2\-DES\s0 \s-1PBE\-MD5\-DES\s0\fR" 4
 .IX Item "PBE-MD2-DES PBE-MD5-DES"
 These algorithms were included in the original PKCS#5 v1.5 specification.
 They only offer 56 bits of protection since they both use \s-1DES\s0.
-.Ip "\fB\s-1PBE-SHA1\-RC2\-64\s0 \s-1PBE-MD2\-RC2\-64\s0 \s-1PBE-MD5\-RC2\-64\s0 \s-1PBE-SHA1\-DES\s0\fR" 4
+.IP "\fB\s-1PBE\-SHA1\-RC2\-64\s0 \s-1PBE\-MD2\-RC2\-64\s0 \s-1PBE\-MD5\-RC2\-64\s0 \s-1PBE\-SHA1\-DES\s0\fR" 4
 .IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES"
 These algorithms are not mentioned in the original PKCS#5 v1.5 specification
 but they use the same key derivation algorithm and are supported by some
 software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or
 56 bit \s-1DES\s0.
-.Ip "\fB\s-1PBE-SHA1\-RC4\-128\s0 \s-1PBE-SHA1\-RC4\-40\s0 \s-1PBE-SHA1\-3DES\s0 \s-1PBE-SHA1\-2DES\s0 \s-1PBE-SHA1\-RC2\-128\s0 \s-1PBE-SHA1\-RC2\-40\s0\fR" 4
+.IP "\fB\s-1PBE\-SHA1\-RC4\-128\s0 \s-1PBE\-SHA1\-RC4\-40\s0 \s-1PBE\-SHA1\-3DES\s0 \s-1PBE\-SHA1\-2DES\s0 \s-1PBE\-SHA1\-RC2\-128\s0 \s-1PBE\-SHA1\-RC2\-40\s0\fR" 4
 .IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40"
 These algorithms use the PKCS#12 password based encryption algorithm and
 allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used.
@@ -307,23 +299,27 @@ Convert a private from traditional to PKCS#5 v2.0 format using triple
 .Vb 1
 \& openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
 .Ve
+.PP
 Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
 (\s-1DES\s0):
 .PP
 .Vb 1
 \& openssl pkcs8 -in key.pem -topk8 -out enckey.pem
 .Ve
+.PP
 Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
 (3DES):
 .PP
 .Vb 1
 \& openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
 .Ve
+.PP
 Read a \s-1DER\s0 unencrypted PKCS#8 format private key:
 .PP
 .Vb 1
 \& openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
 .Ve
+.PP
 Convert a private key from any PKCS#8 format to traditional format:
 .PP
 .Vb 1
@@ -351,5 +347,5 @@ key format for OpenSSL: for compatibility several of the utilities use
 the old format at present.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-dsa(1), rsa(1), genrsa(1),
-gendsa(1) 
+\&\fIdsa\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1),
+\&\fIgendsa\fR\|(1) 
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
index 0f50a63..b7b351c 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,18 +126,17 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "RAND 1"
-.TH RAND 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH RAND 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-rand \- generate pseudo-random bytes
+rand \- generate pseudo\-random bytes
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl rand\fR
 [\fB\-out\fR \fIfile\fR]
-[\fB\-rand\fR \fI\fIfile\fI\|(s)\fR]
+[\fB\-rand\fR \fIfile(s)\fR]
 [\fB\-base64\fR]
 \&\fInum\fR
 .SH "DESCRIPTION"
@@ -159,19 +149,19 @@ in addition to the files given in the \fB\-rand\fR option.  A new
 seeding was obtained from these sources.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-out\fR \fIfile\fR" 4
+.IP "\fB\-out\fR \fIfile\fR" 4
 .IX Item "-out file"
 Write to \fIfile\fR instead of standard output.
-.Ip "\fB\-rand\fR \fI\fIfile\fI\|(s)\fR" 4
-.IX Item "-rand file"
-Use specified file or files or \s-1EGD\s0 socket (see RAND_egd(3))
+.IP "\fB\-rand\fR \fIfile(s)\fR" 4
+.IX Item "-rand file(s)"
+Use specified file or files or \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3))
 for seeding the random number generator.
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fB\-base64\fR" 4
+.IP "\fB\-base64\fR" 4
 .IX Item "-base64"
 Perform base64 encoding on the output.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-RAND_bytes(3)
+\&\fIRAND_bytes\fR\|(3)
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
index 7f2ee69..0b4718d 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/req.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:35 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "REQ 1"
-.TH REQ 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH REQ 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 req \- PKCS#10 certificate request and certificate generating utility.
 .SH "SYNOPSIS"
@@ -157,7 +147,7 @@ req \- PKCS#10 certificate request and certificate generating utility.
 [\fB\-verify\fR]
 [\fB\-modulus\fR]
 [\fB\-new\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 [\fB\-newkey rsa:bits\fR]
 [\fB\-newkey dsa:file\fR]
 [\fB\-nodes\fR]
@@ -186,50 +176,50 @@ in PKCS#10 format. It can additionally create self signed certificates
 for use as root CAs for example.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
 form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it
 consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and
 footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read a request from or standard input
 if this option is not specified. A request is only read if the creation
 options (\fB\-new\fR and \fB\-newkey\fR) are not specified.
-.Ip "\fB\-passin arg\fR" 4
+.IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write to or standard output by
 default.
-.Ip "\fB\-passout arg\fR" 4
+.IP "\fB\-passout arg\fR" 4
 .IX Item "-passout arg"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-text\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the certificate request in text form.
-.Ip "\fB\-pubkey\fR" 4
+.IP "\fB\-pubkey\fR" 4
 .IX Item "-pubkey"
 outputs the public key.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option prevents output of the encoded version of the request.
-.Ip "\fB\-modulus\fR" 4
+.IP "\fB\-modulus\fR" 4
 .IX Item "-modulus"
 this option prints out the value of the modulus of the public key
 contained in the request.
-.Ip "\fB\-verify\fR" 4
+.IP "\fB\-verify\fR" 4
 .IX Item "-verify"
 verifies the signature on the request.
-.Ip "\fB\-new\fR" 4
+.IP "\fB\-new\fR" 4
 .IX Item "-new"
 this option generates a new certificate request. It will prompt
 the user for the relevant field values. The actual fields
@@ -238,54 +228,54 @@ in the configuration file and any requested extensions.
 .Sp
 If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private
 key using information specified in the configuration file.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fB\-newkey arg\fR" 4
+.IP "\fB\-newkey arg\fR" 4
 .IX Item "-newkey arg"
 this option creates a new certificate request and a new private
 key. The argument takes one of two forms. \fBrsa:nbits\fR, where
 \&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR
 in size. \fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
 in the file \fBfilename\fR.
-.Ip "\fB\-key filename\fR" 4
+.IP "\fB\-key filename\fR" 4
 .IX Item "-key filename"
 This specifies the file to read the private key from. It also
 accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
-.Ip "\fB\-keyform PEM|DER\fR" 4
+.IP "\fB\-keyform PEM|DER\fR" 4
 .IX Item "-keyform PEM|DER"
 the format of the private key file specified in the \fB\-key\fR
 argument. \s-1PEM\s0 is the default.
-.Ip "\fB\-keyout filename\fR" 4
+.IP "\fB\-keyout filename\fR" 4
 .IX Item "-keyout filename"
 this gives the filename to write the newly created private key to.
 If this option is not specified then the filename present in the
 configuration file is used.
-.Ip "\fB\-nodes\fR" 4
+.IP "\fB\-nodes\fR" 4
 .IX Item "-nodes"
 if this option is specified then if a private key is created it
 will not be encrypted.
-.Ip "\fB\-[md5|sha1|md2|mdc2]\fR" 4
+.IP "\fB\-[md5|sha1|md2|mdc2]\fR" 4
 .IX Item "-[md5|sha1|md2|mdc2]"
 this specifies the message digest to sign the request with. This
 overrides the digest algorithm specified in the configuration file.
 This option is ignored for \s-1DSA\s0 requests: they always use \s-1SHA1\s0.
-.Ip "\fB\-config filename\fR" 4
+.IP "\fB\-config filename\fR" 4
 .IX Item "-config filename"
 this allows an alternative configuration file to be specified,
 this overrides the compile time filename or any specified in
 the \fB\s-1OPENSSL_CONF\s0\fR environment variable.
-.Ip "\fB\-subj arg\fR" 4
+.IP "\fB\-subj arg\fR" 4
 .IX Item "-subj arg"
 sets subject name for new request or supersedes the subject name
 when processing a request.
 The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
 characters may be escaped by \e (backslash), no spaces are skipped.
-.Ip "\fB\-x509\fR" 4
+.IP "\fB\-x509\fR" 4
 .IX Item "-x509"
 this option outputs a self signed certificate instead of a certificate
 request. This is typically used to generate a test certificate or
@@ -293,19 +283,19 @@ a self signed root \s-1CA\s0. The extensions added to the certificate
 (if any) are specified in the configuration file. Unless specified
 using the \fBset_serial\fR option \fB0\fR will be used for the serial
 number.
-.Ip "\fB\-days n\fR" 4
+.IP "\fB\-days n\fR" 4
 .IX Item "-days n"
 when the \fB\-x509\fR option is being used this specifies the number of
 days to certify the certificate for. The default is 30 days.
-.Ip "\fB\-set_serial n\fR" 4
+.IP "\fB\-set_serial n\fR" 4
 .IX Item "-set_serial n"
 serial number to use when outputting a self signed certificate. This
 may be specified as a decimal value or a hex value if preceded by \fB0x\fR.
 It is possible to use negative serial numbers but this is not recommended.
-.Ip "\fB\-extensions section\fR" 4
+.IP "\fB\-extensions section\fR" 4
 .IX Item "-extensions section"
 .PD 0
-.Ip "\fB\-reqexts section\fR" 4
+.IP "\fB\-reqexts section\fR" 4
 .IX Item "-reqexts section"
 .PD
 these options specify alternative sections to include certificate
@@ -313,19 +303,19 @@ extensions (if the \fB\-x509\fR option is present) or certificate
 request extensions. This allows several different sections to
 be used in the same configuration file to specify requests for
 a variety of purposes.
-.Ip "\fB\-utf8\fR" 4
+.IP "\fB\-utf8\fR" 4
 .IX Item "-utf8"
 this option causes field values to be interpreted as \s-1UTF8\s0 strings, by 
 default they are interpreted as \s-1ASCII\s0. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid \s-1UTF8\s0 strings.
-.Ip "\fB\-nameopt option\fR" 4
+.IP "\fB\-nameopt option\fR" 4
 .IX Item "-nameopt option"
 option which determines how the subject or issuer names are displayed. The
 \&\fBoption\fR argument can be a single option or multiple options separated by
 commas.  Alternatively the \fB\-nameopt\fR switch may be used more than once to
-set multiple options. See the x509(1) manual page for details.
-.Ip "\fB\-asn1\-kludge\fR" 4
+set multiple options. See the \fIx509\fR\|(1) manual page for details.
+.IP "\fB\-asn1\-kludge\fR" 4
 .IX Item "-asn1-kludge"
 by default the \fBreq\fR command outputs certificate requests containing
 no attributes in the correct PKCS#10 format. However certain CAs will only
@@ -339,17 +329,17 @@ empty \fB\s-1SET\s0 \s-1OF\s0\fR. The invalid form does not include the empty
 \&\fB\s-1SET\s0 \s-1OF\s0\fR whereas the correct form does.
 .Sp
 It should be noted that very few CAs still require the use of this option.
-.Ip "\fB\-newhdr\fR" 4
+.IP "\fB\-newhdr\fR" 4
 .IX Item "-newhdr"
 Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputed
 request. Some software (Netscape certificate server) and some CAs need this.
-.Ip "\fB\-batch\fR" 4
+.IP "\fB\-batch\fR" 4
 .IX Item "-batch"
 non-interactive mode.
-.Ip "\fB\-verbose\fR" 4
+.IP "\fB\-verbose\fR" 4
 .IX Item "-verbose"
 print extra details about the operations being performed.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -363,50 +353,50 @@ value is specified in the specific section (i.e. \fBreq\fR) then
 the initial unnamed or \fBdefault\fR section is searched too.
 .PP
 The options available are described in detail below.
-.Ip "\fBinput_password output_password\fR" 4
+.IP "\fBinput_password output_password\fR" 4
 .IX Item "input_password output_password"
 The passwords for the input private key file (if present) and
 the output private key file (if one will be created). The
 command line options \fBpassin\fR and \fBpassout\fR override the
 configuration file values.
-.Ip "\fBdefault_bits\fR" 4
+.IP "\fBdefault_bits\fR" 4
 .IX Item "default_bits"
 This specifies the default key size in bits. If not specified then
 512 is used. It is used if the \fB\-new\fR option is used. It can be
 overridden by using the \fB\-newkey\fR option.
-.Ip "\fBdefault_keyfile\fR" 4
+.IP "\fBdefault_keyfile\fR" 4
 .IX Item "default_keyfile"
 This is the default filename to write a private key to. If not
 specified the key is written to standard output. This can be
 overridden by the \fB\-keyout\fR option.
-.Ip "\fBoid_file\fR" 4
+.IP "\fBoid_file\fR" 4
 .IX Item "oid_file"
 This specifies a file containing additional \fB\s-1OBJECT\s0 \s-1IDENTIFIERS\s0\fR.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
 by white space and finally the long name. 
-.Ip "\fBoid_section\fR" 4
+.IP "\fBoid_section\fR" 4
 .IX Item "oid_section"
 This specifies a section in the configuration file containing extra
 object identifiers. Each line should consist of the short name of the
 object identifier followed by \fB=\fR and the numerical form. The short
 and long names are the same when this option is used.
-.Ip "\fB\s-1RANDFILE\s0\fR" 4
+.IP "\fB\s-1RANDFILE\s0\fR" 4
 .IX Item "RANDFILE"
 This specifies a filename in which random number seed information is
-placed and read from, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+placed and read from, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 It is used for private key generation.
-.Ip "\fBencrypt_key\fR" 4
+.IP "\fBencrypt_key\fR" 4
 .IX Item "encrypt_key"
 If this is set to \fBno\fR then if a private key is generated it is
 \&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line
 option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option.
-.Ip "\fBdefault_md\fR" 4
+.IP "\fBdefault_md\fR" 4
 .IX Item "default_md"
 This option specifies the digest algorithm to use. Possible values
 include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This
 option can be overridden on the command line.
-.Ip "\fBstring_mask\fR" 4
+.IP "\fBstring_mask\fR" 4
 .IX Item "string_mask"
 This option masks out the use of certain string types in certain
 fields. Most users will not need to change this option.
@@ -419,34 +409,34 @@ be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0. If the
 is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR
 option just uses PrintableStrings and T61Strings: certain software has
 problems with BMPStrings and UTF8Strings: in particular Netscape.
-.Ip "\fBreq_extensions\fR" 4
+.IP "\fBreq_extensions\fR" 4
 .IX Item "req_extensions"
 this specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
 by the \fB\-reqexts\fR command line switch.
-.Ip "\fBx509_extensions\fR" 4
+.IP "\fBx509_extensions\fR" 4
 .IX Item "x509_extensions"
 this specifies the configuration file section containing a list of
 extensions to add to certificate generated when the \fB\-x509\fR switch
 is used. It can be overridden by the \fB\-extensions\fR command line switch.
-.Ip "\fBprompt\fR" 4
+.IP "\fBprompt\fR" 4
 .IX Item "prompt"
 if set to the value \fBno\fR this disables prompting of certificate fields
 and just takes values from the config file directly. It also changes the
 expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections.
-.Ip "\fButf8\fR" 4
+.IP "\fButf8\fR" 4
 .IX Item "utf8"
 if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
 strings, by default they are interpreted as \s-1ASCII\s0. This means that
 the field values, whether prompted from a terminal or obtained from a
 configuration file, must be valid \s-1UTF8\s0 strings.
-.Ip "\fBattributes\fR" 4
+.IP "\fBattributes\fR" 4
 .IX Item "attributes"
 this specifies the section containing any request attributes: its format
 is the same as \fBdistinguished_name\fR. Typically these may contain the
 challengePassword or unstructuredName types. They are currently ignored
 by OpenSSL's request signing utilities but some CAs might want them.
-.Ip "\fBdistinguished_name\fR" 4
+.IP "\fBdistinguished_name\fR" 4
 .IX Item "distinguished_name"
 This specifies the section containing the distinguished name fields to
 prompt for when generating a certificate or certificate request. The format
@@ -462,6 +452,7 @@ just consist of field names and values: for example,
 \& OU=My Organization
 \& emailAddress=someone@somewhere.org
 .Ve
+.PP
 This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file
 with all the field names and values and just pass it to \fBreq\fR. An example
 of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
@@ -475,6 +466,7 @@ file contains field prompting information. It consists of lines of the form:
 \& fieldName_min= 2
 \& fieldName_max= 4
 .Ve
+.PP
 \&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0).
 The \*(L"prompt\*(R" string is used to ask the user to enter the relevant
 details. If the user enters nothing then the default value is used if no
@@ -510,28 +502,33 @@ Examine and verify certificate request:
 .Vb 1
 \& openssl req -in req.pem -text -verify -noout
 .Ve
+.PP
 Create a private key and then generate a certificate request from it:
 .PP
 .Vb 2
 \& openssl genrsa -out key.pem 1024
 \& openssl req -new -key key.pem -out req.pem
 .Ve
+.PP
 The same but just using req:
 .PP
 .Vb 1
 \& openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
 .Ve
+.PP
 Generate a self signed root certificate:
 .PP
 .Vb 1
 \& openssl req -x509 -newkey rsa:1024 -keyout key.pem -out req.pem
 .Ve
+.PP
 Example of a file pointed to by the \fBoid_file\fR option:
 .PP
 .Vb 2
 \& 1.2.3.4        shortName       A longer Name
 \& 1.2.3.6        otherName       Other longer Name
 .Ve
+.PP
 Example of a section pointed to by \fBoid_section\fR making use of variable
 expansion:
 .PP
@@ -539,6 +536,7 @@ expansion:
 \& testoid1=1.2.3.5
 \& testoid2=${testoid1}.6
 .Ve
+.PP
 Sample configuration file prompting for field values:
 .PP
 .Vb 6
@@ -549,9 +547,11 @@ Sample configuration file prompting for field values:
 \& attributes             = req_attributes
 \& x509_extensions        = v3_ca
 .Ve
+.PP
 .Vb 1
 \& dirstring_type = nobmp
 .Ve
+.PP
 .Vb 5
 \& [ req_distinguished_name ]
 \& countryName                    = Country Name (2 letter code)
@@ -559,39 +559,48 @@ Sample configuration file prompting for field values:
 \& countryName_min                = 2
 \& countryName_max                = 2
 .Ve
+.PP
 .Vb 1
 \& localityName                   = Locality Name (eg, city)
 .Ve
+.PP
 .Vb 1
 \& organizationalUnitName         = Organizational Unit Name (eg, section)
 .Ve
+.PP
 .Vb 2
 \& commonName                     = Common Name (eg, YOUR name)
 \& commonName_max                 = 64
 .Ve
+.PP
 .Vb 2
 \& emailAddress                   = Email Address
 \& emailAddress_max               = 40
 .Ve
+.PP
 .Vb 4
 \& [ req_attributes ]
 \& challengePassword              = A challenge password
 \& challengePassword_min          = 4
 \& challengePassword_max          = 20
 .Ve
+.PP
 .Vb 1
 \& [ v3_ca ]
 .Ve
+.PP
 .Vb 3
 \& subjectKeyIdentifier=hash
 \& authorityKeyIdentifier=keyid:always,issuer:always
 \& basicConstraints = CA:true
 .Ve
+.PP
 Sample configuration containing all field values:
 .PP
 .Vb 1
 \& RANDFILE               = $ENV::HOME/.rnd
 .Ve
+.PP
 .Vb 7
 \& [ req ]
 \& default_bits           = 1024
@@ -601,6 +610,7 @@ Sample configuration containing all field values:
 \& prompt                 = no
 \& output_password        = mypass
 .Ve
+.PP
 .Vb 8
 \& [ req_distinguished_name ]
 \& C                      = GB
@@ -611,6 +621,7 @@ Sample configuration containing all field values:
 \& CN                     = Common Name
 \& emailAddress           = test@email.address
 .Ve
+.PP
 .Vb 2
 \& [ req_attributes ]
 \& challengePassword              = A challenge password
@@ -623,12 +634,14 @@ The header and footer lines in the \fB\s-1PEM\s0\fR format are normally:
 \& -----BEGIN CERTIFICATE REQUEST-----
 \& -----END CERTIFICATE REQUEST-----
 .Ve
+.PP
 some software (some versions of Netscape certificate server) instead needs:
 .PP
 .Vb 2
 \& -----BEGIN NEW CERTIFICATE REQUEST-----
 \& -----END NEW CERTIFICATE REQUEST-----
 .Ve
+.PP
 which is produced with the \fB\-newhdr\fR option but is otherwise compatible.
 Either form is accepted transparently on input.
 .PP
@@ -644,12 +657,14 @@ The following messages are frequently asked about:
 \&        Using configuration from /some/path/openssl.cnf
 \&        Unable to load config info
 .Ve
+.PP
 This is followed some time later by...
 .PP
 .Vb 2
 \&        unable to find 'distinguished_name' in config
 \&        problems making Certificate Request
 .Ve
+.PP
 The first error message is the clue: it can't find the configuration
 file! Certain operations (like examining a certificate request) don't
 need a configuration file so its use isn't enforced. Generation of
@@ -662,6 +677,7 @@ Another puzzling message is this:
 \&        Attributes:
 \&            a0:00
 .Ve
+.PP
 this is displayed when no attributes are present and the request includes
 the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
 0x00). If you just see:
@@ -669,6 +685,7 @@ the correct empty \fB\s-1SET\s0 \s-1OF\s0\fR structure (the \s-1DER\s0 encoding
 .Vb 1
 \&        Attributes:
 .Ve
+.PP
 then the \fB\s-1SET\s0 \s-1OF\s0\fR is missing and the encoding is technically invalid (but
 it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
 for more information.
@@ -681,7 +698,7 @@ environment variable serves the same purpose but its use is discouraged.
 .SH "BUGS"
 .IX Header "BUGS"
 OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
-treats them as \s-1ISO-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
+treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
 This can cause problems if you need characters that aren't available in
 PrintableStrings and you don't want to or can't use BMPStrings.
 .PP
@@ -696,5 +713,5 @@ statically defined in the configuration file. Some of these: like an email
 address in subjectAltName should be input by the user.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-x509(1), ca(1), genrsa(1),
-gendsa(1), config(5)
+\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
+\&\fIgendsa\fR\|(1), \fIconfig\fR\|(5)
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
index ec6a381..e0ee2fe 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:36 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "RSA 1"
-.TH RSA 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH RSA 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-rsa \- \s-1RSA\s0 key processing tool
+rsa \- RSA key processing tool
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBrsa\fR
@@ -171,7 +161,7 @@ applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
 utility.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-inform DER|NET|PEM\fR" 4
+.IP "\fB\-inform DER|NET|PEM\fR" 4
 .IX Item "-inform DER|NET|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
 form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
@@ -179,34 +169,34 @@ The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s
 encoded with additional header and footer lines. On input PKCS#8 format private
 keys are also accepted. The \fB\s-1NET\s0\fR form is a format is described in the \fB\s-1NOTES\s0\fR
 section.
-.Ip "\fB\-outform DER|NET|PEM\fR" 4
+.IP "\fB\-outform DER|NET|PEM\fR" 4
 .IX Item "-outform DER|NET|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read a key from or standard input if this
 option is not specified. If the key is encrypted a pass phrase will be
 prompted for.
-.Ip "\fB\-passin arg\fR" 4
+.IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-out filename\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write a key to or standard output if this
 option is not specified. If any encryption options are set then a pass phrase
 will be prompted for. The output filename should \fBnot\fR be the same as the input
 filename.
-.Ip "\fB\-passout password\fR" 4
+.IP "\fB\-passout password\fR" 4
 .IX Item "-passout password"
 the output file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-sgckey\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-sgckey\fR" 4
 .IX Item "-sgckey"
 use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0
 keys.
-.Ip "\fB\-des|\-des3|\-idea\fR" 4
+.IP "\fB\-des|\-des3|\-idea\fR" 4
 .IX Item "-des|-des3|-idea"
 These options encrypt the private key with the \s-1DES\s0, triple \s-1DES\s0, or the 
 \&\s-1IDEA\s0 ciphers respectively before outputting it. A pass phrase is prompted for.
@@ -215,29 +205,29 @@ means that using the \fBrsa\fR utility to read in an encrypted key with no
 encryption option can be used to remove the pass phrase from a key, or by
 setting the encryption options it can be use to add or change the pass phrase.
 These options can only be used with \s-1PEM\s0 format output files.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the various public or private key components in
 plain text in addition to the encoded version. 
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option prevents output of the encoded version of the key.
-.Ip "\fB\-modulus\fR" 4
+.IP "\fB\-modulus\fR" 4
 .IX Item "-modulus"
 this option prints out the value of the modulus of the key.
-.Ip "\fB\-check\fR" 4
+.IP "\fB\-check\fR" 4
 .IX Item "-check"
 this option checks the consistency of an \s-1RSA\s0 private key.
-.Ip "\fB\-pubin\fR" 4
+.IP "\fB\-pubin\fR" 4
 .IX Item "-pubin"
 by default a private key is read from the input file: with this
 option a public key is read instead.
-.Ip "\fB\-pubout\fR" 4
+.IP "\fB\-pubout\fR" 4
 .IX Item "-pubout"
 by default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -251,19 +241,21 @@ The \s-1PEM\s0 private key format uses the header and footer lines:
 \& -----BEGIN RSA PRIVATE KEY-----
 \& -----END RSA PRIVATE KEY-----
 .Ve
+.PP
 The \s-1PEM\s0 public key format uses the header and footer lines:
 .PP
 .Vb 2
 \& -----BEGIN PUBLIC KEY-----
 \& -----END PUBLIC KEY-----
 .Ve
+.PP
 The \fB\s-1NET\s0\fR form is a format compatible with older Netscape servers
 and Microsoft \s-1IIS\s0 .key files, this uses unsalted \s-1RC4\s0 for its encryption.
 It is not very secure and so should only be used when necessary.
 .PP
 Some newer version of \s-1IIS\s0 have additional data in the exported .key
 files. To use these with the utility, view the file with a binary editor
-and look for the string \*(L"private-key\*(R", then trace back to the byte
+and look for the string \*(L"private\-key\*(R", then trace back to the byte
 sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data
 from this point onwards to another file and use that as the input
 to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get
@@ -275,21 +267,25 @@ To remove the pass phrase on an \s-1RSA\s0 private key:
 .Vb 1
 \& openssl rsa -in key.pem -out keyout.pem
 .Ve
+.PP
 To encrypt a private key using triple \s-1DES:\s0
 .PP
 .Vb 1
 \& openssl rsa -in key.pem -des3 -out keyout.pem
 .Ve
+.PP
 To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format: 
 .PP
 .Vb 1
 \& openssl rsa -in key.pem -outform DER -out keyout.der
 .Ve
+.PP
 To print out the components of a private key to standard output:
 .PP
 .Vb 1
 \& openssl rsa -in key.pem -text -noout
 .Ve
+.PP
 To just output the public part of a private key:
 .PP
 .Vb 1
@@ -304,5 +300,5 @@ There should be an option that automatically handles .key files,
 without having to manually edit them.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-pkcs8(1), dsa(1), genrsa(1),
-gendsa(1) 
+\&\fIpkcs8\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1),
+\&\fIgendsa\fR\|(1) 
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
index 0ba4a9d..a46de46 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:36 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "RSAUTL 1"
-.TH RSAUTL 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH RSAUTL 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-rsautl \- \s-1RSA\s0 utility
+rsautl \- RSA utility
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBrsautl\fR
@@ -165,46 +155,46 @@ The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt
 data using the \s-1RSA\s0 algorithm.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read data from or standard input
 if this option is not specified.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specifies the output filename to write to or standard output by
 default.
-.Ip "\fB\-inkey file\fR" 4
+.IP "\fB\-inkey file\fR" 4
 .IX Item "-inkey file"
 the input key file, by default it should be an \s-1RSA\s0 private key.
-.Ip "\fB\-pubin\fR" 4
+.IP "\fB\-pubin\fR" 4
 .IX Item "-pubin"
 the input file is an \s-1RSA\s0 public key. 
-.Ip "\fB\-certin\fR" 4
+.IP "\fB\-certin\fR" 4
 .IX Item "-certin"
 the input is a certificate containing an \s-1RSA\s0 public key. 
-.Ip "\fB\-sign\fR" 4
+.IP "\fB\-sign\fR" 4
 .IX Item "-sign"
 sign the input data and output the signed result. This requires
 and \s-1RSA\s0 private key.
-.Ip "\fB\-verify\fR" 4
+.IP "\fB\-verify\fR" 4
 .IX Item "-verify"
 verify the input data and output the recovered data.
-.Ip "\fB\-encrypt\fR" 4
+.IP "\fB\-encrypt\fR" 4
 .IX Item "-encrypt"
 encrypt the input data using an \s-1RSA\s0 public key.
-.Ip "\fB\-decrypt\fR" 4
+.IP "\fB\-decrypt\fR" 4
 .IX Item "-decrypt"
 decrypt the input data using an \s-1RSA\s0 private key.
-.Ip "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
+.IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
 .IX Item "-pkcs, -oaep, -ssl, -raw"
 the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP\s0,
 special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
 or no padding, respectively.
 For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
-.Ip "\fB\-hexdump\fR" 4
+.IP "\fB\-hexdump\fR" 4
 .IX Item "-hexdump"
 hex dump the output data.
-.Ip "\fB\-asn1parse\fR" 4
+.IP "\fB\-asn1parse\fR" 4
 .IX Item "-asn1parse"
 asn1parse the output data, this is useful when combined with the
 \&\fB\-verify\fR option.
@@ -219,16 +209,19 @@ Sign some data using a private key:
 .Vb 1
 \& openssl rsautl -sign -in file -inkey key.pem -out sig
 .Ve
+.PP
 Recover the signed data
 .PP
 .Vb 1
 \& openssl rsautl -verify -in sig -inkey key.pem
 .Ve
+.PP
 Examine the raw signed data:
 .PP
 .Vb 1
 \& openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
 .Ve
+.PP
 .Vb 8
 \& 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
 \& 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
@@ -239,17 +232,19 @@ Examine the raw signed data:
 \& 0060 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
 \& 0070 - ff ff ff ff 00 68 65 6c-6c 6f 20 77 6f 72 6c 64   .....hello world
 .Ve
+.PP
 The PKCS#1 block formatting is evident from this. If this was done using
 encrypt and decrypt the block would have been of type 2 (the second byte)
 and random padding data visible instead of the 0xff bytes.
 .PP
 It is possible to analyse the signature of certificates using this
 utility in conjunction with \fBasn1parse\fR. Consider the self signed
-example in certs/pca-cert.pem . Running \fBasn1parse\fR as follows yields:
+example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields:
 .PP
 .Vb 1
 \& openssl asn1parse -in pca-cert.pem
 .Ve
+.PP
 .Vb 18
 \&    0:d=0  hl=4 l= 742 cons: SEQUENCE          
 \&    4:d=1  hl=4 l= 591 cons:  SEQUENCE          
@@ -270,21 +265,25 @@ example in certs/pca-cert.pem . Running \fBasn1parse\fR as follows yields:
 \&  612:d=2  hl=2 l=   0 prim:   NULL              
 \&  614:d=1  hl=3 l= 129 prim:  BIT STRING
 .Ve
+.PP
 The final \s-1BIT\s0 \s-1STRING\s0 contains the actual signature. It can be extracted with:
 .PP
 .Vb 1
 \& openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
 .Ve
+.PP
 The certificate public key can be extracted with:
 .PP
 .Vb 1
 \& openssl x509 -in test/testx509.pem -pubout -noout >pubkey.pem
 .Ve
+.PP
 The signature can be analysed with:
 .PP
 .Vb 1
 \& openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
 .Ve
+.PP
 .Vb 6
 \&    0:d=0  hl=2 l=  32 cons: SEQUENCE          
 \&    2:d=1  hl=2 l=  12 cons:  SEQUENCE          
@@ -293,6 +292,7 @@ The signature can be analysed with:
 \&   16:d=1  hl=2 l=  16 prim:  OCTET STRING      
 \&      0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
 .Ve
+.PP
 This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that
 the digest used was md5. The actual part of the certificate that was signed can
 be extracted with:
@@ -300,13 +300,15 @@ be extracted with:
 .Vb 1
 \& openssl asn1parse -in pca-cert.pem -out tbs -noout -strparse 4
 .Ve
+.PP
 and its digest computed with:
 .PP
 .Vb 2
 \& openssl md5 -c tbs
 \& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
 .Ve
+.PP
 which it can be seen agrees with the recovered value above.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-dgst(1), rsa(1), genrsa(1)
+\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 8e9583c..3c1afbc 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:36 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,17 +126,16 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH S_CLIENT 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-s_client \- \s-1SSL/TLS\s0 client program
+s_client \- SSL/TLS client program
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBs_client\fR
-[\fB\-connect\fR host:port>]
+[\fB\-connect host:port\fR]
 [\fB\-verify depth\fR]
 [\fB\-cert filename\fR]
 [\fB\-key filename\fR]
@@ -170,8 +160,9 @@ s_client \- \s-1SSL/TLS\s0 client program
 [\fB\-no_tls1\fR]
 [\fB\-bugs\fR]
 [\fB\-cipher cipherlist\fR]
+[\fB\-starttls protocol\fR]
 [\fB\-engine id\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
@@ -179,46 +170,46 @@ to a remote host using \s-1SSL/TLS\s0. It is a \fIvery\fR useful diagnostic tool
 \&\s-1SSL\s0 servers.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-connect host:port\fR" 4
+.IP "\fB\-connect host:port\fR" 4
 .IX Item "-connect host:port"
 This specifies the host and optional port to connect to. If not specified
 then an attempt is made to connect to the local host on port 4433.
-.Ip "\fB\-cert certname\fR" 4
+.IP "\fB\-cert certname\fR" 4
 .IX Item "-cert certname"
 The certificate to use, if one is requested by the server. The default is
 not to use a certificate.
-.Ip "\fB\-key keyfile\fR" 4
+.IP "\fB\-key keyfile\fR" 4
 .IX Item "-key keyfile"
 The private key to use. If not specified then the certificate file will
 be used.
-.Ip "\fB\-verify depth\fR" 4
+.IP "\fB\-verify depth\fR" 4
 .IX Item "-verify depth"
 The verify depth to use. This specifies the maximum length of the
 server certificate chain and turns on server certificate verification.
 Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
-.Ip "\fB\-CApath directory\fR" 4
+.IP "\fB\-CApath directory\fR" 4
 .IX Item "-CApath directory"
 The directory to use for server certificate verification. This directory
 must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
 also used when building the client certificate chain.
-.Ip "\fB\-CAfile file\fR" 4
+.IP "\fB\-CAfile file\fR" 4
 .IX Item "-CAfile file"
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
-.Ip "\fB\-reconnect\fR" 4
+.IP "\fB\-reconnect\fR" 4
 .IX Item "-reconnect"
 reconnects to the same server 5 times using the same session \s-1ID\s0, this can
 be used as a test that session caching is working.
-.Ip "\fB\-pause\fR" 4
+.IP "\fB\-pause\fR" 4
 .IX Item "-pause"
 pauses 1 second between each read and write call.
-.Ip "\fB\-showcerts\fR" 4
+.IP "\fB\-showcerts\fR" 4
 .IX Item "-showcerts"
 display the whole server certificate chain: normally only the server
 certificate itself is displayed.
-.Ip "\fB\-prexit\fR" 4
+.IP "\fB\-prexit\fR" 4
 .IX Item "-prexit"
 print session information when the program exits. This will always attempt
 to print out information even if the connection fails. Normally information
@@ -228,34 +219,34 @@ because a client certificate is required or is requested only after an
 attempt is made to access a certain \s-1URL\s0. Note: the output produced by this
 option is not always accurate because a connection might never have been
 established.
-.Ip "\fB\-state\fR" 4
+.IP "\fB\-state\fR" 4
 .IX Item "-state"
 prints out the \s-1SSL\s0 session states.
-.Ip "\fB\-debug\fR" 4
+.IP "\fB\-debug\fR" 4
 .IX Item "-debug"
 print extensive debugging information including a hex dump of all traffic.
-.Ip "\fB\-msg\fR" 4
+.IP "\fB\-msg\fR" 4
 .IX Item "-msg"
 show all protocol messages with hex dump.
-.Ip "\fB\-nbio_test\fR" 4
+.IP "\fB\-nbio_test\fR" 4
 .IX Item "-nbio_test"
 tests non-blocking I/O
-.Ip "\fB\-nbio\fR" 4
+.IP "\fB\-nbio\fR" 4
 .IX Item "-nbio"
 turns on non-blocking I/O
-.Ip "\fB\-crlf\fR" 4
+.IP "\fB\-crlf\fR" 4
 .IX Item "-crlf"
 this option translated a line feed from the terminal into \s-1CR+LF\s0 as required
 by some servers.
-.Ip "\fB\-ign_eof\fR" 4
+.IP "\fB\-ign_eof\fR" 4
 .IX Item "-ign_eof"
 inhibit shutting down the connection when end of file is reached in the
 input.
-.Ip "\fB\-quiet\fR" 4
+.IP "\fB\-quiet\fR" 4
 .IX Item "-quiet"
 inhibit printing of session and certificate information.  This implicitly
 turns on \fB\-ign_eof\fR as well.
-.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
+.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
 .IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
 these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
 the initial handshake uses a method which should be compatible with all
@@ -265,28 +256,33 @@ Unfortunately there are a lot of ancient and broken servers in use which
 cannot handle this technique and will fail to connect. Some servers only
 work if \s-1TLS\s0 is turned off with the \fB\-no_tls\fR option others will only
 support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
-.Ip "\fB\-bugs\fR" 4
+.IP "\fB\-bugs\fR" 4
 .IX Item "-bugs"
 there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
 option enables various workarounds.
-.Ip "\fB\-cipher cipherlist\fR" 4
+.IP "\fB\-cipher cipherlist\fR" 4
 .IX Item "-cipher cipherlist"
 this allows the cipher list sent by the client to be modified. Although
 the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the \fBciphers\fR
 command for more information.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-starttls protocol\fR" 4
+.IX Item "-starttls protocol"
+send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
+\&\fBprotocol\fR is a keyword for the intended protocol.  Currently, the only
+supported keywords are \*(L"smtp\*(R" and \*(L"pop3\*(R".
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBs_client\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
 .SH "CONNECTED COMMANDS"
 .IX Header "CONNECTED COMMANDS"
@@ -304,12 +300,13 @@ server the command:
 .Vb 1
 \& openssl s_client -connect servername:443
 .Ve
+.PP
 would typically be used (https uses port 443). If the connection succeeds
 then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET\s0 /\*(R" to retrieve a web page.
 .PP
 If the handshake fails then there are several possible causes, if it is
 nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
-\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR can be tried
+\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
 in case it is a buggy server. In particular you should play with these
 options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
 .PP
@@ -320,7 +317,7 @@ the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" whe
 requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
 and checked. However some servers only request client authentication
 after a specific \s-1URL\s0 is requested. To obtain the list in this case it
-is necessary to use the \fB\-prexit\fR command and send an \s-1HTTP\s0 request
+is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
 for an appropriate page.
 .PP
 If a certificate is specified on the command line using the \fB\-cert\fR
@@ -344,4 +341,4 @@ The \fB\-prexit\fR option is a bit of a hack. We should really report
 information whenever a session is renegotiated.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-sess_id(1), s_server(1), ciphers(1)
+\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
index 50e0835..79d774f 100644
--- a/secure/usr.bin/openssl/man/s_server.1
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "S_SERVER 1"
-.TH S_SERVER 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH S_SERVER 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-s_server \- \s-1SSL/TLS\s0 server program
+s_server \- SSL/TLS server program
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBs_server\fR
@@ -179,31 +169,32 @@ s_server \- \s-1SSL/TLS\s0 server program
 [\fB\-WWW\fR]
 [\fB\-HTTP\fR]
 [\fB\-engine id\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-id_prefix arg\fR]
+[\fB\-rand file(s)\fR]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens
 for connections on a given port using \s-1SSL/TLS\s0.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-accept port\fR" 4
+.IP "\fB\-accept port\fR" 4
 .IX Item "-accept port"
 the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
-.Ip "\fB\-context id\fR" 4
+.IP "\fB\-context id\fR" 4
 .IX Item "-context id"
 sets the \s-1SSL\s0 context id. It can be given any string value. If this option
 is not present a default value will be used.
-.Ip "\fB\-cert certname\fR" 4
+.IP "\fB\-cert certname\fR" 4
 .IX Item "-cert certname"
 The certificate to use, most servers cipher suites require the use of a
 certificate and some require a certificate with a certain public key type:
 for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
 (\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
-.Ip "\fB\-key keyfile\fR" 4
+.IP "\fB\-key keyfile\fR" 4
 .IX Item "-key keyfile"
 The private key to use. If not specified then the certificate file will
 be used.
-.Ip "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4
+.IP "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4
 .IX Item "-dcert filename, -dkey keyname"
 specify an additional certificate and private key, these behave in the
 same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
@@ -213,114 +204,120 @@ a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
 and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
 a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
 by using an appropriate certificate.
-.Ip "\fB\-nocert\fR" 4
+.IP "\fB\-nocert\fR" 4
 .IX Item "-nocert"
 if this option is set then no certificate is used. This restricts the
 cipher suites available to the anonymous ones (currently just anonymous
 \&\s-1DH\s0).
-.Ip "\fB\-dhparam filename\fR" 4
+.IP "\fB\-dhparam filename\fR" 4
 .IX Item "-dhparam filename"
 the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
 using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
 load the parameters from the server certificate file. If this fails then
 a static set of parameters hard coded into the s_server program will be used.
-.Ip "\fB\-no_dhe\fR" 4
+.IP "\fB\-no_dhe\fR" 4
 .IX Item "-no_dhe"
 if this option is set then no \s-1DH\s0 parameters will be loaded effectively
 disabling the ephemeral \s-1DH\s0 cipher suites.
-.Ip "\fB\-no_tmp_rsa\fR" 4
+.IP "\fB\-no_tmp_rsa\fR" 4
 .IX Item "-no_tmp_rsa"
 certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option
 disables temporary \s-1RSA\s0 key generation.
-.Ip "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4
+.IP "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4
 .IX Item "-verify depth, -Verify depth"
 The verify depth to use. This specifies the maximum length of the
 client certificate chain and makes the server request a certificate from
 the client. With the \fB\-verify\fR option a certificate is requested but the
 client does not have to send one, with the \fB\-Verify\fR option the client
 must supply a certificate or an error occurs.
-.Ip "\fB\-CApath directory\fR" 4
+.IP "\fB\-CApath directory\fR" 4
 .IX Item "-CApath directory"
 The directory to use for client certificate verification. This directory
 must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
 also used when building the server certificate chain.
-.Ip "\fB\-CAfile file\fR" 4
+.IP "\fB\-CAfile file\fR" 4
 .IX Item "-CAfile file"
 A file containing trusted certificates to use during client authentication
 and to use when attempting to build the server certificate chain. The list
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
-.Ip "\fB\-state\fR" 4
+.IP "\fB\-state\fR" 4
 .IX Item "-state"
 prints out the \s-1SSL\s0 session states.
-.Ip "\fB\-debug\fR" 4
+.IP "\fB\-debug\fR" 4
 .IX Item "-debug"
 print extensive debugging information including a hex dump of all traffic.
-.Ip "\fB\-msg\fR" 4
+.IP "\fB\-msg\fR" 4
 .IX Item "-msg"
 show all protocol messages with hex dump.
-.Ip "\fB\-nbio_test\fR" 4
+.IP "\fB\-nbio_test\fR" 4
 .IX Item "-nbio_test"
 tests non blocking I/O
-.Ip "\fB\-nbio\fR" 4
+.IP "\fB\-nbio\fR" 4
 .IX Item "-nbio"
 turns on non blocking I/O
-.Ip "\fB\-crlf\fR" 4
+.IP "\fB\-crlf\fR" 4
 .IX Item "-crlf"
 this option translated a line feed from the terminal into \s-1CR+LF\s0.
-.Ip "\fB\-quiet\fR" 4
+.IP "\fB\-quiet\fR" 4
 .IX Item "-quiet"
 inhibit printing of session and certificate information.
-.Ip "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
+.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR" 4
 .IX Item "-ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1"
 these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
 the initial handshake uses a method which should be compatible with all
 servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
-.Ip "\fB\-bugs\fR" 4
+.IP "\fB\-bugs\fR" 4
 .IX Item "-bugs"
 there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
 option enables various workarounds.
-.Ip "\fB\-hack\fR" 4
+.IP "\fB\-hack\fR" 4
 .IX Item "-hack"
 this option enables a further workaround for some some early Netscape
 \&\s-1SSL\s0 code (?).
-.Ip "\fB\-cipher cipherlist\fR" 4
+.IP "\fB\-cipher cipherlist\fR" 4
 .IX Item "-cipher cipherlist"
 this allows the cipher list used by the server to be modified.  When
 the client sends a list of supported ciphers the first client cipher
 also included in the server list is used. Because the client specifies
 the preference order, the order of the server cipherlist irrelevant. See
 the \fBciphers\fR command for more information.
-.Ip "\fB\-www\fR" 4
+.IP "\fB\-www\fR" 4
 .IX Item "-www"
 sends a status message back to the client when it connects. This includes
 lots of information about the ciphers used and various session parameters.
 The output is in \s-1HTML\s0 format so this option will normally be used with a
 web browser.
-.Ip "\fB\-WWW\fR" 4
+.IP "\fB\-WWW\fR" 4
 .IX Item "-WWW"
 emulates a simple web server. Pages will be resolved relative to the
 current directory, for example if the \s-1URL\s0 https://myhost/page.html is
 requested the file ./page.html will be loaded.
-.Ip "\fB\-HTTP\fR" 4
+.IP "\fB\-HTTP\fR" 4
 .IX Item "-HTTP"
 emulates a simple web server. Pages will be resolved relative to the
 current directory, for example if the \s-1URL\s0 https://myhost/page.html is
 requested the file ./page.html will be loaded. The files loaded are
 assumed to contain a complete and correct \s-1HTTP\s0 response (lines that
 are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0).
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBs_server\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+.IP "\fB\-id_prefix arg\fR" 4
+.IX Item "-id_prefix arg"
+generate \s-1SSL/TLS\s0 session IDs prefixed by \fBarg\fR. This is mostly useful
+for testing any \s-1SSL/TLS\s0 code (eg. proxies) that wish to deal with multiple
+servers, when each of which might be generating a unique range of session
+IDs (eg. with a certain prefix).
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
 .SH "CONNECTED COMMANDS"
 .IX Header "CONNECTED COMMANDS"
@@ -330,23 +327,23 @@ from the client is displayed and any key presses will be sent to the client.
 .PP
 Certain single letter commands are also recognized which perform special
 operations: these are listed below.
-.Ip "\fBq\fR" 4
+.IP "\fBq\fR" 4
 .IX Item "q"
 end the current \s-1SSL\s0 connection but still accept new connections.
-.Ip "\fBQ\fR" 4
+.IP "\fBQ\fR" 4
 .IX Item "Q"
 end the current \s-1SSL\s0 connection and exit.
-.Ip "\fBr\fR" 4
+.IP "\fBr\fR" 4
 .IX Item "r"
 renegotiate the \s-1SSL\s0 session.
-.Ip "\fBR\fR" 4
+.IP "\fBR\fR" 4
 .IX Item "R"
 renegotiate the \s-1SSL\s0 session and request a client certificate.
-.Ip "\fBP\fR" 4
+.IP "\fBP\fR" 4
 .IX Item "P"
 send some plain text down the underlying \s-1TCP\s0 connection: this should
 cause the client to disconnect due to a protocol violation.
-.Ip "\fBS\fR" 4
+.IP "\fBS\fR" 4
 .IX Item "S"
 print out some session cache status information.
 .SH "NOTES"
@@ -357,6 +354,7 @@ a web browser the command:
 .Vb 1
 \& openssl s_server -accept 443 -www
 .Ve
+.PP
 can be used for example.
 .PP
 Most web browsers (in particular Netscape and \s-1MSIE\s0) only support \s-1RSA\s0 cipher
@@ -382,4 +380,4 @@ There should be a way for the \fBs_server\fR program to print out details of any
 unknown cipher suites a client says it supports.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-sess_id(1), s_client(1), ciphers(1)
+\&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1
new file mode 100644
index 0000000..03b6e0e
--- /dev/null
+++ b/secure/usr.bin/openssl/man/s_time.1
@@ -0,0 +1,278 @@
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sh \" Subsection heading
+.br
+.if t .Sp
+.ne 5
+.PP
+\fB\\$1\fR
+.PP
+..
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  | will give a
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
+.tr \(*W-|\(bv\*(Tr
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` ""
+.    ds C' ""
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.if \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.\"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.hy 0
+.if n .na
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "S_TIME 1"
+.TH S_TIME 1 "2005-02-25" "0.9.7d" "OpenSSL"
+.SH "NAME"
+s_time \- SSL/TLS performance timing program
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBopenssl\fR \fBs_time\fR
+[\fB\-connect host:port\fR]
+[\fB\-www page\fR]
+[\fB\-cert filename\fR]
+[\fB\-key filename\fR]
+[\fB\-CApath directory\fR]
+[\fB\-CAfile filename\fR]
+[\fB\-reuse\fR]
+[\fB\-new\fR]
+[\fB\-verify depth\fR]
+[\fB\-nbio\fR]
+[\fB\-time seconds\fR]
+[\fB\-ssl2\fR]
+[\fB\-ssl3\fR]
+[\fB\-bugs\fR]
+[\fB\-cipher cipherlist\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a
+remote host using \s-1SSL/TLS\s0. It can request a page from the server and includes
+the time to transfer the payload data in its timing measurements. It measures
+the number of connections within a given timeframe, the amount of data
+transferred (if any), and calculates the average time spent for one connection.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+.IP "\fB\-connect host:port\fR" 4
+.IX Item "-connect host:port"
+This specifies the host and optional port to connect to.
+.IP "\fB\-www page\fR" 4
+.IX Item "-www page"
+This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the
+index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only
+perform the handshake to establish \s-1SSL\s0 connections but not transfer any
+payload data.
+.IP "\fB\-cert certname\fR" 4
+.IX Item "-cert certname"
+The certificate to use, if one is requested by the server. The default is
+not to use a certificate. The file is in \s-1PEM\s0 format.
+.IP "\fB\-key keyfile\fR" 4
+.IX Item "-key keyfile"
+The private key to use. If not specified then the certificate file will
+be used. The file is in \s-1PEM\s0 format.
+.IP "\fB\-verify depth\fR" 4
+.IX Item "-verify depth"
+The verify depth to use. This specifies the maximum length of the
+server certificate chain and turns on server certificate verification.
+Currently the verify operation continues after errors so all the problems
+with a certificate chain can be seen. As a side effect the connection
+will never fail due to a server certificate verify failure.
+.IP "\fB\-CApath directory\fR" 4
+.IX Item "-CApath directory"
+The directory to use for server certificate verification. This directory
+must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
+also used when building the client certificate chain.
+.IP "\fB\-CAfile file\fR" 4
+.IX Item "-CAfile file"
+A file containing trusted certificates to use during server authentication
+and to use when attempting to build the client certificate chain.
+.IP "\fB\-new\fR" 4
+.IX Item "-new"
+performs the timing test using a new session \s-1ID\s0 for each connection.
+If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default
+and executed in sequence.
+.IP "\fB\-reuse\fR" 4
+.IX Item "-reuse"
+performs the timing test using the same session \s-1ID\s0; this can be used as a test
+that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are
+specified, they are both on by default and executed in sequence.
+.IP "\fB\-nbio\fR" 4
+.IX Item "-nbio"
+turns on non-blocking I/O.
+.IP "\fB\-ssl2\fR, \fB\-ssl3\fR" 4
+.IX Item "-ssl2, -ssl3"
+these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default
+the initial handshake uses a method which should be compatible with all
+servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate.
+The timing program is not as rich in options to turn protocols on and off as
+the \fIs_client\fR\|(1) program and may not connect to all servers.
+.Sp
+Unfortunately there are a lot of ancient and broken servers in use which
+cannot handle this technique and will fail to connect. Some servers only
+work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option; others
+will only support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option.
+.IP "\fB\-bugs\fR" 4
+.IX Item "-bugs"
+there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
+option enables various workarounds.
+.IP "\fB\-cipher cipherlist\fR" 4
+.IX Item "-cipher cipherlist"
+this allows the cipher list sent by the client to be modified. Although
+the server determines which cipher suite is used it should take the first
+supported cipher in the list sent by the client.
+See the \fIciphers\fR\|(1) command for more information.
+.IP "\fB\-time length\fR" 4
+.IX Item "-time length"
+specifies how long (in seconds) \fBs_time\fR should establish connections and
+optionally transfer payload data from a server. Server and client performance
+and the link speed determine how many connections \fBs_time\fR can establish.
+.SH "NOTES"
+.IX Header "NOTES"
+\&\fBs_client\fR can be used to measure the performance of an \s-1SSL\s0 connection.
+To connect to an \s-1SSL\s0 \s-1HTTP\s0 server and get the default page the command
+.PP
+.Vb 1
+\& openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3]
+.Ve
+.PP
+would typically be used (https uses port 443). 'commoncipher' is a cipher to
+which both client and server can agree, see the \fIciphers\fR\|(1) command
+for details.
+.PP
+If the handshake fails then there are several possible causes, if it is
+nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR,
+\&\fB\-ssl3\fR options can be tried
+in case it is a buggy server. In particular you should play with these
+options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
+.PP
+A frequent problem when attempting to get client certificates working
+is that a web client complains it has no certificates or gives an empty
+list to choose from. This is normally because the server is not sending
+the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
+requests a certificate. By using \fIs_client\fR\|(1) the \s-1CA\s0 list can be
+viewed and checked. However some servers only request client authentication
+after a specific \s-1URL\s0 is requested. To obtain the list in this case it
+is necessary to use the \fB\-prexit\fR option of \fIs_client\fR\|(1) and
+send an \s-1HTTP\s0 request for an appropriate page.
+.PP
+If a certificate is specified on the command line using the \fB\-cert\fR
+option it will not be used unless the server specifically requests
+a client certificate. Therefor merely including a client certificate
+on the command line is no guarantee that the certificate works.
+.SH "BUGS"
+.IX Header "BUGS"
+Because this program does not have all the options of the
+\&\fIs_client\fR\|(1) program to turn protocols on and off, you may not be
+able to measure the performance of all protocols with all servers.
+.PP
+The \fB\-verify\fR option should really exit if the server verification
+fails.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
index 87063c1..4ade266 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "SESS_ID 1"
-.TH SESS_ID 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH SESS_ID 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-sess_id \- \s-1SSL/TLS\s0 session handling utility
+sess_id \- SSL/TLS session handling utility
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBsess_id\fR
@@ -159,36 +149,36 @@ and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0
 master key) in human readable format. Since this is a diagnostic tool that
 needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will
 not need to use it.
-.Ip "\fB\-inform DER|PEM\fR" 4
+.IP "\fB\-inform DER|PEM\fR" 4
 .IX Item "-inform DER|PEM"
 This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1\s0 \s-1DER\s0 encoded
 format containing session details. The precise format can vary from one version
 to the next.  The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR
 format base64 encoded with additional header and footer lines.
-.Ip "\fB\-outform DER|PEM\fR" 4
+.IP "\fB\-outform DER|PEM\fR" 4
 .IX Item "-outform DER|PEM"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read session information from or standard
 input by default.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write session information to or standard
 output if this option is not specified.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the various public or private key components in
 plain text in addition to the encoded version. 
-.Ip "\fB\-cert\fR" 4
+.IP "\fB\-cert\fR" 4
 .IX Item "-cert"
 if a certificate is present in the session it will be output using this option,
 if the \fB\-text\fR option is also present then it will be printed out in text form.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option prevents output of the encoded version of the session.
-.Ip "\fB\-context \s-1ID\s0\fR" 4
+.IP "\fB\-context \s-1ID\s0\fR" 4
 .IX Item "-context ID"
 this option can set the session id so the output session information uses the
 supplied \s-1ID\s0. The \s-1ID\s0 can be any string of characters. This option wont normally
@@ -209,33 +199,34 @@ Typical output:
 \&     Timeout   : 300 (sec)
 \&     Verify return code 0 (ok)
 .Ve
+.PP
 Theses are described below in more detail.
-.Ip "\fBProtocol\fR" 4
+.IP "\fBProtocol\fR" 4
 .IX Item "Protocol"
 this is the protocol in use TLSv1, SSLv3 or SSLv2.
-.Ip "\fBCipher\fR" 4
+.IP "\fBCipher\fR" 4
 .IX Item "Cipher"
 the cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0
 or \s-1TLS\s0 specifications for more information.
-.Ip "\fBSession-ID\fR" 4
+.IP "\fBSession-ID\fR" 4
 .IX Item "Session-ID"
 the \s-1SSL\s0 session \s-1ID\s0 in hex format.
-.Ip "\fBSession-ID-ctx\fR" 4
+.IP "\fBSession-ID-ctx\fR" 4
 .IX Item "Session-ID-ctx"
 the session \s-1ID\s0 context in hex format.
-.Ip "\fBMaster-Key\fR" 4
+.IP "\fBMaster-Key\fR" 4
 .IX Item "Master-Key"
 this is the \s-1SSL\s0 session master key.
-.Ip "\fBKey-Arg\fR" 4
+.IP "\fBKey-Arg\fR" 4
 .IX Item "Key-Arg"
 the key argument, this is only used in \s-1SSL\s0 v2.
-.Ip "\fBStart Time\fR" 4
+.IP "\fBStart Time\fR" 4
 .IX Item "Start Time"
 this is the session start time represented as an integer in standard Unix format.
-.Ip "\fBTimeout\fR" 4
+.IP "\fBTimeout\fR" 4
 .IX Item "Timeout"
 the timeout in seconds.
-.Ip "\fBVerify return code\fR" 4
+.IP "\fBVerify return code\fR" 4
 .IX Item "Verify return code"
 this is the return code when an \s-1SSL\s0 client certificate is verified.
 .SH "NOTES"
@@ -246,6 +237,7 @@ The \s-1PEM\s0 encoded session format uses the header and footer lines:
 \& -----BEGIN SSL SESSION PARAMETERS-----
 \& -----END SSL SESSION PARAMETERS-----
 .Ve
+.PP
 Since the \s-1SSL\s0 session output contains the master key it is possible to read the contents
 of an encrypted session using this information. Therefore appropriate security precautions
 should be taken if the information is being output by a \*(L"real\*(R" application. This is
@@ -255,4 +247,4 @@ however strongly discouraged and should only be used for debugging purposes.
 The cipher and start time should be printed out in human readable form.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-ciphers(1), s_server(1)
+\&\fIciphers\fR\|(1), \fIs_server\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
index 64323c5..66f86bc 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "SMIME 1"
-.TH SMIME 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH SMIME 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 smime \- S/MIME utility
 .SH "SYNOPSIS"
@@ -155,6 +145,9 @@ smime \- S/MIME utility
 [\fB\-rc2\-40\fR]
 [\fB\-rc2\-64\fR]
 [\fB\-rc2\-128\fR]
+[\fB\-aes128\fR]
+[\fB\-aes192\fR]
+[\fB\-aes256\fR]
 [\fB\-in file\fR]
 [\fB\-certfile file\fR]
 [\fB\-signer file\fR]
@@ -169,7 +162,7 @@ smime \- S/MIME utility
 [\fB\-from ad\fR]
 [\fB\-subject s\fR]
 [\fB\-text\fR]
-[\fB\-rand \f(BIfile\fB\|(s)\fR]
+[\fB\-rand file(s)\fR]
 [cert.pem]...
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
@@ -179,32 +172,32 @@ verify S/MIME messages.
 .IX Header "COMMAND OPTIONS"
 There are five operation options that set the type of operation to be performed.
 The meaning of the other options varies according to the operation type.
-.Ip "\fB\-encrypt\fR" 4
+.IP "\fB\-encrypt\fR" 4
 .IX Item "-encrypt"
 encrypt mail for the given recipient certificates. Input file is the message
 to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
-.Ip "\fB\-decrypt\fR" 4
+.IP "\fB\-decrypt\fR" 4
 .IX Item "-decrypt"
 decrypt mail using the supplied certificate and private key. Expects an
 encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
 is written to the output file.
-.Ip "\fB\-sign\fR" 4
+.IP "\fB\-sign\fR" 4
 .IX Item "-sign"
 sign mail using the supplied certificate and private key. Input file is
 the message to be signed. The signed message in \s-1MIME\s0 format is written
 to the output file.
-.Ip "\fB\-verify\fR" 4
+.IP "\fB\-verify\fR" 4
 .IX Item "-verify"
 verify signed mail. Expects a signed mail message on input and outputs
 the signed data. Both clear text and opaque signing is supported.
-.Ip "\fB\-pk7out\fR" 4
+.IP "\fB\-pk7out\fR" 4
 .IX Item "-pk7out"
 takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 the input message to be encrypted or signed or the \s-1MIME\s0 message to
 be decrypted or verified.
-.Ip "\fB\-inform SMIME|PEM|DER\fR" 4
+.IP "\fB\-inform SMIME|PEM|DER\fR" 4
 .IX Item "-inform SMIME|PEM|DER"
 this specifies the input format for the PKCS#7 structure. The default
 is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
@@ -212,11 +205,11 @@ format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
 instead. This currently only affects the input format of the PKCS#7
 structure, if no PKCS#7 structure is being input (for example with
 \&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 the message text that has been decrypted or verified or the output \s-1MIME\s0
 format message that has been signed or verified.
-.Ip "\fB\-outform SMIME|PEM|DER\fR" 4
+.IP "\fB\-outform SMIME|PEM|DER\fR" 4
 .IX Item "-outform SMIME|PEM|DER"
 this specifies the output format for the PKCS#7 structure. The default
 is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
@@ -224,108 +217,108 @@ format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
 instead. This currently only affects the output format of the PKCS#7
 structure, if no PKCS#7 structure is being output (for example with
 \&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
-.Ip "\fB\-content filename\fR" 4
+.IP "\fB\-content filename\fR" 4
 .IX Item "-content filename"
 This specifies a file containing the detached content, this is only
 useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
 structure is using the detached signature form where the content is
 not included. This option will override any content if the input format
 is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
 off text headers: if the decrypted or verified message is not of \s-1MIME\s0 
 type text/plain then an error occurs.
-.Ip "\fB\-CAfile file\fR" 4
+.IP "\fB\-CAfile file\fR" 4
 .IX Item "-CAfile file"
 a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
-.Ip "\fB\-CApath dir\fR" 4
+.IP "\fB\-CApath dir\fR" 4
 .IX Item "-CApath dir"
 a directory containing trusted \s-1CA\s0 certificates, only used with
 \&\fB\-verify\fR. This directory must be a standard certificate directory: that
 is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
 to each certificate.
-.Ip "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128\fR" 4
-.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128"
-the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits)
-or 40, 64 or 128 bit \s-1RC2\s0 respectively if not specified 40 bit \s-1RC2\s0 is
-used. Only used with \fB\-encrypt\fR.
-.Ip "\fB\-nointern\fR" 4
+.IP "\fB\-des \-des3 \-rc2\-40 \-rc2\-64 \-rc2\-128 \-aes128 \-aes192 \-aes256\fR" 4
+.IX Item "-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256"
+the encryption algorithm to use. \s-1DES\s0 (56 bits), triple \s-1DES\s0 (168 bits),
+40, 64 or 128 bit \s-1RC2\s0 or 128, 192 or 256 bit \s-1AES\s0 respectively.  If not
+specified 40 bit \s-1RC2\s0 is used. Only used with \fB\-encrypt\fR.
+.IP "\fB\-nointern\fR" 4
 .IX Item "-nointern"
 when verifying a message normally certificates (if any) included in
 the message are searched for the signing certificate. With this option
 only the certificates specified in the \fB\-certfile\fR option are used.
 The supplied certificates can still be used as untrusted CAs however.
-.Ip "\fB\-noverify\fR" 4
+.IP "\fB\-noverify\fR" 4
 .IX Item "-noverify"
 do not verify the signers certificate of a signed message.
-.Ip "\fB\-nochain\fR" 4
+.IP "\fB\-nochain\fR" 4
 .IX Item "-nochain"
 do not do chain verification of signers certificates: that is don't
 use the certificates in the signed message as untrusted CAs.
-.Ip "\fB\-nosigs\fR" 4
+.IP "\fB\-nosigs\fR" 4
 .IX Item "-nosigs"
 don't try to verify the signatures on the message.
-.Ip "\fB\-nocerts\fR" 4
+.IP "\fB\-nocerts\fR" 4
 .IX Item "-nocerts"
 when signing a message the signer's certificate is normally included
 with this option it is excluded. This will reduce the size of the
 signed message but the verifier must have a copy of the signers certificate
 available locally (passed using the \fB\-certfile\fR option for example).
-.Ip "\fB\-noattr\fR" 4
+.IP "\fB\-noattr\fR" 4
 .IX Item "-noattr"
 normally when a message is signed a set of attributes are included which
 include the signing time and supported symmetric algorithms. With this
 option they are not included.
-.Ip "\fB\-binary\fR" 4
+.IP "\fB\-binary\fR" 4
 .IX Item "-binary"
 normally the input message is converted to \*(L"canonical\*(R" format which is
 effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
 specification. When this option is present no translation occurs. This
 is useful when handling binary data which may not be in \s-1MIME\s0 format.
-.Ip "\fB\-nodetach\fR" 4
+.IP "\fB\-nodetach\fR" 4
 .IX Item "-nodetach"
 when signing a message use opaque signing: this form is more resistant
 to translation by mail relays but it cannot be read by mail agents that
 do not support S/MIME.  Without this option cleartext signing with
 the \s-1MIME\s0 type multipart/signed is used.
-.Ip "\fB\-certfile file\fR" 4
+.IP "\fB\-certfile file\fR" 4
 .IX Item "-certfile file"
 allows additional certificates to be specified. When signing these will
 be included with the message. When verifying these will be searched for
 the signers certificates. The certificates should be in \s-1PEM\s0 format.
-.Ip "\fB\-signer file\fR" 4
+.IP "\fB\-signer file\fR" 4
 .IX Item "-signer file"
 the signers certificate when signing a message. If a message is
 being verified then the signers certificates will be written to this
 file if the verification was successful.
-.Ip "\fB\-recip file\fR" 4
+.IP "\fB\-recip file\fR" 4
 .IX Item "-recip file"
 the recipients certificate when decrypting a message. This certificate
 must match one of the recipients of the message or an error occurs.
-.Ip "\fB\-inkey file\fR" 4
+.IP "\fB\-inkey file\fR" 4
 .IX Item "-inkey file"
 the private key to use when signing or decrypting. This must match the
 corresponding certificate. If this option is not specified then the
 private key must be included in the certificate file specified with
 the \fB\-recip\fR or \fB\-signer\fR file.
-.Ip "\fB\-passin arg\fR" 4
+.IP "\fB\-passin arg\fR" 4
 .IX Item "-passin arg"
 the private key password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-rand \f(BIfile\fB\|(s)\fR" 4
-.IX Item "-rand file"
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-rand file(s)\fR" 4
+.IX Item "-rand file(s)"
 a file or files containing random data used to seed the random number
-generator, or an \s-1EGD\s0 socket (see RAND_egd(3)).
+generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)).
 Multiple files can be specified separated by a OS-dependent character.
-The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
+The separator is \fB;\fR for MS\-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
 all others.
-.Ip "\fBcert.pem...\fR" 4
+.IP "\fBcert.pem...\fR" 4
 .IX Item "cert.pem..."
 one or more certificates of message recipients: used when encrypting
 a message. 
-.Ip "\fB\-to, \-from, \-subject\fR" 4
+.IP "\fB\-to, \-from, \-subject\fR" 4
 .IX Item "-to, -from, -subject"
 the relevant mail headers. These are included outside the signed
 portion of a message so they may be included manually. If signing
@@ -357,22 +350,22 @@ clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
 encrypted data is used for other purposes.
 .SH "EXIT CODES"
 .IX Header "EXIT CODES"
-.Ip "0" 4
+.IP "0" 4
 the operation was completely successfully.
-.Ip "1" 4
+.IP "1" 4
 .IX Item "1"
 an error occurred parsing the command options.
-.Ip "2" 4
+.IP "2" 4
 .IX Item "2"
 one of the input files could not be read.
-.Ip "3" 4
+.IP "3" 4
 .IX Item "3"
 an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
 message.
-.Ip "4" 4
+.IP "4" 4
 .IX Item "4"
 an error occurred decrypting or verifying the message.
-.Ip "5" 4
+.IP "5" 4
 .IX Item "5"
 the message was verified correctly but an error occurred writing out
 the signers certificates.
@@ -384,12 +377,14 @@ Create a cleartext signed message:
 \& openssl smime -sign -in message.txt -text -out mail.msg \e
 \&        -signer mycert.pem
 .Ve
+.PP
 Create and opaque signed message
 .PP
 .Vb 2
 \& openssl smime -sign -in message.txt -text -out mail.msg -nodetach \e
 \&        -signer mycert.pem
 .Ve
+.PP
 Create a signed message, include some additional certificates and
 read the private key from another file:
 .PP
@@ -397,6 +392,7 @@ read the private key from another file:
 \& openssl smime -sign -in in.txt -text -out mail.msg \e
 \&        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
 .Ve
+.PP
 Send a signed message under Unix directly to sendmail, including headers:
 .PP
 .Vb 3
@@ -404,11 +400,13 @@ Send a signed message under Unix directly to sendmail, including headers:
 \&        -from steve@openssl.org -to someone@somewhere \e
 \&        -subject "Signed message" | sendmail someone@somewhere
 .Ve
+.PP
 Verify a message and extract the signer's certificate if successful:
 .PP
 .Vb 1
 \& openssl smime -verify -in mail.msg -signer user.pem -out signedtext.txt
 .Ve
+.PP
 Send encrypted mail using triple \s-1DES:\s0
 .PP
 .Vb 3
@@ -416,6 +414,7 @@ Send encrypted mail using triple \s-1DES:\s0
 \&        -to someone@somewhere -subject "Encrypted message" \e
 \&        -des3 user.pem -out mail.msg
 .Ve
+.PP
 Sign and encrypt mail:
 .PP
 .Vb 4
@@ -424,6 +423,7 @@ Sign and encrypt mail:
 \&        -from steve@openssl.org -to someone@somewhere \e
 \&        -subject "Signed and Encrypted message" -des3 user.pem
 .Ve
+.PP
 Note: the encryption command does not include the \fB\-text\fR option because the message
 being encrypted already has \s-1MIME\s0 headers.
 .PP
@@ -432,6 +432,7 @@ Decrypt mail:
 .Vb 1
 \& openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
 .Ve
+.PP
 The output from Netscape form signing is a PKCS#7 structure with the
 detached signature format. You can use this program to verify the
 signature by line wrapping the base64 encoded structure and surrounding
@@ -441,11 +442,13 @@ it with:
 \& -----BEGIN PKCS7-----
 \& -----END PKCS7-----
 .Ve
+.PP
 and using the command, 
 .PP
 .Vb 1
 \& openssl smime -verify -inform PEM -in signature.pem -content content.txt
 .Ve
+.PP
 alternatively you can base64 decode the signature and use
 .PP
 .Vb 1
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
index fba9d81..d659da2 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:37 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "SPEED 1"
-.TH SPEED 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH SPEED 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 speed \- test library performance
 .SH "SYNOPSIS"
@@ -157,7 +147,7 @@ speed \- test library performance
 [\fBrc5\-cbc\fR]
 [\fBbf-cbc\fR]
 [\fBdes-cbc\fR]
-[\fBdes-ede3\fR]
+[\fBdes\-ede3\fR]
 [\fBrc4\fR]
 [\fBrsa512\fR]
 [\fBrsa1024\fR]
@@ -176,13 +166,13 @@ speed \- test library performance
 This command is used to test the performance of cryptographic algorithms.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBspeed\fR
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
-.Ip "\fB[zero or more test algorithms]\fR" 4
+.IP "\fB[zero or more test algorithms]\fR" 4
 .IX Item "[zero or more test algorithms]"
 If any options are given, \fBspeed\fR tests those algorithms, otherwise all of
 the above are tested.
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
index 4841c47..64bb77d 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,13 +126,12 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "SPKAC 1"
-.TH SPKAC 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH SPKAC 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
-spkac \- \s-1SPKAC\s0 printing and generating utility
+spkac \- SPKAC printing and generating utility
 .SH "SYNOPSIS"
 .IX Header "SYNOPSIS"
 \&\fBopenssl\fR \fBspkac\fR
@@ -163,47 +153,47 @@ The \fBspkac\fR command processes Netscape signed public key and challenge
 produce its own SPKACs from a supplied private key.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read from or standard input if this
 option is not specified. Ignored if the \fB\-key\fR option is used.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 specifies the output filename to write to or standard output by
 default.
-.Ip "\fB\-key keyfile\fR" 4
+.IP "\fB\-key keyfile\fR" 4
 .IX Item "-key keyfile"
 create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
 \&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
 present.
-.Ip "\fB\-passin password\fR" 4
+.IP "\fB\-passin password\fR" 4
 .IX Item "-passin password"
 the input file password source. For more information about the format of \fBarg\fR
-see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in openssl(1).
-.Ip "\fB\-challenge string\fR" 4
+see the \fB\s-1PASS\s0 \s-1PHRASE\s0 \s-1ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1).
+.IP "\fB\-challenge string\fR" 4
 .IX Item "-challenge string"
 specifies the challenge string if an \s-1SPKAC\s0 is being created.
-.Ip "\fB\-spkac spkacname\fR" 4
+.IP "\fB\-spkac spkacname\fR" 4
 .IX Item "-spkac spkacname"
 allows an alternative name form the variable containing the
 \&\s-1SPKAC\s0. The default is \*(L"\s-1SPKAC\s0\*(R". This option affects both
 generated and input \s-1SPKAC\s0 files.
-.Ip "\fB\-spksect section\fR" 4
+.IP "\fB\-spksect section\fR" 4
 .IX Item "-spksect section"
 allows an alternative name form the section containing the
 \&\s-1SPKAC\s0. The default is the default section.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 don't output the text version of the \s-1SPKAC\s0 (not used if an
 \&\s-1SPKAC\s0 is being created).
-.Ip "\fB\-pubkey\fR" 4
+.IP "\fB\-pubkey\fR" 4
 .IX Item "-pubkey"
 output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
 being created).
-.Ip "\fB\-verify\fR" 4
+.IP "\fB\-verify\fR" 4
 .IX Item "-verify"
 verifies the digital signature on the supplied \s-1SPKAC\s0.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -216,16 +206,19 @@ Print out the contents of an \s-1SPKAC:\s0
 .Vb 1
 \& openssl spkac -in spkac.cnf
 .Ve
+.PP
 Verify the signature of an \s-1SPKAC:\s0
 .PP
 .Vb 1
 \& openssl spkac -in spkac.cnf -noout -verify
 .Ve
+.PP
 Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
 .PP
 .Vb 1
 \& openssl spkac -key key.pem -challenge hello -out spkac.cnf
 .Ve
+.PP
 Example of an \s-1SPKAC\s0, (long lines split up for clarity):
 .PP
 .Vb 5
@@ -252,4 +245,4 @@ some applications. Without this it is possible for a previous \s-1SPKAC\s0
 to be used in a \*(L"replay attack\*(R".
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-ca(1)
+\&\fIca\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index f2ea599..2c6eec4 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "VERIFY 1"
-.TH VERIFY 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH VERIFY 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 verify \- Utility to verify certificates.
 .SH "SYNOPSIS"
@@ -152,52 +142,52 @@ verify \- Utility to verify certificates.
 [\fB\-help\fR]
 [\fB\-issuer_checks\fR]
 [\fB\-verbose\fR]
-[\fB-\fR]
+[\fB\-\fR]
 [certificates]
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
 The \fBverify\fR command verifies certificate chains.
 .SH "COMMAND OPTIONS"
 .IX Header "COMMAND OPTIONS"
-.Ip "\fB\-CApath directory\fR" 4
+.IP "\fB\-CApath directory\fR" 4
 .IX Item "-CApath directory"
 A directory of trusted certificates. The certificates should have names
 of the form: hash.0 or have symbolic links to them of this
 form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
 of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
 create symbolic links to a directory of certificates.
-.Ip "\fB\-CAfile file\fR" 4
+.IP "\fB\-CAfile file\fR" 4
 .IX Item "-CAfile file"
 A file of trusted certificates. The file should contain multiple certificates
 in \s-1PEM\s0 format concatenated together.
-.Ip "\fB\-untrusted file\fR" 4
+.IP "\fB\-untrusted file\fR" 4
 .IX Item "-untrusted file"
 A file of untrusted certificates. The file should contain multiple certificates
-.Ip "\fB\-purpose purpose\fR" 4
+.IP "\fB\-purpose purpose\fR" 4
 .IX Item "-purpose purpose"
 the intended use for the certificate. Without this option no chain verification
 will be done. Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR,
 \&\fBnssslserver\fR, \fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY\s0 \s-1OPERATION\s0\fR
 section for more information.
-.Ip "\fB\-help\fR" 4
+.IP "\fB\-help\fR" 4
 .IX Item "-help"
 prints out a usage message.
-.Ip "\fB\-verbose\fR" 4
+.IP "\fB\-verbose\fR" 4
 .IX Item "-verbose"
 print extra information about the operations being performed.
-.Ip "\fB\-issuer_checks\fR" 4
+.IP "\fB\-issuer_checks\fR" 4
 .IX Item "-issuer_checks"
 print out diagnostics relating to searches for the issuer certificate
 of the current certificate. This shows why each candidate issuer
 certificate was rejected. However the presence of rejection messages
 does not itself imply that anything is wrong: during the normal
 verify process several rejections may take place.
-.Ip "\fB-\fR" 4
+.IP "\fB\-\fR" 4
 .IX Item "-"
 marks the last option. All arguments following this are assumed to be
 certificate files. This is useful if the first certificate filename begins
-with a \fB-\fR.
-.Ip "\fBcertificates\fR" 4
+with a \fB\-\fR.
+.IP "\fBcertificates\fR" 4
 .IX Item "certificates"
 one or more certificates to verify. If no certificate filenames are included
 then an attempt is made to read a certificate from standard input. They should
@@ -267,6 +257,7 @@ general form of the error message is:
 \& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
 \& error 24 at 1 depth lookup:invalid CA certificate
 .Ve
+.PP
 The first line contains the name of the certificate being verified followed by
 the subject name of the certificate. The second line contains the error number
 and the depth. The depth is number of the certificate being verified when a
@@ -278,119 +269,119 @@ An exhaustive list of the error codes and messages is shown below, this also
 includes the name of the error code as defined in the header file x509_vfy.h
 Some of the error codes are defined but never returned: these are described
 as \*(L"unused\*(R".
-.Ip "\fB0 X509_V_OK: ok\fR" 4
+.IP "\fB0 X509_V_OK: ok\fR" 4
 .IX Item "0 X509_V_OK: ok"
 the operation was successful.
-.Ip "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
+.IP "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
 .IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate"
 the issuer certificate could not be found: this occurs if the issuer certificate
 of an untrusted certificate cannot be found.
-.Ip "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR" 4
+.IP "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate \s-1CRL\s0\fR" 4
 .IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL unable to get certificate CRL"
 the \s-1CRL\s0 of a certificate could not be found. Unused.
-.Ip "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
+.IP "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
 .IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
 the certificate signature could not be decrypted. This means that the actual signature value
 could not be determined rather than it not matching the expected value, this is only
 meaningful for \s-1RSA\s0 keys.
-.Ip "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
+.IP "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
 .IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
 the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value
 could not be determined rather than it not matching the expected value. Unused.
-.Ip "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
+.IP "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
 .IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key"
 the public key in the certificate SubjectPublicKeyInfo could not be read.
-.Ip "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
+.IP "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
 .IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
 the signature of the certificate is invalid.
-.Ip "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
+.IP "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
 .IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
 the signature of the certificate is invalid. Unused.
-.Ip "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
+.IP "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
 .IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
 the certificate is not yet valid: the notBefore date is after the current time.
-.Ip "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
+.IP "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
 .IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
 the certificate has expired: that is the notAfter date is before the current time.
-.Ip "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
+.IP "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
 .IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
 the \s-1CRL\s0 is not yet valid. Unused.
-.Ip "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
+.IP "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
 .IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
 the \s-1CRL\s0 has expired. Unused.
-.Ip "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
+.IP "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
 .IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
 the certificate notBefore field contains an invalid time.
-.Ip "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
+.IP "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
 .IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
 the certificate notAfter field contains an invalid time.
-.Ip "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
+.IP "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
 .IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
 the \s-1CRL\s0 lastUpdate field contains an invalid time. Unused.
-.Ip "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
+.IP "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
 .IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
 the \s-1CRL\s0 nextUpdate field contains an invalid time. Unused.
-.Ip "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
+.IP "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
 .IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory"
 an error occurred trying to allocate memory. This should never happen.
-.Ip "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
+.IP "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
 .IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate"
 the passed certificate is self signed and the same certificate cannot be found in the list of
 trusted certificates.
-.Ip "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
+.IP "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
 .IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain"
 the certificate chain could be built up using the untrusted certificates but the root could not
 be found locally.
-.Ip "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
+.IP "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
 .IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate"
 the issuer certificate of a locally looked up certificate could not be found. This normally means
 the list of trusted certificates is not complete.
-.Ip "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
+.IP "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
 .IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate"
 no signatures could be verified because the chain contains only one certificate and it is not
 self signed.
-.Ip "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
+.IP "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
 .IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long"
 the certificate chain length is greater than the supplied maximum depth. Unused.
-.Ip "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
+.IP "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
 .IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked"
 the certificate has been revoked. Unused.
-.Ip "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
+.IP "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
 .IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate"
 a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent
 with the supplied purpose.
-.Ip "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
+.IP "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
 .IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded"
 the basicConstraints pathlength parameter has been exceeded.
-.Ip "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
+.IP "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
 .IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose"
 the supplied certificate cannot be used for the specified purpose.
-.Ip "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
+.IP "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
 .IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
 the root \s-1CA\s0 is not marked as trusted for the specified purpose.
-.Ip "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
+.IP "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
 .IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected"
 the root \s-1CA\s0 is marked to reject the specified purpose.
-.Ip "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
+.IP "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
 .IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
 the current candidate issuer certificate was rejected because its subject name
 did not match the issuer name of the current certificate. Only displayed when
 the \fB\-issuer_checks\fR option is set.
-.Ip "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
+.IP "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
 .IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch"
 the current candidate issuer certificate was rejected because its subject key
 identifier was present and did not match the authority key identifier current
 certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
-.Ip "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
+.IP "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
 .IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch"
 the current candidate issuer certificate was rejected because its issuer name
 and serial number was present and did not match the authority key identifier
 of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set.
-.Ip "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
+.IP "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
 .IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing"
 the current candidate issuer certificate was rejected because its keyUsage extension
 does not permit certificate signing.
-.Ip "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
+.IP "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
 .IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure"
 an application specific error. Unused.
 .SH "BUGS"
@@ -405,4 +396,4 @@ Previous versions of OpenSSL assume certificates with matching subject name are
 mishandled them.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-x509(1)
+\&\fIx509\fR\|(1)
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
index 730647d..9bb441d 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/version.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "VERSION 1"
-.TH VERSION 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH VERSION 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 version \- print OpenSSL version information
 .SH "SYNOPSIS"
@@ -156,25 +146,25 @@ version \- print OpenSSL version information
 This command is used to print out version information about OpenSSL.
 .SH "OPTIONS"
 .IX Header "OPTIONS"
-.Ip "\fB\-a\fR" 4
+.IP "\fB\-a\fR" 4
 .IX Item "-a"
 all information, this is the same as setting all the other flags.
-.Ip "\fB\-v\fR" 4
+.IP "\fB\-v\fR" 4
 .IX Item "-v"
 the current OpenSSL version.
-.Ip "\fB\-b\fR" 4
+.IP "\fB\-b\fR" 4
 .IX Item "-b"
 the date the current version of OpenSSL was built.
-.Ip "\fB\-o\fR" 4
+.IP "\fB\-o\fR" 4
 .IX Item "-o"
 option information: various options set when the library was built.
-.Ip "\fB\-c\fR" 4
+.IP "\fB\-c\fR" 4
 .IX Item "-c"
 compilation flags.
-.Ip "\fB\-p\fR" 4
+.IP "\fB\-p\fR" 4
 .IX Item "-p"
 platform setting.
-.Ip "\fB\-d\fR" 4
+.IP "\fB\-d\fR" 4
 .IX Item "-d"
 \&\s-1OPENSSLDIR\s0 setting.
 .SH "NOTES"
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index 380d1a0..a61b513 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -1,8 +1,7 @@
-.\" Automatically generated by Pod::Man version 1.15
-.\" Wed Feb 19 16:49:38 2003
+.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
 .\"
 .\" Standard preamble:
-.\" ======================================================================
+.\" ========================================================================
 .de Sh \" Subsection heading
 .br
 .if t .Sp
@@ -15,12 +14,6 @@
 .if t .sp .5v
 .if n .sp
 ..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
 .de Vb \" Begin verbatim text
 .ft CW
 .nf
@@ -28,15 +21,14 @@
 ..
 .de Ve \" End verbatim text
 .ft R
-
 .fi
 ..
 .\" Set up some character translations and predefined strings.  \*(-- will
 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
 .\" double quote, and \*(R" will give a right double quote.  | will give a
-.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used
-.\" to do unbreakable dashes and therefore won't be available.  \*(C` and
-.\" \*(C' expand to `' in nroff, nothing in troff, for use with C<>
+.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
 .tr \(*W-|\(bv\*(Tr
 .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
 .ie n \{\
@@ -56,10 +48,10 @@
 .    ds R" ''
 'br\}
 .\"
-.\" If the F register is turned on, we'll generate index entries on stderr
-.\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
-.\" index entries marked with X<> in POD.  Of course, you'll have to process
-.\" the output yourself in some meaningful fashion.
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
 .if \nF \{\
 .    de IX
 .    tm Index:\\$1\t\\n%\t"\\$2"
@@ -68,14 +60,13 @@
 .    rr F
 .\}
 .\"
-.\" For nroff, turn off justification.  Always turn off hyphenation; it
-.\" makes way too many mistakes in technical documents.
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
 .hy 0
 .if n .na
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
-.bd B 3
 .    \" fudge factors for nroff and troff
 .if n \{\
 .    ds #H 0
@@ -135,11 +126,10 @@
 .    ds Ae AE
 .\}
 .rm #[ #] #H #V #F C
-.\" ======================================================================
+.\" ========================================================================
 .\"
 .IX Title "X509 1"
-.TH X509 1 "0.9.7a" "2003-02-19" "OpenSSL"
-.UC
+.TH X509 1 "2005-02-25" "0.9.7d" "OpenSSL"
 .SH "NAME"
 x509 \- Certificate display and signing utility
 .SH "SYNOPSIS"
@@ -201,7 +191,7 @@ various sections.
 .IX Header "OPTIONS"
 .Sh "\s-1INPUT\s0, \s-1OUTPUT\s0 \s-1AND\s0 \s-1GENERAL\s0 \s-1PURPOSE\s0 \s-1OPTIONS\s0"
 .IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS"
-.Ip "\fB\-inform DER|PEM|NET\fR" 4
+.IP "\fB\-inform DER|PEM|NET\fR" 4
 .IX Item "-inform DER|PEM|NET"
 This specifies the input format normally the command will expect an X509
 certificate but this can change if other options such as \fB\-req\fR are
@@ -209,25 +199,25 @@ present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and
 is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
 added. The \s-1NET\s0 option is an obscure Netscape server format that is now
 obsolete.
-.Ip "\fB\-outform DER|PEM|NET\fR" 4
+.IP "\fB\-outform DER|PEM|NET\fR" 4
 .IX Item "-outform DER|PEM|NET"
 This specifies the output format, the options have the same meaning as the 
 \&\fB\-inform\fR option.
-.Ip "\fB\-in filename\fR" 4
+.IP "\fB\-in filename\fR" 4
 .IX Item "-in filename"
 This specifies the input filename to read a certificate from or standard input
 if this option is not specified.
-.Ip "\fB\-out filename\fR" 4
+.IP "\fB\-out filename\fR" 4
 .IX Item "-out filename"
 This specifies the output filename to write to or standard output by
 default.
-.Ip "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
+.IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4
 .IX Item "-md2|-md5|-sha1|-mdc2"
 the digest to use. This affects any signing or display option that uses a message
 digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not
 specified then \s-1MD5\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key then
 this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys.
-.Ip "\fB\-engine id\fR" 4
+.IP "\fB\-engine id\fR" 4
 .IX Item "-engine id"
 specifying an engine (by it's unique \fBid\fR string) will cause \fBreq\fR
 to attempt to obtain a functional reference to the specified engine,
@@ -237,61 +227,61 @@ for all available algorithms.
 .IX Subsection "DISPLAY OPTIONS"
 Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
 but are described in the \fB\s-1TRUST\s0 \s-1SETTINGS\s0\fR section.
-.Ip "\fB\-text\fR" 4
+.IP "\fB\-text\fR" 4
 .IX Item "-text"
 prints out the certificate in text form. Full details are output including the
 public key, signature algorithms, issuer and subject names, serial number
 any extensions present and any trust settings.
-.Ip "\fB\-certopt option\fR" 4
+.IP "\fB\-certopt option\fR" 4
 .IX Item "-certopt option"
 customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
 a single option or multiple options separated by commas. The \fB\-certopt\fR switch
 may be also be used more than once to set multiple options. See the \fB\s-1TEXT\s0 \s-1OPTIONS\s0\fR
 section for more information.
-.Ip "\fB\-noout\fR" 4
+.IP "\fB\-noout\fR" 4
 .IX Item "-noout"
 this option prevents output of the encoded version of the request.
-.Ip "\fB\-modulus\fR" 4
+.IP "\fB\-modulus\fR" 4
 .IX Item "-modulus"
 this option prints out the value of the modulus of the public key
 contained in the certificate.
-.Ip "\fB\-serial\fR" 4
+.IP "\fB\-serial\fR" 4
 .IX Item "-serial"
 outputs the certificate serial number.
-.Ip "\fB\-hash\fR" 4
+.IP "\fB\-hash\fR" 4
 .IX Item "-hash"
 outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
 form an index to allow certificates in a directory to be looked up by subject
 name.
-.Ip "\fB\-subject\fR" 4
+.IP "\fB\-subject\fR" 4
 .IX Item "-subject"
 outputs the subject name.
-.Ip "\fB\-issuer\fR" 4
+.IP "\fB\-issuer\fR" 4
 .IX Item "-issuer"
 outputs the issuer name.
-.Ip "\fB\-nameopt option\fR" 4
+.IP "\fB\-nameopt option\fR" 4
 .IX Item "-nameopt option"
 option which determines how the subject or issuer names are displayed. The
 \&\fBoption\fR argument can be a single option or multiple options separated by
 commas.  Alternatively the \fB\-nameopt\fR switch may be used more than once to
 set multiple options. See the \fB\s-1NAME\s0 \s-1OPTIONS\s0\fR section for more information.
-.Ip "\fB\-email\fR" 4
+.IP "\fB\-email\fR" 4
 .IX Item "-email"
 outputs the email address(es) if any.
-.Ip "\fB\-startdate\fR" 4
+.IP "\fB\-startdate\fR" 4
 .IX Item "-startdate"
 prints out the start date of the certificate, that is the notBefore date.
-.Ip "\fB\-enddate\fR" 4
+.IP "\fB\-enddate\fR" 4
 .IX Item "-enddate"
 prints out the expiry date of the certificate, that is the notAfter date.
-.Ip "\fB\-dates\fR" 4
+.IP "\fB\-dates\fR" 4
 .IX Item "-dates"
 prints out the start and expiry dates of a certificate.
-.Ip "\fB\-fingerprint\fR" 4
+.IP "\fB\-fingerprint\fR" 4
 .IX Item "-fingerprint"
 prints out the digest of the \s-1DER\s0 encoded version of the whole certificate
 (see digest options).
-.Ip "\fB\-C\fR" 4
+.IP "\fB\-C\fR" 4
 .IX Item "-C"
 this outputs the certificate in the form of a C source file.
 .Sh "\s-1TRUST\s0 \s-1SETTINGS\s0"
@@ -316,37 +306,37 @@ meaning of trust settings.
 .PP
 Future versions of OpenSSL will recognize trust settings on any
 certificate: not just root CAs.
-.Ip "\fB\-trustout\fR" 4
+.IP "\fB\-trustout\fR" 4
 .IX Item "-trustout"
 this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
 or trusted certificate can be input but by default an ordinary
 certificate is output and any trust settings are discarded. With the
 \&\fB\-trustout\fR option a trusted certificate is output. A trusted
 certificate is automatically output if any trust settings are modified.
-.Ip "\fB\-setalias arg\fR" 4
+.IP "\fB\-setalias arg\fR" 4
 .IX Item "-setalias arg"
 sets the alias of the certificate. This will allow the certificate
 to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
-.Ip "\fB\-alias\fR" 4
+.IP "\fB\-alias\fR" 4
 .IX Item "-alias"
 outputs the certificate alias, if any.
-.Ip "\fB\-clrtrust\fR" 4
+.IP "\fB\-clrtrust\fR" 4
 .IX Item "-clrtrust"
 clears all the permitted or trusted uses of the certificate.
-.Ip "\fB\-clrreject\fR" 4
+.IP "\fB\-clrreject\fR" 4
 .IX Item "-clrreject"
 clears all the prohibited or rejected uses of the certificate.
-.Ip "\fB\-addtrust arg\fR" 4
+.IP "\fB\-addtrust arg\fR" 4
 .IX Item "-addtrust arg"
 adds a trusted certificate use. Any object name can be used here
 but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR
 (\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used.
 Other OpenSSL applications may define additional uses.
-.Ip "\fB\-addreject arg\fR" 4
+.IP "\fB\-addreject arg\fR" 4
 .IX Item "-addreject arg"
 adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
 option.
-.Ip "\fB\-purpose\fR" 4
+.IP "\fB\-purpose\fR" 4
 .IX Item "-purpose"
 this option performs tests on the certificate extensions and outputs
 the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
@@ -355,7 +345,7 @@ the results. For a more complete description see the \fB\s-1CERTIFICATE\s0
 .IX Subsection "SIGNING OPTIONS"
 The \fBx509\fR utility can be used to sign certificates and requests: it
 can thus behave like a \*(L"mini \s-1CA\s0\*(R".
-.Ip "\fB\-signkey filename\fR" 4
+.IP "\fB\-signkey filename\fR" 4
 .IX Item "-signkey filename"
 this option causes the input file to be self signed using the supplied
 private key. 
@@ -370,29 +360,29 @@ the \fB\-clrext\fR option is supplied.
 If the input is a certificate request then a self signed certificate
 is created using the supplied private key using the subject name in
 the request.
-.Ip "\fB\-clrext\fR" 4
+.IP "\fB\-clrext\fR" 4
 .IX Item "-clrext"
 delete any extensions from a certificate. This option is used when a
 certificate is being created from another certificate (for example with
 the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
 retained.
-.Ip "\fB\-keyform PEM|DER\fR" 4
+.IP "\fB\-keyform PEM|DER\fR" 4
 .IX Item "-keyform PEM|DER"
 specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
 \&\fB\-signkey\fR option.
-.Ip "\fB\-days arg\fR" 4
+.IP "\fB\-days arg\fR" 4
 .IX Item "-days arg"
 specifies the number of days to make a certificate valid for. The default
 is 30 days.
-.Ip "\fB\-x509toreq\fR" 4
+.IP "\fB\-x509toreq\fR" 4
 .IX Item "-x509toreq"
 converts a certificate into a certificate request. The \fB\-signkey\fR option
 is used to pass the required private key.
-.Ip "\fB\-req\fR" 4
+.IP "\fB\-req\fR" 4
 .IX Item "-req"
 by default a certificate is expected on input. With this option a
 certificate request is expected instead.
-.Ip "\fB\-set_serial n\fR" 4
+.IP "\fB\-set_serial n\fR" 4
 .IX Item "-set_serial n"
 specifies the serial number to use. This option can be used with either
 the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
@@ -401,7 +391,7 @@ option the serial number file (as specified by the \fB\-CAserial\fR or
 .Sp
 The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative
 serial numbers can also be specified but their use is not recommended.
-.Ip "\fB\-CA filename\fR" 4
+.IP "\fB\-CA filename\fR" 4
 .IX Item "-CA filename"
 specifies the \s-1CA\s0 certificate to be used for signing. When this option is
 present \fBx509\fR behaves like a \*(L"mini \s-1CA\s0\*(R". The input file is signed by this
@@ -410,12 +400,12 @@ of the \s-1CA\s0 and it is digitally signed using the CAs private key.
 .Sp
 This option is normally combined with the \fB\-req\fR option. Without the
 \&\fB\-req\fR option the input is a certificate which must be self signed.
-.Ip "\fB\-CAkey filename\fR" 4
+.IP "\fB\-CAkey filename\fR" 4
 .IX Item "-CAkey filename"
 sets the \s-1CA\s0 private key to sign a certificate with. If this option is
 not specified then it is assumed that the \s-1CA\s0 private key is present in
 the \s-1CA\s0 certificate file.
-.Ip "\fB\-CAserial filename\fR" 4
+.IP "\fB\-CAserial filename\fR" 4
 .IX Item "-CAserial filename"
 sets the \s-1CA\s0 serial number file to use.
 .Sp
@@ -427,17 +417,17 @@ use the serial number is incremented and written out to the file again.
 The default filename consists of the \s-1CA\s0 certificate file base name with
 \&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called 
 \&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
-.Ip "\fB\-CAcreateserial\fR" 4
+.IP "\fB\-CAcreateserial\fR" 4
 .IX Item "-CAcreateserial"
 with this option the \s-1CA\s0 serial number file is created if it does not exist:
 it will contain the serial number \*(L"02\*(R" and the certificate being signed will
 have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified
 and the serial number file does not exist it is an error.
-.Ip "\fB\-extfile filename\fR" 4
+.IP "\fB\-extfile filename\fR" 4
 .IX Item "-extfile filename"
 file containing certificate extensions to use. If not specified then
 no extensions are added to the certificate.
-.Ip "\fB\-extensions section\fR" 4
+.IP "\fB\-extensions section\fR" 4
 .IX Item "-extensions section"
 the section to add certificate extensions from. If this option is not
 specified then the extensions should either be contained in the unnamed
@@ -449,45 +439,45 @@ The \fBnameopt\fR command line switch determines how the subject and issuer
 names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
 format is used which is compatible with previous versions of OpenSSL.
 Each option is described in detail below, all options can be preceded by
-a \fB-\fR to turn the option off. Only the first four will normally be used.
-.Ip "\fBcompat\fR" 4
+a \fB\-\fR to turn the option off. Only the first four will normally be used.
+.IP "\fBcompat\fR" 4
 .IX Item "compat"
 use the old format. This is equivalent to specifying no name options at all.
-.Ip "\fB\s-1RFC2253\s0\fR" 4
+.IP "\fB\s-1RFC2253\s0\fR" 4
 .IX Item "RFC2253"
 displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
 \&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
 \&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
-.Ip "\fBoneline\fR" 4
+.IP "\fBoneline\fR" 4
 .IX Item "oneline"
 a oneline format which is more readable than \s-1RFC2253\s0. It is equivalent to
 specifying the  \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
 \&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_spc\fR, \fBspc_eq\fR and \fBsname\fR
 options.
-.Ip "\fBmultiline\fR" 4
+.IP "\fBmultiline\fR" 4
 .IX Item "multiline"
 a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
 \&\fBspc_eq\fR, \fBlname\fR and \fBalign\fR.
-.Ip "\fBesc_2253\fR" 4
+.IP "\fBesc_2253\fR" 4
 .IX Item "esc_2253"
 escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is
 \&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
 and a space character at the beginning or end of a string.
-.Ip "\fBesc_ctrl\fR" 4
+.IP "\fBesc_ctrl\fR" 4
 .IX Item "esc_ctrl"
 escape control characters. That is those with \s-1ASCII\s0 values less than
 0x20 (space) and the delete (0x7f) character. They are escaped using the
 \&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
 character value).
-.Ip "\fBesc_msb\fR" 4
+.IP "\fBesc_msb\fR" 4
 .IX Item "esc_msb"
 escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
 127.
-.Ip "\fBuse_quote\fR" 4
+.IP "\fBuse_quote\fR" 4
 .IX Item "use_quote"
 escapes some characters by surrounding the whole string with \fB"\fR characters,
 without the option all escaping is done with the \fB\e\fR character.
-.Ip "\fButf8\fR" 4
+.IP "\fButf8\fR" 4
 .IX Item "utf8"
 convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253\s0. If
 you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
@@ -497,35 +487,35 @@ present then multibyte characters larger than 0xff will be represented
 using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
 Also if this option is off any UTF8Strings will be converted to their
 character form first.
-.Ip "\fBno_type\fR" 4
+.IP "\fBno_type\fR" 4
 .IX Item "no_type"
 this option does not attempt to interpret multibyte characters in any
 way. That is their content octets are merely dumped as though one octet
 represents each character. This is useful for diagnostic purposes but
 will result in rather odd looking output.
-.Ip "\fBshow_type\fR" 4
+.IP "\fBshow_type\fR" 4
 .IX Item "show_type"
 show the type of the \s-1ASN1\s0 character string. The type precedes the
 field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
-.Ip "\fBdump_der\fR" 4
+.IP "\fBdump_der\fR" 4
 .IX Item "dump_der"
 when this option is set any fields that need to be hexdumped will
 be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
 content octets will be displayed. Both options use the \s-1RFC2253\s0
 \&\fB#XXXX...\fR format.
-.Ip "\fBdump_nostr\fR" 4
+.IP "\fBdump_nostr\fR" 4
 .IX Item "dump_nostr"
 dump non character string types (for example \s-1OCTET\s0 \s-1STRING\s0) if this
 option is not set then non character string types will be displayed
 as though each content octet represents a single character.
-.Ip "\fBdump_all\fR" 4
+.IP "\fBdump_all\fR" 4
 .IX Item "dump_all"
 dump all fields. This option when used with \fBdump_der\fR allows the
 \&\s-1DER\s0 encoding of the structure to be unambiguously determined.
-.Ip "\fBdump_unknown\fR" 4
+.IP "\fBdump_unknown\fR" 4
 .IX Item "dump_unknown"
 dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
-.Ip "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
+.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
 .IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
 these options determine the field separators. The first character is
 between RDNs and the second between multiple AVAs (multiple AVAs are
@@ -534,23 +524,23 @@ very rare and their use is discouraged). The options ending in
 more readable. The \fBsep_multiline\fR uses a linefeed character for
 the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
 indents the fields by four characters.
-.Ip "\fBdn_rev\fR" 4
+.IP "\fBdn_rev\fR" 4
 .IX Item "dn_rev"
 reverse the fields of the \s-1DN\s0. This is required by \s-1RFC2253\s0. As a side
 effect this also reverses the order of multiple AVAs but this is
 permissible.
-.Ip "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
+.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
 .IX Item "nofname, sname, lname, oid"
 these options alter how the field name is displayed. \fBnofname\fR does
 not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
 (\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
 \&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
 diagnostic purpose.
-.Ip "\fBalign\fR" 4
+.IP "\fBalign\fR" 4
 .IX Item "align"
 align field values for a more readable output. Only usable with
 \&\fBsep_multiline\fR.
-.Ip "\fBspc_eq\fR" 4
+.IP "\fBspc_eq\fR" 4
 .IX Item "spc_eq"
 places spaces round the \fB=\fR character which follows the field
 name.
@@ -559,55 +549,55 @@ name.
 As well as customising the name output format, it is also possible to
 customise the actual fields printed using the \fBcertopt\fR options when
 the \fBtext\fR option is present. The default behaviour is to print all fields.
-.Ip "\fBcompatible\fR" 4
+.IP "\fBcompatible\fR" 4
 .IX Item "compatible"
 use the old format. This is equivalent to specifying no output options at all.
-.Ip "\fBno_header\fR" 4
+.IP "\fBno_header\fR" 4
 .IX Item "no_header"
 don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R".
-.Ip "\fBno_version\fR" 4
+.IP "\fBno_version\fR" 4
 .IX Item "no_version"
 don't print out the version number.
-.Ip "\fBno_serial\fR" 4
+.IP "\fBno_serial\fR" 4
 .IX Item "no_serial"
 don't print out the serial number.
-.Ip "\fBno_signame\fR" 4
+.IP "\fBno_signame\fR" 4
 .IX Item "no_signame"
 don't print out the signature algorithm used.
-.Ip "\fBno_validity\fR" 4
+.IP "\fBno_validity\fR" 4
 .IX Item "no_validity"
 don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
-.Ip "\fBno_subject\fR" 4
+.IP "\fBno_subject\fR" 4
 .IX Item "no_subject"
 don't print out the subject name.
-.Ip "\fBno_issuer\fR" 4
+.IP "\fBno_issuer\fR" 4
 .IX Item "no_issuer"
 don't print out the issuer name.
-.Ip "\fBno_pubkey\fR" 4
+.IP "\fBno_pubkey\fR" 4
 .IX Item "no_pubkey"
 don't print out the public key.
-.Ip "\fBno_sigdump\fR" 4
+.IP "\fBno_sigdump\fR" 4
 .IX Item "no_sigdump"
 don't give a hexadecimal dump of the certificate signature.
-.Ip "\fBno_aux\fR" 4
+.IP "\fBno_aux\fR" 4
 .IX Item "no_aux"
 don't print out certificate trust information.
-.Ip "\fBno_extensions\fR" 4
+.IP "\fBno_extensions\fR" 4
 .IX Item "no_extensions"
 don't print out any X509V3 extensions.
-.Ip "\fBext_default\fR" 4
+.IP "\fBext_default\fR" 4
 .IX Item "ext_default"
 retain default extension behaviour: attempt to print out unsupported certificate extensions.
-.Ip "\fBext_error\fR" 4
+.IP "\fBext_error\fR" 4
 .IX Item "ext_error"
 print an error message for unsupported certificate extensions.
-.Ip "\fBext_parse\fR" 4
+.IP "\fBext_parse\fR" 4
 .IX Item "ext_parse"
 \&\s-1ASN1\s0 parse unsupported extensions.
-.Ip "\fBext_dump\fR" 4
+.IP "\fBext_dump\fR" 4
 .IX Item "ext_dump"
 hex dump unsupported extensions.
-.Ip "\fBca_default\fR" 4
+.IP "\fBca_default\fR" 4
 .IX Item "ca_default"
 the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \fBno_header\fR,
 \&\fBno_version\fR, \fBno_sigdump\fR and \fBno_signame\fR.
@@ -621,47 +611,56 @@ Display the contents of a certificate:
 .Vb 1
 \& openssl x509 -in cert.pem -noout -text
 .Ve
+.PP
 Display the certificate serial number:
 .PP
 .Vb 1
 \& openssl x509 -in cert.pem -noout -serial
 .Ve
+.PP
 Display the certificate subject name:
 .PP
 .Vb 1
 \& openssl x509 -in cert.pem -noout -subject
 .Ve
+.PP
 Display the certificate subject name in \s-1RFC2253\s0 form:
 .PP
 .Vb 1
 \& openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
 .Ve
+.PP
 Display the certificate subject name in oneline form on a terminal
 supporting \s-1UTF8:\s0
 .PP
 .Vb 1
 \& openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb
 .Ve
+.PP
 Display the certificate \s-1MD5\s0 fingerprint:
 .PP
 .Vb 1
 \& openssl x509 -in cert.pem -noout -fingerprint
 .Ve
+.PP
 Display the certificate \s-1SHA1\s0 fingerprint:
 .PP
 .Vb 1
 \& openssl x509 -sha1 -in cert.pem -noout -fingerprint
 .Ve
+.PP
 Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
 .PP
 .Vb 1
 \& openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
 .Ve
+.PP
 Convert a certificate to a certificate request:
 .PP
 .Vb 1
 \& openssl x509 -x509toreq -in cert.pem -out req.pem -signkey key.pem
 .Ve
+.PP
 Convert a certificate request into a self signed certificate using
 extensions for a \s-1CA:\s0
 .PP
@@ -669,6 +668,7 @@ extensions for a \s-1CA:\s0
 \& openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \e
 \&        -signkey key.pem -out cacert.pem
 .Ve
+.PP
 Sign a certificate request using the \s-1CA\s0 certificate above and add user
 certificate extensions:
 .PP
@@ -676,6 +676,7 @@ certificate extensions:
 \& openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \e
 \&        -CA cacert.pem -CAkey key.pem -CAcreateserial
 .Ve
+.PP
 Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
 \&\*(L"Steve's Class 1 \s-1CA\s0\*(R"
 .PP
@@ -691,18 +692,21 @@ The \s-1PEM\s0 format uses the header and footer lines:
 \& -----BEGIN CERTIFICATE-----
 \& -----END CERTIFICATE-----
 .Ve
+.PP
 it will also handle files containing:
 .PP
 .Vb 2
 \& -----BEGIN X509 CERTIFICATE-----
 \& -----END X509 CERTIFICATE-----
 .Ve
+.PP
 Trusted certificates have the lines
 .PP
 .Vb 2
 \& -----BEGIN TRUSTED CERTIFICATE-----
 \& -----END TRUSTED CERTIFICATE-----
 .Ve
+.PP
 The conversion to \s-1UTF8\s0 format used with the name options assumes that
 T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
 and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
@@ -755,62 +759,62 @@ the key can only be used for the purposes specified.
 A complete description of each test is given below. The comments about
 basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
 \&\s-1CA\s0 certificates.
-.Ip "\fB\s-1SSL\s0 Client\fR" 4
+.IP "\fB\s-1SSL\s0 Client\fR" 4
 .IX Item "SSL Client"
 The extended key usage extension must be absent or include the \*(L"web client
 authentication\*(R" \s-1OID\s0.  keyUsage must be absent or it must have the
 digitalSignature bit set. Netscape certificate type must be absent or it must
 have the \s-1SSL\s0 client bit set.
-.Ip "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
+.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
 .IX Item "SSL Client CA"
 The extended key usage extension must be absent or include the \*(L"web client
 authentication\*(R" \s-1OID\s0. Netscape certificate type must be absent or it must have
 the \s-1SSL\s0 \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
 extension is absent.
-.Ip "\fB\s-1SSL\s0 Server\fR" 4
+.IP "\fB\s-1SSL\s0 Server\fR" 4
 .IX Item "SSL Server"
 The extended key usage extension must be absent or include the \*(L"web server
 authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  keyUsage must be absent or it
 must have the digitalSignature, the keyEncipherment set or both bits set.
 Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
-.Ip "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
+.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
 .IX Item "SSL Server CA"
 The extended key usage extension must be absent or include the \*(L"web server
 authentication\*(R" and/or one of the \s-1SGC\s0 OIDs.  Netscape certificate type must
 be absent or the \s-1SSL\s0 \s-1CA\s0 bit must be set: this is used as a work around if the
 basicConstraints extension is absent.
-.Ip "\fBNetscape \s-1SSL\s0 Server\fR" 4
+.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
 .IX Item "Netscape SSL Server"
 For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
 keyEncipherment bit set if the keyUsage extension is present. This isn't
 always valid because some cipher suites use the key for digital signing.
 Otherwise it is the same as a normal \s-1SSL\s0 server.
-.Ip "\fBCommon S/MIME Client Tests\fR" 4
+.IP "\fBCommon S/MIME Client Tests\fR" 4
 .IX Item "Common S/MIME Client Tests"
 The extended key usage extension must be absent or include the \*(L"email
 protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or should have the
 S/MIME bit set. If the S/MIME bit is not set in netscape certificate type
 then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
 this is because some Verisign certificates don't set the S/MIME bit.
-.Ip "\fBS/MIME Signing\fR" 4
+.IP "\fBS/MIME Signing\fR" 4
 .IX Item "S/MIME Signing"
 In addition to the common S/MIME client tests the digitalSignature bit must
 be set if the keyUsage extension is present.
-.Ip "\fBS/MIME Encryption\fR" 4
+.IP "\fBS/MIME Encryption\fR" 4
 .IX Item "S/MIME Encryption"
 In addition to the common S/MIME tests the keyEncipherment bit must be set
 if the keyUsage extension is present.
-.Ip "\fBS/MIME \s-1CA\s0\fR" 4
+.IP "\fBS/MIME \s-1CA\s0\fR" 4
 .IX Item "S/MIME CA"
 The extended key usage extension must be absent or include the \*(L"email
 protection\*(R" \s-1OID\s0. Netscape certificate type must be absent or must have the
 S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
 extension is absent. 
-.Ip "\fB\s-1CRL\s0 Signing\fR" 4
+.IP "\fB\s-1CRL\s0 Signing\fR" 4
 .IX Item "CRL Signing"
 The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
 set.
-.Ip "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
+.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
 .IX Item "CRL Signing CA"
 The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension
 must be present.
@@ -832,5 +836,5 @@ than the current behaviour. It is hoped that it will represent reality in
 OpenSSL 0.9.5 and later.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-req(1), ca(1), genrsa(1),
-gendsa(1), verify(1)
+\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1),
+\&\fIgendsa\fR\|(1), \fIverify\fR\|(1)