[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Thu Mar 30 12:16:46 UTC 2017


The branch master has been updated
       via  c4de074e6385a86a43a30fee574e77f9dcabb022 (commit)
      from  3cb47b4ec1514248996ca037a5e7890ea7fdc855 (commit)


- Log -----------------------------------------------------------------
commit c4de074e6385a86a43a30fee574e77f9dcabb022
Author: Pauli <paul.dale at oracle.com>
Date:   Thu Mar 30 07:38:30 2017 +1000

    Documentation updates
    
    Fix capitilistion of list items.
    Wrap long lines.
    Add full stops to the ends of sentances.
    Change ciphersuite to cipher suite in all of doc.
    
    [skip ci]
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3082)

-----------------------------------------------------------------------

Summary of changes:
 doc/man1/CA.pl.pod                              |  36 ++---
 doc/man1/asn1parse.pod                          |  28 ++--
 doc/man1/ca.pod                                 | 118 ++++++++--------
 doc/man1/ciphers.pod                            |  52 +++----
 doc/man1/cms.pod                                | 106 +++++++-------
 doc/man1/crl.pod                                |  26 ++--
 doc/man1/crl2pkcs7.pod                          |   8 +-
 doc/man1/dgst.pod                               |  36 +++--
 doc/man1/dhparam.pod                            |  14 +-
 doc/man1/dsa.pod                                |  16 +--
 doc/man1/dsaparam.pod                           |  16 +--
 doc/man1/ec.pod                                 |  20 +--
 doc/man1/ecparam.pod                            |   6 +-
 doc/man1/gendsa.pod                             |   4 +-
 doc/man1/genpkey.pod                            |  16 +--
 doc/man1/genrsa.pod                             |  12 +-
 doc/man1/ocsp.pod                               |  86 +++++------
 doc/man1/openssl.pod                            |  33 +++--
 doc/man1/pkcs12.pod                             |  64 ++++-----
 doc/man1/pkcs7.pod                              |  12 +-
 doc/man1/pkcs8.pod                              |  14 +-
 doc/man1/pkey.pod                               |  20 +--
 doc/man1/pkeyparam.pod                          |   8 +-
 doc/man1/pkeyutl.pod                            |  37 +++--
 doc/man1/req.pod                                |  74 +++++-----
 doc/man1/rsa.pod                                |  20 +--
 doc/man1/rsautl.pod                             |  26 ++--
 doc/man1/s_client.pod                           |  84 ++++++-----
 doc/man1/s_server.pod                           |  46 +++---
 doc/man1/s_time.pod                             |  18 +--
 doc/man1/sess_id.pod                            |  36 ++---
 doc/man1/smime.pod                              |  86 +++++------
 doc/man1/speed.pod                              |   4 +-
 doc/man1/spkac.pod                              |  22 +--
 doc/man1/ts.pod                                 |   3 +-
 doc/man1/verify.pod                             |  67 +++++----
 doc/man1/version.pod                            |  14 +-
 doc/man1/x509.pod                               | 180 ++++++++++++------------
 doc/man3/SSL_CIPHER_get_name.pod                |   8 +-
 doc/man3/SSL_CTX_add1_chain_cert.pod            |   4 +-
 doc/man3/SSL_CTX_set_ct_validation_callback.pod |   2 +-
 doc/man3/SSL_CTX_set_security_level.pod         |  24 ++--
 doc/man3/SSL_CTX_set_split_send_fragment.pod    |   2 +-
 doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod   |   4 +-
 doc/man3/SSL_CTX_set_tmp_dh_callback.pod        |   2 +-
 doc/man3/SSL_get_peer_signature_nid.pod         |   2 +-
 46 files changed, 760 insertions(+), 756 deletions(-)

diff --git a/doc/man1/CA.pl.pod b/doc/man1/CA.pl.pod
index a7f3970..6949ec6 100644
--- a/doc/man1/CA.pl.pod
+++ b/doc/man1/CA.pl.pod
@@ -42,28 +42,28 @@ by the use of some simple options.
 
 =item B<?>, B<-h>, B<-help>
 
-prints a usage message.
+Prints a usage message.
 
 =item B<-newcert>
 
-creates a new self signed certificate. The private key is written to the file
+Creates a new self signed certificate. The private key is written to the file
 "newkey.pem" and the request written to the file "newreq.pem".
 This argument invokes B<openssl req> command.
 
 =item B<-newreq>
 
-creates a new certificate request. The private key is written to the file
+Creates a new certificate request. The private key is written to the file
 "newkey.pem" and the request written to the file "newreq.pem".
 Executes B<openssl req> command below the hood.
 
 =item B<-newreq-nodes>
 
-is like B<-newreq> except that the private key will not be encrypted.
+Is like B<-newreq> except that the private key will not be encrypted.
 Uses B<openssl req> command.
 
 =item B<-newca>
 
-creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
+Creates a new CA hierarchy for use with the B<ca> program (or the B<-signcert>
 and B<-xsign> options). The user is prompted to enter the filename of the CA
 certificates (which should also contain the private key) or by hitting ENTER
 details of the CA will be prompted for. The relevant files and directories
@@ -72,7 +72,7 @@ B<openssl req> and B<openssl ca> commands are get invoked.
 
 =item B<-pkcs12>
 
-create a PKCS#12 file containing the user certificate, private key and CA
+Create a PKCS#12 file containing the user certificate, private key and CA
 certificate. It expects the user certificate and private key to be in the
 file "newcert.pem" and the CA certificate to be in the file demoCA/cacert.pem,
 it creates a file "newcert.p12". This command can thus be called after the
@@ -84,31 +84,31 @@ Delegates work to B<openssl pkcs12> command.
 
 =item B<-sign>, B<-signcert>, B<-xsign>
 
-calls the B<ca> program to sign a certificate request. It expects the request
+Calls the B<ca> program to sign a certificate request. It expects the request
 to be in the file "newreq.pem". The new certificate is written to the file
 "newcert.pem" except in the case of the B<-xsign> option when it is written
 to standard output. Leverages B<openssl ca> command.
 
 =item B<-signCA>
 
-this option is the same as the B<-signreq> option except it uses the configuration
-file section B<v3_ca> and so makes the signed request a valid CA certificate. This
-is useful when creating intermediate CA from a root CA.
-Extra params are passed on to B<openssl ca> command.
+This option is the same as the B<-signreq> option except it uses the
+configuration file section B<v3_ca> and so makes the signed request a
+valid CA certificate. This is useful when creating intermediate CA from
+a root CA.  Extra params are passed on to B<openssl ca> command.
 
 =item B<-signcert>
 
-this option is the same as B<-sign> except it expects a self signed certificate
+This option is the same as B<-sign> except it expects a self signed certificate
 to be present in the file "newreq.pem".
 Extra params are passed on to B<openssl x509> and B<openssl ca> commands.
 
 =item B<-crl>
 
-generate a CRL. Executes B<openssl ca> command.
+Generate a CRL. Executes B<openssl ca> command.
 
 =item B<-revoke certfile [reason]>
 
-revoke the certificate contained in the specified B<certfile>. An optional
+Revoke the certificate contained in the specified B<certfile>. An optional
 reason may be specified, and must be one of: B<unspecified>,
 B<keyCompromise>, B<CACompromise>, B<affiliationChanged>, B<superseded>,
 B<cessationOfOperation>, B<certificateHold>, or B<removeFromCRL>.
@@ -116,9 +116,9 @@ Leverages B<openssl ca> command.
 
 =item B<-verify>
 
-verifies certificates against the CA certificate for "demoCA". If no certificates
-are specified on the command line it tries to verify the file "newcert.pem".
-Invokes B<openssl verify> command.
+Verifies certificates against the CA certificate for "demoCA". If no
+certificates are specified on the command line it tries to verify the file
+"newcert.pem".  Invokes B<openssl verify> command.
 
 =item B<-extra-req> | B<-extra-ca> | B<-extra-pkcs12> | B<-extra-x509> | B<-extra-verify> <extra-params>
 
@@ -204,7 +204,7 @@ L<config(5)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/asn1parse.pod b/doc/man1/asn1parse.pod
index ee09a83..602754e 100644
--- a/doc/man1/asn1parse.pod
+++ b/doc/man1/asn1parse.pod
@@ -39,56 +39,56 @@ Print out a usage message.
 
 =item B<-inform> B<DER|PEM>
 
-the input format. B<DER> is binary format and B<PEM> (the default) is base64
+The input format. B<DER> is binary format and B<PEM> (the default) is base64
 encoded.
 
 =item B<-in filename>
 
-the input file, default is standard input
+The input file, default is standard input.
 
 =item B<-out filename>
 
-output file to place the DER encoded data into. If this
+Output file to place the DER encoded data into. If this
 option is not present then no data will be output. This is most useful when
 combined with the B<-strparse> option.
 
 =item B<-noout>
 
-don't output the parsed version of the input file.
+Don't output the parsed version of the input file.
 
 =item B<-offset number>
 
-starting offset to begin parsing, default is start of file.
+Starting offset to begin parsing, default is start of file.
 
 =item B<-length number>
 
-number of bytes to parse, default is until end of file.
+Number of bytes to parse, default is until end of file.
 
 =item B<-i>
 
-indents the output according to the "depth" of the structures.
+Indents the output according to the "depth" of the structures.
 
 =item B<-oid filename>
 
-a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
+A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
 file is described in the NOTES section below.
 
 =item B<-dump>
 
-dump unknown data in hex format.
+Dump unknown data in hex format.
 
 =item B<-dlimit num>
 
-like B<-dump>, but only the first B<num> bytes are output.
+Like B<-dump>, but only the first B<num> bytes are output.
 
 =item B<-strparse offset>
 
-parse the contents octets of the ASN.1 object starting at B<offset>. This
+Parse the contents octets of the ASN.1 object starting at B<offset>. This
 option can be used multiple times to "drill down" into a nested structure.
 
 =item B<-genstr string>, B<-genconf file>
 
-generate encoded data based on B<string>, B<file> or both using
+Generate encoded data based on B<string>, B<file> or both using
 L<ASN1_generate_nconf(3)> format. If B<file> only is
 present then the string is obtained from the default section using the name
 B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
@@ -105,7 +105,7 @@ END marker in a PEM file.
 
 =item B<-item name>
 
-attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
+Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
 print out the fields of any supported ASN.1 structure if the type is known.
 
 =back
@@ -204,7 +204,7 @@ L<ASN1_generate_nconf(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index c09db82..f2c003b 100644
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -72,73 +72,73 @@ Print out a usage message.
 
 =item B<-verbose>
 
-this prints extra details about the operations being performed.
+This prints extra details about the operations being performed.
 
 =item B<-config filename>
 
-specifies the configuration file to use.
+Specifies the configuration file to use.
 Optional; for a description of the default value,
 see L<openssl(1)/COMMAND SUMMARY>.
 
 =item B<-name section>
 
-specifies the configuration file section to use (overrides
+Specifies the configuration file section to use (overrides
 B<default_ca> in the B<ca> section).
 
 =item B<-in filename>
 
-an input filename containing a single certificate request to be
+An input filename containing a single certificate request to be
 signed by the CA.
 
 =item B<-ss_cert filename>
 
-a single self-signed certificate to be signed by the CA.
+A single self-signed certificate to be signed by the CA.
 
 =item B<-spkac filename>
 
-a file containing a single Netscape signed public key and challenge
+A file containing a single Netscape signed public key and challenge
 and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
 section for information on the required input and output format.
 
 =item B<-infiles>
 
-if present this should be the last option, all subsequent arguments
+If present this should be the last option, all subsequent arguments
 are taken as the names of files containing certificate requests.
 
 =item B<-out filename>
 
-the output file to output certificates to. The default is standard
+The output file to output certificates to. The default is standard
 output. The certificate details will also be printed out to this
 file in PEM format (except that B<-spkac> outputs DER format).
 
 =item B<-outdir directory>
 
-the directory to output certificates to. The certificate will be
+The directory to output certificates to. The certificate will be
 written to a filename consisting of the serial number in hex with
 ".pem" appended.
 
 =item B<-cert>
 
-the CA certificate file.
+The CA certificate file.
 
 =item B<-keyfile filename>
 
-the private key to sign requests with.
+The private key to sign requests with.
 
 =item B<-keyform PEM|DER>
 
-the format of the data in the private key file.
+The format of the data in the private key file.
 The default is PEM.
 
 =item B<-key password>
 
-the password used to encrypt the private key. Since on some
+The password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.
 
 =item B<-selfsign>
 
-indicates the issued certificates are to be signed with the key
+Indicates the issued certificates are to be signed with the key
 the certificate requests were signed with (given with B<-keyfile>).
 Certificate requests signed with a different key are ignored.  If
 B<-spkac>, B<-ss_cert> or B<-gencrl> are given, B<-selfsign> is
@@ -152,43 +152,43 @@ self-signed certificate.
 
 =item B<-passin arg>
 
-the key password source. For more information about the format of B<arg>
+The key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-notext>
 
-don't output the text form of a certificate to the output file.
+Don't output the text form of a certificate to the output file.
 
 =item B<-startdate date>
 
-this allows the start date to be explicitly set. The format of the
+This allows the start date to be explicitly set. The format of the
 date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
 
 =item B<-enddate date>
 
-this allows the expiry date to be explicitly set. The format of the
+This allows the expiry date to be explicitly set. The format of the
 date is YYMMDDHHMMSSZ (the same as an ASN1 UTCTime structure).
 
 =item B<-days arg>
 
-the number of days to certify the certificate for.
+The number of days to certify the certificate for.
 
 =item B<-md alg>
 
-the message digest to use.
+The message digest to use.
 Any digest supported by the OpenSSL B<dgst> command can be used.
 This option also applies to CRLs.
 
 =item B<-policy arg>
 
-this option defines the CA "policy" to use. This is a section in
+This option defines the CA "policy" to use. This is a section in
 the configuration file which decides which fields should be mandatory
 or match the CA certificate. Check out the B<POLICY FORMAT> section
 for more information.
 
 =item B<-msie_hack>
 
-this is a legacy option to make B<ca> work with very old versions of
+This is a legacy option to make B<ca> work with very old versions of
 the IE certificate enrollment control "certenr3". It used UniversalStrings
 for almost everything. Since the old control has various security bugs
 its use is strongly discouraged. The newer control "Xenroll" does not
@@ -213,12 +213,12 @@ used in the configuration file to enable this behaviour.
 
 =item B<-batch>
 
-this sets the batch mode. In this mode no questions will be asked
+This sets the batch mode. In this mode no questions will be asked
 and all certificates will be certified automatically.
 
 =item B<-extensions section>
 
-the section of the configuration file containing certificate extensions
+The section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to B<x509_extensions>
 unless the B<-extfile> option is used). If no extension section is
 present then, a V1 certificate is created. If the extension section
@@ -228,33 +228,33 @@ extension section format.
 
 =item B<-extfile file>
 
-an additional configuration file to read certificate extensions from
+An additional configuration file to read certificate extensions from
 (using the default section unless the B<-extensions> option is also
 used).
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<ca>
+Specifying an engine (by its unique B<id> string) will cause B<ca>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-subj arg>
 
-supersedes subject name given in the request.
+Supersedes subject name given in the request.
 The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
 characters may be escaped by \ (backslash), no spaces are skipped.
 
 =item B<-utf8>
 
-this option causes field values to be interpreted as UTF8 strings, by
+This option causes field values to be interpreted as UTF8 strings, by
 default they are interpreted as ASCII. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
 
 =item B<-create_serial>
 
-if reading serial from the text file as specified in the configuration
+If reading serial from the text file as specified in the configuration
 fails, specifying this option creates a new random serial to be used as next
 serial number.
 
@@ -275,28 +275,28 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
 
 =item B<-gencrl>
 
-this option generates a CRL based on information in the index file.
+This option generates a CRL based on information in the index file.
 
 =item B<-crldays num>
 
-the number of days before the next CRL is due. That is the days from
+The number of days before the next CRL is due. That is the days from
 now to place in the CRL nextUpdate field.
 
 =item B<-crlhours num>
 
-the number of hours before the next CRL is due.
+The number of hours before the next CRL is due.
 
 =item B<-revoke filename>
 
-a filename containing a certificate to revoke.
+A filename containing a certificate to revoke.
 
 =item B<-valid filename>
 
-a filename containing a certificate to add a Valid certificate entry.
+A filename containing a certificate to add a Valid certificate entry.
 
 =item B<-status serial>
 
-displays the revocation status of the certificate with the specified
+Displays the revocation status of the certificate with the specified
 serial number and exits.
 
 =item B<-updatedb>
@@ -305,7 +305,7 @@ Updates the database index to purge expired certificates.
 
 =item B<-crl_reason reason>
 
-revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
+Revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
 B<CACompromise>, B<affiliationChanged>, B<superseded>, B<cessationOfOperation>,
 B<certificateHold> or B<removeFromCRL>. The matching of B<reason> is case
 insensitive. Setting any revocation reason will make the CRL v2.
@@ -332,7 +332,7 @@ B<CACompromise>.
 
 =item B<-crlexts section>
 
-the section of the configuration file containing CRL extensions to
+The section of the configuration file containing CRL extensions to
 include. If no CRL extension section is present then a V1 CRL is
 created, if the CRL extension section is present (even if it is
 empty) then a V2 CRL is created. The CRL extensions specified are
@@ -383,58 +383,58 @@ and long names are the same when this option is used.
 
 =item B<new_certs_dir>
 
-the same as the B<-outdir> command line option. It specifies
+The same as the B<-outdir> command line option. It specifies
 the directory where new certificates will be placed. Mandatory.
 
 =item B<certificate>
 
-the same as B<-cert>. It gives the file containing the CA
+The same as B<-cert>. It gives the file containing the CA
 certificate. Mandatory.
 
 =item B<private_key>
 
-same as the B<-keyfile> option. The file containing the
+Same as the B<-keyfile> option. The file containing the
 CA private key. Mandatory.
 
 =item B<RANDFILE>
 
-a file used to read and write random number seed information, or
+A file used to read and write random number seed information, or
 an EGD socket (see L<RAND_egd(3)>).
 
 =item B<default_days>
 
-the same as the B<-days> option. The number of days to certify
+The same as the B<-days> option. The number of days to certify
 a certificate for.
 
 =item B<default_startdate>
 
-the same as the B<-startdate> option. The start date to certify
+The same as the B<-startdate> option. The start date to certify
 a certificate for. If not set the current time is used.
 
 =item B<default_enddate>
 
-the same as the B<-enddate> option. Either this option or
+The same as the B<-enddate> option. Either this option or
 B<default_days> (or the command line equivalents) must be
 present.
 
 =item B<default_crl_hours default_crl_days>
 
-the same as the B<-crlhours> and the B<-crldays> options. These
+The same as the B<-crlhours> and the B<-crldays> options. These
 will only be used if neither command line option is present. At
 least one of these must be present to generate a CRL.
 
 =item B<default_md>
 
-the same as the B<-md> option. Mandatory.
+The same as the B<-md> option. Mandatory.
 
 =item B<database>
 
-the text database file to use. Mandatory. This file must be present
+The text database file to use. Mandatory. This file must be present
 though initially it will be empty.
 
 =item B<unique_subject>
 
-if the value B<yes> is given, the valid certificate entries in the
+If the value B<yes> is given, the valid certificate entries in the
 database must have unique subjects.  if the value B<no> is given,
 several valid certificate entries may have the exact same subject.
 The default value is B<yes>, to be compatible with older (pre 0.9.8)
@@ -444,45 +444,45 @@ the B<-selfsign> command line option.
 
 =item B<serial>
 
-a text file containing the next serial number to use in hex. Mandatory.
+A text file containing the next serial number to use in hex. Mandatory.
 This file must be present and contain a valid serial number.
 
 =item B<crlnumber>
 
-a text file containing the next CRL number to use in hex. The crl number
+A text file containing the next CRL number to use in hex. The crl number
 will be inserted in the CRLs only if this file exists. If this file is
 present, it must contain a valid CRL number.
 
 =item B<x509_extensions>
 
-the same as B<-extensions>.
+The same as B<-extensions>.
 
 =item B<crl_extensions>
 
-the same as B<-crlexts>.
+The same as B<-crlexts>.
 
 =item B<preserve>
 
-the same as B<-preserveDN>
+The same as B<-preserveDN>
 
 =item B<email_in_dn>
 
-the same as B<-noemailDN>. If you want the EMAIL field to be removed
+The same as B<-noemailDN>. If you want the EMAIL field to be removed
 from the DN of the certificate simply set this to 'no'. If not present
 the default is to allow for the EMAIL filed in the certificate's DN.
 
 =item B<msie_hack>
 
-the same as B<-msie_hack>
+The same as B<-msie_hack>
 
 =item B<policy>
 
-the same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
+The same as B<-policy>. Mandatory. See the B<POLICY FORMAT> section
 for more information.
 
 =item B<name_opt>, B<cert_opt>
 
-these options allow the format used to display the certificate details
+These options allow the format used to display the certificate details
 when asking the user to confirm signing. All the options supported by
 the B<x509> utilities B<-nameopt> and B<-certopt> switches can be used
 here, except the B<no_signame> and B<no_sigdump> are permanently set
@@ -499,7 +499,7 @@ multicharacter string types and does not display extensions.
 
 =item B<copy_extensions>
 
-determines how extensions in certificate requests should be handled.
+Determines how extensions in certificate requests should be handled.
 If set to B<none> or this option is not present then extensions are
 ignored and not copied to the certificate. If set to B<copy> then any
 extensions present in the request that are not already present are copied
@@ -709,7 +709,7 @@ L<config(5)>, L<x509v3_config(5)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/ciphers.pod b/doc/man1/ciphers.pod
index 6fea824..4774a54 100644
--- a/doc/man1/ciphers.pod
+++ b/doc/man1/ciphers.pod
@@ -63,7 +63,7 @@ When combined with B<-s> includes cipher suites which require SRP.
 
 =item B<-v>
 
-Verbose output: For each ciphersuite, list details as provided by
+Verbose output: For each cipher suite, list details as provided by
 L<SSL_CIPHER_description(3)>.
 
 =item B<-V>
@@ -97,12 +97,12 @@ TLSv1.1 were negotiated.
 
 =item B<-stdname>
 
-precede each ciphersuite by its standard name: only available is OpenSSL
+Precede each cipher suite by its standard name: only available is OpenSSL
 is built with tracing enabled (B<enable-ssl-trace> argument to Configure).
 
 =item B<cipherlist>
 
-a cipher list to convert to a cipher preference list. If it is not included
+A cipher list to convert to a cipher preference list. If it is not included
 then the default cipher list will be used. The format is described below.
 
 =back
@@ -168,7 +168,7 @@ When used, this must be the first cipherstring specified.
 The ciphers included in B<ALL>, but not enabled by default. Currently
 this includes all RC4 and anonymous ciphers. Note that this rule does
 not cover B<eNULL>, which is not included by B<ALL> (use B<COMPLEMENTOFALL> if
-necessary). Note that RC4 based ciphersuites are not built into OpenSSL by
+necessary). Note that RC4 based cipher suites are not built into OpenSSL by
 default (see the enable-weak-ssl-ciphers option to Configure).
 
 =item B<ALL>
@@ -183,19 +183,19 @@ The cipher suites not enabled by B<ALL>, currently B<eNULL>.
 
 =item B<HIGH>
 
-"high" encryption cipher suites. This currently means those with key lengths
+"High" encryption cipher suites. This currently means those with key lengths
 larger than 128 bits, and some cipher suites with 128-bit keys.
 
 =item B<MEDIUM>
 
-"medium" encryption cipher suites, currently some of those using 128 bit
+"Medium" encryption cipher suites, currently some of those using 128 bit
 encryption.
 
 =item B<LOW>
 
-"low" encryption cipher suites, currently those using 64 or 56 bit
+"Low" encryption cipher suites, currently those using 64 or 56 bit
 encryption algorithms but excluding export cipher suites.  All these
-ciphersuites have been removed as of OpenSSL 1.1.0.
+cipher suites have been removed as of OpenSSL 1.1.0.
 
 =item B<eNULL>, B<NULL>
 
@@ -272,11 +272,11 @@ keys.
 
 =item B<TLSv1.2>, B<TLSv1.0>, B<SSLv3>
 
-Lists ciphersuites which are only supported in at least TLS v1.2, TLS v1.0 or
+Lists cipher suites which are only supported in at least TLS v1.2, TLS v1.0 or
 SSL v3.0 respectively.
-Note: there are no ciphersuites specific to TLS v1.1.
+Note: there are no cipher suites specific to TLS v1.1.
 Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
-then both TLSv1.0 and SSLv3.0 ciphersuites are available.
+then both TLSv1.0 and SSLv3.0 cipher suites are available.
 
 Note: these cipher strings B<do not> change the negotiated version of SSL or
 TLS, they only affect the list of available cipher suites.
@@ -287,33 +287,33 @@ cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
 
 =item B<AESGCM>
 
-AES in Galois Counter Mode (GCM): these ciphersuites are only supported
+AES in Galois Counter Mode (GCM): these cipher suites are only supported
 in TLS v1.2.
 
 =item B<AESCCM>, B<AESCCM8>
 
 AES in Cipher Block Chaining - Message Authentication Mode (CCM): these
-ciphersuites are only supported in TLS v1.2. B<AESCCM> references CCM
+cipher suites are only supported in TLS v1.2. B<AESCCM> references CCM
 cipher suites using both 16 and 8 octet Integrity Check Value (ICV)
 while B<AESCCM8> only references 8 octet ICV.
 
 =item B<ARIA128>, B<ARIA256>, B<ARIA>
 
-cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
+Cipher suites using 128 bit ARIA, 256 bit ARIA or either 128 or 256 bit
 ARIA.
 
 =item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
 
-cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
+Cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
 CAMELLIA.
 
 =item B<CHACHA20>
 
-cipher suites using ChaCha20.
+Cipher suites using ChaCha20.
 
 =item B<3DES>
 
-cipher suites using triple DES.
+Cipher suites using triple DES.
 
 =item B<DES>
 
@@ -346,7 +346,7 @@ Cipher suites using SHA1.
 
 =item B<SHA256>, B<SHA384>
 
-Ciphersuites using SHA256 or SHA384.
+Cipher suites using SHA256 or SHA384.
 
 =item B<aGOST>
 
@@ -393,7 +393,7 @@ Setting Suite B mode has additional consequences required to comply with
 RFC6460.
 In particular the supported signature algorithms is reduced to support only
 ECDSA and SHA256 or SHA384, only the elliptic curves P-256 and P-384 can be
-used and only the two suite B compliant ciphersuites
+used and only the two suite B compliant cipher suites
 (ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-ECDSA-AES256-GCM-SHA384) are
 permissible.
 
@@ -444,7 +444,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  TLS_DH_anon_WITH_RC4_128_MD5            ADH-RC4-MD5
  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA       ADH-DES-CBC3-SHA
 
-=head2 AES ciphersuites from RFC3268, extending TLS v1.0
+=head2 AES cipher suites from RFC3268, extending TLS v1.0
 
  TLS_RSA_WITH_AES_128_CBC_SHA            AES128-SHA
  TLS_RSA_WITH_AES_256_CBC_SHA            AES256-SHA
@@ -462,7 +462,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  TLS_DH_anon_WITH_AES_128_CBC_SHA        ADH-AES128-SHA
  TLS_DH_anon_WITH_AES_256_CBC_SHA        ADH-AES256-SHA
 
-=head2 Camellia ciphersuites from RFC4132, extending TLS v1.0
+=head2 Camellia cipher suites from RFC4132, extending TLS v1.0
 
  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      CAMELLIA128-SHA
  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      CAMELLIA256-SHA
@@ -480,7 +480,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  ADH-CAMELLIA128-SHA
  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  ADH-CAMELLIA256-SHA
 
-=head2 SEED ciphersuites from RFC4162, extending TLS v1.0
+=head2 SEED cipher suites from RFC4162, extending TLS v1.0
 
  TLS_RSA_WITH_SEED_CBC_SHA              SEED-SHA
 
@@ -492,7 +492,7 @@ e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
 
  TLS_DH_anon_WITH_SEED_CBC_SHA          ADH-SEED-SHA
 
-=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
+=head2 GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0
 
 Note: these ciphers require an engine which including GOST cryptographic
 algorithms, such as the B<ccgost> engine, included in the OpenSSL distribution.
@@ -585,7 +585,7 @@ Note: these ciphers can also be used in SSL v3.
  ECDHE_ECDSA_WITH_AES_128_CCM_8            ECDHE-ECDSA-AES128-CCM8
  ECDHE_ECDSA_WITH_AES_256_CCM_8            ECDHE-ECDSA-AES256-CCM8
 
-=head2 ARIA ciphersuites from RFC6209, extending TLS v1.2
+=head2 ARIA cipher suites from RFC6209, extending TLS v1.2
 
  TLS_RSA_WITH_ARIA_128_CBC_SHA256          ARIA128-CBC-SHA256
  TLS_RSA_WITH_ARIA_256_CBC_SHA384          ARIA256-CBC-SHA384
@@ -600,14 +600,14 @@ Note: these ciphers can also be used in SSL v3.
  TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256    ECDHE-RSA-ARIA128-CBC-SHA256
  TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384    ECDHE-RSA-ARIA256-CBC-SHA384
 
-=head2 Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2
+=head2 Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2
 
  TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256
  TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384
  TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   ECDHE-RSA-CAMELLIA128-SHA256
  TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   ECDHE-RSA-CAMELLIA256-SHA384
 
-=head2 Pre-shared keying (PSK) ciphersuites
+=head2 Pre-shared keying (PSK) cipher suites
 
  PSK_WITH_NULL_SHA                         PSK-NULL-SHA
  DHE_PSK_WITH_NULL_SHA                     DHE-PSK-NULL-SHA
diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod
index b97120a..21e5bde 100644
--- a/doc/man1/cms.pod
+++ b/doc/man1/cms.pod
@@ -118,7 +118,7 @@ Print out a usage message.
 
 =item B<-encrypt>
 
-encrypt mail for the given recipient certificates. Input file is the message
+Encrypt mail for the given recipient certificates. Input file is the message
 to be encrypted. The output file is the encrypted mail in MIME format. The
 actual CMS type is <B>EnvelopedData<B>.
 
@@ -127,33 +127,33 @@ key has been compromised, others may be able to decrypt the text.
 
 =item B<-decrypt>
 
-decrypt mail using the supplied certificate and private key. Expects an
+Decrypt mail using the supplied certificate and private key. Expects an
 encrypted mail message in MIME format for the input file. The decrypted mail
 is written to the output file.
 
 =item B<-debug_decrypt>
 
-this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
 with caution: see the notes section below.
 
 =item B<-sign>
 
-sign mail using the supplied certificate and private key. Input file is
+Sign mail using the supplied certificate and private key. Input file is
 the message to be signed. The signed message in MIME format is written
 to the output file.
 
 =item B<-verify>
 
-verify signed mail. Expects a signed mail message on input and outputs
+Verify signed mail. Expects a signed mail message on input and outputs
 the signed data. Both clear text and opaque signing is supported.
 
 =item B<-cmsout>
 
-takes an input message and writes out a PEM encoded CMS structure.
+Takes an input message and writes out a PEM encoded CMS structure.
 
 =item B<-resign>
 
-resign a message: take an existing message and one or more new signers.
+Resign a message: take an existing message and one or more new signers.
 
 =item B<-data_create>
 
@@ -201,12 +201,12 @@ to the B<-verify> operation.
 
 =item B<-in filename>
 
-the input message to be encrypted or signed or the message to be decrypted
+The input message to be encrypted or signed or the message to be decrypted
 or verified.
 
 =item B<-inform SMIME|PEM|DER>
 
-this specifies the input format for the CMS structure. The default
+This specifies the input format for the CMS structure. The default
 is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
 format change this to expect PEM and DER format CMS structures
 instead. This currently only affects the input format of the CMS
@@ -215,17 +215,17 @@ B<-encrypt> or B<-sign>) this option has no effect.
 
 =item B<-rctform SMIME|PEM|DER>
 
-specify the format for a signed receipt for use with the B<-receipt_verify>
+Specify the format for a signed receipt for use with the B<-receipt_verify>
 operation.
 
 =item B<-out filename>
 
-the message text that has been decrypted or verified or the output MIME
+The message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.
 
 =item B<-outform SMIME|PEM|DER>
 
-this specifies the output format for the CMS structure. The default
+This specifies the output format for the CMS structure. The default
 is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
 format change this to write PEM and DER format CMS structures
 instead. This currently only affects the output format of the CMS
@@ -234,7 +234,7 @@ B<-verify> or B<-decrypt>) this option has no effect.
 
 =item B<-stream -indef -noindef>
 
-the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
+The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
 for encoding operations. This permits single pass processing of data without
 the need to hold the entire contents in memory, potentially supporting very
 large files. Streaming is automatically set for S/MIME signing with detached
@@ -243,7 +243,7 @@ other operations.
 
 =item B<-noindef>
 
-disable streaming I/O where it would produce and indefinite length constructed
+Disable streaming I/O where it would produce and indefinite length constructed
 encoding. This option currently has no effect. In future streaming will be
 enabled by default on all relevant operations and this option will disable it.
 
@@ -257,29 +257,29 @@ is S/MIME and it uses the multipart/signed MIME content type.
 
 =item B<-text>
 
-this option adds plain text (text/plain) MIME headers to the supplied
+This option adds plain text (text/plain) MIME headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
 off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
 
 =item B<-noout>
 
-for the B<-cmsout> operation do not output the parsed CMS structure. This
+For the B<-cmsout> operation do not output the parsed CMS structure. This
 is useful when combined with the B<-print> option or if the syntax of the CMS
 structure is being checked.
 
 =item B<-print>
 
-for the B<-cmsout> operation print out all fields of the CMS structure. This
+For the B<-cmsout> operation print out all fields of the CMS structure. This
 is mainly useful for testing purposes.
 
 =item B<-CAfile file>
 
-a file containing trusted CA certificates, only used with B<-verify>.
+A file containing trusted CA certificates, only used with B<-verify>.
 
 =item B<-CApath dir>
 
-a directory containing trusted CA certificates, only used with
+A directory containing trusted CA certificates, only used with
 B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
@@ -294,12 +294,12 @@ Do not load the trusted CA certificates from the default directory location
 
 =item B<-md digest>
 
-digest algorithm to use when signing or resigning. If not present then the
+Digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually SHA1).
 
 =item B<-[cipher]>
 
-the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
+The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
 or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
 EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
@@ -310,48 +310,48 @@ B<-EncryptedData_create> commands.
 
 =item B<-nointern>
 
-when verifying a message normally certificates (if any) included in
+When verifying a message normally certificates (if any) included in
 the message are searched for the signing certificate. With this option
 only the certificates specified in the B<-certfile> option are used.
 The supplied certificates can still be used as untrusted CAs however.
 
 =item B<-no_signer_cert_verify>
 
-do not verify the signers certificate of a signed message.
+Do not verify the signers certificate of a signed message.
 
 =item B<-nocerts>
 
-when signing a message the signer's certificate is normally included
+When signing a message the signer's certificate is normally included
 with this option it is excluded. This will reduce the size of the
 signed message but the verifier must have a copy of the signers certificate
 available locally (passed using the B<-certfile> option for example).
 
 =item B<-noattr>
 
-normally when a message is signed a set of attributes are included which
+Normally when a message is signed a set of attributes are included which
 include the signing time and supported symmetric algorithms. With this
 option they are not included.
 
 =item B<-nosmimecap>
 
-exclude the list of supported algorithms from signed attributes, other options
+Exclude the list of supported algorithms from signed attributes, other options
 such as signing time and content type are still included.
 
 =item B<-binary>
 
-normally the input message is converted to "canonical" format which is
+Normally the input message is converted to "canonical" format which is
 effectively using CR and LF as end of line: as required by the S/MIME
 specification. When this option is present no translation occurs. This
 is useful when handling binary data which may not be in MIME format.
 
 =item B<-crlfeol>
 
-normally the output file uses a single B<LF> as end of line. When this
+Normally the output file uses a single B<LF> as end of line. When this
 option is present B<CRLF> is used instead.
 
 =item B<-asciicrlf>
 
-when signing use ASCII CRLF format canonicalisation. This strips trailing
+When signing use ASCII CRLF format canonicalisation. This strips trailing
 whitespace from all lines, deletes trailing blank lines at EOF and sets
 the encapsulated content type. This option is normally used with detached
 content and an output signature format of DER. This option is not normally
@@ -360,31 +360,31 @@ content format is detected.
 
 =item B<-nodetach>
 
-when signing a message use opaque signing: this form is more resistant
+When signing a message use opaque signing: this form is more resistant
 to translation by mail relays but it cannot be read by mail agents that
 do not support S/MIME.  Without this option cleartext signing with
 the MIME type multipart/signed is used.
 
 =item B<-certfile file>
 
-allows additional certificates to be specified. When signing these will
+Allows additional certificates to be specified. When signing these will
 be included with the message. When verifying these will be searched for
 the signers certificates. The certificates should be in PEM format.
 
 =item B<-certsout file>
 
-any certificates contained in the message are written to B<file>.
+Any certificates contained in the message are written to B<file>.
 
 =item B<-signer file>
 
-a signing certificate when signing or resigning a message, this option can be
+A signing certificate when signing or resigning a message, this option can be
 used multiple times if more than one signer is required. If a message is being
 verified then the signers certificates will be written to this file if the
 verification was successful.
 
 =item B<-recip file>
 
-when decrypting a message this specifies the recipients certificate. The
+When decrypting a message this specifies the recipients certificate. The
 certificate must match one of the recipients of the message or an error
 occurs.
 
@@ -394,19 +394,19 @@ required (for example to specify RSA-OAEP).
 
 =item B<-keyid>
 
-use subject key identifier to identify certificates instead of issuer name and
+Use subject key identifier to identify certificates instead of issuer name and
 serial number. The supplied certificate B<must> include a subject key
 identifier extension. Supported by B<-sign> and B<-encrypt> options.
 
 =item B<-receipt_request_all -receipt_request_first>
 
-for B<-sign> option include a signed receipt request. Indicate requests should
+For B<-sign> option include a signed receipt request. Indicate requests should
 be provided by all recipient or first tier recipients (those mailed directly
 and not from a mailing list). Ignored it B<-receipt_request_from> is included.
 
 =item B<-receipt_request_from emailaddress>
 
-for B<-sign> option include a signed receipt request. Add an explicit email
+For B<-sign> option include a signed receipt request. Add an explicit email
 address where receipts should be supplied.
 
 =item B<-receipt_request_to emailaddress>
@@ -421,7 +421,7 @@ requests.
 
 =item B<-secretkey key>
 
-specify symmetric key to use. The key must be supplied in hex format and be
+Specify symmetric key to use. The key must be supplied in hex format and be
 consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
 B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
 with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
@@ -429,7 +429,7 @@ content encryption key using an AES key in the B<KEKRecipientInfo> type.
 
 =item B<-secretkeyid id>
 
-the key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
+The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
 This option B<must> be present if the B<-secretkey> option is used with
 B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
 relevant key if it is not supplied then an attempt is used to decrypt any
@@ -437,13 +437,13 @@ B<KEKRecipientInfo> structures.
 
 =item B<-econtent_type type>
 
-set the encapsulated content type to B<type> if not supplied the B<Data> type
+Set the encapsulated content type to B<type> if not supplied the B<Data> type
 is used. The B<type> argument can be any valid OID name in either text or
 numerical format.
 
 =item B<-inkey file>
 
-the private key to use when signing or decrypting. This must match the
+The private key to use when signing or decrypting. This must match the
 corresponding certificate. If this option is not specified then the
 private key must be included in the certificate file specified with
 the B<-recip> or B<-signer> file. When signing this option can be used
@@ -451,19 +451,19 @@ multiple times to specify successive keys.
 
 =item B<-keyopt name:opt>
 
-for signing and encryption this option can be used multiple times to
+For signing and encryption this option can be used multiple times to
 set customised parameters for the preceding key or certificate. It can
 currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
 or to modify default parameters for ECDH.
 
 =item B<-passin arg>
 
-the private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -471,12 +471,12 @@ all others.
 
 =item B<cert.pem...>
 
-one or more certificates of message recipients: used when encrypting
+One or more certificates of message recipients: used when encrypting
 a message.
 
 =item B<-to, -from, -subject>
 
-the relevant mail headers. These are included outside the signed
+The relevant mail headers. These are included outside the signed
 portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
@@ -548,28 +548,28 @@ with caution. For a fuller description see L<CMS_decrypt(3)>).
 
 =item Z<>0
 
-the operation was completely successfully.
+The operation was completely successfully.
 
 =item Z<>1
 
-an error occurred parsing the command options.
+An error occurred parsing the command options.
 
 =item Z<>2
 
-one of the input files could not be read.
+One of the input files could not be read.
 
 =item Z<>3
 
-an error occurred creating the CMS file or when reading the MIME
+An error occurred creating the CMS file or when reading the MIME
 message.
 
 =item Z<>4
 
-an error occurred decrypting or verifying the message.
+An error occurred decrypting or verifying the message.
 
 =item Z<>5
 
-the message was verified correctly but an error occurred writing out
+The message was verified correctly but an error occurred writing out
 the signers certificates.
 
 =back
@@ -727,7 +727,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/crl.pod b/doc/man1/crl.pod
index 2fad210..1f5f4dd 100644
--- a/doc/man1/crl.pod
+++ b/doc/man1/crl.pod
@@ -52,52 +52,52 @@ option is not specified.
 
 =item B<-out filename>
 
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
 default.
 
 =item B<-text>
 
-print out the CRL in text form.
+Print out the CRL in text form.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. See
+Option which determines how the subject or issuer names are displayed. See
 the description of B<-nameopt> in L<x509(1)>.
 
 =item B<-noout>
 
-don't output the encoded version of the CRL.
+Don't output the encoded version of the CRL.
 
 =item B<-hash>
 
-output a hash of the issuer name. This can be use to lookup CRLs in
+Output a hash of the issuer name. This can be use to lookup CRLs in
 a directory by issuer name.
 
 =item B<-hash_old>
 
-outputs the "hash" of the CRL issuer name using the older algorithm
+Outputs the "hash" of the CRL issuer name using the older algorithm
 as used by OpenSSL versions before 1.0.0.
 
 =item B<-issuer>
 
-output the issuer name.
+Output the issuer name.
 
 =item B<-lastupdate>
 
-output the lastUpdate field.
+Output the lastUpdate field.
 
 =item B<-nextupdate>
 
-output the nextUpdate field.
+Output the nextUpdate field.
 
 =item B<-CAfile file>
 
-verify the signature on a CRL by looking up the issuing certificate in
-B<file>
+Verify the signature on a CRL by looking up the issuing certificate in
+B<file>.
 
 =item B<-CApath dir>
 
-verify the signature on a CRL by looking up the issuing certificate in
+Verify the signature on a CRL by looking up the issuing certificate in
 B<dir>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
@@ -132,7 +132,7 @@ L<crl2pkcs7(1)>, L<ca(1)>, L<x509(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/crl2pkcs7.pod b/doc/man1/crl2pkcs7.pod
index 8c679ea..11d7cc9 100644
--- a/doc/man1/crl2pkcs7.pod
+++ b/doc/man1/crl2pkcs7.pod
@@ -48,19 +48,19 @@ option is not specified.
 
 =item B<-out filename>
 
-specifies the output filename to write the PKCS#7 structure to or standard
+Specifies the output filename to write the PKCS#7 structure to or standard
 output by default.
 
 =item B<-certfile filename>
 
-specifies a filename containing one or more certificates in B<PEM> format.
+Specifies a filename containing one or more certificates in B<PEM> format.
 All certificates in the file will be added to the PKCS#7 structure. This
 option can be used more than once to read certificates form multiple
 files.
 
 =item B<-nocrl>
 
-normally a CRL is included in the output file. With this option no CRL is
+Normally a CRL is included in the output file. With this option no CRL is
 included in the output file and a CRL is not read from the input file.
 
 =back
@@ -95,7 +95,7 @@ L<pkcs7(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod
index 3f1b02c..9faaf34 100644
--- a/doc/man1/dgst.pod
+++ b/doc/man1/dgst.pod
@@ -59,34 +59,34 @@ supported digests, use the command I<list --digest-commands>.
 
 =item B<-c>
 
-print out the digest in two digit groups separated by colons, only relevant if
+Print out the digest in two digit groups separated by colons, only relevant if
 B<hex> format output is used.
 
 =item B<-d>
 
-print out BIO debugging information.
+Print out BIO debugging information.
 
 =item B<-hex>
 
-digest is to be output as a hex dump. This is the default case for a "normal"
+Digest is to be output as a hex dump. This is the default case for a "normal"
 digest as opposed to a digital signature.  See NOTES below for digital
 signatures using B<-hex>.
 
 =item B<-binary>
 
-output the digest or signature in binary form.
+Output the digest or signature in binary form.
 
 =item B<-r>
 
-output the digest in the "coreutils" format used by programs like B<sha1sum>.
+Output the digest in the "coreutils" format used by programs like B<sha1sum>.
 
 =item B<-out filename>
 
-filename to output to, or standard output by default.
+Filename to output to, or standard output by default.
 
 =item B<-sign filename>
 
-digitally sign the digest using the private key in "filename".
+Digitally sign the digest using the private key in "filename".
 
 =item B<-keyform arg>
 
@@ -98,32 +98,31 @@ and ENGINE formats are supported.
 Pass options to the signature algorithm during sign or verify operations.
 Names and values of these options are algorithm-specific.
 
-
 =item B<-passin arg>
 
-the private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-verify filename>
 
-verify the signature using the public key in "filename".
+Verify the signature using the public key in "filename".
 The output is either "Verification OK" or "Verification Failure".
 
 =item B<-prverify filename>
 
-verify the signature using the private key in "filename".
+Verify the signature using the private key in "filename".
 
 =item B<-signature filename>
 
-the actual signature to verify.
+The actual signature to verify.
 
 =item B<-hmac key>
 
-create a hashed MAC using "key".
+Create a hashed MAC using "key".
 
 =item B<-mac alg>
 
-create MAC (keyed Message Authentication Code). The most popular MAC
+Create MAC (keyed Message Authentication Code). The most popular MAC
 algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
 which are not based on hash, for instance B<gost-mac> algorithm,
 supported by B<ccgost> engine. MAC keys and other options should be set
@@ -152,7 +151,7 @@ for example exactly 32 chars for gost-mac.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -160,8 +159,7 @@ all others.
 
 =item B<-fips-fingerprint>
 
-compute HMAC using a specific key
-for certain OpenSSL-FIPS operations.
+Compute HMAC using a specific key for certain OpenSSL-FIPS operations.
 
 =item B<-engine id>
 
@@ -177,7 +175,7 @@ engine B<id> for digest operations.
 
 =item B<file...>
 
-file or files to digest. If no files are specified then standard input is
+File or files to digest. If no files are specified then standard input is
 used.
 
 =back
@@ -230,7 +228,7 @@ The FIPS-related options were removed in OpenSSL 1.1.0
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/dhparam.pod b/doc/man1/dhparam.pod
index addd88a..a6317a9 100644
--- a/doc/man1/dhparam.pod
+++ b/doc/man1/dhparam.pod
@@ -84,7 +84,7 @@ default generator 2.
 
 =item B<-rand> I<file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -92,7 +92,7 @@ all others.
 
 =item I<numbits>
 
-this option specifies that a parameter set should be generated of size
+This option specifies that a parameter set should be generated of size
 I<numbits>. It must be the last option. If this option is present then
 the input file is ignored and parameters are generated instead. If
 this option is not present but a generator (B<-2> or B<-5>) is
@@ -100,20 +100,20 @@ present, parameters are generated with a default length of 2048 bits.
 
 =item B<-noout>
 
-this option inhibits the output of the encoded version of the parameters.
+This option inhibits the output of the encoded version of the parameters.
 
 =item B<-text>
 
-this option prints out the DH parameters in human readable form.
+This option prints out the DH parameters in human readable form.
 
 =item B<-C>
 
-this option converts the parameters into C code. The parameters can then
+This option converts the parameters into C code. The parameters can then
 be loaded by calling the get_dhNNNN() function.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<dhparam>
+Specifying an engine (by its unique B<id> string) will cause B<dhparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -149,7 +149,7 @@ L<dsaparam(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/dsa.pod b/doc/man1/dsa.pod
index b852987..2f8df0c 100644
--- a/doc/man1/dsa.pod
+++ b/doc/man1/dsa.pod
@@ -73,7 +73,7 @@ prompted for.
 
 =item B<-passin arg>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
@@ -85,7 +85,7 @@ filename.
 
 =item B<-passout arg>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
@@ -100,30 +100,30 @@ These options can only be used with PEM format output files.
 
 =item B<-text>
 
-prints out the public, private key components and parameters.
+Prints out the public, private key components and parameters.
 
 =item B<-noout>
 
-this option prevents output of the encoded version of the key.
+This option prevents output of the encoded version of the key.
 
 =item B<-modulus>
 
-this option prints out the value of the public key component of the key.
+This option prints out the value of the public key component of the key.
 
 =item B<-pubin>
 
-by default a private key is read from the input file: with this option a
+By default, a private key is read from the input file. With this option a
 public key is read instead.
 
 =item B<-pubout>
 
-by default a private key is output. With this option a public
+By default, a private key is output. With this option a public
 key will be output instead. This option is automatically set if the input is
 a public key.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<dsa>
+Specifying an engine (by its unique B<id> string) will cause B<dsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/dsaparam.pod b/doc/man1/dsaparam.pod
index 08ad47f..0a34c29 100644
--- a/doc/man1/dsaparam.pod
+++ b/doc/man1/dsaparam.pod
@@ -58,25 +58,25 @@ as the input filename.
 
 =item B<-noout>
 
-this option inhibits the output of the encoded version of the parameters.
+This option inhibits the output of the encoded version of the parameters.
 
 =item B<-text>
 
-this option prints out the DSA parameters in human readable form.
+This option prints out the DSA parameters in human readable form.
 
 =item B<-C>
 
-this option converts the parameters into C code. The parameters can then
+This option converts the parameters into C code. The parameters can then
 be loaded by calling the get_dsaXXX() function.
 
 =item B<-genkey>
 
-this option will generate a DSA either using the specified or generated
+This option will generate a DSA either using the specified or generated
 parameters.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -84,13 +84,13 @@ all others.
 
 =item B<numbits>
 
-this option specifies that a parameter set should be generated of size
+This option specifies that a parameter set should be generated of size
 B<numbits>. It must be the last option. If this option is included then
 the input file (if any) is ignored.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<dsaparam>
+Specifying an engine (by its unique B<id> string) will cause B<dsaparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -114,7 +114,7 @@ L<rsa(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/ec.pod b/doc/man1/ec.pod
index a5f920e..99cf9d0 100644
--- a/doc/man1/ec.pod
+++ b/doc/man1/ec.pod
@@ -66,7 +66,7 @@ prompted for.
 
 =item B<-passin arg>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
@@ -78,7 +78,7 @@ filename.
 
 =item B<-passout arg>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-des|-des3|-idea>
@@ -94,24 +94,24 @@ These options can only be used with PEM format output files.
 
 =item B<-text>
 
-prints out the public, private key components and parameters.
+Prints out the public, private key components and parameters.
 
 =item B<-noout>
 
-this option prevents output of the encoded version of the key.
+This option prevents output of the encoded version of the key.
 
 =item B<-modulus>
 
-this option prints out the value of the public key component of the key.
+This option prints out the value of the public key component of the key.
 
 =item B<-pubin>
 
-by default a private key is read from the input file: with this option a
+By default, a private key is read from the input file. With this option a
 public key is read instead.
 
 =item B<-pubout>
 
-by default a private key is output. With this option a public
+By default a private key is output. With this option a public
 key will be output instead. This option is automatically set if the input is
 a public key.
 
@@ -141,11 +141,11 @@ This option omits the public key components from the private key output.
 
 =item B<-check>
 
-this option checks the consistency of an EC private or public key.
+This option checks the consistency of an EC private or public key.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<ec>
+Specifying an engine (by its unique B<id> string) will cause B<ec>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -196,7 +196,7 @@ L<ecparam(1)>, L<dsa(1)>, L<rsa(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/ecparam.pod b/doc/man1/ecparam.pod
index 5167896..7e0d074 100644
--- a/doc/man1/ecparam.pod
+++ b/doc/man1/ecparam.pod
@@ -118,7 +118,7 @@ This option will generate an EC private key using the specified parameters.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -126,7 +126,7 @@ all others.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<ecparam>
+Specifying an engine (by its unique B<id> string) will cause B<ecparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -175,7 +175,7 @@ L<ec(1)>, L<dsaparam(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/gendsa.pod b/doc/man1/gendsa.pod
index a148b20..1068ffd 100644
--- a/doc/man1/gendsa.pod
+++ b/doc/man1/gendsa.pod
@@ -51,7 +51,7 @@ If none of these options is specified no encryption is used.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -59,7 +59,7 @@ all others.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<gendsa>
+Specifying an engine (by its unique B<id> string) will cause B<gendsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod
index 8df0905..50a7b1b 100644
--- a/doc/man1/genpkey.pod
+++ b/doc/man1/genpkey.pod
@@ -42,7 +42,7 @@ This specifies the output format DER or PEM.
 
 =item B<-pass arg>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-cipher>
@@ -52,7 +52,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<genpkey>
+Specifying an engine (by its unique B<id> string) will cause B<genpkey>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms. If used this option should precede all other
@@ -60,19 +60,19 @@ options.
 
 =item B<-algorithm alg>
 
-public key algorithm to use such as RSA, DSA or DH. If used this option must
+Public key algorithm to use such as RSA, DSA or DH. If used this option must
 precede any B<-pkeyopt> options. The options B<-paramfile> and B<-algorithm>
 are mutually exclusive.
 
 =item B<-pkeyopt opt:value>
 
-set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option B<opt> to B<value>. The precise set of
 options supported depends on the public key algorithm used and its
 implementation. See B<KEY GENERATION OPTIONS> below for more details.
 
 =item B<-genparam>
 
-generate a set of parameters instead of a private key. If used this option must
+Generate a set of parameters instead of a private key. If used this option must
 precede any B<-algorithm>, B<-paramfile> or B<-pkeyopt> options.
 
 =item B<-paramfile filename>
@@ -179,11 +179,11 @@ key from a named curve without the need to use an explicit parameter file.
 
 =item B<ec_paramgen_curve:curve>
 
-the EC curve to use. OpenSSL supports NIST curve names such as "P-256".
+The EC curve to use. OpenSSL supports NIST curve names such as "P-256".
 
 =item B<ec_param_enc:encoding>
 
-the encoding to use for parameters. The "encoding" parameter must be either
+The encoding to use for parameters. The "encoding" parameter must be either
 "named_curve" or "explicit".
 
 =back
@@ -292,7 +292,7 @@ were added in OpenSSL 1.0.2.
 
 =head1 COPYRIGHT
 
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/genrsa.pod b/doc/man1/genrsa.pod
index f4ed959..4e44fe5 100644
--- a/doc/man1/genrsa.pod
+++ b/doc/man1/genrsa.pod
@@ -47,8 +47,8 @@ standard output is used.
 
 =item B<-passout arg>
 
-the output file password source. For more information about the format of B<arg>
-see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
+The output file password source. For more information about the format
+of B<arg> see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
 
@@ -59,11 +59,11 @@ for if it is not supplied via the B<-passout> argument.
 
 =item B<-F4|-3>
 
-the public exponent to use, either 65537 or 3. The default is 65537.
+The public exponent to use, either 65537 or 3. The default is 65537.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -71,14 +71,14 @@ all others.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<genrsa>
+Specifying an engine (by its unique B<id> string) will cause B<genrsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<numbits>
 
-the size of the private key to generate in bits. This must be the last option
+The size of the private key to generate in bits. This must be the last option
 specified. The default is 2048.
 
 =back
diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod
index ec82088..058462f 100644
--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -153,25 +153,25 @@ a nonce is automatically added specifying B<no_nonce> overrides this.
 
 =item B<-req_text>, B<-resp_text>, B<-text>
 
-print out the text form of the OCSP request, response or both respectively.
+Print out the text form of the OCSP request, response or both respectively.
 
 =item B<-reqout file>, B<-respout file>
 
-write out the DER encoded certificate request or response to B<file>.
+Write out the DER encoded certificate request or response to B<file>.
 
 =item B<-reqin file>, B<-respin file>
 
-read OCSP request or response file from B<file>. These option are ignored
+Read OCSP request or response file from B<file>. These option are ignored
 if OCSP request or response creation is implied by other options (for example
 with B<serial>, B<cert> and B<host> options).
 
 =item B<-url responder_url>
 
-specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
+Specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified.
 
 =item B<-host hostname:port>, B<-path pathname>
 
-if the B<host> option is present then the OCSP request is sent to the host
+If the B<host> option is present then the OCSP request is sent to the host
 B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
 or "/" by default.  This is equivalent to specifying B<-url> with scheme
 http:// and the given hostname, port, and pathname.
@@ -184,11 +184,11 @@ This may be repeated.
 
 =item B<-timeout seconds>
 
-connection timeout to the OCSP responder in seconds
+Connection timeout to the OCSP responder in seconds
 
 =item B<-CAfile file>, B<-CApath pathname>
 
-file or pathname containing trusted CA certificates. These are used to verify
+File or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
 =item B<-no-CAfile>
@@ -212,65 +212,66 @@ See L<verify(1)> manual page for details.
 
 =item B<-verify_other file>
 
-file containing additional certificates to search when attempting to locate
+File containing additional certificates to search when attempting to locate
 the OCSP response signing certificate. Some responders omit the actual signer's
 certificate from the response: this option can be used to supply the necessary
 certificate in such cases.
 
 =item B<-trust_other>
 
-the certificates specified by the B<-verify_other> option should be explicitly
+The certificates specified by the B<-verify_other> option should be explicitly
 trusted and no additional checks will be performed on them. This is useful
 when the complete responder certificate chain is not available or trusting a
 root CA is not appropriate.
 
 =item B<-VAfile file>
 
-file containing explicitly trusted responder certificates. Equivalent to the
+File containing explicitly trusted responder certificates. Equivalent to the
 B<-verify_other> and B<-trust_other> options.
 
 =item B<-noverify>
 
-don't attempt to verify the OCSP response signature or the nonce values. This
-option will normally only be used for debugging since it disables all verification
-of the responders certificate.
+Don't attempt to verify the OCSP response signature or the nonce
+values. This option will normally only be used for debugging since it
+disables all verification of the responders certificate.
 
 =item B<-no_intern>
 
-ignore certificates contained in the OCSP response when searching for the
+Ignore certificates contained in the OCSP response when searching for the
 signers certificate. With this option the signers certificate must be specified
 with either the B<-verify_other> or B<-VAfile> options.
 
 =item B<-no_signature_verify>
 
-don't check the signature on the OCSP response. Since this option tolerates invalid
-signatures on OCSP responses it will normally only be used for testing purposes.
+Don't check the signature on the OCSP response. Since this option
+tolerates invalid signatures on OCSP responses it will normally only be
+used for testing purposes.
 
 =item B<-no_cert_verify>
 
-don't verify the OCSP response signers certificate at all. Since this option allows
-the OCSP response to be signed by any certificate it should only be used for
-testing purposes.
+Don't verify the OCSP response signers certificate at all. Since this
+option allows the OCSP response to be signed by any certificate it should
+only be used for testing purposes.
 
 =item B<-no_chain>
 
-do not use certificates in the response as additional untrusted CA
+Do not use certificates in the response as additional untrusted CA
 certificates.
 
 =item B<-no_explicit>
 
-do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
+Do not explicitly trust the root CA if it is set to be trusted for OCSP signing.
 
 =item B<-no_cert_checks>
 
-don't perform any additional checks on the OCSP response signers certificate.
+Don't perform any additional checks on the OCSP response signers certificate.
 That is do not make any checks to see if the signers certificate is authorised
 to provide the necessary status information: as a result this option should
 only be used for testing purposes.
 
 =item B<-validity_period nsec>, B<-status_age age>
 
-these options specify the range of times, in seconds, which will be tolerated
+These options specify the range of times, in seconds, which will be tolerated
 in an OCSP response. Each certificate status response includes a B<notBefore>
 time and an optional B<notAfter> time. The current time should fall between
 these two values, but the interval between the two times may be only a few
@@ -286,7 +287,7 @@ By default this additional check is not performed.
 
 =item B<-[digest]>
 
-this option sets digest algorithm to use for certificate identification in the
+This option sets digest algorithm to use for certificate identification in the
 OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
 The default is SHA-1. This option may be used multiple times to specify the
 digest used by subsequent certificate identifiers.
@@ -299,16 +300,17 @@ digest used by subsequent certificate identifiers.
 
 =item B<-index indexfile>
 
-B<indexfile> is a text index file in B<ca> format containing certificate revocation
-information.
+The B<indexfile> parameter is the name of a text index file in B<ca>
+format containing certificate revocation information.
 
-If the B<index> option is specified the B<ocsp> utility is in responder mode, otherwise
-it is in client mode. The request(s) the responder processes can be either specified on
-the command line (using B<issuer> and B<serial> options), supplied in a file (using the
-B<reqin> option) or via external OCSP clients (if B<port> or B<url> is specified).
+If the B<index> option is specified the B<ocsp> utility is in responder
+mode, otherwise it is in client mode. The request(s) the responder
+processes can be either specified on the command line (using B<issuer>
+and B<serial> options), supplied in a file (using the B<reqin> option)
+or via external OCSP clients (if B<port> or B<url> is specified).
 
-If the B<index> option is present then the B<CA> and B<rsigner> options must also be
-present.
+If the B<index> option is present then the B<CA> and B<rsigner> options
+must also be present.
 
 =item B<-CA file>
 
@@ -328,17 +330,18 @@ Don't include any certificates in the OCSP response.
 
 =item B<-resp_key_id>
 
-Identify the signer certificate using the key ID, default is to use the subject name.
+Identify the signer certificate using the key ID, default is to use the
+subject name.
 
 =item B<-rkey file>
 
-The private key to sign OCSP responses with: if not present the file specified in the
-B<rsigner> option is used.
+The private key to sign OCSP responses with: if not present the file
+specified in the B<rsigner> option is used.
 
 =item B<-port portnum>
 
-Port to listen for OCSP requests on. The port may also be specified using the B<url>
-option.
+Port to listen for OCSP requests on. The port may also be specified
+using the B<url> option.
 
 =item B<-nrequest number>
 
@@ -346,9 +349,10 @@ The OCSP server will exit after receiving B<number> requests, default unlimited.
 
 =item B<-nmin minutes>, B<-ndays days>
 
-Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
-is omitted meaning fresh revocation information is immediately available.
+Number of minutes or days when fresh revocation information is available:
+used in the B<nextUpdate> field. If neither option is present then the
+B<nextUpdate> field is omitted meaning fresh revocation information is
+immediately available.
 
 =back
 
@@ -456,7 +460,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod
index da07cd5..bfac312 100644
--- a/doc/man1/openssl.pod
+++ b/doc/man1/openssl.pod
@@ -91,7 +91,7 @@ Cipher Suite Description Determination.
 
 =item L<B<cms>|cms(1)>
 
-CMS (Cryptographic Message Syntax) utility
+CMS (Cryptographic Message Syntax) utility.
 
 =item L<B<crl>|crl(1)>
 
@@ -113,8 +113,7 @@ Obsoleted by L<B<dhparam>|dhparam(1)>.
 =item L<B<dhparam>|dhparam(1)>
 
 Generation and Management of Diffie-Hellman Parameters. Superseded by
-L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
-
+L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.
 
 =item L<B<dsa>|dsa(1)>
 
@@ -123,15 +122,15 @@ DSA Data Management.
 =item L<B<dsaparam>|dsaparam(1)>
 
 DSA Parameter Generation and Management. Superseded by
-L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
+L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>.
 
 =item L<B<ec>|ec(1)>
 
-EC (Elliptic curve) key processing
+EC (Elliptic curve) key processing.
 
 =item L<B<ecparam>|ecparam(1)>
 
-EC parameter manipulation and generation
+EC parameter manipulation and generation.
 
 =item L<B<enc>|enc(1)>
 
@@ -153,7 +152,7 @@ Obsoleted by L<B<dhparam>|dhparam(1)>.
 =item L<B<gendsa>|gendsa(1)>
 
 Generation of DSA Private Key from Parameters. Superseded by
-L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
+L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>.
 
 =item L<B<genpkey>|genpkey(1)>
 
@@ -165,7 +164,7 @@ Generation of RSA Private Key. Superseded by L<B<genpkey>|genpkey(1)>.
 
 =item L<B<nseq>|nseq(1)>
 
-Create or examine a Netscape certificate sequence
+Create or examine a Netscape certificate sequence.
 
 =item L<B<ocsp>|ocsp(1)>
 
@@ -211,7 +210,7 @@ RSA key management.
 =item L<B<rsautl>|rsautl(1)>
 
 RSA utility for signing, verification, encryption, and decryption. Superseded
-by  L<B<pkeyutl>|pkeyutl(1)>
+by  L<B<pkeyutl>|pkeyutl(1)>.
 
 =item L<B<s_client>|s_client(1)>
 
@@ -247,11 +246,11 @@ Algorithm Speed Measurement.
 
 =item L<B<spkac>|spkac(1)>
 
-SPKAC printing and generating utility
+SPKAC printing and generating utility.
 
 =item L<B<ts>|ts(1)>
 
-Time Stamping Authority tool (client/server)
+Time Stamping Authority tool (client/server).
 
 =item L<B<verify>|verify(1)>
 
@@ -388,19 +387,19 @@ terminal with echoing turned off.
 
 =item B<pass:password>
 
-the actual password is B<password>. Since the password is visible
+The actual password is B<password>. Since the password is visible
 to utilities (like 'ps' under Unix) this form should only be used
 where security is not important.
 
 =item B<env:var>
 
-obtain the password from the environment variable B<var>. Since
+Obtain the password from the environment variable B<var>. Since
 the environment of other processes is visible on certain platforms
 (e.g. ps under certain Unix OSes) this option should be used with caution.
 
 =item B<file:pathname>
 
-the first line of B<pathname> is the password. If the same B<pathname>
+The first line of B<pathname> is the password. If the same B<pathname>
 argument is supplied to B<-passin> and B<-passout> arguments then the first
 line will be used for the input password and the next line for the output
 password. B<pathname> need not refer to a regular file: it could for example
@@ -408,12 +407,12 @@ refer to a device or named pipe.
 
 =item B<fd:number>
 
-read the password from the file descriptor B<number>. This can be used to
+Read the password from the file descriptor B<number>. This can be used to
 send the data via a pipe for example.
 
 =item B<stdin>
 
-read the password from standard input.
+Read the password from standard input.
 
 =back
 
@@ -441,7 +440,7 @@ manual pages.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod
index 82e64da..80373f2 100644
--- a/doc/man1/pkcs12.pod
+++ b/doc/man1/pkcs12.pod
@@ -75,13 +75,13 @@ default.  They are all written in PEM format.
 
 =item B<-passin arg>
 
-the PKCS#12 file (i.e. input file) password source. For more information about
+The PKCS#12 file (i.e. input file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
 L<openssl(1)>.
 
 =item B<-passout arg>
 
-pass phrase source to encrypt any outputted private keys with. For more
+Pass phrase source to encrypt any outputted private keys with. For more
 information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
 in L<openssl(1)>.
 
@@ -92,65 +92,65 @@ Otherwise, -password is equivalent to -passin.
 
 =item B<-noout>
 
-this option inhibits output of the keys and certificates to the output file
+This option inhibits output of the keys and certificates to the output file
 version of the PKCS#12 file.
 
 =item B<-clcerts>
 
-only output client certificates (not CA certificates).
+Only output client certificates (not CA certificates).
 
 =item B<-cacerts>
 
-only output CA certificates (not client certificates).
+Only output CA certificates (not client certificates).
 
 =item B<-nocerts>
 
-no certificates at all will be output.
+No certificates at all will be output.
 
 =item B<-nokeys>
 
-no private keys will be output.
+No private keys will be output.
 
 =item B<-info>
 
-output additional information about the PKCS#12 file structure, algorithms used and
-iteration counts.
+Output additional information about the PKCS#12 file structure, algorithms
+used and iteration counts.
 
 =item B<-des>
 
-use DES to encrypt private keys before outputting.
+Use DES to encrypt private keys before outputting.
 
 =item B<-des3>
 
-use triple DES to encrypt private keys before outputting, this is the default.
+Use triple DES to encrypt private keys before outputting, this is the default.
 
 =item B<-idea>
 
-use IDEA to encrypt private keys before outputting.
+Use IDEA to encrypt private keys before outputting.
 
 =item B<-aes128>, B<-aes192>, B<-aes256>
 
-use AES to encrypt private keys before outputting.
+Use AES to encrypt private keys before outputting.
 
 =item B<-aria128>, B<-aria192>, B<-aria256>
 
-use ARIA to encrypt private keys before outputting.
+Use ARIA to encrypt private keys before outputting.
 
 =item B<-camellia128>, B<-camellia192>, B<-camellia256>
 
-use Camellia to encrypt private keys before outputting.
+Use Camellia to encrypt private keys before outputting.
 
 =item B<-nodes>
 
-don't encrypt the private keys at all.
+Don't encrypt the private keys at all.
 
 =item B<-nomacver>
 
-don't attempt to verify the integrity MAC before reading the file.
+Don't attempt to verify the integrity MAC before reading the file.
 
 =item B<-twopass>
 
-prompt for separate integrity and encryption passwords: most software
+Prompt for separate integrity and encryption passwords: most software
 always assumes these are the same so this option will render such
 PKCS#12 files unreadable.
 
@@ -179,7 +179,7 @@ certificates are present they will also be included in the PKCS#12 file.
 
 =item B<-inkey filename>
 
-file to read private key from. If not present then a private key must be present
+File to read private key from. If not present then a private key must be present
 in the input file.
 
 =item B<-name friendlyname>
@@ -200,31 +200,31 @@ displays them.
 
 =item B<-pass arg>, B<-passout arg>
 
-the PKCS#12 file (i.e. output file) password source. For more information about
+The PKCS#12 file (i.e. output file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
 L<openssl(1)>.
 
 =item B<-passin password>
 
-pass phrase source to decrypt any input private keys with. For more information
+Pass phrase source to decrypt any input private keys with. For more information
 about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
 L<openssl(1)>.
 
 =item B<-chain>
 
-if this option is present then an attempt is made to include the entire
+If this option is present then an attempt is made to include the entire
 certificate chain of the user certificate. The standard CA store is used
 for this search. If the search fails it is considered a fatal error.
 
 =item B<-descert>
 
-encrypt the certificate using triple DES, this may render the PKCS#12
+Encrypt the certificate using triple DES, this may render the PKCS#12
 file unreadable by some "export grade" software. By default the private
 key is encrypted using triple DES and the certificate using 40 bit RC2.
 
 =item B<-keypbe alg>, B<-certpbe alg>
 
-these options allow the algorithm used to encrypt the private key and
+These options allow the algorithm used to encrypt the private key and
 certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 PBE algorithm name
 can be used (see B<NOTES> section for more information). If a cipher name
 (as output by the B<list-cipher-algorithms> command is specified then it
@@ -233,7 +233,7 @@ use PKCS#12 algorithms.
 
 =item B<-keyex|-keysig>
 
-specifies that the private key is to be used for key exchange or just signing.
+Specifies that the private key is to be used for key exchange or just signing.
 This option is only interpreted by MSIE and similar MS software. Normally
 "export grade" software will only allow 512 bit RSA keys to be used for
 encryption purposes but arbitrary length keys for signing. The B<-keysig>
@@ -244,11 +244,11 @@ the use of signing only keys for SSL client authentication.
 
 =item B<-macalg digest>
 
-specify the MAC digest algorithm. If not included them SHA1 will be used.
+Specify the MAC digest algorithm. If not included them SHA1 will be used.
 
 =item B<-nomaciter>, B<-noiter>
 
-these options affect the iteration counts on the MAC and key algorithms.
+These options affect the iteration counts on the MAC and key algorithms.
 Unless you wish to produce files compatible with MSIE 4.0 you should leave
 these options alone.
 
@@ -271,11 +271,11 @@ to be needed to use MAC iterations counts but they are now used by default.
 
 =item B<-nomac>
 
-don't attempt to provide the MAC integrity.
+Don't attempt to provide the MAC integrity.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -293,15 +293,15 @@ linked to each certificate.
 
 =item B<-no-CAfile>
 
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
 
 =item B<-no-CApath>
 
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
 
 =item B<-CSP name>
 
-write B<name> as a Microsoft CSP name.
+Write B<name> as a Microsoft CSP name.
 
 =back
 
diff --git a/doc/man1/pkcs7.pod b/doc/man1/pkcs7.pod
index d238946..184ac14 100644
--- a/doc/man1/pkcs7.pod
+++ b/doc/man1/pkcs7.pod
@@ -47,27 +47,27 @@ option is not specified.
 
 =item B<-out filename>
 
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
 default.
 
 =item B<-print_certs>
 
-prints out any certificates or CRLs contained in the file. They are
+Prints out any certificates or CRLs contained in the file. They are
 preceded by their subject and issuer names in one line format.
 
 =item B<-text>
 
-prints out certificates details in full rather than just subject and
+Prints out certificates details in full rather than just subject and
 issuer names.
 
 =item B<-noout>
 
-don't output the encoded version of the PKCS#7 structure (or certificates
+Don't output the encoded version of the PKCS#7 structure (or certificates
 is B<-print_certs> is set).
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<pkcs7>
+Specifying an engine (by its unique B<id> string) will cause B<pkcs7>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -109,7 +109,7 @@ L<crl2pkcs7(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/pkcs8.pod b/doc/man1/pkcs8.pod
index dee64a0..ebdcea9 100644
--- a/doc/man1/pkcs8.pod
+++ b/doc/man1/pkcs8.pod
@@ -69,7 +69,7 @@ prompted for.
 
 =item B<-passin arg>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
@@ -81,7 +81,7 @@ filename.
 
 =item B<-passout arg>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-iter count>
@@ -124,21 +124,21 @@ If not specified PKCS#5 v2.0 form is used.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<pkcs8>
+Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-scrypt>
 
-uses the B<scrypt> algorithm for private key encryption using default
+Uses the B<scrypt> algorithm for private key encryption using default
 parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
 key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
 B<-scrypt_p> and B<-v2> options.
 
-B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
+=item B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
 
-sets the scrypt B<N>, B<r> or B<p> parameters.
+Sets the scrypt B<N>, B<r> or B<p> parameters.
 
 =back
 
@@ -291,7 +291,7 @@ The B<-iter> option was added to OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/pkey.pod b/doc/man1/pkey.pod
index 2119c70..a09736d 100644
--- a/doc/man1/pkey.pod
+++ b/doc/man1/pkey.pod
@@ -53,7 +53,7 @@ prompted for.
 
 =item B<-passin arg>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
@@ -65,12 +65,12 @@ filename.
 
 =item B<-passout password>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-traditional>
 
-normally a private key is written using standard format: this is PKCS#8 form
+Normally a private key is written using standard format: this is PKCS#8 form
 with the appropriate encryption algorithm (if any). If the B<-traditional>
 option is specified then the older "traditional" format is used instead.
 
@@ -81,31 +81,31 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
 
 =item B<-text>
 
-prints out the various public or private key components in
+Prints out the various public or private key components in
 plain text in addition to the encoded version.
 
 =item B<-text_pub>
 
-print out only public key components even if a private key is being processed.
+Print out only public key components even if a private key is being processed.
 
 =item B<-noout>
 
-do not output the encoded version of the key.
+Do not output the encoded version of the key.
 
 =item B<-pubin>
 
-by default a private key is read from the input file: with this
+By default a private key is read from the input file: with this
 option a public key is read instead.
 
 =item B<-pubout>
 
-by default a private key is output: with this option a public
+By default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<pkey>
+Specifying an engine (by its unique B<id> string) will cause B<pkey>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -145,7 +145,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/pkeyparam.pod b/doc/man1/pkeyparam.pod
index 755915f..d3440ea 100644
--- a/doc/man1/pkeyparam.pod
+++ b/doc/man1/pkeyparam.pod
@@ -39,15 +39,15 @@ this option is not specified.
 
 =item B<-text>
 
-prints out the parameters in plain text in addition to the encoded version.
+Prints out the parameters in plain text in addition to the encoded version.
 
 =item B<-noout>
 
-do not output the encoded version of the parameters.
+Do not output the encoded version of the parameters.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
+Specifying an engine (by its unique B<id> string) will cause B<pkeyparam>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -72,7 +72,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index 310c5cc..ee8a588 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -53,7 +53,7 @@ if this option is not specified.
 
 =item B<-out filename>
 
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
 default.
 
 =item B<-sigfile file>
@@ -62,64 +62,63 @@ Signature file, required for B<verify> operations only
 
 =item B<-inkey file>
 
-the input key file, by default it should be a private key.
+The input key file, by default it should be a private key.
 
 =item B<-keyform PEM|DER|ENGINE>
 
-the key format PEM, DER or ENGINE. Default is PEM.
+The key format PEM, DER or ENGINE. Default is PEM.
 
 =item B<-passin arg>
 
-the input key password source. For more information about the format of B<arg>
+The input key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
-
 =item B<-peerkey file>
 
-the peer key file, used by key derivation (agreement) operations.
+The peer key file, used by key derivation (agreement) operations.
 
 =item B<-peerform PEM|DER|ENGINE>
 
-the peer key format PEM, DER or ENGINE. Default is PEM.
+The peer key format PEM, DER or ENGINE. Default is PEM.
 
 =item B<-pubin>
 
-the input file is a public key.
+The input file is a public key.
 
 =item B<-certin>
 
-the input is a certificate containing a public key.
+The input is a certificate containing a public key.
 
 =item B<-rev>
 
-reverse the order of the input buffer. This is useful for some libraries
+Reverse the order of the input buffer. This is useful for some libraries
 (such as CryptoAPI) which represent the buffer in little endian format.
 
 =item B<-sign>
 
-sign the input data and output the signed result. This requires
+Sign the input data and output the signed result. This requires
 a private key.
 
 =item B<-verify>
 
-verify the input data against the signature file and indicate if the
+Verify the input data against the signature file and indicate if the
 verification succeeded or failed.
 
 =item B<-verifyrecover>
 
-verify the input data and output the recovered data.
+Verify the input data and output the recovered data.
 
 =item B<-encrypt>
 
-encrypt the input data using a public key.
+Encrypt the input data using a public key.
 
 =item B<-decrypt>
 
-decrypt the input data using a private key.
+Decrypt the input data using a private key.
 
 =item B<-derive>
 
-derive a shared secret using the peer key.
+Derive a shared secret using the peer key.
 
 =item B<-kdf algorithm>
 
@@ -144,12 +143,12 @@ hex dump the output data.
 
 =item B<-asn1parse>
 
-asn1parse the output data, this is useful when combined with the
+Parse the ASN.1 output data, this is useful when combined with the
 B<-verifyrecover> option when an ASN1 structure is signed.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
+Specifying an engine (by its unique B<id> string) will cause B<pkeyutl>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -308,7 +307,7 @@ L<EVP_PKEY_CTX_set_hkdf_md(3)>, L<EVP_PKEY_CTX_set_tls1_prf_md(3)>
 
 =head1 COPYRIGHT
 
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index 641d8f6..f9e424b 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -81,7 +81,7 @@ options (B<-new> and B<-newkey>) are not specified.
 
 =item B<-passin arg>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
@@ -91,38 +91,38 @@ default.
 
 =item B<-passout arg>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-text>
 
-prints out the certificate request in text form.
+Prints out the certificate request in text form.
 
 =item B<-subject>
 
-prints out the request subject (or certificate subject if B<-x509> is
+Prints out the request subject (or certificate subject if B<-x509> is
 specified)
 
 =item B<-pubkey>
 
-outputs the public key.
+Outputs the public key.
 
 =item B<-noout>
 
-this option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the request.
 
 =item B<-modulus>
 
-this option prints out the value of the modulus of the public key
+This option prints out the value of the modulus of the public key
 contained in the request.
 
 =item B<-verify>
 
-verifies the signature on the request.
+Verifies the signature on the request.
 
 =item B<-new>
 
-this option generates a new certificate request. It will prompt
+This option generates a new certificate request. It will prompt
 the user for the relevant field values. The actual fields
 prompted for and their maximum and minimum sizes are specified
 in the configuration file and any requested extensions.
@@ -132,7 +132,7 @@ key using information specified in the configuration file.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -140,7 +140,7 @@ all others.
 
 =item B<-newkey arg>
 
-this option creates a new certificate request and a new private
+This option creates a new certificate request and a new private
 key. The argument takes one of several forms. B<rsa:nbits>, where
 B<nbits> is the number of bits, generates an RSA key B<nbits>
 in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified,
@@ -166,7 +166,7 @@ specified by B<-pkeyopt paramset:X>
 
 =item B<-pkeyopt opt:value>
 
-set the public key algorithm option B<opt> to B<value>. The precise set of
+Set the public key algorithm option B<opt> to B<value>. The precise set of
 options supported depends on the public key algorithm used and its
 implementation. See B<KEY GENERATION OPTIONS> in the B<genpkey> manual page
 for more details.
@@ -178,23 +178,23 @@ accepts PKCS#8 format private keys for PEM format files.
 
 =item B<-keyform PEM|DER>
 
-the format of the private key file specified in the B<-key>
+The format of the private key file specified in the B<-key>
 argument. PEM is the default.
 
 =item B<-keyout filename>
 
-this gives the filename to write the newly created private key to.
+This gives the filename to write the newly created private key to.
 If this option is not specified then the filename present in the
 configuration file is used.
 
 =item B<-nodes>
 
-if this option is specified then if a private key is created it
+If this option is specified then if a private key is created it
 will not be encrypted.
 
 =item B<-[digest]>
 
-this specifies the message digest to sign the request.
+This specifies the message digest to sign the request.
 Any digest supported by the OpenSSL B<dgst> command can be used.
 This overrides the digest algorithm specified in
 the configuration file.
@@ -205,20 +205,20 @@ GOST R 34.11-94 (B<-md_gost94>).
 
 =item B<-config filename>
 
-this allows an alternative configuration file to be specified.
+This allows an alternative configuration file to be specified.
 Optional; for a description of the default value,
 see L<openssl(1)/COMMAND SUMMARY>.
 
 =item B<-subj arg>
 
-sets subject name for new request or supersedes the subject name
+Sets subject name for new request or supersedes the subject name
 when processing a request.
 The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
 characters may be escaped by \ (backslash), no spaces are skipped.
 
 =item B<-multivalue-rdn>
 
-this option causes the -subj argument to be interpreted with full
+This option causes the -subj argument to be interpreted with full
 support for multivalued RDNs. Example:
 
 I</DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe>
@@ -227,7 +227,7 @@ If -multi-rdn is not used then the UID value is I<123456+CN=John Doe>.
 
 =item B<-x509>
 
-this option outputs a self signed certificate instead of a certificate
+This option outputs a self signed certificate instead of a certificate
 request. This is typically used to generate a test certificate or
 a self signed root CA. The extensions added to the certificate
 (if any) are specified in the configuration file. Unless specified
@@ -236,19 +236,19 @@ the serial number.
 
 =item B<-days n>
 
-when the B<-x509> option is being used this specifies the number of
+When the B<-x509> option is being used this specifies the number of
 days to certify the certificate for. The default is 30 days.
 
 =item B<-set_serial n>
 
-serial number to use when outputting a self signed certificate. This
+Serial number to use when outputting a self signed certificate. This
 may be specified as a decimal value or a hex value if preceded by B<0x>.
 
 =item B<-extensions section>
 
 =item B<-reqexts section>
 
-these options specify alternative sections to include certificate
+These options specify alternative sections to include certificate
 extensions (if the B<-x509> option is present) or certificate
 request extensions. This allows several different sections to
 be used in the same configuration file to specify requests for
@@ -256,7 +256,7 @@ a variety of purposes.
 
 =item B<-precert>
 
-a poison extension will be added to the certificate, making it a
+A poison extension will be added to the certificate, making it a
 "pre-certificate" (see RFC6962). This can be submitted to Certificate
 Transparency logs in order to obtain signed certificate timestamps (SCTs).
 These SCTs can then be embedded into the pre-certificate as an extension, before
@@ -266,21 +266,21 @@ This implies the B<-new> flag.
 
 =item B<-utf8>
 
-this option causes field values to be interpreted as UTF8 strings, by
+This option causes field values to be interpreted as UTF8 strings, by
 default they are interpreted as ASCII. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
 
 =item B<-reqopt>
 
-customise the output format used with B<-text>. The B<option> argument can be
+Customise the output format used with B<-text>. The B<option> argument can be
 a single option or multiple options separated by commas.
 
 See discussion of the  B<-certopt> parameter in the L<x509(1)>
@@ -293,22 +293,22 @@ request. Some software (Netscape certificate server) and some CAs need this.
 
 =item B<-batch>
 
-non-interactive mode.
+Non-interactive mode.
 
 =item B<-verbose>
 
-print extra details about the operations being performed.
+Print extra details about the operations being performed.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<req>
+Specifying an engine (by its unique B<id> string) will cause B<req>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-keygen_engine id>
 
-specifies an engine (by its unique B<id> string) which would be used
+Specifies an engine (by its unique B<id> string) which would be used
 for key generation operations.
 
 =back
@@ -395,7 +395,7 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
 
 =item B<req_extensions>
 
-this specifies the configuration file section containing a list of
+This specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
 by the B<-reqexts> command line switch. See the
 L<x509v3_config(5)> manual page for details of the
@@ -403,26 +403,26 @@ extension section format.
 
 =item B<x509_extensions>
 
-this specifies the configuration file section containing a list of
+This specifies the configuration file section containing a list of
 extensions to add to certificate generated when the B<-x509> switch
 is used. It can be overridden by the B<-extensions> command line switch.
 
 =item B<prompt>
 
-if set to the value B<no> this disables prompting of certificate fields
+If set to the value B<no> this disables prompting of certificate fields
 and just takes values from the config file directly. It also changes the
 expected format of the B<distinguished_name> and B<attributes> sections.
 
 =item B<utf8>
 
-if set to the value B<yes> then field values to be interpreted as UTF8
+If set to the value B<yes> then field values to be interpreted as UTF8
 strings, by default they are interpreted as ASCII. This means that
 the field values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
 
 =item B<attributes>
 
-this specifies the section containing any request attributes: its format
+This specifies the section containing any request attributes: its format
 is the same as B<distinguished_name>. Typically these may contain the
 challengePassword or unstructuredName types. They are currently ignored
 by OpenSSL's request signing utilities but some CAs might want them.
@@ -659,7 +659,7 @@ L<x509v3_config(5)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/rsa.pod b/doc/man1/rsa.pod
index 22c3e33..6fce46c 100644
--- a/doc/man1/rsa.pod
+++ b/doc/man1/rsa.pod
@@ -74,7 +74,7 @@ prompted for.
 
 =item B<-passin arg>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-out filename>
@@ -86,7 +86,7 @@ filename.
 
 =item B<-passout password>
 
-the output file password source. For more information about the format of B<arg>
+The output file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>
@@ -101,39 +101,39 @@ These options can only be used with PEM format output files.
 
 =item B<-text>
 
-prints out the various public or private key components in
+Prints out the various public or private key components in
 plain text in addition to the encoded version.
 
 =item B<-noout>
 
-this option prevents output of the encoded version of the key.
+This option prevents output of the encoded version of the key.
 
 =item B<-modulus>
 
-this option prints out the value of the modulus of the key.
+This option prints out the value of the modulus of the key.
 
 =item B<-check>
 
-this option checks the consistency of an RSA private key.
+This option checks the consistency of an RSA private key.
 
 =item B<-pubin>
 
-by default a private key is read from the input file: with this
+By default a private key is read from the input file: with this
 option a public key is read instead.
 
 =item B<-pubout>
 
-by default a private key is output: with this option a public
+By default a private key is output: with this option a public
 key will be output instead. This option is automatically set if
 the input is a public key.
 
 =item B<-RSAPublicKey_in>, B<-RSAPublicKey_out>
 
-like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
+Like B<-pubin> and B<-pubout> except B<RSAPublicKey> format is used instead.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<rsa>
+Specifying an engine (by its unique B<id> string) will cause B<rsa>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
diff --git a/doc/man1/rsautl.pod b/doc/man1/rsautl.pod
index 038f00b..8883c7b 100644
--- a/doc/man1/rsautl.pod
+++ b/doc/man1/rsautl.pod
@@ -44,56 +44,56 @@ if this option is not specified.
 
 =item B<-out filename>
 
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
 default.
 
 =item B<-inkey file>
 
-the input key file, by default it should be an RSA private key.
+The input key file, by default it should be an RSA private key.
 
 =item B<-keyform PEM|DER|ENGINE>
 
-the key format PEM, DER or ENGINE.
+The key format PEM, DER or ENGINE.
 
 =item B<-pubin>
 
-the input file is an RSA public key.
+The input file is an RSA public key.
 
 =item B<-certin>
 
-the input is a certificate containing an RSA public key.
+The input is a certificate containing an RSA public key.
 
 =item B<-sign>
 
-sign the input data and output the signed result. This requires
+Sign the input data and output the signed result. This requires
 an RSA private key.
 
 =item B<-verify>
 
-verify the input data and output the recovered data.
+Verify the input data and output the recovered data.
 
 =item B<-encrypt>
 
-encrypt the input data using an RSA public key.
+Encrypt the input data using an RSA public key.
 
 =item B<-decrypt>
 
-decrypt the input data using an RSA private key.
+Decrypt the input data using an RSA private key.
 
 =item B<-pkcs, -oaep, -ssl, -raw>
 
-the padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
 special padding used in SSL v2 backwards compatible handshakes,
 or no padding, respectively.
 For signatures, only B<-pkcs> and B<-raw> can be used.
 
 =item B<-hexdump>
 
-hex dump the output data.
+Hex dump the output data.
 
 =item B<-asn1parse>
 
-asn1parse the output data, this is useful when combined with the
+Parse the ASN.1 output data, this is useful when combined with the
 B<-verify> option.
 
 =back
@@ -194,7 +194,7 @@ L<dgst(1)>, L<rsa(1)>, L<genrsa(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 24ef1e4..e9794c4 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -194,7 +194,7 @@ abort the handshake with a fatal error.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
@@ -287,17 +287,17 @@ L<verify(1)> manual page for details.
 
 =item B<-reconnect>
 
-reconnects to the same server 5 times using the same session ID, this can
+Reconnects to the same server 5 times using the same session ID, this can
 be used as a test that session caching is working.
 
 =item B<-showcerts>
 
-display the whole server certificate chain: normally only the server
+Display the whole server certificate chain: normally only the server
 certificate itself is displayed.
 
 =item B<-prexit>
 
-print session information when the program exits. This will always attempt
+Print session information when the program exits. This will always attempt
 to print out information even if the connection fails. Normally information
 will only be printed out once if the connection succeeds. This option is useful
 because the cipher in use may be renegotiated or the connection may fail
@@ -308,51 +308,51 @@ established.
 
 =item B<-state>
 
-prints out the SSL session states.
+Prints out the SSL session states.
 
 =item B<-debug>
 
-print extensive debugging information including a hex dump of all traffic.
+Print extensive debugging information including a hex dump of all traffic.
 
 =item B<-msg>
 
-show all protocol messages with hex dump.
+Show all protocol messages with hex dump.
 
 =item B<-trace>
 
-show verbose trace output of protocol messages. OpenSSL needs to be compiled
+Show verbose trace output of protocol messages. OpenSSL needs to be compiled
 with B<enable-ssl-trace> for this option to work.
 
 =item B<-msgfile>
 
-file to send output of B<-msg> or B<-trace> to, default standard output.
+File to send output of B<-msg> or B<-trace> to, default standard output.
 
 =item B<-nbio_test>
 
-tests non-blocking I/O
+Tests non-blocking I/O
 
 =item B<-nbio>
 
-turns on non-blocking I/O
+Turns on non-blocking I/O
 
 =item B<-crlf>
 
-this option translated a line feed from the terminal into CR+LF as required
+This option translated a line feed from the terminal into CR+LF as required
 by some servers.
 
 =item B<-ign_eof>
 
-inhibit shutting down the connection when end of file is reached in the
+Inhibit shutting down the connection when end of file is reached in the
 input.
 
 =item B<-quiet>
 
-inhibit printing of session and certificate information.  This implicitly
+Inhibit printing of session and certificate information.  This implicitly
 turns on B<-ign_eof> as well.
 
 =item B<-no_ign_eof>
 
-shut down the connection when end of file is reached in the input.
+Shut down the connection when end of file is reached in the input.
 Can be used to override the implicit B<-ign_eof> after B<-quiet>.
 
 =item B<-psk_identity identity>
@@ -386,7 +386,7 @@ Send TLS_FALLBACK_SCSV in the ClientHello.
 
 =item B<-async>
 
-switch on asynchronous mode. Cryptographic operations will be performed
+Switch on asynchronous mode. Cryptographic operations will be performed
 asynchronously. This will only have an effect if an asynchronous capable engine
 is also used via the B<-engine> option. For test purposes the dummy async engine
 (dasync) can be used (if available).
@@ -396,7 +396,7 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
 The size used to split data for encrypt pipelines. If more data is written in
 one go than this value then it will be split into multiple pipelines, up to the
 maximum number of pipelines defined by max_pipelines. This only has an effect if
-a suitable ciphersuite has been negotiated, an engine that supports pipelining
+a suitable cipher suite has been negotiated, an engine that supports pipelining
 has been loaded, and max_pipelines is greater than 1. See
 L<SSL_CTX_set_split_send_fragment(3)> for further information.
 
@@ -404,7 +404,7 @@ L<SSL_CTX_set_split_send_fragment(3)> for further information.
 
 The maximum number of encrypt/decrypt pipelines to be used. This will only have
 an effect if an engine has been loaded that supports pipelining (e.g. the dasync
-engine) and a suitable ciphersuite has been negotiated. The default value is 1.
+engine) and a suitable cipher suite has been negotiated. The default value is 1.
 See L<SSL_CTX_set_max_pipelines(3)> for further information.
 
 =item B<-read_buf int>
@@ -416,7 +416,7 @@ further information).
 
 =item B<-bugs>
 
-there are several known bug in SSL and TLS implementations. Adding this
+There are several known bug in SSL and TLS implementations. Adding this
 option enables various workarounds.
 
 =item B<-comp>
@@ -434,7 +434,7 @@ OpenSSL 1.1.0.
 
 =item B<-brief>
 
-only provide a brief summary of connection parameters instead of the
+Only provide a brief summary of connection parameters instead of the
 normal verbose output.
 
 =item B<-sigalgs sigalglist>
@@ -452,14 +452,14 @@ is ultimately selected by the server. For a list of all curves, use:
 
 =item B<-cipher cipherlist>
 
-this allows the cipher list sent by the client to be modified. Although
+This allows the cipher list sent by the client to be modified. Although
 the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client. See the B<ciphers>
 command for more information.
 
 =item B<-starttls protocol>
 
-send the protocol-specific message(s) to switch to TLS for communication.
+Send the protocol-specific message(s) to switch to TLS for communication.
 B<protocol> is a keyword for the intended protocol.  Currently, the only
 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
 "irc", "postgres", "lmtp", "nntp", "sieve" and "ldap".
@@ -473,31 +473,31 @@ will be used.
 
 =item B<-tlsextdebug>
 
-print out a hex dump of any TLS extensions received from the server.
+Print out a hex dump of any TLS extensions received from the server.
 
 =item B<-no_ticket>
 
-disable RFC4507bis session ticket support.
+Disable RFC4507bis session ticket support.
 
 =item B<-sess_out filename>
 
-output SSL session to B<filename>
+Output SSL session to B<filename>.
 
 =item B<-sess_in sess.pem>
 
-load SSL session from B<filename>. The client will attempt to resume a
+Load SSL session from B<filename>. The client will attempt to resume a
 connection from this session.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<s_client>
+Specifying an engine (by its unique B<id> string) will cause B<s_client>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -505,30 +505,28 @@ all others.
 
 =item B<-serverinfo types>
 
-a list of comma-separated TLS Extension Types (numbers between 0 and
+A list of comma-separated TLS Extension Types (numbers between 0 and
 65535).  Each type will be sent as an empty ClientHello TLS Extension.
 The server's response (if any) will be encoded and displayed as a PEM
 file.
 
 =item B<-status>
 
-sends a certificate status request to the server (OCSP stapling). The server
+Sends a certificate status request to the server (OCSP stapling). The server
 response (if any) is printed out.
 
 =item B<-alpn protocols>, B<-nextprotoneg protocols>
 
-these flags enable the 
-Enable the Application-Layer Protocol Negotiation or Next Protocol
-Negotiation extension, respectively. ALPN is the IETF standard and
-replaces NPN.
-The B<protocols> list is a
-comma-separated protocol names that the client should advertise
-support for. The list should contain most wanted protocols first.
-Protocol names are printable ASCII strings, for example "http/1.1" or
-"spdy/3".
-Empty list of protocols is treated specially and will cause the client to
-advertise support for the TLS extension but disconnect just after
-receiving ServerHello with a list of server supported protocols.
+These flags enable the Enable the Application-Layer Protocol Negotiation
+or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
+IETF standard and replaces NPN.
+The B<protocols> list is a comma-separated list of protocol names that
+the client should advertise support for. The list should contain the most
+desirable protocols first.  Protocol names are printable ASCII strings,
+for example "http/1.1" or "spdy/3".
+An empty list of protocols is treated specially and will cause the
+client to advertise support for the TLS extension but disconnect just
+after receiving ServerHello with a list of server supported protocols.
 
 =item B<-ct|noct>
 
@@ -629,7 +627,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/s_server.pod b/doc/man1/s_server.pod
index 6fe16f3..838ce2d 100644
--- a/doc/man1/s_server.pod
+++ b/doc/man1/s_server.pod
@@ -249,11 +249,11 @@ a certificate is requested.
 
 =item B<-no-CAfile>
 
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
 
 =item B<-no-CApath>
 
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
 
 =item B<-verify depth>, B<-Verify depth>
 
@@ -263,12 +263,12 @@ the client. With the B<-verify> option a certificate is requested but the
 client does not have to send one, with the B<-Verify> option the client
 must supply a certificate or an error occurs.
 
-If the ciphersuite cannot request a client certificate (for example an
-anonymous ciphersuite or PSK) this option has no effect.
+If the cipher suite cannot request a client certificate (for example an
+anonymous cipher suite or PSK) this option has no effect.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
@@ -313,11 +313,11 @@ File to send output of B<-msg> or B<-trace> to, default standard output.
 
 =item B<-nbio_test>
 
-Tests non blocking I/O
+Tests non blocking I/O.
 
 =item B<-nbio>
 
-Turns on non blocking I/O
+Turns on non blocking I/O.
 
 =item B<-crlf>
 
@@ -374,7 +374,7 @@ is also used via the B<-engine> option. For test purposes the dummy async engine
 The size used to split data for encrypt pipelines. If more data is written in
 one go than this value then it will be split into multiple pipelines, up to the
 maximum number of pipelines defined by max_pipelines. This only has an effect if
-a suitable ciphersuite has been negotiated, an engine that supports pipelining
+a suitable cipher suite has been negotiated, an engine that supports pipelining
 has been loaded, and max_pipelines is greater than 1. See
 L<SSL_CTX_set_split_send_fragment(3)> for further information.
 
@@ -382,7 +382,7 @@ L<SSL_CTX_set_split_send_fragment(3)> for further information.
 
 The maximum number of encrypt/decrypt pipelines to be used. This will only have
 an effect if an engine has been loaded that supports pipelining (e.g. the dasync
-engine) and a suitable ciphersuite has been negotiated. The default value is 1.
+engine) and a suitable cipher suite has been negotiated. The default value is 1.
 See L<SSL_CTX_set_max_pipelines(3)> for further information.
 
 =item B<-read_buf int>
@@ -418,7 +418,7 @@ output.
 =item B<-client_sigalgs sigalglist>
 
 Signature algorithms to support for client certificate authentication
-(colon-separated list)
+(colon-separated list).
 
 =item B<-named_curve curve>
 
@@ -533,13 +533,11 @@ OCSP Response stored in the file. The file must be in DER format.
 
 =item B<-alpn protocols>, B<-nextprotoneg protocols>
 
-these flags enable the 
-Enable the Application-Layer Protocol Negotiation or Next Protocol
-Negotiation extension, respectively. ALPN is the IETF standard and
-replaces NPN.
-The B<protocols> list is a
-comma-separated list of supported protocol names.
-The list should contain most wanted protocols first.
+These flags enable the Enable the Application-Layer Protocol Negotiation
+or Next Protocol Negotiation (NPN) extension, respectively. ALPN is the
+IETF standard and replaces NPN.
+The B<protocols> list is a comma-separated list of supported protocol
+names.  The list should contain the most desirable protocols first.
 Protocol names are printable ASCII strings, for example "http/1.1" or
 "spdy/3".
 
@@ -574,28 +572,28 @@ operations: these are listed below.
 
 =item B<q>
 
-end the current SSL connection but still accept new connections.
+End the current SSL connection but still accept new connections.
 
 =item B<Q>
 
-end the current SSL connection and exit.
+End the current SSL connection and exit.
 
 =item B<r>
 
-renegotiate the SSL session.
+Renegotiate the SSL session.
 
 =item B<R>
 
-renegotiate the SSL session and request a client certificate.
+Renegotiate the SSL session and request a client certificate.
 
 =item B<P>
 
-send some plain text down the underlying TCP connection: this should
+Send some plain text down the underlying TCP connection: this should
 cause the client to disconnect due to a protocol violation.
 
 =item B<S>
 
-print out some session cache status information.
+Print out some session cache status information.
 
 =back
 
@@ -642,7 +640,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/s_time.pod b/doc/man1/s_time.pod
index 9d5dbc3..8661a00 100644
--- a/doc/man1/s_time.pod
+++ b/doc/man1/s_time.pod
@@ -73,7 +73,7 @@ will never fail due to a server certificate verify failure.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
@@ -99,23 +99,23 @@ Do not load the trusted CA certificates from the default directory location
 
 =item B<-new>
 
-performs the timing test using a new session ID for each connection.
+Performs the timing test using a new session ID for each connection.
 If neither B<-new> nor B<-reuse> are specified, they are both on by default
 and executed in sequence.
 
 =item B<-reuse>
 
-performs the timing test using the same session ID; this can be used as a test
+Performs the timing test using the same session ID; this can be used as a test
 that session caching is working. If neither B<-new> nor B<-reuse> are
 specified, they are both on by default and executed in sequence.
 
 =item B<-nbio>
 
-turns on non-blocking I/O.
+Turns on non-blocking I/O.
 
 =item B<-ssl3>
 
-these options disable the use of certain SSL or TLS protocols. By default
+These options disable the use of certain SSL or TLS protocols. By default
 the initial handshake uses a method which should be compatible with all
 servers and permit them to use SSL v3 or TLS as appropriate.
 The timing program is not as rich in options to turn protocols on and off as
@@ -127,19 +127,19 @@ work if TLS is turned off with the B<-ssl3> option.
 
 =item B<-bugs>
 
-there are several known bug in SSL and TLS implementations. Adding this
+There are several known bug in SSL and TLS implementations. Adding this
 option enables various workarounds.
 
 =item B<-cipher cipherlist>
 
-this allows the cipher list sent by the client to be modified. Although
+This allows the cipher list sent by the client to be modified. Although
 the server determines which cipher suite is used it should take the first
 supported cipher in the list sent by the client.
 See the L<ciphers(1)> command for more information.
 
 =item B<-time length>
 
-specifies how long (in seconds) B<s_time> should establish connections and
+Specifies how long (in seconds) B<s_time> should establish connections and
 optionally transfer payload data from a server. Server and client performance
 and the link speed determine how many connections B<s_time> can establish.
 
@@ -192,7 +192,7 @@ L<s_client(1)>, L<s_server(1)>, L<ciphers(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/sess_id.pod b/doc/man1/sess_id.pod
index 19ac9a7..5084b3f 100644
--- a/doc/man1/sess_id.pod
+++ b/doc/man1/sess_id.pod
@@ -57,21 +57,21 @@ output if this option is not specified.
 
 =item B<-text>
 
-prints out the various public or private key components in
+Prints out the various public or private key components in
 plain text in addition to the encoded version.
 
 =item B<-cert>
 
-if a certificate is present in the session it will be output using this option,
+If a certificate is present in the session it will be output using this option,
 if the B<-text> option is also present then it will be printed out in text form.
 
 =item B<-noout>
 
-this option prevents output of the encoded version of the session.
+This option prevents output of the encoded version of the session.
 
 =item B<-context ID>
 
-this option can set the session id so the output session information uses the
+This option can set the session id so the output session information uses the
 supplied ID. The ID can be any string of characters. This option won't normally
 be used.
 
@@ -98,36 +98,37 @@ Theses are described below in more detail.
 
 =item B<Protocol>
 
-this is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
+This is the protocol in use TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
 
 =item B<Cipher>
 
-the cipher used this is the actual raw SSL or TLS cipher code, see the SSL
+The cipher used this is the actual raw SSL or TLS cipher code, see the SSL
 or TLS specifications for more information.
 
 =item B<Session-ID>
 
-the SSL session ID in hex format.
+The SSL session ID in hex format.
 
 =item B<Session-ID-ctx>
 
-the session ID context in hex format.
+The session ID context in hex format.
 
 =item B<Master-Key>
 
-this is the SSL session master key.
+This is the SSL session master key.
 
 =item B<Start Time>
 
-this is the session start time represented as an integer in standard Unix format.
+This is the session start time represented as an integer in standard
+Unix format.
 
 =item B<Timeout>
 
-the timeout in seconds.
+The timeout in seconds.
 
 =item B<Verify return code>
 
-this is the return code when an SSL client certificate is verified.
+This is the return code when an SSL client certificate is verified.
 
 =back
 
@@ -138,10 +139,11 @@ The PEM encoded session format uses the header and footer lines:
  -----BEGIN SSL SESSION PARAMETERS-----
  -----END SSL SESSION PARAMETERS-----
 
-Since the SSL session output contains the master key it is possible to read the contents
-of an encrypted session using this information. Therefore appropriate security precautions
-should be taken if the information is being output by a "real" application. This is
-however strongly discouraged and should only be used for debugging purposes.
+Since the SSL session output contains the master key it is
+possible to read the contents of an encrypted session using this
+information. Therefore appropriate security precautions should be taken if
+the information is being output by a "real" application. This is however
+strongly discouraged and should only be used for debugging purposes.
 
 =head1 BUGS
 
@@ -153,7 +155,7 @@ L<ciphers(1)>, L<s_server(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/smime.pod b/doc/man1/smime.pod
index 7980e35..7cae26f 100644
--- a/doc/man1/smime.pod
+++ b/doc/man1/smime.pod
@@ -87,7 +87,7 @@ Print out a usage message.
 
 =item B<-encrypt>
 
-encrypt mail for the given recipient certificates. Input file is the message
+Encrypt mail for the given recipient certificates. Input file is the message
 to be encrypted. The output file is the encrypted mail in MIME format.
 
 Note that no revocation check is done for the recipient cert, so if that
@@ -95,37 +95,37 @@ key has been compromised, others may be able to decrypt the text.
 
 =item B<-decrypt>
 
-decrypt mail using the supplied certificate and private key. Expects an
+Decrypt mail using the supplied certificate and private key. Expects an
 encrypted mail message in MIME format for the input file. The decrypted mail
 is written to the output file.
 
 =item B<-sign>
 
-sign mail using the supplied certificate and private key. Input file is
+Sign mail using the supplied certificate and private key. Input file is
 the message to be signed. The signed message in MIME format is written
 to the output file.
 
 =item B<-verify>
 
-verify signed mail. Expects a signed mail message on input and outputs
+Verify signed mail. Expects a signed mail message on input and outputs
 the signed data. Both clear text and opaque signing is supported.
 
 =item B<-pk7out>
 
-takes an input message and writes out a PEM encoded PKCS#7 structure.
+Takes an input message and writes out a PEM encoded PKCS#7 structure.
 
 =item B<-resign>
 
-resign a message: take an existing message and one or more new signers.
+Resign a message: take an existing message and one or more new signers.
 
 =item B<-in filename>
 
-the input message to be encrypted or signed or the MIME message to
+The input message to be encrypted or signed or the MIME message to
 be decrypted or verified.
 
 =item B<-inform SMIME|PEM|DER>
 
-this specifies the input format for the PKCS#7 structure. The default
+This specifies the input format for the PKCS#7 structure. The default
 is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
 format change this to expect PEM and DER format PKCS#7 structures
 instead. This currently only affects the input format of the PKCS#7
@@ -134,12 +134,12 @@ B<-encrypt> or B<-sign>) this option has no effect.
 
 =item B<-out filename>
 
-the message text that has been decrypted or verified or the output MIME
+The message text that has been decrypted or verified or the output MIME
 format message that has been signed or verified.
 
 =item B<-outform SMIME|PEM|DER>
 
-this specifies the output format for the PKCS#7 structure. The default
+This specifies the output format for the PKCS#7 structure. The default
 is B<SMIME> which write an S/MIME format message. B<PEM> and B<DER>
 format change this to write PEM and DER format PKCS#7 structures
 instead. This currently only affects the output format of the PKCS#7
@@ -148,7 +148,7 @@ B<-verify> or B<-decrypt>) this option has no effect.
 
 =item B<-stream -indef -noindef>
 
-the B<-stream> and B<-indef> options are equivalent and enable streaming I/O
+The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
 for encoding operations. This permits single pass processing of data without
 the need to hold the entire contents in memory, potentially supporting very
 large files. Streaming is automatically set for S/MIME signing with detached
@@ -157,7 +157,7 @@ other operations.
 
 =item B<-noindef>
 
-disable streaming I/O where it would produce and indefinite length constructed
+Disable streaming I/O where it would produce and indefinite length constructed
 encoding. This option currently has no effect. In future streaming will be
 enabled by default on all relevant operations and this option will disable it.
 
@@ -171,38 +171,38 @@ is S/MIME and it uses the multipart/signed MIME content type.
 
 =item B<-text>
 
-this option adds plain text (text/plain) MIME headers to the supplied
+This option adds plain text (text/plain) MIME headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
 off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
 
 =item B<-CAfile file>
 
-a file containing trusted CA certificates, only used with B<-verify>.
+A file containing trusted CA certificates, only used with B<-verify>.
 
 =item B<-CApath dir>
 
-a directory containing trusted CA certificates, only used with
+A directory containing trusted CA certificates, only used with
 B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 
 =item B<-no-CAfile>
 
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
 
 =item B<-no-CApath>
 
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
 
 =item B<-md digest>
 
-digest algorithm to use when signing or resigning. If not present then the
+Digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually SHA1).
 
 =item B<-[cipher]>
 
-the encryption algorithm to use. For example DES  (56 bits) - B<-des>,
+The encryption algorithm to use. For example DES  (56 bits) - B<-des>,
 triple DES (168 bits) - B<-des3>,
 EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
@@ -212,77 +212,77 @@ If not specified triple DES is used. Only used with B<-encrypt>.
 
 =item B<-nointern>
 
-when verifying a message normally certificates (if any) included in
+When verifying a message normally certificates (if any) included in
 the message are searched for the signing certificate. With this option
 only the certificates specified in the B<-certfile> option are used.
 The supplied certificates can still be used as untrusted CAs however.
 
 =item B<-noverify>
 
-do not verify the signers certificate of a signed message.
+Do not verify the signers certificate of a signed message.
 
 =item B<-nochain>
 
-do not do chain verification of signers certificates: that is don't
+Do not do chain verification of signers certificates: that is don't
 use the certificates in the signed message as untrusted CAs.
 
 =item B<-nosigs>
 
-don't try to verify the signatures on the message.
+Don't try to verify the signatures on the message.
 
 =item B<-nocerts>
 
-when signing a message the signer's certificate is normally included
+When signing a message the signer's certificate is normally included
 with this option it is excluded. This will reduce the size of the
 signed message but the verifier must have a copy of the signers certificate
 available locally (passed using the B<-certfile> option for example).
 
 =item B<-noattr>
 
-normally when a message is signed a set of attributes are included which
+Normally when a message is signed a set of attributes are included which
 include the signing time and supported symmetric algorithms. With this
 option they are not included.
 
 =item B<-binary>
 
-normally the input message is converted to "canonical" format which is
+Normally the input message is converted to "canonical" format which is
 effectively using CR and LF as end of line: as required by the S/MIME
 specification. When this option is present no translation occurs. This
 is useful when handling binary data which may not be in MIME format.
 
 =item B<-crlfeol>
 
-normally the output file uses a single B<LF> as end of line. When this
+Normally the output file uses a single B<LF> as end of line. When this
 option is present B<CRLF> is used instead.
 
 =item B<-nodetach>
 
-when signing a message use opaque signing: this form is more resistant
+When signing a message use opaque signing: this form is more resistant
 to translation by mail relays but it cannot be read by mail agents that
 do not support S/MIME.  Without this option cleartext signing with
 the MIME type multipart/signed is used.
 
 =item B<-certfile file>
 
-allows additional certificates to be specified. When signing these will
+Allows additional certificates to be specified. When signing these will
 be included with the message. When verifying these will be searched for
 the signers certificates. The certificates should be in PEM format.
 
 =item B<-signer file>
 
-a signing certificate when signing or resigning a message, this option can be
+A signing certificate when signing or resigning a message, this option can be
 used multiple times if more than one signer is required. If a message is being
 verified then the signers certificates will be written to this file if the
 verification was successful.
 
 =item B<-recip file>
 
-the recipients certificate when decrypting a message. This certificate
+The recipients certificate when decrypting a message. This certificate
 must match one of the recipients of the message or an error occurs.
 
 =item B<-inkey file>
 
-the private key to use when signing or decrypting. This must match the
+The private key to use when signing or decrypting. This must match the
 corresponding certificate. If this option is not specified then the
 private key must be included in the certificate file specified with
 the B<-recip> or B<-signer> file. When signing this option can be used
@@ -290,12 +290,12 @@ multiple times to specify successive keys.
 
 =item B<-passin arg>
 
-the private key password source. For more information about the format of B<arg>
+The private key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-rand file(s)>
 
-a file or files containing random data used to seed the random number
+A file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
@@ -303,12 +303,12 @@ all others.
 
 =item B<cert.pem...>
 
-one or more certificates of message recipients: used when encrypting
+One or more certificates of message recipients: used when encrypting
 a message.
 
 =item B<-to, -from, -subject>
 
-the relevant mail headers. These are included outside the signed
+The relevant mail headers. These are included outside the signed
 portion of a message so they may be included manually. If signing
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
@@ -370,28 +370,28 @@ remains DER.
 
 =item Z<>0
 
-the operation was completely successfully.
+The operation was completely successfully.
 
 =item Z<>1
 
-an error occurred parsing the command options.
+An error occurred parsing the command options.
 
 =item Z<>2
 
-one of the input files could not be read.
+One of the input files could not be read.
 
 =item Z<>3
 
-an error occurred creating the PKCS#7 file or when reading the MIME
+An error occurred creating the PKCS#7 file or when reading the MIME
 message.
 
 =item Z<>4
 
-an error occurred decrypting or verifying the message.
+An error occurred decrypting or verifying the message.
 
 =item Z<>5
 
-the message was verified correctly but an error occurred writing out
+The message was verified correctly but an error occurred writing out
 the signers certificates.
 
 =back
@@ -505,7 +505,7 @@ The -no_alt_chains options was first added to OpenSSL 1.1.0.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/speed.pod b/doc/man1/speed.pod
index ad81bfb..b0d4daa 100644
--- a/doc/man1/speed.pod
+++ b/doc/man1/speed.pod
@@ -30,7 +30,7 @@ Print out a usage message.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<speed>
+Specifying an engine (by its unique B<id> string) will cause B<speed>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -57,7 +57,7 @@ the above are tested.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/spkac.pod b/doc/man1/spkac.pod
index 8955bc4..d4b896a 100644
--- a/doc/man1/spkac.pod
+++ b/doc/man1/spkac.pod
@@ -41,52 +41,52 @@ option is not specified. Ignored if the B<-key> option is used.
 
 =item B<-out filename>
 
-specifies the output filename to write to or standard output by
+Specifies the output filename to write to or standard output by
 default.
 
 =item B<-key keyfile>
 
-create an SPKAC file using the private key in B<keyfile>. The
+Create an SPKAC file using the private key in B<keyfile>. The
 B<-in>, B<-noout>, B<-spksect> and B<-verify> options are ignored if
 present.
 
 =item B<-passin password>
 
-the input file password source. For more information about the format of B<arg>
+The input file password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-challenge string>
 
-specifies the challenge string if an SPKAC is being created.
+Specifies the challenge string if an SPKAC is being created.
 
 =item B<-spkac spkacname>
 
-allows an alternative name form the variable containing the
+Allows an alternative name form the variable containing the
 SPKAC. The default is "SPKAC". This option affects both
 generated and input SPKAC files.
 
 =item B<-spksect section>
 
-allows an alternative name form the section containing the
+Allows an alternative name form the section containing the
 SPKAC. The default is the default section.
 
 =item B<-noout>
 
-don't output the text version of the SPKAC (not used if an
+Don't output the text version of the SPKAC (not used if an
 SPKAC is being created).
 
 =item B<-pubkey>
 
-output the public key of an SPKAC (not used if an SPKAC is
+Output the public key of an SPKAC (not used if an SPKAC is
 being created).
 
 =item B<-verify>
 
-verifies the digital signature on the supplied SPKAC.
+Verifies the digital signature on the supplied SPKAC.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<spkac>
+Specifying an engine (by its unique B<id> string) will cause B<spkac>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -137,7 +137,7 @@ L<ca(1)>
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
index d807394..5b2e639 100644
--- a/doc/man1/ts.pod
+++ b/doc/man1/ts.pod
@@ -187,7 +187,6 @@ response. (Optional)
 This option specifies a previously created time stamp request in DER
 format that will be printed into the output file. Useful when you need
 to examine the content of a request in human-readable
-
 format. (Optional)
 
 =item B<-out> request.tsq
@@ -640,7 +639,7 @@ L<config(5)>
 
 =head1 COPYRIGHT
 
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/verify.pod b/doc/man1/verify.pod
index 36050ec..6db7cd8 100644
--- a/doc/man1/verify.pod
+++ b/doc/man1/verify.pod
@@ -79,15 +79,15 @@ create symbolic links to a directory of certificates.
 
 =item B<-no-CAfile>
 
-Do not load the trusted CA certificates from the default file location
+Do not load the trusted CA certificates from the default file location.
 
 =item B<-no-CApath>
 
-Do not load the trusted CA certificates from the default directory location
+Do not load the trusted CA certificates from the default directory location.
 
 =item B<-allow_proxy_certs>
 
-Allow the verification of proxy certificates
+Allow the verification of proxy certificates.
 
 =item B<-attime timestamp>
 
@@ -154,7 +154,7 @@ Set policy variable inhibit-policy-mapping (see RFC5280).
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the L<x509(1)> manual page for details.
@@ -195,7 +195,7 @@ information.
 
 =item B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>
 
-enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
+Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
 192 bit, or only 192 bit Level of Security respectively.
 See RFC6460 for details. In particular the supported signature algorithms are
 reduced to support only ECDSA and SHA256 or SHA384 and only the elliptic curves
@@ -427,14 +427,15 @@ The CRL of a certificate could not be found.
 
 =item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE>
 
-The certificate signature could not be decrypted. This means that the actual signature value
-could not be determined rather than it not matching the expected value, this is only
-meaningful for RSA keys.
+The certificate signature could not be decrypted. This means that the
+actual signature value could not be determined rather than it not matching
+the expected value, this is only meaningful for RSA keys.
 
 =item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE>
 
-The CRL signature could not be decrypted: this means that the actual signature value
-could not be determined rather than it not matching the expected value. Unused.
+The CRL signature could not be decrypted: this means that the actual
+signature value could not be determined rather than it not matching the
+expected value. Unused.
 
 =item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY>
 
@@ -450,11 +451,13 @@ The signature of the certificate is invalid.
 
 =item B<X509_V_ERR_CERT_NOT_YET_VALID>
 
-The certificate is not yet valid: the notBefore date is after the current time.
+The certificate is not yet valid: the notBefore date is after the
+current time.
 
 =item B<X509_V_ERR_CERT_HAS_EXPIRED>
 
-The certificate has expired: that is the notAfter date is before the current time.
+The certificate has expired: that is the notAfter date is before the
+current time.
 
 =item B<X509_V_ERR_CRL_NOT_YET_VALID>
 
@@ -486,13 +489,13 @@ An error occurred trying to allocate memory. This should never happen.
 
 =item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT>
 
-The passed certificate is self-signed and the same certificate cannot be found in the list of
-trusted certificates.
+The passed certificate is self-signed and the same certificate cannot
+be found in the list of trusted certificates.
 
 =item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN>
 
-The certificate chain could be built up using the untrusted certificates but the root could not
-be found locally.
+The certificate chain could be built up using the untrusted certificates
+but the root could not be found locally.
 
 =item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY>
 
@@ -501,12 +504,13 @@ certificate of an untrusted certificate cannot be found.
 
 =item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE>
 
-No signatures could be verified because the chain contains only one certificate and it is not
-self signed.
+No signatures could be verified because the chain contains only one
+certificate and it is not self signed.
 
 =item B<X509_V_ERR_CERT_CHAIN_TOO_LONG>
 
-The certificate chain length is greater than the supplied maximum depth. Unused.
+The certificate chain length is greater than the supplied maximum
+depth. Unused.
 
 =item B<X509_V_ERR_CERT_REVOKED>
 
@@ -514,8 +518,8 @@ The certificate has been revoked.
 
 =item B<X509_V_ERR_INVALID_CA>
 
-A CA certificate is invalid. Either it is not a CA or its extensions are not consistent
-with the supplied purpose.
+A CA certificate is invalid. Either it is not a CA or its extensions
+are not consistent with the supplied purpose.
 
 =item B<X509_V_ERR_PATH_LENGTH_EXCEEDED>
 
@@ -527,7 +531,7 @@ The supplied certificate cannot be used for the specified purpose.
 
 =item B<X509_V_ERR_CERT_UNTRUSTED>
 
-the root CA is not marked as trusted for the specified purpose.
+The root CA is not marked as trusted for the specified purpose.
 
 =item B<X509_V_ERR_CERT_REJECTED>
 
@@ -535,7 +539,7 @@ The root CA is marked to reject the specified purpose.
 
 =item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH>
 
-not used as of OpenSSL 1.1.0 as a result of the deprecation of the
+Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
 B<-issuer_checks> option.
 
 =item B<X509_V_ERR_AKID_SKID_MISMATCH>
@@ -696,14 +700,15 @@ This error is only possible in L<s_client(1)>.
 
 =head1 BUGS
 
-Although the issuer checks are a considerable improvement over the old technique they still
-suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
-trusted certificates with matching subject name must either appear in a file (as specified by the
-B<-CAfile> option) or a directory (as specified by B<-CApath>). If they occur in both then only
-the certificates in the file will be recognised.
+Although the issuer checks are a considerable improvement over the old
+technique they still suffer from limitations in the underlying X509_LOOKUP
+API. One consequence of this is that trusted certificates with matching
+subject name must either appear in a file (as specified by the B<-CAfile>
+option) or a directory (as specified by B<-CApath>). If they occur in
+both then only the certificates in the file will be recognised.
 
-Previous versions of OpenSSL assume certificates with matching subject name are identical and
-mishandled them.
+Previous versions of OpenSSL assume certificates with matching subject
+name are identical and mishandled them.
 
 Previous versions of this documentation swapped the meaning of the
 B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
@@ -722,7 +727,7 @@ is silently ignored.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/version.pod b/doc/man1/version.pod
index a97ed20..c14311b 100644
--- a/doc/man1/version.pod
+++ b/doc/man1/version.pod
@@ -31,27 +31,27 @@ Print out a usage message.
 
 =item B<-a>
 
-all information, this is the same as setting all the other flags.
+All information, this is the same as setting all the other flags.
 
 =item B<-v>
 
-the current OpenSSL version.
+The current OpenSSL version.
 
 =item B<-b>
 
-the date the current version of OpenSSL was built.
+The date the current version of OpenSSL was built.
 
 =item B<-o>
 
-option information: various options set when the library was built.
+Option information: various options set when the library was built.
 
 =item B<-f>
 
-compilation flags.
+Compilation flags.
 
 =item B<-p>
 
-platform setting.
+Platform setting.
 
 =item B<-d>
 
@@ -70,7 +70,7 @@ in a bug report.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
index cddfc8c..fccfd6c 100644
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
@@ -107,7 +107,7 @@ default.
 
 =item B<-[digest]>
 
-the digest to use.
+The digest to use.
 This affects any signing or display option that uses a message
 digest, such as the B<-fingerprint>, B<-signkey> and B<-CA> options.
 Any digest supported by the OpenSSL B<dgst> command can be used.
@@ -116,7 +116,7 @@ the default digest for the signing algorithm is used, typically SHA256.
 
 =item B<-engine id>
 
-specifying an engine (by its unique B<id> string) will cause B<x509>
+Specifying an engine (by its unique B<id> string) will cause B<x509>
 to attempt to obtain a functional reference to the specified engine,
 thus initialising it if needed. The engine will then be set as the default
 for all available algorithms.
@@ -132,110 +132,110 @@ but are described in the B<TRUST SETTINGS> section.
 
 =item B<-text>
 
-prints out the certificate in text form. Full details are output including the
+Prints out the certificate in text form. Full details are output including the
 public key, signature algorithms, issuer and subject names, serial number
 any extensions present and any trust settings.
 
 =item B<-certopt option>
 
-customise the output format used with B<-text>. The B<option> argument can be
-a single option or multiple options separated by commas. The B<-certopt> switch
-may be also be used more than once to set multiple options. See the B<TEXT OPTIONS>
-section for more information.
+Customise the output format used with B<-text>. The B<option> argument
+can be a single option or multiple options separated by commas. The
+B<-certopt> switch may be also be used more than once to set multiple
+options. See the B<TEXT OPTIONS> section for more information.
 
 =item B<-noout>
 
-this option prevents output of the encoded version of the request.
+This option prevents output of the encoded version of the request.
 
 =item B<-pubkey>
 
-outputs the certificate's SubjectPublicKeyInfo block in PEM format.
+Outputs the certificate's SubjectPublicKeyInfo block in PEM format.
 
 =item B<-modulus>
 
-this option prints out the value of the modulus of the public key
+This option prints out the value of the modulus of the public key
 contained in the certificate.
 
 =item B<-serial>
 
-outputs the certificate serial number.
+Outputs the certificate serial number.
 
 =item B<-subject_hash>
 
-outputs the "hash" of the certificate subject name. This is used in OpenSSL to
+Outputs the "hash" of the certificate subject name. This is used in OpenSSL to
 form an index to allow certificates in a directory to be looked up by subject
 name.
 
 =item B<-issuer_hash>
 
-outputs the "hash" of the certificate issuer name.
+Outputs the "hash" of the certificate issuer name.
 
 =item B<-ocspid>
 
-outputs the OCSP hash values for the subject name and public key.
+Outputs the OCSP hash values for the subject name and public key.
 
 =item B<-hash>
 
-synonym for "-subject_hash" for backward compatibility reasons.
+Synonym for "-subject_hash" for backward compatibility reasons.
 
 =item B<-subject_hash_old>
 
-outputs the "hash" of the certificate subject name using the older algorithm
+Outputs the "hash" of the certificate subject name using the older algorithm
 as used by OpenSSL versions before 1.0.0.
 
 =item B<-issuer_hash_old>
 
-outputs the "hash" of the certificate issuer name using the older algorithm
+Outputs the "hash" of the certificate issuer name using the older algorithm
 as used by OpenSSL versions before 1.0.0.
 
 =item B<-subject>
 
-outputs the subject name.
+Outputs the subject name.
 
 =item B<-issuer>
 
-outputs the issuer name.
+Outputs the issuer name.
 
 =item B<-nameopt option>
 
-option which determines how the subject or issuer names are displayed. The
+Option which determines how the subject or issuer names are displayed. The
 B<option> argument can be a single option or multiple options separated by
 commas.  Alternatively the B<-nameopt> switch may be used more than once to
 set multiple options. See the B<NAME OPTIONS> section for more information.
 
 =item B<-email>
 
-outputs the email address(es) if any.
+Outputs the email address(es) if any.
 
 =item B<-ocsp_uri>
 
-outputs the OCSP responder address(es) if any.
+Outputs the OCSP responder address(es) if any.
 
 =item B<-startdate>
 
-prints out the start date of the certificate, that is the notBefore date.
+Prints out the start date of the certificate, that is the notBefore date.
 
 =item B<-enddate>
 
-prints out the expiry date of the certificate, that is the notAfter date.
+Prints out the expiry date of the certificate, that is the notAfter date.
 
 =item B<-dates>
 
-prints out the start and expiry dates of a certificate.
+Prints out the start and expiry dates of a certificate.
 
 =item B<-checkend arg>
 
-checks if the certificate expires within the next B<arg> seconds and exits
+Checks if the certificate expires within the next B<arg> seconds and exits
 non-zero if yes it will expire or zero if not.
 
 =item B<-fingerprint>
 
-prints out the digest of the DER encoded version of the whole certificate
+Prints out the digest of the DER encoded version of the whole certificate
 (see digest options).
 
 =item B<-C>
 
-this outputs the certificate in the form of a C source file.
+This outputs the certificate in the form of a C source file.
 
 =back
 
@@ -265,7 +265,7 @@ certificate: not just root CAs.
 
 =item B<-trustout>
 
-this causes B<x509> to output a B<trusted> certificate. An ordinary
+This causes B<x509> to output a B<trusted> certificate. An ordinary
 or trusted certificate can be input but by default an ordinary
 certificate is output and any trust settings are discarded. With the
 B<-trustout> option a trusted certificate is output. A trusted
@@ -273,24 +273,24 @@ certificate is automatically output if any trust settings are modified.
 
 =item B<-setalias arg>
 
-sets the alias of the certificate. This will allow the certificate
+Sets the alias of the certificate. This will allow the certificate
 to be referred to using a nickname for example "Steve's Certificate".
 
 =item B<-alias>
 
-outputs the certificate alias, if any.
+Outputs the certificate alias, if any.
 
 =item B<-clrtrust>
 
-clears all the permitted or trusted uses of the certificate.
+Clears all the permitted or trusted uses of the certificate.
 
 =item B<-clrreject>
 
-clears all the prohibited or rejected uses of the certificate.
+Clears all the prohibited or rejected uses of the certificate.
 
 =item B<-addtrust arg>
 
-adds a trusted certificate use.
+Adds a trusted certificate use.
 Any object name can be used here but currently only B<clientAuth> (SSL client
 use), B<serverAuth> (SSL server use), B<emailProtection> (S/MIME email) and
 B<anyExtendedKeyUsage> are used.
@@ -300,12 +300,12 @@ Other OpenSSL applications may define additional uses.
 
 =item B<-addreject arg>
 
-adds a prohibited use. It accepts the same values as the B<-addtrust>
+Adds a prohibited use. It accepts the same values as the B<-addtrust>
 option.
 
 =item B<-purpose>
 
-this option performs tests on the certificate extensions and outputs
+This option performs tests on the certificate extensions and outputs
 the results. For a more complete description see the B<CERTIFICATE
 EXTENSIONS> section.
 
@@ -320,7 +320,7 @@ can thus behave like a "mini CA".
 
 =item B<-signkey filename>
 
-this option causes the input file to be self signed using the supplied
+This option causes the input file to be self signed using the supplied
 private key.
 
 If the input file is a certificate it sets the issuer name to the
@@ -337,39 +337,39 @@ the request.
 
 =item B<-passin arg>
 
-the key password source. For more information about the format of B<arg>
+The key password source. For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
 =item B<-clrext>
 
-delete any extensions from a certificate. This option is used when a
+Delete any extensions from a certificate. This option is used when a
 certificate is being created from another certificate (for example with
 the B<-signkey> or the B<-CA> options). Normally all extensions are
 retained.
 
 =item B<-keyform PEM|DER>
 
-specifies the format (DER or PEM) of the private key file used in the
+Specifies the format (DER or PEM) of the private key file used in the
 B<-signkey> option.
 
 =item B<-days arg>
 
-specifies the number of days to make a certificate valid for. The default
+Specifies the number of days to make a certificate valid for. The default
 is 30 days.
 
 =item B<-x509toreq>
 
-converts a certificate into a certificate request. The B<-signkey> option
+Converts a certificate into a certificate request. The B<-signkey> option
 is used to pass the required private key.
 
 =item B<-req>
 
-by default a certificate is expected on input. With this option a
+By default a certificate is expected on input. With this option a
 certificate request is expected instead.
 
 =item B<-set_serial n>
 
-specifies the serial number to use. This option can be used with either
+Specifies the serial number to use. This option can be used with either
 the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA>
 option the serial number file (as specified by the B<-CAserial> or
 B<-CAcreateserial> options) is not used.
@@ -378,7 +378,7 @@ The serial number can be decimal or hex (if preceded by B<0x>).
 
 =item B<-CA filename>
 
-specifies the CA certificate to be used for signing. When this option is
+Specifies the CA certificate to be used for signing. When this option is
 present B<x509> behaves like a "mini CA". The input file is signed by this
 CA using this option: that is its issuer name is set to the subject name
 of the CA and it is digitally signed using the CAs private key.
@@ -388,13 +388,13 @@ B<-req> option the input is a certificate which must be self signed.
 
 =item B<-CAkey filename>
 
-sets the CA private key to sign a certificate with. If this option is
+Sets the CA private key to sign a certificate with. If this option is
 not specified then it is assumed that the CA private key is present in
 the CA certificate file.
 
 =item B<-CAserial filename>
 
-sets the CA serial number file to use.
+Sets the CA serial number file to use.
 
 When the B<-CA> option is used to sign a certificate it uses a serial
 number specified in a file. This file consist of one line containing
@@ -407,7 +407,7 @@ The default filename consists of the CA certificate file base name with
 
 =item B<-CAcreateserial>
 
-with this option the CA serial number file is created if it does not exist:
+With this option the CA serial number file is created if it does not exist:
 it will contain the serial number "02" and the certificate being signed will
 have the 1 as its serial number. If the B<-CA> option is specified
 and the serial number file does not exist a random number is generated;
@@ -415,12 +415,12 @@ this is the recommended practice.
 
 =item B<-extfile filename>
 
-file containing certificate extensions to use. If not specified then
+File containing certificate extensions to use. If not specified then
 no extensions are added to the certificate.
 
 =item B<-extensions section>
 
-the section to add certificate extensions from. If this option is not
+The section to add certificate extensions from. If this option is not
 specified then the extensions should either be contained in the unnamed
 (default) section or the default section should contain a variable called
 "extensions" which contains the section to use. See the
@@ -429,7 +429,7 @@ extension section format.
 
 =item B<-force_pubkey key>
 
-when a certificate is created set its public key to B<key> instead of the
+When a certificate is created set its public key to B<key> instead of the
 key in the certificate or certificate request. This option is useful for
 creating certificates where the algorithm can't normally sign requests, for
 example DH.
@@ -450,57 +450,57 @@ a B<-> to turn the option off. Only the first four will normally be used.
 
 =item B<compat>
 
-use the old format.
+Use the old format.
 
 =item B<RFC2253>
 
-displays names compatible with RFC2253 equivalent to B<esc_2253>, B<esc_ctrl>,
+Displays names compatible with RFC2253 equivalent to B<esc_2253>, B<esc_ctrl>,
 B<esc_msb>, B<utf8>, B<dump_nostr>, B<dump_unknown>, B<dump_der>,
 B<sep_comma_plus>, B<dn_rev> and B<sname>.
 
 =item B<oneline>
 
-a oneline format which is more readable than RFC2253. It is equivalent to
+A oneline format which is more readable than RFC2253. It is equivalent to
 specifying the  B<esc_2253>, B<esc_ctrl>, B<esc_msb>, B<utf8>, B<dump_nostr>,
 B<dump_der>, B<use_quote>, B<sep_comma_plus_space>, B<space_eq> and B<sname>
 options.  This is the I<default> of no name options are given explicitly.
 
 =item B<multiline>
 
-a multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
+A multiline format. It is equivalent B<esc_ctrl>, B<esc_msb>, B<sep_multiline>,
 B<space_eq>, B<lname> and B<align>.
 
 =item B<esc_2253>
 
-escape the "special" characters required by RFC2253 in a field. That is
+Escape the "special" characters required by RFC2253 in a field. That is
 B<,+"E<lt>E<gt>;>. Additionally B<#> is escaped at the beginning of a string
 and a space character at the beginning or end of a string.
 
 =item B<esc_2254>
 
-escape the "special" characters required by RFC2254 in a field. That is
+Escape the "special" characters required by RFC2254 in a field. That is
 the B<NUL> character as well as and B<()*>.
 
 =item B<esc_ctrl>
 
-escape control characters. That is those with ASCII values less than
+Escape control characters. That is those with ASCII values less than
 0x20 (space) and the delete (0x7f) character. They are escaped using the
 RFC2253 \XX notation (where XX are two hex digits representing the
 character value).
 
 =item B<esc_msb>
 
-escape characters with the MSB set, that is with ASCII values larger than
+Escape characters with the MSB set, that is with ASCII values larger than
 127.
 
 =item B<use_quote>
 
-escapes some characters by surrounding the whole string with B<"> characters,
+Escapes some characters by surrounding the whole string with B<"> characters,
 without the option all escaping is done with the B<\> character.
 
 =item B<utf8>
 
-convert all strings to UTF8 format first. This is required by RFC2253. If
+Convert all strings to UTF8 format first. This is required by RFC2253. If
 you are lucky enough to have a UTF8 compatible terminal then the use
 of this option (and B<not> setting B<esc_msb>) may result in the correct
 display of multibyte (international) characters. Is this option is not
@@ -511,42 +511,42 @@ character form first.
 
 =item B<ignore_type>
 
-this option does not attempt to interpret multibyte characters in any
+This option does not attempt to interpret multibyte characters in any
 way. That is their content octets are merely dumped as though one octet
 represents each character. This is useful for diagnostic purposes but
 will result in rather odd looking output.
 
 =item B<show_type>
 
-show the type of the ASN1 character string. The type precedes the
+Show the type of the ASN1 character string. The type precedes the
 field contents. For example "BMPSTRING: Hello World".
 
 =item B<dump_der>
 
-when this option is set any fields that need to be hexdumped will
+When this option is set any fields that need to be hexdumped will
 be dumped using the DER encoding of the field. Otherwise just the
 content octets will be displayed. Both options use the RFC2253
 B<#XXXX...> format.
 
 =item B<dump_nostr>
 
-dump non character string types (for example OCTET STRING) if this
+Dump non character string types (for example OCTET STRING) if this
 option is not set then non character string types will be displayed
 as though each content octet represents a single character.
 
 =item B<dump_all>
 
-dump all fields. This option when used with B<dump_der> allows the
+Dump all fields. This option when used with B<dump_der> allows the
 DER encoding of the structure to be unambiguously determined.
 
 =item B<dump_unknown>
 
-dump any field whose OID is not recognised by OpenSSL.
+Dump any field whose OID is not recognised by OpenSSL.
 
 =item B<sep_comma_plus>, B<sep_comma_plus_space>, B<sep_semi_plus_space>,
 B<sep_multiline>
 
-these options determine the field separators. The first character is
+These options determine the field separators. The first character is
 between RDNs and the second between multiple AVAs (multiple AVAs are
 very rare and their use is discouraged). The options ending in
 "space" additionally place a space after the separator to make it
@@ -557,13 +557,13 @@ then B<sep_comma_plus_space> is used by default.
 
 =item B<dn_rev>
 
-reverse the fields of the DN. This is required by RFC2253. As a side
+Reverse the fields of the DN. This is required by RFC2253. As a side
 effect this also reverses the order of multiple AVAs but this is
 permissible.
 
 =item B<nofname>, B<sname>, B<lname>, B<oid>
 
-these options alter how the field name is displayed. B<nofname> does
+These options alter how the field name is displayed. B<nofname> does
 not display the field at all. B<sname> uses the "short name" form
 (CN for commonName for example). B<lname> uses the long form.
 B<oid> represents the OID in numerical form and is useful for
@@ -571,12 +571,12 @@ diagnostic purpose.
 
 =item B<align>
 
-align field values for a more readable output. Only usable with
+Align field values for a more readable output. Only usable with
 B<sep_multiline>.
 
 =item B<space_eq>
 
-places spaces round the B<=> character which follows the field
+Places spaces round the B<=> character which follows the field
 name.
 
 =back
@@ -591,59 +591,61 @@ the B<text> option is present. The default behaviour is to print all fields.
 
 =item B<compatible>
 
-use the old format. This is equivalent to specifying no output options at all.
+Use the old format. This is equivalent to specifying no output options at all.
 
 =item B<no_header>
 
-don't print header information: that is the lines saying "Certificate" and "Data".
+Don't print header information: that is the lines saying "Certificate"
+and "Data".
 
 =item B<no_version>
 
-don't print out the version number.
+Don't print out the version number.
 
 =item B<no_serial>
 
-don't print out the serial number.
+Don't print out the serial number.
 
 =item B<no_signame>
 
-don't print out the signature algorithm used.
+Don't print out the signature algorithm used.
 
 =item B<no_validity>
 
-don't print the validity, that is the B<notBefore> and B<notAfter> fields.
+Don't print the validity, that is the B<notBefore> and B<notAfter> fields.
 
 =item B<no_subject>
 
-don't print out the subject name.
+Don't print out the subject name.
 
 =item B<no_issuer>
 
-don't print out the issuer name.
+Don't print out the issuer name.
 
 =item B<no_pubkey>
 
-don't print out the public key.
+Don't print out the public key.
 
 =item B<no_sigdump>
 
-don't give a hexadecimal dump of the certificate signature.
+Don't give a hexadecimal dump of the certificate signature.
 
 =item B<no_aux>
 
-don't print out certificate trust information.
+Don't print out certificate trust information.
 
 =item B<no_extensions>
 
-don't print out any X509V3 extensions.
+Don't print out any X509V3 extensions.
 
 =item B<ext_default>
 
-retain default extension behaviour: attempt to print out unsupported certificate extensions.
+Retain default extension behaviour: attempt to print out unsupported
+certificate extensions.
 
 =item B<ext_error>
 
-print an error message for unsupported certificate extensions.
+Print an error message for unsupported certificate extensions.
 
 =item B<ext_parse>
 
@@ -651,11 +653,11 @@ ASN1 parse unsupported extensions.
 
 =item B<ext_dump>
 
-hex dump unsupported extensions.
+Hex dump unsupported extensions.
 
 =item B<ca_default>
 
-the value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
+The value used by the B<ca> utility, equivalent to B<no_issuer>, B<no_pubkey>,
 B<no_header>, and B<no_version>.
 
 =back
@@ -895,7 +897,7 @@ the old form must have their links rebuilt using B<c_rehash> or similar.
 
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/SSL_CIPHER_get_name.pod b/doc/man3/SSL_CIPHER_get_name.pod
index 872e37d..e19bf21 100644
--- a/doc/man3/SSL_CIPHER_get_name.pod
+++ b/doc/man3/SSL_CIPHER_get_name.pod
@@ -34,17 +34,17 @@ SSL_CIPHER_get_version() returns string which indicates the SSL/TLS protocol
 version that first defined the cipher.  It returns "(NONE)" if B<cipher> is NULL.
 
 SSL_CIPHER_get_cipher_nid() returns the cipher NID corresponding to B<c>.
-If there is no cipher (e.g. for ciphersuites with no encryption) then
+If there is no cipher (e.g. for cipher suites with no encryption) then
 B<NID_undef> is returned.
 
 SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC
-used by B<c>. If there is no digest (e.g. for AEAD ciphersuites) then
+used by B<c>. If there is no digest (e.g. for AEAD cipher suites) then
 B<NID_undef> is returned.
 
 SSL_CIPHER_get_kx_nid() returns the key exchange NID corresponding to the method
 used by B<c>. If there is no key exchange, then B<NID_undef> is returned.
 If any appropriate key exchange algorithm can be used (as in the case of TLS 1.3
-ciphersuites) B<NID_kx_any> is returned. Examples (not comprehensive):
+cipher suites) B<NID_kx_any> is returned. Examples (not comprehensive):
 
  NID_kx_rsa
  NID_kx_ecdhe
@@ -54,7 +54,7 @@ ciphersuites) B<NID_kx_any> is returned. Examples (not comprehensive):
 SSL_CIPHER_get_auth_nid() returns the authentication NID corresponding to the method
 used by B<c>. If there is no authentication, then B<NID_undef> is returned.
 If any appropriate authentication algorithm can be used (as in the case of
-TLS 1.3 ciphersuites) B<NID_auth_any> is returned. Examples (not comprehensive):
+TLS 1.3 cipher suites) B<NID_auth_any> is returned. Examples (not comprehensive):
 
  NID_auth_rsa
  NID_auth_ecdsa
diff --git a/doc/man3/SSL_CTX_add1_chain_cert.pod b/doc/man3/SSL_CTX_add1_chain_cert.pod
index 1f0418b..2473002 100644
--- a/doc/man3/SSL_CTX_add1_chain_cert.pod
+++ b/doc/man3/SSL_CTX_add1_chain_cert.pod
@@ -86,7 +86,7 @@ used to iterate over all certificates in an B<SSL_CTX> structure.
 SSL_set_current_cert() also supports the option B<SSL_CERT_SET_SERVER>.
 If B<ssl> is a server and has sent a certificate to a connected client
 this option sets that certificate to the current certificate and returns 1.
-If the negotiated ciphersuite is anonymous (and thus no certificate will
+If the negotiated cipher suite is anonymous (and thus no certificate will
 be sent) 2 is returned and the current certificate is unchanged. If B<ssl>
 is not a server or a certificate has not been sent 0 is returned and
 the current certificate is unchanged.
@@ -129,7 +129,7 @@ using SSL_CTX_add_extra_chain_cert() will be used.
 =head1 RETURN VALUES
 
 SSL_set_current_cert() with B<SSL_CERT_SET_SERVER> return 1 for success, 2 if
-no server certificate is used because the ciphersuites is anonymous and 0
+no server certificate is used because the cipher suites is anonymous and 0
 for failure.
 
 SSL_CTX_build_cert_chain() and SSL_build_cert_chain() return 1 for success
diff --git a/doc/man3/SSL_CTX_set_ct_validation_callback.pod b/doc/man3/SSL_CTX_set_ct_validation_callback.pod
index afa45dc..a0a8028 100644
--- a/doc/man3/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/man3/SSL_CTX_set_ct_validation_callback.pod
@@ -78,7 +78,7 @@ If no callback is set, SCTs will not be requested and Certificate Transparency
 validation will not occur.
 
 No callback will be invoked when the peer presents no certificate, e.g. by
-employing an anonymous (aNULL) ciphersuite.
+employing an anonymous (aNULL) cipher suite.
 In that case the handshake continues as it would had no callback been
 requested.
 Callbacks are also not invoked when the peer certificate chain is invalid or
diff --git a/doc/man3/SSL_CTX_set_security_level.pod b/doc/man3/SSL_CTX_set_security_level.pod
index 577b393..3613306 100644
--- a/doc/man3/SSL_CTX_set_security_level.pod
+++ b/doc/man3/SSL_CTX_set_security_level.pod
@@ -70,31 +70,31 @@ OpenSSL.
 The security level corresponds to a minimum of 80 bits of security. Any
 parameters offering below 80 bits of security are excluded. As a result RSA,
 DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits
-are prohibited. All export ciphersuites are prohibited since they all offer
-less than 80 bits of security. SSL version 2 is prohibited. Any ciphersuite
+are prohibited. All export cipher suites are prohibited since they all offer
+less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite
 using MD5 for the MAC is also prohibited.
 
 =item B<Level 2>
 
 Security level set to 112 bits of security. As a result RSA, DSA and DH keys
 shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
-In addition to the level 1 exclusions any ciphersuite using RC4 is also
+In addition to the level 1 exclusions any cipher suite using RC4 is also
 prohibited. SSL version 3 is also not allowed. Compression is disabled.
 
 =item B<Level 3>
 
 Security level set to 128 bits of security. As a result RSA, DSA and DH keys
 shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited.
-In addition to the level 2 exclusions ciphersuites not offering forward
+In addition to the level 2 exclusions cipher suites not offering forward
 secrecy are prohibited. TLS versions below 1.1 are not permitted. Session
 tickets are disabled.
 
 =item B<Level 4>
 
-Security level set to 192 bits of security. As a result RSA, DSA and DH keys
-shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited.
-Ciphersuites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are
-not permitted.
+Security level set to 192 bits of security. As a result RSA, DSA and
+DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are
+prohibited.  Cipher suites using SHA1 for the MAC are prohibited. TLS
+versions below 1.2 are not permitted.
 
 =item B<Level 5>
 
@@ -128,11 +128,11 @@ By setting an appropriate security level much of this complexity can be
 avoided.
 
 The bits of security limits affect all relevant parameters including
-ciphersuite encryption algorithms, supported ECC curves, supported
+cipher suite encryption algorithms, supported ECC curves, supported
 signature algorithms, DH parameter sizes, certificate key sizes and
 signature algorithms. This limit applies no matter what other custom
-settings an application has set: so if the ciphersuite is set to B<ALL>
-then only ciphersuites consistent with the security level are permissible.
+settings an application has set: so if the cipher suite is set to B<ALL>
+then only cipher suites consistent with the security level are permissible.
 
 See SP800-57 for how the security limits are related to individual
 algorithms.
@@ -141,7 +141,7 @@ Some security levels require large key sizes for non-ECC public key
 algorithms which can severely degrade performance. For example 256 bits
 of security requires the use of RSA keys of at least 15360 bits in size.
 
-Some restrictions can be gracefully handled: for example ciphersuites
+Some restrictions can be gracefully handled: for example cipher suites
 offering insufficient security are not sent by the client and will not
 be selected by the server. Other restrictions such as the peer certificate
 key size or the DH parameter size will abort the handshake with a fatal
diff --git a/doc/man3/SSL_CTX_set_split_send_fragment.pod b/doc/man3/SSL_CTX_set_split_send_fragment.pod
index 4c3e9e6..f65540f 100644
--- a/doc/man3/SSL_CTX_set_split_send_fragment.pod
+++ b/doc/man3/SSL_CTX_set_split_send_fragment.pod
@@ -51,7 +51,7 @@ used (i.e. normal non-parallel operation). The number of pipelines set must be
 in the range 1 - SSL_MAX_PIPELINES (32). Setting this to a value > 1 will also
 automatically turn on "read_ahead" (see L<SSL_CTX_set_read_ahead(3)>). This is
 explained further below. OpenSSL will only every use more than one pipeline if
-a ciphersuite is negotiated that uses a pipeline capable cipher provided by an
+a cipher suite is negotiated that uses a pipeline capable cipher provided by an
 engine.
 
 Pipelining operates slightly differently for reading encrypted data compared to
diff --git a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
index 0a925ce..3c0761d 100644
--- a/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/man3/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -112,12 +112,12 @@ exactly as if a full negotiation had occurred.
 
 If an attacker can obtain the key used to encrypt a session ticket, they can
 obtain the master secret for any ticket using that key and decrypt any traffic
-using that session: even if the ciphersuite supports forward secrecy. As
+using that session: even if the cipher suite supports forward secrecy. As
 a result applications may wish to use multiple keys and avoid using long term
 keys stored in files.
 
 Applications can use longer keys to maintain a consistent level of security.
-For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key
+For example if a cipher suite uses 256 bit ciphers but only a 128 bit ticket key
 the overall security is only 128 bits because breaking the ticket key will
 enable an attacker to obtain the session keys.
 
diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
index 24d02dc..ee62d85 100644
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@@ -74,7 +74,7 @@ can supply the DH parameters via a callback function.
 
 Previous versions of the callback used B<is_export> and B<keylength>
 parameters to control parameter generation for export and non-export
-cipher suites. Modern servers that do not support export ciphersuites
+cipher suites. Modern servers that do not support export cipher suites
 are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use
 the callback but ignore B<keylength> and B<is_export> and simply
 supply at least 2048-bit parameters in the callback.
diff --git a/doc/man3/SSL_get_peer_signature_nid.pod b/doc/man3/SSL_get_peer_signature_nid.pod
index 492b13f..66caa75 100644
--- a/doc/man3/SSL_get_peer_signature_nid.pod
+++ b/doc/man3/SSL_get_peer_signature_nid.pod
@@ -25,7 +25,7 @@ where it is B<EVP_PKEY_RSA_PSS>.
 =head1 RETURN VALUES
 
 These functions return 1 for success and 0 for failure. There are several
-possible reasons for failure: the ciphersuite has no signature (e.g. it
+possible reasons for failure: the cipher suite has no signature (e.g. it
 uses RSA key exchange or is anonymous), the TLS version is below 1.2 or
 the functions were called before the peer signed a message.
 


More information about the openssl-commits mailing list