Merge remote-tracking branch 'origin/released'

Conflicts:
	openssl/Configure
	openssl/Makefile
	openssl/util/pl/VC-32.pl

9 files changed, 32 insertions, 12 deletions

diff --git a/openssl/doc/apps/config.pod b/openssl/doc/apps/config.pod
index ace34b62b..25c5381b9 100644
--- a/openssl/doc/apps/config.pod
+++ b/openssl/doc/apps/config.pod
@@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration
 information.
 
 The section pointed to by B<engines> is a table of engine names (though see
-B<engine_id> below) and further sections containing configuration informations
+B<engine_id> below) and further sections containing configuration information
 specific to each ENGINE.
 
 Each ENGINE specific section is used to set default algorithms, load
diff --git a/openssl/doc/apps/crl.pod b/openssl/doc/apps/crl.pod
index a40c873b9..1ad76a5f8 100644
--- a/openssl/doc/apps/crl.pod
+++ b/openssl/doc/apps/crl.pod
@@ -62,6 +62,11 @@ don't output the encoded version of the CRL.
 output a hash of the issuer name. This can be use to lookup CRLs in
 a directory by issuer name.
 
+=item B<-hash_old>
+
+outputs the "hash" of the CRL issuer name using the older algorithm
+as used by OpenSSL versions before 1.0.0.
+
 =item B<-issuer>
 
 output the issuer name.
diff --git a/openssl/doc/apps/ec.pod b/openssl/doc/apps/ec.pod
index ba6dc4689..5c7b45d4e 100644
--- a/openssl/doc/apps/ec.pod
+++ b/openssl/doc/apps/ec.pod
@@ -41,7 +41,7 @@ PKCS#8 private key format use the B<pkcs8> command.
 
 This specifies the input format. The B<DER> option with a private key uses
 an ASN.1 DER encoded SEC1 private key. When used with a public key it
-uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
+uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
 The B<PEM> form is the default format: it consists of the B<DER> format base64
 encoded with additional header and footer lines. In the case of a private key
 PKCS#8 format is also accepted.
diff --git a/openssl/doc/apps/pkcs12.pod b/openssl/doc/apps/pkcs12.pod
index f69a5c5a4..8e0d91798 100644
--- a/openssl/doc/apps/pkcs12.pod
+++ b/openssl/doc/apps/pkcs12.pod
@@ -67,7 +67,7 @@ by default.
 The filename to write certificates and private keys to, standard output by
 default.  They are all written in PEM format.
 
-=item B<-pass arg>, B<-passin arg>
+=item B<-passin arg>
 
 the PKCS#12 file (i.e. input file) password source. For more information about
 the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
@@ -75,10 +75,15 @@ L<openssl(1)|openssl(1)>.
 
 =item B<-passout arg>
 
-pass phrase source to encrypt any outputed private keys with. For more
+pass phrase source to encrypt any outputted private keys with. For more
 information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
 in L<openssl(1)|openssl(1)>.
 
+=item B<-password arg>
+
+With -export, -password is equivalent to -passout.
+Otherwise, -password is equivalent to -passin.
+
 =item B<-noout>
 
 this option inhibits output of the keys and certificates to the output file
diff --git a/openssl/doc/apps/req.pod b/openssl/doc/apps/req.pod
index ff48bbdf2..0730d117b 100644
--- a/openssl/doc/apps/req.pod
+++ b/openssl/doc/apps/req.pod
@@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge>
 
 =item B<-newhdr>
 
-Adds the word B<NEW> to the PEM file header and footer lines on the outputed
+Adds the word B<NEW> to the PEM file header and footer lines on the outputted
 request. Some software (Netscape certificate server) and some CAs need this.
 
 =item B<-batch>
diff --git a/openssl/doc/apps/s_client.pod b/openssl/doc/apps/s_client.pod
index 4ebf7b585..3215b2e8c 100644
--- a/openssl/doc/apps/s_client.pod
+++ b/openssl/doc/apps/s_client.pod
@@ -10,6 +10,7 @@ s_client - SSL/TLS client program
 B<openssl> B<s_client>
 [B<-connect host:port>]
 [B<-verify depth>]
+[B<-verify_return_error>]
 [B<-cert filename>]
 [B<-certform DER|PEM>]
 [B<-key filename>]
@@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems
 with a certificate chain can be seen. As a side effect the connection
 will never fail due to a server certificate verify failure.
 
+=item B<-verify_return_error>
+
+Return verification errors instead of continuing. This will typically
+abort the handshake with a fatal error.
+
 =item B<-CApath directory>
 
 The directory to use for server certificate verification. This directory
@@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
 these will only be supported if its use is disabled, for example by using the
 B<-no_sslv2> option.
 
+The B<s_client> utility is a test tool and is designed to continue the
+handshake after any certificate verification errors. As a result it will
+accept any certificate chain (trusted or not) sent by the peer. None test
+applications should B<not> do this as it makes them vulnerable to a MITM
+attack. This behaviour can be changed by with the B<-verify_return_error>
+option: any verify errors are then returned aborting the handshake.
+
 =head1 BUGS
 
 Because this program has a lot of options and also because some of
@@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather
 hard to read and not a model of how things should be done. A typical
 SSL client program would be much simpler.
 
-The B<-verify> option should really exit if the server verification
-fails.
-
 The B<-prexit> option is a bit of a hack. We should really report
 information whenever a session is renegotiated.
 
diff --git a/openssl/doc/apps/s_server.pod b/openssl/doc/apps/s_server.pod
index 3e503e17e..6758ba308 100644
--- a/openssl/doc/apps/s_server.pod
+++ b/openssl/doc/apps/s_server.pod
@@ -111,7 +111,7 @@ by using an appropriate certificate.
 
 =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
 
-addtional certificate and private key format and passphrase respectively.
+additional certificate and private key format and passphrase respectively.
 
 =item B<-nocert>
 
diff --git a/openssl/doc/apps/ts.pod b/openssl/doc/apps/ts.pod
index 7fb6caa96..d6aa47d31 100644
--- a/openssl/doc/apps/ts.pod
+++ b/openssl/doc/apps/ts.pod
@@ -352,7 +352,7 @@ switch always overrides the settings in the config file.
 
 This is the main section and it specifies the name of another section
 that contains all the options for the B<-reply> command. This default
-section can be overriden with the B<-section> command line switch. (Optional)
+section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
@@ -453,7 +453,7 @@ included. Default is no. (Optional)
 =head1 ENVIRONMENT VARIABLES
 
 B<OPENSSL_CONF> contains the path of the configuration file and can be
-overriden by the B<-config> command line option.
+overridden by the B<-config> command line option.
 
 =head1 EXAMPLES
 
diff --git a/openssl/doc/apps/tsget.pod b/openssl/doc/apps/tsget.pod
index b05957bee..56db985c4 100644
--- a/openssl/doc/apps/tsget.pod
+++ b/openssl/doc/apps/tsget.pod
@@ -124,7 +124,7 @@ The name of an EGD socket to get random data from. (Optional)
 =item [request]...
 
 List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
-requests are specifed only one request will be sent to the server and it will be
+requests are specified only one request will be sent to the server and it will be
 read from the standard input. (Optional)
 
 =back