authorRich Salz <rsalz@openssl.org>2016-05-20 08:11:46 -0400
committerRich Salz <rsalz@openssl.org>2016-05-20 08:11:46 -0400
commit1bc74519a2a57ef8e67484ca92890fa94d3dd66f (patch)
treee6f9e69d03548ad1e73bf805957a46dec95853b1 /doc/ssl
parente990ec5234d9daad66359833c40e4536d7fce499 (diff)
Fix nits in pod files.
Add doc-nit-check to help find future issues. Make podchecker be almost clean. Remove trailing whitespace. Tab expansion.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc/ssl')
-rw-r--r--doc/ssl/SSL_CONF_CTX_set1_prefix.pod2
-rw-r--r--doc/ssl/SSL_CTX_add_session.pod2
-rw-r--r--doc/ssl/SSL_CTX_flush_sessions.pod4
-rw-r--r--doc/ssl/SSL_CTX_sess_set_get_cb.pod8
-rw-r--r--doc/ssl/SSL_CTX_set1_curves.pod4
-rw-r--r--doc/ssl/SSL_CTX_set1_verify_cert_store.pod2
-rw-r--r--doc/ssl/SSL_CTX_set_cert_store.pod2
-rw-r--r--doc/ssl/SSL_CTX_set_cert_verify_callback.pod6
-rw-r--r--doc/ssl/SSL_CTX_set_client_CA_list.pod4
-rw-r--r--doc/ssl/SSL_CTX_set_custom_cli_ext.pod38
-rw-r--r--doc/ssl/SSL_CTX_set_generate_session_id.pod2
-rw-r--r--doc/ssl/SSL_CTX_set_info_callback.pod68
-rw-r--r--doc/ssl/SSL_CTX_set_psk_client_callback.pod12
-rw-r--r--doc/ssl/SSL_CTX_set_security_level.pod8
-rw-r--r--doc/ssl/SSL_CTX_set_session_cache_mode.pod2
-rw-r--r--doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod32
-rw-r--r--doc/ssl/SSL_CTX_set_verify.pod4
-rw-r--r--doc/ssl/SSL_CTX_use_certificate.pod12
-rw-r--r--doc/ssl/SSL_CTX_use_psk_identity_hint.pod9
-rw-r--r--doc/ssl/SSL_CTX_use_serverinfo.pod11
-rw-r--r--doc/ssl/SSL_SESSION_get_time.pod2
-rw-r--r--doc/ssl/SSL_accept.pod2
-rw-r--r--doc/ssl/SSL_alert_type_string.pod2
-rw-r--r--doc/ssl/SSL_connect.pod2
-rw-r--r--doc/ssl/SSL_get_client_CA_list.pod2
-rw-r--r--doc/ssl/SSL_get_current_cipher.pod2
-rw-r--r--doc/ssl/SSL_get_psk_identity.pod1
-rw-r--r--doc/ssl/SSL_library_init.pod2
-rw-r--r--doc/ssl/SSL_load_client_CA_file.pod2
-rw-r--r--doc/ssl/SSL_read.pod4
-rw-r--r--doc/ssl/SSL_set1_host.pod6
-rw-r--r--doc/ssl/SSL_shutdown.pod4
-rw-r--r--doc/ssl/SSL_write.pod4
-rw-r--r--doc/ssl/ssl.pod3
34 files changed, 126 insertions, 144 deletions
diff --git a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
index 00b7118021..2e82f05241 100644
--- a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
+++ b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod
@@ -20,7 +20,7 @@ to B<prefix>. If B<prefix> is B<NULL> it is restored to the default value.
Command prefixes alter the commands recognised by subsequent SSL_CTX_cmd()
calls. For example for files, if the prefix "SSL" is set then command names
such as "SSLProtocol", "SSLOptions" etc. are recognised instead of "Protocol"
-and "Options". Similarly for command lines if the prefix is "--ssl-" then
+and "Options". Similarly for command lines if the prefix is "--ssl-" then
"--ssl-no_tls1_2" is recognised instead of "-no_tls1_2".
If the B<SSL_CONF_FLAG_CMDLINE> flag is set then prefix checks are case
diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod
index 4d4c32746e..fd782b3344 100644
--- a/doc/ssl/SSL_CTX_add_session.pod
+++ b/doc/ssl/SSL_CTX_add_session.pod
@@ -59,7 +59,7 @@ The following values are returned by all functions:
session was not found in the cache.
=item Z<>1
-
+
The operation succeeded.
=back
diff --git a/doc/ssl/SSL_CTX_flush_sessions.pod b/doc/ssl/SSL_CTX_flush_sessions.pod
index 4c90016dab..e16775b7b8 100644
--- a/doc/ssl/SSL_CTX_flush_sessions.pod
+++ b/doc/ssl/SSL_CTX_flush_sessions.pod
@@ -26,7 +26,7 @@ As sessions will not be reused ones they are expired, they should be
removed from the cache to save resources. This can either be done
automatically whenever 255 new sessions were established (see
L<SSL_CTX_set_session_cache_mode(3)>)
-or manually by calling SSL_CTX_flush_sessions().
+or manually by calling SSL_CTX_flush_sessions().
The parameter B<tm> specifies the time which should be used for the
expiration test, in most cases the actual time given by time(0)
@@ -37,8 +37,6 @@ cache. When a session is found and removed, the remove_session_cb is however
called to synchronize with the external cache (see
L<SSL_CTX_sess_set_get_cb(3)>).
-=head1 RETURN VALUES
-
=head1 SEE ALSO
L<ssl(3)>,
diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod
index 19924da3ca..e8aa8ee937 100644
--- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod
+++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod
@@ -9,11 +9,11 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS
#include <openssl/ssl.h>
void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
- int (*new_session_cb)(SSL *, SSL_SESSION *));
+ int (*new_session_cb)(SSL *, SSL_SESSION *));
void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
- void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *));
+ void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *));
void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
- SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *));
+ SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *));
int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
@@ -22,7 +22,7 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS
int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess);
void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess);
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,
- int len, int *copy);
+ int len, int *copy);
=head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_set1_curves.pod b/doc/ssl/SSL_CTX_set1_curves.pod
index 5e99d65167..2429dfbe06 100644
--- a/doc/ssl/SSL_CTX_set1_curves.pod
+++ b/doc/ssl/SSL_CTX_set1_curves.pod
@@ -23,7 +23,7 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve - EC supported curve
SSL_CTX_set1_curves() sets the supported curves for B<ctx> to B<clistlen>
curves in the array B<clist>. The array consist of all NIDs of curves in
preference order. For a TLS client the curves are used directly in the
-supported curves extension. For a TLS server the curves are used to
+supported curves extension. For a TLS server the curves are used to
determine the set of shared curves.
SSL_CTX_set1_curves_list() sets the supported curves for B<ctx> to
@@ -34,7 +34,7 @@ SSL_set1_curves() and SSL_set1_curves_list() are similar except they set
supported curves for the SSL structure B<ssl>.
SSL_get1_curves() returns the set of supported curves sent by a client
-in the supported curves extension. It returns the total number of
+in the supported curves extension. It returns the total number of
supported curves. The B<curves> parameter can be B<NULL> to simply
return the number of curves for memory allocation purposes. The
B<curves> array is in the form of a set of curve NIDs in preference
diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
index 5343aa09df..fa6ce5611e 100644
--- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
+++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod
@@ -54,7 +54,7 @@ any client certificate chain.
The chain store is used to build the certificate chain.
If the mode B<SSL_MODE_NO_AUTO_CHAIN> is set or a certificate chain is
-configured already (for example using the functions such as
+configured already (for example using the functions such as
L<SSL_CTX_add1_chain_cert(3)> or
L<SSL_CTX_add_extra_chain_cert(3)>) then
automatic chain building is disabled.
diff --git a/doc/ssl/SSL_CTX_set_cert_store.pod b/doc/ssl/SSL_CTX_set_cert_store.pod
index d53bf4fde4..27243f3ad5 100644
--- a/doc/ssl/SSL_CTX_set_cert_store.pod
+++ b/doc/ssl/SSL_CTX_set_cert_store.pod
@@ -46,7 +46,7 @@ X509_STORE object and its handling becomes available.
The X509_STORE structure used by an SSL_CTX is used for verifying peer
certificates and building certificate chains, it is also shared by
-every child SSL structure. Applications wanting finer control can use
+every child SSL structure. Applications wanting finer control can use
functions such as SSL_CTX_set1_verify_cert_store() instead.
=head1 RETURN VALUES
diff --git a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
index 018335f00a..2eda8006c7 100644
--- a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
+++ b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod
@@ -26,7 +26,7 @@ SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting I<callback> to NULL, the default behaviour is restored.
When the verification must be performed, I<callback> will be called with
-the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
+the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
argument I<arg> is specified by the application when setting I<callback>.
I<callback> should return 1 to indicate verification success and 0 to
@@ -35,7 +35,7 @@ returns 0, the handshake will fail. As the verification procedure may
allow to continue the connection in case of failure (by always returning 1)
the verification result must be set in any case using the B<error>
member of I<x509_store_ctx> so that the calling application will be informed
-about the detailed result of the verification procedure!
+about the detailed result of the verification procedure!
Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback>
function set using L<SSL_CTX_set_verify(3)>.
@@ -54,8 +54,6 @@ the B<verify_callback> function.
=head1 BUGS
-=head1 RETURN VALUES
-
SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
=head1 SEE ALSO
diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod
index 57d3f0a5d0..c0656abbf2 100644
--- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
@@ -9,7 +9,7 @@ client certificate
=head1 SYNOPSIS
#include <openssl/ssl.h>
-
+
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
@@ -42,7 +42,7 @@ This list must explicitly be set using SSL_CTX_set_client_CA_list() for
B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
specified overrides the previous setting. The CAs listed do not become
trusted (B<list> only contains the names, not the complete certificates); use
-L<SSL_CTX_load_verify_locations(3)>
+L<SSL_CTX_load_verify_locations(3)>
to additionally load them for verification.
If the list of acceptable CAs is compiled in a file, the
diff --git a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod
index 670ed4b6c1..07b5e94f25 100644
--- a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod
+++ b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod
@@ -9,41 +9,41 @@ SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext - custom TLS extens
#include <openssl/ssl.h>
int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
- custom_ext_add_cb add_cb,
- custom_ext_free_cb free_cb, void *add_arg,
- custom_ext_parse_cb parse_cb,
- void *parse_arg);
+ custom_ext_add_cb add_cb,
+ custom_ext_free_cb free_cb, void *add_arg,
+ custom_ext_parse_cb parse_cb,
+ void *parse_arg);
int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
- custom_ext_add_cb add_cb,
- custom_ext_free_cb free_cb, void *add_arg,
- custom_ext_parse_cb parse_cb,
- void *parse_arg);
+ custom_ext_add_cb add_cb,
+ custom_ext_free_cb free_cb, void *add_arg,
+ custom_ext_parse_cb parse_cb,
+ void *parse_arg);
int SSL_extension_supported(unsigned int ext_type);
typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type,
- const unsigned char **out,
- size_t *outlen, int *al,
- void *add_arg);
+ const unsigned char **out,
+ size_t *outlen, int *al,
+ void *add_arg);
typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type,
- const unsigned char *out,
- void *add_arg);
+ const unsigned char *out,
+ void *add_arg);
typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type,
- const unsigned char *in,
- size_t inlen, int *al,
- void *parse_arg);
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *parse_arg);
=head1 DESCRIPTION
-SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client
+SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client
with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and
B<parse_cb>.
-SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server
+SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server
with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and
B<parse_cb>.
@@ -55,7 +55,7 @@ internally by OpenSSL and 0 otherwise.
=head1 EXTENSION CALLBACKS
-The callback B<add_cb> is called to send custom extension data to be
+The callback B<add_cb> is called to send custom extension data to be
included in ClientHello for TLS clients or ServerHello for servers. The
B<ext_type> parameter is set to the extension type which will be added and
B<add_arg> to the value set when the extension handler was added.
diff --git a/doc/ssl/SSL_CTX_set_generate_session_id.pod b/doc/ssl/SSL_CTX_set_generate_session_id.pod
index 968be766bb..170f743f4e 100644
--- a/doc/ssl/SSL_CTX_set_generate_session_id.pod
+++ b/doc/ssl/SSL_CTX_set_generate_session_id.pod
@@ -14,7 +14,7 @@ SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_s
int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb);
int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
- unsigned int id_len);
+ unsigned int id_len);
=head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_set_info_callback.pod b/doc/ssl/SSL_CTX_set_info_callback.pod
index fd1dee90e9..f20284f506 100644
--- a/doc/ssl/SSL_CTX_set_info_callback.pod
+++ b/doc/ssl/SSL_CTX_set_info_callback.pod
@@ -110,40 +110,40 @@ The following example callback function prints state strings, information
about alerts being handled and error messages to the B<bio_err> BIO.
void apps_ssl_info_callback(SSL *s, int where, int ret)
- {
- const char *str;
- int w;
-
- w=where& ~SSL_ST_MASK;
-
- if (w & SSL_ST_CONNECT) str="SSL_connect";
- else if (w & SSL_ST_ACCEPT) str="SSL_accept";
- else str="undefined";
-
- if (where & SSL_CB_LOOP)
- {
- BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
- }
- else if (where & SSL_CB_ALERT)
- {
- str=(where & SSL_CB_READ)?"read":"write";
- BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
- str,
- SSL_alert_type_string_long(ret),
- SSL_alert_desc_string_long(ret));
- }
- else if (where & SSL_CB_EXIT)
- {
- if (ret == 0)
- BIO_printf(bio_err,"%s:failed in %s\n",
- str,SSL_state_string_long(s));
- else if (ret < 0)
- {
- BIO_printf(bio_err,"%s:error in %s\n",
- str,SSL_state_string_long(s));
- }
- }
- }
+ {
+ const char *str;
+ int w;
+
+ w=where& ~SSL_ST_MASK;
+
+ if (w & SSL_ST_CONNECT) str="SSL_connect";
+ else if (w & SSL_ST_ACCEPT) str="SSL_accept";
+ else str="undefined";
+
+ if (where & SSL_CB_LOOP)
+ {
+ BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
+ }
+ else if (where & SSL_CB_ALERT)
+ {
+ str=(where & SSL_CB_READ)?"read":"write";
+ BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
+ str,
+ SSL_alert_type_string_long(ret),
+ SSL_alert_desc_string_long(ret));
+ }
+ else if (where & SSL_CB_EXIT)
+ {
+ if (ret == 0)
+ BIO_printf(bio_err,"%s:failed in %s\n",
+ str,SSL_state_string_long(s));
+ else if (ret < 0)
+ {
+ BIO_printf(bio_err,"%s:error in %s\n",
+ str,SSL_state_string_long(s));
+ }
+ }
+ }
=head1 SEE ALSO
diff --git a/doc/ssl/SSL_CTX_set_psk_client_callback.pod b/doc/ssl/SSL_CTX_set_psk_client_callback.pod
index 6895152856..c780bec7c3 100644
--- a/doc/ssl/SSL_CTX_set_psk_client_callback.pod
+++ b/doc/ssl/SSL_CTX_set_psk_client_callback.pod
@@ -9,13 +9,13 @@ SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback - set PSK client ca
#include <openssl/ssl.h>
void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
- unsigned int (*callback)(SSL *ssl, const char *hint,
- char *identity, unsigned int max_identity_len,
- unsigned char *psk, unsigned int max_psk_len));
+ unsigned int (*callback)(SSL *ssl, const char *hint,
+ char *identity, unsigned int max_identity_len,
+ unsigned char *psk, unsigned int max_psk_len));
void SSL_set_psk_client_callback(SSL *ssl,
- unsigned int (*callback)(SSL *ssl, const char *hint,
- char *identity, unsigned int max_identity_len,
- unsigned char *psk, unsigned int max_psk_len));
+ unsigned int (*callback)(SSL *ssl, const char *hint,
+ char *identity, unsigned int max_identity_len,
+ unsigned char *psk, unsigned int max_psk_len));
=head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_set_security_level.pod b/doc/ssl/SSL_CTX_set_security_level.pod
index 446ab1a15b..60c3e44213 100644
--- a/doc/ssl/SSL_CTX_set_security_level.pod
+++ b/doc/ssl/SSL_CTX_set_security_level.pod
@@ -15,12 +15,12 @@ SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level,
int SSL_get_security_level(const SSL *s);
void SSL_CTX_set_security_callback(SSL_CTX *ctx,
- int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
- void *other, void *ex));
+ int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+ void *other, void *ex));
void SSL_set_security_callback(SSL *s,
- int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
- void *other, void *ex));
+ int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid,
+ void *other, void *ex));
int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex);
int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex);
diff --git a/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/doc/ssl/SSL_CTX_set_session_cache_mode.pod
index d891372295..d7a4c1cce7 100644
--- a/doc/ssl/SSL_CTX_set_session_cache_mode.pod
+++ b/doc/ssl/SSL_CTX_set_session_cache_mode.pod
@@ -26,7 +26,7 @@ SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX
object.
In order to reuse a session, a client must send the session's id to the
-server. It can only send exactly one id. The server then either
+server. It can only send exactly one id. The server then either
agrees to reuse the session or it starts a full handshake (to create a new
session).
diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
index 4ae381861a..4d9cd5e19e 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
@@ -10,13 +10,13 @@ SSL_CTX_set_tlsext_ticket_key_cb - set a callback for session ticket processing
long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx,
int (*cb)(SSL *s, unsigned char key_name[16],
- unsigned char iv[EVP_MAX_IV_LENGTH],
- EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
+ unsigned char iv[EVP_MAX_IV_LENGTH],
+ EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
=head1 DESCRIPTION
SSL_CTX_set_tlsext_ticket_key_cb() sets a callback function I<cb> for handling
-session tickets for the ssl context I<sslctx>. Session tickets, defined in
+session tickets for the ssl context I<sslctx>. Session tickets, defined in
RFC5077 provide an enhanced session resumption capability where the server
implementation is not required to maintain per session state. It only applies
to TLS and there is no SSLv3 implementation.
@@ -26,9 +26,9 @@ session when session ticket extension is presented in the TLS hello
message. It is the responsibility of this function to create or retrieve the
cryptographic parameters and to maintain their state.
-The OpenSSL library uses your callback function to help implement a common TLS
+The OpenSSL library uses your callback function to help implement a common TLS
ticket construction state according to RFC5077 Section 4 such that per session
-state is unnecessary and a small set of cryptographic variables needs to be
+state is unnecessary and a small set of cryptographic variables needs to be
maintained by the callback function implementation.
In order to reuse a session, a TLS client must send the a session ticket
@@ -56,7 +56,7 @@ I<ctx> should use the initialisation vector I<iv>. The cipher context can be
set using L<EVP_EncryptInit_ex(3)>. The hmac context can be set using
L<HMAC_Init_ex(3)>.
-When the client presents a session ticket, the callback function with be called
+When the client presents a session ticket, the callback function with be called
with I<enc> set to 0 indicating that the I<cb> function should retrieve a set
of parameters. In this case I<name> and I<iv> have already been parsed out of
the session ticket. The OpenSSL library expects that the I<name> will be used
@@ -76,7 +76,7 @@ further processing will occur. The following return values have meaning:
=item Z<>2
-This indicates that the I<ctx> and I<hctx> have been set and the session can
+This indicates that the I<ctx> and I<hctx> have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library will
call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077
@@ -84,12 +84,12 @@ call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077
=item Z<>1
-This indicates that the I<ctx> and I<hctx> have been set and the session can
+This indicates that the I<ctx> and I<hctx> have been set and the session can
continue on those parameters.
=item Z<>0
-This indicates that it was not possible to set/retrieve a session ticket and
+This indicates that it was not possible to set/retrieve a session ticket and
the SSL/TLS session will continue by negotiating a set of cryptographic
parameters or using the alternate SSL/TLS resumption mechanism, session ids.
@@ -133,7 +133,7 @@ Reference Implementation:
if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) {
return -1; /* insufficient random */
}
-
+
key = currentkey(); /* something that you need to implement */
if ( !key ) {
/* current key doesn't exist or isn't valid */
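Review bot: The context line `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) {` in this reference implementation tests the wrong sense. RAND_bytes() returns 1 on success, so as written the sample returns -1 whenever random bytes were obtained, and continues with an IV that was not filled with random data when they were not. This whitespace-only change leaves the line as it was; since readers copy this sample for session-ticket encryption, the check should read `if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0) {`. The callback body starts and ends outside this hunk.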
@@ -146,19 +146,19 @@ Reference Implementation:
}
}
memcpy(key_name, key->name, 16);
-
+
EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);
HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
-
+
return 1;
-
+
} else { /* retrieve session */
key = findkey(name);
-
+
if (!key || key->expire < now() ) {
return 0;
}
-
+
HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv );
@@ -167,7 +167,7 @@ Reference Implementation:
return 2;
}
return 1;
-
+
}
}
diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod
index e1cd4d2b2f..60b0d179b0 100644
--- a/doc/ssl/SSL_CTX_set_verify.pod
+++ b/doc/ssl/SSL_CTX_set_verify.pod
@@ -208,7 +208,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
preverify_ok = 0;
err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
X509_STORE_CTX_set_error(ctx, err);
- }
+ }
if (!preverify_ok) {
printf("verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf);
@@ -258,7 +258,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>).
SSL_set_ex_data(ssl, mydata_index, &mydata);
...
- SSL_accept(ssl); /* check of success left out for clarity */
+ SSL_accept(ssl); /* check of success left out for clarity */
if (peer = SSL_get_peer_certificate(ssl))
{
if (SSL_get_verify_result(ssl) == X509_V_OK)
diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod
index 79b13873e1..4f39abb2d8 100644
--- a/doc/ssl/SSL_CTX_use_certificate.pod
+++ b/doc/ssl/SSL_CTX_use_certificate.pod
@@ -20,7 +20,7 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d,
- long len);
+ long len);
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
@@ -67,7 +67,7 @@ SSL_use_certificate_file() loads the certificate from B<file> into B<ssl>.
See the NOTES section on why SSL_CTX_use_certificate_chain_file()
should be preferred.
-SSL_CTX_use_certificate_chain_file() loads a certificate chain from
+SSL_CTX_use_certificate_chain_file() loads a certificate chain from
B<file> into B<ctx>. The certificates must be in PEM format and must
be sorted starting with the subject's certificate (actual client or server
certificate), followed by intermediate CA certificates if applicable, and
@@ -82,7 +82,7 @@ If a certificate has already been set and the private does not belong
to the certificate an error is returned. To change a certificate, private
key pair the new certificate needs to be set with SSL_use_certificate()
or SSL_CTX_use_certificate() before setting the private key with
-SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey().
+SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey().
SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk>
@@ -109,14 +109,14 @@ the same check for B<ssl>. If no key/certificate was explicitly added for
this B<ssl>, the last item added into B<ctx> will be checked.
=head1 NOTES
-
+
The internal certificate store of OpenSSL can hold several private
key/certificate pairs at a time. The certificate used depends on the
cipher selected, see also L<SSL_CTX_set_cipher_list(3)>.
When reading certificates and private keys from file, files of type
SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain
-one certificate or private key, consequently
+one certificate or private key, consequently
SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting.
Files of type SSL_FILETYPE_PEM can contain more than one item.
@@ -124,7 +124,7 @@ SSL_CTX_use_certificate_chain_file() adds the first certificate found
in the file to the certificate store. The other certificates are added
to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single
certificate chain store for all certificate types, OpenSSL 1.0.2 and later
-have a separate chain store for each type. SSL_CTX_use_certificate_chain_file()
+have a separate chain store for each type. SSL_CTX_use_certificate_chain_file()
should be used instead of the SSL_CTX_use_certificate_file() function in order
to allow the use of complete certificate chains even when no trusted CA
storage is used or when the CA issuing the certificate shall not be added to
diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
index 27a46c3406..b45b2d3997 100644
--- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -6,7 +6,6 @@ SSL_CTX_use_psk_identity_hint, SSL_use_psk_identity_hint,
SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback - set PSK
identity hint to use
-
=head1 SYNOPSIS
#include <openssl/ssl.h>
@@ -15,11 +14,11 @@ identity hint to use
int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);
void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
- unsigned int (*callback)(SSL *ssl, const char *identity,
- unsigned char *psk, int max_psk_len));
+ unsigned int (*callback)(SSL *ssl, const char *identity,
+ unsigned char *psk, int max_psk_len));
void SSL_set_psk_server_callback(SSL *ssl,
- unsigned int (*callback)(SSL *ssl, const char *identity,
- unsigned char *psk, int max_psk_len));
+ unsigned int (*callback)(SSL *ssl, const char *identity,
+ unsigned char *psk, int max_psk_len));
=head1 DESCRIPTION
diff --git a/doc/ssl/SSL_CTX_use_serverinfo.pod b/doc/ssl/SSL_CTX_use_serverinfo.pod
index bafb1a8302..6b1cdf14cd 100644
--- a/doc/ssl/SSL_CTX_use_serverinfo.pod
+++ b/doc/ssl/SSL_CTX_use_serverinfo.pod
@@ -20,8 +20,8 @@ A "serverinfo" extension is returned in response to an empty ClientHello
Extension.
SSL_CTX_use_serverinfo() loads one or more serverinfo extensions from
-a byte array into B<ctx>. The extensions must be concatenated into a
-sequence of bytes. Each extension must consist of a 2-byte Extension Type,
+a byte array into B<ctx>. The extensions must be concatenated into a
+sequence of bytes. Each extension must consist of a 2-byte Extension Type,
a 2-byte length, and then length bytes of extension_data.
SSL_CTX_use_serverinfo_file() loads one or more serverinfo extensions from
@@ -38,19 +38,12 @@ use the serverinfo extension for multiple certificates,
SSL_CTX_use_serverinfo() needs to be called multiple times, once B<after>
each time a certificate is loaded.
-=head1 NOTES
-
=head1 RETURN VALUES
On success, the functions return 1.
On failure, the functions return 0. Check out the error stack to find out
the reason.
-=head1 SEE ALSO
-
-=head1 HISTORY
-
-
=cut
=head1 COPYRIGHT
diff --git a/doc/ssl/SSL_SESSION_get_time.pod b/doc/ssl/SSL_SESSION_get_time.pod
index 911b7e6053..c032856424 100644
--- a/doc/ssl/SSL_SESSION_get_time.pod
+++ b/doc/ssl/SSL_SESSION_get_time.pod
@@ -52,7 +52,7 @@ valid values.
SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success.
-If any of the function is passed the NULL pointer for the session B<s>,
+If any of the function is passed the NULL pointer for the session B<s>,
0 is returned.
=head1 SEE ALSO
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod
index b3563e4c4b..88d6e8f318 100644
--- a/doc/ssl/SSL_accept.pod
+++ b/doc/ssl/SSL_accept.pod
@@ -18,7 +18,7 @@ B<ssl> by setting an underlying B<BIO>.
=head1 NOTES
-The behaviour of SSL_accept() depends on the underlying BIO.
+The behaviour of SSL_accept() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_accept() will only return once the
handshake has been finished or an error occurred.
diff --git a/doc/ssl/SSL_alert_type_string.pod b/doc/ssl/SSL_alert_type_string.pod
index d889ddab05..2711c9cfa5 100644
--- a/doc/ssl/SSL_alert_type_string.pod
+++ b/doc/ssl/SSL_alert_type_string.pod
@@ -217,7 +217,7 @@ point. This message is always a warning.
=item "UP"/"unknown PSK identity"
Sent by the server to indicate that it does not recognize a PSK
-identity or an SRP identity.
+identity or an SRP identity.
=item "UK"/"unknown"
diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod
index 34ee086793..7c69e5df0a 100644
--- a/doc/ssl/SSL_connect.pod
+++ b/doc/ssl/SSL_connect.pod
@@ -18,7 +18,7 @@ underlying B<BIO>.
=head1 NOTES
-The behaviour of SSL_connect() depends on the underlying BIO.
+The behaviour of SSL_connect() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_connect() will only return once the
handshake has been finished or an error occurred.
diff --git a/doc/ssl/SSL_get_client_CA_list.pod b/doc/ssl/SSL_get_client_CA_list.pod
index be79112b7c..2cf5b7d7aa 100644
--- a/doc/ssl/SSL_get_client_CA_list.pod
+++ b/doc/ssl/SSL_get_client_CA_list.pod
@@ -9,7 +9,7 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs
#include <openssl/ssl.h>
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
- STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
+ STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
=head1 DESCRIPTION
diff --git a/doc/ssl/SSL_get_current_cipher.pod b/doc/ssl/SSL_get_current_cipher.pod
index 46d38d0c11..66918b4071 100644
--- a/doc/ssl/SSL_get_current_cipher.pod
+++ b/doc/ssl/SSL_get_current_cipher.pod
@@ -27,7 +27,7 @@ the B<ssl> object.
SSL_get_cipher() and SSL_get_cipher_name() are identical macros to obtain the
name of the currently used cipher. SSL_get_cipher_bits() is a
-macro to obtain the number of secret/algorithm bits used and
+macro to obtain the number of secret/algorithm bits used and
SSL_get_cipher_version() returns the protocol name.
See L<SSL_CIPHER_get_name(3)> for more details.
diff --git a/doc/ssl/SSL_get_psk_identity.pod b/doc/ssl/SSL_get_psk_identity.pod
index e75e38cc86..c54f42978d 100644
--- a/doc/ssl/SSL_get_psk_identity.pod
+++ b/doc/ssl/SSL_get_psk_identity.pod
@@ -4,7 +4,6 @@
SSL_get_psk_identity, SSL_get_psk_identity_hint - get PSK client identity and hint
-
=head1 SYNOPSIS
#include <openssl/ssl.h>
diff --git a/doc/ssl/SSL_library_init.pod b/doc/ssl/SSL_library_init.pod
index 0235e724bb..f838b7aff3 100644
--- a/doc/ssl/SSL_library_init.pod
+++ b/doc/ssl/SSL_library_init.pod
@@ -21,7 +21,7 @@ OpenSSL_add_ssl_algorithms() is a synonym for SSL_library_init().
=head1 NOTES
SSL_library_init() must be called before any other action takes place.
-SSL_library_init() is not reentrant.
+SSL_library_init() is not reentrant.
=head1 WARNING
diff --git a/doc/ssl/SSL_load_client_CA_file.pod b/doc/ssl/SSL_load_client_CA_file.pod
index 86b14b41ee..0db6cf10a1 100644
--- a/doc/ssl/SSL_load_client_CA_file.pod
+++ b/doc/ssl/SSL_load_client_CA_file.pod
@@ -30,7 +30,7 @@ Load names of CAs from file and use it as a client CA list:
SSL_CTX *ctx;
STACK_OF(X509_NAME) *cert_names;
- ...
+ ...
cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
if (cert_names != NULL)
SSL_CTX_set_client_CA_list(ctx, cert_names);
diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod
index 95b8c22ab3..18efc7659c 100644
--- a/doc/ssl/SSL_read.pod
+++ b/doc/ssl/SSL_read.pod
@@ -22,7 +22,7 @@ not already explicitly performed by L<SSL_connect(3)> or
L<SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_read() operation. The behaviour of SSL_read() depends on the
-underlying BIO.
+underlying BIO.
For the transparent negotiation to succeed, the B<ssl> must have been
initialized to client or server mode. This is being done by calling
@@ -47,7 +47,7 @@ record is complete and SSL_read() can succeed.
If the underlying BIO is B<blocking>, SSL_read() will only return, once the
read operation has been finished or an error occurred, except when a
-renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
L<SSL_CTX_set_mode(3)> call.
diff --git a/doc/ssl/SSL_set1_host.pod b/doc/ssl/SSL_set1_host.pod
index 47e2e66819..1483c4a750 100644
--- a/doc/ssl/SSL_set1_host.pod
+++ b/doc/ssl/SSL_set1_host.pod
@@ -2,8 +2,8 @@
=head1 NAME
- SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername -
- SSL server verification parameters
+SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername -
+SSL server verification parameters
=head1 SYNOPSIS
@@ -72,8 +72,6 @@ applicable (as with RFC7671 DANE-EE(3)), or no trusted peername was
matched. Otherwise, it returns the matched peername. To determine
whether verification succeeded call L<SSL_get_verify_result(3)>.
-=head1 NOTES
-
=head1 EXAMPLE
Suppose "smtp.example.com" is the MX host of the domain "example.com".
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
index 990a181748..b698d94d89 100644
--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@@ -12,7 +12,7 @@ SSL_shutdown - shut down a TLS/SSL connection
=head1 DESCRIPTION
-SSL_shutdown() shuts down an active TLS/SSL connection. It sends the
+SSL_shutdown() shuts down an active TLS/SSL connection. It sends the
"close notify" shutdown alert to the peer.
=head1 NOTES
@@ -62,7 +62,7 @@ It is therefore recommended, to check the return value of SSL_shutdown()
and call SSL_shutdown() again, if the bidirectional shutdown is not yet
complete (return value of the first call is 0).
-The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
+The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
handshake step has been finished or an error occurred.
diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod
index 42afbd51b0..838ae3f052 100644
--- a/doc/ssl/SSL_write.pod
+++ b/doc/ssl/SSL_write.pod
@@ -22,7 +22,7 @@ not already explicitly performed by L<SSL_connect(3)> or
L<SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_write() operation. The behaviour of SSL_write() depends on the
-underlying BIO.
+underlying BIO.
For the transparent negotiation to succeed, the B<ssl> must have been
initialized to client or server mode. This is being done by calling
@@ -31,7 +31,7 @@ before the first call to an L<SSL_read(3)> or SSL_write() function.
If the underlying BIO is B<blocking>, SSL_write() will only return, once the
write operation has been finished or an error occurred, except when a
-renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
+renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
L<SSL_CTX_set_mode(3)> call.
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 863c360377..fbda108842 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -1,12 +1,9 @@
-
=pod
=head1 NAME
SSL - OpenSSL SSL/TLS library
-=head1 SYNOPSIS
-
=head1 DESCRIPTION
The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and