This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414

126 files changed, 0 insertions, 19883 deletions

diff --git a/src/lib/libssl/man/BIO_f_ssl.3 b/src/lib/libssl/man/BIO_f_ssl.3
deleted file mode 100644
index 3b74a3d6a4..0000000000
--- a/src/lib/libssl/man/BIO_f_ssl.3
+++ /dev/null
@@ -1,609 +0,0 @@
-.\" $OpenBSD: BIO_f_ssl.3,v 1.16 2024/01/13 18:37:51 tb Exp $
-.\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2009, 2014-2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 13 2024 $
-.Dt BIO_F_SSL 3
-.Os
-.Sh NAME
-.Nm BIO_f_ssl ,
-.Nm BIO_set_ssl ,
-.Nm BIO_get_ssl ,
-.Nm BIO_set_ssl_mode ,
-.Nm BIO_set_ssl_renegotiate_bytes ,
-.Nm BIO_get_num_renegotiates ,
-.Nm BIO_set_ssl_renegotiate_timeout ,
-.Nm BIO_new_ssl ,
-.Nm BIO_new_ssl_connect ,
-.Nm BIO_new_buffer_ssl_connect ,
-.Nm BIO_ssl_copy_session_id ,
-.Nm BIO_ssl_shutdown ,
-.Nm BIO_do_handshake
-.Nd SSL BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.In openssl/ssl.h
-.Ft const BIO_METHOD *
-.Fn BIO_f_ssl void
-.Ft long
-.Fo BIO_set_ssl
-.Fa "BIO *b"
-.Fa "SSL *ssl"
-.Fa "long c"
-.Fc
-.Ft long
-.Fo BIO_get_ssl
-.Fa "BIO *b"
-.Fa "SSL *sslp"
-.Fc
-.Ft long
-.Fo BIO_set_ssl_mode
-.Fa "BIO *b"
-.Fa "long client"
-.Fc
-.Ft long
-.Fo BIO_set_ssl_renegotiate_bytes
-.Fa "BIO *b"
-.Fa "long num"
-.Fc
-.Ft long
-.Fo BIO_set_ssl_renegotiate_timeout
-.Fa "BIO *b"
-.Fa "long seconds"
-.Fc
-.Ft long
-.Fo BIO_get_num_renegotiates
-.Fa "BIO *b"
-.Fc
-.Ft BIO *
-.Fn BIO_new_ssl "SSL_CTX *ctx" "int client"
-.Ft BIO *
-.Fn BIO_new_ssl_connect "SSL_CTX *ctx"
-.Ft BIO *
-.Fn BIO_new_buffer_ssl_connect "SSL_CTX *ctx"
-.Ft int
-.Fn BIO_ssl_copy_session_id "BIO *to" "BIO *from"
-.Ft void
-.Fn BIO_ssl_shutdown "BIO *bio"
-.Ft long
-.Fn BIO_do_handshake "BIO *b"
-.Sh DESCRIPTION
-.Fn BIO_f_ssl
-returns the
-.Vt SSL
-.Vt BIO
-method.
-This is a filter
-.Vt BIO
-which is a wrapper around the OpenSSL
-.Vt SSL
-routines adding a
-.Vt BIO
-.Dq flavor
-to SSL I/O.
-.Pp
-I/O performed on an
-.Vt SSL
-.Vt BIO
-communicates using the SSL protocol with
-the
-.Vt SSL Ns 's
-read and write
-.Vt BIO Ns s .
-If an SSL connection is not established then an attempt is made to establish
-one on the first I/O call.
-.Pp
-If a
-.Vt BIO
-is appended to an
-.Vt SSL
-.Vt BIO
-using
-.Xr BIO_push 3 ,
-it is automatically used as the
-.Vt SSL
-.Vt BIO Ns 's read and write
-.Vt BIO Ns s .
-.Pp
-Calling
-.Xr BIO_reset 3
-on an
-.Vt SSL
-.Vt BIO
-closes down any current SSL connection by calling
-.Xr SSL_shutdown 3 .
-.Xr BIO_reset 3
-is then sent to the next
-.Vt BIO
-in the chain; this will typically disconnect the underlying transport.
-The
-.Vt SSL
-.Vt BIO
-is then reset to the initial accept or connect state.
-.Pp
-If the close flag is set when an
-.Vt SSL
-.Vt BIO
-is freed then the internal
-.Vt SSL
-structure is also freed using
-.Xr SSL_free 3 .
-.Pp
-.Fn BIO_set_ssl
-sets the internal
-.Vt SSL
-pointer of
-.Vt BIO
-.Fa b
-to
-.Fa ssl
-using
-the close flag
-.Fa c .
-.Pp
-.Fn BIO_get_ssl
-retrieves the
-.Vt SSL
-pointer of
-.Vt BIO
-.Fa b ;
-it can then be manipulated using the standard SSL library functions.
-.Pp
-.Fn BIO_set_ssl_mode
-sets the
-.Vt SSL
-.Vt BIO
-mode to
-.Fa client .
-If
-.Fa client
-is 1, client mode is set.
-If
-.Fa client
-is 0, server mode is set.
-.Pp
-.Fn BIO_set_ssl_renegotiate_bytes
-sets the renegotiate byte count to
-.Fa num .
-When set, after every
-.Fa num
-bytes of I/O (read and write) the SSL session is automatically renegotiated.
-.Fa num
-must be at least 512 bytes.
-.Pp
-.Fn BIO_set_ssl_renegotiate_timeout
-sets the renegotiate timeout to
-.Fa seconds .
-When the renegotiate timeout elapses, the session is automatically renegotiated.
-.Pp
-.Fn BIO_get_num_renegotiates
-returns the total number of session renegotiations due to I/O or timeout.
-.Pp
-.Fn BIO_new_ssl
-allocates an
-.Vt SSL
-.Vt BIO
-using
-.Vt SSL_CTX
-.Va ctx
-and using client mode if
-.Fa client
-is nonzero.
-.Pp
-.Fn BIO_new_ssl_connect
-creates a new
-.Vt BIO
-chain consisting of an
-.Vt SSL
-.Vt BIO
-(using
-.Fa ctx )
-followed by a connect BIO.
-.Pp
-.Fn BIO_new_buffer_ssl_connect
-creates a new
-.Vt BIO
-chain consisting of a buffering
-.Vt BIO ,
-an
-.Vt SSL
-.Vt BIO
-(using
-.Fa ctx )
-and a connect
-.Vt BIO .
-.Pp
-.Fn BIO_ssl_copy_session_id
-copies an SSL session id between
-.Vt BIO
-chains
-.Fa from
-and
-.Fa to .
-It does this by locating the
-.Vt SSL
-.Vt BIO Ns s
-in each chain and calling
-.Xr SSL_copy_session_id 3
-on the internal
-.Vt SSL
-pointer.
-.Pp
-.Fn BIO_ssl_shutdown
-closes down an SSL connection on
-.Vt BIO
-chain
-.Fa bio .
-It does this by locating the
-.Vt SSL
-.Vt BIO
-in the
-chain and calling
-.Xr SSL_shutdown 3
-on its internal
-.Vt SSL
-pointer.
-.Pp
-.Fn BIO_do_handshake
-attempts to complete an SSL handshake on the supplied
-.Vt BIO
-and establish the SSL connection.
-It returns 1 if the connection was established successfully.
-A zero or negative value is returned if the connection could not be
-established; the call
-.Xr BIO_should_retry 3
-should be used for non blocking connect
-.Vt BIO Ns s
-to determine if the call should be retried.
-If an SSL connection has already been established, this call has no effect.
-.Pp
-When a chain containing an SSL BIO is copied with
-.Xr BIO_dup_chain 3 ,
-.Xr SSL_dup 3
-is called internally to copy the
-.Vt SSL
-object from the existing BIO object to the new BIO object,
-and the internal data related to
-.Fn BIO_set_ssl_renegotiate_bytes
-and
-.Fn BIO_set_ssl_renegotiate_timeout
-is also copied.
-.Pp
-.Vt SSL
-.Vt BIO Ns s
-are exceptional in that if the underlying transport is non-blocking they can
-still request a retry in exceptional circumstances.
-Specifically this will happen if a session renegotiation takes place during a
-.Xr BIO_read 3
-operation.
-One case where this happens is when step up occurs.
-.Pp
-In OpenSSL 0.9.6 and later the SSL flag
-.Dv SSL_AUTO_RETRY
-can be set to disable this behaviour.
-In other words, when this flag is set an
-.Vt SSL
-.Vt BIO
-using a blocking transport will never request a retry.
-.Pp
-Since unknown
-.Xr BIO_ctrl 3
-operations are sent through filter
-.Vt BIO Ns s ,
-the server name and port can be set using
-.Xr BIO_set_conn_hostname 3
-and
-.Xr BIO_set_conn_port 3
-on the
-.Vt BIO
-returned by
-.Fn BIO_new_ssl_connect
-without having to locate the connect
-.Vt BIO
-first.
-.Pp
-Applications do not have to call
-.Fn BIO_do_handshake
-but may wish to do so to separate the handshake process from other I/O
-processing.
-.Pp
-.Fn BIO_set_ssl ,
-.Fn BIO_get_ssl ,
-.Fn BIO_set_ssl_mode ,
-.Fn BIO_set_ssl_renegotiate_bytes ,
-.Fn BIO_set_ssl_renegotiate_timeout ,
-.Fn BIO_get_num_renegotiates ,
-and
-.Fn BIO_do_handshake
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn BIO_f_ssl
-returns a pointer to a static
-.Vt BIO_METHOD
-structure.
-.Pp
-When called on an SSL BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_SSL
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq ssl .
-.Pp
-.Fn BIO_set_ssl ,
-.Fn BIO_get_ssl ,
-.Fn BIO_set_ssl_mode ,
-.Fn BIO_set_ssl_renegotiate_bytes ,
-.Fn BIO_set_ssl_renegotiate_timeout ,
-and
-.Fn BIO_get_num_renegotiates
-return 1 on success or a value less than or equal to 0
-if an error occurred.
-.Pp
-.Fn BIO_new_ssl ,
-.Fn BIO_new_ssl_connect ,
-and
-.Fn BIO_new_buffer_ssl_connect
-returns a pointer to a newly allocated
-.Vt BIO
-chain or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn BIO_ssl_copy_session_id
-returns 1 on success or 0 on error.
-.Pp
-.Fn BIO_do_handshake
-returns 1 if the connection was established successfully
-or a value less than or equal to 0 otherwise.
-.Sh EXAMPLES
-This SSL/TLS client example attempts to retrieve a page from an SSL/TLS web
-server.
-The I/O routines are identical to those of the unencrypted example in
-.Xr BIO_s_connect 3 .
-.Bd -literal
-BIO *sbio, *out;
-int len;
-char tmpbuf[1024];
-SSL_CTX *ctx;
-SSL *ssl;
-
-ERR_load_crypto_strings();
-ERR_load_SSL_strings();
-OpenSSL_add_all_algorithms();
-
-/*
- * We would seed the PRNG here if the platform didn't do it automatically
- */
-
-ctx = SSL_CTX_new(SSLv23_client_method());
-
-/*
- * We'd normally set some stuff like the verify paths and mode here because
- * as things stand this will connect to any server whose certificate is
- * signed by any CA.
- */
-
-sbio = BIO_new_ssl_connect(ctx);
-
-BIO_get_ssl(sbio, &ssl);
-
-if (!ssl) {
-        fprintf(stderr, "Can't locate SSL pointer\en");
-        /* whatever ... */
-}
-
-/* Don't want any retries */
-SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-
-/* We might want to do other things with ssl here */
-
-BIO_set_conn_hostname(sbio, "localhost:https");
-
-out = BIO_new_fp(stdout, BIO_NOCLOSE);
-if (BIO_do_connect(sbio) <= 0) {
-        fprintf(stderr, "Error connecting to server\en");
-        ERR_print_errors_fp(stderr);
-        /* whatever ... */
-}
-
-if (BIO_do_handshake(sbio) <= 0) {
-        fprintf(stderr, "Error establishing SSL connection\en");
-        ERR_print_errors_fp(stderr);
-        /* whatever ... */
-}
-
-/* Could examine ssl here to get connection info */
-
-BIO_puts(sbio, "GET / HTTP/1.0\en\en");
-for (;;) {
-        len = BIO_read(sbio, tmpbuf, 1024);
-        if(len <= 0) break;
-        BIO_write(out, tmpbuf, len);
-}
-BIO_free_all(sbio);
-BIO_free(out);
-.Ed
-.Pp
-Here is a simple server example.
-It makes use of a buffering
-.Vt BIO
-to allow lines to be read from the
-.Vt SSL
-.Vt BIO
-using
-.Xr BIO_gets 3 .
-It creates a pseudo web page containing the actual request from a client and
-also echoes the request to standard output.
-.Bd -literal
-BIO *sbio, *bbio, *acpt, *out;
-int len;
-char tmpbuf[1024];
-SSL_CTX *ctx;
-SSL *ssl;
-
-ctx = SSL_CTX_new(SSLv23_server_method());
-
-if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
-    || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
-    || !SSL_CTX_check_private_key(ctx)) {
-        fprintf(stderr, "Error setting up SSL_CTX\en");
-        ERR_print_errors_fp(stderr);
-        return 0;
-}
-
-/*
- * Might do other things here like setting verify locations and DH and/or
- * RSA temporary key callbacks
- */
-
-/* New SSL BIO setup as server */
-sbio = BIO_new_ssl(ctx,0);
-
-BIO_get_ssl(sbio, &ssl);
-
-if (!ssl) {
-        fprintf(stderr, "Can't locate SSL pointer\en");
-        /* whatever ... */
-}
-
-/* Don't want any retries */
-SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-
-/* Create the buffering BIO */
-
-bbio = BIO_new(BIO_f_buffer());
-
-/* Add to chain */
-sbio = BIO_push(bbio, sbio);
-
-acpt = BIO_new_accept("4433");
-
-/*
- * By doing this when a new connection is established we automatically
- * have sbio inserted into it. The BIO chain is now 'swallowed' by the
- * accept BIO and will be freed when the accept BIO is freed.
- */
-
-BIO_set_accept_bios(acpt,sbio);
-
-out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
-/* Wait for incoming connection */
-if (BIO_do_accept(acpt) <= 0) {
-        fprintf(stderr, "Error setting up accept BIO\en");
-        ERR_print_errors_fp(stderr);
-        return 0;
-}
-
-/* We only want one connection so remove and free accept BIO */
-
-sbio = BIO_pop(acpt);
-
-BIO_free_all(acpt);
-
-if (BIO_do_handshake(sbio) <= 0) {
-        fprintf(stderr, "Error in SSL handshake\en");
-        ERR_print_errors_fp(stderr);
-        return 0;
-}
-
-BIO_puts(sbio, "HTTP/1.0 200 OK\er\enContent-type: text/plain\er\en\er\en");
-BIO_puts(sbio, "\er\enConnection Established\er\enRequest headers:\er\en");
-BIO_puts(sbio, "--------------------------------------------------\er\en");
-
-for (;;) {
-        len = BIO_gets(sbio, tmpbuf, 1024);
-        if (len <= 0)
-                break;
-        BIO_write(sbio, tmpbuf, len);
-        BIO_write(out, tmpbuf, len);
-        /* Look for blank line signifying end of headers */
-        if ((tmpbuf[0] == '\er') || (tmpbuf[0] == '\en'))
-                break;
-}
-
-BIO_puts(sbio, "--------------------------------------------------\er\en");
-BIO_puts(sbio, "\er\en");
-
-/* Since there is a buffering BIO present we had better flush it */
-BIO_flush(sbio);
-
-BIO_free_all(sbio);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn BIO_f_ssl ,
-.Fn BIO_set_ssl ,
-and
-.Fn BIO_get_ssl
-first appeared in SSLeay 0.6.0.
-.Fn BIO_set_ssl_mode ,
-.Fn BIO_new_ssl ,
-and
-.Fn BIO_ssl_copy_session_id
-first appeared in SSLeay 0.8.0.
-.Fn BIO_ssl_shutdown
-and
-.Fn BIO_do_handshake
-first appeared in SSLeay 0.8.1.
-.Fn BIO_set_ssl_renegotiate_bytes ,
-.Fn BIO_get_num_renegotiates ,
-.Fn BIO_set_ssl_renegotiate_timeout ,
-.Fn BIO_new_ssl_connect ,
-and
-.Fn BIO_new_buffer_ssl_connect
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/DTLSv1_listen.3 b/src/lib/libssl/man/DTLSv1_listen.3
deleted file mode 100644
index 047ec0a7ff..0000000000
--- a/src/lib/libssl/man/DTLSv1_listen.3
+++ /dev/null
@@ -1,187 +0,0 @@
-.\"     $OpenBSD: DTLSv1_listen.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL 7795475f Dec 18 13:18:31 2015 -0500
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt DTLSV1_LISTEN 3
-.Os
-.Sh NAME
-.Nm DTLSv1_listen
-.Nd listen for incoming DTLS connections
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo DTLSv1_listen
-.Fa "SSL *ssl"
-.Fa "struct sockaddr *peer"
-.Fc
-.Sh DESCRIPTION
-.Fn DTLSv1_listen
-listens for new incoming DTLS connections.
-If a ClientHello is received that does not contain a cookie, then
-.Fn DTLSv1_listen
-responds with a HelloVerifyRequest.
-If a ClientHello is received with a cookie that is verified, then
-control is returned to user code to enable the handshake to be
-completed (for example by using
-.Xr SSL_accept 3 ) .
-.Pp
-.Fn DTLSv1_listen
-is currently implemented as a macro.
-.Pp
-Datagram based protocols can be susceptible to Denial of Service
-attacks.
-A DTLS attacker could, for example, submit a series of handshake
-initiation requests that cause the server to allocate state (and
-possibly perform cryptographic operations) thus consuming server
-resources.
-The attacker could also (with UDP) quite simply forge the source IP
-address in such an attack.
-.Pp
-As a counter measure to that DTLS includes a stateless cookie mechanism.
-The idea is that when a client attempts to connect to a server it sends
-a ClientHello message.
-The server responds with a HelloVerifyRequest which contains a unique
-cookie.
-The client then resends the ClientHello, but this time includes the
-cookie in the message thus proving that the client is capable of
-receiving messages sent to that address.
-All of this can be done by the server without allocating any state, and
-thus without consuming expensive resources.
-.Pp
-OpenSSL implements this capability via the
-.Fn DTLSv1_listen
-function.
-The
-.Fa ssl
-parameter should be a newly allocated
-.Vt SSL
-object with its read and write BIOs set, in the same way as might
-be done for a call to
-.Xr SSL_accept 3 .
-Typically the read BIO will be in an "unconnected" state and thus
-capable of receiving messages from any peer.
-.Pp
-When a ClientHello is received that contains a cookie that has been
-verified, then
-.Fn DTLSv1_listen
-will return with the
-.Fa ssl
-parameter updated into a state where the handshake can be continued by a
-call to (for example)
-.Xr SSL_accept 3 .
-Additionally the
-.Vt struct sockaddr
-pointed to by
-.Fa peer
-will be filled in with details of the peer that sent the ClientHello.
-It is the calling code's responsibility to ensure that the
-.Fa peer
-location is sufficiently large to accommodate the addressing scheme in use.
-For example this might be done by allocating space for a
-.Vt struct sockaddr_storage
-and casting the pointer to it to a
-.Vt struct sockaddr *
-for the call to
-.Fn DTLSv1_listen .
-Typically user code is expected to "connect" the underlying socket
-to the peer and continue the handshake in a connected state.
-.Pp
-Prior to calling
-.Fn DTLSv1_listen
-user code must ensure that cookie generation and verification callbacks
-have been set up using
-.Fn SSL_CTX_set_cookie_generate_cb
-and
-.Fn SSL_CTX_set_cookie_verify_cb
-respectively.
-.Pp
-Since
-.Fn DTLSv1_listen
-operates entirely statelessly whilst processing incoming ClientHellos,
-it is unable to process fragmented messages (since this would require
-the allocation of state).
-An implication of this is that
-.Fn DTLSv1_listen
-only supports ClientHellos that fit inside a single datagram.
-.Sh RETURN VALUES
-From OpenSSL 1.1.0 a return value of >= 1 indicates success.
-In this instance the
-.Fa peer
-value will be filled in and the
-.Fa ssl
-object set up ready to continue the handshake.
-.Pp
-A return value of 0 indicates a non-fatal error.
-This could (for example) be because of non-blocking IO, or some invalid
-message having been received from a peer.
-Errors may be placed on the OpenSSL error queue with further information
-if appropriate.
-Typically user code is expected to retry the call to
-.Fn DTLSv1_listen
-in the event of a non-fatal error.
-Any old errors on the error queue will be cleared in the subsequent
-call.
-.Pp
-A return value of <0 indicates a fatal error.
-This could (for example) be because of a failure to allocate sufficient
-memory for the operation.
-.Pp
-Prior to OpenSSL 1.1.0 fatal and non-fatal errors both produce return
-codes <= 0 (in typical implementations user code treats all errors as
-non-fatal), whilst return codes >0 indicate success.
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_get_error 3
-.Sh HISTORY
-.Fn DTLSv1_listen
-first appeared in OpenSSL 0.9.8m and has been available since
-.Ox 4.9 .
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
deleted file mode 100644
index c8f6e28541..0000000000
--- a/src/lib/libssl/man/Makefile
+++ /dev/null
@@ -1,134 +0,0 @@
-# $OpenBSD: Makefile,v 1.77 2022/07/13 20:52:36 schwarze Exp $
-
-.include <bsd.own.mk>
-
-MAN =   BIO_f_ssl.3 \
-        DTLSv1_listen.3 \
-        OPENSSL_init_ssl.3 \
-        PEM_read_SSL_SESSION.3 \
-        SSL_CIPHER_get_name.3 \
-        SSL_COMP_add_compression_method.3 \
-        SSL_CTX_add1_chain_cert.3 \
-        SSL_CTX_add_extra_chain_cert.3 \
-        SSL_CTX_add_session.3 \
-        SSL_CTX_ctrl.3 \
-        SSL_CTX_flush_sessions.3 \
-        SSL_CTX_free.3 \
-        SSL_CTX_get0_certificate.3 \
-        SSL_CTX_get_ex_new_index.3 \
-        SSL_CTX_get_verify_mode.3 \
-        SSL_CTX_load_verify_locations.3 \
-        SSL_CTX_new.3 \
-        SSL_CTX_sess_number.3 \
-        SSL_CTX_sess_set_cache_size.3 \
-        SSL_CTX_sess_set_get_cb.3 \
-        SSL_CTX_sessions.3 \
-        SSL_CTX_set1_groups.3 \
-        SSL_CTX_set_alpn_select_cb.3 \
-        SSL_CTX_set_cert_store.3 \
-        SSL_CTX_set_cert_verify_callback.3 \
-        SSL_CTX_set_cipher_list.3 \
-        SSL_CTX_set_client_CA_list.3 \
-        SSL_CTX_set_client_cert_cb.3 \
-        SSL_CTX_set_default_passwd_cb.3 \
-        SSL_CTX_set_generate_session_id.3 \
-        SSL_CTX_set_info_callback.3 \
-        SSL_CTX_set_keylog_callback.3 \
-        SSL_CTX_set_max_cert_list.3 \
-        SSL_CTX_set_min_proto_version.3 \
-        SSL_CTX_set_mode.3 \
-        SSL_CTX_set_msg_callback.3 \
-        SSL_CTX_set_options.3 \
-        SSL_CTX_set_quiet_shutdown.3 \
-        SSL_CTX_set_read_ahead.3 \
-        SSL_CTX_set_security_level.3 \
-        SSL_CTX_set_session_cache_mode.3 \
-        SSL_CTX_set_session_id_context.3 \
-        SSL_CTX_set_ssl_version.3 \
-        SSL_CTX_set_timeout.3 \
-        SSL_CTX_set_tlsext_servername_callback.3 \
-        SSL_CTX_set_tlsext_status_cb.3 \
-        SSL_CTX_set_tlsext_ticket_key_cb.3 \
-        SSL_CTX_set_tlsext_use_srtp.3 \
-        SSL_CTX_set_tmp_dh_callback.3 \
-        SSL_CTX_set_tmp_rsa_callback.3 \
-        SSL_CTX_set_verify.3 \
-        SSL_CTX_use_certificate.3 \
-        SSL_SESSION_free.3 \
-        SSL_SESSION_get0_cipher.3 \
-        SSL_SESSION_get0_peer.3 \
-        SSL_SESSION_get_compress_id.3 \
-        SSL_SESSION_get_ex_new_index.3 \
-        SSL_SESSION_get_id.3 \
-        SSL_SESSION_get_protocol_version.3 \
-        SSL_SESSION_get_time.3 \
-        SSL_SESSION_has_ticket.3 \
-        SSL_SESSION_is_resumable.3 \
-        SSL_SESSION_new.3 \
-        SSL_SESSION_print.3 \
-        SSL_SESSION_set1_id_context.3 \
-        SSL_accept.3 \
-        SSL_alert_type_string.3 \
-        SSL_clear.3 \
-        SSL_connect.3 \
-        SSL_copy_session_id.3 \
-        SSL_do_handshake.3 \
-        SSL_dup.3 \
-        SSL_dup_CA_list.3 \
-        SSL_export_keying_material.3 \
-        SSL_free.3 \
-        SSL_get_SSL_CTX.3 \
-        SSL_get_certificate.3 \
-        SSL_get_ciphers.3 \
-        SSL_get_client_CA_list.3 \
-        SSL_get_client_random.3 \
-        SSL_get_current_cipher.3 \
-        SSL_get_default_timeout.3 \
-        SSL_get_error.3 \
-        SSL_get_ex_data_X509_STORE_CTX_idx.3 \
-        SSL_get_ex_new_index.3 \
-        SSL_get_fd.3 \
-        SSL_get_finished.3 \
-        SSL_get_peer_cert_chain.3 \
-        SSL_get_peer_certificate.3 \
-        SSL_get_rbio.3 \
-        SSL_get_server_tmp_key.3 \
-        SSL_get_session.3 \
-        SSL_get_shared_ciphers.3 \
-        SSL_get_state.3 \
-        SSL_get_verify_result.3 \
-        SSL_get_version.3 \
-        SSL_library_init.3 \
-        SSL_load_client_CA_file.3 \
-        SSL_new.3 \
-        SSL_num_renegotiations.3 \
-        SSL_pending.3 \
-        SSL_read.3 \
-        SSL_read_early_data.3 \
-        SSL_renegotiate.3 \
-        SSL_rstate_string.3 \
-        SSL_session_reused.3 \
-        SSL_set1_host.3 \
-        SSL_set1_param.3 \
-        SSL_set_SSL_CTX.3 \
-        SSL_set_bio.3 \
-        SSL_set_connect_state.3 \
-        SSL_set_fd.3 \
-        SSL_set_max_send_fragment.3 \
-        SSL_set_psk_use_session_callback.3 \
-        SSL_set_session.3 \
-        SSL_set_shutdown.3 \
-        SSL_set_tmp_ecdh.3 \
-        SSL_set_verify_result.3 \
-        SSL_shutdown.3 \
-        SSL_state_string.3 \
-        SSL_want.3 \
-        SSL_write.3 \
-        d2i_SSL_SESSION.3 \
-        ssl.3
-
-all clean cleandir depend includes obj tags:
-
-install: maninstall
-
-.include <bsd.man.mk>
diff --git a/src/lib/libssl/man/OPENSSL_init_ssl.3 b/src/lib/libssl/man/OPENSSL_init_ssl.3
deleted file mode 100644
index f37dccfaac..0000000000
--- a/src/lib/libssl/man/OPENSSL_init_ssl.3
+++ /dev/null
@@ -1,76 +0,0 @@
-.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 14 2019 $
-.Dt OPENSSL_INIT_SSL 3
-.Os
-.Sh NAME
-.Nm OPENSSL_init_ssl
-.Nd initialise the crypto and ssl libraries
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo OPENSSL_init_ssl
-.Fa "uint64_t options"
-.Fa "const void *dummy"
-.Fc
-.Sh DESCRIPTION
-This function is deprecated.
-It is never useful for any application program to call it explicitly.
-The library automatically calls it internally with an
-.Fa options
-argument of 0 whenever needed.
-It is safest to assume that any function may do so.
-.Pp
-To enable or disable the standard configuration file, instead use
-.Xr OPENSSL_config 3
-or
-.Xr OPENSSL_no_config 3 ,
-respectively.
-To load a non-standard configuration file, refer to
-.Xr CONF_modules_load_file 3 .
-.Pp
-.Fn OPENSSL_init_ssl
-calls
-.Xr OPENSSL_init_crypto 3 ,
-.Xr SSL_load_error_strings 3 ,
-and
-.Xr SSL_library_init 3 .
-.Pp
-The
-.Fa options
-argument is passed on to
-.Xr OPENSSL_init_crypto 3
-and the
-.Fa dummy
-argument is ignored.
-.Pp
-If this function is called more than once,
-none of the calls except the first one have any effect.
-.Sh RETURN VALUES
-.Fn OPENSSL_init_ssl
-is intended to return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn OPENSSL_init_ssl
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Sh BUGS
-.Fn OPENSSL_init_ssl
-silently ignores even more configuration failures than
-.Xr OPENSSL_init_crypto 3 .
diff --git a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
deleted file mode 100644
index 3eb1414c62..0000000000
--- a/src/lib/libssl/man/PEM_read_SSL_SESSION.3
+++ /dev/null
@@ -1,147 +0,0 @@
-.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt PEM_READ_SSL_SESSION 3
-.Os
-.Sh NAME
-.Nm PEM_read_SSL_SESSION ,
-.Nm PEM_read_bio_SSL_SESSION ,
-.Nm PEM_write_SSL_SESSION ,
-.Nm PEM_write_bio_SSL_SESSION
-.Nd encode and decode SSL session objects in PEM format
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_SESSION *
-.Fo PEM_read_SSL_SESSION
-.Fa "FILE *fp"
-.Fa "SSL_SESSION **a"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft SSL_SESSION *
-.Fo PEM_read_bio_SSL_SESSION
-.Fa "BIO *bp"
-.Fa "SSL_SESSION **a"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft int
-.Fo PEM_write_SSL_SESSION
-.Fa "FILE *fp"
-.Fa "const SSL_SESSION *a"
-.Fc
-.Ft int
-.Fo PEM_write_bio_SSL_SESSION
-.Fa "BIO *bp"
-.Fa "const SSL_SESSION *a"
-.Fc
-.Sh DESCRIPTION
-These routines convert between local instances of ASN.1
-.Vt SSL_SESSION
-objects and the PEM encoding.
-.Pp
-.Fn PEM_read_SSL_SESSION
-reads a PEM-encoded
-.Vt SSL_SESSION
-object from the file
-.Fa fp
-and returns it.
-The
-.Fa cb
-and
-.Fa u
-parameters are as described in
-.Xr PEM_read_bio_PrivateKey 3 .
-.Pp
-.Fn PEM_read_bio_SSL_SESSION
-is similar to
-.Fn PEM_read_SSL_SESSION
-but reads from the BIO
-.Fa bp .
-.Pp
-.Fn PEM_write_SSL_SESSION
-writes the PEM encoding of the object
-.Fa a
-to the file
-.Fa fp .
-.Pp
-.Fn PEM_write_bio_SSL_SESSION
-similarly writes to the BIO
-.Fa bp .
-.Sh RETURN VALUES
-.Fn PEM_read_SSL_SESSION
-and
-.Fn PEM_read_bio_SSL_SESSION
-return a pointer to an allocated object, which should be released by
-calling
-.Xr SSL_SESSION_free 3 ,
-or
-.Dv NULL
-on error.
-.Pp
-.Fn PEM_write_SSL_SESSION
-and
-.Fn PEM_write_bio_SSL_SESSION
-return the number of bytes written or 0 on error.
-.Sh SEE ALSO
-.Xr PEM_read 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn PEM_read_SSL_SESSION
-and
-.Fn PEM_write_SSL_SESSION
-first appeared in SSLeay 0.5.2.
-.Fn PEM_read_bio_SSL_SESSION
-and
-.Fn PEM_write_bio_SSL_SESSION
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CIPHER_get_name.3 b/src/lib/libssl/man/SSL_CIPHER_get_name.3
deleted file mode 100644
index 86c1d3c0ba..0000000000
--- a/src/lib/libssl/man/SSL_CIPHER_get_name.3
+++ /dev/null
@@ -1,398 +0,0 @@
-.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
-.\" Dr. Stephen Henson <steve@openssl.org>, Todd Short <tshort@akamai.com>,
-.\" and Paul Yang <yang.yang@baishancloud.com>.
-.\" Copyright (c) 2000, 2005, 2009, 2013, 2014, 2015, 2016, 2017
-.\" The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 16 2024 $
-.Dt SSL_CIPHER_GET_NAME 3
-.Os
-.Sh NAME
-.Nm SSL_CIPHER_get_name ,
-.Nm SSL_CIPHER_get_bits ,
-.Nm SSL_CIPHER_get_version ,
-.Nm SSL_CIPHER_get_cipher_nid ,
-.Nm SSL_CIPHER_get_digest_nid ,
-.Nm SSL_CIPHER_get_handshake_digest ,
-.Nm SSL_CIPHER_get_kx_nid ,
-.Nm SSL_CIPHER_get_auth_nid ,
-.Nm SSL_CIPHER_is_aead ,
-.Nm SSL_CIPHER_find ,
-.Nm SSL_CIPHER_get_id ,
-.Nm SSL_CIPHER_description
-.Nd get SSL_CIPHER properties
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_CIPHER_get_name "const SSL_CIPHER *cipher"
-.Ft int
-.Fn SSL_CIPHER_get_bits "const SSL_CIPHER *cipher" "int *alg_bits"
-.Ft const char *
-.Fn SSL_CIPHER_get_version "const SSL_CIPHER *cipher"
-.Ft int
-.Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher"
-.Ft int
-.Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher"
-.Ft "const EVP_MD *"
-.Fn SSL_CIPHER_get_handshake_digest "const SSL_CIPHER *cipher"
-.Ft int
-.Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher"
-.Ft int
-.Fn SSL_CIPHER_get_auth_nid "const SSL_CIPHER *cipher"
-.Ft int
-.Fn SSL_CIPHER_is_aead "const SSL_CIPHER *cipher"
-.Ft const SSL_CIPHER *
-.Fn SSL_CIPHER_find "SSL *ssl" "const unsigned char *ptr"
-.Ft unsigned long
-.Fn SSL_CIPHER_get_id "const SSL_CIPHER *cipher"
-.Ft char *
-.Fn SSL_CIPHER_description "const SSL_CIPHER *cipher" "char *buf" "int size"
-.Sh DESCRIPTION
-.Fn SSL_CIPHER_get_name
-returns a pointer to the name of
-.Fa cipher .
-.Pp
-.Fn SSL_CIPHER_get_bits
-returns the number of secret bits used for
-.Fa cipher .
-If
-.Fa alg_bits
-is not
-.Dv NULL ,
-the number of bits processed by the chosen algorithm is stored into it.
-.Pp
-.Fn SSL_CIPHER_get_version
-returns a string which indicates the SSL/TLS protocol version that first
-defined the cipher.
-This is currently
-.Qq TLSv1/SSLv3 .
-In some cases it should possibly return
-.Qq TLSv1.2
-but the function does not; use
-.Fn SSL_CIPHER_description
-instead.
-.Pp
-.Fn SSL_CIPHER_get_cipher_nid
-returns the cipher NID corresponding to the
-.Fa cipher .
-If there is no cipher (e.g. for cipher suites with no encryption), then
-.Dv NID_undef
-is returned.
-.Pp
-.Fn SSL_CIPHER_get_digest_nid
-returns the digest NID corresponding to the MAC used by the
-.Fa cipher
-during record encryption/decryption.
-If there is no digest (e.g. for AEAD cipher suites), then
-.Dv NID_undef
-is returned.
-.Pp
-.Fn SSL_CIPHER_get_handshake_digest
-returns the
-.Vt EVP_MD
-object representing the digest used during a TLS handshake with the cipher
-.Fa c ,
-which may be different to the digest used in the message authentication code
-for encrypted records.
-.Pp
-.Fn SSL_CIPHER_get_kx_nid
-returns the key exchange NID corresponding to the method used by the
-.Fa cipher .
-If there is no key exchange, then
-.Dv NID_undef
-is returned.
-Examples of possible return values include
-.Dv NID_kx_rsa ,
-.Dv NID_kx_dhe ,
-and
-.Dv NID_kx_ecdhe .
-.Pp
-.Fn SSL_CIPHER_get_auth_nid
-returns the authentication NID corresponding to the method used by the
-.Fa cipher .
-If there is no authentication,
-.Dv NID_undef
-is returned.
-Examples of possible return values include
-.Dv NID_auth_rsa
-and
-.Dv NID_auth_ecdsa .
-.Pp
-.Fn SSL_CIPHER_is_aead
-returns 1 if the
-.Fa cipher
-is AEAD (e.g. GCM or ChaCha20/Poly1305), or 0 if it is not AEAD.
-.Pp
-.Fn SSL_CIPHER_find
-returns a pointer to a
-.Vt SSL_CIPHER
-structure which has the cipher ID specified in
-.Fa ptr .
-The
-.Fa ptr
-parameter is an array of length two which stores the two-byte
-TLS cipher ID (as allocated by IANA) in network byte order.
-.Fa SSL_CIPHER_find
-returns
-.Dv NULL
-if an error occurs or the indicated cipher is not found.
-.Pp
-.Fn SSL_CIPHER_get_id
-returns the ID of the given
-.Fa cipher ,
-which must not be
-.Dv NULL .
-The ID here is an OpenSSL-specific concept, which stores a prefix
-of 0x0300 in the higher two bytes and the IANA-specified cipher
-suite ID in the lower two bytes.
-For instance, TLS_RSA_WITH_NULL_MD5 has IANA ID "0x00, 0x01", so
-.Fn SSL_CIPHER_get_id
-returns 0x03000001.
-.Pp
-.Fn SSL_CIPHER_description
-copies a textual description of
-.Fa cipher
-into the buffer
-.Fa buf ,
-which must be at least
-.Fa size
-bytes long.
-The
-.Fa cipher
-argument must not be a
-.Dv NULL
-pointer.
-If
-.Fa buf
-is
-.Dv NULL ,
-a buffer is allocated using
-.Xr asprintf 3 ;
-that buffer should be freed using the
-.Xr free 3
-function.
-If
-.Fa len
-is too small to hold the description, a pointer to the static string
-.Qq Buffer too small
-is returned.
-If memory allocation fails, which can happen even if a
-.Fa buf
-of sufficient size is provided, a pointer to the static string
-.Qq OPENSSL_malloc Error
-is returned and the content of
-.Fa buf
-remains unchanged.
-.Pp
-The string returned by
-.Fn SSL_CIPHER_description
-consists of several fields separated by whitespace:
-.Bl -tag -width Ds
-.It Aq Ar ciphername
-Textual representation of the cipher name.
-.It Aq Ar protocol version
-Protocol version:
-.Sy SSLv3 ,
-.Sy TLSv1.2 ,
-or
-.Sy TLSv1.3 .
-The TLSv1.0 ciphers are flagged with SSLv3.
-No new ciphers were added by TLSv1.1.
-.It Kx= Ns Aq Ar key exchange
-Key exchange method:
-.Sy DH ,
-.Sy ECDH ,
-.Sy GOST ,
-.Sy RSA ,
-or
-.Sy TLSv1.3 .
-.It Au= Ns Aq Ar authentication
-Authentication method:
-.Sy ECDSA ,
-.Sy GOST01 ,
-.Sy RSA ,
-.Sy TLSv1.3 ,
-or
-.Sy None .
-.Sy None
-is the representation of anonymous ciphers.
-.It Enc= Ns Aq Ar symmetric encryption method
-Encryption method with number of secret bits:
-.Sy 3DES(168) ,
-.Sy RC4(128) ,
-.Sy AES(128) ,
-.Sy AES(256) ,
-.Sy AESGCM(128) ,
-.Sy AESGCM(256) ,
-.Sy Camellia(128) ,
-.Sy Camellia(256) ,
-.Sy ChaCha20-Poly1305 ,
-.Sy GOST-28178-89-CNT ,
-or
-.Sy None .
-.It Mac= Ns Aq Ar message authentication code
-Message digest:
-.Sy MD5 ,
-.Sy SHA1 ,
-.Sy SHA256 ,
-.Sy SHA384 ,
-.Sy AEAD ,
-.Sy GOST94 ,
-.Sy GOST89IMIT ,
-or
-.Sy STREEBOG256 .
-.El
-.Sh RETURN VALUES
-.Fn SSL_CIPHER_get_name
-returns an internal pointer to a NUL-terminated string.
-.Fn SSL_CIPHER_get_version
-returns a pointer to a static NUL-terminated string.
-If
-.Fa cipher
-is a
-.Dv NULL
-pointer, both functions return a pointer to the static string
-.Qq Pq NONE .
-.Pp
-.Fn SSL_CIPHER_get_bits
-returns a positive integer representing the number of secret bits
-or 0 if
-.Fa cipher
-is a
-.Dv NULL
-pointer.
-.Pp
-.Fn SSL_CIPHER_get_cipher_nid ,
-.Fn SSL_CIPHER_get_digest_nid ,
-.Fn SSL_CIPHER_get_kx_nid ,
-and
-.Fn SSL_CIPHER_get_auth_nid
-return an NID constant or
-.Dv NID_undef
-if an error occurred.
-.Fn SSL_CIPHER_get_handshake_digest
-returns a valid
-.Vt EVP_MD
-object or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn SSL_CIPHER_is_aead
-returns 1 if the
-.Fa cipher
-is AEAD or 0 otherwise.
-.Pp
-.Fn SSL_CIPHER_find
-returns a pointer to a valid
-.Vt SSL_CIPHER
-structure or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn SSL_CIPHER_get_id
-returns a 32-bit unsigned integer.
-.Pp
-.Fn SSL_CIPHER_description
-returns
-.Fa buf
-or a newly allocated string on success or a pointer to a static
-string on error.
-.Sh EXAMPLES
-An example for the output of
-.Fn SSL_CIPHER_description :
-.Bd -literal
-ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
-.Ed
-.Pp
-A complete list can be retrieved by invoking the following command:
-.Pp
-.Dl $ openssl ciphers -v ALL:COMPLEMENTOFALL
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_get_ciphers 3 ,
-.Xr SSL_get_current_cipher 3
-.Sh HISTORY
-.Fn SSL_CIPHER_description
-first appeared in SSLeay 0.8.0.
-.Fn SSL_CIPHER_get_name ,
-.Fn SSL_CIPHER_get_bits ,
-and
-.Fn SSL_CIPHER_get_version
-first appeared in SSLeay 0.8.1.
-These functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CIPHER_get_id
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_CIPHER_get_cipher_nid ,
-.Fn SSL_CIPHER_get_digest_nid ,
-.Fn SSL_CIPHER_get_kx_nid ,
-.Fn SSL_CIPHER_get_auth_nid ,
-and
-.Fn SSL_CIPHER_is_aead
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Fn SSL_CIPHER_find
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
-.Fn SSL_CIPHER_get_handshake_digest
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.6 .
-.Sh BUGS
-If
-.Fn SSL_CIPHER_description
-cannot handle a built-in cipher,
-the according description of the cipher property is
-.Qq unknown .
-This case should not occur.
diff --git a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
deleted file mode 100644
index f9e25358d7..0000000000
--- a/src/lib/libssl/man/SSL_COMP_add_compression_method.3
+++ /dev/null
@@ -1,42 +0,0 @@
-.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.7 2024/08/31 10:51:48 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: August 31 2024 $
-.Dt SSL_COMP_ADD_COMPRESSION_METHOD 3
-.Os
-.Sh NAME
-.Nm SSL_COMP_get_compression_methods
-.Nd handle SSL/TLS integrated compression methods
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(SSL_COMP) *
-.Fn SSL_COMP_get_compression_methods void
-.Sh DESCRIPTION
-This function is deprecated and has no effect.
-It is provided purely for compatibility with legacy application code.
-.Pp
-.Fn SSL_COMP_get_compression_methods
-used to return a stack of available compression methods.
-.Sh RETURN VALUES
-.Fn SSL_COMP_get_compression_methods
-always returns
-.Dv NULL .
-.Sh SEE ALSO
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_COMP_get_compression_methods
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
deleted file mode 100644
index 86eb27a523..0000000000
--- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
+++ /dev/null
@@ -1,222 +0,0 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.2 2025/01/18 10:45:12 tb Exp $
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>
-.\" and Rob Stradling <rob.stradling@comodo.com>.
-.\" Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 18 2025 $
-.Dt SSL_CTX_ADD1_CHAIN_CERT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set0_chain ,
-.Nm SSL_CTX_set1_chain ,
-.Nm SSL_CTX_add0_chain_cert ,
-.Nm SSL_CTX_add1_chain_cert ,
-.Nm SSL_CTX_get0_chain_certs ,
-.Nm SSL_CTX_clear_chain_certs ,
-.Nm SSL_set0_chain ,
-.Nm SSL_set1_chain ,
-.Nm SSL_add0_chain_cert ,
-.Nm SSL_add1_chain_cert ,
-.Nm SSL_get0_chain_certs ,
-.Nm SSL_clear_chain_certs
-.Nd extra chain certificate processing
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set0_chain
-.Fa "SSL_CTX *ctx"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_chain
-.Fa "SSL_CTX *ctx"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_CTX_add0_chain_cert
-.Fa "SSL_CTX *ctx"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_CTX_add1_chain_cert
-.Fa "SSL_CTX *ctx"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_CTX_get0_chain_certs
-.Fa "SSL_CTX *ctx"
-.Fa "STACK_OF(X509) **chain"
-.Fc
-.Ft int
-.Fo SSL_CTX_clear_chain_certs
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_set0_chain
-.Fa "SSL *ssl"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_set1_chain
-.Fa "SSL *ssl"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_add0_chain_cert
-.Fa "SSL *ssl"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_add1_chain_cert
-.Fa "SSL *ssl"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_get0_chain_certs
-.Fa "SSL *ssl"
-.Fa "STACK_OF(X509) **chain"
-.Fc
-.Ft int
-.Fo SSL_clear_chain_certs
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set0_chain
-and
-.Fn SSL_CTX_set1_chain
-set the certificate chain associated with the current certificate of
-.Fa ctx
-to
-.Fa chain .
-The
-.Fa chain
-is not supposed to include the current certificate itself.
-.Pp
-.Fn SSL_CTX_add0_chain_cert
-and
-.Fn SSL_CTX_add1_chain_cert
-append the single certificate
-.Fa cert
-to the chain associated with the current certificate of
-.Fa ctx .
-.Pp
-.Fn SSL_CTX_get0_chain_certs
-retrieves the chain associated with the current certificate of
-.Fa ctx .
-.Pp
-.Fn SSL_CTX_clear_chain_certs
-clears the existing chain associated with the current certificate of
-.Fa ctx ,
-if any.
-This is equivalent to calling
-.Fn SSL_CTX_set0_chain
-with
-.Fa chain
-set to
-.Dv NULL .
-.Pp
-Each of these functions operates on the
-.Em current
-end entity (i.e. server or client) certificate.
-This is the last certificate loaded or selected on the corresponding
-.Fa ctx
-structure, for example using
-.Xr SSL_CTX_use_certificate 3 .
-.Pp
-.Fn SSL_set0_chain ,
-.Fn SSL_set1_chain ,
-.Fn SSL_add0_chain_cert ,
-.Fn SSL_add1_chain_cert ,
-.Fn SSL_get0_chain_certs ,
-and
-.Fn SSL_clear_chain_certs
-are similar except that they operate on the
-.Fa ssl
-connection.
-.Pp
-The functions containing a
-.Sy 1
-in their name increment the reference count of the supplied certificate
-or chain, so it must be freed at some point after the operation.
-Those containing a
-.Sy 0
-do not increment reference counts and the supplied certificate or chain
-must not be freed after the operation.
-.Pp
-The chains associated with an
-.Vt SSL_CTX
-structure are copied to the new
-.Vt SSL
-structure when
-.Xr SSL_new 3
-is called.
-Existing
-.Vt SSL
-structures are not affected by any chains subsequently changed
-in the parent
-.Vt SSL_CTX .
-.Pp
-One chain can be set for each key type supported by a server.
-So, for example, an RSA and an ECDSA certificate can have
-different chains.
-.Pp
-If any certificates are added using these functions, no certificates
-added using
-.Xr SSL_CTX_add_extra_chain_cert 3
-will be used.
-.Sh RETURN VALUES
-These functions return 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_use_certificate 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.2
-and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
deleted file mode 100644
index b9694b0cbc..0000000000
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.8 2025/01/18 10:45:12 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2000, 2002, 2013, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 18 2025 $
-.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_add_extra_chain_cert ,
-.Nm SSL_CTX_get_extra_chain_certs_only ,
-.Nm SSL_CTX_get_extra_chain_certs ,
-.Nm SSL_CTX_clear_extra_chain_certs
-.Nd add, retrieve, and clear extra chain certificates
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
-.Ft long
-.Fn SSL_CTX_get_extra_chain_certs_only "SSL_CTX *ctx" "STACK_OF(X509) **certs"
-.Ft long
-.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs"
-.Ft long
-.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_add_extra_chain_cert
-adds the certificate
-.Fa x509
-to the extra chain certificates associated with
-.Fa ctx .
-Several certificates can be added one after another.
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs_only
-retrieves an internal pointer to the stack of extra chain certificates
-associated with
-.Fa ctx ,
-or set
-.Pf * Fa certs
-to
-.Dv NULL
-if there are none.
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs
-does the same except that it retrieves an internal pointer
-to the chain associated with the certificate
-if there are no extra chain certificates.
-.Pp
-.Fn SSL_CTX_clear_extra_chain_certs
-clears all extra chain certificates associated with
-.Fa ctx .
-.Pp
-These functions are implemented as macros.
-.Pp
-When sending a certificate chain, extra chain certificates are sent
-in order following the end entity certificate.
-.Pp
-If no chain is specified, the library will try to complete the chain from the
-available CA certificates in the trusted CA storage, see
-.Xr SSL_CTX_load_verify_locations 3 .
-.Pp
-The x509 certificate provided to
-.Fn SSL_CTX_add_extra_chain_cert
-will be freed by the library when the
-.Vt SSL_CTX
-is destroyed.
-An application should not free the
-.Fa x509
-object, nor the
-.Pf * Fa certs
-object retrieved by
-.Fn SSL_CTX_get_extra_chain_certs .
-.Sh RETURN VALUES
-These functions return 1 on success or 0 for failure.
-Check out the error stack to find out the reason for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add1_chain_cert 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_use_certificate 3
-.Sh HISTORY
-.Fn SSL_CTX_add_extra_chain_cert
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs
-and
-.Fn SSL_CTX_clear_extra_chain_certs
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs_only
-first appeared in OpenSSL 1.0.2 and has been available since
-.Ox 6.7 .
-.Sh CAVEATS
-Certificates added with
-.Fn SSL_CTX_add_extra_chain_cert
-are ignored when certificates are also available that have been
-added using the functions documented in
-.Xr SSL_CTX_set1_chain 3 .
-.Pp
-Only one set of extra chain certificates can be specified per
-.Vt SSL_CTX
-structure using
-.Fn SSL_CTX_add_extra_chain_cert .
-Different chains for different certificates (for example if both
-RSA and ECDSA certificates are specified by the same server) or
-different SSL structures with the same parent
-.Vt SSL_CTX
-require using the functions documented in
-.Xr SSL_CTX_set1_chain 3
-instead.
diff --git a/src/lib/libssl/man/SSL_CTX_add_session.3 b/src/lib/libssl/man/SSL_CTX_add_session.3
deleted file mode 100644
index 443bdb542a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_add_session.3
+++ /dev/null
@@ -1,132 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
-.\" Geoff Thorpe <geoff@openssl.org>.
-.\" Copyright (c) 2001, 2002, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_ADD_SESSION 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_add_session ,
-.Nm SSL_CTX_remove_session
-.Nd manipulate session cache
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_add_session "SSL_CTX *ctx" "SSL_SESSION *c"
-.Ft int
-.Fn SSL_CTX_remove_session "SSL_CTX *ctx" "SSL_SESSION *c"
-.Sh DESCRIPTION
-.Fn SSL_CTX_add_session
-adds the session
-.Fa c
-to the context
-.Fa ctx .
-The reference count for session
-.Fa c
-is incremented by 1.
-If a session with the same session id already exists,
-the old session is removed by calling
-.Xr SSL_SESSION_free 3 .
-.Pp
-.Fn SSL_CTX_remove_session
-removes the session
-.Fa c
-from the context
-.Fa ctx
-and marks it as non-resumable.
-.Xr SSL_SESSION_free 3
-is called once for
-.Fa c .
-.Pp
-When adding a new session to the internal session cache, it is examined
-whether a session with the same session id already exists.
-In this case it is assumed that both sessions are identical.
-If the same session is stored in a different
-.Vt SSL_SESSION
-object, the old session is removed and replaced by the new session.
-If the session is actually identical (the
-.Vt SSL_SESSION
-object is identical),
-.Fn SSL_CTX_add_session
-is a no-op, and the return value is 0.
-.Pp
-If a server
-.Vt SSL_CTX
-is configured with the
-.Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-flag then the internal cache will not be populated automatically by new
-sessions negotiated by the SSL/TLS implementation, even though the internal
-cache will be searched automatically for session-resume requests (the
-latter can be suppressed by
-.Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP ) .
-So the application can use
-.Fn SSL_CTX_add_session
-directly to have full control over the sessions that can be resumed if desired.
-.Sh RETURN VALUES
-The following values are returned by all functions:
-.Bl -tag -width Ds
-.It 0
-The operation failed.
-In case of the add operation, it was tried to add the same (identical) session
-twice.
-In case of the remove operation, the session was not found in the cache.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_SESSION_free 3
-.Sh HISTORY
-.Fn SSL_CTX_add_session
-and
-.Fn SSL_CTX_remove_session
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_ctrl.3 b/src/lib/libssl/man/SSL_CTX_ctrl.3
deleted file mode 100644
index c91ddff374..0000000000
--- a/src/lib/libssl/man/SSL_CTX_ctrl.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_CTRL 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_ctrl ,
-.Nm SSL_CTX_callback_ctrl ,
-.Nm SSL_ctrl ,
-.Nm SSL_callback_ctrl
-.Nd internal handling functions for SSL_CTX and SSL objects
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_ctrl "SSL_CTX *ctx" "int cmd" "long larg" "void *parg"
-.Ft long
-.Fn SSL_CTX_callback_ctrl "SSL_CTX *" "int cmd" "void (*fp)()"
-.Ft long
-.Fn SSL_ctrl "SSL *ssl" "int cmd" "long larg" "void *parg"
-.Ft long
-.Fn SSL_callback_ctrl "SSL *" "int cmd" "void (*fp)()"
-.Sh DESCRIPTION
-The
-.Fn SSL_*_ctrl
-family of functions is used to manipulate settings of
-the
-.Vt SSL_CTX
-and
-.Vt SSL
-objects.
-Depending on the command
-.Fa cmd
-the arguments
-.Fa larg ,
-.Fa parg ,
-or
-.Fa fp
-are evaluated.
-These functions should never be called directly.
-All functionalities needed are made available via other functions or macros.
-.Sh RETURN VALUES
-The return values of the
-.Fn SSL*_ctrl
-functions depend on the command supplied via the
-.Fn cmd
-parameter.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_set_max_cert_list 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_CTX_set_tlsext_servername_callback 3 ,
-.Xr SSL_CTX_set_tlsext_status_cb 3 ,
-.Xr SSL_CTX_set_tlsext_ticket_key_cb 3 ,
-.Xr SSL_get_server_tmp_key 3 ,
-.Xr SSL_num_renegotiations 3 ,
-.Xr SSL_session_reused 3 ,
-.Xr SSL_set_max_send_fragment 3
-.Sh HISTORY
-.Fn SSL_CTX_ctrl
-and
-.Fn SSL_ctrl
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_callback_ctrl
-and
-.Fn SSL_callback_ctrl
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_CTX_flush_sessions.3 b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
deleted file mode 100644
index 2ef781cb4a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ /dev/null
@@ -1,100 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_FLUSH_SESSIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_flush_sessions
-.Nd remove expired sessions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_flush_sessions "SSL_CTX *ctx" "long tm"
-.Sh DESCRIPTION
-.Fn SSL_CTX_flush_sessions
-causes a run through the session cache of
-.Fa ctx
-to remove sessions expired at time
-.Fa tm .
-.Pp
-If enabled, the internal session cache will collect all sessions established
-up to the specified maximum number (see
-.Xr SSL_CTX_sess_set_cache_size 3 ) .
-As sessions will not be reused once they are expired, they should be
-removed from the cache to save resources.
-This can either be done automatically whenever 255 new sessions were
-established (see
-.Xr SSL_CTX_set_session_cache_mode 3 )
-or manually by calling
-.Fn SSL_CTX_flush_sessions .
-.Pp
-The parameter
-.Fa tm
-specifies the time which should be used for the
-expiration test, in most cases the actual time given by
-.Fn time 0
-will be used.
-.Pp
-.Fn SSL_CTX_flush_sessions
-will only check sessions stored in the internal cache.
-When a session is found and removed, the
-.Va remove_session_cb
-is however called to synchronize with the external cache (see
-.Xr SSL_CTX_sess_set_get_cb 3 ) .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_CTX_set_timeout 3
-.Sh HISTORY
-.Fn SSL_CTX_flush_sessions
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_free.3 b/src/lib/libssl/man/SSL_CTX_free.3
deleted file mode 100644
index 47f247631b..0000000000
--- a/src/lib/libssl/man/SSL_CTX_free.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2003 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_FREE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_free
-.Nd free an allocated SSL_CTX object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_free "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_free
-decrements the reference count of
-.Fa ctx ,
-and removes the
-.Vt SSL_CTX
-object pointed to by
-.Fa ctx
-and frees up the allocated memory if the reference count has reached 0.
-If
-.Fa ctx
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-It also calls the
-.Xr free 3 Ns ing
-procedures for indirectly affected items, if applicable:
-the session cache, the list of ciphers, the list of Client CAs,
-the certificates and keys.
-.Sh WARNINGS
-If a session-remove callback is set
-.Pq Xr SSL_CTX_sess_set_remove_cb 3 ,
-this callback will be called for each session being freed from
-.Fa ctx Ns 's
-session cache.
-This implies that all corresponding sessions from an external session cache are
-removed as well.
-If this is not desired, the user should explicitly unset the callback by
-calling
-.Fn SSL_CTX_sess_set_remove_cb ctx NULL
-prior to calling
-.Fn SSL_CTX_free .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3
-.Sh HISTORY
-.Fn SSL_CTX_free
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_get0_certificate.3 b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
deleted file mode 100644
index 63c86bd5e0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_get0_certificate.3
+++ /dev/null
@@ -1,51 +0,0 @@
-.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_GET0_CERTIFICATE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_get0_certificate
-.Nd get the active certificate from an SSL context
-.Sh SYNOPSIS
-.Ft X509 *
-.Fo SSL_CTX_get0_certificate
-.Fa "const SSL_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn SSL_CTX_get0_certificate
-function returns an internal pointer
-to the ASN.1 certificate currently active in
-.Fa ctx
-or
-.Dv NULL
-if none was installed with
-.Xr SSL_CTX_use_certificate 3
-or similar functions.
-.Pp
-The returned pointer must not be freed by the caller.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-.Fn SSL_CTX_get0_certificate
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
deleted file mode 100644
index 3dbaf2e981..0000000000
--- a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ /dev/null
@@ -1,124 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt SSL_CTX_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_get_ex_new_index ,
-.Nm SSL_CTX_set_ex_data ,
-.Nm SSL_CTX_get_ex_data
-.Nd internal application specific data functions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fn SSL_CTX_set_ex_data "SSL_CTX *ctx" "int idx" "void *arg"
-.Ft void *
-.Fn SSL_CTX_get_ex_data "const SSL_CTX *ctx" "int idx"
-.Bd -literal
- typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                int idx, long argl, void *argp);
- typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                int idx, long argl, void *argp);
- typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
-                int idx, long argl, void *argp);
-.Ed
-.Sh DESCRIPTION
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-.Pp
-.Fn SSL_CTX_get_ex_new_index
-is used to register a new index for application specific data.
-.Pp
-.Fn SSL_CTX_set_ex_data
-is used to store application data at
-.Fa arg
-for
-.Fa idx
-into the
-.Fa ctx
-object.
-.Pp
-.Fn SSL_CTX_get_ex_data
-is used to retrieve the information for
-.Fa idx
-from
-.Fa ctx .
-.Pp
-A detailed description for the
-.Fn *_get_ex_new_index
-functionality can be found in
-.Xr RSA_get_ex_new_index 3 .
-The
-.Fn *_get_ex_data
-and
-.Fn *_set_ex_data
-functionality is described in
-.Xr CRYPTO_set_ex_data 3 .
-.Sh SEE ALSO
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_CTX_get_ex_new_index ,
-.Fn SSL_CTX_set_ex_data ,
-and
-.Fn SSL_CTX_get_ex_data
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
deleted file mode 100644
index 7c87775069..0000000000
--- a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ /dev/null
@@ -1,131 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_GET_VERIFY_MODE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_get_verify_mode ,
-.Nm SSL_get_verify_mode ,
-.Nm SSL_CTX_get_verify_depth ,
-.Nm SSL_get_verify_depth ,
-.Nm SSL_get_verify_callback ,
-.Nm SSL_CTX_get_verify_callback
-.Nd get currently set verification parameters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_get_verify_mode "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_get_verify_mode "const SSL *ssl"
-.Ft int
-.Fn SSL_CTX_get_verify_depth "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_get_verify_depth "const SSL *ssl"
-.Ft int
-.Fo "(*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))"
-.Fa int "X509_STORE_CTX *"
-.Fc
-.Ft int
-.Fo "(*SSL_get_verify_callback(const SSL *ssl))"
-.Fa int "X509_STORE_CTX *"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_get_verify_mode
-returns the verification mode currently set in
-.Fa ctx .
-.Pp
-.Fn SSL_get_verify_mode
-returns the verification mode currently set in
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_get_verify_depth
-returns the verification depth limit currently set
-in
-.Fa ctx .
-If no limit has been explicitly set,
-\(mi1 is returned and the default value will be used.
-.Pp
-.Fn SSL_get_verify_depth
-returns the verification depth limit currently set in
-.Fa ssl .
-If no limit has been explicitly set,
-\(mi1 is returned and the default value will be used.
-.Pp
-.Fn SSL_CTX_get_verify_callback
-returns a function pointer to the verification callback currently set in
-.Fa ctx .
-If no callback was explicitly set, the
-.Dv NULL
-pointer is returned and the default callback will be used.
-.Pp
-.Fn SSL_get_verify_callback
-returns a function pointer to the verification callback currently set in
-.Fa ssl .
-If no callback was explicitly set, the
-.Dv NULL
-pointer is returned and the default callback will be used.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3
-.Sh HISTORY
-.Fn SSL_CTX_get_verify_mode ,
-.Fn SSL_get_verify_mode ,
-.Fn SSL_get_verify_callback ,
-and
-.Fn SSL_CTX_get_verify_callback
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_get_verify_depth
-and
-.Fn SSL_get_verify_depth
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
deleted file mode 100644
index 373df2402e..0000000000
--- a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ /dev/null
@@ -1,238 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_load_verify_locations ,
-.Nm SSL_CTX_set_default_verify_paths
-.Nd set default locations for trusted CA certificates
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_load_verify_locations
-.Fa "SSL_CTX *ctx" "const char *CAfile" "const char *CApath"
-.Fc
-.Ft int
-.Fo SSL_CTX_set_default_verify_paths
-.Fa "SSL_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_load_verify_locations
-specifies the locations for
-.Fa ctx ,
-at which CA certificates for verification purposes are located.
-The certificates available via
-.Fa CAfile
-and
-.Fa CApath
-are trusted.
-.Pp
-.Fn SSL_CTX_set_default_verify_paths
-specifies that the default locations from which CA certificates are
-loaded should be used.
-There is one default directory and one default file.
-The default CA certificates directory is called
-.Pa certs
-in the default OpenSSL directory.
-The default CA certificates file is called
-.Pa cert.pem
-in the default OpenSSL directory.
-.Pp
-If
-.Fa CAfile
-is not
-.Dv NULL ,
-it points to a file of CA certificates in PEM format.
-The file can contain several CA certificates identified by sequences of:
-.Bd -literal
- -----BEGIN CERTIFICATE-----
- ... (CA certificate in base64 encoding) ...
- -----END CERTIFICATE-----
-.Ed
-.Pp
-Before, between, and after the certificates arbitrary text is allowed which can
-be used, e.g., for descriptions of the certificates.
-.Pp
-The
-.Fa CAfile
-is processed on execution of the
-.Fn SSL_CTX_load_verify_locations
-function.
-.Pp
-If
-.Fa CApath
-is not NULL, it points to a directory containing CA certificates in PEM format.
-The files each contain one CA certificate.
-The files are looked up by the CA subject name hash value,
-which must hence be available.
-If more than one CA certificate with the same name hash value exist,
-the extension must be different (e.g.,
-.Pa 9d66eef0.0 ,
-.Pa 9d66eef0.1 ,
-etc.).
-The search is performed in the ordering of the extension number,
-regardless of other properties of the certificates.
-.Pp
-The certificates in
-.Fa CApath
-are only looked up when required, e.g., when building the certificate chain or
-when actually performing the verification of a peer certificate.
-.Pp
-When looking up CA certificates, the OpenSSL library will first search the
-certificates in
-.Fa CAfile ,
-then those in
-.Fa CApath .
-Certificate matching is done based on the subject name, the key identifier (if
-present), and the serial number as taken from the certificate to be verified.
-If these data do not match, the next certificate will be tried.
-If a first certificate matching the parameters is found,
-the verification process will be performed;
-no other certificates for the same parameters will be searched in case of
-failure.
-.Pp
-In server mode, when requesting a client certificate, the server must send
-the list of CAs of which it will accept client certificates.
-This list is not influenced by the contents of
-.Fa CAfile
-or
-.Fa CApath
-and must explicitly be set using the
-.Xr SSL_CTX_set_client_CA_list 3
-family of functions.
-.Pp
-When building its own certificate chain, an OpenSSL client/server will try to
-fill in missing certificates from
-.Fa CAfile Ns / Fa CApath ,
-if the
-certificate chain was not explicitly specified (see
-.Xr SSL_CTX_add_extra_chain_cert 3
-and
-.Xr SSL_CTX_use_certificate 3 ) .
-.Sh RETURN VALUES
-For
-.Fn SSL_CTX_load_verify_locations ,
-the following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The operation failed because
-.Fa CAfile
-and
-.Fa CApath
-are
-.Dv NULL
-or the processing at one of the locations specified failed.
-Check the error stack to find out the reason.
-.It 1
-The operation succeeded.
-.El
-.Pp
-.Fn SSL_CTX_set_default_verify_paths
-returns 1 on success or 0 on failure.
-A missing default location is still treated as a success.
-.Sh EXAMPLES
-Generate a CA certificate file with descriptive text from the CA certificates
-.Pa ca1.pem
-.Pa ca2.pem
-.Pa ca3.pem :
-.Bd -literal
-#!/bin/sh
-rm CAfile.pem
-for i in ca1.pem ca2.pem ca3.pem; do
-        openssl x509 -in $i -text >> CAfile.pem
-done
-.Ed
-.Pp
-Prepare the directory /some/where/certs containing several CA certificates
-for use as
-.Fa CApath :
-.Bd -literal
-$ cd /some/where/certs
-$ rm -f *.[0-9]* *.r[0-9]*
-$ for c in *.pem; do
->    [ "$c" = "*.pem" ] && continue
->    hash=$(openssl x509 -noout -hash -in "$c")
->    if egrep -q -- '-BEGIN( X509 | TRUSTED | )CERTIFICATE-' "$c"; then
->      suf=0
->      while [ -e $hash.$suf ]; do suf=$(( $suf + 1 )); done
->      ln -s "$c" $hash.$suf
->    fi
->    if egrep -q -- '-BEGIN X509 CRL-' "$c"; then
->      suf=0
->      while [ -e $hash.r$suf ]; do suf=$(( $suf + 1 )); done
->      ln -s "$c" $hash.r$suf
->    fi
-> done
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_set_cert_store 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_get_client_CA_list 3
-.Sh HISTORY
-.Fn SSL_CTX_load_verify_locations
-and
-.Fn SSL_CTX_set_default_verify_paths
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-If several CA certificates matching the name, key identifier, and serial
-number condition are available, only the first one will be examined.
-This may lead to unexpected results if the same CA certificate is available
-with different expiration dates.
-If a
-.Dq certificate expired
-verification error occurs, no other certificate will be searched.
-Make sure to not have expired certificates mixed with valid ones.
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
deleted file mode 100644
index 4b50a03de4..0000000000
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ /dev/null
@@ -1,345 +0,0 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.17 2022/07/13 22:05:53 schwarze Exp $
-.\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100
-.\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2005, 2012, 2013, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt SSL_CTX_NEW 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_new ,
-.Nm SSL_CTX_up_ref ,
-.Nm TLS_method ,
-.Nm TLS_server_method ,
-.Nm TLS_client_method ,
-.Nm SSLv23_method ,
-.Nm SSLv23_server_method ,
-.Nm SSLv23_client_method ,
-.Nm TLSv1_method ,
-.Nm TLSv1_server_method ,
-.Nm TLSv1_client_method ,
-.Nm TLSv1_1_method ,
-.Nm TLSv1_1_server_method ,
-.Nm TLSv1_1_client_method ,
-.Nm TLSv1_2_method ,
-.Nm TLSv1_2_server_method ,
-.Nm TLSv1_2_client_method ,
-.Nm DTLS_method ,
-.Nm DTLS_server_method ,
-.Nm DTLS_client_method ,
-.Nm DTLSv1_method ,
-.Nm DTLSv1_server_method ,
-.Nm DTLSv1_client_method ,
-.Nm DTLSv1_2_method ,
-.Nm DTLSv1_2_server_method ,
-.Nm DTLSv1_2_client_method
-.Nd create a new SSL_CTX object as a framework for TLS enabled functions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_CTX *
-.Fn SSL_CTX_new "const SSL_METHOD *method"
-.Ft int
-.Fn SSL_CTX_up_ref "SSL_CTX *ctx"
-.Ft const SSL_METHOD *
-.Fn TLS_method void
-.Ft const SSL_METHOD *
-.Fn TLS_server_method void
-.Ft const SSL_METHOD *
-.Fn TLS_client_method void
-.Ft const SSL_METHOD *
-.Fn SSLv23_method void
-.Ft const SSL_METHOD *
-.Fn SSLv23_server_method void
-.Ft const SSL_METHOD *
-.Fn SSLv23_client_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_server_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_client_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_1_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_1_server_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_1_client_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_2_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_2_server_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_2_client_method void
-.Ft const SSL_METHOD *
-.Fn DTLS_method void
-.Ft const SSL_METHOD *
-.Fn DTLS_server_method void
-.Ft const SSL_METHOD *
-.Fn DTLS_client_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_server_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_client_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_2_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_2_server_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_2_client_method void
-.Sh DESCRIPTION
-.Fn SSL_CTX_new
-creates a new
-.Vt SSL_CTX
-object as a framework to establish TLS or DTLS enabled connections.
-It initializes the list of ciphers, the session cache setting, the
-callbacks, the keys and certificates, the options, and the security
-level to its default values.
-.Pp
-An
-.Vt SSL_CTX
-object is reference counted.
-Creating a new
-.Vt SSL_CTX
-object sets its reference count to 1.
-Calling
-.Fn SSL_CTX_up_ref
-on it increments the reference count by 1.
-Calling
-.Xr SSL_CTX_free 3
-on it decrements the reference count by 1.
-When the reference count drops to zero,
-any memory or resources allocated to the
-.Vt SSL_CTX
-object are freed.
-.Pp
-The
-.Vt SSL_CTX
-object uses
-.Fa method
-as its connection method, which can be:
-.Bl -tag -width Ds
-.It Fn TLS_method
-The general-purpose version-flexible TLS method.
-The protocol version used will be negotiated to the highest
-version mutually supported by the client and the server.
-The supported protocols are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.
-.It Fn DTLS_method
-The version-flexible DTLS method.
-The currently supported protocols are DTLSv1 and DTLSv1.2.
-.El
-.Pp
-The following
-.Fa method
-arguments are deprecated:
-.Bl -tag -width Ds
-.It Xo
-.Fn TLS_server_method ,
-.Fn TLS_client_method ,
-.Fn SSLv23_method ,
-.Fn SSLv23_server_method ,
-.Fn SSLv23_client_method
-.Xc
-Deprecated aliases for
-.Fn TLS_method .
-.It Xo
-.Fn DTLS_server_method ,
-.Fn DTLS_client_method
-.Xc
-Deprecated aliases for
-.Fn DTLS_method .
-.It Xo
-.Fn TLSv1_method ,
-.Fn TLSv1_server_method ,
-.Fn TLSv1_client_method
-.Xc
-A connection established with these methods will only
-understand the TLSv1 protocol.
-.It Xo
-.Fn TLSv1_1_method ,
-.Fn TLSv1_1_server_method ,
-.Fn TLSv1_1_client_method
-.Xc
-A connection established with these methods will only
-understand the TLSv1.1 protocol.
-.It Xo
-.Fn TLSv1_2_method ,
-.Fn TLSv1_2_server_method ,
-.Fn TLSv1_2_client_method
-.Xc
-A connection established with these methods will only
-understand the TLSv1.2 protocol.
-.It Xo
-.Fn DTLSv1_method ,
-.Fn DTLSv1_server_method ,
-.Fn DTLSv1_client_method
-.Xc
-These are the version-specific methods for DTLSv1.
-.It Xo
-.Fn DTLSv1_2_method ,
-.Fn DTLSv1_2_server_method ,
-.Fn DTLSv1_2_client_method
-These are the version-specific methods for DTLSv1.2.
-.Xc
-.El
-.Pp
-In LibreSSL, the methods containing the substrings
-.Dq _server
-or
-.Dq _client
-in their names return the same objects
-as the methods without these substrings.
-.Pp
-The list of protocols available can also be limited using the
-.Dv SSL_OP_NO_TLSv1 ,
-.Dv SSL_OP_NO_TLSv1_1 ,
-and
-.Dv SSL_OP_NO_TLSv1_2
-options of the
-.Xr SSL_CTX_set_options 3
-or
-.Xr SSL_set_options 3
-functions, but this approach is not recommended.
-Clients should avoid creating "holes" in the set of protocols they support.
-When disabling a protocol, make sure that you also disable either
-all previous or all subsequent protocol versions.
-In clients, when a protocol version is disabled without disabling
-all previous protocol versions, the effect is to also disable all
-subsequent protocol versions.
-.Pp
-DTLSv1 and DTLSv1.2 can be disabled with
-.Xr SSL_CTX_set_options 3
-or
-.Xr SSL_set_options 3
-using the
-.Dv SSL_OP_NO_DTLSv1
-and
-.Dv SSL_OP_NO_DTLSv1_2
-options, respectively.
-.Sh RETURN VALUES
-.Fn SSL_CTX_new
-returns a pointer to the newly allocated object or
-.Dv NULL
-on failure.
-Check the error stack to find out the reason for failure.
-.Pp
-.Fn SSL_CTX_up_ref
-returns 1 for success or 0 for failure.
-.Pp
-.Fn TLS_method
-and the other
-.Fn *_method
-functions return pointers to constant static objects.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_CTX_free 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_security_level 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_CTX_new
-first appeared in SSLeay 0.5.1.
-.Fn SSLv23_method ,
-.Fn SSLv23_server_method ,
-and
-.Fn SSLv23_client_method
-first appeared in SSLeay 0.8.0.
-.Fn TLSv1_method ,
-.Fn TLSv1_server_method ,
-and
-.Fn TLSv1_client_method
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn DTLSv1_method ,
-.Fn DTLSv1_server_method ,
-and
-.Fn DTLSv1_client_method
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn TLSv1_1_method ,
-.Fn TLSv1_1_server_method ,
-.Fn TLSv1_1_client_method ,
-.Fn TLSv1_2_method ,
-.Fn TLSv1_2_server_method ,
-and
-.Fn TLSv1_2_client_method
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
-.Pp
-.Fn DTLS_method ,
-.Fn DTLS_server_method ,
-and
-.Fn DTLS_client_method
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.5 .
-.Pp
-.Fn TLS_method ,
-.Fn TLS_server_method ,
-and
-.Fn TLS_client_method
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 5.8 .
-.Pp
-.Fn SSL_CTX_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Pp
-.Fn DTLSv1_2_method ,
-.Fn DTLSv1_2_server_method ,
-and
-.Fn DTLSv1_2_client_method
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.9 .
diff --git a/src/lib/libssl/man/SSL_CTX_sess_number.3 b/src/lib/libssl/man/SSL_CTX_sess_number.3
deleted file mode 100644
index 76d436cd17..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sess_number.3
+++ /dev/null
@@ -1,168 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SESS_NUMBER 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sess_number ,
-.Nm SSL_CTX_sess_connect ,
-.Nm SSL_CTX_sess_connect_good ,
-.Nm SSL_CTX_sess_connect_renegotiate ,
-.Nm SSL_CTX_sess_accept ,
-.Nm SSL_CTX_sess_accept_good ,
-.Nm SSL_CTX_sess_accept_renegotiate ,
-.Nm SSL_CTX_sess_hits ,
-.Nm SSL_CTX_sess_cb_hits ,
-.Nm SSL_CTX_sess_misses ,
-.Nm SSL_CTX_sess_timeouts ,
-.Nm SSL_CTX_sess_cache_full
-.Nd obtain session cache statistics
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_sess_number "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_connect "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_connect_good "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_connect_renegotiate "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_accept "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_accept_good "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_accept_renegotiate "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_hits "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_cb_hits "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_misses "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_timeouts "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_cache_full "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_sess_number
-returns the current number of sessions in the internal session cache.
-.Pp
-.Fn SSL_CTX_sess_connect
-returns the number of started SSL/TLS handshakes in client mode.
-.Pp
-.Fn SSL_CTX_sess_connect_good
-returns the number of successfully established SSL/TLS sessions in client mode.
-.Pp
-.Fn SSL_CTX_sess_connect_renegotiate
-returns the number of started renegotiations in client mode.
-.Pp
-.Fn SSL_CTX_sess_accept
-returns the number of started SSL/TLS handshakes in server mode.
-.Pp
-.Fn SSL_CTX_sess_accept_good
-returns the number of successfully established SSL/TLS sessions in server mode.
-.Pp
-.Fn SSL_CTX_sess_accept_renegotiate
-returns the number of started renegotiations in server mode.
-.Pp
-.Fn SSL_CTX_sess_hits
-returns the number of successfully reused sessions.
-In client mode a session set with
-.Xr SSL_set_session 3
-successfully reused is counted as a hit.
-In server mode a session successfully retrieved from internal or external cache
-is counted as a hit.
-.Pp
-.Fn SSL_CTX_sess_cb_hits
-returns the number of successfully retrieved sessions from the external session
-cache in server mode.
-.Pp
-.Fn SSL_CTX_sess_misses
-returns the number of sessions proposed by clients that were not found in the
-internal session cache in server mode.
-.Pp
-.Fn SSL_CTX_sess_timeouts
-returns the number of sessions proposed by clients and either found in the
-internal or external session cache in server mode,
-but that were invalid due to timeout.
-These sessions are not included in the
-.Fn SSL_CTX_sess_hits
-count.
-.Pp
-.Fn SSL_CTX_sess_cache_full
-returns the number of sessions that were removed because the maximum session
-cache size was exceeded.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_CTX_sess_number ,
-.Fn SSL_CTX_sess_connect ,
-.Fn SSL_CTX_sess_connect_good ,
-.Fn SSL_CTX_sess_accept ,
-.Fn SSL_CTX_sess_accept_good ,
-.Fn SSL_CTX_sess_hits ,
-.Fn SSL_CTX_sess_misses ,
-and
-.Fn SSL_CTX_sess_timeouts
-first appeared in SSLeay 0.5.2.
-.Fn SSL_CTX_sess_cb_hits
-first appeared in SSLeay 0.6.0.
-.Fn SSL_CTX_sess_connect_renegotiate ,
-.Fn SSL_CTX_sess_accept_renegotiate ,
-and
-.Fn SSL_CTX_sess_cache_full
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
deleted file mode 100644
index 6d5fede0b6..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ /dev/null
@@ -1,109 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2002, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sess_set_cache_size ,
-.Nm SSL_CTX_sess_get_cache_size
-.Nd manipulate session cache size
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_sess_set_cache_size "SSL_CTX *ctx" "long t"
-.Ft long
-.Fn SSL_CTX_sess_get_cache_size "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_sess_set_cache_size
-sets the size of the internal session cache of context
-.Fa ctx
-to
-.Fa t .
-.Pp
-.Fn SSL_CTX_sess_get_cache_size
-returns the currently valid session cache size.
-.Pp
-The internal session cache size is
-.Dv SSL_SESSION_CACHE_MAX_SIZE_DEFAULT ,
-currently 1024\(mu20, so that up to 20000 sessions can be held.
-This size can be modified using the
-.Fn SSL_CTX_sess_set_cache_size
-call.
-A special case is the size 0, which is used for unlimited size.
-.Pp
-If adding the session makes the cache exceed its size, then unused
-sessions are dropped from the end of the cache.
-Cache space may also be reclaimed by calling
-.Xr SSL_CTX_flush_sessions 3
-to remove expired sessions.
-.Pp
-If the size of the session cache is reduced and more sessions are already in
-the session cache,
-old session will be removed the next time a session shall be added.
-This removal is not synchronized with the expiration of sessions.
-.Sh RETURN VALUES
-.Fn SSL_CTX_sess_set_cache_size
-returns the previously valid size.
-.Pp
-.Fn SSL_CTX_sess_get_cache_size
-returns the currently valid size.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3
-.Sh HISTORY
-.Fn SSL_CTX_sess_set_cache_size
-and
-.Fn SSL_CTX_sess_get_cache_size
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
deleted file mode 100644
index e99f2be671..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ /dev/null
@@ -1,221 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.7 2022/03/29 18:15:52 naddy Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2002, 2003, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 29 2022 $
-.Dt SSL_CTX_SESS_SET_GET_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sess_set_new_cb ,
-.Nm SSL_CTX_sess_set_remove_cb ,
-.Nm SSL_CTX_sess_set_get_cb ,
-.Nm SSL_CTX_sess_get_new_cb ,
-.Nm SSL_CTX_sess_get_remove_cb ,
-.Nm SSL_CTX_sess_get_get_cb
-.Nd provide callback functions for server side external session caching
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_sess_set_new_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*new_session_cb)(SSL *, SSL_SESSION *)"
-.Fc
-.Ft void
-.Fo SSL_CTX_sess_set_remove_cb
-.Fa "SSL_CTX *ctx"
-.Fa "void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)"
-.Fc
-.Ft void
-.Fo SSL_CTX_sess_set_get_cb
-.Fa "SSL_CTX *ctx"
-.Fa "SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)"
-.Fc
-.Ft int
-.Fo "(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft void
-.Fo "(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))"
-.Fa "SSL_CTX *ctx"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft SSL_SESSION *
-.Fo "(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fa "int *copy"
-.Fc
-.Ft int
-.Fo "(*new_session_cb)"
-.Fa "SSL *ssl"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft void
-.Fo "(*remove_session_cb)"
-.Fa "SSL_CTX *ctx"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft SSL_SESSION *
-.Fo "(*get_session_cb)"
-.Fa "SSL *ssl"
-.Fa "unsigned char *data"
-.Fa "int len"
-.Fa "int *copy"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_sess_set_new_cb
-sets the callback function which is automatically called whenever a new session
-was negotiated.
-.Pp
-.Fn SSL_CTX_sess_set_remove_cb
-sets the callback function which is automatically called whenever a session is
-removed by the SSL engine (because it is considered faulty or the session has
-become obsolete because of exceeding the timeout value).
-.Pp
-.Fn SSL_CTX_sess_set_get_cb
-sets the callback function which is called whenever a SSL/TLS client proposes
-to resume a session but the session cannot be found in the internal session
-cache (see
-.Xr SSL_CTX_set_session_cache_mode 3 ) .
-(SSL/TLS server only.)
-.Pp
-.Fn SSL_CTX_sess_get_new_cb ,
-.Fn SSL_CTX_sess_get_remove_cb ,
-and
-.Fn SSL_CTX_sess_get_get_cb
-retrieve the function pointers of the provided callback functions.
-If a callback function has not been set, the
-.Dv NULL
-pointer is returned.
-.Pp
-In order to allow external session caching, synchronization with the internal
-session cache is realized via callback functions.
-Inside these callback functions, session can be saved to disk or put into a
-database using the
-.Xr d2i_SSL_SESSION 3
-interface.
-.Pp
-The
-.Fn new_session_cb
-function is called whenever a new session has been negotiated and session
-caching is enabled (see
-.Xr SSL_CTX_set_session_cache_mode 3 ) .
-The
-.Fn new_session_cb
-function is passed the
-.Fa ssl
-connection and the ssl session
-.Fa sess .
-If the callback returns 0, the session will be immediately removed again.
-.Pp
-The
-.Fn remove_session_cb
-function is called whenever the SSL engine removes a session from the
-internal cache.
-This happens when the session is removed because it is expired or when a
-connection was not shut down cleanly.
-It also happens for all sessions in the internal session cache when
-.Xr SSL_CTX_free 3
-is called.
-The
-.Fn remove_session_cb
-function is passed the
-.Fa ctx
-and the
-.Vt ssl
-session
-.Fa sess .
-It does not provide any feedback.
-.Pp
-The
-.Fn get_session_cb
-function is only called on SSL/TLS servers with the session id proposed by the
-client.
-The
-.Fn get_session_cb
-function is always called, also when session caching was disabled.
-The
-.Fn get_session_cb
-function is passed the
-.Fa ssl
-connection, the session id of length
-.Fa length
-at the memory location
-.Fa data .
-With the parameter
-.Fa copy
-the callback can require the SSL engine to increment the reference count of the
-.Vt SSL_SESSION
-object,
-Normally the reference count is not incremented and therefore the session must
-not be explicitly freed with
-.Xr SSL_SESSION_free 3 .
-.Sh SEE ALSO
-.Xr d2i_SSL_SESSION 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_free 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_SESSION_free 3
-.Sh HISTORY
-.Fn SSL_CTX_sess_set_new_cb ,
-.Fn SSL_CTX_sess_set_get_cb ,
-.Fn SSL_CTX_sess_get_new_cb ,
-and
-.Fn SSL_CTX_sess_get_get_cb
-first appeared in SSLeay 0.6.0.
-.Fn SSL_CTX_sess_set_remove_cb
-and
-.Fn SSL_CTX_sess_get_remove_cb
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_sessions.3 b/src/lib/libssl/man/SSL_CTX_sessions.3
deleted file mode 100644
index 964d1a7346..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sessions.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.5 2018/04/25 14:19:39 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 25 2018 $
-.Dt SSL_CTX_SESSIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sessions
-.Nd access internal session cache
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft LHASH_OF(SSL_SESSION) *
-.Fn SSL_CTX_sessions "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_sessions
-returns a pointer to the lhash databases containing the internal session cache
-for
-.Fa ctx .
-.Pp
-The sessions in the internal session cache are kept in an
-lhash-type database
-(see
-.Xr lh_new 3 ) .
-It is possible to directly access this database, e.g., for searching.
-In parallel,
-the sessions form a linked list which is maintained separately from the
-lhash operations,
-so that the database must not be modified directly but by using the
-.Xr SSL_CTX_add_session 3
-family of functions.
-.Sh SEE ALSO
-.Xr lh_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3
-.Sh HISTORY
-.Fn SSL_CTX_sessions
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
deleted file mode 100644
index 0d1eb36ea7..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set1_groups.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.2 2017/08/19 19:36:39 schwarze Exp $
-.\"     OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2013, 2014, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 19 2017 $
-.Dt SSL_CTX_SET1_GROUPS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set1_groups ,
-.Nm SSL_CTX_set1_groups_list ,
-.Nm SSL_set1_groups ,
-.Nm SSL_set1_groups_list ,
-.Nm SSL_CTX_set1_curves ,
-.Nm SSL_CTX_set1_curves_list ,
-.Nm SSL_set1_curves ,
-.Nm SSL_set1_curves_list
-.Nd choose supported EC groups
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set1_groups
-.Fa "SSL_CTX *ctx"
-.Fa "const int *glist"
-.Fa "size_t glistlen"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_groups_list
-.Fa "SSL_CTX *ctx"
-.Fa "const char *list"
-.Fc
-.Ft int
-.Fo SSL_set1_groups
-.Fa "SSL *ssl"
-.Fa "const int *glist"
-.Fa "size_t glistlen"
-.Fc
-.Ft int
-.Fo SSL_set1_groups_list
-.Fa "SSL *ssl"
-.Fa "const char *list"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_curves
-.Fa "SSL_CTX *ctx"
-.Fa "const int *clist"
-.Fa "size_t clistlen"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_curves_list
-.Fa "SSL_CTX *ctx"
-.Fa "const char *list"
-.Fc
-.Ft int
-.Fo SSL_set1_curves
-.Fa "SSL *ssl"
-.Fa "const int *clist"
-.Fa "size_t clistlen"
-.Fc
-.Ft int
-.Fo SSL_set1_curves_list
-.Fa "SSL *ssl"
-.Fa "const char *list"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set1_groups
-sets the supported groups for
-.Fa ctx
-to the
-.Fa glistlen
-groups in the array
-.Fa glist .
-The array consists of group NIDs in preference order.
-For a TLS client, the groups are used directly in the supported groups
-extension.
-For a TLS server, the groups are used to determine the set of shared
-groups.
-.Pp
-.Fn SSL_CTX_set1_groups_list
-sets the supported groups for
-.Fa ctx
-to the
-.Fa list
-represented as a colon separated list of group NIDs or names, for example
-"P-521:P-384:P-256".
-.Pp
-.Fn SSL_set1_groups
-and
-.Fn SSL_set1_groups_list
-are similar except that they set supported groups for the SSL structure
-.Fa ssl
-only.
-.Pp
-The curve functions are deprecated synonyms for the equivalently
-named group functions and are identical in every respect except
-that they are implemented as macros.
-They exist because prior to TLS1.3, there was only the concept of
-supported curves.
-In TLS1.3, this was renamed to supported groups and extended to include
-Diffie Hellman groups.
-.Pp
-If an application wishes to make use of several of these functions for
-configuration purposes either on a command line or in a file, it should
-consider using the SSL_CONF interface instead of manually parsing
-options.
-.Sh RETURN VALUES
-All these functions return 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-The curve functions first appeared in OpenSSL 1.0.2
-and the group functions in OpenSSL 1.1.1.
-Both have been available since
-.Ox 6.1 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
deleted file mode 100644
index 2317c57af4..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ /dev/null
@@ -1,305 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.11 2025/02/04 14:00:05 tb Exp $
-.\"     OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Todd Short <tshort@akamai.com>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: February 4 2025 $
-.Dt SSL_CTX_SET_ALPN_SELECT_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_alpn_protos ,
-.Nm SSL_set_alpn_protos ,
-.Nm SSL_CTX_set_alpn_select_cb ,
-.Nm SSL_select_next_proto ,
-.Nm SSL_get0_alpn_selected
-.Nd handle application layer protocol negotiation (ALPN)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_alpn_protos
-.Fa "SSL_CTX *ctx"
-.Fa "const unsigned char *protos"
-.Fa "unsigned int protos_len"
-.Fc
-.Ft int
-.Fo SSL_set_alpn_protos
-.Fa "SSL *ssl"
-.Fa "const unsigned char *protos"
-.Fa "unsigned int protos_len"
-.Fc
-.Ft void
-.Fo SSL_CTX_set_alpn_select_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*cb)(SSL *ssl, const unsigned char **out,\
- unsigned char *outlen, const unsigned char *in,\
- unsigned int inlen, void *arg)"
-.Fa "void *arg"
-.Fc
-.Ft int
-.Fo SSL_select_next_proto
-.Fa "unsigned char **out"
-.Fa "unsigned char *outlen"
-.Fa "const unsigned char *peer_list"
-.Fa "unsigned int peer_list_len"
-.Fa "const unsigned char *supported_list"
-.Fa "unsigned int supported_list_len"
-.Fc
-.Ft void
-.Fo SSL_get0_alpn_selected
-.Fa "const SSL *ssl"
-.Fa "const unsigned char **data"
-.Fa "unsigned int *len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_alpn_protos
-and
-.Fn SSL_set_alpn_protos
-are used by the client to set the list of protocols available to be
-negotiated.
-The
-.Fa protos
-must be in protocol-list format, described below.
-The length of
-.Fa protos
-is specified in
-.Fa protos_len .
-.Pp
-.Fn SSL_CTX_set_alpn_select_cb
-sets the application callback
-.Fa cb
-used by a server to select which protocol to use for the incoming
-connection.
-When
-.Fa cb
-is
-.Dv NULL ,
-ALPN is not used.
-The
-.Fa arg
-value is a pointer which is passed to the application callback.
-.Pp
-.Fa cb
-is the application defined callback.
-The
-.Fa in ,
-.Fa inlen
-parameters are a vector in protocol-list format.
-The value of the
-.Fa out ,
-.Fa outlen
-vector should be set to the value of a single protocol selected from the
-.Fa in ,
-.Fa inlen
-vector.
-The
-.Fa out
-buffer may point directly into
-.Fa in ,
-or to a buffer that outlives the handshake.
-The
-.Fa arg
-parameter is the pointer set via
-.Fn SSL_CTX_set_alpn_select_cb .
-.Pp
-.Fn SSL_select_next_proto
-is a helper function used to select protocols.
-It is expected that this function is called from the application
-callback
-.Fa cb .
-If
-.Fn SSL_select_next_proto
-returns
-.Dv OPENSSL_NPN_NO_OVERLAP ,
-.Fa cb
-should ignore
-.Fa out
-and fail by returning
-.Dv SSL_TLSEXT_ERR_ALERT_FATAL .
-The protocol data in
-.Fa peer_list ,
-.Fa peer_list_len
-and
-.Fa supported_list ,
-.Fa supported_list_len
-must be two non-empty lists, validly encoded
-in the protocol-list format described below.
-The first item in the
-.Fa peer_list
-that matches an item in the
-.Fa supported_list
-is selected, and returned in
-.Fa out ,
-.Fa outlen .
-The
-.Fa out
-value will point into either
-.Fa peer_list
-or
-.Fa supported_list ,
-so it must not be modified and
-should be copied immediately.
-If no match is found, the first item in
-.Fa supported_list
-is returned in
-.Fa out ,
-.Fa outlen .
-.Pp
-.Fn SSL_get0_alpn_selected
-returns a pointer to the selected protocol in
-.Fa data
-with length
-.Fa len .
-It is not NUL-terminated.
-.Fa data
-is set to
-.Dv NULL
-and
-.Fa len
-is set to 0 if no protocol has been selected.
-.Fa data
-must not be freed.
-.Pp
-The protocol-lists must be in wire-format, which is defined as a vector
-of non-empty, 8-bit length-prefixed byte strings.
-The length-prefix byte is not included in the length.
-Each string is limited to 255 bytes.
-A byte-string length of 0 is invalid.
-The length of the vector is not in the vector itself, but in a separate
-variable.
-.Pp
-For example:
-.Bd -literal
-const unsigned char *vector = "\ex06" "spdy/1" "\ex08" "http/1.1";
-unsigned int length = strlen(vector);
-.Ed
-.Pp
-The ALPN callback is executed after the servername callback; as that
-servername callback may update the SSL_CTX, and subsequently, the ALPN
-callback.
-.Pp
-If there is no ALPN proposed in the ClientHello, the ALPN callback is
-not invoked.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_alpn_protos
-and
-.Fn SSL_set_alpn_protos
-return 0 on success or non-zero on failure.
-WARNING: these functions reverse the return value convention.
-.Pp
-.Fn SSL_select_next_proto
-returns one of the following:
-.Bl -tag -width Ds
-.It OPENSSL_NPN_NEGOTIATED
-A match was found and is returned in
-.Fa out ,
-.Fa outlen .
-.It OPENSSL_NPN_NO_OVERLAP
-No match was found.
-The first item in
-.Fa supported_list ,
-.Fa supported_list_len
-is returned in
-.Fa out ,
-.Fa outlen .
-.El
-.Pp
-The ALPN select callback
-.Fa cb
-must return one of the following:
-.Bl -tag -width Ds
-.It SSL_TLSEXT_ERR_OK
-ALPN protocol selected.
-.It SSL_TLSEXT_ERR_ALERT_FATAL
-There was no overlap between the client's supplied list and the
-server configuration.
-.It SSL_TLSEXT_ERR_NOACK
-ALPN protocol not selected, e.g., because no ALPN protocols are
-configured for this connection.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_tlsext_servername_arg 3 ,
-.Xr SSL_CTX_set_tlsext_servername_callback 3
-.Sh STANDARDS
-.Rs
-.%T TLS Application-Layer Protocol Negotiation Extension
-.%R RFC 7301
-.Re
-.Pp
-.Rs
-.%T TLS Next Protocol Negotiation Extension
-.%U https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg
-.Re
-.Sh HISTORY
-.Fn SSL_select_next_proto
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_CTX_set_alpn_protos ,
-.Fn SSL_set_alpn_protos ,
-.Fn SSL_CTX_set_alpn_select_cb ,
-and
-.Fn SSL_get0_alpn_selected
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 5.7 .
-.Sh CAVEATS
-The fallback to the first supported protocol in
-.Fn SSL_select_next_proto
-comes from the opportunistic fallback mechanism in the NPN extension.
-This behavior does not make sense for ALPN,
-where missing protocol overlap should result in a handshake failure.
-To avoid accidental selection of a protocol that the server does not
-support, it is recommended to pass the locally configured protocols
-as second pair of protocols in the ALPN callback.
-.Sh BUGS
-The
-.Fa out
-argument of
-.Fn SSL_select_next_proto
-should have been const.
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
deleted file mode 100644
index 1be1ba2f68..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ /dev/null
@@ -1,146 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.8 2024/08/03 04:53:01 tb Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2002, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 3 2024 $
-.Dt SSL_CTX_SET_CERT_STORE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_cert_store ,
-.Nm SSL_CTX_set1_cert_store ,
-.Nm SSL_CTX_get_cert_store
-.Nd manipulate X509 certificate verification storage
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
-.Ft void
-.Fn SSL_CTX_set1_cert_store "SSL_CTX *ctx" "X509_STORE *store"
-.Ft X509_STORE *
-.Fn SSL_CTX_get_cert_store "const SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_cert_store
-sets the verification storage of
-.Fa ctx
-to or replaces it with
-.Fa store .
-If another
-.Vt X509_STORE
-object is currently set in
-.Fa ctx ,
-it will be freed.
-.Pp
-.Fn SSL_CTX_set1_cert_store
-sets the verification storage of
-.Fa ctx
-to or replaces it with
-.Fa store .
-The
-.Fa store Ns 's
-reference count is incremented.
-.Pp
-.Fn SSL_CTX_get_cert_store
-returns a pointer to the current certificate verification storage.
-.Pp
-In order to verify the certificates presented by the peer, trusted CA
-certificates must be accessed.
-These CA certificates are made available via lookup methods, handled inside the
-.Vt X509_STORE .
-From the
-.Vt X509_STORE
-the
-.Vt X509_STORE_CTX
-used when verifying certificates is created.
-.Pp
-Typically the trusted certificate store is handled indirectly via using
-.Xr SSL_CTX_load_verify_locations 3 .
-Using the
-.Fn SSL_CTX_set_cert_store
-and
-.Fn SSL_CTX_get_cert_store
-functions it is possible to manipulate the
-.Vt X509_STORE
-object beyond the
-.Xr SSL_CTX_load_verify_locations 3
-call.
-.Pp
-Currently no detailed documentation on how to use the
-.Vt X509_STORE
-object is available.
-Not all members of the
-.Vt X509_STORE
-are used when the verification takes place.
-So will, for example, the
-.Fn verify_callback
-be overridden with the
-.Fn verify_callback
-set via the
-.Xr SSL_CTX_set_verify 3
-family of functions.
-This document must therefore be updated when documentation about the
-.Vt X509_STORE
-object and its handling becomes available.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_cert_store
-returns the current setting.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr X509_STORE_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_cert_store
-and
-.Fn SSL_CTX_get_cert_store
-first appeared in SSLeay 0.8.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_set1_cert_store
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
deleted file mode 100644
index 0e12b48c78..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_cert_verify_callback
-.Nd set peer certificate verification procedure
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_cert_verify_callback
-.Fa "SSL_CTX *ctx"
-.Fa "int (*callback)(X509_STORE_CTX *, void *)"
-.Fa "void *arg"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_cert_verify_callback
-sets the verification callback function for
-.Fa ctx .
-.Vt SSL
-objects that are created from
-.Fa ctx
-inherit the setting valid at the time when
-.Xr SSL_new 3
-is called.
-.Pp
-Whenever a certificate is verified during a SSL/TLS handshake,
-a verification function is called.
-If the application does not explicitly specify a verification callback
-function, the built-in verification function is used.
-If a verification callback
-.Fa callback
-is specified via
-.Fn SSL_CTX_set_cert_verify_callback ,
-the supplied callback function is called instead.
-By setting
-.Fa callback
-to
-.Dv NULL ,
-the default behaviour is restored.
-.Pp
-When the verification must be performed,
-.Fa callback
-will be called with the arguments
-.Fn callback "X509_STORE_CTX *x509_store_ctx" "void *arg" .
-The argument
-.Fa arg
-is specified by the application when setting
-.Fa callback .
-.Pp
-.Fa callback
-should return 1 to indicate verification success and 0 to indicate verification
-failure.
-If
-.Dv SSL_VERIFY_PEER
-is set and
-.Fa callback
-returns 0, the handshake will fail.
-As the verification procedure may allow the connection to continue in case of
-failure (by always returning 1) the verification result must be set in any case
-using the
-.Fa error
-member of
-.Fa x509_store_ctx
-so that the calling application will be informed about the detailed result of
-the verification procedure!
-.Pp
-Within
-.Fa x509_store_ctx ,
-.Fa callback
-has access to the
-.Fa verify_callback
-function set using
-.Xr SSL_CTX_set_verify 3 .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_get_verify_result 3
-.Sh HISTORY
-.Fn SSL_CTX_set_cert_verify_callback
-first appeared in SSLeay 0.6.1 and has been available since
-.Ox 2.4 .
-.Pp
-Previous to OpenSSL 0.9.7, the
-.Fa arg
-argument to
-.Fn SSL_CTX_set_cert_verify_callback
-was ignored, and
-.Fa callback
-was called
-simply as
-.Ft int
-.Fn (*callback) "X509_STORE_CTX *" .
-To compile software written for previous versions of OpenSSL,
-a dummy argument will have to be added to
-.Fa callback .
-.Sh CAVEATS
-Do not mix the verification callback described in this function with the
-.Fa verify_callback
-function called during the verification process.
-The latter is set using the
-.Xr SSL_CTX_set_verify 3
-family of functions.
-.Pp
-Providing a complete verification procedure including certificate purpose
-settings, etc., is a complex task.
-The built-in procedure is quite powerful and in most cases it should be
-sufficient to modify its behaviour using the
-.Fa verify_callback
-function.
-.Sh BUGS
-.Fn SSL_CTX_set_cert_verify_callback
-does not provide diagnostic information.
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
deleted file mode 100644
index b3f0dc3541..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ /dev/null
@@ -1,375 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.18 2025/01/18 12:20:02 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 18 2025 $
-.Dt SSL_CTX_SET_CIPHER_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_cipher_list ,
-.Nm SSL_set_cipher_list
-.Nd choose list of available SSL_CIPHERs
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_set_cipher_list "SSL_CTX *ctx" "const char *control"
-.Ft int
-.Fn SSL_set_cipher_list "SSL *ssl" "const char *control"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_cipher_list
-sets the list of available cipher suites for
-.Fa ctx
-using the
-.Fa control
-string.
-The list of cipher suites is inherited by all
-.Fa ssl
-objects created from
-.Fa ctx .
-.Pp
-.Fn SSL_set_cipher_list
-sets the list of cipher suites only for
-.Fa ssl .
-.Pp
-The control string consists of one or more control words
-separated by colon characters
-.Pq Ql \&: .
-Space
-.Pq Ql \ \& ,
-semicolon
-.Pq Ql \&; ,
-and comma
-.Pq Ql \&,
-characters can also be used as separators.
-Each control words selects a set of cipher suites
-and can take one of the following optional prefix characters:
-.Bl -tag -width Ds
-.It \&No prefix:
-Those of the selected cipher suites that have not been made available
-yet are added to the end of the list of available cipher suites,
-preserving their order.
-.It Prefixed minus sign Pq Ql \- :
-Those of the selected cipher suites that have been made available
-earlier are moved back from the list of available cipher suites to
-the beginning of the list of unavailable cipher suites,
-also preserving their order.
-.It Prefixed plus sign Pq Ql + :
-Those of the selected cipher suites have been made available earlier
-are moved to end of the list of available cipher suites, reducing
-their priority, but preserving the order among themselves.
-.It Prefixed exclamation mark Pq Ql \&! :
-The selected cipher suites are permanently deleted, no matter whether
-they had earlier been made available or not, and can no longer
-be added or re-added by later words.
-.El
-.Pp
-The following special words can only be used without a prefix:
-.Bl -tag -width Ds
-.It Cm DEFAULT
-An alias for
-.Sm off
-.Cm ALL No :! Cm aNULL No :! Cm eNULL .
-.Sm on
-It can only be used as the first word.
-The
-.Cm DEFAULT
-cipher list can be displayed with the
-.Xr openssl 1
-.Cm ciphers
-command.
-.It Cm @SECLEVEL=n
-Set the security level to n, which should be a number between
-zero and five.
-See
-.Xr SSL_CTX_set_security_level 3
-for details.
-.It Cm @STRENGTH
-Sort the list by decreasing encryption strength,
-preserving the order of cipher suites that have the same strength.
-It is usually given as the last word.
-.El
-.Pp
-The following words can be used to select groups of cipher suites,
-with or without a prefix character.
-If two or more of these words are joined with plus signs
-.Pq Ql +
-to form a longer word, only the intersection of the specified sets
-is selected.
-.Bl -tag -width Ds
-.It Cm ADH
-Cipher suites using ephemeral DH for key exchange
-without doing any server authentication.
-Equivalent to
-.Cm DH Ns + Ns Cm aNULL .
-.It Cm AEAD
-Cipher suites using Authenticated Encryption with Additional Data.
-.It Cm AECDH
-Cipher suites using ephemeral ECDH for key exchange
-without doing any server authentication.
-Equivalent to
-.Cm ECDH Ns + Ns Cm aNULL .
-.It Cm aECDSA
-Cipher suites using ECDSA server authentication.
-.It Cm AES
-Cipher suites using AES or AESGCM for symmetric encryption.
-.It Cm AES128
-Cipher suites using AES(128) or AESGCM(128) for symmetric encryption.
-.It Cm AES256
-Cipher suites using AES(256) or AESGCM(256) for symmetric encryption.
-.It Cm AESGCM
-Cipher suites using AESGCM for symmetric encryption.
-.It Cm aGOST
-An alias for
-.Cm aGOST01 .
-.It Cm aGOST01
-Cipher suites using GOST R 34.10-2001 server authentication.
-.It Cm ALL
-All cipher suites except those selected by
-.Cm eNULL .
-.It Cm aNULL
-Cipher suites that don't do any server authentication.
-Not enabled by
-.Cm DEFAULT .
-Beware of man-in-the-middle attacks.
-.It Cm aRSA
-Cipher suites using RSA server authentication.
-.It Cm CAMELLIA
-Cipher suites using Camellia for symmetric encryption.
-.It Cm CAMELLIA128
-Cipher suites using Camellia(128) for symmetric encryption.
-.It Cm CAMELLIA256
-Cipher suites using Camellia(256) for symmetric encryption.
-.It Cm CHACHA20
-Cipher suites using ChaCha20-Poly1305 for symmetric encryption.
-.It Cm COMPLEMENTOFALL
-Cipher suites that are not included in
-.Cm ALL .
-Currently an alias for
-.Cm eNULL .
-.It Cm COMPLEMENTOFDEFAULT
-Cipher suites that are included in
-.Cm ALL ,
-but not included in
-.Cm DEFAULT .
-Currently similar to
-.Cm aNULL Ns :! Ns Cm eNULL
-except for the order of the cipher suites which are
-.Em not
-selected.
-.It Cm 3DES
-Cipher suites using triple DES for symmetric encryption.
-.It Cm DH
-Cipher suites using ephemeral DH for key exchange.
-.It Cm DHE
-Cipher suites using ephemeral DH for key exchange,
-but excluding those that don't do any server authentication.
-Similar to
-.Cm DH Ns :! Ns Cm aNULL
-except for the order of the cipher suites which are
-.Em not
-selected.
-.It Cm ECDH
-Cipher suites using ephemeral ECDH for key exchange.
-.It Cm ECDHE
-Cipher suites using ephemeral ECDH for key exchange,
-but excluding those that don't do any server authentication.
-Similar to
-.Cm ECDH Ns :! Ns Cm aNULL
-except for the order of the cipher suites which are
-.Em not
-selected.
-.It Cm ECDSA
-An alias for
-.Cm aECDSA .
-.It Cm eNULL
-Cipher suites that do not use any encryption.
-Not enabled by
-.Cm DEFAULT ,
-and not even included in
-.Cm ALL .
-.It Cm GOST89MAC
-Cipher suites using GOST 28147-89 for message authentication
-instead of HMAC.
-.It Cm GOST94
-Cipher suites using HMAC based on GOST R 34.11-94
-for message authentication.
-.It Cm HIGH
-Cipher suites of high strength.
-.It Cm kGOST
-Cipher suites using VKO 34.10 key exchange, specified in RFC 4357.
-.It Cm kRSA
-Cipher suites using RSA key exchange.
-.It Cm LOW
-Cipher suites of low strength.
-.It Cm MD5
-Cipher suites using MD5 for message authentication.
-.It Cm MEDIUM
-Cipher suites of medium strength.
-.It Cm NULL
-An alias for
-.Cm eNULL .
-.It Cm RC4
-Cipher suites using RC4 for symmetric encryption.
-.It Cm RSA
-Cipher suites using RSA for both key exchange and server authentication.
-Equivalent to
-.Cm kRSA Ns + Ns Cm aRSA .
-.It Cm SHA
-An alias for
-.Cm SHA1 .
-.It Cm SHA1
-Cipher suites using SHA1 for message authentication.
-.It Cm SHA256
-Cipher suites using SHA256 for message authentication.
-.It Cm SHA384
-Cipher suites using SHA384 for message authentication.
-.It Cm SSLv3
-An alias for
-.Cm TLSv1 .
-.It Cm STREEBOG256
-Cipher suites using STREEBOG256 for message authentication.
-.It Cm TLSv1
-Cipher suites usable with the TLSv1.0, TLSv1.1, and TLSv1.2 protocols.
-.It Cm TLSv1.2
-Cipher suites for the TLSv1.2 protocol.
-.It Cm TLSv1.3
-Cipher suites for the TLSv1.3 protocol.
-If the
-.Fa control
-string selects at least one cipher suite but neither contains the word
-.Cm TLSv1.3
-nor specifically includes nor excludes any TLSv1.3 cipher suites, all the
-.Cm TLSv1.3
-cipher suites are made available, too.
-.El
-.Pp
-The full words returned by the
-.Xr openssl 1
-.Cm ciphers
-command can be used to select individual cipher suites.
-.Pp
-The following are deprecated aliases:
-.Pp
-.Bl -column kEECDH ECDHE -compact -offset indent
-.It    avoid: Ta    use:
-.It Cm EDH    Ta Cm DHE
-.It Cm EECDH  Ta Cm ECDHE
-.It Cm kEDH   Ta Cm DH
-.It Cm kEECDH Ta Cm ECDH
-.El
-.Pp
-Unknown words are silently ignored, selecting no cipher suites.
-Failure is only flagged if the
-.Fa control
-string contains invalid bytes
-or if no matching cipher suites are available at all.
-.Pp
-On the client side, including a cipher suite into the list of
-available cipher suites is sufficient for using it.
-On the server side, all cipher suites have additional requirements.
-ADH ciphers don't need a certificate, but DH-parameters must have been set.
-All other cipher suites need a corresponding certificate and key.
-.Pp
-A RSA cipher can only be chosen when an RSA certificate is available.
-RSA ciphers using DHE need a certificate and key and additional DH-parameters
-(see
-.Xr SSL_CTX_set_tmp_dh_callback 3 ) .
-.Pp
-When these conditions are not met
-for any cipher suite in the list (for example, a
-client only supports export RSA ciphers with an asymmetric key length of 512
-bits and the server is not configured to use temporary RSA keys), the
-.Dq no shared cipher
-.Pq Dv SSL_R_NO_SHARED_CIPHER
-error is generated and the handshake will fail.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_cipher_list
-and
-.Fn SSL_set_cipher_list
-return 1 if any cipher suite could be selected and 0 on complete failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set1_groups 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_get_ciphers 3
-.Sh HISTORY
-.Fn SSL_CTX_set_cipher_list
-and
-.Fn SSL_set_cipher_list
-first appeared in SSLeay 0.5.2 and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-In LibreSSL,
-.Fn SSL_CTX_set_cipher_list
-and
-.Fn SSL_set_cipher_list
-can be used to configure the list of available cipher suites for
-all versions of the TLS protocol, whereas in OpenSSL, they only
-control cipher suites for protocols up to TLSv1.2.
-If compatibility with OpenSSL is required, the list of
-available TLSv1.3 cipher suites can only be changed with
-.Fn SSL_set_ciphersuites .
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
deleted file mode 100644
index d19fb93ed0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 30 2020 $
-.Dt SSL_CTX_SET_CLIENT_CA_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_client_CA_list ,
-.Nm SSL_set_client_CA_list ,
-.Nm SSL_CTX_add_client_CA ,
-.Nm  SSL_add_client_CA
-.Nd set list of CAs sent to the client when requesting a client certificate
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_client_CA_list "SSL_CTX *ctx" "STACK_OF(X509_NAME) *list"
-.Ft void
-.Fn SSL_set_client_CA_list "SSL *s" "STACK_OF(X509_NAME) *list"
-.Ft int
-.Fn SSL_CTX_add_client_CA "SSL_CTX *ctx" "X509 *cacert"
-.Ft int
-.Fn SSL_add_client_CA "SSL *ssl" "X509 *cacert"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_client_CA_list
-sets the
-.Fa list
-of CAs sent to the client when requesting a client certificate for
-.Fa ctx .
-.Pp
-.Fn SSL_set_client_CA_list
-sets the
-.Fa list
-of CAs sent to the client when requesting a client certificate for the chosen
-.Fa ssl ,
-overriding the setting valid for
-.Fa ssl Ns 's
-.Vt SSL_CTX
-object.
-.Pp
-.Fn SSL_CTX_add_client_CA
-adds the CA name extracted from
-.Fa cacert
-to the list of CAs sent to the client when requesting a client certificate for
-.Fa ctx .
-.Pp
-.Fn SSL_add_client_CA
-adds the CA name extracted from
-.Fa cacert
-to the list of CAs sent to the client when requesting a client certificate for
-the chosen
-.Fa ssl ,
-overriding the setting valid for
-.Fa ssl Ns 's
-.Va SSL_CTX
-object.
-.Pp
-When a TLS/SSL server requests a client certificate (see
-.Fn SSL_CTX_set_verify ) ,
-it sends a list of CAs for which it will accept certificates to the client.
-.Pp
-This list must explicitly be set using
-.Fn SSL_CTX_set_client_CA_list
-for
-.Fa ctx
-and
-.Fn SSL_set_client_CA_list
-for the specific
-.Fa ssl .
-The list specified overrides the previous setting.
-The CAs listed do not become trusted
-.Po
-.Fa list
-only contains the names, not the complete certificates
-.Pc ;
-use
-.Xr SSL_CTX_load_verify_locations 3
-to additionally load them for verification.
-.Pp
-If the list of acceptable CAs is compiled in a file, the
-.Xr SSL_load_client_CA_file 3
-function can be used to help importing the necessary data.
-.Pp
-.Fn SSL_CTX_add_client_CA
-and
-.Fn SSL_add_client_CA
-can be used to add additional items the list of client CAs.
-If no list was specified before using
-.Fn SSL_CTX_set_client_CA_list
-or
-.Fn SSL_set_client_CA_list ,
-a new client CA list for
-.Fa ctx
-or
-.Fa ssl
-(as appropriate) is opened.
-.Pp
-These functions are only useful for TLS/SSL servers.
-.Sh RETURN VALUES
-.Fn SSL_CTX_add_client_CA
-and
-.Fn SSL_add_client_CA
-have the following return values:
-.Bl -tag -width Ds
-.It 0
-A failure while manipulating the
-.Dv STACK_OF Ns
-.Pq Vt X509_NAME
-object occurred or the
-.Vt X509_NAME
-could not be extracted from
-.Fa cacert .
-Check the error stack to find out the reason.
-.It 1
-The operation succeeded.
-.El
-.Sh EXAMPLES
-Scan all certificates in
-.Fa CAfile
-and list them as acceptable CAs:
-.Bd -literal
-SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_get_client_CA_list 3 ,
-.Xr SSL_load_client_CA_file 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_client_CA_list ,
-.Fn SSL_set_client_CA_list ,
-.Fn SSL_CTX_add_client_CA ,
-and
-.Fn SSL_add_client_CA
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
deleted file mode 100644
index a2433b5e92..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ /dev/null
@@ -1,191 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_CLIENT_CERT_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_client_cert_cb ,
-.Nm SSL_CTX_get_client_cert_cb
-.Nd handle client certificate callback function
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_client_cert_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)"
-.Fc
-.Ft int
-.Fo "(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl" "X509 **x509" "EVP_PKEY **pkey"
-.Fc
-.Ft int
-.Fn "(*client_cert_cb)" "SSL *ssl" "X509 **x509" "EVP_PKEY **pkey"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_client_cert_cb
-sets the
-.Fa client_cert_cb()
-callback that is called when a client certificate is requested by a server and
-no certificate was yet set for the SSL object.
-.Pp
-When
-.Fa client_cert_cb
-is
-.Dv NULL ,
-no callback function is used.
-.Pp
-.Fn SSL_CTX_get_client_cert_cb
-returns a pointer to the currently set callback function.
-.Pp
-.Fn client_cert_cb
-is the application-defined callback.
-If it wants to set a certificate,
-a certificate/private key combination must be set using the
-.Fa x509
-and
-.Fa pkey
-arguments and 1 must be returned.
-The certificate will be installed into
-.Fa ssl .
-If no certificate should be set,
-0 has to be returned and no certificate will be sent.
-A negative return value will suspend the handshake and the handshake function
-will return immediately.
-.Xr SSL_get_error 3
-will return
-.Dv SSL_ERROR_WANT_X509_LOOKUP
-to indicate that the handshake was suspended.
-The next call to the handshake function will again lead to the call of
-.Fa client_cert_cb() .
-It is the job of the
-.Fa client_cert_cb()
-to store information
-about the state of the last call, if required to continue.
-.Pp
-During a handshake (or renegotiation)
-a server may request a certificate from the client.
-A client certificate must only be sent when the server did send the request.
-.Pp
-When a certificate has been set using the
-.Xr SSL_CTX_use_certificate 3
-family of functions,
-it will be sent to the server.
-The TLS standard requires that only a certificate is sent if it matches the
-list of acceptable CAs sent by the server.
-This constraint is violated by the default behavior of the OpenSSL library.
-Using the callback function it is possible to implement a proper selection
-routine or to allow a user interaction to choose the certificate to be sent.
-.Pp
-If a callback function is defined and no certificate was yet defined for the
-.Vt SSL
-object, the callback function will be called.
-If the callback function returns a certificate, the OpenSSL library
-will try to load the private key and certificate data into the
-.Vt SSL
-object using the
-.Fn SSL_use_certificate
-and
-.Fn SSL_use_private_key
-functions.
-Thus it will permanently install the certificate and key for this SSL object.
-It will not be reset by calling
-.Xr SSL_clear 3 .
-If the callback returns no certificate, the OpenSSL library will not send a
-certificate.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_get_client_CA_list 3
-.Sh HISTORY
-.Fn SSL_CTX_set_client_cert_cb
-and
-.Fn SSL_CTX_get_client_cert_cb
-first appeared in SSLeay 0.6.6 and have been available since
-.Ox 2.4 .
-.Sh BUGS
-The
-.Fa client_cert_cb()
-cannot return a complete certificate chain;
-it can only return one client certificate.
-If the chain only has a length of 2,
-the root CA certificate may be omitted according to the TLS standard and
-thus a standard conforming answer can be sent to the server.
-For a longer chain, the client must send the complete chain
-(with the option to leave out the root CA certificate).
-This can be accomplished only by either adding the intermediate CA certificates
-into the trusted certificate store for the
-.Vt SSL_CTX
-object (resulting in having to add CA certificates that otherwise maybe would
-not be trusted), or by adding the chain certificates using the
-.Xr SSL_CTX_add_extra_chain_cert 3
-function, which is only available for the
-.Vt SSL_CTX
-object as a whole and that therefore probably can only apply for one client
-certificate, making the concept of the callback function
-(to allow the choice from several certificates) questionable.
-.Pp
-Once the
-.Vt SSL
-object has been used in conjunction with the callback function,
-the certificate will be set for the
-.Vt SSL
-object and will not be cleared even when
-.Xr SSL_clear 3
-is called.
-It is therefore
-.Em mandatory
-to destroy the
-.Vt SSL
-object using
-.Xr SSL_free 3
-and create a new one to return to the previous state.
diff --git a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
deleted file mode 100644
index 94b4ea543d..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ /dev/null
@@ -1,216 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.9 2023/09/19 09:40:35 schwarze Exp $
-.\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\" selective merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>
-.\" and Christian Heimes <cheimes@redhat.com>.
-.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 19 2023 $
-.Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_default_passwd_cb ,
-.Nm SSL_CTX_set_default_passwd_cb_userdata ,
-.Nm SSL_CTX_get_default_passwd_cb ,
-.Nm SSL_CTX_get_default_passwd_cb_userdata
-.Nd set or get passwd callback for encrypted PEM file handling
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb"
-.Ft void
-.Fn SSL_CTX_set_default_passwd_cb_userdata "SSL_CTX *ctx" "void *userdata"
-.Ft pem_password_cb *
-.Fn SSL_CTX_get_default_passwd_cb "SSL_CTX *ctx"
-.Ft void *
-.Fn SSL_CTX_get_default_passwd_cb_userdata "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_default_passwd_cb
-sets the password callback for loading a certificate or private key
-from encrypted PEM format.
-In particular, the callback is used by
-.Xr SSL_CTX_use_certificate_file 3 ,
-.Xr SSL_use_certificate_file 3 ,
-.Xr SSL_CTX_use_certificate_chain_file 3 ,
-.Xr SSL_use_certificate_chain_file 3 ,
-.Xr SSL_CTX_use_certificate_chain_mem 3 ,
-.Xr SSL_CTX_use_PrivateKey_file 3 ,
-.Xr SSL_use_PrivateKey_file 3 ,
-.Xr SSL_CTX_use_RSAPrivateKey_file 3 ,
-and
-.Xr SSL_use_RSAPrivateKey_file 3 .
-.Pp
-The function pointer type of the
-.Fa cb
-argument is documented in the
-.Xr pem_password_cb 3
-manual page.
-If
-.Fn SSL_CTX_set_default_passwd_cb
-is not called on
-.Fa ctx
-or if it is called with a
-.Fa cb
-argument of
-.Dv NULL ,
-.Xr PEM_def_callback 3
-is used instead.
-.Pp
-.Fn SSL_CTX_set_default_passwd_cb_userdata
-sets a pointer to the
-.Fa userdata
-which will be provided to the password callback on invocation.
-.Pp
-Since the
-.Fa cb
-passed to
-.Fn SSL_CTX_set_default_passwd_cb
-will only be used for reading and decryption and not for writing and
-encryption, the library will only call it with a
-.Fa verify
-argument of 0.
-.Pp
-If an application program only needs to read and decrypt
-one single private key, it can be practical to have the
-callback handle the password dialog interactively.
-This happens by default if neither
-.Fn SSL_CTX_set_default_passwd_cb
-nor
-.Fn SSL_CTX_set_default_passwd_cb_userdata
-is called.
-In that case, the library uses
-.Xr PEM_def_callback 3
-with a
-.Fa userdata
-argument of
-.Dv NULL .
-.Pp
-If several keys have to be handled, it can be practical
-to ask for the password once, for example using
-.Xr UI_UTIL_read_pw_string 3 ,
-then keep it in memory and use it several times by passing a pointer to it to
-.Fn SSL_CTX_set_default_passwd_cb_userdata .
-.Xr PEM_def_callback 3
-is able to handle this case, too, so calling
-.Fn SSL_CTX_set_default_passwd_cb
-is not needed in this case either.
-.Pp
-Other items in PEM formatting (certificates) can also be encrypted; it is
-however atypical, as certificate information is considered public.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_default_passwd_cb
-returns a function pointer to the password callback currently set in
-.Fa ctx ,
-or
-.Dv NULL
-if none is set.
-.Pp
-.Fn SSL_CTX_get_default_passwd_cb_userdata
-returns a pointer to the userdata currently set in
-.Fa ctx ,
-or
-.Dv NULL
-if none is set.
-.Sh EXAMPLES
-The following example provides a subset of the functionality of
-.Xr PEM_def_callback 3 ,
-except that
-.Xr PEM_def_callback 3
-does not NUL-terminate and copies up to
-.Fa size
-rather than
-.Fa size No \- 1
-bytes.
-It interprets
-.Fa userdata
-as a NUL-terminated string and copies it to the
-.Fa password
-buffer, truncating the copy if it does not fit.
-.Bd -literal
-int
-trivial_passwd_cb(char *password, int size, int verify, void *userdata)
-{
-        strlcpy(password, userdata, size);
-        return strlen(password);
-}
-.Ed
-.Sh SEE ALSO
-.Xr pem_password_cb 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_use_certificate 3
-.Sh HISTORY
-.Fn SSL_CTX_set_default_passwd_cb
-first appeared in SSLeay 0.6.2 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_set_default_passwd_cb_userdata
-first appeared in OpenSSL 0.9.4 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_get_default_passwd_cb
-and
-.Fn SSL_CTX_get_default_passwd_cb_userdata
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
deleted file mode 100644
index d85383d776..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ /dev/null
@@ -1,221 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 22 2018 $
-.Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_generate_session_id ,
-.Nm SSL_set_generate_session_id ,
-.Nm SSL_has_matching_session_id ,
-.Nm GEN_SESSION_CB
-.Nd manipulate generation of SSL session IDs (server only)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft typedef int
-.Fo (*GEN_SESSION_CB)
-.Fa "const SSL *ssl"
-.Fa "unsigned char *id"
-.Fa "unsigned int *id_len"
-.Fc
-.Ft int
-.Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb"
-.Ft int
-.Fn SSL_set_generate_session_id "SSL *ssl" "GEN_SESSION_CB cb"
-.Ft int
-.Fo SSL_has_matching_session_id
-.Fa "const SSL *ssl" "const unsigned char *id" "unsigned int id_len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_generate_session_id
-sets the callback function for generating new session ids for SSL/TLS sessions
-for
-.Fa ctx
-to be
-.Fa cb .
-.Pp
-.Fn SSL_set_generate_session_id
-sets the callback function for generating new session ids for SSL/TLS sessions
-for
-.Fa ssl
-to be
-.Fa cb .
-.Pp
-.Fn SSL_has_matching_session_id
-checks, whether a session with id
-.Fa id
-(of length
-.Fa id_len )
-is already contained in the internal session cache
-of the parent context of
-.Fa ssl .
-.Pp
-When a new session is established between client and server,
-the server generates a session id.
-The session id is an arbitrary sequence of bytes.
-The length of the session id is between 1 and 32 bytes.
-The session id is not security critical but must be unique for the server.
-Additionally, the session id is transmitted in the clear when reusing the
-session so it must not contain sensitive information.
-.Pp
-Without a callback being set, an OpenSSL server will generate a unique session
-id from pseudo random numbers of the maximum possible length.
-Using the callback function, the session id can be changed to contain
-additional information like, e.g., a host id in order to improve load balancing
-or external caching techniques.
-.Pp
-The callback function receives a pointer to the memory location to put
-.Fa id
-into and a pointer to the maximum allowed length
-.Fa id_len .
-The buffer at location
-.Fa id
-is only guaranteed to have the size
-.Fa id_len .
-The callback is only allowed to generate a shorter id and reduce
-.Fa id_len ;
-the callback
-.Em must never
-increase
-.Fa id_len
-or write to the location
-.Fa id
-exceeding the given limit.
-.Pp
-The location
-.Fa id
-is filled with 0x00 before the callback is called,
-so the callback may only fill part of the possible length and leave
-.Fa id_len
-untouched while maintaining reproducibility.
-.Pp
-Since the sessions must be distinguished, session ids must be unique.
-Without the callback a random number is used,
-so that the probability of generating the same session id is extremely small
-(2^256 for TLSv1).
-In order to ensure the uniqueness of the generated session id,
-the callback must call
-.Fn SSL_has_matching_session_id
-and generate another id if a conflict occurs.
-If an id conflict is not resolved, the handshake will fail.
-If the application codes, e.g., a unique host id, a unique process number, and
-a unique sequence number into the session id, uniqueness could easily be
-achieved without randomness added (it should however be taken care that
-no confidential information is leaked this way).
-If the application cannot guarantee uniqueness,
-it is recommended to use the maximum
-.Fa id_len
-and fill in the bytes not used to code special information with random data to
-avoid collisions.
-.Pp
-.Fn SSL_has_matching_session_id
-will only query the internal session cache, not the external one.
-Since the session id is generated before the handshake is completed,
-it is not immediately added to the cache.
-If another thread is using the same internal session cache,
-a race condition can occur in that another thread generates the same session id.
-Collisions can also occur when using an external session cache,
-since the external cache is not tested with
-.Fn SSL_has_matching_session_id
-and the same race condition applies.
-.Pp
-The callback must return 0 if it cannot generate a session id for whatever
-reason and return 1 on success.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_generate_session_id
-and
-.Fn SSL_set_generate_session_id
-always return 1.
-.Pp
-.Fn SSL_has_matching_session_id
-returns 1 if another session with the same id is already in the cache.
-.Sh EXAMPLES
-The callback function listed will generate a session id with the server id
-given, and will fill the rest with pseudo random bytes:
-.Bd -literal
-const char session_id_prefix = "www-18";
-
-#define MAX_SESSION_ID_ATTEMPTS 10
-static int
-generate_session_id(const SSL *ssl, unsigned char *id,
-    unsigned int *id_len)
-{
-        unsigned int count = 0;
-
-        do {
-                RAND_pseudo_bytes(id, *id_len);
-                /*
-                 * Prefix the session_id with the required prefix. NB: If
-                 * our prefix is too long, clip it \(en but there will be
-                 * worse effects anyway, e.g., the server could only
-                 * possibly create one session ID (the prefix!) so all
-                 * future session negotiations will fail due to conflicts.
-                 */
-                memcpy(id, session_id_prefix,
-                    (strlen(session_id_prefix) < *id_len) ?
-                    strlen(session_id_prefix) : *id_len);
-        } while (SSL_has_matching_session_id(ssl, id, *id_len) &&
-            (++count < MAX_SESSION_ID_ATTEMPTS));
-
-        if (count >= MAX_SESSION_ID_ATTEMPTS)
-                return 0;
-        return 1;
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_version 3
-.Sh HISTORY
-.Fn SSL_CTX_set_generate_session_id ,
-.Fn SSL_set_generate_session_id
-and
-.Fn SSL_has_matching_session_id
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
deleted file mode 100644
index 76eb8bee61..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ /dev/null
@@ -1,233 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_INFO_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_info_callback ,
-.Nm SSL_CTX_get_info_callback ,
-.Nm SSL_set_info_callback ,
-.Nm SSL_get_info_callback
-.Nd handle information callback for SSL connections
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_info_callback
-.Fa "SSL_CTX *ctx"
-.Fa "void (*callback)(const SSL *ssl, int where, int ret)"
-.Fc
-.Ft void
-.Fo "(*SSL_CTX_get_info_callback(const SSL_CTX *ctx))"
-.Fa "const SSL *ssl"
-.Fa "int where"
-.Fa "int ret"
-.Fc
-.Ft void
-.Fo SSL_set_info_callback
-.Fa "SSL *ssl"
-.Fa "void (*callback)(const SSL *ssl, int where, int ret)"
-.Fc
-.Ft void
-.Fo "(*SSL_get_info_callback(const SSL *ssl))"
-.Fa "const SSL *ssl"
-.Fa "int where"
-.Fa "int ret"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_info_callback
-sets the
-.Fa callback
-function that can be used to obtain state information for SSL objects created
-from
-.Fa ctx
-during connection setup and use.
-The setting for
-.Fa ctx
-is overridden from the setting for a specific SSL object, if specified.
-When
-.Fa callback
-is
-.Dv NULL ,
-no callback function is used.
-.Pp
-.Fn SSL_set_info_callback
-sets the
-.Fa callback
-function that can be used to
-obtain state information for
-.Fa ssl
-during connection setup and use.
-When
-.Fa callback
-is
-.Dv NULL ,
-the callback setting currently valid for
-.Fa ctx
-is used.
-.Pp
-.Fn SSL_CTX_get_info_callback
-returns a pointer to the currently set information callback function for
-.Fa ctx .
-.Pp
-.Fn SSL_get_info_callback
-returns a pointer to the currently set information callback function for
-.Fa ssl .
-.Pp
-When setting up a connection and during use,
-it is possible to obtain state information from the SSL/TLS engine.
-When set, an information callback function is called whenever the state changes,
-an alert appears, or an error occurs.
-.Pp
-The callback function is called as
-.Fn callback "SSL *ssl" "int where" "int ret" .
-The
-.Fa where
-argument specifies information about where (in which context)
-the callback function was called.
-If
-.Fa ret
-is 0, an error condition occurred.
-If an alert is handled,
-.Dv SSL_CB_ALERT
-is set and
-.Fa ret
-specifies the alert information.
-.Pp
-.Fa where
-is a bitmask made up of the following bits:
-.Bl -tag -width Ds
-.It Dv SSL_CB_LOOP
-Callback has been called to indicate state change inside a loop.
-.It Dv SSL_CB_EXIT
-Callback has been called to indicate error exit of a handshake function.
-(May be soft error with retry option for non-blocking setups.)
-.It Dv SSL_CB_READ
-Callback has been called during read operation.
-.It Dv SSL_CB_WRITE
-Callback has been called during write operation.
-.It Dv SSL_CB_ALERT
-Callback has been called due to an alert being sent or received.
-.It Dv SSL_CB_READ_ALERT
-.It Dv SSL_CB_WRITE_ALERT
-.It Dv SSL_CB_ACCEPT_LOOP
-.It Dv SSL_CB_ACCEPT_EXIT
-.It Dv SSL_CB_CONNECT_LOOP
-.It Dv SSL_CB_CONNECT_EXIT
-.It Dv SSL_CB_HANDSHAKE_START
-Callback has been called because a new handshake is started.
-.It Dv SSL_CB_HANDSHAKE_DONE
-Callback has been called because a handshake is finished.
-.El
-.Pp
-The current state information can be obtained using the
-.Xr SSL_state_string 3
-family of functions.
-.Pp
-The
-.Fa ret
-information can be evaluated using the
-.Xr SSL_alert_type_string 3
-family of functions.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_info_callback
-and
-.Fn SSL_get_info_callback
-return a pointer to the current callback or
-.Dv NULL
-if none is set.
-.Sh EXAMPLES
-The following example callback function prints state strings,
-information about alerts being handled and error messages to the
-.Va bio_err
-.Vt BIO .
-.Bd -literal
-void
-apps_ssl_info_callback(SSL *s, int where, int ret)
-{
-        const char *str;
-        int w;
-
-        w = where & ~SSL_ST_MASK;
-
-        if (w & SSL_ST_CONNECT)
-                str = "SSL_connect";
-        else if (w & SSL_ST_ACCEPT)
-                str = "SSL_accept";
-        else
-                str = "undefined";
-
-        if (where & SSL_CB_LOOP) {
-                BIO_printf(bio_err, "%s:%s\en", str,
-                    SSL_state_string_long(s));
-        } else if (where & SSL_CB_ALERT) {
-                str = (where & SSL_CB_READ) ? "read" : "write";
-                BIO_printf(bio_err, "SSL3 alert %s:%s:%s\en", str,
-                        SSL_alert_type_string_long(ret),
-                        SSL_alert_desc_string_long(ret));
-        } else if (where & SSL_CB_EXIT) {
-                if (ret == 0)
-                        BIO_printf(bio_err, "%s:failed in %s\en",
-                                str, SSL_state_string_long(s));
-                else if (ret < 0) {
-                        BIO_printf(bio_err, "%s:error in %s\en",
-                                str, SSL_state_string_long(s));
-                }
-        }
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_alert_type_string 3 ,
-.Xr SSL_state_string 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.6.0
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
deleted file mode 100644
index 24b8f9992f..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
+++ /dev/null
@@ -1,56 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.3 2024/05/16 08:39:30 tb Exp $
-.\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 16 2024 $
-.Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_keylog_callback ,
-.Nm SSL_CTX_get_keylog_callback
-.Nd set and get the unused key logging callback
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft typedef void
-.Fo (*SSL_CTX_keylog_cb_func)
-.Fa "const SSL *ssl"
-.Fa "const char *line"
-.Fc
-.Ft void
-.Fn SSL_CTX_set_keylog_callback "SSL_CTX *ctx" "SSL_CTX_keylog_cb_func cb"
-.Ft SSL_CTX_keylog_cb_func
-.Fn SSL_CTX_get_keylog_callback "const SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_keylog_callback
-sets the TLS key logging callback.
-This callback is never called in LibreSSL.
-.Pp
-.Fn SSL_CTX_get_keylog_callback
-retrieves the previously set TLS key logging callback.
-.Pp
-These functions are provided only for compatibility with OpenSSL.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_keylog_callback
-returns the previously set TLS key logging callback, or
-.Dv NULL
-if no callback has been set.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3
-.Sh HISTORY
-These function first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
deleted file mode 100644
index 89513b1006..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ /dev/null
@@ -1,154 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SET_MAX_CERT_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_max_cert_list ,
-.Nm SSL_CTX_get_max_cert_list ,
-.Nm SSL_set_max_cert_list ,
-.Nm SSL_get_max_cert_list
-.Nd manipulate allowed size for the peer's certificate chain
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_max_cert_list "SSL_CTX *ctx" "long size"
-.Ft long
-.Fn SSL_CTX_get_max_cert_list "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_set_max_cert_list "SSL *ssl" "long size"
-.Ft long
-.Fn SSL_get_max_cert_list "SSL *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_max_cert_list
-sets the maximum size allowed for the peer's certificate chain for all
-.Vt SSL
-objects created from
-.Fa ctx
-to be
-.Fa size
-bytes.
-The
-.Vt SSL
-objects inherit the setting valid for
-.Fa ctx
-at the time
-.Xr SSL_new 3
-is being called.
-.Pp
-.Fn SSL_CTX_get_max_cert_list
-returns the currently set maximum size for
-.Fa ctx .
-.Pp
-.Fn SSL_set_max_cert_list
-sets the maximum size allowed for the peer's certificate chain for
-.Fa ssl
-to be
-.Fa size
-bytes.
-This setting stays valid until a new value is set.
-.Pp
-.Fn SSL_get_max_cert_list
-returns the currently set maximum size for
-.Fa ssl .
-.Pp
-During the handshake process, the peer may send a certificate chain.
-The TLS/SSL standard does not give any maximum size of the certificate chain.
-The OpenSSL library handles incoming data by a dynamically allocated buffer.
-In order to prevent this buffer from growing without bound due to data
-received from a faulty or malicious peer, a maximum size for the certificate
-chain is set.
-.Pp
-The default value for the maximum certificate chain size is 100kB (30kB
-on the 16bit DOS platform).
-This should be sufficient for usual certificate chains
-(OpenSSL's default maximum chain length is 10, see
-.Xr SSL_CTX_set_verify 3 ,
-and certificates without special extensions have a typical size of 1-2kB).
-.Pp
-For special applications it can be necessary to extend the maximum certificate
-chain size allowed to be sent by the peer.
-See for example the work on
-.%T "Internet X.509 Public Key Infrastructure Proxy Certificate Profile"
-and
-.%T "TLS Delegation Protocol"
-at
-.Lk https://www.ietf.org/
-and
-.Lk http://www.globus.org/ .
-.Pp
-Under normal conditions it should never be necessary to set a value smaller
-than the default, as the buffer is handled dynamically and only uses the
-memory actually required by the data sent by the peer.
-.Pp
-If the maximum certificate chain size allowed is exceeded, the handshake will
-fail with a
-.Dv SSL_R_EXCESSIVE_MESSAGE_SIZE
-error.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_max_cert_list
-and
-.Fn SSL_set_max_cert_list
-return the previously set value.
-.Pp
-.Fn SSL_CTX_get_max_cert_list
-and
-.Fn SSL_get_max_cert_list
-return the currently set value.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
deleted file mode 100644
index a2597cda83..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ /dev/null
@@ -1,156 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $
-.\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
-.\"
-.\" This file was written by Kurt Roeckx <kurt@roeckx.be> and
-.\" Christian Heimes <christian@python.org>.
-.\" Copyright (c) 2015, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 15 2021 $
-.Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_min_proto_version ,
-.Nm SSL_CTX_set_max_proto_version ,
-.Nm SSL_CTX_get_min_proto_version ,
-.Nm SSL_CTX_get_max_proto_version ,
-.Nm SSL_set_min_proto_version ,
-.Nm SSL_set_max_proto_version ,
-.Nm SSL_get_min_proto_version ,
-.Nm SSL_get_max_proto_version
-.Nd get and set minimum and maximum supported protocol version
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_min_proto_version
-.Fa "SSL_CTX *ctx"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_CTX_set_max_proto_version
-.Fa "SSL_CTX *ctx"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_CTX_get_min_proto_version
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_CTX_get_max_proto_version
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_set_min_proto_version
-.Fa "SSL *ssl"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_set_max_proto_version
-.Fa "SSL *ssl"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_get_min_proto_version
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_get_max_proto_version
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-These functions get or set the minimum and maximum supported protocol
-versions for
-.Fa ctx
-or
-.Fa ssl .
-This works in combination with the options set via
-.Xr SSL_CTX_set_options 3
-that also make it possible to disable specific protocol versions.
-Use these functions instead of disabling specific protocol versions.
-.Pp
-Setting the minimum or maximum version to 0 will enable protocol
-versions down to the lowest or up to the highest version supported
-by the library, respectively.
-.Pp
-Currently supported versions are
-.Dv TLS1_VERSION ,
-.Dv TLS1_1_VERSION ,
-and
-.Dv TLS1_2_VERSION
-for TLS and
-.Dv DTLS1_VERSION
-and
-.Dv DTLS1_2_VERSION
-for DTLS.
-.Pp
-In other implementations, these functions may be implemented as macros.
-.Sh RETURN VALUES
-The setter functions return 1 on success or 0 on failure.
-.Pp
-The getter functions return the configured version or 0 if
-.Fa ctx
-or
-.Fa ssl
-has been configured to automatically use the lowest or highest
-version supported by the library.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_options 3
-.Sh HISTORY
-The setter functions first appeared in BoringSSL in December 2014,
-with shorter names without the
-.Sy proto_
-part.
-Two years later, OpenSSL included them in their 1.1.0 release,
-gratuitously changing the names; Google shrugged and adopted
-the longer names one month later.
-They have been available since
-.Ox 6.2 .
-.Pp
-The getter functions first appeared in OpenSSL 1.1.0g
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_mode.3 b/src/lib/libssl/man/SSL_CTX_set_mode.3
deleted file mode 100644
index fca1a977d0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_mode.3
+++ /dev/null
@@ -1,204 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $
-.\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
-.\" Ben Laurie <ben@openssl.org>.
-.\" Copyright (c) 2001, 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 8 2020 $
-.Dt SSL_CTX_SET_MODE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_mode ,
-.Nm SSL_set_mode ,
-.Nm SSL_CTX_clear_mode ,
-.Nm SSL_clear_mode ,
-.Nm SSL_CTX_get_mode ,
-.Nm SSL_get_mode
-.Nd manipulate SSL engine mode
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_mode "SSL_CTX *ctx" "long mode"
-.Ft long
-.Fn SSL_set_mode "SSL *ssl" "long mode"
-.Ft long
-.Fn SSL_CTX_clear_mode "SSL_CTX *ctx" "long mode"
-.Ft long
-.Fn SSL_clear_mode "SSL *ssl" "long mode"
-.Ft long
-.Fn SSL_CTX_get_mode "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_get_mode "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_mode
-and
-.Fn SSL_set_mode
-enable the options contained in the bitmask
-.Fa mode
-for the
-.Fa ctx
-or
-.Fa ssl
-object, respectively.
-Options that were already enabled before the call are not disabled.
-.Pp
-.Fn SSL_CTX_clear_mode
-and
-.Fn SSL_clear_mode
-disable the options contained in the bitmask
-.Fa mode
-for the
-.Fa ctx
-or
-.Fa ssl
-object.
-.Pp
-.Fn SSL_CTX_get_mode
-and
-.Fn SSL_get_mode
-return a bitmask representing the options
-that are currently enabled for the
-.Fa ctx
-or
-.Fa ssl
-object.
-.Pp
-The following options are available:
-.Bl -tag -width Ds
-.It Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-Allow
-.Fn SSL_write ... n
-to return
-.Ms r
-with
-.EQ
-0 < r < n
-.EN
-(i.e., report success when just a single record has been written).
-When not set (the default),
-.Xr SSL_write 3
-will only report success once the complete chunk was written.
-Once
-.Xr SSL_write 3
-returns with
-.Ms r ,
-.Ms r
-bytes have been successfully written and the next call to
-.Xr SSL_write 3
-must only send the
-.Ms n \(mi r
-bytes left, imitating the behaviour of
-.Xr write 2 .
-.It Dv SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
-Make it possible to retry
-.Xr SSL_write 3
-with changed buffer location (the buffer contents must stay the same).
-This is not the default to avoid the misconception that non-blocking
-.Xr SSL_write 3
-behaves like non-blocking
-.Xr write 2 .
-.It Dv SSL_MODE_AUTO_RETRY
-Never bother the application with retries if the transport is blocking.
-If a renegotiation takes place during normal operation, a
-.Xr SSL_read 3
-or
-.Xr SSL_write 3
-would return
-with \(mi1 and indicate the need to retry with
-.Dv SSL_ERROR_WANT_READ .
-In a non-blocking environment applications must be prepared to handle
-incomplete read/write operations.
-In a blocking environment, applications are not always prepared to deal with
-read/write operations returning without success report.
-The flag
-.Dv SSL_MODE_AUTO_RETRY
-will cause read/write operations to only return after the handshake and
-successful completion.
-.It Dv SSL_MODE_RELEASE_BUFFERS
-When we no longer need a read buffer or a write buffer for a given
-.Vt SSL ,
-then release the memory we were using to hold it.
-Using this flag can save around 34k per idle SSL connection.
-This flag has no effect on SSL v2 connections, or on DTLS connections.
-.El
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_mode ,
-.Fn SSL_set_mode ,
-.Fn SSL_CTX_clear_mode ,
-and
-.Fn SSL_clear_mode
-return the new mode bitmask after adding or clearing
-.Fa mode .
-.Pp
-.Fn SSL_CTX_get_mode
-and
-.Fn SSL_get_mode
-return the current bitmask.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_CTX_set_mode ,
-.Fn SSL_set_mode ,
-.Fn SSL_CTX_get_mode ,
-and
-.Fn SSL_get_mode
-first appeared in OpenSSL 0.9.4 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_clear_mode
-and
-.Fn SSL_clear_mode
-first appeared in OpenSSL 0.9.8m and have been available since
-.Ox 4.9 .
-.Pp
-.Dv SSL_MODE_AUTO_RETRY
-was added in OpenSSL 0.9.6.
diff --git a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
deleted file mode 100644
index a27333e6d9..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $
-.\"     OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
-.\"     OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Bodo Moeller <bodo@openssl.org>.
-.\" Copyright (c) 2001, 2014, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 15 2021 $
-.Dt SSL_CTX_SET_MSG_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_msg_callback ,
-.Nm SSL_CTX_set_msg_callback_arg ,
-.Nm SSL_set_msg_callback ,
-.Nm SSL_set_msg_callback_arg
-.Nd install callback for observing protocol messages
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_msg_callback
-.Fa "SSL_CTX *ctx"
-.Fa "void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)"
-.Fc
-.Ft void
-.Fn SSL_CTX_set_msg_callback_arg "SSL_CTX *ctx" "void *arg"
-.Ft void
-.Fo SSL_set_msg_callback
-.Fa "SSL *ssl"
-.Fa "void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)"
-.Fc
-.Ft void
-.Fn SSL_set_msg_callback_arg "SSL *ssl" "void *arg"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_msg_callback
-or
-.Fn SSL_set_msg_callback
-can be used to define a message callback function
-.Fa cb
-for observing all SSL/TLS protocol messages (such as handshake messages)
-that are received or sent.
-.Fn SSL_CTX_set_msg_callback_arg
-and
-.Fn SSL_set_msg_callback_arg
-can be used to set argument
-.Fa arg
-to the callback function, which is available for arbitrary application use.
-.Pp
-.Fn SSL_CTX_set_msg_callback
-and
-.Fn SSL_CTX_set_msg_callback_arg
-specify default settings that will be copied to new
-.Vt SSL
-objects by
-.Xr SSL_new 3 .
-.Fn SSL_set_msg_callback
-and
-.Fn SSL_set_msg_callback_arg
-modify the actual settings of an
-.Vt SSL
-object.
-Using a
-.Dv NULL
-pointer for
-.Fa cb
-disables the message callback.
-.Pp
-When
-.Fa cb
-is called by the SSL/TLS library for a protocol message,
-the function arguments have the following meaning:
-.Bl -tag -width Ds
-.It Fa write_p
-This flag is 0 when a protocol message has been received and 1 when a protocol
-message has been sent.
-.It Fa version
-The protocol version according to which the protocol message is
-interpreted by the library, such as
-.Dv TLS1_VERSION ,
-.Dv TLS1_1_VERSION ,
-.Dv TLS1_2_VERSION ,
-.Dv DTLS1_VERSION ,
-or
-.Dv DTLS1_2_VERSION .
-.It Fa content_type
-This is one of the
-.Em ContentType
-values defined in the protocol specification
-.Po
-.Dv SSL3_RT_CHANGE_CIPHER_SPEC ,
-.Dv SSL3_RT_ALERT ,
-.Dv SSL3_RT_HANDSHAKE ,
-but never
-.Dv SSL3_RT_APPLICATION_DATA
-because the callback will only be called for protocol messages.
-.Pc
-.It Fa buf , Fa len
-.Fa buf
-points to a buffer containing the protocol message, which consists of
-.Fa len
-bytes.
-The buffer is no longer valid after the callback function has returned.
-.It Fa ssl
-The
-.Vt SSL
-object that received or sent the message.
-.It Fa arg
-The user-defined argument optionally defined by
-.Fn SSL_CTX_set_msg_callback_arg
-or
-.Fn SSL_set_msg_callback_arg .
-.El
-.Pp
-Protocol messages are passed to the callback function after decryption
-and fragment collection where applicable.
-(Thus record boundaries are not visible.)
-.Pp
-If processing a received protocol message results in an error,
-the callback function may not be called.
-For example, the callback function will never see messages that are considered
-too large to be processed.
-.Pp
-Due to automatic protocol version negotiation,
-.Fa version
-is not necessarily the protocol version used by the sender of the message:
-If a TLS 1.0 ClientHello message is received by an SSL 3.0-only server,
-.Fa version
-will be
-.Dv SSL3_VERSION .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_msg_callback ,
-.Fn SSL_CTX_set_msg_callback_arg ,
-.Fn SSL_set_msg_callback
-and
-.Fn SSL_set_msg_callback_arg
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3 b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
deleted file mode 100644
index cb6d7e000a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
+++ /dev/null
@@ -1,63 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.2 2021/10/23 17:20:50 schwarze Exp $
-.\" OpenSSL pod checked up to: 5402f96a Sep 11 09:58:52 2021 +0100
-.\"
-.\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 23 2021 $
-.Dt SSL_CTX_SET_NUM_TICKETS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_num_tickets ,
-.Nm SSL_CTX_get_num_tickets ,
-.Nm SSL_set_num_tickets ,
-.Nm SSL_get_num_tickets
-.Nd set and get the number of TLS 1.3 session tickets to be sent
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_set_num_tickets "SSL_CTX *ctx" "size_t num_tickets"
-.Ft size_t
-.Fn SSL_CTX_get_num_tickets "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_set_num_tickets "SSL *ssl" "size_t num_tickets"
-.Ft size_t
-.Fn SSL_get_num_tickets "const SSL *ssl"
-.Sh DESCRIPTION
-These functions set and retrieve
-the configured number of session tickets for
-.Fa ctx
-and
-.Fa ssl ,
-respectively.
-.Pp
-They are provided only for compatibility with OpenSSL
-and have no effect in LibreSSL.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_num_tickets
-and
-.Fn SSL_set_num_tickets
-always return 1.
-.Pp
-.Fn SSL_CTX_get_num_tickets
-and
-.Fn SSL_get_num_tickets
-return the previously set number of tickets, or 0 if it has not been set.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3
-.Sh HISTORY
-These function first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
deleted file mode 100644
index 5df0b07785..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ /dev/null
@@ -1,374 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
-.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
-.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
-.\" Bodo Moeller <bodo@openssl.org>, and
-.\" Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2001-2003, 2005, 2007, 2009, 2010, 2013-2015
-.\" The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt SSL_CTX_SET_OPTIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_options ,
-.Nm SSL_set_options ,
-.Nm SSL_CTX_clear_options ,
-.Nm SSL_clear_options ,
-.Nm SSL_CTX_get_options ,
-.Nm SSL_get_options ,
-.Nm SSL_get_secure_renegotiation_support
-.Nd manipulate SSL options
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_set_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_clear_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_clear_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_get_options "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_get_options "SSL *ssl"
-.Ft long
-.Fn SSL_get_secure_renegotiation_support "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_CTX_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-.Pp
-.Fn SSL_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_get_options
-returns the options set for
-.Fa ctx .
-.Pp
-.Fn SSL_get_options
-returns the options set for
-.Fa ssl .
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-indicates whether the peer supports secure renegotiation.
-.Pp
-All these functions are implemented using macros.
-.Pp
-The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bitmasks and can be combined by a bitwise OR
-operation (|).
-.Pp
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-affect the (external) protocol behaviour of the SSL library.
-The (internal) behaviour of the API can be changed by using the similar
-.Xr SSL_CTX_set_mode 3
-and
-.Xr SSL_set_mode 3
-functions.
-.Pp
-During a handshake, the option settings of the SSL object are used.
-When a new SSL object is created from a context using
-.Xr SSL_new 3 ,
-the current option setting is copied.
-Changes to
-.Fa ctx
-do not affect already created
-.Vt SSL
-objects.
-.Fn SSL_clear
-does not affect the settings.
-.Pp
-The following
-.Em bug workaround
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-Disables a countermeasure against a TLS 1.0 protocol vulnerability
-affecting CBC ciphers, which cannot be handled by some broken SSL
-implementations.
-This option has no effect for connections using other ciphers.
-.It Dv SSL_OP_ALL
-This is currently an alias for
-.Dv SSL_OP_LEGACY_SERVER_CONNECT .
-.El
-.Pp
-It is usually safe to use
-.Dv SSL_OP_ALL
-to enable the bug workaround options if compatibility with somewhat broken
-implementations is desired.
-.Pp
-The following
-.Em modifying
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
-When choosing a cipher, use the server's preferences instead of the client
-preferences.
-When not set, the server will always follow the client's preferences.
-When set, the server will choose following its own preferences.
-.It Dv SSL_OP_COOKIE_EXCHANGE
-Turn on Cookie Exchange as described in RFC 4347 Section 4.2.1.
-Only affects DTLS connections.
-.It Dv SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-.Em only :
-this option is currently set by default.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
-.It Dv SSL_OP_NO_DTLSv1
-Do not use the DTLSv1 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_DTLSv1_2
-Do not use the DTLSv1.2 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_QUERY_MTU
-Do not query the MTU.
-Only affects DTLS connections.
-.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session (i.e.,
-session resumption requests are only accepted in the initial handshake).
-This option is not needed for clients.
-.It Dv SSL_OP_NO_TICKET
-Normally clients and servers using TLSv1.2 and earlier will, where possible,
-transparently make use of
-RFC 5077 tickets for stateless session resumption.
-.Pp
-If this option is set, this functionality is disabled and tickets will not be
-used by clients or servers.
-.It Dv SSL_OP_NO_TLSv1
-Do not use the TLSv1.0 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_TLSv1_1
-Do not use the TLSv1.1 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_TLSv1_2
-Do not use the TLSv1.2 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_max_proto_version 3
-instead.
-.El
-.Pp
-The following options used to be supported at some point in the past
-and no longer have any effect:
-.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION ,
-.Dv SSL_OP_EPHEMERAL_RSA ,
-.Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ,
-.Dv SSL_OP_MICROSOFT_SESS_ID_BUG ,
-.Dv SSL_OP_NETSCAPE_CA_DN_BUG ,
-.Dv SSL_OP_NETSCAPE_CHALLENGE_BUG ,
-.Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ,
-.Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ,
-.Dv SSL_OP_NO_COMPRESSION ,
-.Dv SSL_OP_NO_SSLv2 ,
-.Dv SSL_OP_NO_SSLv3 ,
-.Dv SSL_OP_PKCS1_CHECK_1 ,
-.Dv SSL_OP_PKCS1_CHECK_2 ,
-.Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG ,
-.Dv SSL_OP_SINGLE_DH_USE ,
-.Dv SSL_OP_SINGLE_ECDH_USE ,
-.Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG ,
-.Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ,
-.Dv SSL_OP_TLS_BLOCK_PADDING_BUG ,
-.Dv SSL_OP_TLS_D5_BUG ,
-.Dv SSL_OP_TLS_ROLLBACK_BUG ,
-.Dv SSL_OP_TLSEXT_PADDING .
-.Sh SECURE RENEGOTIATION
-OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in RFC 5746.
-This counters the prefix attack described in CVE-2009-3555 and elsewhere.
-.Pp
-This attack has far-reaching consequences which application writers should be
-aware of.
-In the description below an implementation supporting secure renegotiation is
-referred to as
-.Dq patched .
-A server not supporting secure
-renegotiation is referred to as
-.Dq unpatched .
-.Pp
-The following sections describe the operations permitted by OpenSSL's secure
-renegotiation implementation.
-.Ss Patched client and server
-Connections and renegotiation are always permitted by OpenSSL implementations.
-.Ss Unpatched client and patched OpenSSL server
-The initial connection succeeds but client renegotiation is denied by the
-server with a
-.Em no_renegotiation
-warning alert.
-.Pp
-If the patched OpenSSL server attempts to renegotiate, a fatal
-.Em handshake_failure
-alert is sent.
-This is because the server code may be unaware of the unpatched nature of the
-client.
-.Pp
-Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which
-are unpatched) will result in the connection hanging if it receives a
-.Em no_renegotiation
-alert.
-OpenSSL versions 0.9.8m and later will regard a
-.Em no_renegotiation
-alert as fatal and respond with a fatal
-.Em handshake_failure
-alert.
-This is because the OpenSSL API currently has no provision to indicate to an
-application that a renegotiation attempt was refused.
-.Ss Patched OpenSSL client and unpatched server
-If the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is set then initial connections and renegotiation between patched OpenSSL
-clients and unpatched servers succeeds.
-If neither option is set then initial connections to unpatched servers will
-fail.
-.Pp
-The option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is currently set by default even though it has security implications:
-otherwise it would be impossible to connect to unpatched servers (i.e., all of
-them initially) and this is clearly not acceptable.
-Renegotiation is permitted because this does not add any additional security
-issues: during an attack clients do not see any renegotiations anyway.
-.Pp
-As more servers become patched, the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-will
-.Em not
-be set by default in a future version of OpenSSL.
-.Pp
-OpenSSL client applications wishing to ensure they can connect to unpatched
-servers should always
-.Em set
-.Dv SSL_OP_LEGACY_SERVER_CONNECT .
-.Pp
-OpenSSL client applications that want to ensure they can
-.Em not
-connect to unpatched servers (and thus avoid any security issues) should always
-.Em clear
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-using
-.Fn SSL_CTX_clear_options
-or
-.Fn SSL_clear_options .
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-return the new options bitmask after adding
-.Fa options .
-.Pp
-.Fn SSL_CTX_clear_options
-and
-.Fn SSL_clear_options
-return the new options bitmask after clearing
-.Fa options .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-return the current bitmask.
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-returns 1 is the peer supports secure renegotiation and 0 if it does not.
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_clear_options ,
-.Fn SSL_clear_options ,
-and
-.Fn SSL_get_secure_renegotiation_support
-first appeared in OpenSSL 0.9.8m and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
deleted file mode 100644
index 71463f1eca..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ /dev/null
@@ -1,161 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 30 2020 $
-.Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_quiet_shutdown ,
-.Nm SSL_CTX_get_quiet_shutdown ,
-.Nm SSL_set_quiet_shutdown ,
-.Nm SSL_get_quiet_shutdown
-.Nd manipulate shutdown behaviour
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_quiet_shutdown "SSL_CTX *ctx" "int mode"
-.Ft int
-.Fn SSL_CTX_get_quiet_shutdown "const SSL_CTX *ctx"
-.Ft void
-.Fn SSL_set_quiet_shutdown "SSL *ssl" "int mode"
-.Ft int
-.Fn SSL_get_quiet_shutdown "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_quiet_shutdown
-sets the
-.Dq quiet shutdown
-flag for
-.Fa ctx
-to be
-.Fa mode .
-.Vt SSL
-objects created from
-.Fa ctx
-inherit the
-.Fa mode
-valid at the time
-.Xr SSL_new 3
-is called.
-.Fa mode
-may be 0 or 1.
-.Pp
-.Fn SSL_CTX_get_quiet_shutdown
-returns the
-.Dq quiet shutdown
-setting of
-.Fa ctx .
-.Pp
-.Fn SSL_set_quiet_shutdown
-sets the
-.Dq quiet shutdown
-flag for
-.Fa ssl
-to be
-.Fa mode .
-The setting stays valid until
-.Fa ssl
-is removed with
-.Xr SSL_free 3
-or
-.Fn SSL_set_quiet_shutdown
-is called again.
-It is not changed when
-.Xr SSL_clear 3
-is called.
-.Fa mode
-may be 0 or 1.
-.Pp
-.Fn SSL_get_quiet_shutdown
-returns the
-.Dq quiet shutdown
-setting of
-.Fa ssl .
-.Pp
-Normally when a SSL connection is finished, the parties must send out
-.Dq close notify
-alert messages using
-.Xr SSL_shutdown 3
-for a clean shutdown.
-.Pp
-When setting the
-.Dq quiet shutdown
-flag to 1,
-.Xr SSL_shutdown 3
-will set the internal flags to
-.Dv SSL_SENT_SHUTDOWN Ns | Ns Dv SSL_RECEIVED_SHUTDOWN
-.Po
-.Xr SSL_shutdown 3
-then behaves like
-.Xr SSL_set_shutdown 3
-called with
-.Dv SSL_SENT_SHUTDOWN Ns | Ns Dv SSL_RECEIVED_SHUTDOWN
-.Pc .
-The session is thus considered to be shut down, but no
-.Dq close notify
-alert is sent to the peer.
-This behaviour violates the TLS standard.
-.Pp
-The default is normal shutdown behaviour as described by the TLS standard.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_quiet_shutdown
-and
-.Fn SSL_get_quiet_shutdown
-return the current setting.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.1
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
deleted file mode 100644
index eae76eb472..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_READ_AHEAD 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_read_ahead ,
-.Nm SSL_CTX_get_read_ahead ,
-.Nm SSL_set_read_ahead ,
-.Nm SSL_get_read_ahead ,
-.Nm SSL_CTX_get_default_read_ahead
-.Nd manage whether to read as many input bytes as possible
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_read_ahead
-.Fa "SSL_CTX *ctx"
-.Fa "int yes"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_read_ahead
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft void
-.Fo SSL_set_read_ahead
-.Fa "SSL *s"
-.Fa "int yes"
-.Fc
-.Ft long
-.Fo SSL_get_read_ahead
-.Fa "const SSL *s"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_default_read_ahead
-.Fa "SSL_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_read_ahead
-and
-.Fn SSL_set_read_ahead
-set whether as many input bytes as possible are read for non-blocking
-reads.
-For example if
-.Ar x
-bytes are currently required by OpenSSL, but
-.Ar y
-bytes are available from the underlying BIO (where
-.Ar y No > Ar x ) ,
-then OpenSSL will read all
-.Ar y
-bytes into its buffer (provided that the buffer is large enough) if
-reading ahead is on, or
-.Ar x
-bytes otherwise.
-The parameter
-.Fa yes
-should be 0 to ensure reading ahead is off, or non zero otherwise.
-.Pp
-.Fn SSL_CTX_get_read_ahead
-and
-.Fn SSL_get_read_ahead
-indicate whether reading ahead is set or not.
-.Pp
-.Fn SSL_CTX_get_default_read_ahead
-is identical to
-.Fn SSL_CTX_get_read_ahead .
-.Pp
-These functions are implemented as macros.
-.Pp
-These functions have no effect when used with DTLS.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_read_ahead
-and
-.Fn SSL_get_read_ahead
-return 0 if reading ahead is off or non-zero otherwise,
-except that the return values are undefined for DTLS.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_pending 3
-.Sh HISTORY
-.Fn SSL_set_read_ahead
-and
-.Fn SSL_get_read_ahead
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_set_read_ahead ,
-.Fn SSL_CTX_get_read_ahead ,
-and
-.Fn SSL_CTX_get_default_read_ahead
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Sh CAVEATS
-Switching read ahead on can impact the behaviour of the
-.Xr SSL_pending 3
-function.
diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3
deleted file mode 100644
index 89adb3d65d..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_security_level.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.2 2025/01/18 10:45:12 tb Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 18 2025 $
-.Dt SSL_CTX_SET_SECURITY_LEVEL 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_security_level ,
-.Nm SSL_set_security_level ,
-.Nm SSL_CTX_get_security_level ,
-.Nm SSL_get_security_level
-.Nd change security level for TLS
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_security_level
-.Fa "SSL_CTX *ctx"
-.Fa "int level"
-.Fc
-.Ft void
-.Fo SSL_set_security_level
-.Fa "SSL *s"
-.Fa "int level"
-.Fc
-.Ft int
-.Fo SSL_CTX_get_security_level
-.Fa "const SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_get_security_level
-.Fa "const SSL *s"
-.Fc
-.Sh DESCRIPTION
-A security level is a set of restrictions on algorithms, key lengths,
-protocol versions, and other features in TLS connections.
-These restrictions apply in addition to those that exist from individually
-selecting supported features, for example ciphers, curves, or algorithms.
-.Pp
-The following table shows properties of the various security levels:
-.Bl -column # sec 15360 ECC TLS SHA1 -offset indent
-.It # Ta   sec Ta   \0\0RSA Ta   ECC Ta TLS Ta MAC
-.It 0 Ta \0\00 Ta \0\0\0\00 Ta \0\00 Ta 1.0 Ta MD5
-.It 1 Ta  \080 Ta    \01024 Ta   160 Ta 1.0 Ta RC4
-.It 2 Ta   112 Ta    \02048 Ta   224 Ta 1.0 Ta
-.It 3 Ta   128 Ta    \03072 Ta   256 Ta 1.1 Ta SHA1
-.It 4 Ta   192 Ta    \07680 Ta   384 Ta 1.2 Ta
-.It 5 Ta   256 Ta     15360 Ta   512 Ta 1.2 Ta
-.El
-.Pp
-The meaning of the columns is as follows:
-.Pp
-.Bl -tag -width features -compact
-.It #
-The number of the
-.Fa level .
-.It sec
-The minimum security strength measured in bits, which is approximately
-the binary logarithm of the number of operations an attacker has
-to perform in order to break a cryptographic key.
-This minimum strength is enforced for all relevant parameters
-including cipher suite encryption algorithms, ECC curves, signature
-algorithms, DH parameter sizes, and certificate algorithms and key
-sizes.
-See SP800-57 below
-.Sx SEE ALSO
-for details on individual algorithms.
-.It RSA
-The minimum key length in bits for the RSA and DH algorithms.
-.It ECC
-The minimum key length in bits for ECC algorithms.
-.It TLS
-The minimum TLS protocol version.
-.It MAC
-Cipher suites using the given MACs are allowed on this level
-and on lower levels, but not on higher levels.
-.El
-.Pp
-Level 0 is only provided for backward compatibility and permits everything.
-.Pp
-Level 3 and higher disable support for session tickets
-and only accept cipher suites that provide forward secrecy.
-.Pp
-The functions
-.Fn SSL_CTX_set_security_level
-and
-.Fn SSL_set_security_level
-choose the security
-.Fa level
-for
-.Fa ctx
-or
-.Fa s ,
-respectively.
-If not set, security level 1 is used.
-.Pp
-.Xr SSL_CTX_new 3
-initializes the security level of the new object to 1.
-.Pp
-.Xr SSL_new 3
-and
-.Xr SSL_set_SSL_CTX 3
-copy the security level from the context to the SSL object.
-.Pp
-.Xr SSL_dup 3
-copies the security level from the old to the new object.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_security_level
-and
-.Fn SSL_get_security_level
-return the security level configured in
-.Fa ctx
-or
-.Fa s ,
-respectively.
-.Sh SEE ALSO
-.Xr EVP_PKEY_security_bits 3 ,
-.Xr RSA_security_bits 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_new 3
-.Rs
-.%A Elaine Barker
-.%T Recommendation for Key Management
-.%I U.S. National Institute of Standards and Technology
-.%R NIST Special Publication 800-57 Part 1 Revision 5
-.%U https://doi.org/10.6028/NIST.SP.800-57pt1r5
-.%C Gaithersburg, MD
-.%D May 2020
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 7.2 .
-.Sh CAVEATS
-Applications which do not check the return values
-of configuration functions will misbehave.
-For example, if an application does not check the return value
-after trying to set a certificate and the certificate is rejected
-because of the security level, the application may behave as if
-no certificate had been provided at all.
-.Pp
-While some restrictions may be handled gracefully by negotiations
-between the client and the server, other restrictions may be
-fatal and abort the TLS handshake.
-For example, this can happen if the peer certificate contains a key
-that is too short or if the DH parameter size is too small.
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
deleted file mode 100644
index 1fe67b2a7e..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ /dev/null
@@ -1,198 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
-.\" Geoff Thorpe <geoff@openssl.org>.
-.\" Copyright (c) 2001, 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_session_cache_mode ,
-.Nm SSL_CTX_get_session_cache_mode
-.Nd enable/disable session caching
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_session_cache_mode "SSL_CTX ctx" "long mode"
-.Ft long
-.Fn SSL_CTX_get_session_cache_mode "SSL_CTX ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_session_cache_mode
-enables/disables session caching by setting the operational mode for
-.Ar ctx
-to
-.Ar mode .
-.Pp
-.Fn SSL_CTX_get_session_cache_mode
-returns the currently used cache mode.
-.Pp
-The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse.
-The sessions can be held in memory for each
-.Fa ctx ,
-if more than one
-.Vt SSL_CTX
-object is being maintained, the sessions are unique for each
-.Vt SSL_CTX
-object.
-.Pp
-In order to reuse a session, a client must send the session's id to the server.
-It can only send exactly one id.
-The server then either agrees to reuse the session or it starts a full
-handshake (to create a new session).
-.Pp
-A server will look up the session in its internal session storage.
-If the session is not found in internal storage or lookups for the internal
-storage have been deactivated
-.Pq Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP ,
-the server will try the external storage if available.
-.Pp
-Since a client may try to reuse a session intended for use in a different
-context, the session id context must be set by the server (see
-.Xr SSL_CTX_set_session_id_context 3 ) .
-.Pp
-The following session cache modes and modifiers are available:
-.Bl -tag -width Ds
-.It Dv SSL_SESS_CACHE_OFF
-No session caching for client or server takes place.
-.It Dv SSL_SESS_CACHE_CLIENT
-Client sessions are added to the session cache.
-As there is no reliable way for the OpenSSL library to know whether a session
-should be reused or which session to choose (due to the abstract BIO layer the
-SSL engine does not have details about the connection),
-the application must select the session to be reused by using the
-.Xr SSL_set_session 3
-function.
-This option is not activated by default.
-.It Dv SSL_SESS_CACHE_SERVER
-Server sessions are added to the session cache.
-When a client proposes a session to be reused, the server looks for the
-corresponding session in (first) the internal session cache (unless
-.Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-is set), then (second) in the external cache if available.
-If the session is found, the server will try to reuse the session.
-This is the default.
-.It Dv SSL_SESS_CACHE_BOTH
-Enable both
-.Dv SSL_SESS_CACHE_CLIENT
-and
-.Dv SSL_SESS_CACHE_SERVER
-at the same time.
-.It Dv SSL_SESS_CACHE_NO_AUTO_CLEAR
-Normally the session cache is checked for expired sessions every 255
-connections using the
-.Xr SSL_CTX_flush_sessions 3
-function.
-Since this may lead to a delay which cannot be controlled,
-the automatic flushing may be disabled and
-.Xr SSL_CTX_flush_sessions 3
-can be called explicitly by the application.
-.It Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-By setting this flag, session-resume operations in an SSL/TLS server will not
-automatically look up sessions in the internal cache,
-even if sessions are automatically stored there.
-If external session caching callbacks are in use,
-this flag guarantees that all lookups are directed to the external cache.
-As automatic lookup only applies for SSL/TLS servers,
-the flag has no effect on clients.
-.It Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-Depending on the presence of
-.Dv SSL_SESS_CACHE_CLIENT
-and/or
-.Dv SSL_SESS_CACHE_SERVER ,
-sessions negotiated in an SSL/TLS handshake may be cached for possible reuse.
-Normally a new session is added to the internal cache as well as any external
-session caching (callback) that is configured for the
-.Vt SSL_CTX .
-This flag will prevent sessions being stored in the internal cache
-(though the application can add them manually using
-.Xr SSL_CTX_add_session 3 ) .
-Note:
-in any SSL/TLS servers where external caching is configured, any successful
-session lookups in the external cache (e.g., for session-resume requests) would
-normally be copied into the local cache before processing continues \(en this
-flag prevents these additions to the internal cache as well.
-.It Dv SSL_SESS_CACHE_NO_INTERNAL
-Enable both
-.Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-and
-.Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-at the same time.
-.El
-.Pp
-The default mode is
-.Dv SSL_SESS_CACHE_SERVER .
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_session_cache_mode
-returns the previously set cache mode.
-.Pp
-.Fn SSL_CTX_get_session_cache_mode
-returns the currently set cache mode.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_set_session_id_context 3 ,
-.Xr SSL_CTX_set_timeout 3 ,
-.Xr SSL_session_reused 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_CTX_set_session_cache_mode
-and
-.Fn SSL_CTX_get_session_cache_mode
-first appeared in SSLeay 0.6.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-and
-.Dv SSL_SESS_CACHE_NO_INTERNAL
-were introduced in OpenSSL 0.9.6h.
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
deleted file mode 100644
index 06fd9348ae..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2004 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_session_id_context ,
-.Nm SSL_set_session_id_context
-.Nd set context within which session can be reused (server side only)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_session_id_context
-.Fa "SSL_CTX *ctx"
-.Fa "const unsigned char *sid_ctx"
-.Fa "unsigned int sid_ctx_len"
-.Fc
-.Ft int
-.Fo SSL_set_session_id_context
-.Fa "SSL *ssl"
-.Fa "const unsigned char *sid_ctx"
-.Fa "unsigned int sid_ctx_len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_session_id_context
-sets the context
-.Fa sid_ctx
-of length
-.Fa sid_ctx_len
-within which a session can be reused for the
-.Fa ctx
-object.
-.Pp
-.Fn SSL_set_session_id_context
-sets the context
-.Fa sid_ctx
-of length
-.Fa sid_ctx_len
-within which a session can be reused for the
-.Fa ssl
-object.
-.Pp
-Sessions are generated within a certain context.
-When exporting/importing sessions with
-.Xr i2d_SSL_SESSION 3
-and
-.Xr d2i_SSL_SESSION 3 ,
-it would be possible to re-import a session generated from another context
-(e.g., another application), which might lead to malfunctions.
-Therefore each application must set its own session id context
-.Fa sid_ctx
-which is used to distinguish the contexts and is stored in exported sessions.
-The
-.Fa sid_ctx
-can be any kind of binary data with a given length; it is therefore possible
-to use, for instance, the name of the application, the hostname, the service
-name...
-.Pp
-The session id context becomes part of the session.
-The session id context is set by the SSL/TLS server.
-The
-.Fn SSL_CTX_set_session_id_context
-and
-.Fn SSL_set_session_id_context
-functions are therefore only useful on the server side.
-.Pp
-OpenSSL clients will check the session id context returned by the server when
-reusing a session.
-.Pp
-The maximum length of the
-.Fa sid_ctx
-is limited to
-.Dv SSL_MAX_SSL_SESSION_ID_LENGTH .
-.Sh WARNINGS
-If the session id context is not set on an SSL/TLS server and client
-certificates are used, stored sessions will not be reused but a fatal error
-will be flagged and the handshake will fail.
-.Pp
-If a server returns a different session id context to an OpenSSL client
-when reusing a session, an error will be flagged and the handshake will
-fail.
-OpenSSL servers will always return the correct session id context,
-as an OpenSSL server checks the session id context itself before reusing
-a session as described above.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_session_id_context
-and
-.Fn SSL_set_session_id_context
-return the following values:
-.Bl -tag -width Ds
-.It 0
-The length
-.Fa sid_ctx_len
-of the session id context
-.Fa sid_ctx
-exceeded
-the maximum allowed length of
-.Dv SSL_MAX_SSL_SESSION_ID_LENGTH .
-The error is logged to the error stack.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_SESSION_set1_id_context 3
-.Sh HISTORY
-.Fn SSL_set_session_id_context
-first appeared in OpenSSL 0.9.2b.
-.Fn SSL_CTX_set_session_id_context
-first appeared in OpenSSL 0.9.3.
-Both functions have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
deleted file mode 100644
index b1bdb92bb0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ /dev/null
@@ -1,146 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.5 2021/05/11 19:48:56 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 11 2021 $
-.Dt SSL_CTX_SET_SSL_VERSION 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_ssl_version ,
-.Nm SSL_set_ssl_method ,
-.Nm SSL_CTX_get_ssl_method ,
-.Nm SSL_get_ssl_method
-.Nd choose a new TLS/SSL method
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_set_ssl_version "SSL_CTX *ctx" "const SSL_METHOD *method"
-.Ft int
-.Fn SSL_set_ssl_method "SSL *s" "const SSL_METHOD *method"
-.Ft const SSL_METHOD *
-.Fn SSL_CTX_get_ssl_method "SSL_CTX *ctx"
-.Ft const SSL_METHOD *
-.Fn SSL_get_ssl_method "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_ssl_version
-sets a new default TLS/SSL
-.Fa method
-for
-.Vt SSL
-objects newly created from this
-.Fa ctx .
-.Vt SSL
-objects already created with
-.Xr SSL_new 3
-are not affected, except when
-.Xr SSL_clear 3
-is called.
-.Pp
-.Fn SSL_set_ssl_method
-sets a new TLS/SSL
-.Fa method
-for a particular
-.Vt SSL
-object
-.Fa s .
-It may be reset when
-.Xr SSL_clear 3
-is called.
-.Pp
-.Fn SSL_CTX_get_ssl_method
-and
-.Fn SSL_get_ssl_method
-return a function pointer to the TLS/SSL method set in
-.Fa ctx
-and
-.Fa ssl ,
-respectively.
-.Pp
-The available
-.Fa method
-choices are described in
-.Xr SSL_CTX_new 3 .
-.Pp
-When
-.Xr SSL_clear 3
-is called and no session is connected to an
-.Vt SSL
-object, the method of the
-.Vt SSL
-object is reset to the method currently set in the corresponding
-.Vt SSL_CTX
-object.
-.Sh RETURN VALUES
-The following return values can occur for
-.Fn SSL_CTX_set_ssl_version
-and
-.Fn SSL_set_ssl_method :
-.Bl -tag -width Ds
-.It  0
-The new choice failed.
-Check the error stack to find out the reason.
-.It  1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_CTX_set_ssl_version ,
-.Fn SSL_set_ssl_method ,
-and
-.Fn SSL_get_ssl_method
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Fn SSL_CTX_get_ssl_method
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_timeout.3 b/src/lib/libssl/man/SSL_CTX_set_timeout.3
deleted file mode 100644
index ab99e2016e..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_timeout.3
+++ /dev/null
@@ -1,118 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_TIMEOUT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_timeout ,
-.Nm SSL_CTX_get_timeout
-.Nd manipulate timeout values for session caching
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_timeout "SSL_CTX *ctx" "long t"
-.Ft long
-.Fn SSL_CTX_get_timeout "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_timeout
-sets the timeout for newly created sessions for
-.Fa ctx
-to
-.Fa t .
-The timeout value
-.Fa t
-must be given in seconds.
-.Pp
-.Fn SSL_CTX_get_timeout
-returns the currently set timeout value for
-.Fa ctx .
-.Pp
-Whenever a new session is created, it is assigned a maximum lifetime.
-This lifetime is specified by storing the creation time of the session and the
-timeout value valid at this time.
-If the actual time is later than creation time plus timeout,
-the session is not reused.
-.Pp
-Due to this realization, all sessions behave according to the timeout value
-valid at the time of the session negotiation.
-Changes of the timeout value do not affect already established sessions.
-.Pp
-The expiration time of a single session can be modified using the
-.Xr SSL_SESSION_get_time 3
-family of functions.
-.Pp
-Expired sessions are removed from the internal session cache, whenever
-.Xr SSL_CTX_flush_sessions 3
-is called, either directly by the application or automatically (see
-.Xr SSL_CTX_set_session_cache_mode 3 ) .
-.Pp
-The default value for session timeout is decided on a per-protocol basis; see
-.Xr SSL_get_default_timeout 3 .
-All currently supported protocols have the same default timeout value of 300
-seconds.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_timeout
-returns the previously set timeout value.
-.Pp
-.Fn SSL_CTX_get_timeout
-returns the currently set timeout value.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_get_default_timeout 3 ,
-.Xr SSL_SESSION_get_time 3
-.Sh HISTORY
-.Fn SSL_CTX_set_timeout
-and
-.Fn SSL_CTX_get_timeout
-first appeared in SSLeay 0.6.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
deleted file mode 100644
index 2b54406de8..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ /dev/null
@@ -1,247 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.6 2021/09/01 13:56:03 schwarze Exp $
-.\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
-.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Jon Spillett <jon.spillett@oracle.com>,
-.\" Paul Yang <yang dot yang at baishancloud dot com>, and
-.\" Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2017, 2019 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 1 2021 $
-.Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_servername_callback ,
-.Nm SSL_CTX_set_tlsext_servername_arg ,
-.Nm SSL_get_servername_type ,
-.Nm SSL_get_servername ,
-.Nm SSL_set_tlsext_host_name
-.Nd handle server name indication (SNI)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_CTX_set_tlsext_servername_callback
-.Fa "SSL_CTX *ctx"
-.Fa "int (*cb)(SSL *ssl, int *alert, void *arg)"
-.Fc
-.Ft long
-.Fo SSL_CTX_set_tlsext_servername_arg
-.Fa "SSL_CTX *ctx"
-.Fa "void *arg"
-.Fc
-.Ft const char *
-.Fo SSL_get_servername
-.Fa "const SSL *ssl"
-.Fa "const int type"
-.Fc
-.Ft int
-.Fo SSL_get_servername_type
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_set_tlsext_host_name
-.Fa "const SSL *ssl"
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_tlsext_servername_callback
-sets the application callback
-.Fa cb
-used by a server to perform any actions or configuration required based
-on the servername extension received in the incoming connection.
-Like the ALPN callback, it is executed during Client Hello processing.
-When
-.Fa cb
-is
-.Dv NULL ,
-SNI is not used.
-.Pp
-The servername callback should return one of the following values:
-.Bl -tag -width Ds
-.It Dv SSL_TLSEXT_ERR_OK
-This is used to indicate that the servername requested by the client
-has been accepted.
-Typically a server will call
-.Xr SSL_set_SSL_CTX 3
-in the callback to set up a different configuration
-for the selected servername in this case.
-.It Dv SSL_TLSEXT_ERR_ALERT_FATAL
-In this case the servername requested by the client is not accepted
-and the handshake will be aborted.
-The value of the alert to be used should be stored in the location
-pointed to by the
-.Fa alert
-parameter to the callback.
-By default this value is initialised to
-.Dv SSL_AD_UNRECOGNIZED_NAME .
-.It Dv SSL_TLSEXT_ERR_ALERT_WARNING
-If this value is returned, then the servername is not accepted by the server.
-However, the handshake will continue and send a warning alert instead.
-The value of the alert should be stored in the location pointed to by the
-.Fa alert
-parameter as for
-.Dv SSL_TLSEXT_ERR_ALERT_FATAL
-above.
-Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has
-been negotiated then this return value is treated the same way as
-.Dv SSL_TLSEXT_ERR_NOACK .
-.It Dv SSL_TLSEXT_ERR_NOACK
-This return value indicates
-that the servername is not accepted by the server.
-No alerts are sent
-and the server will not acknowledge the requested servername.
-.El
-.Pp
-.Fn SSL_CTX_set_tlsext_servername_arg
-sets a context-specific argument to be passed into the callback via the
-.Fa arg
-parameter for
-.Fa ctx .
-.ig end_of_get_servername_details
-.\" I would suggest to comment out that second wall text of dubious
-.\" usefulness and see if we can meet all these documented API
-.\" requirements in the future or decide that it's not worth the
-.\" effort.  -- tb@ Aug 30, 2021
-.Pp
-The behaviour of
-.Fn SSL_get_servername
-depends on a number of different factors.
-In particular note that in TLSv1.3,
-the servername is negotiated in every handshake.
-In TLSv1.2 the servername is only negotiated on initial handshakes
-and not on resumption handshakes.
-.Bl -tag -width Ds
-.It On the client, before the handshake:
-If a servername has been set via a call to
-.Fn SSL_set_tlsext_host_name ,
-then it will return that servername.
-If one has not been set, but a TLSv1.2 resumption is being attempted
-and the session from the original handshake had a servername
-accepted by the server, then it will return that servername.
-Otherwise it returns
-.Dv NULL .
-.It On the client, during or after the handshake,\
- if a TLSv1.2 (or below) resumption occurred:
-If the session from the original handshake had a servername accepted by the
-server, then it will return that servername.
-Otherwise it returns the servername set via
-.Fn SSL_set_tlsext_host_name
-or
-.Dv NULL
-if it was not called.
-.It On the client, during or after the handshake,\
- if a TLSv1.2 (or below) resumption did not occur:
-It will return the servername set via
-.Fn SSL_set_tlsext_host_name
-or
-.Dv NULL
-if it was not called.
-.It On the server, before the handshake:
-The function will always return
-.Dv NULL
-before the handshake.
-.It On the server, after the servername extension has been processed,\
- if a TLSv1.2 (or below) resumption occurred:
-If a servername was accepted by the server in the original handshake,
-then it will return that servername, or
-.Dv NULL
-otherwise.
-.It On the server, after the servername extension has been processed,\
- if a TLSv1.2 (or below) resumption did not occur:
-The function will return the servername
-requested by the client in this handshake or
-.Dv NULL
-if none was requested.
-.El
-.Pp
-Note that the early callback occurs before a servername extension
-from the client is processed.
-The servername, certificate and ALPN callbacks occur
-after a servername extension from the client is processed.
-.end_of_get_servername_details
-.Pp
-.Fn SSL_set_tlsext_host_name
-sets the server name indication ClientHello extension
-to contain the value
-.Fa name ,
-or clears it if
-.Fa name
-is
-.Dv NULL .
-The type of server name indication
-extension is set to
-.Dv TLSEXT_NAMETYPE_host_name
-as defined in RFC 3546.
-.Pp
-All three functions are implemented as macros.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_tlsext_servername_callback
-and
-.Fn SSL_CTX_set_tlsext_servername_arg
-always return 1 indicating success.
-.Pp
-.Fn SSL_get_servername
-returns a servername extension value of the specified type if provided
-in the Client Hello, or
-.Dv NULL
-otherwise.
-.Pp
-.Fn SSL_get_servername_type
-returns the servername type or -1 if no servername is present.
-Currently the only supported type (defined in RFC 3546) is
-.Dv TLSEXT_NAMETYPE_host_name .
-.Pp
-.Fn SSL_set_tlsext_host_name
-returns 1 on success or 0 in case of an error.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_callback_ctrl 3 ,
-.Xr SSL_CTX_set_alpn_select_cb 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8f
-and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
deleted file mode 100644
index d5979af1e8..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ /dev/null
@@ -1,238 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.8 2021/09/11 18:58:41 schwarze Exp $
-.\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 11 2021 $
-.Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_status_cb ,
-.Nm SSL_CTX_get_tlsext_status_cb ,
-.Nm SSL_CTX_set_tlsext_status_arg ,
-.Nm SSL_CTX_get_tlsext_status_arg ,
-.Nm SSL_set_tlsext_status_type ,
-.Nm SSL_get_tlsext_status_type ,
-.Nm SSL_get_tlsext_status_ocsp_resp ,
-.Nm SSL_set_tlsext_status_ocsp_resp
-.Nd OCSP Certificate Status Request functions
-.Sh SYNOPSIS
-.In openssl/tls1.h
-.Ft long
-.Fo SSL_CTX_set_tlsext_status_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*callback)(SSL *, void *)"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_tlsext_status_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*callback)(SSL *, void *)"
-.Fc
-.Ft long
-.Fo SSL_CTX_set_tlsext_status_arg
-.Fa "SSL_CTX *ctx"
-.Fa "void *arg"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_tlsext_status_arg
-.Fa "SSL_CTX *ctx"
-.Fa "void **arg"
-.Fc
-.Ft long
-.Fo SSL_set_tlsext_status_type
-.Fa "SSL *s"
-.Fa "int type"
-.Fc
-.Ft long
-.Fo SSL_get_tlsext_status_type
-.Fa "SSL *s"
-.Fc
-.Ft long
-.Fo SSL_get_tlsext_status_ocsp_resp
-.Fa ssl
-.Fa "unsigned char **resp"
-.Fc
-.Ft long
-.Fo SSL_set_tlsext_status_ocsp_resp
-.Fa ssl
-.Fa "unsigned char *resp"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-A client application may request that a server send back an OCSP status
-response (also known as OCSP stapling).
-To do so the client should call the
-.Fn SSL_set_tlsext_status_type
-function on an individual
-.Vt SSL
-object prior to the start of the handshake.
-Currently the only supported type is
-.Dv TLSEXT_STATUSTYPE_ocsp .
-This value should be passed in the
-.Fa type
-argument.
-.Pp
-The client should additionally provide a callback function to decide
-what to do with the returned OCSP response by calling
-.Fn SSL_CTX_set_tlsext_status_cb .
-The callback function should determine whether the returned OCSP
-response is acceptable or not.
-The callback will be passed as an argument the value previously set via
-a call to
-.Fn SSL_CTX_set_tlsext_status_arg .
-Note that the callback will not be called in the event of a handshake
-where session resumption occurs (because there are no Certificates
-exchanged in such a handshake).
-.Pp
-The callback previously set via
-.Fn SSL_CTX_set_tlsext_status_cb
-can be retrieved by calling
-.Fn SSL_CTX_get_tlsext_status_cb ,
-and the argument by calling
-.Fn SSL_CTX_get_tlsext_status_arg .
-.Pp
-On the client side,
-.Fn SSL_get_tlsext_status_type
-can be used to determine whether the client has previously called
-.Fn SSL_set_tlsext_status_type .
-It will return
-.Dv TLSEXT_STATUSTYPE_ocsp
-if it has been called or \-1 otherwise.
-On the server side,
-.Fn SSL_get_tlsext_status_type
-can be used to determine whether the client requested OCSP stapling.
-If the client requested it, then this function will return
-.Dv TLSEXT_STATUSTYPE_ocsp ,
-or \-1 otherwise.
-.Pp
-The response returned by the server can be obtained via a call to
-.Fn SSL_get_tlsext_status_ocsp_resp .
-The value
-.Pf * Fa resp
-will be updated to point to the OCSP response data and the return value
-will be the length of that data.
-If the server has not provided any response data, then
-.Pf * Fa resp
-will be
-.Dv NULL
-and the return value from
-.Fn SSL_get_tlsext_status_ocsp_resp
-will be -1.
-.Pp
-A server application must also call the
-.Fn SSL_CTX_set_tlsext_status_cb
-function if it wants to be able to provide clients with OCSP Certificate
-Status responses.
-Typically the server callback would obtain the server certificate that
-is being sent back to the client via a call to
-.Xr SSL_get_certificate 3 ,
-obtain the OCSP response to be sent back, and then set that response
-data by calling
-.Fn SSL_set_tlsext_status_ocsp_resp .
-A pointer to the response data should be provided in the
-.Fa resp
-argument, and the length of that data should be in the
-.Fa len
-argument.
-.Sh RETURN VALUES
-The callback when used on the client side should return a negative
-value on error, 0 if the response is not acceptable (in which case
-the handshake will fail), or a positive value if it is acceptable.
-.Pp
-The callback when used on the server side should return with either
-.Dv SSL_TLSEXT_ERR_OK
-(meaning that the OCSP response that has been set should be returned),
-.Dv SSL_TLSEXT_ERR_NOACK
-(meaning that an OCSP response should not be returned), or
-.Dv SSL_TLSEXT_ERR_ALERT_FATAL
-(meaning that a fatal error has occurred).
-.Pp
-.Fn SSL_CTX_set_tlsext_status_cb ,
-.Fn SSL_CTX_get_tlsext_status_cb ,
-.Fn SSL_CTX_set_tlsext_status_arg ,
-.Fn SSL_CTX_get_tlsext_status_arg ,
-.Fn SSL_set_tlsext_status_type ,
-and
-.Fn SSL_set_tlsext_status_ocsp_resp
-always return 1, indicating success.
-.Pp
-.Fn SSL_get_tlsext_status_type
-returns
-.Dv TLSEXT_STATUSTYPE_ocsp
-on the client side if
-.Fn SSL_set_tlsext_status_type
-was previously called, or on the server side
-if the client requested OCSP stapling.
-Otherwise \-1 is returned.
-.Pp
-.Fn SSL_get_tlsext_status_ocsp_resp
-returns the length of the OCSP response data
-or \-1 if there is no OCSP response data.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_callback_ctrl 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tlsext_status_cb ,
-.Fn SSL_CTX_set_tlsext_status_arg ,
-.Fn SSL_set_tlsext_status_type ,
-.Fn SSL_get_tlsext_status_ocsp_resp ,
-and
-.Fn SSL_set_tlsext_status_ocsp_resp
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 4.5 .
-.Pp
-.Fn SSL_CTX_get_tlsext_status_cb
-and
-.Fn SSL_CTX_get_tlsext_status_arg
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn SSL_get_tlsext_status_type
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
deleted file mode 100644
index b6ccabaeca..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ /dev/null
@@ -1,300 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.8 2022/01/25 18:01:20 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Rich Salz <rsalz@akamai.com>
-.\" Copyright (c) 2014, 2015, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 25 2022 $
-.Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_ticket_key_cb
-.Nd set a callback for session ticket processing
-.Sh SYNOPSIS
-.In openssl/tls1.h
-.Ft long
-.Fo SSL_CTX_set_tlsext_ticket_key_cb
-.Fa "SSL_CTX sslctx"
-.Fa "int (*cb)(SSL *s, unsigned char key_name[16],\
- unsigned char iv[EVP_MAX_IV_LENGTH],\
- EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_tlsext_ticket_key_cb
-sets a callback function
-.Fa cb
-for handling session tickets for the ssl context
-.Fa sslctx .
-Session tickets, defined in RFC 5077, provide an enhanced session
-resumption capability where the server implementation is not required to
-maintain per session state.
-.Pp
-The callback function
-.Fa cb
-will be called for every client instigated TLS session when session
-ticket extension is presented in the TLS hello message.
-It is the responsibility of this function to create or retrieve the
-cryptographic parameters and to maintain their state.
-.Pp
-The OpenSSL library uses the callback function to help implement a
-common TLS ticket construction state according to RFC 5077 Section 4 such
-that per session state is unnecessary and a small set of cryptographic
-variables needs to be maintained by the callback function
-implementation.
-.Pp
-In order to reuse a session, a TLS client must send a session ticket
-extension to the server.
-The client can only send exactly one session ticket.
-The server, through the callback function, either agrees to reuse the
-session ticket information or it starts a full TLS handshake to create a
-new session ticket.
-.Pp
-The callback is called with
-.Fa ctx
-and
-.Fa hctx
-which were newly allocated with
-.Xr EVP_CIPHER_CTX_new 3
-and
-.Xr HMAC_CTX_new 3 ,
-respectively.
-.Pp
-For new sessions tickets, when the client doesn't present a session
-ticket, or an attempted retrieval of the ticket failed, or a renew
-option was indicated, the callback function will be called with
-.Fa enc
-equal to 1.
-The OpenSSL library expects that the function will set an arbitrary
-.Fa key_name ,
-initialize
-.Fa iv ,
-and set the cipher context
-.Fa ctx
-and the hash context
-.Fa hctx .
-.Pp
-The
-.Fa key_name
-is 16 characters long and is used as a key identifier.
-.Pp
-The
-.Fa iv
-length is the length of the IV of the corresponding cipher.
-The maximum IV length is
-.Dv EVP_MAX_IV_LENGTH
-bytes defined in
-.In openssl/evp.h .
-.Pp
-The initialization vector
-.Fa iv
-should be a random value.
-The cipher context
-.Fa ctx
-should use the initialisation vector
-.Fa iv .
-The cipher context can be set using
-.Xr EVP_EncryptInit_ex 3 .
-The hmac context can be set using
-.Xr HMAC_Init_ex 3 .
-.Pp
-When the client presents a session ticket, the callback function
-with be called with
-.Fa enc
-set to 0 indicating that the
-.Fa cb
-function should retrieve a set of parameters.
-In this case
-.Fa key_name
-and
-.Fa iv
-have already been parsed out of the session ticket.
-The OpenSSL library expects that the
-.Em key_name
-will be used to retrieve a cryptographic parameters and that the
-cryptographic context
-.Fa ctx
-will be set with the retrieved parameters and the initialization vector
-.Fa iv
-using a function like
-.Xr EVP_DecryptInit_ex 3 .
-The
-.Fa hctx
-needs to be set using
-.Xr HMAC_Init_ex 3 .
-.Pp
-If the
-.Fa key_name
-is still valid but a renewal of the ticket is required, the callback
-function should return 2.
-The library will call the callback again with an argument of
-.Fa enc
-equal to 1 to set the new ticket.
-.Pp
-The return value of the
-.Fa cb
-function is used by OpenSSL to determine what further processing will
-occur.
-The following return values have meaning:
-.Bl -tag -width Ds
-.It 2
-This indicates that the
-.Fa ctx
-and
-.Fa hctx
-have been set and the session can continue on those parameters.
-Additionally it indicates that the session ticket is in a renewal period
-and should be replaced.
-The OpenSSL library will call
-.Fa cb
-again with an
-.Fa enc
-argument of 1 to set the new ticket (see RFC 5077 3.3 paragraph 2).
-.It 1
-This indicates that the
-.Fa ctx
-and
-.Fa hctx
-have been set and the session can continue on those parameters.
-.It 0
-This indicates that it was not possible to set/retrieve a session ticket
-and the SSL/TLS session will continue by negotiating a set of
-cryptographic parameters or using the alternate SSL/TLS resumption
-mechanism, session ids.
-.Pp
-If called with
-.Fa enc
-equal to 0, the library will call the
-.Fa cb
-again to get a new set of parameters.
-.It less than 0
-This indicates an error.
-.El
-.Pp
-Session resumption shortcuts the TLS so that the client certificate
-negotiation don't occur.
-It makes up for this by storing client certificate and all other
-negotiated state information encrypted within the ticket.
-In a resumed session the applications will have all this state
-information available exactly as if a full negotiation had occurred.
-.Pp
-If an attacker can obtain the key used to encrypt a session ticket, they
-can obtain the master secret for any ticket using that key and decrypt
-any traffic using that session: even if the ciphersuite supports forward
-secrecy.
-As a result applications may wish to use multiple keys and avoid using
-long term keys stored in files.
-.Pp
-Applications can use longer keys to maintain a consistent level of
-security.
-For example if a ciphersuite uses 256 bit ciphers but only a 128 bit
-ticket key the overall security is only 128 bits because breaking the
-ticket key will enable an attacker to obtain the session keys.
-.Sh RETURN VALUES
-This function returns 0 to indicate that the callback function was set.
-.Sh EXAMPLES
-Reference Implementation:
-.Bd -literal
-SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb);
-\&....
-static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16],
-    unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
-{
-        if (enc) { /* create new session */
-                if (RAND_bytes(iv, EVP_MAX_IV_LENGTH))
-                        return -1; /* insufficient random */
-
-                key = currentkey(); /* something you need to implement */
-                if (!key) {
-                        /* current key doesn't exist or isn't valid */
-                        key = createkey();
-                            /* something that you need to implement.
-                             * createkey needs to initialise a name,
-                             * an aes_key, a hmac_key, and optionally
-                             * an expire time. */
-                        if (!key) /* key couldn't be created */
-                                return 0;
-                }
-                memcpy(key_name, key->name, 16);
-
-                EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                    key->aes_key, iv);
-                HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
-
-                return 1;
-
-        } else { /* retrieve session */
-                key = findkey(name);
-
-                if  (!key || key->expire < now())
-                        return 0;
-
-                HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
-                EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-                    key->aes_key, iv );
-
-                if (key->expire < (now() - RENEW_TIME))
-                    /* this session will get a new ticket
-                     * even though the current is still valid */
-                    return 2;
-
-                return 1;
-        }
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_callback_ctrl 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_set_session_id_context 3 ,
-.Xr SSL_session_reused 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tlsext_ticket_key_cb
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
deleted file mode 100644
index 04c4833c6a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
+++ /dev/null
@@ -1,197 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
-.\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 11 2021 $
-.Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_use_srtp ,
-.Nm SSL_set_tlsext_use_srtp ,
-.Nm SSL_get_srtp_profiles ,
-.Nm SSL_get_selected_srtp_profile
-.Nd Configure and query SRTP support
-.Sh SYNOPSIS
-.In openssl/srtp.h
-.Ft int
-.Fo SSL_CTX_set_tlsext_use_srtp
-.Fa "SSL_CTX *ctx"
-.Fa "const char *profiles"
-.Fc
-.Ft int
-.Fo SSL_set_tlsext_use_srtp
-.Fa "SSL *ssl"
-.Fa "const char *profiles"
-.Fc
-.Ft STACK_OF(SRTP_PROTECTION_PROFILE) *
-.Fo SSL_get_srtp_profiles
-.Fa "SSL *ssl"
-.Fc
-.Ft SRTP_PROTECTION_PROFILE *
-.Fo SSL_get_selected_srtp_profile
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-SRTP is the Secure Real-Time Transport Protocol.
-OpenSSL implements support for the "use_srtp" DTLS extension
-defined in RFC 5764.
-This provides a mechanism for establishing SRTP keying material,
-algorithms and parameters using DTLS.
-This capability may be used as part of an implementation that
-conforms to RFC 5763.
-OpenSSL does not implement SRTP itself or RFC 5763.
-Note that OpenSSL does not support the use of SRTP Master Key
-Identifiers (MKIs).
-Also note that this extension is only supported in DTLS.
-Any SRTP configuration is ignored if a TLS connection is attempted.
-.Pp
-An OpenSSL client wishing to send the "use_srtp" extension should call
-.Fn SSL_CTX_set_tlsext_use_srtp
-to set its use for all
-.Vt SSL
-objects subsequently created from
-.Fa ctx .
-Alternatively a client may call
-.Fn SSL_set_tlsext_use_srtp
-to set its use for an individual
-.Vt SSL
-object.
-The
-.Fa profiles
-parameter should point to a NUL-terminated, colon delimited list of
-SRTP protection profile names.
-.Pp
-The currently supported protection profile names are:
-.Bl -tag -width Ds
-.It Dv SRTP_AES128_CM_SHA1_80
-This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC 5764.
-.It Dv SRTP_AES128_CM_SHA1_32
-This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC 5764.
-.It Dv SRTP_AEAD_AES_128_GCM
-This corresponds to SRTP_AEAD_AES_128_GCM defined in RFC 7714.
-.It Dv SRTP_AEAD_AES_256_GCM
-This corresponds to SRTP_AEAD_AES_256_GCM defined in RFC 7714.
-.El
-.Pp
-Supplying an unrecognised protection profile name results in an error.
-.Pp
-An OpenSSL server wishing to support the "use_srtp" extension should
-also call
-.Fn SSL_CTX_set_tlsext_use_srtp
-or
-.Fn SSL_set_tlsext_use_srtp
-to indicate the protection profiles that it is willing to negotiate.
-.Pp
-The currently configured list of protection profiles for either a client
-or a server can be obtained by calling
-.Fn SSL_get_srtp_profiles .
-This returns a stack of
-.Vt SRTP_PROTECTION_PROFILE
-objects.
-The memory pointed to in the return value of this function should not be
-freed by the caller.
-.Pp
-After a handshake has been completed, the negotiated SRTP protection
-profile (if any) can be obtained (on the client or the server) by
-calling
-.Fn SSL_get_selected_srtp_profile .
-This function returns
-.Dv NULL
-if no SRTP protection profile was negotiated.
-The memory returned from this function should not be freed by the
-caller.
-.Pp
-If an SRTP protection profile has been successfully negotiated,
-then the SRTP keying material (on both the client and server)
-should be obtained by calling
-.Xr SSL_export_keying_material 3
-with a
-.Fa label
-of
-.Qq EXTRACTOR-dtls_srtp ,
-a
-.Fa context
-of
-.Dv NULL ,
-and a
-.Fa use_context
-argument of 0.
-The total length of keying material obtained should be equal to two
-times the sum of the master key length and the salt length as defined
-for the protection profile in use.
-This provides the client write master key, the server write master key,
-the client write master salt and the server write master salt in that
-order.
-.Sh RETURN VALUES
-Contrary to OpenSSL conventions,
-.Fn SSL_CTX_set_tlsext_use_srtp
-and
-.Fn SSL_set_tlsext_use_srtp
-return 0 on success or 1 on error.
-.Pp
-.Fn SSL_get_srtp_profiles
-returns a stack of
-.Vt SRTP_PROTECTION_PROFILE
-objects on success or
-.Dv NULL
-on error or if no protection profiles have been configured.
-.Pp
-.Fn SSL_get_selected_srtp_profile
-returns a pointer to an
-.Vt SRTP_PROTECTION_PROFILE
-object if one has been negotiated or
-.Dv NULL
-otherwise.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_export_keying_material 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.1
-and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
deleted file mode 100644
index c6f5253431..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ /dev/null
@@ -1,229 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.11 2025/01/18 10:45:12 tb Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2014, 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 18 2025 $
-.Dt SSL_CTX_SET_TMP_DH_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tmp_dh_callback ,
-.Nm SSL_CTX_set_tmp_dh ,
-.Nm SSL_set_tmp_dh_callback ,
-.Nm SSL_set_tmp_dh
-.Nd handle DH keys for ephemeral key exchange
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_tmp_dh_callback
-.Fa "SSL_CTX *ctx"
-.Fa "DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)"
-.Fc
-.Ft long
-.Fn SSL_CTX_set_tmp_dh "SSL_CTX *ctx" "DH *dh"
-.Ft void
-.Fo SSL_set_tmp_dh_callback
-.Fa "SSL *ssl"
-.Fa "DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength"
-.Fc
-.Ft long
-.Fn SSL_set_tmp_dh "SSL *ssl" "DH *dh"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_tmp_dh_callback
-sets the callback function for
-.Fa ctx
-to be used when a DH parameters are required to
-.Fa tmp_dh_callback .
-The callback is inherited by all
-.Vt ssl
-objects created from
-.Fa ctx .
-.Pp
-.Fn SSL_CTX_set_tmp_dh
-sets DH parameters to be used by
-.Fa ctx .
-The key is inherited by all
-.Fa ssl
-objects created from
-.Fa ctx .
-.Pp
-.Fn SSL_set_tmp_dh_callback
-sets the callback only for
-.Fa ssl .
-.Pp
-.Fn SSL_set_tmp_dh
-sets the parameters only for
-.Fa ssl .
-.Pp
-These functions apply to SSL/TLS servers only.
-.Pp
-When using a cipher with RSA authentication,
-an ephemeral DH key exchange can take place.
-In these cases, the session data are negotiated using the ephemeral/temporary
-DH key and the key supplied and certified by the certificate chain is only used
-for signing.
-Anonymous ciphers (without a permanent server key) also use ephemeral DH keys.
-.Pp
-Using ephemeral DH key exchange yields forward secrecy,
-as the connection can only be decrypted when the DH key is known.
-By generating a temporary DH key inside the server application that is lost
-when the application is left, it becomes impossible for attackers to decrypt
-past sessions, even if they get hold of the normal (certified) key,
-as this key was only used for signing.
-.Pp
-In order to perform a DH key exchange, the server must use a DH group
-(DH parameters) and generate a DH key.
-The server will always generate a new DH key during the negotiation.
-.Pp
-As generating DH parameters is extremely time consuming, an application should
-not generate the parameters on the fly but supply the parameters.
-DH parameters can be reused,
-as the actual key is newly generated during the negotiation.
-The risk in reusing DH parameters is that an attacker may specialize on a very
-often used DH group.
-Applications should therefore generate their own DH parameters during the
-installation process using the
-.Xr openssl 1
-.Cm dhparam
-application.
-This application guarantees that "strong" primes are used.
-.Pp
-Files
-.Pa dh2048.pem
-and
-.Pa dh4096.pem
-in the
-.Pa apps
-directory of the current version of the OpenSSL distribution contain the
-.Sq SKIP
-DH parameters,
-which use safe primes and were generated verifiably pseudo-randomly.
-These files can be converted into C code using the
-.Fl C
-option of the
-.Xr openssl 1
-.Cm dhparam
-application.
-Generation of custom DH parameters during installation should still
-be preferred to stop an attacker from specializing on a commonly
-used group.
-The file
-.Pa dh1024.pem
-contains old parameters that must not be used by applications.
-.Pp
-An application may either directly specify the DH parameters or can supply the
-DH parameters via a callback function.
-.Pp
-Previous versions of the callback used
-.Fa is_export
-and
-.Fa keylength
-parameters to control parameter generation for export and non-export
-cipher suites.
-Modern servers that do not support export ciphersuites are advised
-to either use
-.Fn SSL_CTX_set_tmp_dh
-or alternatively, use the callback but ignore
-.Fa keylength
-and
-.Fa is_export
-and simply supply at least 2048-bit parameters in the callback.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_tmp_dh
-and
-.Fn SSL_set_tmp_dh
-do return 1 on success and 0 on failure.
-Check the error queue to find out the reason of failure.
-.Sh EXAMPLES
-Set up DH parameters with a key length of 2048 bits.
-Error handling is partly left out.
-.Pp
-Command-line parameter generation:
-.Pp
-.Dl openssl dhparam -out dh_param_2048.pem 2048
-.Pp
-Code for setting up parameters during server initialization:
-.Bd -literal
-SSL_CTX ctx = SSL_CTX_new();
-\&...
-
-/* Set up ephemeral DH parameters. */
-DH *dh_2048 = NULL;
-FILE *paramfile;
-paramfile = fopen("dh_param_2048.pem", "r");
-if (paramfile) {
-        dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
-        fclose(paramfile);
-} else {
-        /* Error. */
-}
-if (dh_2048 == NULL) {
-        /* Error. */
-}
-if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
-        /* Error. */
-}
-.Ed
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_set_tmp_ecdh 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tmp_dh_callback
-and
-.Fn SSL_CTX_set_tmp_dh
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_set_tmp_dh_callback
-and
-.Fn SSL_set_tmp_dh
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
deleted file mode 100644
index b4c3a3c647..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
+++ /dev/null
@@ -1,114 +0,0 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.9 2022/03/29 14:27:59 naddy Exp $
-.\"     OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2006, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 29 2022 $
-.Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tmp_rsa_callback ,
-.Nm SSL_CTX_set_tmp_rsa ,
-.Nm SSL_CTX_need_tmp_RSA ,
-.Nm SSL_set_tmp_rsa_callback ,
-.Nm SSL_set_tmp_rsa ,
-.Nm SSL_need_tmp_RSA
-.Nd handle RSA keys for ephemeral key exchange
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_tmp_rsa_callback
-.Fa "SSL_CTX *ctx"
-.Fa "RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)"
-.Fc
-.Ft long
-.Fn SSL_CTX_set_tmp_rsa "SSL_CTX *ctx" "RSA *rsa"
-.Ft long
-.Fn SSL_CTX_need_tmp_RSA "SSL_CTX *ctx"
-.Ft void
-.Fo SSL_set_tmp_rsa_callback
-.Fa "SSL_CTX *ctx"
-.Fa "RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)"
-.Fc
-.Ft long
-.Fn SSL_set_tmp_rsa "SSL *ssl" "RSA *rsa"
-.Ft long
-.Fn SSL_need_tmp_RSA "SSL *ssl"
-.Sh DESCRIPTION
-Since they mattered only for deliberately insecure RSA authentication
-mandated by historical U.S. export restrictions, these functions
-are all deprecated and have no effect except that
-.Fn SSL_CTX_set_tmp_rsa_callback ,
-.Fn SSL_CTX_set_tmp_rsa ,
-.Fn SSL_set_tmp_rsa_callback ,
-and
-.Fn SSL_set_tmp_rsa
-issue error messages when called.
-.Sh RETURN VALUES
-These functions always return 0, indicating failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_tmp_ecdh 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tmp_rsa_callback ,
-.Fn SSL_CTX_set_tmp_rsa ,
-and
-.Fn SSL_CTX_need_tmp_RSA
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_set_tmp_rsa_callback ,
-.Fn SSL_set_tmp_rsa ,
-and
-.Fn SSL_need_tmp_RSA
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_verify.3 b/src/lib/libssl/man/SSL_CTX_set_verify.3
deleted file mode 100644
index 1ed86407e9..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_verify.3
+++ /dev/null
@@ -1,479 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.9 2021/06/12 16:59:53 jmc Exp $
-.\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2003, 2014 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2021 $
-.Dt SSL_CTX_SET_VERIFY 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_verify ,
-.Nm SSL_set_verify ,
-.Nm SSL_CTX_set_verify_depth ,
-.Nm SSL_set_verify_depth
-.Nd set peer certificate verification parameters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_verify
-.Fa "SSL_CTX *ctx"
-.Fa "int mode"
-.Fa "int (*verify_callback)(int, X509_STORE_CTX *)"
-.Fc
-.Ft void
-.Fo SSL_set_verify
-.Fa "SSL *s"
-.Fa "int mode"
-.Fa "int (*verify_callback)(int, X509_STORE_CTX *)"
-.Fc
-.Ft void
-.Fn SSL_CTX_set_verify_depth "SSL_CTX *ctx" "int depth"
-.Ft void
-.Fn SSL_set_verify_depth "SSL *s" "int depth"
-.Ft int
-.Fn verify_callback "int preverify_ok" "X509_STORE_CTX *x509_ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_verify
-sets the verification flags for
-.Fa ctx
-to be
-.Fa mode
-and
-specifies the
-.Fa verify_callback
-function to be used.
-If no callback function shall be specified, the
-.Dv NULL
-pointer can be used for
-.Fa verify_callback .
-.Pp
-.Fn SSL_set_verify
-sets the verification flags for
-.Fa ssl
-to be
-.Fa mode
-and specifies the
-.Fa verify_callback
-function to be used.
-If no callback function shall be specified, the
-.Dv NULL
-pointer can be used for
-.Fa verify_callback .
-In this case last
-.Fa verify_callback
-set specifically for this
-.Fa ssl
-remains.
-If no special callback was set before, the default callback for the underlying
-.Fa ctx
-is used, that was valid at the time
-.Fa ssl
-was created with
-.Xr SSL_new 3 .
-Within the callback function,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3
-can be called to get the data index of the current
-.Vt SSL
-object that is doing the verification.
-.Pp
-.Fn SSL_CTX_set_verify_depth
-sets the maximum
-.Fa depth
-for the certificate chain verification that shall be allowed for
-.Fa ctx .
-(See the
-.Sx BUGS
-section.)
-.Pp
-.Fn SSL_set_verify_depth
-sets the maximum
-.Fa depth
-for the certificate chain verification that shall be allowed for
-.Fa ssl .
-(See the
-.Sx BUGS
-section.)
-.Pp
-The verification of certificates can be controlled by a set of bitwise ORed
-.Fa mode
-flags:
-.Bl -tag -width Ds
-.It Dv SSL_VERIFY_NONE
-.Em Server mode :
-the server will not send a client certificate request to the client,
-so the client will not send a certificate.
-.Pp
-.Em Client mode :
-if not using an anonymous cipher (by default disabled),
-the server will send a certificate which will be checked.
-The result of the certificate verification process can be checked after the
-TLS/SSL handshake using the
-.Xr SSL_get_verify_result 3
-function.
-The handshake will be continued regardless of the verification result.
-.It Dv SSL_VERIFY_PEER
-.Em Server mode :
-the server sends a client certificate request to the client.
-The certificate returned (if any) is checked.
-If the verification process fails,
-the TLS/SSL handshake is immediately terminated with an alert message
-containing the reason for the verification failure.
-The behaviour can be controlled by the additional
-.Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-and
-.Dv SSL_VERIFY_CLIENT_ONCE
-flags.
-.Pp
-.Em Client mode :
-the server certificate is verified.
-If the verification process fails,
-the TLS/SSL handshake is immediately terminated with an alert message
-containing the reason for the verification failure.
-If no server certificate is sent, because an anonymous cipher is used,
-.Dv SSL_VERIFY_PEER
-is ignored.
-.It Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-.Em Server mode :
-if the client did not return a certificate, the TLS/SSL
-handshake is immediately terminated with a
-.Dq handshake failure
-alert.
-This flag must be used together with
-.Dv SSL_VERIFY_PEER .
-.Pp
-.Em Client mode :
-ignored
-.It Dv SSL_VERIFY_CLIENT_ONCE
-.Em Server mode :
-only request a client certificate on the initial TLS/SSL handshake.
-Do not ask for a client certificate again in case of a renegotiation.
-This flag must be used together with
-.Dv SSL_VERIFY_PEER .
-.Pp
-.Em Client mode :
-ignored
-.El
-.Pp
-Exactly one of the
-.Fa mode
-flags
-.Dv SSL_VERIFY_NONE
-and
-.Dv SSL_VERIFY_PEER
-must be set at any time.
-.Pp
-The actual verification procedure is performed either using the built-in
-verification procedure or using another application provided verification
-function set with
-.Xr SSL_CTX_set_cert_verify_callback 3 .
-The following descriptions apply in the case of the built-in procedure.
-An application provided procedure also has access to the verify depth
-information and the
-.Fa verify_callback Ns ()
-function, but the way this information is used may be different.
-.Pp
-.Fn SSL_CTX_set_verify_depth
-and
-.Fn SSL_set_verify_depth
-set the limit up to which depth certificates in a chain are used during the
-verification procedure.
-If the certificate chain is longer than allowed,
-the certificates above the limit are ignored.
-Error messages are generated as if these certificates would not be present,
-most likely a
-.Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
-will be issued.
-The depth count is
-.Dq level 0: peer certificate ,
-.Dq level 1: CA certificate ,
-.Dq level 2: higher level CA certificate ,
-and so on.
-Setting the maximum depth to 2 allows the levels 0, 1, and 2.
-The default depth limit is 100,
-allowing for the peer certificate and an additional 100 CA certificates.
-.Pp
-The
-.Fa verify_callback
-function is used to control the behaviour when the
-.Dv SSL_VERIFY_PEER
-flag is set.
-It must be supplied by the application and receives two arguments:
-.Fa preverify_ok
-indicates whether the verification of the certificate in question was passed
-(preverify_ok=1) or not (preverify_ok=0).
-.Fa x509_ctx
-is a pointer to the complete context used
-for the certificate chain verification.
-.Pp
-The certificate chain is checked starting with the deepest nesting level
-(the root CA certificate) and worked upward to the peer's certificate.
-At each level signatures and issuer attributes are checked.
-Whenever a verification error is found, the error number is stored in
-.Fa x509_ctx
-and
-.Fa verify_callback
-is called with
-.Fa preverify_ok
-equal to 0.
-By applying
-.Fn X509_CTX_store_*
-functions
-.Fa verify_callback
-can locate the certificate in question and perform additional steps (see
-.Sx EXAMPLES ) .
-If no error is found for a certificate,
-.Fa verify_callback
-is called with
-.Fa preverify_ok
-equal to 1 before advancing to the next level.
-.Pp
-The return value of
-.Fa verify_callback
-controls the strategy of the further verification process.
-If
-.Fa verify_callback
-returns 0, the verification process is immediately stopped with
-.Dq verification failed
-state.
-If
-.Dv SSL_VERIFY_PEER
-is set, a verification failure alert is sent to the peer and the TLS/SSL
-handshake is terminated.
-If
-.Fa verify_callback
-returns 1, the verification process is continued.
-If
-.Fa verify_callback
-always returns 1,
-the TLS/SSL handshake will not be terminated with respect to verification
-failures and the connection will be established.
-The calling process can however retrieve the error code of the last
-verification error using
-.Xr SSL_get_verify_result 3
-or by maintaining its own error storage managed by
-.Fa verify_callback .
-.Pp
-If no
-.Fa verify_callback
-is specified, the default callback will be used.
-Its return value is identical to
-.Fa preverify_ok ,
-so that any verification
-failure will lead to a termination of the TLS/SSL handshake with an
-alert message, if
-.Dv SSL_VERIFY_PEER
-is set.
-.Sh EXAMPLES
-The following code sequence realizes an example
-.Fa verify_callback
-function that will always continue the TLS/SSL handshake regardless of
-verification failure, if wished.
-The callback realizes a verification depth limit with more informational output.
-.Pp
-All verification errors are printed;
-information about the certificate chain is printed on request.
-The example is realized for a server that does allow but not require client
-certificates.
-.Pp
-The example makes use of the ex_data technique to store application data
-into/retrieve application data from the
-.Vt SSL
-structure (see
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ) .
-.Bd -literal
-\&...
-
-typedef struct {
-        int     verbose_mode;
-        int     verify_depth;
-        int     always_continue;
-} mydata_t;
-int mydata_index;
-\&...
-static int
-verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-{
-        char buf[256];
-        X509 *err_cert;
-        int err, depth;
-        SSL *ssl;
-        mydata_t *mydata;
-
-        err_cert = X509_STORE_CTX_get_current_cert(ctx);
-        err = X509_STORE_CTX_get_error(ctx);
-        depth = X509_STORE_CTX_get_error_depth(ctx);
-
-        /*
-         * Retrieve the pointer to the SSL of the connection currently
-         * treated * and the application specific data stored into the
-         * SSL object.
-         */
-        ssl = X509_STORE_CTX_get_ex_data(ctx,
-            SSL_get_ex_data_X509_STORE_CTX_idx());
-        mydata = SSL_get_ex_data(ssl, mydata_index);
-
-        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
-
-        /*
-         * Catch a too long certificate chain. The depth limit set using
-         * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
-         * that whenever the "depth>verify_depth" condition is met, we
-         * have violated the limit and want to log this error condition.
-         * We must do it here, because the CHAIN_TOO_LONG error would not
-         * be found explicitly; only errors introduced by cutting off the
-         * additional certificates would be logged.
-         */
-        if (depth > mydata->verify_depth) {
-                preverify_ok = 0;
-                err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
-                X509_STORE_CTX_set_error(ctx, err);
-        }
-        if (!preverify_ok) {
-                printf("verify error:num=%d:%s:depth=%d:%s\en", err,
-                    X509_verify_cert_error_string(err), depth, buf);
-        } else if (mydata->verbose_mode) {
-                printf("depth=%d:%s\en", depth, buf);
-        }
-
-        /*
-         * At this point, err contains the last verification error.
-         * We can use it for something special
-         */
-        if (!preverify_ok && (err ==
-            X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
-                X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
-                    buf, 256);
-                printf("issuer= %s\en", buf);
-        }
-
-        if (mydata->always_continue)
-                return 1;
-        else
-                return preverify_ok;
-}
-\&...
-
-mydata_t mydata;
-
-\&...
-
-mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
-
-\&...
-
-SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-    verify_callback);
-
-/*
- * Let the verify_callback catch the verify_depth error so that we get
- * an appropriate error in the logfile.
- */
-SSL_CTX_set_verify_depth(verify_depth + 1);
-
-/*
- * Set up the SSL specific data into "mydata" and store it into the SSL
- * structure.
- */
-mydata.verify_depth = verify_depth; ...
-SSL_set_ex_data(ssl, mydata_index, &mydata);
-
-\&...
-
-SSL_accept(ssl); /* check of success left out for clarity */
-if (peer = SSL_get_peer_certificate(ssl)) {
-        if (SSL_get_verify_result(ssl) == X509_V_OK) {
-                /* The client sent a certificate which verified OK */
-        }
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_get_verify_mode 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_cert_verify_callback 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ,
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_get_verify_result 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set1_host 3
-.Sh HISTORY
-.Fn SSL_set_verify
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_CTX_set_verify
-first appeared in SSLeay 0.6.4.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_set_verify_depth
-and
-.Fn SSL_set_verify_depth
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
-.Sh BUGS
-In client mode, it is not checked whether the
-.Dv SSL_VERIFY_PEER
-flag is set, but whether
-.Dv SSL_VERIFY_NONE
-is not set.
-This can lead to unexpected behaviour, if the
-.Dv SSL_VERIFY_PEER
-and
-.Dv SSL_VERIFY_NONE
-are not used as required (exactly one must be set at any time).
-.Pp
-The certificate verification depth set with
-.Fn SSL[_CTX]_verify_depth
-stops the verification at a certain depth.
-The error message produced will be that of an incomplete certificate chain and
-not
-.Dv X509_V_ERR_CERT_CHAIN_TOO_LONG
-as may be expected.
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
deleted file mode 100644
index c88a6971b2..0000000000
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ /dev/null
@@ -1,451 +0,0 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.17 2025/01/18 10:45:12 tb Exp $
-.\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000
-.\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2003, 2005 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 18 2025 $
-.Dt SSL_CTX_USE_CERTIFICATE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_use_certificate ,
-.Nm SSL_CTX_use_certificate_ASN1 ,
-.Nm SSL_CTX_use_certificate_file ,
-.Nm SSL_use_certificate ,
-.Nm SSL_use_certificate_ASN1 ,
-.Nm SSL_use_certificate_chain_file ,
-.Nm SSL_use_certificate_file ,
-.Nm SSL_CTX_use_certificate_chain_file ,
-.Nm SSL_CTX_use_certificate_chain_mem ,
-.Nm SSL_CTX_use_PrivateKey ,
-.Nm SSL_CTX_use_PrivateKey_ASN1 ,
-.Nm SSL_CTX_use_PrivateKey_file ,
-.Nm SSL_CTX_use_RSAPrivateKey ,
-.Nm SSL_CTX_use_RSAPrivateKey_ASN1 ,
-.Nm SSL_CTX_use_RSAPrivateKey_file ,
-.Nm SSL_use_PrivateKey_file ,
-.Nm SSL_use_PrivateKey_ASN1 ,
-.Nm SSL_use_PrivateKey ,
-.Nm SSL_use_RSAPrivateKey ,
-.Nm SSL_use_RSAPrivateKey_ASN1 ,
-.Nm SSL_use_RSAPrivateKey_file ,
-.Nm SSL_CTX_check_private_key ,
-.Nm SSL_check_private_key
-.Nd load certificate and key data
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x"
-.Ft int
-.Fn SSL_CTX_use_certificate_ASN1 "SSL_CTX *ctx" "int len" "unsigned char *d"
-.Ft int
-.Fn SSL_CTX_use_certificate_file "SSL_CTX *ctx" "const char *file" "int type"
-.Ft int
-.Fn SSL_use_certificate "SSL *ssl" "X509 *x"
-.Ft int
-.Fn SSL_use_certificate_ASN1 "SSL *ssl" "unsigned char *d" "int len"
-.Ft int
-.Fn SSL_use_certificate_chain_file "SSL *ssl" "const char *file"
-.Ft int
-.Fn SSL_use_certificate_file "SSL *ssl" "const char *file" "int type"
-.Ft int
-.Fn SSL_CTX_use_certificate_chain_file "SSL_CTX *ctx" "const char *file"
-.Ft int
-.Fn SSL_CTX_use_certificate_chain_mem "SSL_CTX *ctx" "void *buf" "int len"
-.Ft int
-.Fn SSL_CTX_use_PrivateKey "SSL_CTX *ctx" "EVP_PKEY *pkey"
-.Ft int
-.Fo SSL_CTX_use_PrivateKey_ASN1
-.Fa "int pk" "SSL_CTX *ctx" "unsigned char *d" "long len"
-.Fc
-.Ft int
-.Fn SSL_CTX_use_PrivateKey_file "SSL_CTX *ctx" "const char *file" "int type"
-.Ft int
-.Fn SSL_CTX_use_RSAPrivateKey "SSL_CTX *ctx" "RSA *rsa"
-.Ft int
-.Fn SSL_CTX_use_RSAPrivateKey_ASN1 "SSL_CTX *ctx" "unsigned char *d" "long len"
-.Ft int
-.Fn SSL_CTX_use_RSAPrivateKey_file "SSL_CTX *ctx" "const char *file" "int type"
-.Ft int
-.Fn SSL_use_PrivateKey "SSL *ssl" "EVP_PKEY *pkey"
-.Ft int
-.Fn SSL_use_PrivateKey_ASN1 "int pk" "SSL *ssl" "unsigned char *d" "long len"
-.Ft int
-.Fn SSL_use_PrivateKey_file "SSL *ssl" "const char *file" "int type"
-.Ft int
-.Fn SSL_use_RSAPrivateKey "SSL *ssl" "RSA *rsa"
-.Ft int
-.Fn SSL_use_RSAPrivateKey_ASN1 "SSL *ssl" "const unsigned char *d" "long len"
-.Ft int
-.Fn SSL_use_RSAPrivateKey_file "SSL *ssl" "const char *file" "int type"
-.Ft int
-.Fn SSL_CTX_check_private_key "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_check_private_key "const SSL *ssl"
-.Sh DESCRIPTION
-These functions load the certificates and private keys into the
-.Vt SSL_CTX
-or
-.Vt SSL
-object, respectively.
-.Pp
-The
-.Fn SSL_CTX_*
-class of functions loads the certificates and keys into the
-.Vt SSL_CTX
-object
-.Fa ctx .
-The information is passed to
-.Vt SSL
-objects
-.Fa ssl
-created from
-.Fa ctx
-with
-.Xr SSL_new 3
-by copying, so that changes applied to
-.Fa ctx
-do not propagate to already existing
-.Vt SSL
-objects.
-.Pp
-The
-.Fn SSL_*
-class of functions only loads certificates and keys into a specific
-.Vt SSL
-object.
-The specific information is kept when
-.Xr SSL_clear 3
-is called for this
-.Vt SSL
-object.
-.Pp
-.Fn SSL_CTX_use_certificate
-loads the certificate
-.Fa x
-into
-.Fa ctx ;
-.Fn SSL_use_certificate
-loads
-.Fa x
-into
-.Fa ssl .
-The rest of the certificates needed to form the complete certificate chain can
-be specified using the
-.Xr SSL_CTX_add_extra_chain_cert 3
-function.
-.Pp
-.Fn SSL_CTX_use_certificate_ASN1
-loads the ASN1 encoded certificate from the memory location
-.Fa d
-(with length
-.Fa len )
-into
-.Fa ctx ;
-.Fn SSL_use_certificate_ASN1
-loads the ASN1 encoded certificate into
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_use_certificate_file
-loads the first certificate stored in
-.Fa file
-into
-.Fa ctx .
-The formatting
-.Fa type
-of the certificate must be specified from the known types
-.Dv SSL_FILETYPE_PEM
-and
-.Dv SSL_FILETYPE_ASN1 .
-.Fn SSL_use_certificate_file
-loads the certificate from
-.Fa file
-into
-.Fa ssl .
-See the
-.Sx NOTES
-section on why
-.Fn SSL_CTX_use_certificate_chain_file
-should be preferred.
-.Pp
-The
-.Fn SSL_CTX_use_certificate_chain*
-functions load a certificate chain into
-.Fa ctx .
-The certificates must be in PEM format and must be sorted starting with the
-subject's certificate (actual client or server certificate),
-followed by intermediate CA certificates if applicable,
-and ending at the highest level (root) CA.
-With the exception of
-.Fn SSL_use_certificate_chain_file ,
-there is no corresponding function working on a single
-.Vt SSL
-object.
-.Pp
-.Fn SSL_CTX_use_PrivateKey
-adds
-.Fa pkey
-as private key to
-.Fa ctx .
-.Fn SSL_CTX_use_RSAPrivateKey
-adds the private key
-.Fa rsa
-of type RSA to
-.Fa ctx .
-.Fn SSL_use_PrivateKey
-adds
-.Fa pkey
-as private key to
-.Fa ssl ;
-.Fn SSL_use_RSAPrivateKey
-adds
-.Fa rsa
-as private key of type RSA to
-.Fa ssl .
-If a certificate has already been set and the private does not belong to the
-certificate, an error is returned.
-To change a certificate private key pair,
-the new certificate needs to be set with
-.Fn SSL_use_certificate
-or
-.Fn SSL_CTX_use_certificate
-before setting the private key with
-.Fn SSL_CTX_use_PrivateKey
-or
-.Fn SSL_use_PrivateKey .
-.Pp
-.Fn SSL_CTX_use_PrivateKey_ASN1
-adds the private key of type
-.Fa pk
-stored at memory location
-.Fa d
-(length
-.Fa len )
-to
-.Fa ctx .
-.Fn SSL_CTX_use_RSAPrivateKey_ASN1
-adds the private key of type RSA stored at memory location
-.Fa d
-(length
-.Fa len )
-to
-.Fa ctx .
-.Fn SSL_use_PrivateKey_ASN1
-and
-.Fn SSL_use_RSAPrivateKey_ASN1
-add the private key to
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_use_PrivateKey_file
-adds the first private key found in
-.Fa file
-to
-.Fa ctx .
-The formatting
-.Fa type
-of the private key must be specified from the known types
-.Dv SSL_FILETYPE_PEM
-and
-.Dv SSL_FILETYPE_ASN1 .
-.Fn SSL_CTX_use_RSAPrivateKey_file
-adds the first private RSA key found in
-.Fa file
-to
-.Fa ctx .
-.Fn SSL_use_PrivateKey_file
-adds the first private key found in
-.Fa file
-to
-.Fa ssl ;
-.Fn SSL_use_RSAPrivateKey_file
-adds the first private RSA key found to
-.Fa ssl .
-.Pp
-The
-.Fn SSL_CTX_check_private_key
-function is seriously misnamed.
-It compares the
-.Em public
-key components and parameters of an OpenSSL private key with the
-corresponding certificate loaded into
-.Fa ctx .
-If more than one key/certificate pair (RSA/ECDSA) is installed,
-the last item installed will be compared.
-If, e.g., the last item was an RSA certificate or key,
-the RSA key/certificate pair will be checked.
-.Fn SSL_check_private_key
-performs the same
-.Em public
-key comparison for
-.Fa ssl .
-If no key/certificate was explicitly added for this
-.Fa ssl ,
-the last item added into
-.Fa ctx
-will be checked.
-.Pp
-Despite the name, neither
-.Fn SSL_CTX_check_private_key
-nor
-.Fn SSL_check_private_key
-checks whether the private key component is indeed a private key,
-nor whether it matches the public key component.
-They merely compare the public materials (e.g. exponent and modulus of
-an RSA key) and/or key parameters (e.g. EC params of an EC key) of a
-key pair.
-.Sh NOTES
-The internal certificate store of OpenSSL can hold several private
-key/certificate pairs at a time.
-The certificate used depends on the cipher selected.
-See also
-.Xr SSL_CTX_set_cipher_list 3 .
-.Pp
-When reading certificates and private keys from file, files of type
-.Dv SSL_FILETYPE_ASN1
-(also known as
-.Em DER ,
-binary encoding) can only contain one certificate or private key; consequently,
-.Fn SSL_CTX_use_certificate_chain_file
-is only applicable to PEM formatting.
-Files of type
-.Dv SSL_FILETYPE_PEM
-can contain more than one item.
-.Pp
-.Fn SSL_CTX_use_certificate_chain_file
-adds the first certificate found in the file to the certificate store.
-The other certificates are added to the store of chain certificates using
-.Xr SSL_CTX_add1_chain_cert 3 .
-It is recommended to use the
-.Fn SSL_CTX_use_certificate_chain_file
-instead of the
-.Fn SSL_CTX_use_certificate_file
-function in order to allow the use of complete certificate chains even when no
-trusted CA storage is used or when the CA issuing the certificate shall not be
-added to the trusted CA storage.
-.Pp
-If additional certificates are needed to complete the chain during the TLS
-negotiation, CA certificates are additionally looked up in the locations of
-trusted CA certificates (see
-.Xr SSL_CTX_load_verify_locations 3 ) .
-.Pp
-The private keys loaded from file can be encrypted.
-In order to successfully load encrypted keys,
-a function returning the passphrase must have been supplied (see
-.Xr SSL_CTX_set_default_passwd_cb 3 ) .
-(Certificate files might be encrypted as well from the technical point of view,
-it however does not make sense as the data in the certificate is considered
-public anyway.)
-.Sh RETURN VALUES
-On success, the functions return 1.
-Otherwise check out the error stack to find out the reason.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_add1_chain_cert 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_set_default_passwd_cb 3 ,
-.Xr SSL_new 3 ,
-.Xr X509_check_private_key 3
-.Sh HISTORY
-.Fn SSL_use_certificate ,
-.Fn SSL_use_certificate_file ,
-.Fn SSL_use_RSAPrivateKey ,
-and
-.Fn SSL_use_RSAPrivateKey_file
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_use_certificate_ASN1
-and
-.Fn SSL_use_RSAPrivateKey_ASN1
-first appeared in SSLeay 0.5.1.
-.Fn SSL_use_PrivateKey_file ,
-.Fn SSL_use_PrivateKey_ASN1 ,
-and
-.Fn SSL_use_PrivateKey
-first appeared in SSLeay 0.6.0.
-.Fn SSL_CTX_use_certificate ,
-.Fn SSL_CTX_use_certificate_ASN1 ,
-.Fn SSL_CTX_use_certificate_file ,
-.Fn SSL_CTX_use_PrivateKey ,
-.Fn SSL_CTX_use_PrivateKey_ASN1 ,
-.Fn SSL_CTX_use_PrivateKey_file ,
-.Fn SSL_CTX_use_RSAPrivateKey ,
-.Fn SSL_CTX_use_RSAPrivateKey_ASN1 ,
-and
-.Fn SSL_CTX_use_RSAPrivateKey_file
-first appeared in SSLeay 0.6.1.
-.Fn SSL_CTX_check_private_key
-and
-.Fn SSL_check_private_key
-first appeared in SSLeay 0.6.5.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_use_certificate_chain_file
-first appeared in OpenSSL 0.9.4 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_use_certificate_chain_file
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.9 .
-.Pp
-Support for DER encoded private keys
-.Pq Dv SSL_FILETYPE_ASN1
-in
-.Fn SSL_CTX_use_PrivateKey_file
-and
-.Fn SSL_use_PrivateKey_file
-was added in 0.9.8.
-.Pp
-.Fn SSL_CTX_use_certificate_chain_mem
-first appeared in
-.Ox 5.7 .
diff --git a/src/lib/libssl/man/SSL_SESSION_free.3 b/src/lib/libssl/man/SSL_SESSION_free.3
deleted file mode 100644
index 3f785e95e5..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_free.3
+++ /dev/null
@@ -1,148 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_free.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
-.\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2009, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_SESSION_FREE 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_up_ref ,
-.Nm SSL_SESSION_free
-.Nd SSL_SESSION reference counting
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_SESSION_up_ref "SSL_SESSION *session"
-.Ft void
-.Fn SSL_SESSION_free "SSL_SESSION *session"
-.Sh DESCRIPTION
-.Fn SSL_SESSION_up_ref
-increments the reference count of the given
-.Fa session
-by 1.
-.Pp
-.Fn SSL_SESSION_free
-decrements the reference count of the given
-.Fa session
-by 1.
-If the reference count reaches 0, it frees the memory used by the
-.Fa session .
-If
-.Fa session
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Vt SSL_SESSION
-objects are allocated when a TLS/SSL handshake operation is successfully
-completed.
-Depending on the settings, see
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-the
-.Vt SSL_SESSION
-objects are internally referenced by the
-.Vt SSL_CTX
-and linked into its session cache.
-.Vt SSL
-objects may be using the
-.Vt SSL_SESSION
-object; as a session may be reused, several
-.Vt SSL
-objects may be using one
-.Vt SSL_SESSION
-object at the same time.
-It is therefore crucial to keep the reference count (usage information) correct
-and not delete a
-.Vt SSL_SESSION
-object that is still used, as this may lead to program failures due to dangling
-pointers.
-These failures may also appear delayed, e.g., when an
-.Vt SSL_SESSION
-object is completely freed as the reference count incorrectly becomes 0, but it
-is still referenced in the internal session cache and the cache list is
-processed during a
-.Xr SSL_CTX_flush_sessions 3
-operation.
-.Pp
-.Fn SSL_SESSION_free
-must only be called for
-.Vt SSL_SESSION
-objects, for which the reference count was explicitly incremented (e.g., by
-calling
-.Xr SSL_get1_session 3 ;
-see
-.Xr SSL_get_session 3 )
-or when the
-.Vt SSL_SESSION
-object was generated outside a TLS handshake operation, e.g., by using
-.Xr d2i_SSL_SESSION 3 .
-It must not be called on other
-.Vt SSL_SESSION
-objects, as this would cause incorrect reference counts and therefore program
-failures.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_up_ref
-returns 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr d2i_SSL_SESSION 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_free
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_SESSION_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3 b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
deleted file mode 100644
index 239a426dbd..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
+++ /dev/null
@@ -1,94 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.1 2021/05/12 14:16:25 tb Exp $
-.\" full merge up to: OpenSSL d42e7759f Mar 30 19:40:04 2017 +0200
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Rich Salz <rsalz@openssl.org>.
-.\" Copyright (c) 2016, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 12 2021 $
-.Dt SSL_SESSION_GET0_CIPHER 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get0_cipher
-.Nd retrieve the SSL cipher associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const SSL_CIPHER *
-.Fo SSL_SESSION_get0_cipher
-.Fa "const SSL_SESSION *session"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get0_cipher
-retrieves the cipher that was used by the connection when the session
-was created, or
-.Dv NULL
-if it cannot be determined.
-.Pp
-The value returned is a pointer to an object maintained within
-.Fa session
-and should not be released.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get0_cipher
-returns the
-.Vt SSL_CIPHER
-associated with
-.Fa session
-or
-.Dv NULL
-if it cannot be determined.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CIPHER_get_name 3 ,
-.Xr SSL_get_current_cipher 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-The
-.Fn SSL_SESSION_get0_cipher
-function first appeared in OpenSSL 1.1.0
-and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_peer.3 b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
deleted file mode 100644
index 6b1ef6680e..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get0_peer.3
+++ /dev/null
@@ -1,80 +0,0 @@
-.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
-.\"     OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt SSL_SESSION_GET0_PEER 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get0_peer
-.Nd get details about peer's certificate for a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft X509 *
-.Fo SSL_SESSION_get0_peer
-.Fa "SSL_SESSION *s"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get0_peer
-returns a pointer to the peer certificate associated with the session
-.Fa s
-or
-.Dv NULL
-if no peer certificate is available.
-The caller should not free the returned value, unless
-.Xr X509_up_ref 3
-has also been called.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_get0_peer
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
deleted file mode 100644
index aedc216a15..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
+++ /dev/null
@@ -1,78 +0,0 @@
-.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $
-.\"     OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt SSL_SESSION_GET_COMPRESS_ID 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get_compress_id
-.Nd get details about the compression associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft unsigned int
-.Fo SSL_SESSION_get_compress_id
-.Fa "const SSL_SESSION *s"
-.Fc
-.Sh DESCRIPTION
-If compression has been negotiated for an ssl session,
-.Fn SSL_SESSION_get_compress_id
-returns the id for the compression method, or 0 otherwise.
-The only built-in supported compression method is zlib,
-which has an id of 1.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_get_compress_id
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
deleted file mode 100644
index 9fd6949b6a..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ /dev/null
@@ -1,134 +0,0 @@
-.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 21 2018 $
-.Dt SSL_SESSION_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get_ex_new_index ,
-.Nm SSL_SESSION_set_ex_data ,
-.Nm SSL_SESSION_get_ex_data
-.Nd internal application specific data functions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_SESSION_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fn SSL_SESSION_set_ex_data "SSL_SESSION *session" "int idx" "void *arg"
-.Ft void *
-.Fn SSL_SESSION_get_ex_data "const SSL_SESSION *session" "int idx"
-.Bd -literal
- typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                int idx, long argl, void *argp);
- typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-                int idx, long argl, void *argp);
- typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
-                int idx, long argl, void *argp);
-.Ed
-.Sh DESCRIPTION
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate
-application-specific data attached to a specific structure.
-.Pp
-.Fn SSL_SESSION_get_ex_new_index
-is used to register a new index for application-specific data.
-.Pp
-.Fn SSL_SESSION_set_ex_data
-is used to store application data at
-.Fa arg
-for
-.Fa idx
-into the
-.Fa session
-object.
-.Pp
-.Fn SSL_SESSION_get_ex_data
-is used to retrieve the information for
-.Fa idx
-from
-.Fa session .
-.Pp
-A detailed description for the
-.Fn *_get_ex_new_index
-functionality
-can be found in
-.Xr RSA_get_ex_new_index 3 .
-The
-.Fn *_get_ex_data
-and
-.Fn *_set_ex_data
-functionality is described in
-.Xr CRYPTO_set_ex_data 3 .
-.Sh WARNINGS
-The application data is only maintained for sessions held in memory.
-The application data is not included when dumping the session with
-.Xr i2d_SSL_SESSION 3
-(and all functions indirectly calling the dump functions like
-.Xr PEM_write_SSL_SESSION 3
-and
-.Xr PEM_write_bio_SSL_SESSION 3 )
-and can therefore not be restored.
-.Sh SEE ALSO
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_SESSION_get_ex_new_index ,
-.Fn SSL_SESSION_set_ex_data ,
-and
-.Fn SSL_SESSION_get_ex_data
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_id.3 b/src/lib/libssl/man/SSL_SESSION_get_id.3
deleted file mode 100644
index 6d0de1e52e..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_id.3
+++ /dev/null
@@ -1,112 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100
-.\"
-.\" This file was written by Remi Gacogne <rgacogne-github@coredump.fr>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_SESSION_GET_ID 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get_id ,
-.Nm SSL_SESSION_set1_id
-.Nd get and set the SSL session ID
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const unsigned char *
-.Fo SSL_SESSION_get_id
-.Fa "const SSL_SESSION *s"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo SSL_SESSION_set1_id
-.Fa "SSL_SESSION *s"
-.Fa "const unsigned char *sid"
-.Fa "unsigned int sid_len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get_id
-returns a pointer to the internal session ID value for the session
-.Fa s .
-The length of the ID in bytes is stored in
-.Pf * Fa len .
-The length may be 0.
-The caller should not free the returned pointer directly.
-.Pp
-.Fn SSL_SESSION_set1_id
-sets the session ID for
-.Fa s
-to a copy of the
-.Fa sid
-of length
-.Fa sid_len .
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get_id
-returns a pointer to the session ID value.
-.Pp
-.Fn SSL_SESSION_set1_id
-returns 1 for success and 0 for failure,
-for example if the supplied session ID length exceeds
-.Dv SSL_MAX_SSL_SESSION_ID_LENGTH .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_copy_session_id 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_has_ticket 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_get_id
-first appeared in OpenSSL 0.9.8 and has been available since
-.Ox 4.5 .
-.Pp
-.Fn SSL_SESSION_set1_id
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
deleted file mode 100644
index f14c0490e9..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by TJ Saunders <tj@castaglia.org>
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_SESSION_GET_PROTOCOL_VERSION 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get_protocol_version
-.Nd get the session protocol version
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_SESSION_get_protocol_version
-.Fa "const SSL_SESSION *s"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get_protocol_version
-returns the protocol version number used by the session
-.Fa s .
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get_protocol_version
-returns a constant like
-.Dv TLS1_VERSION
-or
-.Dv TLS1_2_VERSION .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_get0_peer 3 ,
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_get_protocol_version
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_time.3 b/src/lib/libssl/man/SSL_SESSION_get_time.3
deleted file mode 100644
index aaadec5137..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_time.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.8 2019/06/08 15:25:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005, 2006, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_SESSION_GET_TIME 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get_time ,
-.Nm SSL_SESSION_set_time ,
-.Nm SSL_SESSION_get_timeout ,
-.Nm SSL_SESSION_set_timeout ,
-.Nm SSL_get_time ,
-.Nm SSL_set_time ,
-.Nm SSL_get_timeout ,
-.Nm SSL_set_timeout
-.Nd retrieve and manipulate session time and timeout settings
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_SESSION_get_time "const SSL_SESSION *s"
-.Ft long
-.Fn SSL_SESSION_set_time "SSL_SESSION *s" "long tm"
-.Ft long
-.Fn SSL_SESSION_get_timeout "const SSL_SESSION *s"
-.Ft long
-.Fn SSL_SESSION_set_timeout "SSL_SESSION *s" "long tm"
-.Ft long
-.Fn SSL_get_time "const SSL_SESSION *s"
-.Ft long
-.Fn SSL_set_time "SSL_SESSION *s" "long tm"
-.Ft long
-.Fn SSL_get_timeout "const SSL_SESSION *s"
-.Ft long
-.Fn SSL_set_timeout "SSL_SESSION *s" "long tm"
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get_time
-returns the time at which the session
-.Fa s
-was established.
-The time is given in seconds since the Epoch and therefore compatible to the
-time delivered by the
-.Xr time 3
-call.
-.Pp
-.Fn SSL_SESSION_set_time
-replaces the creation time of the session
-.Fa s
-with
-the chosen value
-.Fa tm .
-.Pp
-.Fn SSL_SESSION_get_timeout
-returns the timeout value set for session
-.Fa s
-in seconds.
-.Pp
-.Fn SSL_SESSION_set_timeout
-sets the timeout value for session
-.Fa s
-in seconds to
-.Fa tm .
-.Pp
-The
-.Fn SSL_get_time ,
-.Fn SSL_set_time ,
-.Fn SSL_get_timeout ,
-and
-.Fn SSL_set_timeout
-functions are synonyms for the
-.Fn SSL_SESSION_*
-counterparts.
-.Pp
-Sessions are expired by examining the creation time and the timeout value.
-Both are set at creation time of the session to the actual time and the default
-timeout value at creation, respectively, as set by
-.Xr SSL_CTX_set_timeout 3 .
-Using these functions it is possible to extend or shorten the lifetime of the
-session.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get_time
-and
-.Fn SSL_SESSION_get_timeout
-return the currently valid values.
-.Pp
-.Fn SSL_SESSION_set_time
-and
-.Fn SSL_SESSION_set_timeout
-return 1 on success.
-.Pp
-If any of the function is passed the
-.Dv NULL
-pointer for the session
-.Fa s ,
-0 is returned.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_timeout 3 ,
-.Xr SSL_get_default_timeout 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_has_ticket 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_get_time ,
-.Fn SSL_get_timeout ,
-and
-.Fn SSL_set_timeout
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_set_time
-first appeared in SSLeay 0.5.2.
-.Fn SSL_SESSION_get_time ,
-.Fn SSL_SESSION_set_time ,
-.Fn SSL_SESSION_get_timeout ,
-and
-.Fn SSL_SESSION_set_timeout
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_SESSION_has_ticket.3 b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
deleted file mode 100644
index 322b49feef..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_has_ticket.3
+++ /dev/null
@@ -1,85 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_SESSION_HAS_TICKET 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_has_ticket ,
-.Nm SSL_SESSION_get_ticket_lifetime_hint
-.Nd get details about the ticket associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_SESSION_has_ticket
-.Fa "const SSL_SESSION *s"
-.Fc
-.Ft unsigned long
-.Fo SSL_SESSION_get_ticket_lifetime_hint
-.Fa "const SSL_SESSION *s"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_has_ticket
-returns 1 if there is a Session Ticket associated with
-.Fa s
-or 0 otherwise.
-.Pp
-.Fn SSL_SESSION_get_ticket_lifetime_hint
-returns the lifetime hint in seconds associated with the session ticket.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_is_resumable.3 b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
deleted file mode 100644
index 48d7d17889..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_is_resumable.3
+++ /dev/null
@@ -1,81 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.1 2021/09/14 14:08:15 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 14 2021 $
-.Dt SSL_SESSION_IS_RESUMABLE 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_is_resumable
-.Nd determine whether an SSL_SESSION object can be used for resumption
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_SESSION_is_resumable
-.Fa "const SSL_SESSION *session"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_is_resumable
-determines whether the
-.Fa session
-object can be used to resume a session.
-Note that attempting to resume with a non-resumable session
-will result in a full handshake.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_is_resumable
-returns 1 if the session is resumable or 0 otherwise.
-It always returns 0 with LibreSSL.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_sess_set_new_cb 3 ,
-.Xr SSL_get_session 3
-.Sh HISTORY
-.Fn SSL_SESSION_is_resumable
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_SESSION_new.3 b/src/lib/libssl/man/SSL_SESSION_new.3
deleted file mode 100644
index 2dcdb264c1..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_new.3
+++ /dev/null
@@ -1,78 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_new.3,v 1.9 2021/09/14 14:08:15 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 14 2021 $
-.Dt SSL_SESSION_NEW 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_new
-.Nd construct a new SSL_SESSION object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_SESSION *
-.Fn SSL_SESSION_new void
-.Sh DESCRIPTION
-.Fn SSL_SESSION_new
-allocates and initializes a new
-.Vt SSL_SESSION
-object.
-The reference count is set to 1, the time to the current time, and
-the timeout to five minutes.
-.Pp
-When the object is no longer needed, it can be destructed with
-.Xr SSL_SESSION_free 3 .
-.Pp
-.Fn SSL_SESSION_new
-is used internally, for example by
-.Xr SSL_connect 3 .
-.Sh RETURN VALUES
-.Fn SSL_SESSION_new
-returns the new
-.Vt SSL_SESSION
-object or
-.Dv NULL
-if insufficient memory is available.
-.Pp
-After failure,
-.Xr ERR_get_error 3
-returns
-.Dv ERR_R_MALLOC_FAILURE .
-.Sh SEE ALSO
-.Xr d2i_SSL_SESSION 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr ssl 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_copy_session_id 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_free 3 ,
-.Xr SSL_SESSION_get0_peer 3 ,
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_ex_new_index 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_master_key 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_has_ticket 3 ,
-.Xr SSL_SESSION_is_resumable 3 ,
-.Xr SSL_SESSION_print 3 ,
-.Xr SSL_SESSION_set1_id_context 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_SESSION_new
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_SESSION_print.3 b/src/lib/libssl/man/SSL_SESSION_print.3
deleted file mode 100644
index e92debde0e..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_print.3
+++ /dev/null
@@ -1,74 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_print.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_SESSION_PRINT 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_print ,
-.Nm SSL_SESSION_print_fp
-.Nd print some properties of an SSL_SESSION object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_SESSION_print
-.Fa "BIO *bp"
-.Fa "const SSL_SESSION *session"
-.Fc
-.Ft int
-.Fo SSL_SESSION_print_fp
-.Fa "FILE *fp"
-.Fa "const SSL_SESSION *session"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_print
-prints some properties of
-.Fa session
-in a human-readable format to the
-.Fa "BIO *bp" ,
-including protocol version, cipher name, session ID,
-session ID context, master key, session ticket lifetime hint,
-session ticket, start time, timeout, and verify return code.
-.Pp
-.Fn SSL_SESSION_print_fp
-does the same as
-.Fn SSL_SESSION_print
-except that it prints to the
-.Fa "FILE *fp" .
-.Sh RETURN VALUES
-.Fn SSL_SESSION_print
-and
-.Fn SSL_SESSION_print_fp
-return 1 for success or 0 for failure.
-.Pp
-In some cases, the reason for failure can be determined with
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr d2i_SSL_SESSION 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_free 3 ,
-.Xr SSL_SESSION_get_ex_new_index 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_print
-first appeared in SSLeay 0.5.2.
-.Fn SSL_SESSION_print_fp
-first appeared in SSLeay 0.6.0.
-Both functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
deleted file mode 100644
index dd7595baca..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
+++ /dev/null
@@ -1,113 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_SESSION_SET1_ID_CONTEXT 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get0_id_context ,
-.Nm SSL_SESSION_set1_id_context
-.Nd get and set the SSL ID context associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const unsigned char *
-.Fo SSL_SESSION_get0_id_context
-.Fa "const SSL_SESSION *s"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo SSL_SESSION_set1_id_context
-.Fa "SSL_SESSION *s"
-.Fa "const unsigned char *sid_ctx"
-.Fa "unsigned int sid_ctx_len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get0_id_context
-returns the ID context associated with
-.Fa s .
-The length of the ID context in bytes is written to
-.Pf * Fa len
-if
-.Fa len
-is not
-.Dv NULL .
-.Pp
-.Fn SSL_SESSION_set1_id_context
-takes a copy of the provided ID context given in
-.Fa sid_ctx
-and associates it with the session
-.Fa s .
-The length of the ID context is given by
-.Fa sid_ctx_len
-which must not exceed
-.Dv SSL_MAX_SID_CTX_LENGTH
-bytes.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get0_id_context
-returns an internal pointer to an object maintained within
-.Fa s
-that should not be freed by the caller.
-.Pp
-.Fn SSL_SESSION_set1_id_context
-returns 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_session_id_context 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_set1_id_context
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_SESSION_get0_id_context
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_accept.3 b/src/lib/libssl/man/SSL_accept.3
deleted file mode 100644
index fb1d89eb57..0000000000
--- a/src/lib/libssl/man/SSL_accept.3
+++ /dev/null
@@ -1,155 +0,0 @@
-.\"     $OpenBSD: SSL_accept.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2003 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_ACCEPT 3
-.Os
-.Sh NAME
-.Nm SSL_accept
-.Nd wait for a TLS/SSL client to initiate a TLS/SSL handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_accept "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_accept
-waits for a TLS/SSL client to initiate the TLS/SSL handshake.
-The communication channel must already have been set and assigned to the
-.Fa ssl
-object by setting an underlying
-.Vt BIO .
-.Pp
-The behaviour of
-.Fn SSL_accept
-depends on the underlying
-.Vt BIO .
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-.Fn SSL_accept
-will only return once the handshake has been finished or an error occurred.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-.Fn SSL_accept
-will also return when the underlying
-.Vt BIO
-could not satisfy the needs of
-.Fn SSL_accept
-to continue the handshake, indicating the problem by the return value \(mi1.
-In this case a call to
-.Xr SSL_get_error 3
-with the
-return value of
-.Fn SSL_accept
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of
-.Fn SSL_accept .
-The action depends on the underlying
-.Dv BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The TLS/SSL handshake was not successful but was shut down controlled and by
-the specifications of the TLS/SSL protocol.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.It 1
-The TLS/SSL handshake was successfully completed,
-and a TLS/SSL connection has been established.
-.It <0
-The TLS/SSL handshake was not successful because a fatal error occurred either
-at the protocol level or a connection failure occurred.
-The shutdown was not clean.
-It can also occur of action is need to continue the operation for non-blocking
-.Vt BIO Ns
-s.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_accept
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_alert_type_string.3 b/src/lib/libssl/man/SSL_alert_type_string.3
deleted file mode 100644
index 354865e546..0000000000
--- a/src/lib/libssl/man/SSL_alert_type_string.3
+++ /dev/null
@@ -1,253 +0,0 @@
-.\"     $OpenBSD: SSL_alert_type_string.3,v 1.7 2024/10/13 08:25:09 jsg Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2011 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 13 2024 $
-.Dt SSL_ALERT_TYPE_STRING 3
-.Os
-.Sh NAME
-.Nm SSL_alert_type_string ,
-.Nm SSL_alert_type_string_long ,
-.Nm SSL_alert_desc_string ,
-.Nm SSL_alert_desc_string_long
-.Nd get textual description of alert information
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_alert_type_string "int value"
-.Ft const char *
-.Fn SSL_alert_type_string_long "int value"
-.Ft const char *
-.Fn SSL_alert_desc_string "int value"
-.Ft const char *
-.Fn SSL_alert_desc_string_long "int value"
-.Sh DESCRIPTION
-.Fn SSL_alert_type_string
-returns a one letter string indicating the type of the alert specified by
-.Fa value .
-.Pp
-.Fn SSL_alert_type_string_long
-returns a string indicating the type of the alert specified by
-.Fa value .
-.Pp
-.Fn SSL_alert_desc_string
-returns a two letter string as a short form describing the reason of the alert
-specified by
-.Fa value .
-.Pp
-.Fn SSL_alert_desc_string_long
-returns a string describing the reason of the alert specified by
-.Fa value .
-.Pp
-When one side of an SSL/TLS communication wants to inform the peer about
-a special situation, it sends an alert.
-The alert is sent as a special message and does not influence the normal data
-stream (unless its contents results in the communication being canceled).
-.Pp
-A warning alert is sent, when a non-fatal error condition occurs.
-The
-.Dq close notify
-alert is sent as a warning alert.
-Other examples for non-fatal errors are certificate errors
-.Po
-.Dq certificate expired ,
-.Dq unsupported certificate
-.Pc ,
-for which a warning alert may be sent.
-(The sending party may, however, decide to send a fatal error.)
-The receiving side may cancel the connection on reception of a warning alert at
-its discretion.
-.Pp
-Several alert messages must be sent as fatal alert messages as specified
-by the TLS RFC.
-A fatal alert always leads to a connection abort.
-.Sh RETURN VALUES
-The following strings can occur for
-.Fn SSL_alert_type_string
-or
-.Fn SSL_alert_type_string_long :
-.Bl -tag -width Ds
-.It \(dqW\(dq/\(dqwarning\(dq
-.It \(dqF\(dq/\(dqfatal\(dq
-.It \(dqU\(dq/\(dqunknown\(dq
-This indicates that no support is available for this alert type.
-Probably
-.Fa value
-does not contain a correct alert message.
-.El
-.Pp
-The following strings can occur for
-.Fn SSL_alert_desc_string
-or
-.Fn SSL_alert_desc_string_long :
-.Bl -tag -width Ds
-.It \(dqCN\(dq/\(dqclose notify\(dq
-The connection shall be closed.
-This is a warning alert.
-.It \(dqUM\(dq/\(dqunexpected message\(dq
-An inappropriate message was received.
-This alert is always fatal and should never be observed in communication
-between proper implementations.
-.It \(dqBM\(dq/\(dqbad record mac\(dq
-This alert is returned if a record is received with an incorrect MAC.
-This message is always fatal.
-.It \(dqDF\(dq/\(dqdecompression failure\(dq
-The decompression function received improper input
-(e.g., data that would expand to excessive length).
-This message is always fatal.
-.It \(dqHF\(dq/\(dqhandshake failure\(dq
-Reception of a handshake_failure alert message indicates that the sender was
-unable to negotiate an acceptable set of security parameters given the options
-available.
-This is a fatal error.
-.It \(dqNC\(dq/\(dqno certificate\(dq
-A client, that was asked to send a certificate, does not send a certificate
-(SSLv3 only).
-.It \(dqBC\(dq/\(dqbad certificate\(dq
-A certificate was corrupt, contained signatures that did not verify correctly,
-etc.
-.It \(dqUC\(dq/\(dqunsupported certificate\(dq
-A certificate was of an unsupported type.
-.It \(dqCR\(dq/\(dqcertificate revoked\(dq
-A certificate was revoked by its signer.
-.It \(dqCE\(dq/\(dqcertificate expired\(dq
-A certificate has expired or is not currently valid.
-.It \(dqCU\(dq/\(dqcertificate unknown\(dq
-Some other (unspecified) issue arose in processing the certificate,
-rendering it unacceptable.
-.It \(dqIP\(dq/\(dqillegal parameter\(dq
-A field in the handshake was out of range or inconsistent with other fields.
-This is always fatal.
-.It \(dqDC\(dq/\(dqdecryption failed\(dq
-A TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple
-of the block length or its padding values, when checked, weren't correct.
-This message is always fatal.
-.It \(dqRO\(dq/\(dqrecord overflow\(dq
-A TLSCiphertext record was received which had a length more than
-2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than
-2^14+1024 bytes.
-This message is always fatal.
-.It \(dqCA\(dq/\(dqunknown CA\(dq
-A valid certificate chain or partial chain was received,
-but the certificate was not accepted because the CA certificate could not be
-located or couldn't be matched with a known, trusted CA.
-This message is always fatal.
-.It \(dqAD\(dq/\(dqaccess denied\(dq
-A valid certificate was received, but when access control was applied,
-the sender decided not to proceed with negotiation.
-This message is always fatal.
-.It \(dqDE\(dq/\(dqdecode error\(dq
-A message could not be decoded because some field was out of the specified
-range or the length of the message was incorrect.
-This message is always fatal.
-.It \(dqCY\(dq/\(dqdecrypt error\(dq
-A handshake cryptographic operation failed, including being unable to correctly
-verify a signature, decrypt a key exchange, or validate a finished message.
-.It \(dqER\(dq/\(dqexport restriction\(dq
-A negotiation not in compliance with export restrictions was detected;
-for example, attempting to transfer a 1024 bit ephemeral RSA key for the
-RSA_EXPORT handshake method.
-This message is always fatal.
-.It \(dqPV\(dq/\(dqprotocol version\(dq
-The protocol version the client has attempted to negotiate is recognized,
-but not supported.
-(For example, old protocol versions might be avoided for security reasons.)
-This message is always fatal.
-.It \(dqIS\(dq/\(dqinsufficient security\(dq
-Returned instead of handshake_failure when a negotiation has failed
-specifically because the server requires ciphers more secure than those
-supported by the client.
-This message is always fatal.
-.It \(dqIE\(dq/\(dqinternal error\(dq
-An internal error unrelated to the peer or the correctness of the protocol
-makes it impossible to continue (such as a memory allocation failure).
-This message is always fatal.
-.It \(dqIF\(dq/\(dqinappropriate fallback\(dq
-Sent by a server in response to an invalid connection retry attempt from
-a client (see RFC 7507).
-.It \(dqUS\(dq/\(dquser canceled\(dq
-This handshake is being canceled for some reason unrelated to a protocol
-failure.
-If the user cancels an operation after the handshake is complete,
-just closing the connection by sending a close_notify is more appropriate.
-This alert should be followed by a close_notify.
-This message is generally a warning.
-.It \(dqNR\(dq/\(dqno renegotiation\(dq
-Sent by the client in response to a hello request or by the server in response
-to a client hello after initial handshaking.
-Either of these would normally lead to renegotiation; when that is not
-appropriate, the recipient should respond with this alert; at that point,
-the original requester can decide whether to proceed with the connection.
-One case where this would be appropriate would be where a server has spawned a
-process to satisfy a request; the process might receive security parameters
-(key length, authentication, etc.) at startup and it might be difficult to
-communicate changes to these parameters after that point.
-This message is always a warning.
-.It \(dqUP\(dq/\(dqunknown PSK identity\(dq
-Sent by the server to indicate that it does not recognize a PSK identity or an
-SRP identity.
-.It \(dqCQ\(dq/\(dqcertificate required\(dq
-Sent by servers when a client certificate is desired but none was provided
-by the client.
-.It \(dqAP\(dq/\(dqno application protocol\(dq
-Sent by servers when a client ALPN extension advertises only protocols that
-the server does not support (see RFC 7301).
-.It \(dqUK\(dq/\(dqunknown\(dq
-This indicates that no description is available for this alert type.
-Probably
-.Fa value
-does not contain a correct alert message.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_info_callback 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.0
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_clear.3 b/src/lib/libssl/man/SSL_clear.3
deleted file mode 100644
index 809c3b20f4..0000000000
--- a/src/lib/libssl/man/SSL_clear.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\"     $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2011, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 11 2021 $
-.Dt SSL_CLEAR 3
-.Os
-.Sh NAME
-.Nm SSL_clear
-.Nd reset SSL object to allow another connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_clear "SSL *ssl"
-.Sh DESCRIPTION
-Reset
-.Fa ssl
-to allow another connection.
-All settings (method, ciphers, BIOs) are kept.
-.Pp
-.Fn SSL_clear
-is used to prepare an
-.Vt SSL
-object for a new connection.
-While all settings are kept,
-a side effect is the handling of the current SSL session.
-If a session is still
-.Em open ,
-it is considered bad and will be removed from the session cache,
-as required by RFC 2246.
-A session is considered open if
-.Xr SSL_shutdown 3
-was not called for the connection or at least
-.Xr SSL_set_shutdown 3
-was used to
-set the
-.Dv SSL_SENT_SHUTDOWN
-state.
-.Pp
-If a session was closed cleanly,
-the session object will be kept and all settings corresponding.
-This explicitly means that for example the special method used during the
-session will be kept for the next handshake.
-So if the session was a TLSv1 session, a
-.Vt SSL
-client object will use a TLSv1 client method for the next handshake and a
-.Vt SSL
-server object will use a TLSv1 server method, even if
-.Fn TLS_*_method Ns s
-were chosen on startup.
-This might lead to connection failures (see
-.Xr SSL_new 3 )
-for a description of the method's properties.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The
-.Fn SSL_clear
-operation could not be performed.
-Check the error stack to find out the reason.
-.It 1
-The
-.Fn SSL_clear
-operation was successful.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_clear
-first appeared in SSLeay 0.4.5b and has been available since
-.Ox 2.4 .
-.Sh CAVEATS
-.Fn SSL_clear
-resets the
-.Vt SSL
-object to allow for another connection.
-The reset operation however keeps several settings of the last sessions
-(some of these settings were made automatically during the last handshake).
-It only makes sense for a new connection with the exact same peer that shares
-these settings,
-and may fail if that peer changes its settings between connections.
-Use the sequence
-.Xr SSL_get_session 3 ;
-.Xr SSL_new 3 ;
-.Xr SSL_set_session 3 ;
-.Xr SSL_free 3
-instead to avoid such failures (or simply
-.Xr SSL_free 3 ;
-.Xr SSL_new 3
-if session reuse is not desired).
diff --git a/src/lib/libssl/man/SSL_connect.3 b/src/lib/libssl/man/SSL_connect.3
deleted file mode 100644
index d5b962a480..0000000000
--- a/src/lib/libssl/man/SSL_connect.3
+++ /dev/null
@@ -1,154 +0,0 @@
-.\"     $OpenBSD: SSL_connect.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2003 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CONNECT 3
-.Os
-.Sh NAME
-.Nm SSL_connect
-.Nd initiate the TLS/SSL handshake with a TLS/SSL server
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_connect "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_connect
-initiates the TLS/SSL handshake with a server.
-The communication channel must already have been set and assigned to the
-.Fa ssl
-by setting an underlying
-.Vt BIO .
-.Pp
-The behaviour of
-.Fn SSL_connect
-depends on the underlying
-.Vt BIO .
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-.Fn SSL_connect
-will only return once the handshake has been finished or an error occurred.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-.Fn SSL_connect
-will also return when the underlying
-.Vt BIO
-could not satisfy the needs of
-.Fn SSL_connect
-to continue the handshake, indicating the problem with the return value \(mi1.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of
-.Fn SSL_connect
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of
-.Fn SSL_connect .
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The TLS/SSL handshake was not successful but was shut down controlled and
-by the specifications of the TLS/SSL protocol.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.It 1
-The TLS/SSL handshake was successfully completed,
-and a TLS/SSL connection has been established.
-.It <0
-The TLS/SSL handshake was not successful, because either a fatal error occurred
-at the protocol level or a connection failure occurred.
-The shutdown was not clean.
-It can also occur if action is needed to continue the operation for
-non-blocking
-.Vt BIO Ns s .
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_connect
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_copy_session_id.3 b/src/lib/libssl/man/SSL_copy_session_id.3
deleted file mode 100644
index a7a7a8aa99..0000000000
--- a/src/lib/libssl/man/SSL_copy_session_id.3
+++ /dev/null
@@ -1,79 +0,0 @@
-.\" $OpenBSD: SSL_copy_session_id.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_COPY_SESSION_ID 3
-.Os
-.Sh NAME
-.Nm SSL_copy_session_id
-.Nd copy session details between SSL objects
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_copy_session_id
-.Fa "SSL *to"
-.Fa "const SSL *from"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_copy_session_id
-copies the following data from
-.Fa from
-to
-.Fa to :
-.Bl -dash
-.It
-the pointer to the
-.Vt SSL_SESSION
-object, incrementing its reference count by 1
-.It
-the pointer to the
-.Vt SSL_METHOD
-object; if that changes the method, protocol-specific data is
-reinitialized
-.It
-the pointer to the
-.Vt CERT
-object, incrementing its reference count by 1
-.It
-the session ID context
-.El
-.Pp
-This function is used internally by
-.Xr SSL_dup 3
-and by
-.Xr BIO_ssl_copy_session_id 3 .
-.Sh RETURN VALUES
-.Fn SSL_copy_session_id
-returns 1 on success and 0 on error.
-.Sh SEE ALSO
-.Xr BIO_ssl_copy_session_id 3 ,
-.Xr ssl 3 ,
-.Xr SSL_dup 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_new 3 ,
-.Xr SSL_set_session 3 ,
-.Xr SSL_set_session_id_context 3
-.Sh HISTORY
-.Fn SSL_copy_session_id
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Sh BUGS
-Failures of
-.Xr CRYPTO_add 3
-are silently ignored and may leave
-.Fa to
-in an invalid or inconsistent state.
diff --git a/src/lib/libssl/man/SSL_do_handshake.3 b/src/lib/libssl/man/SSL_do_handshake.3
deleted file mode 100644
index e9327b4229..0000000000
--- a/src/lib/libssl/man/SSL_do_handshake.3
+++ /dev/null
@@ -1,152 +0,0 @@
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Martin Sjoegren <martin@strakt.com>.
-.\" Copyright (c) 2002 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_DO_HANDSHAKE 3
-.Os
-.Sh NAME
-.Nm SSL_do_handshake
-.Nd perform a TLS/SSL handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_do_handshake "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_do_handshake
-will wait for a SSL/TLS handshake to take place.
-If the connection is in client mode, the handshake will be started.
-The handshake routines may have to be explicitly set in advance using either
-.Xr SSL_set_connect_state 3
-or
-.Xr SSL_set_accept_state 3 .
-.Pp
-The behaviour of
-.Fn SSL_do_handshake
-depends on the underlying
-.Vt BIO .
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-.Fn SSL_do_handshake
-will only return once the handshake has been finished or an error occurred.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-.Fn SSL_do_handshake
-will also return when the underlying
-.Vt BIO
-could not satisfy the needs of
-.Fn SSL_do_handshake
-to continue the handshake.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of
-.Fn SSL_do_handshake
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of
-.Fn SSL_do_handshake .
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The TLS/SSL handshake was not successful but was shut down controlled and
-by the specifications of the TLS/SSL protocol.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.It 1
-The TLS/SSL handshake was successfully completed,
-and a TLS/SSL connection has been established.
-.It <0
-The TLS/SSL handshake was not successful because either a fatal error occurred
-at the protocol level or a connection failure occurred.
-The shutdown was not clean.
-It can also occur if action is needed to continue the operation for
-non-blocking
-.Vt BIO Ns s .
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_do_handshake
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_dup.3 b/src/lib/libssl/man/SSL_dup.3
deleted file mode 100644
index a83440b431..0000000000
--- a/src/lib/libssl/man/SSL_dup.3
+++ /dev/null
@@ -1,62 +0,0 @@
-.\" $OpenBSD: SSL_dup.3,v 1.5 2022/07/13 22:05:53 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt SSL_DUP 3
-.Os
-.Sh NAME
-.Nm SSL_dup
-.Nd deep copy of an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL *
-.Fo SSL_dup
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_dup
-constructs a new
-.Vt SSL
-object in the same context as
-.Fa ssl
-and copies much of the contained data from
-.Fa ssl
-to the new
-.Vt SSL
-object, but many fields, for example tlsext data, are not copied.
-.Pp
-As an exception from deep copying, if a session is already established,
-the new object shares
-.Fa ssl->cert
-with the original object.
-.Sh RETURN VALUES
-.Fn SSL_dup
-returns the new
-.Vt SSL
-object or
-.Dv NULL
-on failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_copy_session_id 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_security_level 3
-.Sh HISTORY
-.Fn SSL_dup
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_dup_CA_list.3 b/src/lib/libssl/man/SSL_dup_CA_list.3
deleted file mode 100644
index d073b07176..0000000000
--- a/src/lib/libssl/man/SSL_dup_CA_list.3
+++ /dev/null
@@ -1,54 +0,0 @@
-.\" $OpenBSD: SSL_dup_CA_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_DUP_CA_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_dup_CA_list
-.Nd deep copy of a stack of X.509 Name objects
-.\" The capital "N" in "Name" is intentional (X.509 syntax).
-.Sh SYNOPSIS
-.Ft STACK_OF(X509_NAME) *
-.Fo SSL_dup_CA_list
-.Fa "const STACK_OF(X509_NAME) *sk"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_dup_CA_list
-constructs a new
-.Vt STACK_OF(X509_NAME)
-object and places copies of all the
-.Vt X509_NAME
-objects found on
-.Fa sk
-on it.
-.Sh RETURN VALUES
-.Fn SSL_dup_CA_list
-returns the new
-.Vt STACK_OF(X509_NAME)
-or
-.Dv NULL
-on failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_get_client_CA_list 3 ,
-.Xr SSL_load_client_CA_file 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn SSL_dup_CA_list
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3
deleted file mode 100644
index e32a5c5d61..0000000000
--- a/src/lib/libssl/man/SSL_export_keying_material.3
+++ /dev/null
@@ -1,133 +0,0 @@
-.\"     $OpenBSD: SSL_export_keying_material.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL a599574b Jun 28 17:18:27 2017 +0100
-.\"     OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_EXPORT_KEYING_MATERIAL 3
-.Os
-.Sh NAME
-.Nm SSL_export_keying_material
-.Nd obtain keying material for application use
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_export_keying_material
-.Fa "SSL *s"
-.Fa "unsigned char *out"
-.Fa "size_t olen"
-.Fa "const char *label"
-.Fa "size_t llen"
-.Fa "const unsigned char *context"
-.Fa "size_t contextlen"
-.Fa "int use_context"
-.Fc
-.Sh DESCRIPTION
-During the creation of a TLS or DTLS connection,
-shared keying material is established between the two endpoints.
-The function
-.Fn SSL_export_keying_material
-enables an application to use some of this keying material
-for its own purposes in accordance with RFC 5705.
-.Pp
-An application may need to securely establish the context
-within which this keying material will be used.
-For example, this may include identifiers for the application session,
-application algorithms or parameters, or the lifetime of the context.
-The context value is left to the application but must be the same on
-both sides of the communication.
-.Pp
-For a given SSL connection
-.Fa s ,
-.Fa olen
-bytes of data will be written to
-.Fa out .
-The application specific context should be supplied
-in the location pointed to by
-.Fa context
-and should be
-.Fa contextlen
-bytes long.
-Provision of a context is optional.
-If the context should be omitted entirely, then
-.Fa use_context
-should be set to 0.
-Otherwise it should be any other value.
-If
-.Fa use_context
-is 0, then the values of
-.Fa context
-and
-.Fa contextlen
-are ignored.
-.Pp
-In TLSv1.2 and below, a zero length context is treated differently
-from no context at all, and will result in different keying material
-being returned.
-.Pp
-An application specific label should be provided in the location pointed
-to by
-.Fa label
-and should be
-.Fa llen
-bytes long.
-Typically this will be a value from the
-.Lk https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels "IANA Exporter Label Registry" .
-.Pp
-Alternatively, labels beginning with "EXPERIMENTAL" are permitted by the
-standard to be used without registration.
-.Sh RETURN VALUES
-.Fn SSL_export_keying_material
-returns 1 on success or 0 or -1 on failure.
-.Sh SEE ALSO
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_export_keying_material
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_free.3 b/src/lib/libssl/man/SSL_free.3
deleted file mode 100644
index c713ded121..0000000000
--- a/src/lib/libssl/man/SSL_free.3
+++ /dev/null
@@ -1,115 +0,0 @@
-.\"     $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 11 2021 $
-.Dt SSL_FREE 3
-.Os
-.Sh NAME
-.Nm SSL_free
-.Nd free an allocated SSL structure
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_free "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_free
-decrements the reference count of
-.Fa ssl ,
-and removes the
-.Vt SSL
-structure pointed to by
-.Fa ssl
-and frees up the allocated memory if the reference count has reached 0.
-If
-.Fa ssl
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn SSL_free
-also calls the
-.Xr free 3 Ns
-ing procedures for indirectly affected items, if applicable: the buffering
-.Vt BIO ,
-the read and write
-.Vt BIOs ,
-cipher lists specially created for this
-.Fa ssl ,
-the
-.Sy SSL_SESSION .
-Do not explicitly free these indirectly freed up items before or after calling
-.Fn SSL_free ,
-as trying to free things twice may lead to program failure.
-.Pp
-The
-.Fa ssl
-session has reference counts from two users: the
-.Vt SSL
-object, for which the reference count is removed by
-.Fn SSL_free
-and the internal session cache.
-If the session is considered bad, because
-.Xr SSL_shutdown 3
-was not called for the connection and
-.Xr SSL_set_shutdown 3
-was not used to set the
-.Vt SSL_SENT_SHUTDOWN
-state, the session will also be removed from the session cache as required by
-RFC 2246.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_free
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_SSL_CTX.3 b/src/lib/libssl/man/SSL_get_SSL_CTX.3
deleted file mode 100644
index 60fda555bc..0000000000
--- a/src/lib/libssl/man/SSL_get_SSL_CTX.3
+++ /dev/null
@@ -1,79 +0,0 @@
-.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_SSL_CTX 3
-.Os
-.Sh NAME
-.Nm SSL_get_SSL_CTX
-.Nd get the SSL_CTX from which an SSL is created
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_CTX *
-.Fn SSL_get_SSL_CTX "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_SSL_CTX
-returns a pointer to the
-.Vt SSL_CTX
-object from which
-.Fa ssl
-was created with
-.Xr SSL_new 3 .
-.Sh RETURN VALUES
-The pointer to the
-.Vt SSL_CTX
-object is returned.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_get_SSL_CTX
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_certificate.3 b/src/lib/libssl/man/SSL_get_certificate.3
deleted file mode 100644
index eb53ea49bf..0000000000
--- a/src/lib/libssl/man/SSL_get_certificate.3
+++ /dev/null
@@ -1,64 +0,0 @@
-.\" $OpenBSD: SSL_get_certificate.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_GET_CERTIFICATE 3
-.Os
-.Sh NAME
-.Nm SSL_get_certificate ,
-.Nm SSL_get_privatekey
-.Nd get SSL certificate and private key
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft X509 *
-.Fo SSL_get_certificate
-.Fa "const SSL *ssl"
-.Fc
-.Ft EVP_PKEY *
-.Fo SSL_get_privatekey
-.Fa "const SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-These functions retrieve certificate and key data from an
-.Vt SSL
-object.
-They return internal pointers that must not be freed by the application
-program.
-.Sh RETURN VALUES
-.Fn SSL_get_certificate
-returns the active X.509 certificate currently used by
-.Fa ssl
-or
-.Dv NULL
-if none is active.
-.Pp
-.Fn SSL_get_privatekey
-returns the active private key currently used by
-.Fa ssl
-or
-.Dv NULL
-if none is active.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_check_private_key 3 ,
-.Xr SSL_use_certificate 3
-.Sh HISTORY
-.Fn SSL_get_certificate
-first appeared in SSLeay 0.5.2a.
-.Fn SSL_get_privatekey
-first appeared in SSLeay 0.8.0.
-Both functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3
deleted file mode 100644
index 8030f0bbb1..0000000000
--- a/src/lib/libssl/man/SSL_get_ciphers.3
+++ /dev/null
@@ -1,249 +0,0 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>,
-.\" Nick Mathewson <nickm@torproject.org>, Kurt Roeckx <kurt@roeckx.be>,
-.\" Kazuki Yamaguchi <k@rhe.jp>, and Benjamin Kaduk <bkaduk@akamai.com>.
-.\" Copyright (c) 2000, 2005, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 16 2020 $
-.Dt SSL_GET_CIPHERS 3
-.Os
-.Sh NAME
-.Nm SSL_get_ciphers ,
-.Nm SSL_CTX_get_ciphers ,
-.Nm SSL_get1_supported_ciphers ,
-.Nm SSL_get_client_ciphers ,
-.Nm SSL_get_cipher_list
-.Nd get lists of available SSL_CIPHERs
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(SSL_CIPHER) *
-.Fn SSL_get_ciphers "const SSL *ssl"
-.Ft STACK_OF(SSL_CIPHER) *
-.Fn SSL_CTX_get_ciphers "const SSL_CTX *ctx"
-.Ft STACK_OF(SSL_CIPHER) *
-.Fn SSL_get1_supported_ciphers "SSL *ssl"
-.Ft STACK_OF(SSL_CIPHER) *
-.Fn SSL_get_client_ciphers "const SSL *ssl"
-.Ft const char *
-.Fn SSL_get_cipher_list "const SSL *ssl" "int priority"
-.Sh DESCRIPTION
-.Fn SSL_get_ciphers
-returns the stack of available
-.Vt SSL_CIPHER Ns s
-for
-.Fa ssl ,
-sorted by preference.
-.Pp
-.Fn SSL_CTX_get_ciphers
-returns the stack of available
-.Vt SSL_CIPHER Ns s
-for
-.Fa ctx .
-.Pp
-.Fn SSL_get1_supported_ciphers
-returns a stack of enabled
-.Vt SSL_CIPHER Ns s
-for
-.Fa ssl
-as it would be sent in a ClientHello, sorted by preference.
-The list depends on settings like the cipher list, the supported
-protocol versions, the security level, and the enabled signature
-algorithms.
-The list of ciphers that would be sent in a ClientHello can differ
-from the list of ciphers that would be acceptable when acting as a
-server.
-For example,
-additional ciphers may be usable by a server if there is a gap in the
-list of supported protocols, and some ciphers may not be usable by a
-server if there is not a suitable certificate configured.
-.Pp
-.Fn SSL_get_client_ciphers
-returns the stack of available
-.Vt SSL_CIPHER Ns s
-matching the list received from the client on
-.Fa ssl .
-.Pp
-The details of the ciphers obtained by
-.Fn SSL_get_ciphers ,
-.Fn SSL_CTX_get_ciphers ,
-.Fn SSL_get1_supported_ciphers ,
-and
-.Fn SSL_get_client_ciphers
-can be obtained using the
-.Xr SSL_CIPHER_get_name 3
-family of functions.
-.Pp
-.Fn SSL_get_cipher_list
-is deprecated \(em use
-.Fn SSL_get_ciphers
-instead \(em and badly misnamed; it does not return a list
-but the name of one element of the return value of
-.Fn SSL_get_ciphers ,
-with the index given by the
-.Fa priority
-argument.
-Passing 0 selects the cipher with the highest priority.
-To iterate over all available ciphers in decreasing priority,
-repeatedly increment the argument by 1 until
-.Dv NULL
-is returned.
-.Sh RETURN VALUES
-.Fn SSL_get_ciphers
-returns an internal pointer to a list of ciphers or
-.Dv NULL
-if
-.Fa ssl
-is
-.Dv NULL
-or if no ciphers are available.
-The returned pointer may not only become invalid when
-.Fa ssl
-is destroyed or when
-.Xr SSL_set_cipher_list 3
-is called on it, but also when the
-.Vt SSL_CTX
-object in use by
-.Fa ssl
-at the time of the call is freed or when
-.Xr SSL_CTX_set_cipher_list 3
-is called on that context object.
-.Pp
-.Fn SSL_CTX_get_ciphers
-returns an internal pointer to a list of ciphers or
-.Dv NULL
-if
-.Fa ctx
-is
-.Dv NULL
-or if no ciphers are available.
-The returned pointer becomes invalid when
-.Fa ctx
-is destroyed or when
-.Xr SSL_CTX_set_cipher_list 3
-is called on it.
-.Pp
-.Fn SSL_get1_supported_ciphers
-returns a newly allocated list of ciphers or
-.Dv NULL
-if
-.Fa ssl
-is
-.Dv NULL ,
-if no ciphers are available, or if an error occurs.
-When the returned pointer is no longer needed, the caller is
-responsible for freeing it using
-.Fn sk_SSL_CIPHER_free .
-.Pp
-.Fn SSL_get_client_ciphers
-returns an internal pointer to a list of ciphers or
-.Dv NULL
-if
-.Fa ssl
-is
-.Dv NULL ,
-has no active session,
-or is not operating in server mode.
-The returned pointer becomes invalid when the
-.Vt SSL_SESSION
-object is destroyed, even if the
-.Fa ssl
-object remains valid.
-It may also become invalid in other circumstances,
-for example when processing a new ClientHello.
-.Pp
-.Fn SSL_get_cipher_list
-returns an internal pointer to a string or
-.Dv NULL
-if
-.Fa ssl
-is
-.Dv NULL ,
-if no ciphers are available, or if
-.Fa priority
-is greater than or equal to the number of available ciphers.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CIPHER_get_name 3 ,
-.Xr SSL_CTX_set_cipher_list 3
-.Sh HISTORY
-.Fn SSL_get_cipher_list
-first appeared in SSLeay 0.5.2.
-.Fn SSL_get_ciphers
-first appeared in SSLeay 0.8.0.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_get_ciphers
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Pp
-.Fn SSL_get1_supported_ciphers
-and
-.Fn SSL_get_client_ciphers
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.5 .
diff --git a/src/lib/libssl/man/SSL_get_client_CA_list.3 b/src/lib/libssl/man/SSL_get_client_CA_list.3
deleted file mode 100644
index e80e5cb6f5..0000000000
--- a/src/lib/libssl/man/SSL_get_client_CA_list.3
+++ /dev/null
@@ -1,96 +0,0 @@
-.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2005 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_CLIENT_CA_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_get_client_CA_list ,
-.Nm SSL_CTX_get_client_CA_list
-.Nd get list of client CAs
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(X509_NAME) *
-.Fn SSL_get_client_CA_list "const SSL *s"
-.Ft STACK_OF(X509_NAME) *
-.Fn SSL_CTX_get_client_CA_list "const SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_get_client_CA_list
-returns the list of client CAs explicitly set for
-.Fa ctx
-using
-.Xr SSL_CTX_set_client_CA_list 3 .
-.Pp
-.Fn SSL_get_client_CA_list
-returns the list of client CAs explicitly set for
-.Fa ssl
-using
-.Fn SSL_set_client_CA_list
-or
-.Fa ssl Ns 's
-.Vt SSL_CTX
-object with
-.Xr SSL_CTX_set_client_CA_list 3 ,
-when in server mode.
-In client mode,
-.Fn SSL_get_client_CA_list
-returns the list of client CAs sent from the server, if any.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn SSL_get_client_CA_list
-and
-.Fn SSL_CTX_get_client_CA_list
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_client_random.3 b/src/lib/libssl/man/SSL_get_client_random.3
deleted file mode 100644
index eda74db355..0000000000
--- a/src/lib/libssl/man/SSL_get_client_random.3
+++ /dev/null
@@ -1,150 +0,0 @@
-.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Nick Mathewson <nickm@torproject.org>
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_GET_CLIENT_RANDOM 3
-.Os
-.Sh NAME
-.Nm SSL_get_client_random ,
-.Nm SSL_get_server_random ,
-.Nm SSL_SESSION_get_master_key
-.Nd get internal TLS handshake random values and master key
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft size_t
-.Fo SSL_get_client_random
-.Fa "const SSL *ssl"
-.Fa "unsigned char *out"
-.Fa "size_t outlen"
-.Fc
-.Ft size_t
-.Fo SSL_get_server_random
-.Fa "const SSL *ssl"
-.Fa "unsigned char *out"
-.Fa "size_t outlen"
-.Fc
-.Ft size_t
-.Fo SSL_SESSION_get_master_key
-.Fa "const SSL_SESSION *session"
-.Fa "unsigned char *out"
-.Fa "size_t outlen"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_get_client_random
-extracts the random value that was sent from the client to the server
-during the initial TLS handshake.
-It copies at most
-.Fa outlen
-bytes of this value into the buffer
-.Fa out .
-If
-.Fa outlen
-is zero, nothing is copied.
-.Pp
-.Fn SSL_get_server_random
-behaves the same, but extracts the random value that was sent
-from the server to the client during the initial TLS handshake.
-.Pp
-.Fn SSL_SESSION_get_master_key
-behaves the same, but extracts the master secret used to guarantee the
-security of the TLS session.
-The security of the TLS session depends on keeping the master key
-secret: do not expose it, or any information about it, to anybody.
-To calculate another secret value that depends on the master secret,
-use
-.Xr SSL_export_keying_material 3
-instead.
-.Pp
-All these functions expose internal values from the TLS handshake,
-for use in low-level protocols.
-Avoid using them unless implementing a feature
-that requires access to the internal protocol details.
-.Pp
-Despite the names of
-.Fn SSL_get_client_random
-and
-.Fn SSL_get_server_random ,
-they are not random number generators.
-Instead, they return the mostly-random values that were already
-generated and used in the TLS protocol.
-.Pp
-In current versions of the TLS protocols,
-the length of client_random and server_random is always
-.Dv SSL3_RANDOM_SIZE
-bytes.
-Support for other
-.Fa outlen
-arguments is provided for the unlikely event that a future
-version or variant of TLS uses some other length.
-.Pp
-Finally, though the client_random and server_random values are called
-.Dq random ,
-many TLS implementations generate four bytes of those values
-based on their view of the current time.
-.Sh RETURN VALUES
-If
-.Fa outlen
-is greater than 0, these functions return the number of bytes
-actually copied, which is less than or equal to
-.Fa outlen .
-If
-.Fa outlen
-is 0, these functions return the maximum number of bytes they would
-copy \(em that is, the length of the underlying field.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_export_keying_material 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_get_current_cipher.3 b/src/lib/libssl/man/SSL_get_current_cipher.3
deleted file mode 100644
index 6b951d03ca..0000000000
--- a/src/lib/libssl/man/SSL_get_current_cipher.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2005, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_CURRENT_CIPHER 3
-.Os
-.Sh NAME
-.Nm SSL_get_current_cipher ,
-.Nm SSL_get_cipher ,
-.Nm SSL_get_cipher_name ,
-.Nm  SSL_get_cipher_bits ,
-.Nm SSL_get_cipher_version
-.Nd get SSL_CIPHER of a connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const SSL_CIPHER *
-.Fn SSL_get_current_cipher "const SSL *ssl"
-.Ft const char *
-.Fn SSL_get_cipher "const SSL *ssl"
-.Ft const char *
-.Fn SSL_get_cipher_name "const SSL *ssl"
-.Ft int
-.Fn SSL_get_cipher_bits "const SSL *ssl" "int *np"
-.Ft char *
-.Fn SSL_get_cipher_version "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_current_cipher
-returns a pointer to an
-.Vt SSL_CIPHER
-object containing the description of the actually used cipher of a connection
-established with the
-.Fa ssl
-object.
-See
-.Xr SSL_CIPHER_get_name 3
-for more details.
-.Pp
-.Fn SSL_get_cipher_name
-obtains the name of the currently used cipher.
-.Fn SSL_get_cipher
-is identical to
-.Fn SSL_get_cipher_name .
-.Pp
-.Fn SSL_get_cipher_bits
-obtains the number of secret/algorithm bits used and
-.Fn SSL_get_cipher_version
-returns the protocol name.
-.Pp
-.Fn SSL_get_cipher ,
-.Fn SSL_get_cipher_name ,
-.Fn SSL_get_cipher_bits ,
-and
-.Fn SSL_get_cipher_version
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn SSL_get_current_cipher
-returns the cipher actually used, or
-.Dv NULL
-if no session has been established.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CIPHER_get_name 3
-.Sh HISTORY
-.Fn SSL_get_cipher
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_get_cipher_bits
-first appeared in SSLeay 0.6.4.
-.Fn SSL_get_cipher_name
-and
-.Fn SSL_get_cipher_version
-first appeared in SSLeay 0.8.0.
-.Fn SSL_get_current_cipher
-first appeared in SSLeay 0.8.1.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_default_timeout.3 b/src/lib/libssl/man/SSL_get_default_timeout.3
deleted file mode 100644
index 47737d8ee0..0000000000
--- a/src/lib/libssl/man/SSL_get_default_timeout.3
+++ /dev/null
@@ -1,85 +0,0 @@
-.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_DEFAULT_TIMEOUT 3
-.Os
-.Sh NAME
-.Nm SSL_get_default_timeout
-.Nd get default session timeout value
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_get_default_timeout "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_default_timeout
-returns the default timeout value assigned to
-.Vt SSL_SESSION
-objects negotiated for the protocol valid for
-.Fa ssl .
-.Pp
-Whenever a new session is negotiated, it is assigned a timeout value,
-after which it will not be accepted for session reuse.
-If the timeout value was not explicitly set using
-.Xr SSL_CTX_set_timeout 3 ,
-the hardcoded default timeout for the protocol will be used.
-.Pp
-.Fn SSL_get_default_timeout
-return this hardcoded value, which is 300 seconds for all currently supported
-protocols (SSLv2, SSLv3, and TLSv1).
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_SESSION_get_time 3
-.Sh HISTORY
-.Fn SSL_get_default_timeout
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_error.3 b/src/lib/libssl/man/SSL_get_error.3
deleted file mode 100644
index 5d325b3f56..0000000000
--- a/src/lib/libssl/man/SSL_get_error.3
+++ /dev/null
@@ -1,217 +0,0 @@
-.\"     $OpenBSD: SSL_get_error.3,v 1.5 2018/04/29 07:37:01 guenther Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Bodo Moeller <bodo@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 29 2018 $
-.Dt SSL_GET_ERROR 3
-.Os
-.Sh NAME
-.Nm SSL_get_error
-.Nd obtain result code for TLS/SSL I/O operation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_get_error "const SSL *ssl" "int ret"
-.Sh DESCRIPTION
-.Fn SSL_get_error
-returns a result code (suitable for the C
-.Dq switch
-statement) for a preceding call to
-.Xr SSL_connect 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_peek 3 ,
-or
-.Xr SSL_write 3
-on
-.Fa ssl .
-The value returned by that TLS/SSL I/O function must be passed to
-.Fn SSL_get_error
-in parameter
-.Fa ret .
-.Pp
-In addition to
-.Fa ssl
-and
-.Fa ret ,
-.Fn SSL_get_error
-inspects the current thread's OpenSSL error queue.
-Thus,
-.Fn SSL_get_error
-must be used in the same thread that performed the TLS/SSL I/O operation,
-and no other OpenSSL function calls should appear in between.
-The current thread's error queue must be empty before the TLS/SSL I/O operation
-is attempted, or
-.Fn SSL_get_error
-will not work reliably.
-.Sh RETURN VALUES
-The following return values can currently occur:
-.Bl -tag -width Ds
-.It Dv SSL_ERROR_NONE
-The TLS/SSL I/O operation completed.
-This result code is returned if and only if
-.Fa ret
-> 0.
-.It Dv SSL_ERROR_ZERO_RETURN
-The TLS/SSL connection has been closed.
-If the protocol version is SSL 3.0 or TLS 1.0, this result code is returned
-only if a closure alert has occurred in the protocol, i.e., if the connection
-has been closed cleanly.
-Note that in this case
-.Dv SSL_ERROR_ZERO_RETURN
-does not necessarily indicate that the underlying transport has been closed.
-.It Dv SSL_ERROR_WANT_READ , Dv SSL_ERROR_WANT_WRITE
-The operation did not complete;
-the same TLS/SSL I/O function should be called again later.
-If, by then, the underlying
-.Vt BIO
-has data available for reading (if the result code is
-.Dv SSL_ERROR_WANT_READ )
-or allows writing data
-.Pq Dv SSL_ERROR_WANT_WRITE ,
-then some TLS/SSL protocol progress will take place,
-i.e., at least part of a TLS/SSL record will be read or written.
-Note that the retry may again lead to a
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-condition.
-There is no fixed upper limit for the number of iterations that may be
-necessary until progress becomes visible at application protocol level.
-.Pp
-For socket
-.Fa BIO Ns
-s (e.g., when
-.Fn SSL_set_fd
-was used),
-.Xr select 2
-or
-.Xr poll 2
-on the underlying socket can be used to find out when the TLS/SSL I/O function
-should be retried.
-.Pp
-Caveat: Any TLS/SSL I/O function can lead to either of
-.Dv SSL_ERROR_WANT_READ
-and
-.Dv SSL_ERROR_WANT_WRITE .
-In particular,
-.Xr SSL_read 3
-or
-.Xr SSL_peek 3
-may want to write data and
-.Xr SSL_write 3
-may want
-to read data.
-This is mainly because TLS/SSL handshakes may occur at any time during the
-protocol (initiated by either the client or the server);
-.Xr SSL_read 3 ,
-.Xr SSL_peek 3 ,
-and
-.Xr SSL_write 3
-will handle any pending handshakes.
-.It Dv SSL_ERROR_WANT_CONNECT , Dv SSL_ERROR_WANT_ACCEPT
-The operation did not complete; the same TLS/SSL I/O function should be
-called again later.
-The underlying BIO was not connected yet to the peer and the call would block
-in
-.Xr connect 2 Ns / Ns
-.Xr accept 2 .
-The SSL function should be
-called again when the connection is established.
-These messages can only appear with a
-.Xr BIO_s_connect 3
-or
-.Xr BIO_s_accept 3
-.Vt BIO ,
-respectively.
-In order to find out when the connection has been successfully established,
-on many platforms
-.Xr select 2
-or
-.Xr poll 2
-for writing on the socket file descriptor can be used.
-.It Dv SSL_ERROR_WANT_X509_LOOKUP
-The operation did not complete because an application callback set by
-.Xr SSL_CTX_set_client_cert_cb 3
-has asked to be called again.
-The TLS/SSL I/O function should be called again later.
-Details depend on the application.
-.It Dv SSL_ERROR_SYSCALL
-Some I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-If the error queue is empty (i.e.,
-.Fn ERR_get_error
-returns 0),
-.Fa ret
-can be used to find out more about the error:
-If
-.Fa ret
-== 0, an
-.Dv EOF
-was observed that violates the protocol.
-If
-.Fa ret
-== \(mi1, the underlying
-.Vt BIO
-reported an
-I/O error (for socket I/O on Unix systems, consult
-.Dv errno
-for details).
-.It Dv SSL_ERROR_SSL
-A failure in the SSL library occurred, usually a protocol error.
-The OpenSSL error queue contains more information on the error.
-.El
-.Sh SEE ALSO
-.Xr err 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_get_error
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
deleted file mode 100644
index a249cda6ac..0000000000
--- a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ /dev/null
@@ -1,116 +0,0 @@
-.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.5 2022/02/06 00:29:02 jsg Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: February 6 2022 $
-.Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
-.Os
-.Sh NAME
-.Nm SSL_get_ex_data_X509_STORE_CTX_idx
-.Nd get ex_data index to access SSL structure from X509_STORE_CTX
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx void
-.Sh DESCRIPTION
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-returns the index number under which the pointer to the
-.Vt SSL
-object is stored into the
-.Vt X509_STORE_CTX
-object.
-.Pp
-Whenever a
-.Vt X509_STORE_CTX
-object is created for the verification of the peer's certificate during a
-handshake, a pointer to the
-.Vt SSL
-object is stored into the
-.Vt X509_STORE_CTX
-object to identify the connection affected.
-To retrieve this pointer the
-.Xr X509_STORE_CTX_get_ex_data 3
-function can be used with the correct index.
-This index is globally the same for all
-.Vt X509_STORE_CTX
-objects and can be retrieved using
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx .
-The index value is set when
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-is first called either by the application program directly or indirectly during
-other SSL setup functions or during the handshake.
-.Pp
-The value depends on other index values defined for
-.Vt X509_STORE_CTX
-objects before the SSL index is created.
-.Sh RETURN VALUES
-.Bl -tag -width Ds
-.It \(>=0
-The index value to access the pointer.
-.It <0
-An error occurred, check the error stack for a detailed error message.
-.El
-.Sh EXAMPLES
-The index returned from
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-provides access to
-.Vt SSL
-object for the connection during the
-.Fn verify_callback
-when checking the peer's certificate.
-Check the example in
-.Xr SSL_CTX_set_verify 3 .
-.Sh SEE ALSO
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3
-.Sh HISTORY
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_get_ex_new_index.3 b/src/lib/libssl/man/SSL_get_ex_new_index.3
deleted file mode 100644
index cecd25fa44..0000000000
--- a/src/lib/libssl/man/SSL_get_ex_new_index.3
+++ /dev/null
@@ -1,136 +0,0 @@
-.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm SSL_get_ex_new_index ,
-.Nm SSL_set_ex_data ,
-.Nm SSL_get_ex_data
-.Nd internal application specific data functions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fn SSL_set_ex_data "SSL *ssl" "int idx" "void *arg"
-.Ft void *
-.Fn SSL_get_ex_data "const SSL *ssl" "int idx"
-.Bd -literal
-typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-               int idx, long argl, void *argp);
-typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
-               int idx, long argl, void *argp);
-typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
-               int idx, long argl, void *argp);
-.Ed
-.Sh DESCRIPTION
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-.Pp
-.Fn SSL_get_ex_new_index
-is used to register a new index for application specific data.
-.Pp
-.Fn SSL_set_ex_data
-is used to store application data at
-.Fa arg
-for
-.Fa idx
-into the
-.Fa ssl
-object.
-.Pp
-.Fn SSL_get_ex_data
-is used to retrieve the information for
-.Fa idx
-from
-.Fa ssl .
-.Pp
-A detailed description for the
-.Fn *_get_ex_new_index
-functionality can be found in
-.Xr RSA_get_ex_new_index 3 .
-The
-.Fn *_get_ex_data
-and
-.Fn *_set_ex_data
-functionality is described in
-.Xr CRYPTO_set_ex_data 3 .
-.Sh EXAMPLES
-An example of how to use the functionality is included in the example
-.Fn verify_callback
-in
-.Xr SSL_CTX_set_verify 3 .
-.Sh SEE ALSO
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3
-.Sh HISTORY
-Precursor functions
-.Fn SSL_set_app_data
-and
-.Fn SSL_get_app_data
-first appeared in SSLeay 0.6.1.
-.Pp
-.Fn SSL_get_ex_new_index ,
-.Fn SSL_set_ex_data ,
-and
-.Fn SSL_get_ex_data
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_fd.3 b/src/lib/libssl/man/SSL_get_fd.3
deleted file mode 100644
index 1e093424cb..0000000000
--- a/src/lib/libssl/man/SSL_get_fd.3
+++ /dev/null
@@ -1,103 +0,0 @@
-.\"     $OpenBSD: SSL_get_fd.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2005, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_FD 3
-.Os
-.Sh NAME
-.Nm SSL_get_fd ,
-.Nm SSL_get_rfd ,
-.Nm SSL_get_wfd
-.Nd get file descriptor linked to an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_get_fd "const SSL *ssl"
-.Ft int
-.Fn SSL_get_rfd "const SSL *ssl"
-.Ft int
-.Fn SSL_get_wfd "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_fd
-returns the file descriptor which is linked to
-.Fa ssl .
-.Fn SSL_get_rfd
-and
-.Fn SSL_get_wfd
-return the file descriptors for the read or the write channel,
-which can be different.
-If the read and the write channel are different,
-.Fn SSL_get_fd
-will return the file descriptor of the read channel.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It \(mi1
-The operation failed, because the underlying
-.Vt BIO
-is not of the correct type (suitable for file descriptors).
-.It \(>=0
-The file descriptor linked to
-.Fa ssl .
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_set_fd 3
-.Sh HISTORY
-.Fn SSL_get_fd
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_get_rfd
-and
-.Fn SSL_get_wfd
-first appeared in OpenSSL 0.9.6c and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libssl/man/SSL_get_finished.3 b/src/lib/libssl/man/SSL_get_finished.3
deleted file mode 100644
index 3cfb655ea0..0000000000
--- a/src/lib/libssl/man/SSL_get_finished.3
+++ /dev/null
@@ -1,77 +0,0 @@
-.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $
-.\"
-.\" Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 30 2021 $
-.Dt SSL_GET_FINISHED 3
-.Os
-.Sh NAME
-.Nm SSL_get_finished ,
-.Nm SSL_get_peer_finished
-.Nd get last sent or last expected finished message
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft size_t
-.Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count"
-.Ft size_t
-.Fn SSL_get_peer_finished "const SSL *ssl" "void *buf" "size_t count"
-.Sh DESCRIPTION
-.Fn SSL_get_finished
-and
-.Fn SSL_get_peer_finished
-copy
-.Fa count
-bytes from the last finished message sent to the peer
-or expected from the peer into the
-caller-provided buffer
-.Fa buf .
-.Pp
-The finished message is computed from a checksum of the handshake records
-exchanged with the peer.
-Its length depends on the ciphersuite in use and is at most
-.Dv EVP_MAX_MD_SIZE ,
-i.e., 64 bytes.
-.\" In TLSv1.3 the length is equal to the length of the hash algorithm
-.\" used by the hash-based message authentication code (HMAC),
-.\" which is currently either 32 bytes for SHA-256 or 48 bytes for SHA-384.
-.\" In TLSv1.2 the length defaults to 12 bytes, but it can explicitly be
-.\" specified by the ciphersuite to be longer.
-.\" In TLS versions 1.1 and 1.0, the finished message has a fixed length
-.\" of 12 bytes.
-.Sh RETURN VALUES
-.Fn SSL_get_finished
-and
-.Fn SSL_get_peer_finished
-return the number of bytes copied into
-.Fa buf .
-The return value is zero if the handshake has not reached the
-finished message.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_set_session 3
-.Sh STANDARDS
-RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3,
-section 4.4.4: Finished.
-.Pp
-RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2,
-section 7.4.9: Finished.
-.Sh HISTORY
-.Fn SSL_get_finished
-and
-.Fn SSL_get_peer_finished
-first appeared in SSLeay 0.9.5
-and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_get_peer_cert_chain.3 b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
deleted file mode 100644
index eb2ae53dc4..0000000000
--- a/src/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ /dev/null
@@ -1,107 +0,0 @@
-.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
-.\"     OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2005, 2014, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_PEER_CERT_CHAIN 3
-.Os
-.Sh NAME
-.Nm SSL_get_peer_cert_chain
-.Nd get the X509 certificate chain sent by the peer
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(X509) *
-.Fn SSL_get_peer_cert_chain "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_peer_cert_chain
-returns a pointer to
-.Dv STACK_OF Ns Po Vt X509 Pc
-certificates forming the certificate chain of the peer.
-If called on the client side, the stack also contains the peer's certificate;
-if called on the server side, the peer's certificate must be obtained
-separately using
-.Xr SSL_get_peer_certificate 3 .
-If the peer did not present a certificate,
-.Dv NULL
-is returned.
-.Pp
-.Fn SSL_get_peer_cert_chain
-returns the peer chain as sent by the peer: it only consists of
-certificates the peer has sent (in the order the peer has sent them)
-and it is not a verified chain.
-.Pp
-If the session is resumed, peers do not send certificates, so a
-.Dv NULL
-pointer is returned.
-Applications can call
-.Fn SSL_session_reused
-to determine whether a session is resumed.
-.Pp
-The reference count of the
-.Dv STACK_OF Ns Po Vt X509 Pc
-object is not incremented.
-If the corresponding session is freed, the pointer must not be used any longer.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-No certificate was presented by the peer or no connection was established or
-the certificate chain is no longer available when a session is reused.
-.It Pointer to a Dv STACK_OF Ns Po X509 Pc
-The return value points to the certificate chain presented by the peer.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_peer_certificate 3
-.Sh HISTORY
-.Fn SSL_get_peer_cert_chain
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_peer_certificate.3 b/src/lib/libssl/man/SSL_get_peer_certificate.3
deleted file mode 100644
index 99f9330288..0000000000
--- a/src/lib/libssl/man/SSL_get_peer_certificate.3
+++ /dev/null
@@ -1,105 +0,0 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.6 2021/06/26 17:36:28 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 26 2021 $
-.Dt SSL_GET_PEER_CERTIFICATE 3
-.Os
-.Sh NAME
-.Nm SSL_get_peer_certificate
-.Nd get the X509 certificate of the peer
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft X509 *
-.Fn SSL_get_peer_certificate "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_peer_certificate
-returns a pointer to the X509 certificate the peer presented.
-If the peer did not present a certificate,
-.Dv NULL
-is returned.
-.Pp
-Due to the protocol definition, a TLS/SSL server will always send a
-certificate, if present.
-A client will only send a certificate when explicitly requested to do so by the
-server (see
-.Xr SSL_CTX_set_verify 3 ) .
-If an anonymous cipher is used, no certificates are sent.
-.Pp
-That a certificate is returned does not indicate information about the
-verification state.
-Use
-.Xr SSL_get_verify_result 3
-to check the verification state.
-.Pp
-The reference count of the
-.Vt X509
-object is incremented by one, so that it will not be destroyed when the session
-containing the peer certificate is freed.
-The
-.Vt X509
-object must be explicitly freed using
-.Xr X509_free 3 .
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-No certificate was presented by the peer or no connection was established.
-.It Pointer to an X509 certificate
-The return value points to the certificate presented by the peer.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_get0_peername 3 ,
-.Xr SSL_get_verify_result 3
-.Sh HISTORY
-.Fn SSL_get_peer_certificate
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_rbio.3 b/src/lib/libssl/man/SSL_get_rbio.3
deleted file mode 100644
index 38096fbecf..0000000000
--- a/src/lib/libssl/man/SSL_get_rbio.3
+++ /dev/null
@@ -1,98 +0,0 @@
-.\"     $OpenBSD: SSL_get_rbio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_RBIO 3
-.Os
-.Sh NAME
-.Nm SSL_get_rbio ,
-.Nm SSL_get_wbio
-.Nd get BIO linked to an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft BIO *
-.Fn SSL_get_rbio "SSL *ssl"
-.Ft BIO *
-.Fn SSL_get_wbio "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_rbio
-and
-.Fn SSL_get_wbio
-return pointers to the
-.Vt BIO Ns s
-for the read or the write channel, which can be different.
-The reference count of the
-.Vt BIO
-is not incremented.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-No
-.Vt BIO
-was connected to the
-.Vt SSL
-object.
-.It Any other pointer
-The
-.Vt BIO
-linked to
-.Fa ssl .
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_set_bio 3
-.Sh HISTORY
-.Fn SSL_get_rbio
-and
-.Fn SSL_get_wbio
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_server_tmp_key.3 b/src/lib/libssl/man/SSL_get_server_tmp_key.3
deleted file mode 100644
index aeeb358240..0000000000
--- a/src/lib/libssl/man/SSL_get_server_tmp_key.3
+++ /dev/null
@@ -1,89 +0,0 @@
-.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_GET_SERVER_TMP_KEY 3
-.Os
-.Sh NAME
-.Nm SSL_get_server_tmp_key
-.Nd temporary server key during a handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_get_server_tmp_key
-.Fa "SSL *ssl"
-.Fa "EVP_PKEY **key"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_get_server_tmp_key
-retrieves the temporary key provided by the server
-and used during key exchange.
-For example, if ECDHE is in use,
-this represents the server's public ECDHE key.
-.Pp
-In case of success, a copy of the key is stored in
-.Pf * Fa key .
-It is the caller's responsibility to free this key after use using
-.Xr EVP_PKEY_free 3 .
-.Pp
-This function may only be called by the client.
-.Pp
-This function is implemented as a macro.
-.Sh RETURN VALUES
-.Fn SSL_get_server_tmp_key
-returns 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr EVP_PKEY_free 3 ,
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3
-.Sh HISTORY
-.Fn SSL_get_server_tmp_key
-first appeared in OpenSSL 1.0.2 and has been available since
-.Ox 6.1 .
diff --git a/src/lib/libssl/man/SSL_get_session.3 b/src/lib/libssl/man/SSL_get_session.3
deleted file mode 100644
index 2ab43fdd3e..0000000000
--- a/src/lib/libssl/man/SSL_get_session.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\"     $OpenBSD: SSL_get_session.3,v 1.8 2022/03/31 17:27:18 naddy Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2005, 2013, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt SSL_GET_SESSION 3
-.Os
-.Sh NAME
-.Nm SSL_get_session ,
-.Nm SSL_get0_session ,
-.Nm SSL_get1_session
-.Nd retrieve TLS/SSL session data
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_SESSION *
-.Fn SSL_get_session "const SSL *ssl"
-.Ft SSL_SESSION *
-.Fn SSL_get0_session "const SSL *ssl"
-.Ft SSL_SESSION *
-.Fn SSL_get1_session "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_session
-returns a pointer to the
-.Vt SSL_SESSION
-actually used in
-.Fa ssl .
-The reference count of the
-.Vt SSL_SESSION
-is not incremented, so that the pointer can become invalid by other operations.
-.Pp
-.Fn SSL_get0_session
-is the same as
-.Fn SSL_get_session .
-.Pp
-.Fn SSL_get1_session
-is the same as
-.Fn SSL_get_session ,
-but the reference count of the
-.Vt SSL_SESSION
-is incremented by one.
-.Pp
-The
-.Fa ssl
-session contains all information required to re-establish the connection
-without a new handshake.
-.Pp
-.Fn SSL_get0_session
-returns a pointer to the actual session.
-As the reference counter is not incremented,
-the pointer is only valid while the connection is in use.
-If
-.Xr SSL_clear 3
-or
-.Xr SSL_free 3
-is called, the session may be removed completely (if considered bad),
-and the pointer obtained will become invalid.
-Even if the session is valid,
-it can be removed at any time due to timeout during
-.Xr SSL_CTX_flush_sessions 3 .
-.Pp
-If the data is to be kept,
-.Fn SSL_get1_session
-will increment the reference count, so that the session will not be implicitly
-removed by other operations but stays in memory.
-In order to remove the session,
-.Xr SSL_SESSION_free 3
-must be explicitly called once to decrement the reference count again.
-.Pp
-.Vt SSL_SESSION
-objects keep internal link information about the session cache list when being
-inserted into one
-.Vt SSL_CTX
-object's session cache.
-One
-.Vt SSL_SESSION
-object, regardless of its reference count, must therefore only be used with one
-.Vt SSL_CTX
-object (and the
-.Vt SSL
-objects created from this
-.Vt SSL_CTX
-object).
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-There is no session available in
-.Fa ssl .
-.It Pointer to an Vt SSL_SESSION
-The return value points to the data of an
-.Vt SSL
-session.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_SESSION_free 3 ,
-.Xr SSL_SESSION_get0_peer 3 ,
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3 ,
-.Xr SSL_SESSION_print 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_get_session
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_get0_session
-and
-.Fn SSL_get1_session
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_get_shared_ciphers.3 b/src/lib/libssl/man/SSL_get_shared_ciphers.3
deleted file mode 100644
index 207e8c42eb..0000000000
--- a/src/lib/libssl/man/SSL_get_shared_ciphers.3
+++ /dev/null
@@ -1,103 +0,0 @@
-.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 9 2021 $
-.Dt SSL_GET_SHARED_CIPHERS 3
-.Os
-.Sh NAME
-.Nm SSL_get_shared_ciphers
-.Nd ciphers supported by both client and server
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft char *
-.Fo SSL_get_shared_ciphers
-.Fa "const SSL *ssl"
-.Fa "char *buf"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-If
-.Fa ssl
-contains a session in server mode,
-.Fn SSL_get_shared_ciphers
-puts as many names of ciphers that are supported by both the client
-and the server into the buffer
-.Fa buf
-as the buffer is long enough to contain.
-Names are separated by colons.
-At most
-.Fa len
-bytes are written to
-.Fa buf
-including the terminating NUL character.
-.Sh RETURN VALUES
-.Fn SSL_get_shared_ciphers
-returns
-.Fa buf
-on success or
-.Dv NULL
-on failure.
-The following situations cause failure:
-.Bl -bullet
-.It
-.Xr SSL_is_server 3
-is false, i.e.,
-.Ar ssl
-is not set to server mode.
-.It
-.Xr SSL_get_ciphers 3
-is
-.Dv NULL
-or empty, i.e., no ciphers are available for use by the server.
-.It
-.Xr SSL_get_session 3
-is
-.Dv NULL ,
-i.e.,
-.Ar ssl
-contains no session.
-.It
-.Xr SSL_get_client_ciphers 3
-is
-.Dv NULL
-or empty, i.e.,
-.Ar ssl
-contains no information about ciphers supported by the client,
-or the client does not support any ciphers.
-.It
-The
-.Fa len
-argument is less than 2.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_ciphers 3
-.Sh HISTORY
-.Fn SSL_get_shared_ciphers
-first appeared in SSLeay 0.4.5b and has been available since
-.Ox 2.4 .
-.Sh BUGS
-If the list is too long to fit into
-.Fa len
-bytes, it is silently truncated after the last cipher name that fits,
-and all following ciphers are skipped.
-If the buffer is very short such that even the first cipher name
-does not fit, an empty string is returned even when some shared
-ciphers are actually available.
-.Pp
-There is no easy way to find out how much space is required for
-.Fa buf
-or whether the supplied space was sufficient.
diff --git a/src/lib/libssl/man/SSL_get_state.3 b/src/lib/libssl/man/SSL_get_state.3
deleted file mode 100644
index 297bbce876..0000000000
--- a/src/lib/libssl/man/SSL_get_state.3
+++ /dev/null
@@ -1,161 +0,0 @@
-.\" $OpenBSD: SSL_get_state.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_GET_STATE 3
-.Os
-.Sh NAME
-.Nm SSL_get_state ,
-.Nm SSL_state ,
-.Nm SSL_in_accept_init ,
-.Nm SSL_in_before ,
-.Nm SSL_in_connect_init ,
-.Nm SSL_in_init ,
-.Nm SSL_is_init_finished
-.Nd inspect the state of the SSL state machine
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_get_state
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_state
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_in_accept_init
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_in_before
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_in_connect_init
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_in_init
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_is_init_finished
-.Fa "const SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_get_state
-returns an encoded representation of the current state of the SSL
-state machine.
-.Fn SSL_state
-is a deprecated alias for
-.Fn SSL_get_state .
-.Pp
-The following bits may be set:
-.Bl -tag -width Ds
-.It Dv SSL_ST_ACCEPT
-This bit is set by
-.Xr SSL_accept 3
-and by
-.Xr SSL_set_accept_state 3 .
-It indicates that
-.Fa ssl
-is set up for server mode and no client initiated the TLS handshake yet.
-The function
-.Fn SSL_in_accept_init
-returns non-zero if this bit is set or 0 otherwise.
-.It Dv SSL_ST_BEFORE
-This bit is set by the
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_set_accept_state 3 ,
-and
-.Xr SSL_set_connect_state 3
-functions.
-It indicates that the TLS handshake was not initiated yet.
-The function
-.Fn SSL_in_before
-returns non-zero if this bit is set or 0 otherwise.
-.It Dv SSL_ST_CONNECT
-This bit is set by
-.Xr SSL_connect 3
-and by
-.Xr SSL_set_connect_state 3 .
-It indicates that
-.Fa ssl
-is set up for client mode and no TLS handshake was initiated yet.
-The function
-.Fn SSL_in_connect_init
-returns non-zero if this bit is set or 0 otherwise.
-.El
-.Pp
-The following masks can be used:
-.Bl -tag -width Ds
-.It Dv SSL_ST_INIT
-Set if
-.Dv SSL_ST_ACCEPT
-or
-.Dv SSL_ST_CONNECT
-is set.
-The function
-.Fn SSL_in_init
-returns a non-zero value if one of these is set or 0 otherwise.
-.It Dv SSL_ST_MASK
-This mask includes all bits except
-.Dv SSL_ST_ACCEPT ,
-.Dv SSL_ST_BEFORE ,
-and
-.Dv SSL_ST_CONNECT .
-.It Dv SSL_ST_OK
-The state is set to this value when a connection is established.
-The function
-.Fn SSL_is_init_finished
-returns a non-zero value if the state equals this constant, or 0 otherwise.
-.It Dv SSL_ST_RENEGOTIATE
-The program is about to renegotiate, for example when entering
-.Xr SSL_read 3
-or
-.Xr SSL_write 3
-right after
-.Xr SSL_renegotiate 3
-was called.
-.El
-.Pp
-The meaning of other bits is protocol-dependent.
-Application programs usually do not need to inspect any of those
-other bits.
-.Pp
-All these functions may be implemented as macros.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_renegotiate 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_is_init_finished
-first appeared in SSLeay 0.4.5b.
-.Fn SSL_state
-first appeared in SSLeay 0.5.2.
-.Fn SSL_in_accept_init ,
-.Fn SSL_in_connect_init ,
-and
-.Fn SSL_in_init
-first appeared in SSLeay 0.6.0.
-.Fn SSL_in_before
-first appeared in SSLeay 0.8.0.
-.Fn SSL_get_state
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_verify_result.3 b/src/lib/libssl/man/SSL_get_verify_result.3
deleted file mode 100644
index 180cf1bb73..0000000000
--- a/src/lib/libssl/man/SSL_get_verify_result.3
+++ /dev/null
@@ -1,102 +0,0 @@
-.\" $OpenBSD: SSL_get_verify_result.3,v 1.6 2021/06/26 17:36:28 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 26 2021 $
-.Dt SSL_GET_VERIFY_RESULT 3
-.Os
-.Sh NAME
-.Nm SSL_get_verify_result
-.Nd get result of peer certificate verification
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_get_verify_result "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_verify_result
-returns the result of the verification of the X509 certificate presented by the
-peer, if any.
-.Pp
-.Fn SSL_get_verify_result
-can only return one error code while the verification of a certificate can fail
-because of many reasons at the same time.
-Only the last verification error that occurred during the processing is
-available from
-.Fn SSL_get_verify_result .
-.Pp
-The verification result is part of the established session and is restored when
-a session is reused.
-.Sh RETURN VALUES
-The following return values can currently occur:
-.Bl -tag -width Ds
-.It Dv X509_V_OK
-The verification succeeded or no peer certificate was presented.
-.It Any other value
-Documented in
-.Xr openssl 1 .
-.El
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_get0_peername 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_set_verify_result 3
-.Sh HISTORY
-.Fn SSL_get_verify_result
-first appeared in SSLeay 0.6.1 and has been available since
-.Ox 2.4 .
-.Sh BUGS
-If no peer certificate was presented, the returned result code is
-.Dv X509_V_OK .
-This is because no verification error occurred;
-however, it does not indicate success.
-.Fn SSL_get_verify_result
-is only useful in connection with
-.Xr SSL_get_peer_certificate 3 .
diff --git a/src/lib/libssl/man/SSL_get_version.3 b/src/lib/libssl/man/SSL_get_version.3
deleted file mode 100644
index a6cefb055b..0000000000
--- a/src/lib/libssl/man/SSL_get_version.3
+++ /dev/null
@@ -1,123 +0,0 @@
-.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $
-.\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 15 2021 $
-.Dt SSL_GET_VERSION 3
-.Os
-.Sh NAME
-.Nm SSL_get_version ,
-.Nm SSL_is_dtls ,
-.Nm SSL_version
-.\" The following are intentionally undocumented because
-.\" - the longer term plan is to remove them
-.\" - nothing appears to be using them in the wild
-.\" - and they have the wrong namespace prefix
-.\" Nm TLS1_get_version
-.\" Nm TLS1_get_client_version
-.Nd get the protocol information of a connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_get_version "const SSL *ssl"
-.Ft int
-.Fn SSL_is_dtls "const SSL *ssl"
-.Ft int
-.Fn SSL_version "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_version
-returns the name of the protocol used for the connection
-.Fa ssl .
-.Pp
-.Fn SSL_is_dtls
-returns 1 if the connection is using DTLS, 0 if not.
-.Pp
-.Fn SSL_version
-returns an integer constant representing that protocol.
-.Pp
-These functions only return reliable results
-after the initial handshake has been completed.
-.Sh RETURN VALUES
-The following strings or integers can be returned by
-.Fn SSL_get_version
-and
-.Fn SSL_version :
-.Bl -tag -width Ds
-.It Qo TLSv1 Qc No or Dv TLS1_VERSION
-The connection uses the TLSv1.0 protocol.
-.It Qo TLSv1.1 Qc No or Dv TLS1_1_VERSION
-The connection uses the TLSv1.1 protocol.
-.It Qo TLSv1.2 Qc No or Dv TLS1_2_VERSION
-The connection uses the TLSv1.2 protocol.
-.It Qo TLSv1.3 Qc No or Dv TLS1_3_VERSION
-The connection uses the TLSv1.3 protocol.
-.It Qo DTLSv1 Qc No or Dv DTLS1_VERSION
-The connection uses the Datagram Transport Layer Security 1.0 protocol.
-.It Qo DTLSv1.2 Qc No or Dv DTLS1_2_VERSION
-The connection uses the Datagram Transport Layer Security 1.2 protocol.
-.It Qq unknown
-This indicates an unknown protocol version;
-it cannot currently happen with LibreSSL.
-.El
-.Pp
-.Fn SSL_is_dtls
-returns 1 if the connection uses DTLS, 0 if not.
-.Sh SEE ALSO
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_get_version
-and
-.Fn SSL_version
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_is_dtls
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.9 .
diff --git a/src/lib/libssl/man/SSL_library_init.3 b/src/lib/libssl/man/SSL_library_init.3
deleted file mode 100644
index 053c1e6fcb..0000000000
--- a/src/lib/libssl/man/SSL_library_init.3
+++ /dev/null
@@ -1,98 +0,0 @@
-.\"     $OpenBSD: SSL_library_init.3,v 1.7 2019/06/14 13:41:31 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2006, 2010 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 14 2019 $
-.Dt SSL_LIBRARY_INIT 3
-.Os
-.Sh NAME
-.Nm SSL_library_init ,
-.Nm OpenSSL_add_ssl_algorithms ,
-.Nm SSLeay_add_ssl_algorithms
-.Nd initialize SSL library by registering algorithms
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_library_init void
-.Ft int
-.Fn OpenSSL_add_ssl_algorithms void
-.Ft int
-.Fn SSLeay_add_ssl_algorithms void
-.Sh DESCRIPTION
-These functions are deprecated.
-It is never useful for any application program to call any of them explicitly.
-The library automatically calls them internally whenever needed.
-.Pp
-.Fn SSL_library_init
-registers the available ciphers and digests
-which are used directly or indirectly by TLS.
-.Pp
-.Fn OpenSSL_add_ssl_algorithms
-and
-.Fn SSLeay_add_ssl_algorithms
-are synonyms for
-.Fn SSL_library_init
-and are implemented as macros.
-.Sh RETURN VALUES
-.Fn SSL_library_init
-always returns 1.
-.Sh SEE ALSO
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSLeay_add_ssl_algorithms
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_library_init
-first appeared in OpenSSL 0.9.2b and has been available since
-.Ox 2.6 .
-.Pp
-.Fn OpenSSL_add_ssl_algorithms
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3
deleted file mode 100644
index f782d96dce..0000000000
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ /dev/null
@@ -1,185 +0,0 @@
-.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_LOAD_CLIENT_CA_FILE 3
-.Os
-.Sh NAME
-.Nm SSL_load_client_CA_file ,
-.Nm SSL_add_file_cert_subjects_to_stack ,
-.Nm SSL_add_dir_cert_subjects_to_stack
-.Nd load certificate names from files
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(X509_NAME) *
-.Fn SSL_load_client_CA_file "const char *file"
-.Ft int
-.Fo SSL_add_file_cert_subjects_to_stack
-.Fa "STACK_OF(X509_NAME) *stack"
-.Fa "const char *file"
-.Fc
-.Ft int
-.Fo SSL_add_dir_cert_subjects_to_stack
-.Fa "STACK_OF(X509_NAME) *stack"
-.Fa "const char *dir"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_load_client_CA_file
-reads PEM formatted certificates from
-.Fa file
-and returns a new
-.Vt STACK_OF(X509_NAME)
-with the subject names found.
-While the name suggests the specific usage as a support function for
-.Xr SSL_CTX_set_client_CA_list 3 ,
-it is not limited to CA certificates.
-.Pp
-.Fn SSL_add_file_cert_subjects_to_stack
-is similar except that the names are added to the existing
-.Fa stack .
-.Pp
-.Fn SSL_add_dir_cert_subjects_to_stack
-calls
-.Fn SSL_add_file_cert_subjects_to_stack
-on every file in the directory
-.Fa dir .
-.Pp
-If a name is already on the stack, all these functions skip it and
-do not add it again.
-.Sh RETURN VALUES
-.Fn SSL_load_client_CA_file
-returns a pointer to the new
-.Vt STACK_OF(X509_NAME)
-or
-.Dv NULL on failure .
-.Pp
-.Fn SSL_add_file_cert_subjects_to_stack
-and
-.Fn SSL_add_dir_cert_subjects_to_stack
-return 1 for success or 0 for failure.
-.Pp
-All these functions treat empty files and directories as failures.
-.Pp
-In some cases of failure, the reason can be determined with
-.Xr ERR_get_error 3 .
-.Sh EXAMPLES
-Load names of CAs from a file and use it as a client CA list:
-.Bd -literal
-SSL_CTX *ctx;
-STACK_OF(X509_NAME) *cert_names;
-\&...
-cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
-if (cert_names != NULL)
-        SSL_CTX_set_client_CA_list(ctx, cert_names);
-else
-        error_handling();
-\&...
-.Ed
-.Sh SEE ALSO
-.Xr PEM_read_bio_X509 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn SSL_load_client_CA_file
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_add_file_cert_subjects_to_stack
-and
-.Fn SSL_add_dir_cert_subjects_to_stack
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Sh AUTHORS
-.Fn SSL_add_file_cert_subjects_to_stack
-and
-.Fn SSL_add_dir_cert_subjects_to_stack
-were written by
-.An Ben Laurie Aq Mt ben@openssl.org
-in 1999.
-.Sh BUGS
-In some cases of failure, for example for empty files and directories,
-these functions fail to report an error, in the sense that
-.Xr ERR_get_error 3
-does not work.
-.Pp
-Even in case of failure, for example when parsing one of the
-files or certificates fails,
-.Fn SSL_add_file_cert_subjects_to_stack
-and
-.Fn SSL_add_dir_cert_subjects_to_stack
-may still have added some certificates to the stack.
-.Pp
-The behaviour of
-.Fn SSL_add_dir_cert_subjects_to_stack
-is non-deterministic.
-If parsing one file fails, parsing of the whole directory is aborted.
-Files in the directory are not parsed in any specific order.
-For example, adding an empty file to
-.Fa dir
-may or may not cause some of the other files to be ignored.
diff --git a/src/lib/libssl/man/SSL_new.3 b/src/lib/libssl/man/SSL_new.3
deleted file mode 100644
index 22c5dbf2db..0000000000
--- a/src/lib/libssl/man/SSL_new.3
+++ /dev/null
@@ -1,110 +0,0 @@
-.\" $OpenBSD: SSL_new.3,v 1.7 2022/07/13 22:05:53 schwarze Exp $
-.\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000
-.\"
-.\" This file was written by Richard Levitte <levitte@openssl.org>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt SSL_NEW 3
-.Os
-.Sh NAME
-.Nm SSL_new ,
-.Nm SSL_up_ref
-.Nd create a new SSL structure for a connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL *
-.Fn SSL_new "SSL_CTX *ctx"
-.Ft int
-.Fn SSL_up_ref "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_new
-creates a new
-.Vt SSL
-structure which is needed to hold the data for a TLS/SSL connection.
-The new structure inherits the settings of the underlying context
-.Fa ctx :
-connection method, options, verification settings,
-timeout settings, security level.
-The reference count of the new structure is set to 1.
-.Pp
-.Fn SSL_up_ref
-increments the reference count of
-.Fa ssl
-by 1.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-The creation of a new
-.Vt SSL
-structure failed.
-Check the error stack to find out the reason.
-.It Pointer to an Vt SSL No structure
-The return value points to an allocated
-.Vt SSL
-structure.
-.El
-.Pp
-.Fn SSL_up_ref
-returns 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_security_level 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_get_SSL_CTX 3
-.Sh HISTORY
-.Fn SSL_new
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_num_renegotiations.3 b/src/lib/libssl/man/SSL_num_renegotiations.3
deleted file mode 100644
index 6a81b76a60..0000000000
--- a/src/lib/libssl/man/SSL_num_renegotiations.3
+++ /dev/null
@@ -1,75 +0,0 @@
-.\" $OpenBSD: SSL_num_renegotiations.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_NUM_RENEGOTIATIONS 3
-.Os
-.Sh NAME
-.Nm SSL_num_renegotiations ,
-.Nm SSL_clear_num_renegotiations ,
-.Nm SSL_total_renegotiations
-.Nd renegotiation counters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_num_renegotiations
-.Fa "SSL *ssl"
-.Fc
-.Ft long
-.Fo SSL_clear_num_renegotiations
-.Fa "SSL *ssl"
-.Fc
-.Ft long
-.Fo SSL_total_renegotiations
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_num_renegotiations
-reports the number of renegotiations initiated in
-.Fa ssl
-since
-.Xr SSL_new 3 ,
-.Xr SSL_clear 3 ,
-or
-.Fn SSL_clear_num_renegotiations
-was last called on that object.
-.Pp
-.Fn SSL_clear_num_renegotiations
-does the same and additionally resets the renegotiation counter to 0.
-.Pp
-.Fn SSL_total_renegotiations
-reports the number of renegotiations initiated in
-.Fa ssl
-since
-.Xr SSL_new 3
-or
-.Xr SSL_clear 3
-was last called on that object.
-.Pp
-These functions are implemented as macros.
-.Sh RETURN VALUES
-All these functions return a number of renegotiations.
-.Sh SEE ALSO
-.Xr BIO_set_ssl_renegotiate_bytes 3 ,
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_renegotiate 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.9.0
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_pending.3 b/src/lib/libssl/man/SSL_pending.3
deleted file mode 100644
index bbc2e9bdd2..0000000000
--- a/src/lib/libssl/man/SSL_pending.3
+++ /dev/null
@@ -1,90 +0,0 @@
-.\"     $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $
-.\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
-.\" Bodo Moeller <bodo@openssl.org>, and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2005, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 23 2020 $
-.Dt SSL_PENDING 3
-.Os
-.Sh NAME
-.Nm SSL_pending
-.Nd obtain number of readable bytes buffered in an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_pending "const SSL *ssl"
-.Sh DESCRIPTION
-Data is received in whole blocks known as records from the peer.
-A whole record is processed, for example decrypted, in one go and
-is buffered until it is read by the application via a call to
-.Xr SSL_read 3 .
-.Pp
-.Fn SSL_pending
-returns the number of bytes of application data which are available
-for immediate read.
-.Pp
-.Fn SSL_pending
-takes into account only bytes from the TLS/SSL record that is
-currently being processed (if any).
-.Sh RETURN VALUES
-.Fn SSL_pending
-returns the number of buffered and processed application data
-bytes that are pending and are available for immediate read.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_read 3
-.Sh HISTORY
-.Fn SSL_pending
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Sh BUGS
-Up to OpenSSL 0.9.6,
-.Fn SSL_pending
-did not check if the record type of pending data is application data.
diff --git a/src/lib/libssl/man/SSL_read.3 b/src/lib/libssl/man/SSL_read.3
deleted file mode 100644
index bb72a8ed82..0000000000
--- a/src/lib/libssl/man/SSL_read.3
+++ /dev/null
@@ -1,278 +0,0 @@
-.\" $OpenBSD: SSL_read.3,v 1.8 2021/10/24 15:10:13 schwarze Exp $
-.\" full merge up to: OpenSSL 5a2443ae Nov 14 11:37:36 2016 +0000
-.\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
-.\" Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2008, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 24 2021 $
-.Dt SSL_READ 3
-.Os
-.Sh NAME
-.Nm SSL_read_ex ,
-.Nm SSL_read ,
-.Nm SSL_peek_ex ,
-.Nm SSL_peek
-.Nd read bytes from a TLS connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_read_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
-.Ft int
-.Fn SSL_read "SSL *ssl" "void *buf" "int num"
-.Ft int
-.Fn SSL_peek_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
-.Ft int
-.Fn SSL_peek "SSL *ssl" "void *buf" "int num"
-.Sh DESCRIPTION
-.Fn SSL_read_ex
-and
-.Fn SSL_read
-try to read
-.Fa num
-bytes from the specified
-.Fa ssl
-into the buffer
-.Fa buf .
-On success
-.Fn SSL_read_ex
-stores the number of bytes actually read in
-.Pf * Fa readbytes .
-.Pp
-.Fn SSL_peek_ex
-and
-.Fn SSL_peek
-are identical to
-.Fn SSL_read_ex
-and
-.Fn SSL_read ,
-respectively,
-except that no bytes are removed from the underlying BIO during
-the read, such that a subsequent call to
-.Fn SSL_read_ex
-or
-.Fn SSL_read
-will yield at least the same bytes once again.
-.Pp
-In the following,
-.Fn SSL_read_ex ,
-.Fn SSL_read ,
-.Fn SSL_peek_ex ,
-and
-.Fn SSL_peek
-are called
-.Dq read functions .
-.Pp
-If necessary, a read function will negotiate a TLS session, if
-not already explicitly performed by
-.Xr SSL_connect 3
-or
-.Xr SSL_accept 3 .
-If the peer requests a re-negotiation, it will be performed
-transparently during the read function operation.
-The behaviour of the read functions depends on the underlying
-.Vt BIO .
-.Pp
-For the transparent negotiation to succeed, the
-.Fa ssl
-must have been initialized to client or server mode.
-This is done by calling
-.Xr SSL_set_connect_state 3
-or
-.Xr SSL_set_accept_state 3
-before the first call to a read function.
-.Pp
-The read functions work based on the TLS records.
-The data are received in records (with a maximum record size of 16kB).
-Only when a record has been completely received, it can be processed
-(decrypted and checked for integrity).
-Therefore, data that was not retrieved at the last read call can
-still be buffered inside the TLS layer and will be retrieved on the
-next read call.
-If
-.Fa num
-is higher than the number of bytes buffered, the read functions
-will return with the bytes buffered.
-If no more bytes are in the buffer, the read functions will trigger
-the processing of the next record.
-Only when the record has been received and processed completely
-will the read functions return reporting success.
-At most the contents of the record will be returned.
-As the size of a TLS record may exceed the maximum packet size
-of the underlying transport (e.g., TCP), it may be necessary to
-read several packets from the transport layer before the record is
-complete and the read call can succeed.
-.Pp
-If the underlying
-.Vt BIO
-is blocking,
-a read function will only return once the read operation has been
-finished or an error occurred, except when a renegotiation takes
-place, in which case an
-.Dv SSL_ERROR_WANT_READ
-may occur.
-This behavior can be controlled with the
-.Dv SSL_MODE_AUTO_RETRY
-flag of the
-.Xr SSL_CTX_set_mode 3
-call.
-.Pp
-If the underlying
-.Vt BIO
-is non-blocking, a read function will also return when the underlying
-.Vt BIO
-could not satisfy the needs of the function to continue the operation.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of the read function will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-As at any time a re-negotiation is possible, a read function may
-also cause write operations.
-The calling process must then repeat the call after taking appropriate
-action to satisfy the needs of the read function.
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Pp
-.Xr SSL_pending 3
-can be used to find out whether there are buffered bytes available for
-immediate retrieval.
-In this case a read function can be called without blocking or
-actually receiving new data from the underlying socket.
-.Pp
-When a read function operation has to be repeated because of
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE ,
-it must be repeated with the same arguments.
-.Sh RETURN VALUES
-.Fn SSL_read_ex
-and
-.Fn SSL_peek_ex
-return 1 for success or 0 for failure.
-Success means that one or more application data bytes
-have been read from the SSL connection.
-Failure means that no bytes could be read from the SSL connection.
-Failures can be retryable (e.g. we are waiting for more bytes to be
-delivered by the network) or non-retryable (e.g. a fatal network error).
-In the event of a failure, call
-.Xr SSL_get_error 3
-to find out the reason which indicates whether the call is retryable or not.
-.Pp
-For
-.Fn SSL_read
-and
-.Fn SSL_peek ,
-the following return values can occur:
-.Bl -tag -width Ds
-.It >0
-The read operation was successful.
-The return value is the number of bytes actually read from the
-TLS connection.
-.It 0
-The read operation was not successful.
-The reason may either be a clean shutdown due to a
-.Dq close notify
-alert sent by the peer (in which case the
-.Dv SSL_RECEIVED_SHUTDOWN
-flag in the ssl shutdown state is set (see
-.Xr SSL_shutdown 3
-and
-.Xr SSL_set_shutdown 3 ) .
-It is also possible that the peer simply shut down the underlying transport and
-the shutdown is incomplete.
-Call
-.Xr SSL_get_error 3
-with the return value to find out whether an error occurred or the connection
-was shut down cleanly
-.Pq Dv SSL_ERROR_ZERO_RETURN .
-.It <0
-The read operation was not successful, because either an error occurred or
-action must be taken by the calling process.
-Call
-.Xr SSL_get_error 3
-with the return value to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_pending 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_read
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_peek
-first appeared in SSLeay 0.6.6.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_read_ex
-and
-.Fn SSL_peek_ex
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
deleted file mode 100644
index 1435c15935..0000000000
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ /dev/null
@@ -1,174 +0,0 @@
-.\" $OpenBSD: SSL_read_early_data.3,v 1.4 2021/11/26 13:48:22 jsg Exp $
-.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 26 2021 $
-.Dt SSL_READ_EARLY_DATA 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_max_early_data ,
-.Nm SSL_set_max_early_data ,
-.Nm SSL_SESSION_set_max_early_data ,
-.Nm SSL_CTX_get_max_early_data ,
-.Nm SSL_get_max_early_data ,
-.Nm SSL_SESSION_get_max_early_data ,
-.Nm SSL_write_early_data ,
-.Nm SSL_read_early_data ,
-.Nm SSL_get_early_data_status
-.Nd transmit application data during the handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_max_early_data
-.Fa "SSL_CTX *ctx"
-.Fa "uint32_t max_bytes"
-.Fc
-.Ft int
-.Fo SSL_set_max_early_data
-.Fa "SSL *ssl"
-.Fa "uint32_t max_bytes"
-.Fc
-.Ft int
-.Fo SSL_SESSION_set_max_early_data
-.Fa "SSL_SESSION *session"
-.Fa "uint32_t max_bytes"
-.Fc
-.Ft uint32_t
-.Fo SSL_CTX_get_max_early_data
-.Fa "const SSL_CTX *ctx"
-.Fc
-.Ft uint32_t
-.Fo SSL_get_max_early_data
-.Fa "const SSL *ssl"
-.Fc
-.Ft uint32_t
-.Fo SSL_SESSION_get_max_early_data
-.Fa "const SSL_SESSION *session"
-.Fc
-.Ft int
-.Fo SSL_write_early_data
-.Fa "SSL *ssl"
-.Fa "const void *buf"
-.Fa "size_t len"
-.Fa "size_t *written"
-.Fc
-.Ft int
-.Fo SSL_read_early_data
-.Fa "SSL *ssl"
-.Fa "void *buf"
-.Fa "size_t maxlen"
-.Fa "size_t *readbytes"
-.Fc
-.Ft int
-.Fo SSL_get_early_data_status
-.Fa "const SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-In LibreSSL, these functions have no effect.
-They are only provided because some application programs
-expect the API to be available when TLSv1.3 is supported.
-Using these functions is strongly discouraged because they provide
-marginal benefit in the first place even when implemented and
-used as designed, because they have absurdly complicated semantics,
-and because when they are used, inconspicuous oversights are likely
-to cause serious security vulnerabilities.
-.Pp
-If these functions are used, other TLS implementations
-may allow the transfer of application data during the initial handshake.
-Even when used as designed, security of the connection is compromised;
-in particular, application data is exchanged with unauthenticated peers,
-and there is no forward secrecy.
-Other downsides include an increased risk of replay attacks.
-.Pp
-.Fn SSL_CTX_set_max_early_data ,
-.Fn SSL_set_max_early_data ,
-and
-.Fn SSL_SESSION_set_max_early_data
-are intended to configure the maximum number of bytes per session
-that can be transmitted during the handshake.
-With LibreSSL, all arguments are ignored.
-.Pp
-An endpoint can attempt to send application data with
-.Fn SSL_write_early_data
-during the handshake.
-With LibreSSL, such attempts always fail and set
-.Pf * Fa written
-to 0.
-.Pp
-A server can attempt to read application data from the client using
-.Fn SSL_read_early_data
-during the handshake.
-With LibreSSL, no such data is ever accepted and
-.Pf * Fa readbytes
-is always set to 0.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_max_early_data ,
-.Fn SSL_set_max_early_data ,
-and
-.Fn SSL_SESSION_set_max_early_data
-return 1 for success or 0 for failure.
-With LibreSSL, they always succeed.
-.Pp
-.Fn SSL_CTX_get_max_early_data ,
-.Fn SSL_get_max_early_data ,
-and
-.Fn SSL_SESSION_get_max_early_data
-return the maximum number of bytes of application data
-that will be accepted from the peer during the handshake.
-With LibreSSL, they always return 0.
-.Pp
-.Fn SSL_write_early_data
-returns 1 for success or 0 for failure.
-With LibreSSL, it always fails.
-.Pp
-With LibreSSL,
-.Fn SSL_read_early_data
-always returns
-.Dv SSL_READ_EARLY_DATA_FINISH
-on the server side and
-.Dv SSL_READ_EARLY_DATA_ERROR
-on the client side.
-.Dv SSL_READ_EARLY_DATA_SUCCESS
-can occur with other implementations, but not with LibreSSL.
-.Pp
-With LibreSSL,
-.Fn SSL_get_early_data_status
-always returns
-.Dv SSL_EARLY_DATA_REJECTED .
-With other implementations, it might also return
-.Dv SSL_EARLY_DATA_NOT_SENT
-or
-.Dv SSL_EARLY_DATA_ACCEPTED .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh STANDARDS
-RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3:
-.Bl -tag -width "section 4.2.10" -compact
-.It Section 2.3
-0-RTT data
-.It Section 4.2.10
-Early Data Indication
-.It Section 8
-0-RTT and Anti-Replay
-.It Appendix E.5
-Replay Attacks on 0-RTT
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
deleted file mode 100644
index 8188d37323..0000000000
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ /dev/null
@@ -1,166 +0,0 @@
-.\"     $OpenBSD: SSL_renegotiate.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
-.\"
-.\" This file is a derived work.
-.\" Some parts are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" Other parts were written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_RENEGOTIATE 3
-.Os
-.Sh NAME
-.Nm SSL_renegotiate ,
-.Nm SSL_renegotiate_abbreviated ,
-.Nm SSL_renegotiate_pending
-.Nd initiate a new TLS handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_renegotiate
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_renegotiate_abbreviated
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_renegotiate_pending
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-When called from the client side,
-.Fn SSL_renegotiate
-schedules a completely new handshake over an existing TLS connection.
-The next time an I/O operation such as
-.Fn SSL_read
-or
-.Fn SSL_write
-takes place on the connection, a check is performed to confirm
-that it is a suitable time to start a renegotiation.
-If so, a new handshake is initiated immediately.
-An existing session associated with the connection is not resumed.
-.Pp
-This function is automatically called by
-.Xr SSL_read 3
-and
-.Xr SSL_write 3
-whenever the renegotiation byte count set by
-.Xr BIO_set_ssl_renegotiate_bytes 3
-or the timeout set by
-.Xr BIO_set_ssl_renegotiate_timeout 3
-are exceeded.
-.Pp
-When called from the client side,
-.Fn SSL_renegotiate_abbreviated
-is similar to
-.Fn SSL_renegotiate
-except that resuming the session associated with the current
-connection is attempted in the new handshake.
-.Pp
-When called from the server side,
-.Fn SSL_renegotiate
-and
-.Fn SSL_renegotiate_abbreviated
-behave identically.
-They both schedule a request for a new handshake to be sent to the client.
-The next time an I/O operation is performed, the same checks as on
-the client side are performed and then, if appropriate, the request
-is sent.
-The client may or may not respond with a new handshake and it may
-or may not attempt to resume an existing session.
-If a new handshake is started, it is handled transparently during
-any I/O function.
-.Pp
-If a LibreSSL client receives a renegotiation request from a server,
-it is also handled transparently during any I/O function.
-The client attempts to resume the current session in the new
-handshake.
-For historical reasons, DTLS clients do not attempt to resume
-the session in the new handshake.
-.Sh RETURN VALUES
-.Fn SSL_renegotiate
-and
-.Fn SSL_renegotiate_abbreviated
-return 1 on success or 0 on error.
-.Pp
-.Fn SSL_renegotiate_pending
-returns 1 if a renegotiation or renegotiation request has been
-scheduled but not yet acted on, or 0 otherwise.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_num_renegotiations 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_renegotiate
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_renegotiate_pending
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Pp
-.Fn SSL_renegotiate_abbreviated
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_rstate_string.3 b/src/lib/libssl/man/SSL_rstate_string.3
deleted file mode 100644
index 99613ba3c0..0000000000
--- a/src/lib/libssl/man/SSL_rstate_string.3
+++ /dev/null
@@ -1,108 +0,0 @@
-.\"     $OpenBSD: SSL_rstate_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_RSTATE_STRING 3
-.Os
-.Sh NAME
-.Nm SSL_rstate_string ,
-.Nm SSL_rstate_string_long
-.Nd get textual description of state of an SSL object during read operation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_rstate_string "SSL *ssl"
-.Ft const char *
-.Fn SSL_rstate_string_long "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_rstate_string
-returns a 2-letter string indicating the current read state of the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-.Fn SSL_rstate_string_long
-returns a string indicating the current read state of the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-When performing a read operation, the SSL/TLS engine must parse the record,
-consisting of header and body.
-When working in a blocking environment,
-.Fn SSL_rstate_string[_long]
-should always return
-.Qo RD Qc Ns / Ns Qo read done Qc .
-.Pp
-This function should only seldom be needed in applications.
-.Sh RETURN VALUES
-.Fn SSL_rstate_string
-and
-.Fn SSL_rstate_string_long
-can return the following values:
-.Bl -tag -width Ds
-.It Qo RH Qc Ns / Ns Qo read header Qc
-The header of the record is being evaluated.
-.It Qo RB Qc Ns / Ns Qo read body Qc
-The body of the record is being evaluated.
-.It Qo RD Qc Ns / Ns Qo read done Qc
-The record has been completely processed.
-.It Qo unknown Qc Ns / Ns Qo unknown Qc
-The read state is unknown.
-This should never happen.
-.El
-.Sh SEE ALSO
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_rstate_string
-and
-.Fn SSL_rstate_string_long
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_session_reused.3 b/src/lib/libssl/man/SSL_session_reused.3
deleted file mode 100644
index add61a904b..0000000000
--- a/src/lib/libssl/man/SSL_session_reused.3
+++ /dev/null
@@ -1,84 +0,0 @@
-.\"     $OpenBSD: SSL_session_reused.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_SESSION_REUSED 3
-.Os
-.Sh NAME
-.Nm SSL_session_reused
-.Nd query whether a reused session was negotiated during handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_session_reused "SSL *ssl"
-.Sh DESCRIPTION
-Query whether a reused session was negotiated during the handshake.
-.Pp
-During the negotiation, a client can propose to reuse a session.
-The server then looks up the session in its cache.
-If both client and server agree on the session,
-it will be reused and a flag is set that can be queried by the application.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-A new session was negotiated.
-.It 1
-A session was reused.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_session_reused
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_set1_host.3 b/src/lib/libssl/man/SSL_set1_host.3
deleted file mode 100644
index 2a3935c3f2..0000000000
--- a/src/lib/libssl/man/SSL_set1_host.3
+++ /dev/null
@@ -1,172 +0,0 @@
-.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $
-.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Viktor Dukhovni <viktor@openssl.org>
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2021 $
-.Dt SSL_SET1_HOST 3
-.Os
-.Sh NAME
-.Nm SSL_set1_host ,
-.Nm SSL_set_hostflags ,
-.Nm SSL_get0_peername
-.Nd SSL server verification parameters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_set1_host
-.Fa "SSL *ssl"
-.Fa "const char *hostname"
-.Fc
-.Ft void
-.Fo SSL_set_hostflags
-.Fa "SSL *ssl"
-.Fa "unsigned int flags"
-.Fc
-.Ft const char *
-.Fo SSL_get0_peername
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_set1_host
-configures a server hostname check in the
-.Fa ssl
-client, setting the expected DNS hostname to
-.Fa hostname
-and clearing any previously specified hostname.
-If
-.Fa hostname
-is
-.Dv NULL
-or the empty string, name checks are not performed on the peer certificate.
-If a nonempty
-.Fa hostname
-is specified, certificate verification automatically checks the peer
-hostname via
-.Xr X509_check_host 3
-with
-.Fa flags
-set to 0.
-.Pp
-.Fn SSL_set_hostflags
-sets the flags that will be passed to
-.Xr X509_check_host 3
-when name checks are applicable,
-by default the flags value is 0.
-See
-.Xr X509_check_host 3
-for the list of available flags and their meaning.
-.Pp
-.Fn SSL_get0_peername
-returns the DNS hostname or subject CommonName from the peer certificate
-that matched one of the reference identifiers.
-Unless wildcard matching is disabled, the name matched in the peer
-certificate may be a wildcard name.
-A reference identifier starting with
-.Sq \&.
-indicates a parent domain prefix rather than a fixed name.
-In this case, the matched peername may be a sub-domain
-of the reference identifier.
-The returned string is owned by the library and is no longer valid
-once the associated
-.Fa ssl
-object is cleared or freed, or if a renegotiation takes place.
-Applications must not free the return value.
-.Pp
-SSL clients are advised to use these functions in preference to
-explicitly calling
-.Xr X509_check_host 3 .
-.Sh RETURN VALUES
-.Fn SSL_set1_host
-returns 1 for success or 0 for failure.
-.Pp
-.Fn SSL_get0_peername
-returns the matched peername or
-.Dv NULL
-if peername verification is not applicable
-or no trusted peername was matched.
-Use
-.Xr SSL_get_verify_result 3
-to determine whether verification succeeded.
-.Sh EXAMPLES
-The calls below check the hostname.
-Wildcards are supported, but they must match the entire label.
-The actual name matched in the certificate (which might be a wildcard)
-is retrieved, and must be copied by the application if it is to be
-retained beyond the lifetime of the SSL connection.
-.Bd -literal
-if (!SSL_set1_host(ssl, "smtp.example.com"))
-        /* error */
-
-/* XXX: Perform SSL_connect() handshake and handle errors here */
-
-if (SSL_get_verify_result(ssl) == X509_V_OK) {
-        const char *peername = SSL_get0_peername(ssl);
-
-        if (peername != NULL)
-                /* Name checks were in scope and matched the peername */
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_get_verify_result 3 ,
-.Xr X509_check_host 3 ,
-.Xr X509_VERIFY_PARAM_set1_host 3
-.Sh HISTORY
-All three functions first appeared in OpenSSL 1.1.0.
-.Fn SSL_set1_host
-has been available since
-.Ox 6.5 ,
-and
-.Fn SSL_set_hostflags
-and
-.Fn SSL_get0_peername
-since
-.Ox 6.9 .
diff --git a/src/lib/libssl/man/SSL_set1_param.3 b/src/lib/libssl/man/SSL_set1_param.3
deleted file mode 100644
index cd8ad40ad0..0000000000
--- a/src/lib/libssl/man/SSL_set1_param.3
+++ /dev/null
@@ -1,137 +0,0 @@
-.\" $OpenBSD: SSL_set1_param.3,v 1.6 2022/09/10 10:22:46 jsg Exp $
-.\" full merge up to:
-.\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 10 2022 $
-.Dt SSL_SET1_PARAM 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_get0_param ,
-.Nm SSL_get0_param ,
-.Nm SSL_CTX_set1_param ,
-.Nm SSL_set1_param
-.Nd get and set verification parameters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft X509_VERIFY_PARAM *
-.Fo SSL_CTX_get0_param
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft X509_VERIFY_PARAM *
-.Fo SSL_get0_param
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_param
-.Fa "SSL_CTX *ctx"
-.Fa "X509_VERIFY_PARAM *vpm"
-.Fc
-.Ft int
-.Fo SSL_set1_param
-.Fa "SSL *ssl"
-.Fa "X509_VERIFY_PARAM *vpm"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_get0_param
-and
-.Fn SSL_get0_param
-retrieve an internal pointer to the verification parameters for
-.Fa ctx
-or
-.Fa ssl ,
-respectively.
-The returned pointer must not be freed by the calling application,
-but the application can modify the parameters pointed to,
-to suit its needs: for example to add a hostname check.
-.Pp
-.Fn SSL_CTX_set1_param
-and
-.Fn SSL_set1_param
-set the verification parameters to
-.Fa vpm
-for
-.Fa ctx
-or
-.Fa ssl .
-.Sh RETURN VALUES
-.Fn SSL_CTX_get0_param
-and
-.Fn SSL_get0_param
-return a pointer to an
-.Vt X509_VERIFY_PARAM
-structure.
-.Pp
-.Fn SSL_CTX_set1_param
-and
-.Fn SSL_set1_param
-return 1 for success or 0 for failure.
-.Sh EXAMPLES
-Check that the hostname matches
-.Pa www.foo.com
-in the peer certificate:
-.Bd -literal -offset indent
-X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
-X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com", 0);
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn SSL_CTX_set1_param
-and
-.Fn SSL_set1_param
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn SSL_CTX_get0_param
-and
-.Fn SSL_get0_param
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_set_SSL_CTX.3 b/src/lib/libssl/man/SSL_set_SSL_CTX.3
deleted file mode 100644
index 2abaefb292..0000000000
--- a/src/lib/libssl/man/SSL_set_SSL_CTX.3
+++ /dev/null
@@ -1,67 +0,0 @@
-.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.4 2022/07/13 22:05:53 schwarze Exp $
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt SSL_SET_SSL_CTX 3
-.Os
-.Sh NAME
-.Nm SSL_set_SSL_CTX
-.Nd modify an SSL connection object to use another context
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_CTX *
-.Fo SSL_set_SSL_CTX
-.Fa "SSL *ssl"
-.Fa "SSL_CTX* ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_set_SSL_CTX
-causes
-.Fa ssl
-to use the context
-.Fa ctx .
-.Pp
-If
-.Fa ctx
-is
-.Dv NULL ,
-.Fa ssl
-reverts to using the context that it was initially created from with
-.Xr SSL_new 3 .
-.Pp
-If
-.Fa ssl
-already uses
-.Fa ctx ,
-no action occurs.
-.Sh RETURN VALUES
-.Fn SSL_set_SSL_CTX
-returns an internal pointer to the context that
-.Fa ssl
-is using as a result of the call, or
-.Dv NULL
-if memory allocation fails.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_get_SSL_CTX 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_security_level 3
-.Sh HISTORY
-.Fn SSL_set_SSL_CTX
-first appeared in OpenSSL 0.9.8f and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libssl/man/SSL_set_bio.3 b/src/lib/libssl/man/SSL_set_bio.3
deleted file mode 100644
index e727f442d6..0000000000
--- a/src/lib/libssl/man/SSL_set_bio.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\"     $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $
-.\"     OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 8 2020 $
-.Dt SSL_SET_BIO 3
-.Os
-.Sh NAME
-.Nm SSL_set_bio
-.Nd connect the SSL object with a BIO
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_set_bio "SSL *ssl" "BIO *rbio" "BIO *wbio"
-.Sh DESCRIPTION
-.Fn SSL_set_bio
-connects the
-.Vt BIO Ns
-s
-.Fa rbio
-and
-.Fa wbio
-for the read and write operations of the TLS/SSL (encrypted) side of
-.Fa ssl .
-.Pp
-The SSL engine inherits the behaviour of
-.Fa rbio
-and
-.Fa wbio ,
-respectively.
-If a
-.Vt BIO
-is non-blocking, the
-.Fa ssl
-will also have non-blocking behaviour.
-.Pp
-If there was already a
-.Vt BIO
-connected to
-.Fa ssl ,
-.Xr BIO_free 3
-will be called (for both the reading and writing side, if different).
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_get_rbio 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_set_bio
-first appeared in SSLeay 0.6.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_set_connect_state.3 b/src/lib/libssl/man/SSL_set_connect_state.3
deleted file mode 100644
index c2072c4370..0000000000
--- a/src/lib/libssl/man/SSL_set_connect_state.3
+++ /dev/null
@@ -1,153 +0,0 @@
-.\" $OpenBSD: SSL_set_connect_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
-.\" and Paul Yang <yang.yang@baishancloud.com>.
-.\" Copyright (c) 2001, 2017 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_SET_CONNECT_STATE 3
-.Os
-.Sh NAME
-.Nm SSL_set_connect_state ,
-.Nm SSL_set_accept_state ,
-.Nm SSL_is_server
-.Nd prepare SSL object to work in client or server mode
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_set_connect_state "SSL *ssl"
-.Ft void
-.Fn SSL_set_accept_state "SSL *ssl"
-.Ft int
-.Fn SSL_is_server "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_set_connect_state
-sets
-.Fa ssl
-to work in client mode.
-.Pp
-.Fn SSL_set_accept_state
-sets
-.Fa ssl
-to work in server mode.
-.Pp
-.Fn SSL_is_server
-checks whether
-.Fa ssl
-is set to server mode.
-.Pp
-When the
-.Vt SSL_CTX
-object was created with
-.Xr SSL_CTX_new 3 ,
-it was either assigned a dedicated client method, a dedicated server method, or
-a generic method, that can be used for both client and server connections.
-(The method might have been changed with
-.Xr SSL_CTX_set_ssl_version 3
-or
-.Xr SSL_set_ssl_method 3 . )
-.Pp
-When beginning a new handshake, the SSL engine must know whether it must call
-the connect (client) or accept (server) routines.
-Even though it may be clear from the method chosen whether client or server
-mode was requested, the handshake routines must be explicitly set.
-.Pp
-When using the
-.Xr SSL_connect 3
-or
-.Xr SSL_accept 3
-routines, the correct handshake routines are automatically set.
-When performing a transparent negotiation using
-.Xr SSL_write 3
-or
-.Xr SSL_read 3 ,
-the handshake routines must be explicitly set in advance using either
-.Fn SSL_set_connect_state
-or
-.Fn SSL_set_accept_state .
-.Pp
-If
-.Fn SSL_is_server
-is called before
-.Fn SSL_set_connect_state
-or
-.Fn SSL_set_accept_state
-was called either automatically or explicitly,
-the result depends on what method was used when the
-.Fa SSL_CTX
-was created.
-If a generic method or a dedicated server method was passed to
-.Xr SSL_CTX_new 3 ,
-.Fn SSL_is_server
-returns 1; otherwise, it returns 0.
-.Sh RETURN VALUES
-.Fn SSL_is_server
-returns 1 if
-.Fa ssl
-is set to server mode or 0 if it is set to client mode.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_ssl_version 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_set_connect_state
-and
-.Fn SSL_set_accept_state
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_is_server
-first appeared in OpenSSL 1.0.2 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_set_fd.3 b/src/lib/libssl/man/SSL_set_fd.3
deleted file mode 100644
index 7b9727e9ad..0000000000
--- a/src/lib/libssl/man/SSL_set_fd.3
+++ /dev/null
@@ -1,129 +0,0 @@
-.\"     $OpenBSD: SSL_set_fd.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_SET_FD 3
-.Os
-.Sh NAME
-.Nm SSL_set_fd ,
-.Nm SSL_set_rfd ,
-.Nm SSL_set_wfd
-.Nd connect the SSL object with a file descriptor
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_set_fd "SSL *ssl" "int fd"
-.Ft int
-.Fn SSL_set_rfd "SSL *ssl" "int fd"
-.Ft int
-.Fn SSL_set_wfd "SSL *ssl" "int fd"
-.Sh DESCRIPTION
-.Fn SSL_set_fd
-sets the file descriptor
-.Fa fd
-as the input/output facility for the TLS/SSL (encrypted) side of
-.Fa ssl .
-.Fa fd
-will typically be the socket file descriptor of a network connection.
-.Pp
-When performing the operation, a socket
-.Vt BIO
-is automatically created to interface between the
-.Fa ssl
-and
-.Fa fd .
-The
-.Vt BIO
-and hence the SSL engine inherit the behaviour of
-.Fa fd .
-If
-.Fa fd
-is non-blocking, the
-.Fa ssl
-will also have non-blocking behaviour.
-.Pp
-If there was already a
-.Vt BIO
-connected to
-.Fa ssl ,
-.Xr BIO_free 3
-will be called (for both the reading and writing side, if different).
-.Pp
-.Fn SSL_set_rfd
-and
-.Fn SSL_set_wfd
-perform the respective action, but only for the read channel or the write
-channel, which can be set independently.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The operation failed.
-Check the error stack to find out why.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_get_fd 3 ,
-.Xr SSL_set_bio 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_set_fd
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_set_rfd
-and
-.Fn SSL_set_wfd
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_set_max_send_fragment.3 b/src/lib/libssl/man/SSL_set_max_send_fragment.3
deleted file mode 100644
index 7de087a743..0000000000
--- a/src/lib/libssl/man/SSL_set_max_send_fragment.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\"     OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod
-.\"     OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_SET_MAX_SEND_FRAGMENT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_max_send_fragment ,
-.Nm SSL_set_max_send_fragment
-.Nd control fragment sizes
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_CTX_set_max_send_fragment
-.Fa "SSL_CTX *ctx"
-.Fa "long m"
-.Fc
-.Ft long
-.Fo SSL_set_max_send_fragment
-.Fa "SSL *ssl"
-.Fa "long m"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_max_send_fragment
-and
-.Fn SSL_set_max_send_fragment
-set the
-.Sy max_send_fragment
-parameter for SSL_CTX and SSL objects respectively.
-This value restricts the amount of plaintext bytes that will be sent in
-any one SSL/TLS record.
-By default its value is SSL3_RT_MAX_PLAIN_LENGTH (16384).
-These functions will only accept a value in the range 512 -
-SSL3_RT_MAX_PLAIN_LENGTH.
-.Pp
-These functions are implemented using macros.
-.Sh RETURN VALUES
-These functions return 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3 ,
-.Xr SSL_CTX_set_read_ahead 3 ,
-.Xr SSL_pending 3
-.Sh HISTORY
-.Fn SSL_CTX_set_max_send_fragment
-and
-.Fn SSL_set_max_send_fragment
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3 b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
deleted file mode 100644
index 7f2bfcc010..0000000000
--- a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.1 2021/09/14 14:30:57 schwarze Exp $
-.\" OpenSSL man3/SSL_CTX_set_psk_client_callback.pod
-.\" checked up to 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 14 2021 $
-.Dt SSL_SET_PSK_USE_SESSION_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_set_psk_use_session_callback ,
-.Nm SSL_psk_use_session_cb_func
-.Nd set TLS pre-shared key client callback
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft typedef int
-.Fo (*SSL_psk_use_session_cb_func)
-.Fa "SSL *ssl"
-.Fa "const EVP_MD *md"
-.Fa "const unsigned char **id"
-.Fa "size_t *idlen"
-.Fa "SSL_SESSION **session"
-.Fc
-.Ft void
-.Fo SSL_set_psk_use_session_callback
-.Fa "SSL *ssl"
-.Fa "SSL_psk_use_session_cb_func cb"
-.Fc
-.Sh DESCRIPTION
-LibreSSL provides the stub function
-.Fn SSL_set_psk_use_session_callback
-to allow compiling application programs
-that contain optional support for TLSv1.3 pre-shared keys.
-.Pp
-LibreSSL does not support TLS pre-shared keys,
-and no action occurs when
-.Fn SSL_set_psk_use_session_callback
-is called.
-In particular, both arguments are ignored.
-During session negotiation,
-LibreSSL never calls the callback
-.Fa cb
-and always behaves as if that callback succeeded and set the
-.Pf * Fa session
-pointer to
-.Dv NULL .
-That is, LibreSSL never sends a pre-shared key to the server
-and never aborts the handshake for lack of a pre-shared key.
-.Pp
-With OpenSSL, a client application wishing to use TLSv1.3 pre-shared keys
-can install a callback function
-.Fa cb
-using
-.Fn SSL_set_psk_use_session_callback .
-The OpenSSL library may call
-.Fa cb
-once or twice during session negotiation.
-If the callback fails, OpenSSL aborts connection setup.
-If the callback succeeds but sets the
-.Pf * Fa session
-pointer to
-.Dv NULL ,
-OpenSSL continues the handshake
-but does not send a pre-shared key to the server.
-.Sh RETURN VALUES
-The
-.Fn SSL_psk_use_session_cb_func
-callback is expected to return 1 on success or 0 on failure.
-.Sh HISTORY
-.Fn SSL_set_psk_use_session_callback
-and
-.Fn SSL_psk_use_session_cb_func
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_set_session.3 b/src/lib/libssl/man/SSL_set_session.3
deleted file mode 100644
index 7d85f5ad0c..0000000000
--- a/src/lib/libssl/man/SSL_set_session.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.\"     $OpenBSD: SSL_set_session.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_SET_SESSION 3
-.Os
-.Sh NAME
-.Nm SSL_set_session
-.Nd set a TLS/SSL session to be used during TLS/SSL connect
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_set_session "SSL *ssl" "SSL_SESSION *session"
-.Sh DESCRIPTION
-.Fn SSL_set_session
-sets
-.Fa session
-to be used when the TLS/SSL connection is to be established.
-.Fn SSL_set_session
-is only useful for TLS/SSL clients.
-When the session is set, the reference count of
-.Fa session
-is incremented
-by 1.
-If the session is not reused, the reference count is decremented again during
-.Fn SSL_connect .
-Whether the session was reused can be queried with the
-.Xr SSL_session_reused 3
-call.
-.Pp
-If there is already a session set inside
-.Fa ssl
-(because it was set with
-.Fn SSL_set_session
-before or because the same
-.Fa ssl
-was already used for a connection),
-.Xr SSL_SESSION_free 3
-will be called for that session.
-.Pp
-.Vt SSL_SESSION
-objects keep internal link information about the session cache list when being
-inserted into one
-.Vt SSL_CTX
-object's session cache.
-One
-.Vt SSL_SESSION
-object, regardless of its reference count, must therefore only be used with one
-.Vt SSL_CTX
-object (and the
-.Vt SSL
-objects created from this
-.Vt SSL_CTX
-object).
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The operation failed; check the error stack to find out the reason.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_free 3 ,
-.Xr SSL_session_reused 3
-.Sh HISTORY
-.Fn SSL_set_session
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_set_shutdown.3 b/src/lib/libssl/man/SSL_set_shutdown.3
deleted file mode 100644
index ef8c004f76..0000000000
--- a/src/lib/libssl/man/SSL_set_shutdown.3
+++ /dev/null
@@ -1,138 +0,0 @@
-.\"     $OpenBSD: SSL_set_shutdown.3,v 1.7 2024/12/19 06:45:21 jmc Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 19 2024 $
-.Dt SSL_SET_SHUTDOWN 3
-.Os
-.Sh NAME
-.Nm SSL_set_shutdown ,
-.Nm SSL_get_shutdown
-.Nd manipulate shutdown state of an SSL connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_set_shutdown "SSL *ssl" "int mode"
-.Ft int
-.Fn SSL_get_shutdown "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_set_shutdown
-sets the shutdown state of
-.Fa ssl
-to
-.Fa mode .
-.Pp
-.Fn SSL_get_shutdown
-returns the shutdown mode of
-.Fa ssl .
-.Pp
-The shutdown state of an ssl connection is a bitmask of:
-.Bl -tag -width Ds
-.It 0
-No shutdown setting, yet.
-.It Dv SSL_SENT_SHUTDOWN
-A
-.Dq close notify
-shutdown alert was sent to the peer; the connection is being considered closed
-and the session is closed and correct.
-.It Dv SSL_RECEIVED_SHUTDOWN
-A shutdown alert was received from the peer, either a normal
-.Dq close notify
-or a fatal error.
-.El
-.Pp
-.Dv SSL_SENT_SHUTDOWN
-and
-.Dv SSL_RECEIVED_SHUTDOWN
-can be set at the same time.
-.Pp
-The shutdown state of the connection is used to determine the state of the
-.Fa ssl
-session.
-If the session is still open when
-.Xr SSL_clear 3
-or
-.Xr SSL_free 3
-is called, it is considered bad and removed according to RFC 2246.
-The actual condition for a correctly closed session is
-.Dv SSL_SENT_SHUTDOWN
-(according to the TLS RFC, it is acceptable to only send the
-.Dq close notify
-alert but to not wait for the peer's answer when the underlying connection is
-closed).
-.Fn SSL_set_shutdown
-can be used to set this state without sending a close alert to the peer (see
-.Xr SSL_shutdown 3 ) .
-.Pp
-If a
-.Dq close notify
-was received,
-.Dv SSL_RECEIVED_SHUTDOWN
-will be set, but to set
-.Dv SSL_SENT_SHUTDOWN
-the application must still call
-.Xr SSL_shutdown 3
-or
-.Fn SSL_set_shutdown
-itself.
-.Sh RETURN VALUES
-.Fn SSL_get_shutdown
-returns the current setting.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_set_quiet_shutdown 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_set_shutdown
-and
-.Fn SSL_get_shutdown
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
deleted file mode 100644
index 8fd2d9fd5b..0000000000
--- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3
+++ /dev/null
@@ -1,119 +0,0 @@
-.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.6 2021/11/30 15:58:08 jsing Exp $
-.\"
-.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 30 2021 $
-.Dt SSL_SET_TMP_ECDH 3
-.Os
-.Sh NAME
-.Nm SSL_set_tmp_ecdh ,
-.Nm SSL_CTX_set_tmp_ecdh ,
-.Nm SSL_set_ecdh_auto ,
-.Nm SSL_CTX_set_ecdh_auto ,
-.Nm SSL_set_tmp_ecdh_callback ,
-.Nm SSL_CTX_set_tmp_ecdh_callback
-.Nd select a curve for ECDH ephemeral key exchange
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_set_tmp_ecdh
-.Fa "SSL *ssl"
-.Fa "EC_KEY *ecdh"
-.Fc
-.Ft long
-.Fo SSL_CTX_set_tmp_ecdh
-.Fa "SSL_CTX *ctx"
-.Fa "EC_KEY *ecdh"
-.Fc
-.Ft long
-.Fo SSL_set_ecdh_auto
-.Fa "SSL *ssl"
-.Fa "int state"
-.Fc
-.Ft long
-.Fo SSL_CTX_set_ecdh_auto
-.Fa "SSL_CTX *ctx"
-.Fa "int state"
-.Fc
-.Ft void
-.Fo SSL_set_tmp_ecdh_callback
-.Fa "SSL *ssl"
-.Fa "EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)"
-.Fc
-.Ft void
-.Fo SSL_CTX_set_tmp_ecdh_callback
-.Fa "SSL_CTX *ctx"
-.Fa "EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)"
-.Fc
-.Sh DESCRIPTION
-Automatic EC curve selection and generation is always enabled in
-LibreSSL, and applications cannot manually provide EC keys for use
-with ECDH key exchange.
-.Pp
-The only remaining effect of
-.Fn SSL_set_tmp_ecdh
-is that the curve of the given
-.Fa ecdh
-key becomes the only curve enabled for the
-.Fa ssl
-connection, so it is equivalent to calling
-.Xr SSL_set1_groups_list 3
-with the same single curve name.
-.Pp
-.Fn SSL_CTX_set_tmp_ecdh
-has the same effect on all connections that will be created from
-.Fa ctx
-in the future.
-.Pp
-The functions
-.Fn SSL_set_ecdh_auto ,
-.Fn SSL_CTX_set_ecdh_auto ,
-.Fn SSL_set_tmp_ecdh_callback ,
-and
-.Fn SSL_CTX_set_tmp_ecdh_callback
-are deprecated and have no effect.
-.Sh RETURN VALUES
-.Fn SSL_set_tmp_ecdh
-and
-.Fn SSL_CTX_set_tmp_ecdh
-return 1 on success or 0 on failure.
-.Pp
-.Fn SSL_set_ecdh_auto ,
-.Fn SSL_CTX_set_ecdh_auto ,
-.Fn SSL_set_tmp_ecdh_callback ,
-and
-.Fn SSL_CTX_set_tmp_ecdh_callback
-always return 1.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set1_groups 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_set_tmp_ecdh ,
-.Fn SSL_CTX_set_tmp_ecdh ,
-.Fn SSL_set_tmp_ecdh_callback ,
-and
-.Fn SSL_CTX_set_tmp_ecdh_callback
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn SSL_CTX_set_ecdh_auto
-and
-.Fn SSL_set_ecdh_auto
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 5.7 .
diff --git a/src/lib/libssl/man/SSL_set_verify_result.3 b/src/lib/libssl/man/SSL_set_verify_result.3
deleted file mode 100644
index 4b7cc6ec3c..0000000000
--- a/src/lib/libssl/man/SSL_set_verify_result.3
+++ /dev/null
@@ -1,90 +0,0 @@
-.\"     $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 29 2020 $
-.Dt SSL_SET_VERIFY_RESULT 3
-.Os
-.Sh NAME
-.Nm SSL_set_verify_result
-.Nd override result of peer certificate verification
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_set_verify_result "SSL *ssl" "long verify_result"
-.Sh DESCRIPTION
-.Fn SSL_set_verify_result
-sets
-.Fa verify_result
-of the object
-.Fa ssl
-to be the result of the verification of the X509 certificate presented by the
-peer, if any.
-.Pp
-.Fn SSL_set_verify_result
-overrides the verification result.
-It only changes the verification result of the
-.Fa ssl
-object.
-It does not become part of the established session, so if the session is to be
-reused later, the original value will reappear.
-.Pp
-The valid codes for
-.Fa verify_result
-are documented in
-.Xr openssl 1 .
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_get_verify_result 3
-.Sh HISTORY
-.Fn SSL_set_verify_result
-first appeared in SSLeay 0.6.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_shutdown.3 b/src/lib/libssl/man/SSL_shutdown.3
deleted file mode 100644
index bfb1e91ea7..0000000000
--- a/src/lib/libssl/man/SSL_shutdown.3
+++ /dev/null
@@ -1,253 +0,0 @@
-.\"     $OpenBSD: SSL_shutdown.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2004, 2014 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_SHUTDOWN 3
-.Os
-.Sh NAME
-.Nm SSL_shutdown
-.Nd shut down a TLS/SSL connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_shutdown "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_shutdown
-shuts down an active TLS/SSL connection.
-It sends the
-.Dq close notify
-shutdown alert to the peer.
-.Pp
-.Fn SSL_shutdown
-tries to send the
-.Dq close notify
-shutdown alert to the peer.
-Whether the operation succeeds or not, the
-.Dv SSL_SENT_SHUTDOWN
-flag is set and a currently open session is considered closed and good and will
-be kept in the session cache for further reuse.
-.Pp
-The shutdown procedure consists of 2 steps: the sending of the
-.Dq close notify
-shutdown alert and the reception of the peer's
-.Dq close notify
-shutdown alert.
-According to the TLS standard, it is acceptable for an application to only send
-its shutdown alert and then close the underlying connection without waiting for
-the peer's response (this way resources can be saved, as the process can
-already terminate or serve another connection).
-When the underlying connection shall be used for more communications,
-the complete shutdown procedure (bidirectional
-.Dq close notify
-alerts) must be performed, so that the peers stay synchronized.
-.Pp
-.Fn SSL_shutdown
-supports both uni- and bidirectional shutdown by its 2 step behavior.
-.Pp
-When the application is the first party to send the
-.Dq close notify
-alert,
-.Fn SSL_shutdown
-will only send the alert and then set the
-.Dv SSL_SENT_SHUTDOWN
-flag (so that the session is considered good and will be kept in cache).
-.Fn SSL_shutdown
-will then return 0.
-If a unidirectional shutdown is enough
-(the underlying connection shall be closed anyway), this first call to
-.Fn SSL_shutdown
-is sufficient.
-In order to complete the bidirectional shutdown handshake,
-.Fn SSL_shutdown
-must be called again.
-The second call will make
-.Fn SSL_shutdown
-wait for the peer's
-.Dq close notify
-shutdown alert.
-On success, the second call to
-.Fn SSL_shutdown
-will return 1.
-.Pp
-If the peer already sent the
-.Dq close notify
-alert and it was already processed implicitly inside another function
-.Pq Xr SSL_read 3 ,
-the
-.Dv SSL_RECEIVED_SHUTDOWN
-flag is set.
-.Fn SSL_shutdown
-will send the
-.Dq close notify
-alert, set the
-.Dv SSL_SENT_SHUTDOWN
-flag and will immediately return with 1.
-Whether
-.Dv SSL_RECEIVED_SHUTDOWN
-is already set can be checked using the
-.Fn SSL_get_shutdown
-(see also the
-.Xr SSL_set_shutdown 3
-call).
-.Pp
-It is therefore recommended to check the return value of
-.Fn SSL_shutdown
-and call
-.Fn SSL_shutdown
-again, if the bidirectional shutdown is not yet complete (return value of the
-first call is 0).
-.Pp
-The behaviour of
-.Fn SSL_shutdown
-additionally depends on the underlying
-.Vt BIO .
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-.Fn SSL_shutdown
-will only return once the
-handshake step has been finished or an error occurred.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-.Fn SSL_shutdown
-will also return when the underlying
-.Vt BIO
-could not satisfy the needs of
-.Fn SSL_shutdown
-to continue the handshake.
-In this case a call to
-.Xr SSL_get_error 3
-with the
-return value of
-.Fn SSL_shutdown
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of
-.Fn SSL_shutdown .
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Pp
-.Fn SSL_shutdown
-can be modified to only set the connection to
-.Dq shutdown
-state but not actually send the
-.Dq close notify
-alert messages; see
-.Xr SSL_CTX_set_quiet_shutdown 3 .
-When
-.Dq quiet shutdown
-is enabled,
-.Fn SSL_shutdown
-will always succeed and return 1.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The shutdown is not yet finished.
-Call
-.Fn SSL_shutdown
-for a second time, if a bidirectional shutdown shall be performed.
-The output of
-.Xr SSL_get_error 3
-may be misleading, as an erroneous
-.Dv SSL_ERROR_SYSCALL
-may be flagged even though no error occurred.
-.It 1
-The shutdown was successfully completed.
-The
-.Dq close notify
-alert was sent and the peer's
-.Dq close notify
-alert was received.
-.It \(mi1
-The shutdown was not successful because a fatal error occurred either
-at the protocol level or a connection failure occurred.
-It can also occur if action is need to continue the operation for non-blocking
-.Vt BIO Ns
-s.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_set_quiet_shutdown 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_set_shutdown 3
-.Sh HISTORY
-.Fn SSL_shutdown
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_state_string.3 b/src/lib/libssl/man/SSL_state_string.3
deleted file mode 100644
index 1070335448..0000000000
--- a/src/lib/libssl/man/SSL_state_string.3
+++ /dev/null
@@ -1,110 +0,0 @@
-.\"     $OpenBSD: SSL_state_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_STATE_STRING 3
-.Os
-.Sh NAME
-.Nm SSL_state_string ,
-.Nm SSL_state_string_long
-.Nd get textual description of state of an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_state_string "const SSL *ssl"
-.Ft const char *
-.Fn SSL_state_string_long "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_state_string
-returns a 6 letter string indicating the current state of the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-.Fn SSL_state_string_long
-returns a string indicating the current state of the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-During its use, an
-.Vt SSL
-object passes several states.
-The state is internally maintained.
-Querying the state information is not very informative before or when a
-connection has been established.
-It however can be of significant interest during the handshake.
-.Pp
-When using non-blocking sockets,
-the function call performing the handshake may return with
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-condition, so that
-.Fn SSL_state_string[_long]
-may be called.
-.Pp
-For both blocking or non-blocking sockets,
-the details state information can be used within the
-.Fn info_callback
-function set with the
-.Xr SSL_set_info_callback 3
-call.
-.Sh RETURN VALUES
-Detailed description of possible states to be included later.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_info_callback 3
-.Sh HISTORY
-.Fn SSL_state_string
-and
-.Fn SSL_state_string_long
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_want.3 b/src/lib/libssl/man/SSL_want.3
deleted file mode 100644
index 24e8645ba8..0000000000
--- a/src/lib/libssl/man/SSL_want.3
+++ /dev/null
@@ -1,161 +0,0 @@
-.\"     $OpenBSD: SSL_want.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_WANT 3
-.Os
-.Sh NAME
-.Nm SSL_want ,
-.Nm SSL_want_nothing ,
-.Nm SSL_want_read ,
-.Nm SSL_want_write ,
-.Nm SSL_want_x509_lookup
-.Nd obtain state information TLS/SSL I/O operation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_want "const SSL *ssl"
-.Ft int
-.Fn SSL_want_nothing "const SSL *ssl"
-.Ft int
-.Fn SSL_want_read "const SSL *ssl"
-.Ft int
-.Fn SSL_want_write "const SSL *ssl"
-.Ft int
-.Fn SSL_want_x509_lookup "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_want
-returns state information for the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-The other
-.Fn SSL_want_*
-calls are shortcuts for the possible states returned by
-.Fn SSL_want .
-.Pp
-.Fn SSL_want
-examines the internal state information of the
-.Vt SSL
-object.
-Its return values are similar to those of
-.Xr SSL_get_error 3 .
-Unlike
-.Xr SSL_get_error 3 ,
-which also evaluates the error queue,
-the results are obtained by examining an internal state flag only.
-The information must therefore only be used for normal operation under
-non-blocking I/O.
-Error conditions are not handled and must be treated using
-.Xr SSL_get_error 3 .
-.Pp
-The result returned by
-.Fn SSL_want
-should always be consistent with the result of
-.Xr SSL_get_error 3 .
-.Sh RETURN VALUES
-The following return values can currently occur for
-.Fn SSL_want :
-.Bl -tag -width Ds
-.It Dv SSL_NOTHING
-There is no data to be written or to be read.
-.It Dv SSL_WRITING
-There are data in the SSL buffer that must be written to the underlying
-.Vt BIO
-layer in order to complete the actual
-.Fn SSL_*
-operation.
-A call to
-.Xr SSL_get_error 3
-should return
-.Dv SSL_ERROR_WANT_WRITE .
-.It Dv SSL_READING
-More data must be read from the underlying
-.Vt BIO
-layer in order to
-complete the actual
-.Fn SSL_*
-operation.
-A call to
-.Xr SSL_get_error 3
-should return
-.Dv SSL_ERROR_WANT_READ .
-.It Dv SSL_X509_LOOKUP
-The operation did not complete because an application callback set by
-.Xr SSL_CTX_set_client_cert_cb 3
-has asked to be called again.
-A call to
-.Xr SSL_get_error 3
-should return
-.Dv SSL_ERROR_WANT_X509_LOOKUP .
-.El
-.Pp
-.Fn SSL_want_nothing ,
-.Fn SSL_want_read ,
-.Fn SSL_want_write ,
-and
-.Fn SSL_want_x509_lookup
-return 1 when the corresponding condition is true or 0 otherwise.
-.Sh SEE ALSO
-.Xr err 3 ,
-.Xr ssl 3 ,
-.Xr SSL_get_error 3
-.Sh HISTORY
-.Fn SSL_want ,
-.Fn SSL_want_nothing ,
-.Fn SSL_want_read ,
-and
-.Fn SSL_want_write
-first appeared in SSLeay 0.5.2.
-.Fn SSL_want_x509_lookup
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_write.3 b/src/lib/libssl/man/SSL_write.3
deleted file mode 100644
index 2c6fbcef08..0000000000
--- a/src/lib/libssl/man/SSL_write.3
+++ /dev/null
@@ -1,249 +0,0 @@
-.\" $OpenBSD: SSL_write.3,v 1.7 2021/10/24 15:10:13 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
-.\" and Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2000, 2001, 2002, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 24 2021 $
-.Dt SSL_WRITE 3
-.Os
-.Sh NAME
-.Nm SSL_write_ex ,
-.Nm SSL_write
-.Nd write bytes to a TLS connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_write_ex "SSL *ssl" "const void *buf" "size_t num" "size_t *written"
-.Ft int
-.Fn SSL_write "SSL *ssl" "const void *buf" "int num"
-.Sh DESCRIPTION
-.Fn SSL_write_ex
-and
-.Fn SSL_write
-write
-.Fa num
-bytes from the buffer
-.Fa buf
-into the specified
-.Fa ssl
-connection.
-On success
-.Fn SSL_write_ex
-stores the number of bytes written in
-.Pf * Fa written .
-.Pp
-In the following,
-.Fn SSL_write_ex
-and
-.Fn SSL_write
-are called
-.Dq write functions .
-.Pp
-If necessary, a write function negotiates a TLS session,
-if not already explicitly performed by
-.Xr SSL_connect 3
-or
-.Xr SSL_accept 3 .
-If the peer requests a re-negotiation,
-it will be performed transparently during the
-write function operation.
-The behaviour of the write functions depends on the underlying
-.Vt BIO .
-.Pp
-For the transparent negotiation to succeed, the
-.Fa ssl
-must have been initialized to client or server mode.
-This is done by calling
-.Xr SSL_set_connect_state 3
-or
-.Xr SSL_set_accept_state 3
-before the first call to a write function.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-the write function
-will only return once the write operation has been finished or an error
-occurred, except when a renegotiation takes place, in which case a
-.Dv SSL_ERROR_WANT_READ
-may occur.
-This behaviour can be controlled with the
-.Dv SSL_MODE_AUTO_RETRY
-flag of the
-.Xr SSL_CTX_set_mode 3
-call.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-the write function will also return when the underlying
-.Vt BIO
-could not satisfy the needs of the function to continue the operation.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of the write function will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-As at any time a re-negotiation is possible, a call to
-a write function can also cause read operations.
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of the write function.
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the BIO before being able
-to continue.
-.Pp
-The write functions
-will only return with success when the complete contents of
-.Fa buf
-of length
-.Fa num
-have been written.
-This default behaviour can be changed with the
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-option of
-.Xr SSL_CTX_set_mode 3 .
-When this flag is set, the write functions will also return with
-success when a partial write has been successfully completed.
-In this case the write function operation is considered completed.
-The bytes are sent and a new write call with a new buffer (with the
-already sent bytes removed) must be started.
-A partial write is performed with the size of a message block,
-which is 16kB.
-.Pp
-When a write function call has to be repeated because
-.Xr SSL_get_error 3
-returned
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE ,
-it must be repeated with the same arguments.
-.Pp
-When calling
-.Fn SSL_write
-with
-.Fa num Ns =0
-bytes to be sent, the behaviour is undefined.
-.Fn SSL_write_ex
-can be called with
-.Fa num Ns =0 ,
-but will not send application data to the peer.
-.Sh RETURN VALUES
-.Fn SSL_write_ex
-returns 1 for success or 0 for failure.
-Success means that all requested application data bytes have been
-written to the TLS connection or, if
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-is in use, at least one application data byte has been written
-to the TLS connection.
-Failure means that not all the requested bytes have been written yet (if
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-is not in use) or no bytes could be written to the TLS connection (if
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-is in use).
-Failures can be retryable (e.g. the network write buffer has temporarily
-filled up) or non-retryable (e.g. a fatal network error).
-In the event of a failure, call
-.Xr SSL_get_error 3
-to find out the reason
-which indicates whether the call is retryable or not.
-.Pp
-For
-.Fn SSL_write ,
-the following return values can occur:
-.Bl -tag -width Ds
-.It >0
-The write operation was successful.
-The return value is the number of bytes actually written to the TLS
-connection.
-.It 0
-The write operation was not successful.
-Probably the underlying connection was closed.
-Call
-.Xr SSL_get_error 3
-with the return value to find out whether an error occurred or the connection
-was shut down cleanly
-.Pq Dv SSL_ERROR_ZERO_RETURN .
-.It <0
-The write operation was not successful, because either an error occurred or
-action must be taken by the calling process.
-Call
-.Xr SSL_get_error 3
-with the return value to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_write
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_write_ex
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/d2i_SSL_SESSION.3 b/src/lib/libssl/man/d2i_SSL_SESSION.3
deleted file mode 100644
index 7a2bc529ab..0000000000
--- a/src/lib/libssl/man/d2i_SSL_SESSION.3
+++ /dev/null
@@ -1,181 +0,0 @@
-.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.7 2019/06/08 15:25:43 schwarze Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
-.\" Copyright (c) 2001, 2005, 2014 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt D2I_SSL_SESSION 3
-.Os
-.Sh NAME
-.Nm d2i_SSL_SESSION ,
-.Nm i2d_SSL_SESSION
-.Nd convert SSL_SESSION object from/to ASN1 representation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft  SSL_SESSION *
-.Fn d2i_SSL_SESSION "SSL_SESSION **a" "const unsigned char **pp" "long length"
-.Ft  int
-.Fn i2d_SSL_SESSION "SSL_SESSION *in" "unsigned char **pp"
-.Sh DESCRIPTION
-.Fn d2i_SSL_SESSION
-transforms the external ASN1 representation of an SSL/TLS session,
-stored as binary data at location
-.Fa pp
-with length
-.Fa length ,
-into
-an
-.Vt SSL_SESSION
-object.
-.Pp
-.Fn i2d_SSL_SESSION
-transforms the
-.Vt SSL_SESSION
-object
-.Fa in
-into the ASN1 representation and stores it into the memory location pointed to
-by
-.Fa pp .
-The length of the resulting ASN1 representation is returned.
-If
-.Fa pp
-is the
-.Dv NULL
-pointer, only the length is calculated and returned.
-.Pp
-The
-.Vt SSL_SESSION
-object is built from several
-.Xr malloc 3 Ns
--ed parts; it can therefore not be moved, copied or stored directly.
-In order to store session data on disk or into a database,
-it must be transformed into a binary ASN1 representation.
-.Pp
-When using
-.Fn d2i_SSL_SESSION ,
-the
-.Vt SSL_SESSION
-object is automatically allocated.
-The reference count is 1, so that the session must be explicitly removed using
-.Xr SSL_SESSION_free 3 ,
-unless the
-.Vt SSL_SESSION
-object is completely taken over, when being called inside the
-.Fn get_session_cb ,
-see
-.Xr SSL_CTX_sess_set_get_cb 3 .
-.Pp
-.Vt SSL_SESSION
-objects keep internal link information about the session cache list when being
-inserted into one
-.Vt SSL_CTX
-object's session cache.
-One
-.Vt SSL_SESSION
-object, regardless of its reference count, must therefore only be used with one
-.Vt SSL_CTX
-object (and the
-.Vt SSL
-objects created from this
-.Vt SSL_CTX
-object).
-.Pp
-When using
-.Fn i2d_SSL_SESSION ,
-the memory location pointed to by
-.Fa pp
-must be large enough to hold the binary representation of the session.
-There is no known limit on the size of the created ASN1 representation,
-so call
-.Fn i2d_SSL_SESSION
-first with
-.Fa pp Ns = Ns Dv NULL
-to obtain the encoded size, before allocating the required amount of memory and
-calling
-.Fn i2d_SSL_SESSION
-again.
-Note that this will advance the value contained in
-.Fa *pp
-so it is necessary to save a copy of the original allocation.
-For example:
-.Bd -literal -offset indent
-char    *p, *pp;
-int      elen, len;
-
-elen = i2d_SSL_SESSION(sess, NULL);
-p = pp = malloc(elen);
-if (p != NULL) {
-        len = i2d_SSL_SESSION(sess, &pp);
-        assert(elen == len);
-        assert(p + len == pp);
-}
-.Ed
-.Sh RETURN VALUES
-.Fn d2i_SSL_SESSION
-returns a pointer to the newly allocated
-.Vt SSL_SESSION
-object.
-In case of failure a
-.Dv NULL
-pointer is returned and the error message can be retrieved from the error
-stack.
-.Pp
-.Fn i2d_SSL_SESSION
-returns the size of the ASN1 representation in bytes.
-When the session is not valid, 0 is returned and no operation is performed.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_SESSION_free 3
-.Sh HISTORY
-.Fn d2i_SSL_SESSION
-and
-.Fn i2d_SSL_SESSION
-first appeared in SSLeay 0.5.2 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
deleted file mode 100644
index 314a1b0a94..0000000000
--- a/src/lib/libssl/man/ssl.3
+++ /dev/null
@@ -1,353 +0,0 @@
-.\" $OpenBSD: ssl.3,v 1.26 2024/08/31 10:51:48 tb Exp $
-.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
-.\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800
-.\"
-.\" This file was written by Ralf S. Engelschall <rse@openssl.org>,
-.\" Ben Laurie <ben@openssl.org>, and Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 1998-2002, 2005, 2013, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 31 2024 $
-.Dt SSL 3
-.Os
-.Sh NAME
-.Nm ssl
-.Nd OpenSSL TLS library
-.Sh DESCRIPTION
-The
-.Nm ssl
-library implements the Transport Layer Security (TLS) protocol,
-the successor to the Secure Sockets Layer (SSL) protocol.
-.Pp
-An
-.Vt SSL_CTX
-object is created as a framework to establish TLS/SSL enabled connections (see
-.Xr SSL_CTX_new 3 ) .
-Various options regarding certificates, algorithms, etc., can be set in this
-object.
-.Pp
-When a network connection has been created, it can be assigned to an
-.Vt SSL
-object.
-After the
-.Vt SSL
-object has been created using
-.Xr SSL_new 3 ,
-.Xr SSL_set_fd 3
-or
-.Xr SSL_set_bio 3
-can be used to associate the network connection with the object.
-.Pp
-Then the TLS/SSL handshake is performed using
-.Xr SSL_accept 3
-or
-.Xr SSL_connect 3
-respectively.
-.Xr SSL_read 3
-and
-.Xr SSL_write 3
-are used to read and write data on the TLS/SSL connection.
-.Xr SSL_shutdown 3
-can be used to shut down the TLS/SSL connection.
-.Sh DATA STRUCTURES
-Currently the
-.Nm ssl
-library functions deal with the following data structures:
-.Bl -tag -width Ds
-.It Vt SSL_METHOD No (SSL Method)
-That's a dispatch structure describing the internal
-.Nm ssl
-library methods/functions which implement the various protocol versions.
-It's needed to create an
-.Vt SSL_CTX .
-See
-.Xr TLS_method 3
-for constructors.
-.It Vt SSL_CIPHER No (SSL Cipher)
-This structure holds the algorithm information for a particular cipher which
-is a core part of the SSL/TLS protocol.
-The available ciphers are configured on an
-.Vt SSL_CTX
-basis and the actually used ones are then part of the
-.Vt SSL_SESSION .
-.It Vt SSL_CTX No (SSL Context)
-That's the global context structure which is created by a server or client
-once per program lifetime and which holds mainly default values for the
-.Vt SSL
-structures which are later created for the connections.
-.It Vt SSL_SESSION No (SSL Session)
-This is a structure containing the current TLS/SSL session details for a
-connection:
-.Vt SSL_CIPHER Ns s ,
-client and server certificates, keys, etc.
-.It Vt SSL No (SSL Connection)
-That's the main SSL/TLS structure which is created by a server or client per
-established connection.
-This actually is the core structure in the SSL API.
-At run-time the application usually deals with this structure which has
-links to mostly all other structures.
-.El
-.Sh HEADER FILES
-Currently the
-.Nm ssl
-library provides the following C header files containing the prototypes for the
-data structures and functions:
-.Bl -tag -width Ds
-.It Pa ssl.h
-That's the common header file for the SSL/TLS API.
-Include it into your program to make the API of the
-.Nm ssl
-library available.
-It internally includes both more private SSL headers and headers from the
-.Em crypto
-library.
-Whenever you need hardcore details on the internals of the SSL API, look inside
-this header file.
-.It Pa ssl3.h
-That's the sub header file dealing with the SSLv3 protocol only.
-.Bf Em
-Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
-.It Pa tls1.h
-That's the sub header file dealing with the TLSv1 protocol only.
-.Bf Em
-Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
-.El
-.Sh API FUNCTIONS
-.Ss Ciphers
-The following pages describe functions acting on
-.Vt SSL_CIPHER
-objects:
-.Xr SSL_get_ciphers 3 ,
-.Xr SSL_get_current_cipher 3 ,
-.Xr SSL_CIPHER_get_name 3
-.Ss Protocol contexts
-The following pages describe functions acting on
-.Vt SSL_CTX
-objects.
-.Pp
-Constructors and destructors:
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_ssl_version 3 ,
-.Xr SSL_CTX_free 3
-.Pp
-Certificate configuration:
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_get0_certificate 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_cert_store 3 ,
-.Xr SSL_CTX_set_cert_verify_callback 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_set_default_passwd_cb 3 ,
-.Xr SSL_CTX_set_tlsext_status_cb 3
-.Pp
-Session configuration:
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_CTX_set_timeout 3 ,
-.Xr SSL_CTX_set_tlsext_ticket_key_cb 3
-.Pp
-Various configuration:
-.Xr SSL_CTX_get_ex_new_index 3 ,
-.Xr SSL_CTX_set_tlsext_servername_callback 3
-.Ss Common configuration of contexts and connections
-The functions on the following pages each come in two variants:
-one to directly configure a single
-.Vt SSL
-connection and another to be called on an
-.Vt SSL_CTX
-object, to set up defaults for all future
-.Vt SSL
-connections created from that context.
-.Pp
-Protocol and algorithm configuration:
-.Xr SSL_CTX_set_alpn_select_cb 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_security_level 3 ,
-.Xr SSL_CTX_set_tlsext_use_srtp 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_CTX_set1_groups 3
-.Pp
-Certificate configuration:
-.Xr SSL_CTX_add1_chain_cert 3 ,
-.Xr SSL_CTX_get_verify_mode 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_set_max_cert_list 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_get_client_CA_list 3
-.Xr SSL_set1_param 3
-.Pp
-Session configuration:
-.Xr SSL_CTX_set_generate_session_id 3 ,
-.Xr SSL_CTX_set_session_id_context 3
-.Pp
-Various configuration:
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_set_info_callback 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_CTX_set_msg_callback 3 ,
-.Xr SSL_CTX_set_quiet_shutdown 3 ,
-.Xr SSL_CTX_set_read_ahead 3 ,
-.Xr SSL_set_max_send_fragment 3
-.Ss Sessions
-The following pages describe functions acting on
-.Vt SSL_SESSION
-objects.
-.Pp
-Constructors and destructors:
-.Xr SSL_SESSION_new 3 ,
-.Xr SSL_SESSION_free 3
-.Pp
-Accessors:
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_ex_new_index 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_get0_peer 3 ,
-.Xr SSL_SESSION_has_ticket 3 ,
-.Xr SSL_SESSION_set1_id_context 3
-.Pp
-Encoding and decoding:
-.Xr d2i_SSL_SESSION 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr SSL_SESSION_print 3
-.Ss Connections
-The following pages describe functions acting on
-.Vt SSL
-connection objects:
-.Pp
-Constructors and destructors:
-.Xr SSL_new 3 ,
-.Xr SSL_dup 3 ,
-.Xr SSL_free 3 ,
-.Xr BIO_f_ssl 3
-.Pp
-To change the configuration:
-.Xr SSL_clear 3 ,
-.Xr SSL_set_SSL_CTX 3 ,
-.Xr SSL_copy_session_id 3 ,
-.Xr SSL_set_bio 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_set_fd 3 ,
-.Xr SSL_set_session 3 ,
-.Xr SSL_set1_host 3 ,
-.Xr SSL_set_verify_result 3
-.Pp
-To inspect the configuration:
-.Xr SSL_get_certificate 3 ,
-.Xr SSL_get_default_timeout 3 ,
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_fd 3 ,
-.Xr SSL_get_rbio 3 ,
-.Xr SSL_get_SSL_CTX 3
-.Pp
-To transmit data:
-.Xr DTLSv1_listen 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_read_early_data 3 ,
-.Xr SSL_renegotiate 3 ,
-.Xr SSL_shutdown 3 ,
-.Xr SSL_write 3
-.Pp
-To inspect the state after a connection is established:
-.Xr SSL_export_keying_material 3 ,
-.Xr SSL_get_client_random 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ,
-.Xr SSL_get_peer_cert_chain 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_get_server_tmp_key 3 ,
-.Xr SSL_get_servername 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_get_shared_ciphers 3 ,
-.Xr SSL_get_verify_result 3 ,
-.Xr SSL_get_version 3 ,
-.Xr SSL_session_reused 3
-.Pp
-To inspect the state during ongoing communication:
-.Xr SSL_get_error 3 ,
-.Xr SSL_get_shutdown 3 ,
-.Xr SSL_get_state 3 ,
-.Xr SSL_num_renegotiations 3 ,
-.Xr SSL_pending 3 ,
-.Xr SSL_rstate_string 3 ,
-.Xr SSL_state_string 3 ,
-.Xr SSL_want 3
-.Ss Utility functions
-.Xr SSL_alert_type_string 3 ,
-.Xr SSL_dup_CA_list 3 ,
-.Xr SSL_load_client_CA_file 3
-.Ss Obsolete functions
-.Xr OPENSSL_init_ssl 3 ,
-.Xr SSL_COMP_get_compression_methods 3 ,
-.Xr SSL_CTX_set_tmp_rsa_callback 3 ,
-.Xr SSL_library_init 3 ,
-.Xr SSL_set_tmp_ecdh 3
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr crypto 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-The
-.Nm
-document appeared in OpenSSL 0.9.2.