Remove trailing whitespace.

no objection jmc@

37 files changed, 176 insertions, 176 deletions

diff --git a/src/lib/libssl/src/doc/apps/asn1parse.pod b/src/lib/libssl/src/doc/apps/asn1parse.pod
index f7bb926211..18f5de1212 100644
--- a/src/lib/libssl/src/doc/apps/asn1parse.pod
+++ b/src/lib/libssl/src/doc/apps/asn1parse.pod
@@ -76,7 +76,7 @@ L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format. If B<file> only is
 present then the string is obtained from the default section using the name
 B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
 though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option. 
+file using the B<out> option.
 
 =back
 
@@ -84,20 +84,20 @@ file using the B<out> option.
 
 The output will typically contain lines like this:
 
-  0:d=0  hl=4 l= 681 cons: SEQUENCE          
+  0:d=0  hl=4 l= 681 cons: SEQUENCE
 
 .....
 
-  229:d=3  hl=3 l= 141 prim: BIT STRING        
-  373:d=2  hl=3 l= 162 cons: cont [ 3 ]        
-  376:d=3  hl=3 l= 159 cons: SEQUENCE          
-  379:d=4  hl=2 l=  29 cons: SEQUENCE          
+  229:d=3  hl=3 l= 141 prim: BIT STRING
+  373:d=2  hl=3 l= 162 cons: cont [ 3 ]
+  376:d=3  hl=3 l= 159 cons: SEQUENCE
+  379:d=4  hl=2 l=  29 cons: SEQUENCE
   381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
-  386:d=5  hl=2 l=  22 prim: OCTET STRING      
-  410:d=4  hl=2 l= 112 cons: SEQUENCE          
+  386:d=5  hl=2 l=  22 prim: OCTET STRING
+  410:d=4  hl=2 l= 112 cons: SEQUENCE
   412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
-  417:d=5  hl=2 l= 105 prim: OCTET STRING      
-  524:d=4  hl=2 l=  12 cons: SEQUENCE          
+  417:d=5  hl=2 l= 105 prim: OCTET STRING
+  524:d=4  hl=2 l=  12 cons: SEQUENCE
 
 .....
 
@@ -109,20 +109,20 @@ the contents octets.
 
 The B<-i> option can be used to make the output more readable.
 
-Some knowledge of the ASN.1 structure is needed to interpret the output. 
+Some knowledge of the ASN.1 structure is needed to interpret the output.
 
 In this example the BIT STRING at offset 229 is the certificate public key.
 The contents octets of this will contain the public key information. This can
 be examined using the option B<-strparse 229> to yield:
 
-    0:d=0  hl=3 l= 137 cons: SEQUENCE          
+    0:d=0  hl=3 l= 137 cons: SEQUENCE
     3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
   135:d=1  hl=2 l=   3 prim: INTEGER           :010001
 
 =head1 NOTES
 
 If an OID is not part of OpenSSL's internal table it will be represented in
-numerical form (for example 1.2.3.4). The file passed to the B<-oid> option 
+numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
 allows additional OIDs to be included. Each line consists of three columns,
 the first column is the OID in numerical format and should be followed by white
 space. The second column is the "short name" which is a single word followed
diff --git a/src/lib/libssl/src/doc/apps/ca.pod b/src/lib/libssl/src/doc/apps/ca.pod
index 9ff0cc3612..7294627d16 100644
--- a/src/lib/libssl/src/doc/apps/ca.pod
+++ b/src/lib/libssl/src/doc/apps/ca.pod
@@ -88,7 +88,7 @@ section for information on the required format.
 =item B<-infiles>
 
 if present this should be the last option, all subsequent arguments
-are assumed to the the names of files containing certificate requests. 
+are assumed to the the names of files containing certificate requests.
 
 =item B<-out filename>
 
@@ -180,7 +180,7 @@ need this option.
 =item B<-preserveDN>
 
 Normally the DN order of a certificate is the same as the order of the
-fields in the relevant policy section. When this option is set the order 
+fields in the relevant policy section. When this option is set the order
 is the same as the request. This is largely for compatibility with the
 older IE enrollment control which would only accept certificates if their
 DNs match the order of the request. This is not needed for Xenroll.
@@ -230,7 +230,7 @@ characters may be escaped by \ (backslash), no spaces are skipped.
 
 =item B<-utf8>
 
-this option causes field values to be interpreted as UTF8 strings, by 
+this option causes field values to be interpreted as UTF8 strings, by
 default they are interpreted as ASCII. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
@@ -336,7 +336,7 @@ any) used.
 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
-by white space and finally the long name. 
+by white space and finally the long name.
 
 =item B<oid_section>
 
@@ -368,7 +368,7 @@ an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
 =item B<default_days>
 
 the same as the B<-days> option. The number of days to certify
-a certificate for. 
+a certificate for.
 
 =item B<default_startdate>
 
@@ -491,7 +491,7 @@ this can be regarded more of a quirk than intended behaviour.
 
 The input to the B<-spkac> command line option is a Netscape
 signed public key and challenge. This will usually come from
-the B<KEYGEN> tag in an HTML form to create a new private key. 
+the B<KEYGEN> tag in an HTML form to create a new private key.
 It is however possible to create SPKACs using the B<spkac> utility.
 
 The file should contain the variable SPKAC set to the value of
@@ -547,18 +547,18 @@ A sample configuration file with the relevant sections for B<ca>:
 
  [ ca ]
  default_ca      = CA_default            # The default ca section
- 
+
  [ CA_default ]
 
  dir            = ./demoCA              # top dir
  database       = $dir/index.txt        # index file.
  new_certs_dir  = $dir/newcerts         # new certs dir
- 
+
  certificate    = $dir/cacert.pem       # The CA cert
  serial         = $dir/serial           # serial no file
  private_key    = $dir/private/cakey.pem# CA private key
  RANDFILE       = $dir/private/.rand    # random number file
- 
+
  default_days   = 365                   # how long to certify for
  default_crl_days= 30                   # how long before next CRL
  default_md     = md5                   # md to use
@@ -602,7 +602,7 @@ be overridden by the B<-config> command line option.
 
 =head1 RESTRICTIONS
 
-The text database index file is a critical part of the process and 
+The text database index file is a critical part of the process and
 if corrupted it can be difficult to fix. It is theoretically possible
 to rebuild the index file from all the issued certificates and a current
 CRL: however there is no option to do this.
@@ -670,6 +670,6 @@ then even if a certificate is issued with CA:TRUE it will not be valid.
 =head1 SEE ALSO
 
 L<req(1)|req(1)>, L<spkac(1)|spkac(1)>, L<x509(1)|x509(1)>, L<CA.pl(1)|CA.pl(1)>,
-L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)> 
+L<config(5)|config(5)>, L<x509v3_config(5)|x509v3_config(5)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/ciphers.pod b/src/lib/libssl/src/doc/apps/ciphers.pod
index f44aa00a2f..757e0221b7 100644
--- a/src/lib/libssl/src/doc/apps/ciphers.pod
+++ b/src/lib/libssl/src/doc/apps/ciphers.pod
@@ -251,10 +251,10 @@ cipher suites using MD5.
 
 cipher suites using SHA1.
 
-=item B<aGOST> 
+=item B<aGOST>
 
 cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
-(needs an engine supporting GOST algorithms). 
+(needs an engine supporting GOST algorithms).
 
 =item B<aGOST01>
 
diff --git a/src/lib/libssl/src/doc/apps/cms.pod b/src/lib/libssl/src/doc/apps/cms.pod
index a09588a18d..f32f5c71fa 100644
--- a/src/lib/libssl/src/doc/apps/cms.pod
+++ b/src/lib/libssl/src/doc/apps/cms.pod
@@ -143,13 +143,13 @@ B<EncrytedData> type and output the content.
 
 =item B<-sign_receipt>
 
-Generate and output a signed receipt for the supplied message. The input 
+Generate and output a signed receipt for the supplied message. The input
 message B<must> contain a signed receipt request. Functionality is otherwise
 similar to the B<-sign> operation.
 
 =item B<-verify_receipt receipt>
 
-Verify a signed receipt in filename B<receipt>. The input message B<must> 
+Verify a signed receipt in filename B<receipt>. The input message B<must>
 contain the original receipt request. Functionality is otherwise similar
 to the B<-verify> operation.
 
@@ -213,7 +213,7 @@ is S/MIME and it uses the multipart/signed MIME content type.
 
 this option adds plain text (text/plain) MIME headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME 
+off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
 
 =item B<-noout>
@@ -247,11 +247,11 @@ default digest algorithm for the signing key will be used (usually SHA1).
 
 the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
 or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for 
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for a list of ciphers
 supported by your version of OpenSSL.
 
-If not specified triple DES is used. Only used with B<-encrypt> and 
+If not specified triple DES is used. Only used with B<-encrypt> and
 B<-EncryptedData_create> commands.
 
 =item B<-nointern>
@@ -338,7 +338,7 @@ address where receipts should be supplied.
 
 =item B<-receipt_request_to emailaddress>
 
-Add an explicit email address where signed receipts should be sent to. This 
+Add an explicit email address where signed receipts should be sent to. This
 option B<must> but supplied if a signed receipt it requested.
 
 =item B<-receipt_request_print>
@@ -366,7 +366,7 @@ B<KEKRecipientInfo> structures.
 
 set the encapsulated content type to B<type> if not supplied the B<Data> type
 is used. The B<type> argument can be any valid OID name in either text or
-numerical format. 
+numerical format.
 
 =item B<-inkey file>
 
@@ -392,7 +392,7 @@ all others.
 =item B<cert.pem...>
 
 one or more certificates of message recipients: used when encrypting
-a message. 
+a message.
 
 =item B<-to, -from, -subject>
 
@@ -454,7 +454,7 @@ remains DER.
 
 the operation was completely successfully.
 
-=item 1 
+=item 1
 
 an error occurred parsing the command options.
 
@@ -557,7 +557,7 @@ it with:
  -----BEGIN PKCS7-----
  -----END PKCS7-----
 
-and using the command, 
+and using the command,
 
  openssl cms -verify -inform PEM -in signature.pem -content content.txt
 
diff --git a/src/lib/libssl/src/doc/apps/config.pod b/src/lib/libssl/src/doc/apps/config.pod
index 25c5381b9d..d018dfce50 100644
--- a/src/lib/libssl/src/doc/apps/config.pod
+++ b/src/lib/libssl/src/doc/apps/config.pod
@@ -63,14 +63,14 @@ functionality: any sub command uses the master OpenSSL configuration file
 unless an option is used in the sub command to use an alternative configuration
 file.
 
-To enable library configuration the default section needs to contain an 
+To enable library configuration the default section needs to contain an
 appropriate line which points to the main configuration section. The default
 name is B<openssl_conf> which is used by the B<openssl> utility. Other
 applications may use an alternative name such as B<myapplicaton_conf>.
 
 The configuration section should consist of a set of name value pairs which
 contain specific module configuration information. The B<name> represents
-the name of the I<configuration module> the meaning of the B<value> is 
+the name of the I<configuration module> the meaning of the B<value> is
 module specific: it may, for example, represent a further configuration
 section containing configuration module specific information. E.g.
 
@@ -103,7 +103,7 @@ B<all> the B<openssl> utility sub commands can see the new objects as well
 as any compliant applications. For example:
 
  [new_oids]
- 
+
  some_new_oid = 1.2.3.4
  some_other_oid = 1.2.3.5
 
@@ -142,7 +142,7 @@ For example:
  [bar_section]
  ... "bar" ENGINE specific commands ...
 
-The command B<engine_id> is used to give the ENGINE name. If used this 
+The command B<engine_id> is used to give the ENGINE name. If used this
 command must be first. For example:
 
  [engine_section]
@@ -169,7 +169,7 @@ The command B<default_algorithms> sets the default algorithms an ENGINE will
 supply using the functions B<ENGINE_set_default_string()>
 
 If the name matches none of the above command names it is assumed to be a
-ctrl command which is sent to the ENGINE. The value of the command is the 
+ctrl command which is sent to the ENGINE. The value of the command is the
 argument to the ctrl command. If the value is the string B<EMPTY> then no
 value is sent to the command.
 
@@ -220,7 +220,7 @@ Here is a sample configuration file using some of the features
 mentioned above.
 
  # This is the default section.
- 
+
  HOME=/temp
  RANDFILE= ${ENV::HOME}/.rnd
  configdir=$ENV::HOME/config
@@ -250,7 +250,7 @@ the the B<TEMP> or B<TMP> environment variables but they may not be
 set to any value at all. If you just include the environment variable
 names and the variable doesn't exist then this will cause an error when
 an attempt is made to load the configuration file. By making use of the
-default section both values can be looked up with B<TEMP> taking 
+default section both values can be looked up with B<TEMP> taking
 priority and B</tmp> used if neither is defined:
 
  TMP=/tmp
diff --git a/src/lib/libssl/src/doc/apps/crl.pod b/src/lib/libssl/src/doc/apps/crl.pod
index 1ad76a5f8c..f037428209 100644
--- a/src/lib/libssl/src/doc/apps/crl.pod
+++ b/src/lib/libssl/src/doc/apps/crl.pod
@@ -36,7 +36,7 @@ the DER form with header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
diff --git a/src/lib/libssl/src/doc/apps/crl2pkcs7.pod b/src/lib/libssl/src/doc/apps/crl2pkcs7.pod
index 3797bc0df4..37bd03e316 100644
--- a/src/lib/libssl/src/doc/apps/crl2pkcs7.pod
+++ b/src/lib/libssl/src/doc/apps/crl2pkcs7.pod
@@ -69,7 +69,7 @@ Create a PKCS#7 structure from a certificate and CRL:
 Creates a PKCS#7 structure in DER format with no CRL from several
 different certificates:
 
- openssl crl2pkcs7 -nocrl -certfile newcert.pem 
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem
         -certfile demoCA/cacert.pem -outform DER -out p7.der
 
 =head1 NOTES
diff --git a/src/lib/libssl/src/doc/apps/dgst.pod b/src/lib/libssl/src/doc/apps/dgst.pod
index b035edf08e..da690472a3 100644
--- a/src/lib/libssl/src/doc/apps/dgst.pod
+++ b/src/lib/libssl/src/doc/apps/dgst.pod
@@ -6,7 +6,7 @@ dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
 
 =head1 SYNOPSIS
 
-B<openssl> B<dgst> 
+B<openssl> B<dgst>
 [B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
 [B<-c>]
 [B<-d>]
@@ -117,7 +117,7 @@ Following options are supported by both by B<HMAC> and B<gost-mac>:
 =over 8
 
 =item B<key:string>
-        
+
 Specifies MAC key as alphnumeric string (use if key contain printable
 characters only). String length must conform to any restrictions of
 the MAC algorithm for example exactly 32 chars for gost-mac.
@@ -136,7 +136,7 @@ a file or files containing random data used to seed the random number
 generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
 Multiple files can be specified separated by a OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others. 
+all others.
 
 =item B<file...>
 
diff --git a/src/lib/libssl/src/doc/apps/dhparam.pod b/src/lib/libssl/src/doc/apps/dhparam.pod
index 9edb4ff4e1..9ca63b7625 100644
--- a/src/lib/libssl/src/doc/apps/dhparam.pod
+++ b/src/lib/libssl/src/doc/apps/dhparam.pod
@@ -38,7 +38,7 @@ additional header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in> I<filename>
@@ -81,7 +81,7 @@ all others.
 
 this option specifies that a parameter set should be generated of size
 I<numbits>. It must be the last option. If not present then a value of 512
-is used. If this option is present then the input file is ignored and 
+is used. If this option is present then the input file is ignored and
 parameters are generated instead.
 
 =item B<-noout>
@@ -110,7 +110,7 @@ for all available algorithms.
 
 The program B<dhparam> combines the functionality of the programs B<dh> and
 B<gendh> in previous versions of OpenSSL and SSLeay. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future 
+programs are retained for now but may have different purposes in future
 versions of OpenSSL.
 
 =head1 NOTES
diff --git a/src/lib/libssl/src/doc/apps/dsa.pod b/src/lib/libssl/src/doc/apps/dsa.pod
index ddbc9327fa..d3edad0a4a 100644
--- a/src/lib/libssl/src/doc/apps/dsa.pod
+++ b/src/lib/libssl/src/doc/apps/dsa.pod
@@ -48,7 +48,7 @@ PKCS#8 format is also accepted.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -76,7 +76,7 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
 =item B<-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
+These options encrypt the private key with the DES, triple DES, or the
 IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
 means that using the B<dsa> utility to read in an encrypted key with no
@@ -138,7 +138,7 @@ To encrypt a private key using triple DES:
 
  openssl dsa -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl dsa -in key.pem -outform DER -out keyout.der
 
diff --git a/src/lib/libssl/src/doc/apps/dsaparam.pod b/src/lib/libssl/src/doc/apps/dsaparam.pod
index ba5ec4d72c..cb067bbd17 100644
--- a/src/lib/libssl/src/doc/apps/dsaparam.pod
+++ b/src/lib/libssl/src/doc/apps/dsaparam.pod
@@ -36,7 +36,7 @@ of the B<DER> format base64 encoded with additional header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
diff --git a/src/lib/libssl/src/doc/apps/ec.pod b/src/lib/libssl/src/doc/apps/ec.pod
index 95190a9a2e..a1b2024d3b 100644
--- a/src/lib/libssl/src/doc/apps/ec.pod
+++ b/src/lib/libssl/src/doc/apps/ec.pod
@@ -28,7 +28,7 @@ B<openssl> B<ec>
 =head1 DESCRIPTION
 
 The B<ec> command processes EC keys. They can be converted between various
-forms and their components printed out. B<Note> OpenSSL uses the 
+forms and their components printed out. B<Note> OpenSSL uses the
 private key format specified in 'SEC 1: Elliptic Curve Cryptography'
 (http://www.secg.org/). To convert a OpenSSL EC private key into the
 PKCS#8 private key format use the B<pkcs8> command.
@@ -48,7 +48,7 @@ PKCS#8 format is also accepted.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -76,7 +76,7 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
 =item B<-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, IDEA or 
+These options encrypt the private key with the DES, triple DES, IDEA or
 any other cipher supported by OpenSSL before outputting it. A pass phrase is
 prompted for.
 If none of these options is specified the key is written in plain text. This
@@ -120,7 +120,7 @@ the point conversion forms please read the X9.62 standard.
 This specifies how the elliptic curve parameters are encoded.
 Possible value are: B<named_curve>, i.e. the ec parameters are
 specified by a OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the 
+explicitly given (see RFC 3279 for the definition of the
 EC parameters structures). The default value is B<named_curve>.
 B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
 is currently not implemented in OpenSSL.
@@ -152,7 +152,7 @@ To encrypt a private key using triple DES:
 
  openssl ec -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl ec -in key.pem -outform DER -out keyout.der
 
diff --git a/src/lib/libssl/src/doc/apps/ecparam.pod b/src/lib/libssl/src/doc/apps/ecparam.pod
index d11c0a27f9..d25cee50f9 100644
--- a/src/lib/libssl/src/doc/apps/ecparam.pod
+++ b/src/lib/libssl/src/doc/apps/ecparam.pod
@@ -36,12 +36,12 @@ This command is used to manipulate or generate EC parameter files.
 
 This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
 form compatible with RFC 3279 EcpkParameters. The PEM form is the default
-format: it consists of the B<DER> format base64 encoded with additional 
+format: it consists of the B<DER> format base64 encoded with additional
 header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -94,7 +94,7 @@ the point conversion forms please read the X9.62 standard.
 This specifies how the elliptic curve parameters are encoded.
 Possible value are: B<named_curve>, i.e. the ec parameters are
 specified by a OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the 
+explicitly given (see RFC 3279 for the definition of the
 EC parameters structures). The default value is B<named_curve>.
 B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
 is currently not implemented in OpenSSL.
@@ -133,7 +133,7 @@ PEM format EC parameters use the header and footer lines:
  -----END EC PARAMETERS-----
 
 OpenSSL is currently not able to generate new groups and therefore
-B<ecparam> can only create EC parameters from known (named) curves. 
+B<ecparam> can only create EC parameters from known (named) curves.
 
 =head1 EXAMPLES
 
diff --git a/src/lib/libssl/src/doc/apps/enc.pod b/src/lib/libssl/src/doc/apps/enc.pod
index 3dee4ed992..05d454b303 100644
--- a/src/lib/libssl/src/doc/apps/enc.pod
+++ b/src/lib/libssl/src/doc/apps/enc.pod
@@ -100,7 +100,7 @@ the B<-pass> argument.
 
 =item B<-nosalt>
 
-do not use a salt 
+do not use a salt
 
 =item B<-salt>
 
@@ -251,7 +251,7 @@ ones provided by configured engines.
  desx               DESX algorithm.
 
  gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
- gost89-cnt        `GOST 28147-89 in CNT mode (provided by ccgost engine) 
+ gost89-cnt        `GOST 28147-89 in CNT mode (provided by ccgost engine)
 
  idea-cbc           IDEA algorithm in CBC mode
  idea               same as idea-cbc
@@ -293,11 +293,11 @@ Just base64 encode a binary file:
 
 Decode the same file
 
- openssl base64 -d -in file.b64 -out file.bin 
+ openssl base64 -d -in file.b64 -out file.bin
 
 Encrypt a file using triple DES in CBC mode using a prompted password:
 
- openssl des3 -salt -in file.txt -out file.des3 
+ openssl des3 -salt -in file.txt -out file.des3
 
 Decrypt a file using a supplied password:
 
diff --git a/src/lib/libssl/src/doc/apps/errstr.pod b/src/lib/libssl/src/doc/apps/errstr.pod
index b3c6ccfc9c..b209faf75f 100644
--- a/src/lib/libssl/src/doc/apps/errstr.pod
+++ b/src/lib/libssl/src/doc/apps/errstr.pod
@@ -11,7 +11,7 @@ B<openssl errstr error_code>
 =head1 DESCRIPTION
 
 Sometimes an application will not load error message and only
-numerical forms will be available. The B<errstr> utility can be used to 
+numerical forms will be available. The B<errstr> utility can be used to
 display the meaning of the hex code. The hex code is the hex digits after the
 second colon.
 
@@ -22,7 +22,7 @@ The error code:
  27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
 
 can be displayed with:
- 
+
  openssl errstr 2006D080
 
 to produce the error message:
diff --git a/src/lib/libssl/src/doc/apps/gendsa.pod b/src/lib/libssl/src/doc/apps/gendsa.pod
index 8c7f114ca0..8488c7cef8 100644
--- a/src/lib/libssl/src/doc/apps/gendsa.pod
+++ b/src/lib/libssl/src/doc/apps/gendsa.pod
@@ -26,7 +26,7 @@ The B<gendsa> command generates a DSA private key from a DSA parameter file
 
 =item B<-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
+These options encrypt the private key with the DES, triple DES, or the
 IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
 If none of these options is specified no encryption is used.
 
diff --git a/src/lib/libssl/src/doc/apps/genpkey.pod b/src/lib/libssl/src/doc/apps/genpkey.pod
index c74d097fb3..80e91ed496 100644
--- a/src/lib/libssl/src/doc/apps/genpkey.pod
+++ b/src/lib/libssl/src/doc/apps/genpkey.pod
@@ -29,7 +29,7 @@ The B<genpkey> command generates a private key.
 =item B<-out filename>
 
 the output filename. If this argument is not specified then standard output is
-used.  
+used.
 
 =item B<-outform DER|PEM>
 
@@ -181,7 +181,7 @@ can be used.
 
 Generate an RSA private key using default parameters:
 
- openssl genpkey -algorithm RSA -out key.pem 
+ openssl genpkey -algorithm RSA -out key.pem
 
 Encrypt output private key using 128 bit AES and the passphrase "hello":
 
@@ -199,7 +199,7 @@ Generate 1024 bit DSA parameters:
 
 Generate DSA key from parameters:
 
- openssl genpkey -paramfile dsap.pem -out dsakey.pem 
+ openssl genpkey -paramfile dsap.pem -out dsakey.pem
 
 Generate 1024 bit DH parameters:
 
@@ -208,7 +208,7 @@ Generate 1024 bit DH parameters:
 
 Generate DH key from parameters:
 
- openssl genpkey -paramfile dhp.pem -out dhkey.pem 
+ openssl genpkey -paramfile dhp.pem -out dhkey.pem
 
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/genrsa.pod b/src/lib/libssl/src/doc/apps/genrsa.pod
index 7dcac2a779..608f237b13 100644
--- a/src/lib/libssl/src/doc/apps/genrsa.pod
+++ b/src/lib/libssl/src/doc/apps/genrsa.pod
@@ -29,7 +29,7 @@ The B<genrsa> command generates an RSA private key.
 =item B<-out filename>
 
 the output filename. If this argument is not specified then standard output is
-used.  
+used.
 
 =item B<-passout arg>
 
@@ -38,7 +38,7 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
 =item B<-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
+These options encrypt the private key with the DES, triple DES, or the
 IDEA ciphers respectively before outputting it. If none of these options is
 specified no encryption is used. If encryption is used a pass phrase is prompted
 for if it is not supplied via the B<-passout> argument.
diff --git a/src/lib/libssl/src/doc/apps/ocsp.pod b/src/lib/libssl/src/doc/apps/ocsp.pod
index af2e12e418..435c83fb85 100644
--- a/src/lib/libssl/src/doc/apps/ocsp.pod
+++ b/src/lib/libssl/src/doc/apps/ocsp.pod
@@ -210,7 +210,7 @@ check is not performed.
 =item B<-md5|-sha1|-sha256|-ripemod160|...>
 
 this option sets digest algorithm to use for certificate identification
-in the OCSP request. By default SHA-1 is used. 
+in the OCSP request. By default SHA-1 is used.
 
 =back
 
@@ -263,12 +263,12 @@ option.
 
 =item B<-nrequest number>
 
-The OCSP server will exit after receiving B<number> requests, default unlimited. 
+The OCSP server will exit after receiving B<number> requests, default unlimited.
 
 =item B<-nmin minutes>, B<-ndays days>
 
 Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is 
+B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is
 omitted meaning fresh revocation information is immediately available.
 
 =back
@@ -338,7 +338,7 @@ Create an OCSP request and write it to a file:
 
  openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
 
-Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the 
+Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
 response to a file and print it out in text form
 
  openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
diff --git a/src/lib/libssl/src/doc/apps/openssl.pod b/src/lib/libssl/src/doc/apps/openssl.pod
index 64a160c20a..c40b50d950 100644
--- a/src/lib/libssl/src/doc/apps/openssl.pod
+++ b/src/lib/libssl/src/doc/apps/openssl.pod
@@ -23,12 +23,12 @@ v2/v3) and Transport Layer Security (TLS v1) network protocols and related
 cryptography standards required by them.
 
 The B<openssl> program is a command line tool for using the various
-cryptography functions of OpenSSL's B<crypto> library from the shell. 
-It can be used for 
+cryptography functions of OpenSSL's B<crypto> library from the shell.
+It can be used for
 
  o  Creation and management of private keys, public keys and parameters
  o  Public key cryptographic operations
- o  Creation of X.509 certificates, CSRs and CRLs 
+ o  Creation of X.509 certificates, CSRs and CRLs
  o  Calculation of Message Digests
  o  Encryption and Decryption with Ciphers
  o  SSL/TLS Client and Server Tests
@@ -75,7 +75,7 @@ Parse an ASN.1 sequence.
 
 =item L<B<ca>|ca(1)>
 
-Certificate Authority (CA) Management.  
+Certificate Authority (CA) Management.
 
 =item L<B<ciphers>|ciphers(1)>
 
@@ -104,7 +104,7 @@ Obsoleted by L<B<dhparam>|dhparam(1)>.
 
 =item L<B<dhparam>|dhparam(1)>
 
-Generation and Management of Diffie-Hellman Parameters. Superseded by 
+Generation and Management of Diffie-Hellman Parameters. Superseded by
 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
 
 
@@ -114,7 +114,7 @@ DSA Data Management.
 
 =item L<B<dsaparam>|dsaparam(1)>
 
-DSA Parameter Generation and Management. Superseded by 
+DSA Parameter Generation and Management. Superseded by
 L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)>
 
 =item L<B<ec>|ec(1)>
@@ -144,7 +144,7 @@ Obsoleted by L<B<dhparam>|dhparam(1)>.
 
 =item L<B<gendsa>|gendsa(1)>
 
-Generation of DSA Private Key from Parameters. Superseded by 
+Generation of DSA Private Key from Parameters. Superseded by
 L<B<genpkey>|genpkey(1)> and L<B<pkey>|pkey(1)>
 
 =item L<B<genpkey>|genpkey(1)>
@@ -279,11 +279,11 @@ MDC2 Digest
 
 RMD-160 Digest
 
-=item B<sha>            
+=item B<sha>
 
 SHA Digest
 
-=item B<sha1>           
+=item B<sha1>
 
 SHA-1 Digest
 
@@ -408,7 +408,7 @@ L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
 L<s_server(1)|s_server(1)>, L<s_time(1)|s_time(1)>,
 L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
 L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
-L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)> 
+L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)>, L<x509v3_config(5)|x509v3_config(5)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/apps/pkcs12.pod b/src/lib/libssl/src/doc/apps/pkcs12.pod
index 8e0d91798a..4070c58e53 100644
--- a/src/lib/libssl/src/doc/apps/pkcs12.pod
+++ b/src/lib/libssl/src/doc/apps/pkcs12.pod
@@ -322,7 +322,7 @@ Output only client certificates to a file:
  openssl pkcs12 -in file.p12 -clcerts -out file.pem
 
 Don't encrypt the private key:
- 
+
  openssl pkcs12 -in file.p12 -out file.pem -nodes
 
 Print some info about a PKCS#12 file:
diff --git a/src/lib/libssl/src/doc/apps/pkcs7.pod b/src/lib/libssl/src/doc/apps/pkcs7.pod
index acfb8100f0..13c5cad262 100644
--- a/src/lib/libssl/src/doc/apps/pkcs7.pod
+++ b/src/lib/libssl/src/doc/apps/pkcs7.pod
@@ -32,7 +32,7 @@ the DER form with header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -95,7 +95,7 @@ For compatibility with some CAs it will also accept:
 
 There is no option to print out all the fields of a PKCS#7 file.
 
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they 
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
 cannot currently parse, for example, the new CMS as described in RFC2630.
 
 =head1 SEE ALSO
diff --git a/src/lib/libssl/src/doc/apps/pkcs8.pod b/src/lib/libssl/src/doc/apps/pkcs8.pod
index 84abee78f3..d15c89bbbc 100644
--- a/src/lib/libssl/src/doc/apps/pkcs8.pod
+++ b/src/lib/libssl/src/doc/apps/pkcs8.pod
@@ -49,7 +49,7 @@ private key is used.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -109,7 +109,7 @@ the public and private keys respectively.
 This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8
 private keys are encrypted with the password based encryption algorithm
 called B<pbeWithMD5AndDES-CBC> this uses 56 bit DES encryption but it
-was the strongest encryption algorithm supported in PKCS#5 v1.5. Using 
+was the strongest encryption algorithm supported in PKCS#5 v1.5. Using
 the B<-v2> option PKCS#5 v2.0 algorithms are used which can use any
 encryption algorithm such as 168 bit triple DES or 128 bit RC2 however
 not many implementations support PKCS#5 v2.0 yet. If you are just using
@@ -238,6 +238,6 @@ the old format at present.
 =head1 SEE ALSO
 
 L<dsa(1)|dsa(1)>, L<rsa(1)|rsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)> 
+L<gendsa(1)|gendsa(1)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/pkey.pod b/src/lib/libssl/src/doc/apps/pkey.pod
index 4851223f3f..77166dd877 100644
--- a/src/lib/libssl/src/doc/apps/pkey.pod
+++ b/src/lib/libssl/src/doc/apps/pkey.pod
@@ -37,7 +37,7 @@ This specifies the input format DER or PEM.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -71,7 +71,7 @@ name accepted by EVP_get_cipherbyname() is acceptable such as B<des3>.
 =item B<-text>
 
 prints out the various public or private key components in
-plain text in addition to the encoded version. 
+plain text in addition to the encoded version.
 
 =item B<-text_pub>
 
@@ -111,7 +111,7 @@ To encrypt a private key using triple DES:
 
  openssl pkey -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl pkey -in key.pem -outform DER -out keyout.der
 
@@ -130,6 +130,6 @@ To just output the public part of a private key:
 =head1 SEE ALSO
 
 L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)> 
+L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/pkeyparam.pod b/src/lib/libssl/src/doc/apps/pkeyparam.pod
index 154f6721af..81495d2d52 100644
--- a/src/lib/libssl/src/doc/apps/pkeyparam.pod
+++ b/src/lib/libssl/src/doc/apps/pkeyparam.pod
@@ -35,7 +35,7 @@ this option is not specified.
 
 =item B<-text>
 
-prints out the parameters in plain text in addition to the encoded version. 
+prints out the parameters in plain text in addition to the encoded version.
 
 =item B<-noout>
 
@@ -64,6 +64,6 @@ PEM format is supported because the key type is determined by the PEM headers.
 =head1 SEE ALSO
 
 L<genpkey(1)|genpkey(1)>, L<rsa(1)|rsa(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)> 
+L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>, L<gendsa(1)|gendsa(1)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/pkeyutl.pod b/src/lib/libssl/src/doc/apps/pkeyutl.pod
index 27be9a9007..a88380a7a8 100644
--- a/src/lib/libssl/src/doc/apps/pkeyutl.pod
+++ b/src/lib/libssl/src/doc/apps/pkeyutl.pod
@@ -80,11 +80,11 @@ for all available algorithms.
 
 =item B<-pubin>
 
-the input file is a public key. 
+the input file is a public key.
 
 =item B<-certin>
 
-the input is a certificate containing a public key. 
+the input is a certificate containing a public key.
 
 =item B<-rev>
 
@@ -141,7 +141,7 @@ EVP_get_digestbyname() function for example B<sha1>.
 =head1 RSA ALGORITHM
 
 The RSA algorithm supports encrypt, decrypt, sign, verify and verifyrecover
-operations in general. Some padding modes only support some of these 
+operations in general. Some padding modes only support some of these
 operations however.
 
 =over 4
@@ -152,7 +152,7 @@ This sets the RSA padding mode. Acceptable values for B<mode> are B<pkcs1> for
 PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
 for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
 
-In PKCS#1 padding if the message digest is not set then the supplied data is 
+In PKCS#1 padding if the message digest is not set then the supplied data is
 signed or verified directly instead of using a B<DigestInfo> structure. If a
 digest is set then the a B<DigestInfo> structure is used and its the length
 must correspond to the digest type.
diff --git a/src/lib/libssl/src/doc/apps/req.pod b/src/lib/libssl/src/doc/apps/req.pod
index 0730d117b3..4f6d64766d 100644
--- a/src/lib/libssl/src/doc/apps/req.pod
+++ b/src/lib/libssl/src/doc/apps/req.pod
@@ -68,7 +68,7 @@ footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -261,7 +261,7 @@ a variety of purposes.
 
 =item B<-utf8>
 
-this option causes field values to be interpreted as UTF8 strings, by 
+this option causes field values to be interpreted as UTF8 strings, by
 default they are interpreted as ASCII. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
@@ -276,7 +276,7 @@ set multiple options. See the L<x509(1)|x509(1)> manual page for details.
 =item B<-reqopt>
 
 customise the output format used with B<-text>. The B<option> argument can be
-a single option or multiple options separated by commas. 
+a single option or multiple options separated by commas.
 
 See discission of the  B<-certopt> parameter in the L<B<x509>|x509(1)>
 command.
@@ -363,7 +363,7 @@ overridden by the B<-keyout> option.
 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
-by white space and finally the long name. 
+by white space and finally the long name.
 
 =item B<oid_section>
 
@@ -396,7 +396,7 @@ This option masks out the use of certain string types in certain
 fields. Most users will not need to change this option.
 
 It can be set to several values B<default> which is also the default
-option uses PrintableStrings, T61Strings and BMPStrings if the 
+option uses PrintableStrings, T61Strings and BMPStrings if the
 B<pkix> value is used then only PrintableStrings and BMPStrings will
 be used. This follows the PKIX recommendation in RFC2459. If the
 B<utf8only> option is used then only UTF8Strings will be used: this
@@ -408,7 +408,7 @@ problems with BMPStrings and UTF8Strings: in particular Netscape.
 
 this specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
-by the B<-reqexts> command line switch. See the 
+by the B<-reqexts> command line switch. See the
 L<x509v3_config(5)|x509v3_config(5)> manual page for details of the
 extension section format.
 
@@ -673,6 +673,6 @@ address in subjectAltName should be input by the user.
 
 L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
 L<gendsa(1)|gendsa(1)>, L<config(5)|config(5)>,
-L<x509v3_config(5)|x509v3_config(5)> 
+L<x509v3_config(5)|x509v3_config(5)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/rsa.pod b/src/lib/libssl/src/doc/apps/rsa.pod
index d7d784d52b..e1ba8e629f 100644
--- a/src/lib/libssl/src/doc/apps/rsa.pod
+++ b/src/lib/libssl/src/doc/apps/rsa.pod
@@ -51,7 +51,7 @@ section.
 
 =item B<-outform DER|NET|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -84,7 +84,7 @@ keys.
 
 =item B<-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, or the 
+These options encrypt the private key with the DES, triple DES, or the
 IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
 If none of these options is specified the key is written in plain text. This
 means that using the B<rsa> utility to read in an encrypted key with no
@@ -95,7 +95,7 @@ These options can only be used with PEM format output files.
 =item B<-text>
 
 prints out the various public or private key components in
-plain text in addition to the encoded version. 
+plain text in addition to the encoded version.
 
 =item B<-noout>
 
@@ -172,7 +172,7 @@ To encrypt a private key using triple DES:
 
  openssl rsa -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl rsa -in key.pem -outform DER -out keyout.der
 
@@ -199,6 +199,6 @@ without having to manually edit them.
 =head1 SEE ALSO
 
 L<pkcs8(1)|pkcs8(1)>, L<dsa(1)|dsa(1)>, L<genrsa(1)|genrsa(1)>,
-L<gendsa(1)|gendsa(1)> 
+L<gendsa(1)|gendsa(1)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/rsautl.pod b/src/lib/libssl/src/doc/apps/rsautl.pod
index 1a498c2f62..6b23cbcc56 100644
--- a/src/lib/libssl/src/doc/apps/rsautl.pod
+++ b/src/lib/libssl/src/doc/apps/rsautl.pod
@@ -47,11 +47,11 @@ the input key file, by default it should be an RSA private key.
 
 =item B<-pubin>
 
-the input file is an RSA public key. 
+the input file is an RSA public key.
 
 =item B<-certin>
 
-the input is a certificate containing an RSA public key. 
+the input is a certificate containing an RSA public key.
 
 =item B<-sign>
 
@@ -126,24 +126,24 @@ example in certs/pca-cert.pem . Running B<asn1parse> as follows yields:
 
  openssl asn1parse -in pca-cert.pem
 
-    0:d=0  hl=4 l= 742 cons: SEQUENCE          
-    4:d=1  hl=4 l= 591 cons:  SEQUENCE          
-    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]        
+    0:d=0  hl=4 l= 742 cons: SEQUENCE
+    4:d=1  hl=4 l= 591 cons:  SEQUENCE
+    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
    10:d=3  hl=2 l=   1 prim:    INTEGER           :02
    13:d=2  hl=2 l=   1 prim:   INTEGER           :00
-   16:d=2  hl=2 l=  13 cons:   SEQUENCE          
+   16:d=2  hl=2 l=  13 cons:   SEQUENCE
    18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
-   29:d=3  hl=2 l=   0 prim:    NULL              
-   31:d=2  hl=2 l=  92 cons:   SEQUENCE          
-   33:d=3  hl=2 l=  11 cons:    SET               
-   35:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   29:d=3  hl=2 l=   0 prim:    NULL
+   31:d=2  hl=2 l=  92 cons:   SEQUENCE
+   33:d=3  hl=2 l=  11 cons:    SET
+   35:d=4  hl=2 l=   9 cons:     SEQUENCE
    37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
    42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
   ....
-  599:d=1  hl=2 l=  13 cons:  SEQUENCE          
+  599:d=1  hl=2 l=  13 cons:  SEQUENCE
   601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
-  612:d=2  hl=2 l=   0 prim:   NULL              
-  614:d=1  hl=3 l= 129 prim:  BIT STRING        
+  612:d=2  hl=2 l=   0 prim:   NULL
+  614:d=1  hl=3 l= 129 prim:  BIT STRING
 
 
 The final BIT STRING contains the actual signature. It can be extracted with:
@@ -151,18 +151,18 @@ The final BIT STRING contains the actual signature. It can be extracted with:
  openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
 
 The certificate public key can be extracted with:
- 
+
  openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
 
 The signature can be analysed with:
 
  openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
 
-    0:d=0  hl=2 l=  32 cons: SEQUENCE          
-    2:d=1  hl=2 l=  12 cons:  SEQUENCE          
+    0:d=0  hl=2 l=  32 cons: SEQUENCE
+    2:d=1  hl=2 l=  12 cons:  SEQUENCE
     4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
-   14:d=2  hl=2 l=   0 prim:   NULL              
-   16:d=1  hl=2 l=  16 prim:  OCTET STRING      
+   14:d=2  hl=2 l=   0 prim:   NULL
+   16:d=1  hl=2 l=  16 prim:  OCTET STRING
       0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
 
 This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
diff --git a/src/lib/libssl/src/doc/apps/s_client.pod b/src/lib/libssl/src/doc/apps/s_client.pod
index 445260d91a..5e55c928b9 100644
--- a/src/lib/libssl/src/doc/apps/s_client.pod
+++ b/src/lib/libssl/src/doc/apps/s_client.pod
@@ -217,7 +217,7 @@ print out a hex dump of any TLS extensions received from the server.
 
 =item B<-no_ticket>
 
-disable RFC4507bis session ticket support. 
+disable RFC4507bis session ticket support.
 
 =item B<-sess_out filename>
 
diff --git a/src/lib/libssl/src/doc/apps/s_server.pod b/src/lib/libssl/src/doc/apps/s_server.pod
index 6758ba3080..b5096cf735 100644
--- a/src/lib/libssl/src/doc/apps/s_server.pod
+++ b/src/lib/libssl/src/doc/apps/s_server.pod
@@ -231,7 +231,7 @@ print out a hex dump of any TLS extensions received from the server.
 
 =item B<-no_ticket>
 
-disable RFC4507bis session ticket support. 
+disable RFC4507bis session ticket support.
 
 =item B<-www>
 
@@ -282,7 +282,7 @@ all others.
 
 If a connection request is established with an SSL client and neither the
 B<-www> nor the B<-WWW> option has been used then normally any data received
-from the client is displayed and any key presses will be sent to the client. 
+from the client is displayed and any key presses will be sent to the client.
 
 Certain single letter commands are also recognized which perform special
 operations: these are listed below.
diff --git a/src/lib/libssl/src/doc/apps/sess_id.pod b/src/lib/libssl/src/doc/apps/sess_id.pod
index 9988d2cd3d..fea70b22e2 100644
--- a/src/lib/libssl/src/doc/apps/sess_id.pod
+++ b/src/lib/libssl/src/doc/apps/sess_id.pod
@@ -35,7 +35,7 @@ format base64 encoded with additional header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -51,7 +51,7 @@ output if this option is not specified.
 =item B<-text>
 
 prints out the various public or private key components in
-plain text in addition to the encoded version. 
+plain text in addition to the encoded version.
 
 =item B<-cert>
 
diff --git a/src/lib/libssl/src/doc/apps/smime.pod b/src/lib/libssl/src/doc/apps/smime.pod
index e4e89af847..3bc5c4fde1 100644
--- a/src/lib/libssl/src/doc/apps/smime.pod
+++ b/src/lib/libssl/src/doc/apps/smime.pod
@@ -132,7 +132,7 @@ is S/MIME and it uses the multipart/signed MIME content type.
 
 this option adds plain text (text/plain) MIME headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME 
+off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
 
 =item B<-CAfile file>
@@ -155,7 +155,7 @@ default digest algorithm for the signing key will be used (usually SHA1).
 
 the encryption algorithm to use. For example DES  (56 bits) - B<-des>,
 triple DES (168 bits) - B<-des3>,
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for 
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
 supported by your version of OpenSSL.
 
@@ -250,7 +250,7 @@ all others.
 =item B<cert.pem...>
 
 one or more certificates of message recipients: used when encrypting
-a message. 
+a message.
 
 =item B<-to, -from, -subject>
 
@@ -312,7 +312,7 @@ remains DER.
 
 the operation was completely successfully.
 
-=item 1 
+=item 1
 
 an error occurred parsing the command options.
 
@@ -397,7 +397,7 @@ it with:
  -----BEGIN PKCS7-----
  -----END PKCS7-----
 
-and using the command: 
+and using the command:
 
  openssl smime -verify -inform PEM -in signature.pem -content content.txt
 
diff --git a/src/lib/libssl/src/doc/apps/ts.pod b/src/lib/libssl/src/doc/apps/ts.pod
index d6aa47d314..1abf9df566 100644
--- a/src/lib/libssl/src/doc/apps/ts.pod
+++ b/src/lib/libssl/src/doc/apps/ts.pod
@@ -121,7 +121,7 @@ parameter is specified. (Optional)
 It is possible to specify the message imprint explicitly without the data
 file. The imprint must be specified in a hexadecimal format, two characters
 per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
-1AF601...). The number of bytes must match the message digest algorithm 
+1AF601...). The number of bytes must match the message digest algorithm
 in use. (Optional)
 
 =item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
@@ -283,7 +283,7 @@ data file. The B<-verify> command does not use the configuration file.
 =item B<-data> file_to_hash
 
 The response or token must be verified against file_to_hash. The file
-is hashed with the message digest algorithm specified in the token. 
+is hashed with the message digest algorithm specified in the token.
 The B<-digest> and B<-queryfile> options must not be specified with this one.
 (Optional)
 
@@ -318,9 +318,9 @@ details. Either this option or B<-CAfile> must be specified. (Optional)
 
 =item B<-CAfile> trusted_certs.pem
 
-The name of the file containing a set of trusted self-signed CA 
-certificates in PEM format. See the similar option of 
-L<verify(1)|verify(1)> for additional details. Either this option 
+The name of the file containing a set of trusted self-signed CA
+certificates in PEM format. See the similar option of
+L<verify(1)|verify(1)> for additional details. Either this option
 or B<-CApath> must be specified.
 (Optional)
 
@@ -348,7 +348,7 @@ switch always overrides the settings in the config file.
 
 =over 4
 
-=item B<tsa> section, B<default_tsa>    
+=item B<tsa> section, B<default_tsa>
 
 This is the main section and it specifies the name of another section
 that contains all the options for the B<-reply> command. This default
@@ -375,8 +375,8 @@ generation a new file is created with serial number 1. (Mandatory)
 
 =item B<crypto_device>
 
-Specifies the OpenSSL engine that will be set as the default for 
-all available algorithms. The default value is builtin, you can specify 
+Specifies the OpenSSL engine that will be set as the default for
+all available algorithms. The default value is builtin, you can specify
 any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
 (Optional)
 
@@ -419,7 +419,7 @@ the components is missing zero is assumed for that field. (Optional)
 
 =item B<clock_precision_digits>
 
-Specifies the maximum number of digits, which represent the fraction of 
+Specifies the maximum number of digits, which represent the fraction of
 seconds, that  need to be included in the time field. The trailing zeroes
 must be removed from the time, so there might actually be fewer digits,
 or no fraction of seconds at all. Supported only on UNIX platforms.
@@ -458,12 +458,12 @@ overridden by the B<-config> command line option.
 =head1 EXAMPLES
 
 All the examples below presume that B<OPENSSL_CONF> is set to a proper
-configuration file, e.g. the example configuration file 
+configuration file, e.g. the example configuration file
 openssl/apps/openssl.cnf will do.
 
 =head2 Time Stamp Request
 
-To create a time stamp request for design1.txt with SHA-1 
+To create a time stamp request for design1.txt with SHA-1
 without nonce and policy and no certificate is required in the response:
 
   openssl ts -query -data design1.txt -no_nonce \
@@ -479,7 +479,7 @@ To print the content of the previous request in human readable format:
 
   openssl ts -query -in design1.tsq -text
 
-To create a time stamp request which includes the MD-5 digest 
+To create a time stamp request which includes the MD-5 digest
 of design2.txt, requests the signer certificate and nonce,
 specifies a policy id (assuming the tsa_policy1 name is defined in the
 OID section of the config file):
@@ -559,8 +559,8 @@ Zoltan Glozik <zglozik@opentsa.org>. Known issues:
 =over 4
 
 =item * No support for time stamps over SMTP, though it is quite easy
-to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)> 
-and L<perl(1)|perl(1)>. HTTP server support is provided in the form of 
+to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)>
+and L<perl(1)|perl(1)>. HTTP server support is provided in the form of
 a separate apache module. HTTP client support is provided by
 L<tsget(1)|tsget(1)>. Pure TCP/IP protocol is not supported.
 
@@ -587,8 +587,8 @@ Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)
 
 =head1 SEE ALSO
 
-L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>, 
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>, 
+L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>,
+L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
 L<config(5)|config(5)>
 
 =cut
diff --git a/src/lib/libssl/src/doc/apps/verify.pod b/src/lib/libssl/src/doc/apps/verify.pod
index f1d5384b9a..df448ce40d 100644
--- a/src/lib/libssl/src/doc/apps/verify.pod
+++ b/src/lib/libssl/src/doc/apps/verify.pod
@@ -108,7 +108,7 @@ Print out diagnostics related to policy processing.
 =item B<-crl_check>
 
 Checks end entity certificate validity by attempting to look up a valid CRL.
-If a valid CRL cannot be found an error occurs. 
+If a valid CRL cannot be found an error occurs.
 
 =item B<-crl_check_all>
 
@@ -171,14 +171,14 @@ The verify operation consists of a number of separate steps.
 Firstly a certificate chain is built up starting from the supplied certificate
 and ending in the root CA. It is an error if the whole chain cannot be built
 up. The chain is built up by looking up the issuers certificate of the current
-certificate. If a certificate is found which is its own issuer it is assumed 
+certificate. If a certificate is found which is its own issuer it is assumed
 to be the root CA.
 
 The process of 'looking up the issuers certificate' itself involves a number
 of steps. In versions of OpenSSL before 0.9.5a the first certificate whose
 subject name matched the issuer of the current certificate was assumed to be
 the issuers certificate. In OpenSSL 0.9.6 and later all certificates
-whose subject name matches the issuer name of the current certificate are 
+whose subject name matches the issuer name of the current certificate are
 subject to further tests. The relevant authority key identifier components
 of the current certificate (if present) must match the subject key identifier
 (if present) and issuer and serial number of the candidate issuer, in addition
@@ -201,7 +201,7 @@ the B<CERTIFICATE EXTENSIONS> section of the B<x509> utility.
 The third operation is to check the trust settings on the root CA. The root
 CA should be trusted for the supplied purpose. For compatibility with previous
 versions of SSLeay and OpenSSL a certificate with no trust settings is considered
-to be valid for all purposes. 
+to be valid for all purposes.
 
 The final operation is to check the validity of the certificate chain. The validity
 period is checked against the current system time and the notBefore and notAfter
diff --git a/src/lib/libssl/src/doc/apps/x509.pod b/src/lib/libssl/src/doc/apps/x509.pod
index 314018f086..e6ea9cd9d2 100644
--- a/src/lib/libssl/src/doc/apps/x509.pod
+++ b/src/lib/libssl/src/doc/apps/x509.pod
@@ -83,7 +83,7 @@ obsolete.
 
 =item B<-outform DER|PEM|NET>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -300,7 +300,7 @@ can thus behave like a "mini CA".
 =item B<-signkey filename>
 
 this option causes the input file to be self signed using the supplied
-private key. 
+private key.
 
 If the input file is a certificate it sets the issuer name to the
 subject name (i.e.  makes it self signed) changes the public key to the
@@ -376,7 +376,7 @@ an even number of hex digits with the serial number to use. After each
 use the serial number is incremented and written out to the file again.
 
 The default filename consists of the CA certificate file base name with
-".srl" appended. For example if the CA certificate file is called 
+".srl" appended. For example if the CA certificate file is called
 "mycacert.pem" it expects to find a serial number file called "mycacert.srl".
 
 =item B<-CAcreateserial>
@@ -811,7 +811,7 @@ if the keyUsage extension is present.
 The extended key usage extension must be absent or include the "email
 protection" OID. Netscape certificate type must be absent or must have the
 S/MIME CA bit set: this is used as a work around if the basicConstraints
-extension is absent. 
+extension is absent.
 
 =item B<CRL Signing>
 
@@ -846,7 +846,7 @@ OpenSSL 0.9.5 and later.
 
 L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
 L<gendsa(1)|gendsa(1)>, L<verify(1)|verify(1)>,
-L<x509v3_config(5)|x509v3_config(5)> 
+L<x509v3_config(5)|x509v3_config(5)>
 
 =head1 HISTORY
 
diff --git a/src/lib/libssl/src/doc/apps/x509v3_config.pod b/src/lib/libssl/src/doc/apps/x509v3_config.pod
index 0450067cf1..09e1d3a6e3 100644
--- a/src/lib/libssl/src/doc/apps/x509v3_config.pod
+++ b/src/lib/libssl/src/doc/apps/x509v3_config.pod
@@ -202,7 +202,7 @@ Examples:
 The issuer alternative name option supports all the literal options of
 subject alternative name. It does B<not> support the email:copy option because
 that would not make sense. It does support an additional issuer:copy option
-that will copy all the subject alternative name values from the issuer 
+that will copy all the subject alternative name values from the issuer
 certificate (if possible).
 
 Example:
@@ -301,7 +301,7 @@ Example:
  O=Organisation
  CN=Some Name
 
- 
+
 =head2 Certificate Policies.
 
 This is a I<raw> extension. All the fields of this extension can be set by
@@ -380,7 +380,7 @@ Example:
 The name constraints extension is a multi-valued extension. The name should
 begin with the word B<permitted> or B<excluded> followed by a B<;>. The rest of
 the name and the value follows the syntax of subjectAltName except email:copy
-is not supported and the B<IP> form should consist of an IP addresses and 
+is not supported and the B<IP> form should consist of an IP addresses and
 subnet mask separated by a B</>.
 
 Examples:
@@ -491,7 +491,7 @@ will produce an error but the equivalent form:
  [subject_alt_section]
  subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
 
-is valid. 
+is valid.
 
 Due to the behaviour of the OpenSSL B<conf> library the same field name
 can only occur once in a section. This means that: