210 files changed, 1051 insertions, 5109 deletions

diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index 892e14a450..c41ff4d1ca 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -1,7 +1,7 @@
 
-  LibReSSL files are retained under the copyright of the authors. New
+  LibreSSL files are retained under the copyright of the authors. New
   additions are ISC licensed as per OpenBSD's normal licensing policy,
-  or are placed in the public domain. 
+  or are placed in the public domain.
 
   The OpenSSL code is distributed under the terms of the original OpenSSL
   licenses which follow:
@@ -25,7 +25,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -80,21 +80,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -109,10 +109,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -124,7 +124,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index 652ad4238f..7e423b0b43 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.85 2024/08/11 13:04:46 jsing Exp $
+# $OpenBSD: Makefile,v 1.86 2026/04/03 07:26:20 jsing Exp $
 
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -57,7 +57,6 @@ SRCS= \
         ssl_kex.c \
         ssl_lib.c \
         ssl_methods.c \
-        ssl_packet.c \
         ssl_pkt.c \
         ssl_rsa.c \
         ssl_seclevel.c \
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index 65cd3e7f86..0d82c7c726 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -137,6 +137,7 @@ SSL_CTX_use_certificate_ASN1
 SSL_CTX_use_certificate_chain_file
 SSL_CTX_use_certificate_chain_mem
 SSL_CTX_use_certificate_file
+SSL_SESSION_dup
 SSL_SESSION_free
 SSL_SESSION_get0_cipher
 SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 6dd1699606..13e4f30539 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.40 2023/07/19 13:34:33 tb Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.41 2025/06/02 12:18:22 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -229,9 +229,7 @@ ssl_write(BIO *b, const char *out, int outl)
 
         BIO_clear_retry_flags(b);
 
-/*      ret=SSL_do_handshake(ssl);
-        if (ret > 0) */
-                ret = SSL_write(ssl, out, outl);
+        ret = SSL_write(ssl, out, outl);
 
         switch (SSL_get_error(ssl, ret)) {
         case SSL_ERROR_NONE:
diff --git a/src/lib/libssl/hidden/openssl/ssl.h b/src/lib/libssl/hidden/openssl/ssl.h
index b854dd7b73..b010488d7f 100644
--- a/src/lib/libssl/hidden/openssl/ssl.h
+++ b/src/lib/libssl/hidden/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.9 2024/08/31 10:51:48 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.10 2025/10/24 11:36:08 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -182,6 +182,7 @@ LSSL_USED(SSL_SESSION_set1_id_context);
 LSSL_USED(SSL_SESSION_is_resumable);
 LSSL_USED(SSL_SESSION_new);
 LSSL_USED(SSL_SESSION_free);
+LSSL_USED(SSL_SESSION_dup);
 LSSL_USED(SSL_SESSION_up_ref);
 LSSL_USED(SSL_SESSION_get_id);
 LSSL_USED(SSL_SESSION_get0_id_context);
diff --git a/src/lib/libssl/hidden/ssl_namespace.h b/src/lib/libssl/hidden/ssl_namespace.h
index 5d26516f3c..763dcd700f 100644
--- a/src/lib/libssl/hidden/ssl_namespace.h
+++ b/src/lib/libssl/hidden/ssl_namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_namespace.h,v 1.3 2024/07/12 05:26:34 miod Exp $  */
+/*      $OpenBSD: ssl_namespace.h,v 1.4 2025/08/18 16:00:53 tb Exp $    */
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -35,7 +35,11 @@
 #else
 #define LSSL_UNUSED(x)
 #define LSSL_USED(x)
+#ifdef _MSC_VER
+#define LSSL_ALIAS(x)
+#else
 #define LSSL_ALIAS(x)           asm("")
+#endif /* _MSC_VER */
 #endif
 
 #endif  /* _LIBSSL_SSL_NAMESPACE_H_ */
diff --git a/src/lib/libssl/man/BIO_f_ssl.3 b/src/lib/libssl/man/BIO_f_ssl.3
index 3b74a3d6a4..e23a15e121 100644
--- a/src/lib/libssl/man/BIO_f_ssl.3
+++ b/src/lib/libssl/man/BIO_f_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_ssl.3,v 1.16 2024/01/13 18:37:51 tb Exp $
+.\" $OpenBSD: BIO_f_ssl.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm BIO_do_handshake
 .Nd SSL BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/bio.h
 .In openssl/ssl.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libssl/man/DTLSv1_listen.3 b/src/lib/libssl/man/DTLSv1_listen.3
index 047ec0a7ff..bdba1c59b0 100644
--- a/src/lib/libssl/man/DTLSv1_listen.3
+++ b/src/lib/libssl/man/DTLSv1_listen.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DTLSv1_listen.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: DTLSv1_listen.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 7795475f Dec 18 13:18:31 2015 -0500
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DTLSV1_LISTEN 3
 .Os
 .Sh NAME
 .Nm DTLSv1_listen
 .Nd listen for incoming DTLS connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo DTLSv1_listen
diff --git a/src/lib/libssl/man/OPENSSL_init_ssl.3 b/src/lib/libssl/man/OPENSSL_init_ssl.3
index f37dccfaac..ec840f5e1c 100644
--- a/src/lib/libssl/man/OPENSSL_init_ssl.3
+++ b/src/lib/libssl/man/OPENSSL_init_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $
+.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_INIT_SSL 3
 .Os
 .Sh NAME
 .Nm OPENSSL_init_ssl
 .Nd initialise the crypto and ssl libraries
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo OPENSSL_init_ssl
diff --git a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
index 3eb1414c62..93bd0b8ebd 100644
--- a/src/lib/libssl/man/PEM_read_SSL_SESSION.3
+++ b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_READ_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm PEM_write_bio_SSL_SESSION
 .Nd encode and decode SSL session objects in PEM format
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fo PEM_read_SSL_SESSION
diff --git a/src/lib/libssl/man/SSL_CIPHER_get_name.3 b/src/lib/libssl/man/SSL_CIPHER_get_name.3
index 86c1d3c0ba..fc92eb9723 100644
--- a/src/lib/libssl/man/SSL_CIPHER_get_name.3
+++ b/src/lib/libssl/man/SSL_CIPHER_get_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $
+.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.19 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 16 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt SSL_CIPHER_GET_NAME 3
 .Os
 .Sh NAME
@@ -70,6 +70,7 @@
 .Nm SSL_CIPHER_description
 .Nd get SSL_CIPHER properties
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_CIPHER_get_name "const SSL_CIPHER *cipher"
@@ -81,7 +82,7 @@
 .Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher"
-.Ft "const EVP_MD *"
+.Ft const EVP_MD *
 .Fn SSL_CIPHER_get_handshake_digest "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher"
diff --git a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
index f9e25358d7..0b990ca88e 100644
--- a/src/lib/libssl/man/SSL_COMP_add_compression_method.3
+++ b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.7 2024/08/31 10:51:48 tb Exp $
+.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COMP_ADD_COMPRESSION_METHOD 3
 .Os
 .Sh NAME
 .Nm SSL_COMP_get_compression_methods
 .Nd handle SSL/TLS integrated compression methods
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_COMP) *
 .Fn SSL_COMP_get_compression_methods void
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
index 86eb27a523..91c4c80758 100644
--- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD1_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -67,6 +67,7 @@
 .Nm SSL_clear_chain_certs
 .Nd extra chain certificate processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set0_chain
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b9694b0cbc..891c22a40a 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.8 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_clear_extra_chain_certs
 .Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
diff --git a/src/lib/libssl/man/SSL_CTX_add_session.3 b/src/lib/libssl/man/SSL_CTX_add_session.3
index 443bdb542a..df634bcdda 100644
--- a/src/lib/libssl/man/SSL_CTX_add_session.3
+++ b/src/lib/libssl/man/SSL_CTX_add_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_SESSION 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_remove_session
 .Nd manipulate session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_add_session "SSL_CTX *ctx" "SSL_SESSION *c"
diff --git a/src/lib/libssl/man/SSL_CTX_ctrl.3 b/src/lib/libssl/man/SSL_CTX_ctrl.3
index c91ddff374..4d254d8f48 100644
--- a/src/lib/libssl/man/SSL_CTX_ctrl.3
+++ b/src/lib/libssl/man/SSL_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_callback_ctrl
 .Nd internal handling functions for SSL_CTX and SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_ctrl "SSL_CTX *ctx" "int cmd" "long larg" "void *parg"
diff --git a/src/lib/libssl/man/SSL_CTX_flush_sessions.3 b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
index 2ef781cb4a..deabf5200a 100644
--- a/src/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FLUSH_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_flush_sessions
 .Nd remove expired sessions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_flush_sessions "SSL_CTX *ctx" "long tm"
diff --git a/src/lib/libssl/man/SSL_CTX_free.3 b/src/lib/libssl/man/SSL_CTX_free.3
index 47f247631b..0afef7cd0e 100644
--- a/src/lib/libssl/man/SSL_CTX_free.3
+++ b/src/lib/libssl/man/SSL_CTX_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_free.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_free
 .Nd free an allocated SSL_CTX object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_free "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get0_certificate.3 b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
index 63c86bd5e0..226e6cd87a 100644
--- a/src/lib/libssl/man/SSL_CTX_get0_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.4 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET0_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_get0_certificate
 .Nd get the active certificate from an SSL context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_CTX_get0_certificate
 .Fa "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
index 3dbaf2e981..30a02cc317 100644
--- a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
index 7c87775069..88187f7f3c 100644
--- a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_VERIFY_MODE 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_get_verify_callback
 .Nd get currently set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_get_verify_mode "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
index 373df2402e..0cc22f433d 100644
--- a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_set_default_verify_paths
 .Nd set default locations for trusted CA certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_load_verify_locations
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
index 4b50a03de4..2afad5378c 100644
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.17 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_new.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100
 .\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_NEW 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm DTLSv1_2_client_method
 .Nd create a new SSL_CTX object as a framework for TLS enabled functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_CTX_new "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_number.3 b/src/lib/libssl/man/SSL_CTX_sess_number.3
index 76d436cd17..854f6256eb 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_number.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_number.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_NUMBER 3
 .Os
 .Sh NAME
@@ -66,6 +66,7 @@
 .Nm SSL_CTX_sess_cache_full
 .Nd obtain session cache statistics
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_number "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
index 6d5fede0b6..e8bfe50a3c 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_sess_get_cache_size
 .Nd manipulate session cache size
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_set_cache_size "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
index e99f2be671..62a6698399 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.7 2022/03/29 18:15:52 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_GET_CB 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_CTX_sess_get_get_cb
 .Nd provide callback functions for server side external session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_sess_set_new_cb
diff --git a/src/lib/libssl/man/SSL_CTX_sessions.3 b/src/lib/libssl/man/SSL_CTX_sessions.3
index 964d1a7346..627c694cd8 100644
--- a/src/lib/libssl/man/SSL_CTX_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.5 2018/04/25 14:19:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_sessions
 .Nd access internal session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft LHASH_OF(SSL_SESSION) *
 .Fn SSL_CTX_sessions "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
index 0d1eb36ea7..8cd620d3b4 100644
--- a/src/lib/libssl/man/SSL_CTX_set1_groups.3
+++ b/src/lib/libssl/man/SSL_CTX_set1_groups.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.2 2017/08/19 19:36:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET1_GROUPS 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set1_curves_list
 .Nd choose supported EC groups
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set1_groups
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index 2317c57af4..ff69408247 100644
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.11 2025/02/04 14:00:05 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 4 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_get0_alpn_selected
 .Nd handle application layer protocol negotiation (ALPN)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_alpn_protos
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
index 1be1ba2f68..75c145fd78 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.8 2024/08/03 04:53:01 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_STORE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_cert_store
 .Nd manipulate X509 certificate verification storage
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
index 0e12b48c78..2e2beac850 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_cert_verify_callback
 .Nd set peer certificate verification procedure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_cert_verify_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
index b3f0dc3541..6201dc9f55 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.18 2025/01/18 12:20:02 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.19 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm SSL_set_cipher_list
 .Nd choose list of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_cipher_list "SSL_CTX *ctx" "const char *control"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
index d19fb93ed0..520be04318 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,16 +48,17 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_client_CA_list ,
 .Nm SSL_set_client_CA_list ,
 .Nm SSL_CTX_add_client_CA ,
-.Nm  SSL_add_client_CA
+.Nm SSL_add_client_CA
 .Nd set list of CAs sent to the client when requesting a client certificate
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_client_CA_list "SSL_CTX *ctx" "STACK_OF(X509_NAME) *list"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
index a2433b5e92..2cf8275602 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CERT_CB 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_client_cert_cb
 .Nd handle client certificate callback function
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_client_cert_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
index 94b4ea543d..e3da1bec66 100644
--- a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.9 2023/09/19 09:40:35 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm SSL_CTX_get_default_passwd_cb_userdata
 .Nd set or get passwd callback for encrypted PEM file handling
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb"
diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index d85383d776..29c102ac50 100644
--- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm GEN_SESSION_CB
 .Nd manipulate generation of SSL session IDs (server only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*GEN_SESSION_CB)
diff --git a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
index 76eb8bee61..ec251b5b69 100644
--- a/src/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_INFO_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_info_callback
 .Nd handle information callback for SSL connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_info_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
index 24b8f9992f..0cb36b07c6 100644
--- a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.3 2024/05/16 08:39:30 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 16 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_CTX_get_keylog_callback
 .Nd set and get the unused key logging callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef void
 .Fo (*SSL_CTX_keylog_cb_func)
diff --git a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
index 89513b1006..700f534f54 100644
--- a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MAX_CERT_LIST 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_max_cert_list
 .Nd manipulate allowed size for the peer's certificate chain
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_max_cert_list "SSL_CTX *ctx" "long size"
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
index a2597cda83..50a5fc448d 100644
--- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
 .\"
 .\" This file was written by Kurt Roeckx <kurt@roeckx.be> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_get_max_proto_version
 .Nd get and set minimum and maximum supported protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_min_proto_version
diff --git a/src/lib/libssl/man/SSL_CTX_set_mode.3 b/src/lib/libssl/man/SSL_CTX_set_mode.3
index fca1a977d0..62a7a6deda 100644
--- a/src/lib/libssl/man/SSL_CTX_set_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MODE 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_get_mode
 .Nd manipulate SSL engine mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_mode "SSL_CTX *ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
index a27333e6d9..65df06016a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MSG_CALLBACK 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set_msg_callback_arg
 .Nd install callback for observing protocol messages
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_msg_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3 b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
index cb6d7e000a..093387725a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
+++ b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.2 2021/10/23 17:20:50 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 5402f96a Sep 11 09:58:52 2021 +0100
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_NUM_TICKETS 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm SSL_get_num_tickets
 .Nd set and get the number of TLS 1.3 session tickets to be sent
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_num_tickets "SSL_CTX *ctx" "size_t num_tickets"
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
index 5df0b07785..5e81c978bd 100644
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ b/src/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
 .\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -65,6 +65,7 @@
 .Nm SSL_get_secure_renegotiation_support
 .Nd manipulate SSL options
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
diff --git a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
index 71463f1eca..20b882167b 100644
--- a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_quiet_shutdown
 .Nd manipulate shutdown behaviour
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_quiet_shutdown "SSL_CTX *ctx" "int mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
index eae76eb472..208ecfbf1a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_READ_AHEAD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_CTX_get_default_read_ahead
 .Nd manage whether to read as many input bytes as possible
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_read_ahead
diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3
index 89adb3d65d..2d3afa5785 100644
--- a/src/lib/libssl/man/SSL_CTX_set_security_level.3
+++ b/src/lib/libssl/man/SSL_CTX_set_security_level.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SECURITY_LEVEL 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_get_security_level
 .Nd change security level for TLS
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_security_level
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
index 1fe67b2a7e..d19ff79545 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_session_cache_mode
 .Nd enable/disable session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_session_cache_mode "SSL_CTX ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
index 06fd9348ae..53923888db 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_set_session_id_context
 .Nd set context within which session can be reused (server side only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_session_id_context
diff --git a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
index b1bdb92bb0..fe9febe431 100644
--- a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.5 2021/05/11 19:48:56 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SSL_VERSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_ssl_method
 .Nd choose a new TLS/SSL method
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_ssl_version "SSL_CTX *ctx" "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_set_timeout.3 b/src/lib/libssl/man/SSL_CTX_set_timeout.3
index ab99e2016e..da2f811528 100644
--- a/src/lib/libssl/man/SSL_CTX_set_timeout.3
+++ b/src/lib/libssl/man/SSL_CTX_set_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TIMEOUT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_timeout
 .Nd manipulate timeout values for session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_timeout "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
index 79169a004b..b6cece259c 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.7 2025/04/18 08:35:34 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set_tlsext_host_name
 .Nd handle server name indication (SNI)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_servername_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
index d5979af1e8..c9763f9d2f 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.8 2021/09/11 18:58:41 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_tlsext_status_ocsp_resp
 .Nd OCSP Certificate Status Request functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_status_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
index b6ccabaeca..0427f7dcf5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.8 2022/01/25 18:01:20 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@akamai.com>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 25 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_tlsext_ticket_key_cb
 .Nd set a callback for session ticket processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_ticket_key_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
index 04c4833c6a..4acd452ad5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_selected_srtp_profile
 .Nd Configure and query SRTP support
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/srtp.h
 .Ft int
 .Fo SSL_CTX_set_tlsext_use_srtp
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
index c6f5253431..9fa830656a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.11 2025/01/18 10:45:12 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_set_tmp_dh
 .Nd handle DH keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_dh_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
index b4c3a3c647..7009ac6ab5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.9 2022/03/29 14:27:59 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_need_tmp_RSA
 .Nd handle RSA keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_rsa_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_verify.3 b/src/lib/libssl/man/SSL_CTX_set_verify.3
index 1ed86407e9..656c85afd4 100644
--- a/src/lib/libssl/man/SSL_CTX_set_verify.3
+++ b/src/lib/libssl/man/SSL_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.9 2021/06/12 16:59:53 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_set_verify_depth
 .Nd set peer certificate verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_verify
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index c88a6971b2..27ec834d16 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.17 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000
 .\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm SSL_check_private_key
 .Nd load certificate and key data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x"
diff --git a/src/lib/libssl/man/SSL_SESSION_free.3 b/src/lib/libssl/man/SSL_SESSION_free.3
index 3f785e95e5..af02a273a0 100644
--- a/src/lib/libssl/man/SSL_SESSION_free.3
+++ b/src/lib/libssl/man/SSL_SESSION_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_free.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_free.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_FREE 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_free
 .Nd SSL_SESSION reference counting
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_SESSION_up_ref "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3 b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
index 239a426dbd..4e5b0bb057 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.1 2021/05/12 14:16:25 tb Exp $
+.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL d42e7759f Mar 30 19:40:04 2017 +0200
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_cipher
 .Nd retrieve the SSL cipher associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fo SSL_SESSION_get0_cipher
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_peer.3 b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
index 6b1ef6680e..98ae1bab9d 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_peer.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_PEER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_peer
 .Nd get details about peer's certificate for a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_SESSION_get0_peer
diff --git a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
index aedc216a15..da0d48ff6c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_COMPRESS_ID 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_compress_id
 .Nd get details about the compression associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft unsigned int
 .Fo SSL_SESSION_get_compress_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
index 9fd6949b6a..55cde1c66b 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_SESSION_get_id.3 b/src/lib/libssl/man/SSL_SESSION_get_id.3
index 6d0de1e52e..eb14d24111 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_set1_id
 .Nd get and set the SSL session ID
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
index f14c0490e9..dad9eab7ef 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by TJ Saunders <tj@castaglia.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_PROTOCOL_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_protocol_version
 .Nd get the session protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_protocol_version
diff --git a/src/lib/libssl/man/SSL_SESSION_get_time.3 b/src/lib/libssl/man/SSL_SESSION_get_time.3
index aaadec5137..28aeedf72c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_time.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_time.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.8 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_TIME 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_timeout
 .Nd retrieve and manipulate session time and timeout settings
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_SESSION_get_time "const SSL_SESSION *s"
diff --git a/src/lib/libssl/man/SSL_SESSION_has_ticket.3 b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
index 322b49feef..07b894c4f8 100644
--- a/src/lib/libssl/man/SSL_SESSION_has_ticket.3
+++ b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_HAS_TICKET 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ticket_lifetime_hint
 .Nd get details about the ticket associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_has_ticket
diff --git a/src/lib/libssl/man/SSL_SESSION_is_resumable.3 b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
index 48d7d17889..ddc037c1aa 100644
--- a/src/lib/libssl/man/SSL_SESSION_is_resumable.3
+++ b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.1 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_IS_RESUMABLE 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_is_resumable
 .Nd determine whether an SSL_SESSION object can be used for resumption
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_is_resumable
diff --git a/src/lib/libssl/man/SSL_SESSION_new.3 b/src/lib/libssl/man/SSL_SESSION_new.3
index 2dcdb264c1..182266a311 100644
--- a/src/lib/libssl/man/SSL_SESSION_new.3
+++ b/src/lib/libssl/man/SSL_SESSION_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_new.3,v 1.9 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_new.3,v 1.12 2025/10/24 13:18:22 tb Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,16 +14,20 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: October 24 2025 $
 .Dt SSL_SESSION_NEW 3
 .Os
 .Sh NAME
-.Nm SSL_SESSION_new
+.Nm SSL_SESSION_new ,
+.Nm SSL_SESSION_dup
 .Nd construct a new SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_SESSION_new void
+.Ft SSL_SESSION *
+.Fn SSL_SESSION_dup "const SSL_SESSION *src"
 .Sh DESCRIPTION
 .Fn SSL_SESSION_new
 allocates and initializes a new
@@ -38,9 +42,20 @@ When the object is no longer needed, it can be destructed with
 .Fn SSL_SESSION_new
 is used internally, for example by
 .Xr SSL_connect 3 .
+.Pp
+.Fn SSL_SESSION_dup
+creates a deep copy of
+.Fa src
+with the exception that
+the reference count is set to 1, that
+the peer certificate is shared with
+.Fa src ,
+and that the new session is not part of any session cache.
 .Sh RETURN VALUES
 .Fn SSL_SESSION_new
-returns the new
+and
+.Fn SSL_SESSION_dup
+return the new
 .Vt SSL_SESSION
 object or
 .Dv NULL
@@ -76,3 +91,7 @@ returns
 .Fn SSL_SESSION_new
 first appeared in SSLeay 0.5.2 and has been available since
 .Ox 2.4 .
+.Pp
+.Fn SSL_SESSION_dup
+first appeared in OpenSSL 1.1.1 and has been available since
+.Ox 7.9 .
diff --git a/src/lib/libssl/man/SSL_SESSION_print.3 b/src/lib/libssl/man/SSL_SESSION_print.3
index e92debde0e..65742140d0 100644
--- a/src/lib/libssl/man/SSL_SESSION_print.3
+++ b/src/lib/libssl/man/SSL_SESSION_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_print.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_print.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_SESSION_print_fp
 .Nd print some properties of an SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_print
diff --git a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
index dd7595baca..24f1de4fda 100644
--- a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
+++ b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_SET1_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_set1_id_context
 .Nd get and set the SSL ID context associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/man/SSL_accept.3 b/src/lib/libssl/man/SSL_accept.3
index fb1d89eb57..ecb757aaa5 100644
--- a/src/lib/libssl/man/SSL_accept.3
+++ b/src/lib/libssl/man/SSL_accept.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_accept.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_accept.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
 .Nm SSL_accept
 .Nd wait for a TLS/SSL client to initiate a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_accept "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_alert_type_string.3 b/src/lib/libssl/man/SSL_alert_type_string.3
index 354865e546..0f051cc0a6 100644
--- a/src/lib/libssl/man/SSL_alert_type_string.3
+++ b/src/lib/libssl/man/SSL_alert_type_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_alert_type_string.3,v 1.7 2024/10/13 08:25:09 jsg Exp $
+.\"     $OpenBSD: SSL_alert_type_string.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ALERT_TYPE_STRING 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_alert_desc_string_long
 .Nd get textual description of alert information
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_alert_type_string "int value"
diff --git a/src/lib/libssl/man/SSL_clear.3 b/src/lib/libssl/man/SSL_clear.3
index 809c3b20f4..5e4da1257f 100644
--- a/src/lib/libssl/man/SSL_clear.3
+++ b/src/lib/libssl/man/SSL_clear.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_clear.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CLEAR 3
 .Os
 .Sh NAME
 .Nm SSL_clear
 .Nd reset SSL object to allow another connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_clear "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_connect.3 b/src/lib/libssl/man/SSL_connect.3
index d5b962a480..a0cd8f8443 100644
--- a/src/lib/libssl/man/SSL_connect.3
+++ b/src/lib/libssl/man/SSL_connect.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_connect.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_connect.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CONNECT 3
 .Os
 .Sh NAME
 .Nm SSL_connect
 .Nd initiate the TLS/SSL handshake with a TLS/SSL server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_connect "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_copy_session_id.3 b/src/lib/libssl/man/SSL_copy_session_id.3
index a7a7a8aa99..75a52e8879 100644
--- a/src/lib/libssl/man/SSL_copy_session_id.3
+++ b/src/lib/libssl/man/SSL_copy_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_copy_session_id.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_copy_session_id.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COPY_SESSION_ID 3
 .Os
 .Sh NAME
 .Nm SSL_copy_session_id
 .Nd copy session details between SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_copy_session_id
diff --git a/src/lib/libssl/man/SSL_do_handshake.3 b/src/lib/libssl/man/SSL_do_handshake.3
index e9327b4229..78b41db2f4 100644
--- a/src/lib/libssl/man/SSL_do_handshake.3
+++ b/src/lib/libssl/man/SSL_do_handshake.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_do_handshake.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Martin Sjoegren <martin@strakt.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
 .Nm SSL_do_handshake
 .Nd perform a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_do_handshake "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_dup.3 b/src/lib/libssl/man/SSL_dup.3
index a83440b431..f7d999fb62 100644
--- a/src/lib/libssl/man/SSL_dup.3
+++ b/src/lib/libssl/man/SSL_dup.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup.3,v 1.5 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_dup.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP 3
 .Os
 .Sh NAME
 .Nm SSL_dup
 .Nd deep copy of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fo SSL_dup
diff --git a/src/lib/libssl/man/SSL_dup_CA_list.3 b/src/lib/libssl/man/SSL_dup_CA_list.3
index d073b07176..553c03bd8c 100644
--- a/src/lib/libssl/man/SSL_dup_CA_list.3
+++ b/src/lib/libssl/man/SSL_dup_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup_CA_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_dup_CA_list.3,v 1.7 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP_CA_LIST 3
 .Os
 .Sh NAME
@@ -22,6 +22,8 @@
 .Nd deep copy of a stack of X.509 Name objects
 .\" The capital "N" in "Name" is intentional (X.509 syntax).
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fo SSL_dup_CA_list
 .Fa "const STACK_OF(X509_NAME) *sk"
diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3
index e32a5c5d61..d3daa3a5a3 100644
--- a/src/lib/libssl/man/SSL_export_keying_material.3
+++ b/src/lib/libssl/man/SSL_export_keying_material.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_export_keying_material.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_export_keying_material.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a599574b Jun 28 17:18:27 2017 +0100
 .\"     OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_EXPORT_KEYING_MATERIAL 3
 .Os
 .Sh NAME
 .Nm SSL_export_keying_material
 .Nd obtain keying material for application use
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_export_keying_material
diff --git a/src/lib/libssl/man/SSL_free.3 b/src/lib/libssl/man/SSL_free.3
index c713ded121..b630bc8a2e 100644
--- a/src/lib/libssl/man/SSL_free.3
+++ b/src/lib/libssl/man/SSL_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_free.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_free
 .Nd free an allocated SSL structure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_free "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_SSL_CTX.3 b/src/lib/libssl/man/SSL_get_SSL_CTX.3
index 60fda555bc..eaf1b6ff11 100644
--- a/src/lib/libssl/man/SSL_get_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_get_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_get_SSL_CTX
 .Nd get the SSL_CTX from which an SSL is created
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_get_SSL_CTX "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_certificate.3 b/src/lib/libssl/man/SSL_get_certificate.3
index eb53ea49bf..72ae7ec541 100644
--- a/src/lib/libssl/man/SSL_get_certificate.3
+++ b/src/lib/libssl/man/SSL_get_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_certificate.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_certificate.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_privatekey
 .Nd get SSL certificate and private key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_get_certificate
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3
index 8030f0bbb1..d723f7959e 100644
--- a/src/lib/libssl/man/SSL_get_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $
+.\" $OpenBSD: SSL_get_ciphers.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 16 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CIPHERS 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm SSL_get_cipher_list
 .Nd get lists of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_CIPHER) *
 .Fn SSL_get_ciphers "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_client_CA_list.3 b/src/lib/libssl/man/SSL_get_client_CA_list.3
index e80e5cb6f5..8be7020489 100644
--- a/src/lib/libssl/man/SSL_get_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_get_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_client_CA_list
 .Nd get list of client CAs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_get_client_CA_list "const SSL *s"
diff --git a/src/lib/libssl/man/SSL_get_client_random.3 b/src/lib/libssl/man/SSL_get_client_random.3
index eda74db355..131972b688 100644
--- a/src/lib/libssl/man/SSL_get_client_random.3
+++ b/src/lib/libssl/man/SSL_get_client_random.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_get_client_random.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Nick Mathewson <nickm@torproject.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_RANDOM 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_master_key
 .Nd get internal TLS handshake random values and master key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fo SSL_get_client_random
diff --git a/src/lib/libssl/man/SSL_get_current_cipher.3 b/src/lib/libssl/man/SSL_get_current_cipher.3
index 6b951d03ca..37f6409023 100644
--- a/src/lib/libssl/man/SSL_get_current_cipher.3
+++ b/src/lib/libssl/man/SSL_get_current_cipher.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,17 +48,18 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CURRENT_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_get_current_cipher ,
 .Nm SSL_get_cipher ,
 .Nm SSL_get_cipher_name ,
-.Nm  SSL_get_cipher_bits ,
+.Nm SSL_get_cipher_bits ,
 .Nm SSL_get_cipher_version
 .Nd get SSL_CIPHER of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fn SSL_get_current_cipher "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_default_timeout.3 b/src/lib/libssl/man/SSL_get_default_timeout.3
index 47737d8ee0..ef119780a3 100644
--- a/src/lib/libssl/man/SSL_get_default_timeout.3
+++ b/src/lib/libssl/man/SSL_get_default_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_DEFAULT_TIMEOUT 3
 .Os
 .Sh NAME
 .Nm SSL_get_default_timeout
 .Nd get default session timeout value
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_default_timeout "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_error.3 b/src/lib/libssl/man/SSL_get_error.3
index 5d325b3f56..ba64b779ac 100644
--- a/src/lib/libssl/man/SSL_get_error.3
+++ b/src/lib/libssl/man/SSL_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_error.3,v 1.5 2018/04/29 07:37:01 guenther Exp $
+.\"     $OpenBSD: SSL_get_error.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Bodo Moeller <bodo@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_ERROR 3
 .Os
 .Sh NAME
 .Nm SSL_get_error
 .Nd obtain result code for TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_error "const SSL *ssl" "int ret"
diff --git a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
index a249cda6ac..234034ac2d 100644
--- a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.5 2022/02/06 00:29:02 jsg Exp $
+.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 6 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
 .Os
 .Sh NAME
 .Nm SSL_get_ex_data_X509_STORE_CTX_idx
 .Nd get ex_data index to access SSL structure from X509_STORE_CTX
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_ex_data_X509_STORE_CTX_idx void
diff --git a/src/lib/libssl/man/SSL_get_ex_new_index.3 b/src/lib/libssl/man/SSL_get_ex_new_index.3
index cecd25fa44..811df94fc7 100644
--- a/src/lib/libssl/man/SSL_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_get_fd.3 b/src/lib/libssl/man/SSL_get_fd.3
index 1e093424cb..3a7948d35f 100644
--- a/src/lib/libssl/man/SSL_get_fd.3
+++ b/src/lib/libssl/man/SSL_get_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_fd.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_fd.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_wfd
 .Nd get file descriptor linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_fd "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_finished.3 b/src/lib/libssl/man/SSL_get_finished.3
index 3cfb655ea0..e5c8a36cf6 100644
--- a/src/lib/libssl/man/SSL_get_finished.3
+++ b/src/lib/libssl/man/SSL_get_finished.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $
+.\" $OpenBSD: SSL_get_finished.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FINISHED 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_peer_finished
 .Nd get last sent or last expected finished message
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count"
diff --git a/src/lib/libssl/man/SSL_get_peer_cert_chain.3 b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
index eb2ae53dc4..c4f778aac6 100644
--- a/src/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERT_CHAIN 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_cert_chain
 .Nd get the X509 certificate chain sent by the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509) *
 .Fn SSL_get_peer_cert_chain "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_peer_certificate.3 b/src/lib/libssl/man/SSL_get_peer_certificate.3
index 99f9330288..9ac35a607d 100644
--- a/src/lib/libssl/man/SSL_get_peer_certificate.3
+++ b/src/lib/libssl/man/SSL_get_peer_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_certificate
 .Nd get the X509 certificate of the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fn SSL_get_peer_certificate "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_rbio.3 b/src/lib/libssl/man/SSL_get_rbio.3
index 38096fbecf..7179277f71 100644
--- a/src/lib/libssl/man/SSL_get_rbio.3
+++ b/src/lib/libssl/man/SSL_get_rbio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_rbio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_rbio.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_RBIO 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_wbio
 .Nd get BIO linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft BIO *
 .Fn SSL_get_rbio "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_server_tmp_key.3 b/src/lib/libssl/man/SSL_get_server_tmp_key.3
index aeeb358240..c55036d526 100644
--- a/src/lib/libssl/man/SSL_get_server_tmp_key.3
+++ b/src/lib/libssl/man/SSL_get_server_tmp_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SERVER_TMP_KEY 3
 .Os
 .Sh NAME
 .Nm SSL_get_server_tmp_key
 .Nd temporary server key during a handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_get_server_tmp_key
diff --git a/src/lib/libssl/man/SSL_get_session.3 b/src/lib/libssl/man/SSL_get_session.3
index 2ab43fdd3e..597888a0bd 100644
--- a/src/lib/libssl/man/SSL_get_session.3
+++ b/src/lib/libssl/man/SSL_get_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_session.3,v 1.8 2022/03/31 17:27:18 naddy Exp $
+.\"     $OpenBSD: SSL_get_session.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get1_session
 .Nd retrieve TLS/SSL session data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_get_session "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_shared_ciphers.3 b/src/lib/libssl/man/SSL_get_shared_ciphers.3
index 207e8c42eb..9011780527 100644
--- a/src/lib/libssl/man/SSL_get_shared_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_shared_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $
+.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SHARED_CIPHERS 3
 .Os
 .Sh NAME
 .Nm SSL_get_shared_ciphers
 .Nd ciphers supported by both client and server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft char *
 .Fo SSL_get_shared_ciphers
diff --git a/src/lib/libssl/man/SSL_get_state.3 b/src/lib/libssl/man/SSL_get_state.3
index 297bbce876..0e1a20e6f7 100644
--- a/src/lib/libssl/man/SSL_get_state.3
+++ b/src/lib/libssl/man/SSL_get_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_state.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_state.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_STATE 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm SSL_is_init_finished
 .Nd inspect the state of the SSL state machine
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_state
diff --git a/src/lib/libssl/man/SSL_get_verify_result.3 b/src/lib/libssl/man/SSL_get_verify_result.3
index 180cf1bb73..32a397f4a2 100644
--- a/src/lib/libssl/man/SSL_get_verify_result.3
+++ b/src/lib/libssl/man/SSL_get_verify_result.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_verify_result.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_verify_result.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_get_verify_result
 .Nd get result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_verify_result "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_version.3 b/src/lib/libssl/man/SSL_get_version.3
index a6cefb055b..d32dd34e0e 100644
--- a/src/lib/libssl/man/SSL_get_version.3
+++ b/src/lib/libssl/man/SSL_get_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $
+.\" $OpenBSD: SSL_get_version.3,v 1.10 2025/06/08 22:49:42 schwarze Exp $
 .\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,21 +49,16 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_get_version ,
 .Nm SSL_is_dtls ,
 .Nm SSL_version
-.\" The following are intentionally undocumented because
-.\" - the longer term plan is to remove them
-.\" - nothing appears to be using them in the wild
-.\" - and they have the wrong namespace prefix
-.\" Nm TLS1_get_version
-.\" Nm TLS1_get_client_version
 .Nd get the protocol information of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_get_version "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_library_init.3 b/src/lib/libssl/man/SSL_library_init.3
index 053c1e6fcb..d25a248617 100644
--- a/src/lib/libssl/man/SSL_library_init.3
+++ b/src/lib/libssl/man/SSL_library_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_library_init.3,v 1.7 2019/06/14 13:41:31 schwarze Exp $
+.\"     $OpenBSD: SSL_library_init.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LIBRARY_INIT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSLeay_add_ssl_algorithms
 .Nd initialize SSL library by registering algorithms
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_library_init void
diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3
index f782d96dce..e57900c941 100644
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ b/src/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LOAD_CLIENT_CA_FILE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_add_dir_cert_subjects_to_stack
 .Nd load certificate names from files
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_load_client_CA_file "const char *file"
diff --git a/src/lib/libssl/man/SSL_new.3 b/src/lib/libssl/man/SSL_new.3
index 22c5dbf2db..3906a346d7 100644
--- a/src/lib/libssl/man/SSL_new.3
+++ b/src/lib/libssl/man/SSL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_new.3,v 1.7 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_new.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_up_ref
 .Nd create a new SSL structure for a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fn SSL_new "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_num_renegotiations.3 b/src/lib/libssl/man/SSL_num_renegotiations.3
index 6a81b76a60..d366f97c4a 100644
--- a/src/lib/libssl/man/SSL_num_renegotiations.3
+++ b/src/lib/libssl/man/SSL_num_renegotiations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_num_renegotiations.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_num_renegotiations.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NUM_RENEGOTIATIONS 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_total_renegotiations
 .Nd renegotiation counters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_num_renegotiations
diff --git a/src/lib/libssl/man/SSL_pending.3 b/src/lib/libssl/man/SSL_pending.3
index bbc2e9bdd2..c304302ed8 100644
--- a/src/lib/libssl/man/SSL_pending.3
+++ b/src/lib/libssl/man/SSL_pending.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $
+.\"     $OpenBSD: SSL_pending.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 23 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_PENDING 3
 .Os
 .Sh NAME
 .Nm SSL_pending
 .Nd obtain number of readable bytes buffered in an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_pending "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_read.3 b/src/lib/libssl/man/SSL_read.3
index bb72a8ed82..3d42fd8a90 100644
--- a/src/lib/libssl/man/SSL_read.3
+++ b/src/lib/libssl/man/SSL_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read.3,v 1.8 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_read.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 5a2443ae Nov 14 11:37:36 2016 +0000
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_peek
 .Nd read bytes from a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_read_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
index 1435c15935..d36b1e49f7 100644
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read_early_data.3,v 1.4 2021/11/26 13:48:22 jsg Exp $
+.\" $OpenBSD: SSL_read_early_data.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ_EARLY_DATA 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm SSL_get_early_data_status
 .Nd transmit application data during the handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_max_early_data
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
index 8188d37323..badfe8c6cb 100644
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ b/src/lib/libssl/man/SSL_renegotiate.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_renegotiate.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_renegotiate.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RENEGOTIATE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_renegotiate_pending
 .Nd initiate a new TLS handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_renegotiate
diff --git a/src/lib/libssl/man/SSL_rstate_string.3 b/src/lib/libssl/man/SSL_rstate_string.3
index 99613ba3c0..624c1b08ab 100644
--- a/src/lib/libssl/man/SSL_rstate_string.3
+++ b/src/lib/libssl/man/SSL_rstate_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_rstate_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_rstate_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RSTATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_rstate_string_long
 .Nd get textual description of state of an SSL object during read operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_rstate_string "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_session_reused.3 b/src/lib/libssl/man/SSL_session_reused.3
index add61a904b..3340144660 100644
--- a/src/lib/libssl/man/SSL_session_reused.3
+++ b/src/lib/libssl/man/SSL_session_reused.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_session_reused.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_session_reused.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_REUSED 3
 .Os
 .Sh NAME
 .Nm SSL_session_reused
 .Nd query whether a reused session was negotiated during handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_session_reused "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set1_host.3 b/src/lib/libssl/man/SSL_set1_host.3
index 2a3935c3f2..2c6cdbe5a1 100644
--- a/src/lib/libssl/man/SSL_set1_host.3
+++ b/src/lib/libssl/man/SSL_set1_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $
+.\" $OpenBSD: SSL_set1_host.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file was written by Viktor Dukhovni <viktor@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_HOST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get0_peername
 .Nd SSL server verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_set1_host
diff --git a/src/lib/libssl/man/SSL_set1_param.3 b/src/lib/libssl/man/SSL_set1_param.3
index cd8ad40ad0..2d255a0991 100644
--- a/src/lib/libssl/man/SSL_set1_param.3
+++ b/src/lib/libssl/man/SSL_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_param.3,v 1.6 2022/09/10 10:22:46 jsg Exp $
+.\" $OpenBSD: SSL_set1_param.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set1_param
 .Nd get and set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509_VERIFY_PARAM *
 .Fo SSL_CTX_get0_param
diff --git a/src/lib/libssl/man/SSL_set_SSL_CTX.3 b/src/lib/libssl/man/SSL_set_SSL_CTX.3
index 2abaefb292..3a909dabe6 100644
--- a/src/lib/libssl/man/SSL_set_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_set_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.4 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_set_SSL_CTX
 .Nd modify an SSL connection object to use another context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fo SSL_set_SSL_CTX
diff --git a/src/lib/libssl/man/SSL_set_bio.3 b/src/lib/libssl/man/SSL_set_bio.3
index e727f442d6..98ce9a7080 100644
--- a/src/lib/libssl/man/SSL_set_bio.3
+++ b/src/lib/libssl/man/SSL_set_bio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $
+.\"     $OpenBSD: SSL_set_bio.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_BIO 3
 .Os
 .Sh NAME
 .Nm SSL_set_bio
 .Nd connect the SSL object with a BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_bio "SSL *ssl" "BIO *rbio" "BIO *wbio"
diff --git a/src/lib/libssl/man/SSL_set_connect_state.3 b/src/lib/libssl/man/SSL_set_connect_state.3
index c2072c4370..b7d126d046 100644
--- a/src/lib/libssl/man/SSL_set_connect_state.3
+++ b/src/lib/libssl/man/SSL_set_connect_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_connect_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: SSL_set_connect_state.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_CONNECT_STATE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_is_server
 .Nd prepare SSL object to work in client or server mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_connect_state "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set_fd.3 b/src/lib/libssl/man/SSL_set_fd.3
index 7b9727e9ad..3c4441e677 100644
--- a/src/lib/libssl/man/SSL_set_fd.3
+++ b/src/lib/libssl/man/SSL_set_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_fd.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_fd.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_wfd
 .Nd connect the SSL object with a file descriptor
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_fd "SSL *ssl" "int fd"
diff --git a/src/lib/libssl/man/SSL_set_max_send_fragment.3 b/src/lib/libssl/man/SSL_set_max_send_fragment.3
index 7de087a743..d5265ebb74 100644
--- a/src/lib/libssl/man/SSL_set_max_send_fragment.3
+++ b/src/lib/libssl/man/SSL_set_max_send_fragment.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod
 .\"     OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_MAX_SEND_FRAGMENT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_max_send_fragment
 .Nd control fragment sizes
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_max_send_fragment
diff --git a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3 b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
index 7f2bfcc010..d53f5b97c9 100644
--- a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
+++ b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.1 2021/09/14 14:30:57 schwarze Exp $
+.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL man3/SSL_CTX_set_psk_client_callback.pod
 .\" checked up to 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_PSK_USE_SESSION_CALLBACK 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_psk_use_session_cb_func
 .Nd set TLS pre-shared key client callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*SSL_psk_use_session_cb_func)
diff --git a/src/lib/libssl/man/SSL_set_session.3 b/src/lib/libssl/man/SSL_set_session.3
index 7d85f5ad0c..db3fc6a85c 100644
--- a/src/lib/libssl/man/SSL_set_session.3
+++ b/src/lib/libssl/man/SSL_set_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_session.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_session.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SESSION 3
 .Os
 .Sh NAME
 .Nm SSL_set_session
 .Nd set a TLS/SSL session to be used during TLS/SSL connect
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_session "SSL *ssl" "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_set_shutdown.3 b/src/lib/libssl/man/SSL_set_shutdown.3
index ef8c004f76..1c1d59e927 100644
--- a/src/lib/libssl/man/SSL_set_shutdown.3
+++ b/src/lib/libssl/man/SSL_set_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_shutdown.3,v 1.7 2024/12/19 06:45:21 jmc Exp $
+.\"     $OpenBSD: SSL_set_shutdown.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_shutdown
 .Nd manipulate shutdown state of an SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_shutdown "SSL *ssl" "int mode"
diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
index 8fd2d9fd5b..0794efdfb7 100644
--- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3
+++ b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.6 2021/11/30 15:58:08 jsing Exp $
+.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_TMP_ECDH 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm SSL_CTX_set_tmp_ecdh_callback
 .Nd select a curve for ECDH ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_set_tmp_ecdh
diff --git a/src/lib/libssl/man/SSL_set_verify_result.3 b/src/lib/libssl/man/SSL_set_verify_result.3
index 4b7cc6ec3c..f43d375bc9 100644
--- a/src/lib/libssl/man/SSL_set_verify_result.3
+++ b/src/lib/libssl/man/SSL_set_verify_result.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $
+.\"     $OpenBSD: SSL_set_verify_result.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_set_verify_result
 .Nd override result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_verify_result "SSL *ssl" "long verify_result"
diff --git a/src/lib/libssl/man/SSL_shutdown.3 b/src/lib/libssl/man/SSL_shutdown.3
index bfb1e91ea7..ad49a47d8e 100644
--- a/src/lib/libssl/man/SSL_shutdown.3
+++ b/src/lib/libssl/man/SSL_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_shutdown.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_shutdown.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SHUTDOWN 3
 .Os
 .Sh NAME
 .Nm SSL_shutdown
 .Nd shut down a TLS/SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_shutdown "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_state_string.3 b/src/lib/libssl/man/SSL_state_string.3
index 1070335448..d202056eec 100644
--- a/src/lib/libssl/man/SSL_state_string.3
+++ b/src/lib/libssl/man/SSL_state_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_state_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_state_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_STATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_state_string_long
 .Nd get textual description of state of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_state_string "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_want.3 b/src/lib/libssl/man/SSL_want.3
index 24e8645ba8..c7c2ee4885 100644
--- a/src/lib/libssl/man/SSL_want.3
+++ b/src/lib/libssl/man/SSL_want.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_want.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_want.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WANT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_want_x509_lookup
 .Nd obtain state information TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_want "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_write.3 b/src/lib/libssl/man/SSL_write.3
index 2c6fbcef08..54d0953e82 100644
--- a/src/lib/libssl/man/SSL_write.3
+++ b/src/lib/libssl/man/SSL_write.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_write.3,v 1.7 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_write.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WRITE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_write
 .Nd write bytes to a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_write_ex "SSL *ssl" "const void *buf" "size_t num" "size_t *written"
diff --git a/src/lib/libssl/man/d2i_SSL_SESSION.3 b/src/lib/libssl/man/d2i_SSL_SESSION.3
index 7a2bc529ab..6b0dfc86b9 100644
--- a/src/lib/libssl/man/d2i_SSL_SESSION.3
+++ b/src/lib/libssl/man/d2i_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.7 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm i2d_SSL_SESSION
 .Nd convert SSL_SESSION object from/to ASN1 representation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft  SSL_SESSION *
 .Fn d2i_SSL_SESSION "SSL_SESSION **a" "const unsigned char **pp" "long length"
diff --git a/src/lib/libssl/pqueue.c b/src/lib/libssl/pqueue.c
index 602969deb0..aafd0a704e 100644
--- a/src/lib/libssl/pqueue.c
+++ b/src/lib/libssl/pqueue.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: pqueue.c,v 1.7 2025/05/04 10:53:38 tb Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -68,7 +68,7 @@ typedef struct _pqueue {
 } pqueue_s;
 
 pitem *
-pitem_new(unsigned char *prio64be, void *data)
+pitem_new(const unsigned char *prio64be, void *data)
 {
         pitem *item = malloc(sizeof(pitem));
 
@@ -154,7 +154,7 @@ pqueue_pop(pqueue_s *pq)
 }
 
 pitem *
-pqueue_find(pqueue_s *pq, unsigned char *prio64be)
+pqueue_find(pqueue_s *pq, const unsigned char *prio64be)
 {
         pitem *next;
 
diff --git a/src/lib/libssl/pqueue.h b/src/lib/libssl/pqueue.h
index cdda4a3961..79ddf7a105 100644
--- a/src/lib/libssl/pqueue.h
+++ b/src/lib/libssl/pqueue.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.h,v 1.4 2016/11/04 18:28:58 guenther Exp $ */
+/* $OpenBSD: pqueue.h,v 1.7 2025/05/04 10:53:38 tb Exp $ */
 
 /*
  * DTLS implementation written by Nagendra Modadugu
@@ -61,7 +61,7 @@
 #ifndef HEADER_PQUEUE_H
 #define HEADER_PQUEUE_H
 
-__BEGIN_HIDDEN_DECLS 
+__BEGIN_HIDDEN_DECLS
 
 typedef struct _pqueue *pqueue;
 
@@ -73,7 +73,7 @@ typedef struct _pitem {
 
 typedef struct _pitem *piterator;
 
-pitem *pitem_new(unsigned char *prio64be, void *data);
+pitem *pitem_new(const unsigned char *prio64be, void *data);
 void   pitem_free(pitem *item);
 
 pqueue pqueue_new(void);
@@ -82,12 +82,12 @@ void   pqueue_free(pqueue pq);
 pitem *pqueue_insert(pqueue pq, pitem *item);
 pitem *pqueue_peek(pqueue pq);
 pitem *pqueue_pop(pqueue pq);
-pitem *pqueue_find(pqueue pq, unsigned char *prio64be);
+pitem *pqueue_find(pqueue pq, const unsigned char *prio64be);
 pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 int    pqueue_size(pqueue pq);
 
-__END_HIDDEN_DECLS 
+__END_HIDDEN_DECLS
 
 #endif /* ! HEADER_PQUEUE_H */
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 86b32aec15..bcf26bec40 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.257 2024/07/23 14:40:53 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.258 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1286,6 +1286,7 @@ ssl3_free(SSL *s)
         sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
         sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
         tls_key_share_free(s->s3->hs.key_share);
+        tls_key_share_free(s->s3->hs.tls13.key_share);
 
         tls13_secrets_destroy(s->s3->hs.tls13.secrets);
         freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
@@ -1337,6 +1338,8 @@ ssl3_clear(SSL *s)
 
         tls_key_share_free(s->s3->hs.key_share);
         s->s3->hs.key_share = NULL;
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
 
         tls13_secrets_destroy(s->s3->hs.tls13.secrets);
         s->s3->hs.tls13.secrets = NULL;
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index c2665004b4..dc886efa77 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=59
-minor=1
+major=60
+minor=2
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e8a11ebdb9..4ad73af722 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.248 2025/04/18 07:34:01 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.250 2026/04/03 13:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -369,15 +369,6 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT                    0x00000004L
 
-/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
- * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
- * the workaround is not needed.
- * Unfortunately some broken SSL/TLS implementations cannot handle it
- * at all, which is why it was previously included in SSL_OP_ALL.
- * Now it's not.
- */
-#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x00000800L
-
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU                             0x00001000L
 /* Turn on Cookie Exchange (on relevant for servers) */
@@ -439,6 +430,7 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
 #define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
 #define SSL_OP_TLS_D5_BUG                               0x0
 #define SSL_OP_TLS_ROLLBACK_BUG                         0x0
+#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              0x0
 
 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
  * when just a single record has been written): */
@@ -1199,6 +1191,7 @@ int SSL_SESSION_is_resumable(const SSL_SESSION *s);
 
 SSL_SESSION *SSL_SESSION_new(void);
 void    SSL_SESSION_free(SSL_SESSION *ses);
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
 int     SSL_SESSION_up_ref(SSL_SESSION *ss);
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss,
             unsigned int *len);
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 995f1c4601..90f497553b 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.47 2024/02/03 15:58:33 beck Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.49 2026/04/03 13:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -358,14 +358,11 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max)
         }
 
         /* Feed this message into MAC computation. */
-        if (s->mac_packet) {
-                tls1_transcript_record(s, (unsigned char *)s->init_buf->data,
-                    s->init_num + SSL3_HM_HEADER_LENGTH);
+        tls1_transcript_record(s, (unsigned char *)s->init_buf->data,
+            s->init_num + SSL3_HM_HEADER_LENGTH);
 
-                ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE,
-                    s->init_buf->data,
-                    (size_t)s->init_num + SSL3_HM_HEADER_LENGTH);
-        }
+        ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, s->init_buf->data,
+            (size_t)s->init_num + SSL3_HM_HEADER_LENGTH);
 
         return 1;
 
@@ -516,7 +513,6 @@ ssl3_setup_read_buffer(SSL *s)
 int
 ssl3_setup_write_buffer(SSL *s)
 {
-        unsigned char *p;
         size_t len, align, headerlen;
 
         if (SSL_is_dtls(s))
@@ -529,13 +525,9 @@ ssl3_setup_write_buffer(SSL *s)
         if (s->s3->wbuf.buf == NULL) {
                 len = s->max_send_fragment +
                     SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align;
-                if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
-                        len += headerlen + align +
-                            SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD;
 
-                if ((p = calloc(1, len)) == NULL)
+                if ((s->s3->wbuf.buf = calloc(1, len)) == NULL)
                         goto err;
-                s->s3->wbuf.buf = p;
                 s->s3->wbuf.len = len;
         }
 
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 0d3dcf78af..6ef81a1706 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.169 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.171 2026/04/03 12:58:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -233,6 +233,13 @@ ssl3_connect(SSL *s)
                                 goto end;
                         }
 
+                        /* Ensure that we cannot negotiate TLSv1.1 or lower. */
+                        if (s->s3->hs.our_min_tls_version < TLS1_2_VERSION) {
+                                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                                ret = -1;
+                                goto end;
+                        }
+
                         if (!ssl_security_version(s,
                             s->s3->hs.our_min_tls_version)) {
                                 SSLerror(s, SSL_R_VERSION_TOO_LOW);
@@ -1195,7 +1202,7 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
                 }
                 goto err;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, cbs,
             &decode_error, &invalid_key)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1264,7 +1271,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
         if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
                 goto err;
 
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, &public,
             &decode_error, NULL)) {
                 if (decode_error)
                         goto decode_err;
@@ -1859,7 +1866,7 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
                 goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                 goto err;
         if (!tls_key_share_public(s->s3->hs.key_share, cbb))
                 goto err;
@@ -1898,7 +1905,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
                 goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                 goto err;
 
         if (!CBB_add_u8_length_prefixed(cbb, &public))
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index eac2d9e61f..90822490e2 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.53 2024/10/09 08:00:29 tb Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.55 2025/05/10 05:49:21 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -669,8 +669,7 @@ SSL_state_func_code(int state) {
 }
 
 void
-SSL_error_internal(const SSL *s, int r, char *f, int l)
+SSL_error_internal(const SSL *s, int r, const char *f, int l)
 {
-        ERR_PUT_error(ERR_LIB_SSL,
-            (SSL_state_func_code(s->s3->hs.state)), r, f, l);
+        ERR_PUT_error(ERR_LIB_SSL, SSL_state_func_code(s->s3->hs.state), r, f, l);
 }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ce68981493..630724e670 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.333 2025/06/09 10:14:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1298,7 +1298,7 @@ SSL_shutdown(SSL *s)
                 return (-1);
         }
 
-        if (s != NULL && !SSL_in_init(s))
+        if (!SSL_in_init(s))
                 return (s->method->ssl_shutdown(s));
 
         return (1);
@@ -3008,8 +3008,9 @@ SSL_dup(SSL *s)
 
         /* Dup the client_CA list */
         if (s->client_CA != NULL) {
-                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
-                        ret->client_CA = sk;
+                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL)
+                        goto err;
+                ret->client_CA = sk;
                 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
                         xn = sk_X509_NAME_value(sk, i);
                         if (sk_X509_NAME_set(sk, i,
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index 3a377030b0..6484c8dea3 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.29 2025/04/18 08:07:36 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.37 2026/04/03 13:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -490,6 +490,9 @@ typedef struct ssl_handshake_tls13_st {
         /* Certificate selected for use (static pointer). */
         const SSL_CERT_PKEY *cpk;
 
+        /* Client's extra predicted key share */
+        struct tls_key_share *key_share;
+
         /* Version proposed by peer server. */
         uint16_t server_version;
 
@@ -1054,8 +1057,6 @@ struct ssl_st {
 
         int rstate;     /* where we are when reading */
 
-        int mac_packet;
-
         int empty_record_count;
 
         size_t num_tickets; /* Unused, for OpenSSL compatibility */
@@ -1098,10 +1099,6 @@ typedef struct ssl3_state_st {
         int alert_dispatch;
         unsigned char send_alert[2];
 
-        /* flags for countermeasure against known-IV weakness */
-        int need_empty_fragments;
-        int empty_fragment_done;
-
         /* Unprocessed Alert/Handshake protocol data. */
         struct tls_buffer *alert_fragment;
         struct tls_buffer *handshake_fragment;
@@ -1240,7 +1237,7 @@ int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
 int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
 int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
 
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket);
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int include_ticket);
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
     int *alert);
@@ -1439,9 +1436,10 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
     unsigned int mac_secret_length);
 int SSL_state_func_code(int _state);
 
-#define SSLerror(s, r) SSL_error_internal(s, r, OPENSSL_FILE, OPENSSL_LINE)
-#define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-void SSL_error_internal(const SSL *s, int r, char *f, int l);
+void SSL_error_internal(const SSL *s, int r, const char *f, int l);
+#define SSLerror(s, r)  SSL_error_internal(s, r, OPENSSL_FILE, OPENSSL_LINE)
+#define SSLerrorx(r)    ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define SYSerror(r)     ERR_PUT_error(ERR_LIB_SYS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
 
 #ifndef OPENSSL_NO_SRTP
 
diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
index dee52decf1..dd620c1008 100644
--- a/src/lib/libssl/ssl_methods.c
+++ b/src/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_methods.c,v 1.32 2024/07/23 14:40:54 jsing Exp $ */
+/* $OpenBSD: ssl_methods.c,v 1.33 2026/04/03 12:58:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -538,17 +538,11 @@ const SSL_METHOD *
 ssl_get_method(uint16_t version)
 {
         if (version == TLS1_3_VERSION)
-                return (TLS_method());
+                return TLS_method();
         if (version == TLS1_2_VERSION)
-                return (TLSv1_2_method());
-        if (version == TLS1_1_VERSION)
-                return (TLSv1_1_method());
-        if (version == TLS1_VERSION)
-                return (TLSv1_method());
-        if (version == DTLS1_VERSION)
-                return (DTLSv1_method());
+                return TLSv1_2_method();
         if (version == DTLS1_2_VERSION)
-                return (DTLSv1_2_method());
+                return DTLSv1_2_method();
 
-        return (NULL);
+        return NULL;
 }
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
deleted file mode 100644
index 32d6cceb7a..0000000000
--- a/src/lib/libssl/ssl_packet.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: ssl_packet.c,v 1.16 2024/06/28 13:37:49 jsing Exp $ */
-/*
- * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "bytestring.h"
-#include "ssl_local.h"
-
-static int
-ssl_is_sslv3_handshake(CBS *header)
-{
-        uint16_t record_version;
-        uint8_t record_type;
-        CBS cbs;
-
-        CBS_dup(header, &cbs);
-
-        if (!CBS_get_u8(&cbs, &record_type) ||
-            !CBS_get_u16(&cbs, &record_version))
-                return 0;
-
-        if (record_type != SSL3_RT_HANDSHAKE)
-                return 0;
-        if ((record_version >> 8) != SSL3_VERSION_MAJOR)
-                return 0;
-
-        return 1;
-}
-
-/*
- * Potentially do legacy processing on the first packet received by a TLS
- * server. We return 1 if we want SSLv3/TLS record processing to continue
- * normally, otherwise we must set an SSLerr and return -1.
- */
-int
-ssl_server_legacy_first_packet(SSL *s)
-{
-        const char *data;
-        CBS header;
-
-        if (SSL_is_dtls(s))
-                return 1;
-
-        CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
-
-        if (ssl_is_sslv3_handshake(&header) == 1)
-                return 1;
-
-        /* Only continue if this is not a version locked method. */
-        if (s->method->min_tls_version == s->method->max_tls_version)
-                return 1;
-
-        /* Ensure that we have SSL3_RT_HEADER_LENGTH (5 bytes) of the packet. */
-        if (CBS_len(&header) != SSL3_RT_HEADER_LENGTH) {
-                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        data = (const char *)CBS_data(&header);
-
-        /* Is this a cleartext protocol? */
-        if (strncmp("GET ", data, 4) == 0 ||
-            strncmp("POST ", data, 5) == 0 ||
-            strncmp("HEAD ", data, 5) == 0 ||
-            strncmp("PUT ", data, 4) == 0) {
-                SSLerror(s, SSL_R_HTTP_REQUEST);
-                return -1;
-        }
-        if (strncmp("CONNE", data, 5) == 0) {
-                SSLerror(s, SSL_R_HTTPS_PROXY_REQUEST);
-                return -1;
-        }
-
-        SSLerror(s, SSL_R_UNKNOWN_PROTOCOL);
-
-        return -1;
-}
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 7032175aac..6440ef210f 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.69 2025/03/12 14:03:55 jsing Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.72 2026/04/03 13:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -350,15 +350,8 @@ ssl3_get_record(SSL *s)
                 if (n <= 0)
                         return (n);
 
-                s->mac_packet = 1;
                 s->rstate = SSL_ST_READ_BODY;
 
-                if (s->server && s->first_packet) {
-                        if ((ret = ssl_server_legacy_first_packet(s)) != 1)
-                                return (ret);
-                        ret = -1;
-                }
-
                 CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH);
 
                 /* Pull apart the header into the SSL3_RECORD_INTERNAL */
@@ -513,16 +506,8 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
                 }
 
                 if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA &&
-                    (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
-                        /*
-                         * Next chunk of data should get another prepended
-                         * empty fragment in ciphersuites with known-IV
-                         * weakness.
-                         */
-                        s->s3->empty_fragment_done = 0;
-
+                    (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
                         return tot + i;
-                }
 
                 n -= i;
                 tot += i;
@@ -533,8 +518,6 @@ static int
 do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 {
         SSL3_BUFFER_INTERNAL *wb = &(s->s3->wbuf);
-        SSL_SESSION *sess = s->session;
-        int need_empty_fragment = 0;
         size_t align, out_len;
         CBB cbb;
         int ret;
@@ -567,26 +550,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
         if (len == 0)
                 return 0;
 
-        /*
-         * Countermeasure against known-IV weakness in CBC ciphersuites
-         * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this
-         * is unnecessary for AEAD.
-         */
-        if (sess != NULL && tls12_record_layer_write_protected(s->rl)) {
-                if (s->s3->need_empty_fragments &&
-                    !s->s3->empty_fragment_done &&
-                    type == SSL3_RT_APPLICATION_DATA)
-                        need_empty_fragment = 1;
-        }
-
-        /*
-         * An extra fragment would be a couple of cipher blocks, which would
-         * be a multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real
-         * payload, then we can just simply pretend we have two headers.
-         */
         align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH;
-        if (need_empty_fragment)
-                align += SSL3_RT_HEADER_LENGTH;
         align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
         wb->offset = align;
 
@@ -595,13 +559,6 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
 
         tls12_record_layer_set_version(s->rl, s->version);
 
-        if (need_empty_fragment) {
-                if (!tls12_record_layer_seal_record(s->rl, type,
-                    buf, 0, &cbb))
-                        goto err;
-                s->s3->empty_fragment_done = 1;
-        }
-
         if (!tls12_record_layer_seal_record(s->rl, type, buf, len, &cbb))
                 goto err;
 
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 6c8a2be3d3..1490e10ba4 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.51 2023/12/30 06:25:56 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.53 2025/08/14 15:55:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a5cfc33c04..7f16061b48 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.129 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.131 2025/10/24 11:36:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -247,7 +247,7 @@ SSL_SESSION_new(void)
 LSSL_ALIAS(SSL_SESSION_new);
 
 SSL_SESSION *
-ssl_session_dup(SSL_SESSION *sess, int include_ticket)
+ssl_session_dup(const SSL_SESSION *sess, int include_ticket)
 {
         SSL_SESSION *copy;
         CBS cbs;
@@ -313,7 +313,7 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
                 goto err;
 
         if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
-            &sess->ex_data))
+            (CRYPTO_EX_DATA *)&sess->ex_data))
                 goto err;
 
         /* Omit prev/next: the new session gets its own slot in the cache. */
@@ -345,6 +345,13 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
         return NULL;
 }
 
+SSL_SESSION *
+SSL_SESSION_dup(const SSL_SESSION *src)
+{
+        return ssl_session_dup(src, 1);
+}
+LSSL_ALIAS(SSL_SESSION_dup);
+
 const unsigned char *
 SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len)
 {
diff --git a/src/lib/libssl/ssl_sigalgs.c b/src/lib/libssl/ssl_sigalgs.c
index 18d71f6b95..ee4088f6ab 100644
--- a/src/lib/libssl/ssl_sigalgs.c
+++ b/src/lib/libssl/ssl_sigalgs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sigalgs.c,v 1.50 2024/07/09 13:43:57 beck Exp $ */
+/* $OpenBSD: ssl_sigalgs.c,v 1.53 2026/03/30 06:20:08 tb Exp $ */
 /*
  * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
@@ -90,21 +90,21 @@ const struct ssl_sigalg sigalgs[] = {
         },
         {
                 .value = SIGALG_RSA_PSS_PSS_SHA256,
-                .key_type = EVP_PKEY_RSA,
+                .key_type = EVP_PKEY_RSA_PSS,
                 .md = EVP_sha256,
                 .security_level = 3,
                 .flags = SIGALG_FLAG_RSA_PSS,
         },
         {
                 .value = SIGALG_RSA_PSS_PSS_SHA384,
-                .key_type = EVP_PKEY_RSA,
+                .key_type = EVP_PKEY_RSA_PSS,
                 .md = EVP_sha384,
                 .security_level = 4,
                 .flags = SIGALG_FLAG_RSA_PSS,
         },
         {
                 .value = SIGALG_RSA_PSS_PSS_SHA512,
-                .key_type = EVP_PKEY_RSA,
+                .key_type = EVP_PKEY_RSA_PSS,
                 .md = EVP_sha512,
                 .security_level = 5,
                 .flags = SIGALG_FLAG_RSA_PSS,
@@ -147,12 +147,15 @@ const struct ssl_sigalg sigalgs[] = {
 /* Sigalgs for TLSv1.3, in preference order. */
 const uint16_t tls13_sigalgs[] = {
         SIGALG_RSA_PSS_RSAE_SHA512,
+        SIGALG_RSA_PSS_PSS_SHA512,
         SIGALG_RSA_PKCS1_SHA512,
         SIGALG_ECDSA_SECP521R1_SHA512,
         SIGALG_RSA_PSS_RSAE_SHA384,
+        SIGALG_RSA_PSS_PSS_SHA384,
         SIGALG_RSA_PKCS1_SHA384,
         SIGALG_ECDSA_SECP384R1_SHA384,
         SIGALG_RSA_PSS_RSAE_SHA256,
+        SIGALG_RSA_PSS_PSS_SHA256,
         SIGALG_RSA_PKCS1_SHA256,
         SIGALG_ECDSA_SECP256R1_SHA256,
 };
@@ -161,12 +164,15 @@ const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0
 /* Sigalgs for TLSv1.2, in preference order. */
 const uint16_t tls12_sigalgs[] = {
         SIGALG_RSA_PSS_RSAE_SHA512,
+        SIGALG_RSA_PSS_PSS_SHA512,
         SIGALG_RSA_PKCS1_SHA512,
         SIGALG_ECDSA_SECP521R1_SHA512,
         SIGALG_RSA_PSS_RSAE_SHA384,
+        SIGALG_RSA_PSS_PSS_SHA384,
         SIGALG_RSA_PKCS1_SHA384,
         SIGALG_ECDSA_SECP384R1_SHA384,
         SIGALG_RSA_PSS_RSAE_SHA256,
+        SIGALG_RSA_PSS_PSS_SHA256,
         SIGALG_RSA_PKCS1_SHA256,
         SIGALG_ECDSA_SECP256R1_SHA256,
         SIGALG_RSA_PKCS1_SHA1, /* XXX */
@@ -271,12 +277,14 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
 {
         if (sigalg == NULL || pkey == NULL)
                 return 0;
+
         if (sigalg->key_type != EVP_PKEY_id(pkey))
                 return 0;
 
         /* RSA PSS must have a sufficiently large RSA key. */
         if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
-                if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
+                if ((EVP_PKEY_id(pkey) != EVP_PKEY_RSA &&
+                    EVP_PKEY_id(pkey) != EVP_PKEY_RSA_PSS) ||
                     EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
                         return 0;
         }
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index db4ba38b51..af4b20f6ce 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.166 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.168 2026/04/03 12:58:19 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -238,6 +238,13 @@ ssl3_accept(SSL *s)
                                 goto end;
                         }
 
+                        /* Ensure that we cannot negotiate TLSv1.1 or lower. */
+                        if (s->s3->hs.our_min_tls_version < TLS1_2_VERSION) {
+                                SSLerror(s, ERR_R_INTERNAL_ERROR);
+                                ret = -1;
+                                goto end;
+                        }
+
                         if (!ssl_security_version(s,
                             s->s3->hs.our_min_tls_version)) {
                                 SSLerror(s, SSL_R_VERSION_TOO_LOW);
@@ -1357,7 +1364,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                         goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                 goto err;
 
         if (!tls_key_share_params(s->s3->hs.key_share, cbb))
@@ -1393,7 +1400,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
         if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                 goto err;
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                 goto err;
 
         /*
@@ -1744,7 +1751,7 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
                 goto err;
         }
 
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, cbs,
             &decode_error, &invalid_key)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1792,7 +1799,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                 goto err;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, &public,
             &decode_error, NULL)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
index b19944ca83..9966217ca3 100644
--- a/src/lib/libssl/ssl_stat.c
+++ b/src/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_stat.c,v 1.23 2024/10/12 03:54:18 tb Exp $ */
+/* $OpenBSD: ssl_stat.c,v 1.24 2025/05/22 08:25:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -438,72 +438,7 @@ LSSL_ALIAS(SSL_alert_type_string);
 const char *
 SSL_alert_desc_string(int value)
 {
-        switch (value & 0xff) {
-        case SSL_AD_CLOSE_NOTIFY:
-                return "CN";
-        case SSL_AD_UNEXPECTED_MESSAGE:
-                return "UM";
-        case SSL_AD_BAD_RECORD_MAC:
-                return "BM";
-        case SSL_AD_RECORD_OVERFLOW:
-                return "RO";
-        case SSL_AD_DECOMPRESSION_FAILURE:
-                return "DF";
-        case SSL_AD_HANDSHAKE_FAILURE:
-                return "HF";
-        case SSL_AD_BAD_CERTIFICATE:
-                return "BC";
-        case SSL_AD_UNSUPPORTED_CERTIFICATE:
-                return "UC";
-        case SSL_AD_CERTIFICATE_REVOKED:
-                return "CR";
-        case SSL_AD_CERTIFICATE_EXPIRED:
-                return "CE";
-        case SSL_AD_CERTIFICATE_UNKNOWN:
-                return "CU";
-        case SSL_AD_ILLEGAL_PARAMETER:
-                return "IP";
-        case SSL_AD_UNKNOWN_CA:
-                return "CA";
-        case SSL_AD_ACCESS_DENIED:
-                return "AD";
-        case SSL_AD_DECODE_ERROR:
-                return "DE";
-        case SSL_AD_DECRYPT_ERROR:
-                return "CY";
-        case SSL_AD_PROTOCOL_VERSION:
-                return "PV";
-        case SSL_AD_INSUFFICIENT_SECURITY:
-                return "IS";
-        case SSL_AD_INTERNAL_ERROR:
-                return "IE";
-        case SSL_AD_INAPPROPRIATE_FALLBACK:
-                return "IF";
-        case SSL_AD_USER_CANCELLED:
-                return "US";
-        case SSL_AD_NO_RENEGOTIATION:
-                return "NR";
-        case SSL_AD_MISSING_EXTENSION:
-                return "ME";
-        case SSL_AD_UNSUPPORTED_EXTENSION:
-                return "UE";
-        case SSL_AD_CERTIFICATE_UNOBTAINABLE:
-                return "CO";
-        case SSL_AD_UNRECOGNIZED_NAME:
-                return "UN";
-        case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
-                return "BR";
-        case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
-                return "BH";
-        case SSL_AD_UNKNOWN_PSK_IDENTITY:
-                return "UP";
-        case SSL_AD_CERTIFICATE_REQUIRED:
-                return "CQ"; /* XXX */
-        case SSL_AD_NO_APPLICATION_PROTOCOL:
-                return "AP";
-        default:
-                return "UK";
-        }
+        return "!!";
 }
 LSSL_ALIAS(SSL_alert_desc_string);
 
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 57efb75d32..d879b3304e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
 static int
 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        CBB client_shares, key_exchange;
+        CBB client_shares, key_exchange, key_exchange2;
 
         if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                 return 0;
@@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
         if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
                 return 0;
 
+        /*
+         * We wish to include a second key share prediction in a TLS 1.3 client
+         * hello if we have more than one preferred group. We never wish to do
+         * this in response to a server selected group (Either from a TLS 1.2
+         * server, or from a hello retry request after having negotiated TLS
+         * 1.3).
+         *
+         * Therefore we only do this if we have not yet negotiated
+         * a version, and our max version could negotiate TLS 1.3.
+         */
+        if (s->s3->hs.negotiated_tls_version == 0 &&
+            s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                if (s->s3->hs.tls13.key_share != NULL) {
+                        if (!CBB_add_u16(&client_shares,
+                            tls_key_share_group(s->s3->hs.tls13.key_share)))
+                                return 0;
+                        if (!CBB_add_u16_length_prefixed(&client_shares,
+                            &key_exchange2))
+                                return 0;
+                        if (!tls_key_share_public(s->s3->hs.tls13.key_share,
+                            &key_exchange2))
+                                return 0;
+                }
+        }
+
         if (!CBB_flush(cbb))
                 return 0;
 
@@ -1523,7 +1548,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         *alert = SSL_AD_INTERNAL_ERROR;
                         return 0;
                 }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                     &key_exchange, &decode_error, NULL)) {
                         if (!decode_error)
                                 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1554,6 +1579,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 for (j = 0; j < server_groups_len; j++) {
                         if (server_groups[j] == client_groups[i]) {
                                 client_preferred_group = client_groups[i];
+                                s->s3->hs.tls13.server_group = client_preferred_group;
                                 preferred_group_found = 1;
                                 break;
                         }
@@ -1613,7 +1639,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         *alert = SSL_AD_INTERNAL_ERROR;
                         return 0;
                 }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                     &key_exchange, &decode_error, NULL)) {
                         if (!decode_error)
                                 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1686,11 +1712,33 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 *alert = SSL_AD_INTERNAL_ERROR;
                 return 0;
         }
+
+        if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION &&
+            tls_key_share_group(s->s3->hs.key_share) != group &&
+            s->s3->hs.tls13.key_share != NULL &&
+            tls_key_share_group(s->s3->hs.tls13.key_share) == group) {
+                /*
+                 * Server chose our second key share prediction, switch to it,
+                 * and discard the first one.
+                 */
+                tls_key_share_free(s->s3->hs.key_share);
+                s->s3->hs.key_share = s->s3->hs.tls13.key_share;
+                s->s3->hs.tls13.key_share = NULL;
+        }
+
         if (tls_key_share_group(s->s3->hs.key_share) != group) {
                 *alert = SSL_AD_INTERNAL_ERROR;
                 return 0;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share,
+
+        /*
+         * Discard our now unused second key share prediction if we had made one
+         * with our initial 1.3 client hello
+         */
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
+
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
             &key_exchange, &decode_error, NULL)) {
                 if (!decode_error)
                         *alert = SSL_AD_INTERNAL_ERROR;
@@ -2414,8 +2462,8 @@ tlsext_randomize_build_order(SSL *s)
         free(s->tlsext_build_order);
         s->tlsext_build_order_len = 0;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
-            N_TLS_EXTENSIONS)) == NULL)
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
+            sizeof(*s->tlsext_build_order))) == NULL)
                 return 0;
         s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
@@ -2443,8 +2491,8 @@ tlsext_linearize_build_order(SSL *s)
         free(s->tlsext_build_order);
         s->tlsext_build_order_len = 0;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
-            N_TLS_EXTENSIONS)) == NULL)
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
+            sizeof(*s->tlsext_build_order))) == NULL)
                 return 0;
         s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 64e1dd5b63..1a93b0d37e 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.158 2024/07/20 04:04:23 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.159 2026/04/03 13:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -389,25 +389,6 @@ tls1_setup_key_block(SSL *s)
         s->s3->hs.tls12.key_block = key_block;
         key_block = NULL;
 
-        if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
-            s->method->version <= TLS1_VERSION) {
-                /*
-                 * Enable vulnerability countermeasure for CBC ciphers with
-                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-                 */
-                s->s3->need_empty_fragments = 1;
-
-                if (s->s3->hs.cipher != NULL) {
-                        if (s->s3->hs.cipher->algorithm_enc == SSL_eNULL)
-                                s->s3->need_empty_fragments = 0;
-
-#ifndef OPENSSL_NO_RC4
-                        if (s->s3->hs.cipher->algorithm_enc == SSL_RC4)
-                                s->s3->need_empty_fragments = 0;
-#endif
-                }
-        }
-
         ret = 1;
 
  err:
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b200f78098..912bea592a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.207 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -151,6 +151,7 @@ tls1_clear(SSL *s)
 }
 
 struct supported_group {
+        uint16_t group_id;
         int nid;
         int bits;
 };
@@ -160,122 +161,156 @@ struct supported_group {
  * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
  */
 static const struct supported_group nid_list[] = {
-        [1] = {
+        {
+                .group_id = 1,
                 .nid = NID_sect163k1,
                 .bits = 80,
         },
-        [2] = {
+        {
+                .group_id = 2,
                 .nid = NID_sect163r1,
                 .bits = 80,
         },
-        [3] = {
+        {
+                .group_id = 3,
                 .nid = NID_sect163r2,
                 .bits = 80,
         },
-        [4] = {
+        {
+                .group_id = 4,
                 .nid = NID_sect193r1,
                 .bits = 80,
         },
-        [5] = {
+        {
+                .group_id = 5,
                 .nid = NID_sect193r2,
                 .bits = 80,
         },
-        [6] = {
+        {
+                .group_id = 6,
                 .nid = NID_sect233k1,
                 .bits = 112,
         },
-        [7] = {
+        {
+                .group_id = 7,
                 .nid = NID_sect233r1,
                 .bits = 112,
         },
-        [8] = {
+        {
+                .group_id = 8,
                 .nid = NID_sect239k1,
                 .bits = 112,
         },
-        [9] = {
+        {
+                .group_id = 9,
                 .nid = NID_sect283k1,
                 .bits = 128,
         },
-        [10] = {
+        {
+                .group_id = 10,
                 .nid = NID_sect283r1,
                 .bits = 128,
         },
-        [11] = {
+        {
+                .group_id = 11,
                 .nid = NID_sect409k1,
                 .bits = 192,
         },
-        [12] = {
+        {
+                .group_id = 12,
                 .nid = NID_sect409r1,
                 .bits = 192,
         },
-        [13] = {
+        {
+                .group_id = 13,
                 .nid = NID_sect571k1,
                 .bits = 256,
         },
-        [14] = {
+        {
+                .group_id = 14,
                 .nid = NID_sect571r1,
                 .bits = 256,
         },
-        [15] = {
+        {
+                .group_id = 15,
                 .nid = NID_secp160k1,
                 .bits = 80,
         },
-        [16] = {
+        {
+                .group_id = 16,
                 .nid = NID_secp160r1,
                 .bits = 80,
         },
-        [17] = {
+        {
+                .group_id = 17,
                 .nid = NID_secp160r2,
                 .bits = 80,
         },
-        [18] = {
+        {
+                .group_id = 18,
                 .nid = NID_secp192k1,
                 .bits = 80,
         },
-        [19] = {
+        {
+                .group_id = 19,
                 .nid = NID_X9_62_prime192v1,    /* aka secp192r1 */
                 .bits = 80,
         },
-        [20] = {
+        {
+                .group_id = 20,
                 .nid = NID_secp224k1,
                 .bits = 112,
         },
-        [21] = {
+        {
+                .group_id = 21,
                 .nid = NID_secp224r1,
                 .bits = 112,
         },
-        [22] = {
+        {
+                .group_id = 22,
                 .nid = NID_secp256k1,
                 .bits = 128,
         },
-        [23] = {
+        {
+                .group_id = 23,
                 .nid = NID_X9_62_prime256v1,    /* aka secp256r1 */
                 .bits = 128,
         },
-        [24] = {
+        {
+                .group_id = 24,
                 .nid = NID_secp384r1,
                 .bits = 192,
         },
-        [25] = {
+        {
+                .group_id = 25,
                 .nid = NID_secp521r1,
                 .bits = 256,
         },
-        [26] = {
+        {
+                .group_id = 26,
                 .nid = NID_brainpoolP256r1,
                 .bits = 128,
         },
-        [27] = {
+        {
+                .group_id = 27,
                 .nid = NID_brainpoolP384r1,
                 .bits = 192,
         },
-        [28] = {
+        {
+                .group_id = 28,
                 .nid = NID_brainpoolP512r1,
                 .bits = 256,
         },
-        [29] = {
+        {
+                .group_id = 29,
                 .nid = NID_X25519,
                 .bits = 128,
         },
+        {
+                .group_id = 4588,
+                .nid = NID_X25519MLKEM768,
+                .bits = 128,
+        },
 };
 
 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
@@ -292,41 +327,21 @@ static const uint8_t ecformats_default[] = {
         TLSEXT_ECPOINTFORMAT_uncompressed,
 };
 
-#if 0
-static const uint16_t ecgroups_list[] = {
+static const uint16_t ecgroups_tls12_client_default[] = {
         29,                     /* X25519 (29) */
-        14,                     /* sect571r1 (14) */
-        13,                     /* sect571k1 (13) */
-        25,                     /* secp521r1 (25) */
-        28,                     /* brainpoolP512r1 (28) */
-        11,                     /* sect409k1 (11) */
-        12,                     /* sect409r1 (12) */
-        27,                     /* brainpoolP384r1 (27) */
+        23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
-        9,                      /* sect283k1 (9) */
-        10,                     /* sect283r1 (10) */
-        26,                     /* brainpoolP256r1 (26) */
-        22,                     /* secp256k1 (22) */
+        25,                     /* secp521r1 (25) */
+};
+
+static const uint16_t ecgroups_tls12_server_default[] = {
+        29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
-        8,                      /* sect239k1 (8) */
-        6,                      /* sect233k1 (6) */
-        7,                      /* sect233r1 (7) */
-        20,                     /* secp224k1 (20) */
-        21,                     /* secp224r1 (21) */
-        4,                      /* sect193r1 (4) */
-        5,                      /* sect193r2 (5) */
-        18,                     /* secp192k1 (18) */
-        19,                     /* secp192r1 (19) */
-        1,                      /* sect163k1 (1) */
-        2,                      /* sect163r1 (2) */
-        3,                      /* sect163r2 (3) */
-        15,                     /* secp160k1 (15) */
-        16,                     /* secp160r1 (16) */
-        17,                     /* secp160r2 (17) */
+        24,                     /* secp384r1 (24) */
 };
-#endif
 
 static const uint16_t ecgroups_client_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
@@ -334,23 +349,47 @@ static const uint16_t ecgroups_client_default[] = {
 };
 
 static const uint16_t ecgroups_server_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
 };
 
+static const struct supported_group *
+tls1_supported_group_by_id(uint16_t group_id)
+{
+        int i;
+
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (group_id == nid_list[i].group_id)
+                        return &nid_list[i];
+        }
+
+        return NULL;
+}
+
+static const struct supported_group *
+tls1_supported_group_by_nid(int nid)
+{
+        int i;
+
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (nid == nid_list[i].nid)
+                        return &nid_list[i];
+        }
+
+        return NULL;
+}
+
 int
 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 {
-        int nid;
-
-        if (group_id >= NID_LIST_LEN)
-                return 0;
+        const struct supported_group *sg;
 
-        if ((nid = nid_list[group_id].nid) == 0)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                 return 0;
 
-        *out_nid = nid;
+        *out_nid = sg->nid;
 
         return 1;
 }
@@ -358,15 +397,12 @@ tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 int
 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 {
-        int bits;
+        const struct supported_group *sg;
 
-        if (group_id >= NID_LIST_LEN)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                 return 0;
 
-        if ((bits = nid_list[group_id].bits) == 0)
-                return 0;
-
-        *out_bits = bits;
+        *out_bits = sg->bits;
 
         return 1;
 }
@@ -374,19 +410,14 @@ tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 int
 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
 {
-        uint16_t group_id;
+        const struct supported_group *sg;
 
-        if (nid == 0)
+        if ((sg = tls1_supported_group_by_nid(nid)) == NULL)
                 return 0;
 
-        for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
-                if (nid_list[group_id].nid == nid) {
-                        *out_group_id = group_id;
-                        return 1;
-                }
-        }
+        *out_group_id = sg->group_id;
 
-        return 0;
+        return 1;
 }
 
 /*
@@ -433,11 +464,21 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
                 return;
 
         if (!s->server) {
-                *pgroups = ecgroups_client_default;
-                *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                        *pgroups = ecgroups_client_default;
+                        *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_client_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_client_default) / 2;
+                }
         } else {
-                *pgroups = ecgroups_server_default;
-                *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                        *pgroups = ecgroups_server_default;
+                        *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_server_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_server_default) / 2;
+                }
         }
 }
 
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
deleted file mode 100644
index 336e82fd52..0000000000
--- a/src/lib/libssl/test/CAss.cnf
+++ /dev/null
@@ -1,76 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-RANDFILE                = ./.rnd
-
-####################################################################
-[ req ]
-default_bits            = 2048
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = sha1
-
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-commonName                      = Common Name (eg, YOUR name)
-commonName_value                = Dodgy CA
-
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir             = ./demoCA              # Where everything is kept
-certs           = $dir/certs            # Where the issued certs are kept
-crl_dir         = $dir/crl              # Where the issued crl are kept
-database        = $dir/index.txt        # database index file.
-#unique_subject = no                    # Set to 'no' to allow creation of
-                                        # several certificates with same subject.
-new_certs_dir   = $dir/newcerts         # default place for new certs.
-
-certificate     = $dir/cacert.pem       # The CA certificate
-serial          = $dir/serial           # The current serial number
-crl             = $dir/crl.pem          # The current CRL
-private_key     = $dir/private/cakey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-
-x509_extensions = v3_ca                 # The extensions to add to the cert
-
-name_opt        = ca_default            # Subject Name options
-cert_opt        = ca_default            # Certificate field options
-
-default_days    = 365                   # how long to certify for
-default_crl_days= 30                    # how long before next CRL
-default_md      = md5                   # which md to use.
-preserve        = no                    # keep passed DN ordering
-
-policy          = policy_anything
-
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true,pathlen:1
-keyUsage = cRLSign, keyCertSign
-issuerAltName=issuer:copy
diff --git a/src/lib/libssl/test/CAssdh.cnf b/src/lib/libssl/test/CAssdh.cnf
deleted file mode 100644
index 4e0a908679..0000000000
--- a/src/lib/libssl/test/CAssdh.cnf
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DH certs - CA
-
-RANDFILE              = ./.rnd
-
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = CU
-countryName_value             = CU
-
-organizationName              = Organization Name (eg, company)
-organizationName_value                = La Junta de la Revolucion
-
-commonName                    = Common Name (eg, YOUR name)
-commonName_value              = Junta
-
diff --git a/src/lib/libssl/test/CAssdsa.cnf b/src/lib/libssl/test/CAssdsa.cnf
deleted file mode 100644
index a6b4d1810c..0000000000
--- a/src/lib/libssl/test/CAssdsa.cnf
+++ /dev/null
@@ -1,23 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DSA certs - CA
-
-RANDFILE              = ./.rnd
-
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-
-organizationName              = Organization Name (eg, company)
-organizationName_value                = Hermanos Locos
-
-commonName                    = Common Name (eg, YOUR name)
-commonName_value              = Hermanos Locos CA
diff --git a/src/lib/libssl/test/CAssrsa.cnf b/src/lib/libssl/test/CAssrsa.cnf
deleted file mode 100644
index eb24a6dfc0..0000000000
--- a/src/lib/libssl/test/CAssrsa.cnf
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# create RSA certs - CA
-
-RANDFILE              = ./.rnd
-
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_key           = no
-
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-
-organizationName              = Organization Name (eg, company)
-organizationName_value                = Hermanos Locos
-
-commonName                    = Common Name (eg, YOUR name)
-commonName_value              = Hermanos Locos CA
-
diff --git a/src/lib/libssl/test/CAtsa.cnf b/src/lib/libssl/test/CAtsa.cnf
deleted file mode 100644
index b497b50452..0000000000
--- a/src/lib/libssl/test/CAtsa.cnf
+++ /dev/null
@@ -1,163 +0,0 @@
-
-#
-# This config is used by the Time Stamp Authority tests.
-#
-
-RANDFILE                = ./.rnd
-
-# Extra OBJECT IDENTIFIER info:
-oid_section             = new_oids
-
-TSDNSECT                = ts_cert_dn
-INDEX                   = 1
-
-[ new_oids ]
-
-# Policies used by the TSA tests.
-tsa_policy1 = 1.2.3.4.1
-tsa_policy2 = 1.2.3.4.5.6
-tsa_policy3 = 1.2.3.4.5.7
-
-#----------------------------------------------------------------------
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-[ CA_default ]
-
-dir             = ./demoCA
-certs           = $dir/certs            # Where the issued certs are kept
-database        = $dir/index.txt        # database index file.
-new_certs_dir   = $dir/newcerts         # default place for new certs.
-
-certificate     = $dir/cacert.pem       # The CA certificate
-serial          = $dir/serial           # The current serial number
-private_key     = $dir/private/cakey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-
-default_days    = 365                   # how long to certify for
-default_md      = sha1                  # which md to use.
-preserve        = no                    # keep passed DN ordering
-
-policy          = policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName             = supplied
-stateOrProvinceName     = supplied
-organizationName        = supplied
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-#----------------------------------------------------------------------
-[ req ]
-default_bits            = 1024
-default_md              = sha1
-distinguished_name      = $ENV::TSDNSECT
-encrypt_rsa_key         = no
-prompt                  = no
-# attributes            = req_attributes
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-
-string_mask = nombstr
-
-[ ts_ca_dn ]
-countryName                     = HU
-stateOrProvinceName             = Budapest
-localityName                    = Budapest
-organizationName                = Gov-CA Ltd.
-commonName                      = ca1
-
-[ ts_cert_dn ]
-countryName                     = HU
-stateOrProvinceName             = Budapest
-localityName                    = Buda
-organizationName                = Hun-TSA Ltd.
-commonName                      = tsa$ENV::INDEX
-
-[ tsa_cert ]
-
-# TSA server cert is not a CA cert.
-basicConstraints=CA:FALSE
-
-# The following key usage flags are needed for TSA server certificates.
-keyUsage = nonRepudiation, digitalSignature
-extendedKeyUsage = critical,timeStamping
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-[ non_tsa_cert ]
-
-# This is not a CA cert and not a TSA cert, either (timeStamping usage missing)
-basicConstraints=CA:FALSE
-
-# The following key usage flags are needed for TSA server certificates.
-keyUsage = nonRepudiation, digitalSignature
-# timeStamping is not supported by this certificate
-# extendedKeyUsage = critical,timeStamping
-
-# PKIX recommendations harmless if included in all certificates.
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-
-[ v3_req ]
-
-# Extensions to add to a certificate request
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature
-
-[ v3_ca ]
-
-# Extensions for a typical CA
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = critical,CA:true
-keyUsage = cRLSign, keyCertSign
-
-#----------------------------------------------------------------------
-[ tsa ]
-
-default_tsa = tsa_config1       # the default TSA section
-
-[ tsa_config1 ]
-
-# These are used by the TSA reply generation only.
-dir             = .                     # TSA root directory
-serial          = $dir/tsa_serial       # The current serial number (mandatory)
-signer_cert     = $dir/tsa_cert1.pem    # The TSA signing certificate
-                                        # (optional)
-certs           = $dir/tsaca.pem        # Certificate chain to include in reply
-                                        # (optional)
-signer_key      = $dir/tsa_key1.pem     # The TSA private key (optional)
-
-default_policy  = tsa_policy1           # Policy if request did not specify it
-                                        # (optional)
-other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
-digests         = md5, sha1             # Acceptable message digests (mandatory)
-accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
-ordering                = yes   # Is ordering defined for timestamps?
-                                # (optional, default: no)
-tsa_name                = yes   # Must the TSA name be included in the reply?
-                                # (optional, default: no)
-ess_cert_id_chain       = yes   # Must the ESS cert id chain be included?
-                                # (optional, default: no)
-
-[ tsa_config2 ]
-
-# This configuration uses a certificate which doesn't have timeStamping usage.
-# These are used by the TSA reply generation only.
-dir             = .                     # TSA root directory
-serial          = $dir/tsa_serial       # The current serial number (mandatory)
-signer_cert     = $dir/tsa_cert2.pem    # The TSA signing certificate
-                                        # (optional)
-certs           = $dir/demoCA/cacert.pem# Certificate chain to include in reply
-                                        # (optional)
-signer_key      = $dir/tsa_key2.pem     # The TSA private key (optional)
-
-default_policy  = tsa_policy1           # Policy if request did not specify it
-                                        # (optional)
-other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
-digests         = md5, sha1             # Acceptable message digests (mandatory)
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
deleted file mode 100644
index 326cce2ba8..0000000000
--- a/src/lib/libssl/test/P1ss.cnf
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-RANDFILE                = ./.rnd
-
-####################################################################
-[ req ]
-default_bits            = 1024
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = md2
-
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName                    = Common Name (eg, YOUR name)
-0.commonName_value              = Brother 1
-
-1.commonName                    = Common Name (eg, YOUR name)
-1.commonName_value              = Brother 2
-
-2.commonName                    = Common Name (eg, YOUR name)
-2.commonName_value              = Proxy 1
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
deleted file mode 100644
index 8b502321b8..0000000000
--- a/src/lib/libssl/test/P2ss.cnf
+++ /dev/null
@@ -1,45 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-RANDFILE                = ./.rnd
-
-####################################################################
-[ req ]
-default_bits            = 1024
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = md2
-
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName                    = Common Name (eg, YOUR name)
-0.commonName_value              = Brother 1
-
-1.commonName                    = Common Name (eg, YOUR name)
-1.commonName_value              = Brother 2
-
-2.commonName                    = Common Name (eg, YOUR name)
-2.commonName_value              = Proxy 1
-
-3.commonName                    = Common Name (eg, YOUR name)
-3.commonName_value              = Proxy 2
-
-[ v3_proxy ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-proxyCertInfo=critical,@proxy_ext
-
-[ proxy_ext ]
-language=id-ppl-anyLanguage
-pathlen=0
-policy=text:BC
diff --git a/src/lib/libssl/test/Sssdsa.cnf b/src/lib/libssl/test/Sssdsa.cnf
deleted file mode 100644
index 8e170a28ef..0000000000
--- a/src/lib/libssl/test/Sssdsa.cnf
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# hacked by iang to do DSA certs - Server
-
-RANDFILE              = ./.rnd
-
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_rsa_key               = no
-
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Tortilleras S.A.
-
-0.commonName                  = Common Name (eg, YOUR name)
-0.commonName_value            = Torti
-
-1.commonName                  = Common Name (eg, YOUR name)
-1.commonName_value            = Gordita
-
diff --git a/src/lib/libssl/test/Sssrsa.cnf b/src/lib/libssl/test/Sssrsa.cnf
deleted file mode 100644
index 8c79a03fca..0000000000
--- a/src/lib/libssl/test/Sssrsa.cnf
+++ /dev/null
@@ -1,26 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-# create RSA certs - Server
-
-RANDFILE              = ./.rnd
-
-####################################################################
-[ req ]
-distinguished_name    = req_distinguished_name
-encrypt_key           = no
-
-[ req_distinguished_name ]
-countryName                   = Country Name (2 letter code)
-countryName_default           = ES
-countryName_value             = ES
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Tortilleras S.A.
-
-0.commonName                  = Common Name (eg, YOUR name)
-0.commonName_value            = Torti
-
-1.commonName                  = Common Name (eg, YOUR name)
-1.commonName_value            = Gordita
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
deleted file mode 100644
index 58ac0ca54d..0000000000
--- a/src/lib/libssl/test/Uss.cnf
+++ /dev/null
@@ -1,36 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-RANDFILE                = ./.rnd
-
-####################################################################
-[ req ]
-default_bits            = 2048
-default_keyfile         = keySS.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-default_md              = sha256
-
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-
-organizationName                = Organization Name (eg, company)
-organizationName_value          = Dodgy Brothers
-
-0.commonName                    = Common Name (eg, YOUR name)
-0.commonName_value              = Brother 1
-
-1.commonName                    = Common Name (eg, YOUR name)
-1.commonName_value              = Brother 2
-
-[ v3_ee ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
-basicConstraints = CA:false
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-issuerAltName=issuer:copy
-
diff --git a/src/lib/libssl/test/VMSca-response.1 b/src/lib/libssl/test/VMSca-response.1
deleted file mode 100644
index 8b13789179..0000000000
--- a/src/lib/libssl/test/VMSca-response.1
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/src/lib/libssl/test/VMSca-response.2 b/src/lib/libssl/test/VMSca-response.2
deleted file mode 100644
index 9b48ee4cf9..0000000000
--- a/src/lib/libssl/test/VMSca-response.2
+++ /dev/null
@@ -1,2 +0,0 @@
-y
-y
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
deleted file mode 100644
index bdb3218f7a..0000000000
--- a/src/lib/libssl/test/bctest
+++ /dev/null
@@ -1,111 +0,0 @@
-#!/bin/sh
-
-# This script is used by test/Makefile.ssl to check whether a sane 'bc'
-# is installed.
-# ('make test_bn' should not try to run 'bc' if it does not exist or if
-# it is a broken 'bc' version that is known to cause trouble.)
-#
-# If 'bc' works, we also test if it knows the 'print' command.
-#
-# In any case, output an appropriate command line for running (or not
-# running) bc.
-
-
-IFS=:
-try_without_dir=true
-# First we try "bc", then "$dir/bc" for each item in $PATH.
-for dir in dummy:$PATH; do
-    if [ "$try_without_dir" = true ]; then
-      # first iteration
-      bc=bc
-      try_without_dir=false
-    else
-      # second and later iterations
-      bc="$dir/bc"
-      if [ ! -f "$bc" ]; then  # '-x' is not available on Ultrix
-        bc=''
-      fi
-    fi
-
-    if [ ! "$bc" = '' ]; then
-        failure=none
-
-
-        # Test for SunOS 5.[78] bc bug
-        "$bc" >tmp.bctest <<\EOF
-obase=16
-ibase=16
-a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\
-CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\
-10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\
-C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\
-3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\
-4FC3CADF855448B24A9D7640BCF473E
-b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\
-9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\
-8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\
-3ED0E2017D60A68775B75481449
-(a/b)*b + (a%b) - a
-EOF
-        if [ 0 != "`cat tmp.bctest`" ]; then
-            failure=SunOStest
-        fi
-
-
-        if [ "$failure" = none ]; then
-            # Test for SCO bc bug.
-            "$bc" >tmp.bctest <<\EOF
-obase=16
-ibase=16
--FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\
-9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\
-11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\
-1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\
-AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\
-F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\
-B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\
-02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\
-85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\
-A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\
-E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\
-8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\
-04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\
-89C8D71
-AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\
-928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\
-8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\
-37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\
-E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\
-F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\
-9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\
-D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\
-5296964
-EOF
-            if [ "0
-0" != "`cat tmp.bctest`" ]; then
-                failure=SCOtest
-            fi
-        fi
-
-
-        if [ "$failure" = none ]; then
-            # bc works; now check if it knows the 'print' command.
-            if [ "OK" = "`echo 'print \"OK\"' | $bc 2>/dev/null`" ]
-            then
-                echo "$bc"
-            else
-                echo "sed 's/print.*//' | $bc"
-            fi
-            exit 0
-        fi
-
-        echo "$bc does not work properly ('$failure' failed).  Looking for another bc ..." >&2
-    fi
-done
-
-echo "No working bc found.  Consider installing GNU bc." >&2
-if [ "$1" = ignore ]; then
-  echo "cat >/dev/null"
-  exit 0
-fi
-exit 1
diff --git a/src/lib/libssl/test/cms-examples.pl b/src/lib/libssl/test/cms-examples.pl
deleted file mode 100644
index 2e95b48ba4..0000000000
--- a/src/lib/libssl/test/cms-examples.pl
+++ /dev/null
@@ -1,409 +0,0 @@
-# test/cms-examples.pl
-# Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-# project.
-#
-# ====================================================================
-# Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in
-#    the documentation and/or other materials provided with the
-#    distribution.
-#
-# 3. All advertising materials mentioning features or use of this
-#    software must display the following acknowledgment:
-#    "This product includes software developed by the OpenSSL Project
-#    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-#
-# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-#    endorse or promote products derived from this software without
-#    prior written permission. For written permission, please contact
-#    licensing@OpenSSL.org.
-#
-# 5. Products derived from this software may not be called "OpenSSL"
-#    nor may "OpenSSL" appear in their names without prior written
-#    permission of the OpenSSL Project.
-#
-# 6. Redistributions of any form whatsoever must retain the following
-#    acknowledgment:
-#    "This product includes software developed by the OpenSSL Project
-#    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-#
-# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-# OF THE POSSIBILITY OF SUCH DAMAGE.
-# ====================================================================
-
-# Perl script to run tests against S/MIME examples in RFC4134
-# Assumes RFC is in current directory and called "rfc4134.txt"
-
-use MIME::Base64;
-
-my $badttest = 0;
-my $verbose  = 1;
-
-my $cmscmd;
-my $exdir  = "./";
-my $exfile = "./rfc4134.txt";
-
-if (-f "../apps/openssl")
-        {
-        $cmscmd = "../util/shlib_wrap.sh ../apps/openssl cms";
-        }
-elsif (-f "..\\out32dll\\openssl.exe")
-        {
-        $cmscmd = "..\\out32dll\\openssl.exe cms";
-        }
-elsif (-f "..\\out32\\openssl.exe")
-        {
-        $cmscmd = "..\\out32\\openssl.exe cms";
-        }
-
-my @test_list = (
-    [ "3.1.bin"  => "dataout" ],
-    [ "3.2.bin"  => "encode, dataout" ],
-    [ "4.1.bin"  => "encode, verifyder, cont, dss" ],
-    [ "4.2.bin"  => "encode, verifyder, cont, rsa" ],
-    [ "4.3.bin"  => "encode, verifyder, cont_extern, dss" ],
-    [ "4.4.bin"  => "encode, verifyder, cont, dss" ],
-    [ "4.5.bin"  => "verifyder, cont, rsa" ],
-    [ "4.6.bin"  => "encode, verifyder, cont, dss" ],
-    [ "4.7.bin"  => "encode, verifyder, cont, dss" ],
-    [ "4.8.eml"  => "verifymime, dss" ],
-    [ "4.9.eml"  => "verifymime, dss" ],
-    [ "4.10.bin" => "encode, verifyder, cont, dss" ],
-    [ "4.11.bin" => "encode, certsout" ],
-    [ "5.1.bin"  => "encode, envelopeder, cont" ],
-    [ "5.2.bin"  => "encode, envelopeder, cont" ],
-    [ "5.3.eml"  => "envelopemime, cont" ],
-    [ "6.0.bin"  => "encode, digest, cont" ],
-    [ "7.1.bin"  => "encode, encrypted, cont" ],
-    [ "7.2.bin"  => "encode, encrypted, cont" ]
-);
-
-# Extract examples from RFC4134 text.
-# Base64 decode all examples, certificates and
-# private keys are converted to PEM format.
-
-my ( $filename, $data );
-
-my @cleanup = ( "cms.out", "cms.err", "tmp.der", "tmp.txt" );
-
-$data = "";
-
-open( IN, $exfile ) || die "Can't Open RFC examples file $exfile";
-
-while (<IN>) {
-    next unless (/^\|/);
-    s/^\|//;
-    next if (/^\*/);
-    if (/^>(.*)$/) {
-        $filename = $1;
-        next;
-    }
-    if (/^</) {
-        $filename = "$exdir/$filename";
-        if ( $filename =~ /\.bin$/ || $filename =~ /\.eml$/ ) {
-            $data = decode_base64($data);
-            open OUT, ">$filename";
-            binmode OUT;
-            print OUT $data;
-            close OUT;
-            push @cleanup, $filename;
-        }
-        elsif ( $filename =~ /\.cer$/ ) {
-            write_pem( $filename, "CERTIFICATE", $data );
-        }
-        elsif ( $filename =~ /\.pri$/ ) {
-            write_pem( $filename, "PRIVATE KEY", $data );
-        }
-        $data     = "";
-        $filename = "";
-    }
-    else {
-        $data .= $_;
-    }
-
-}
-
-my $secretkey =
-  "73:7c:79:1f:25:ea:d0:e0:46:29:25:43:52:f7:dc:62:91:e5:cb:26:91:7a:da:32";
-
-foreach (@test_list) {
-    my ( $file, $tlist ) = @$_;
-    print "Example file $file:\n";
-    if ( $tlist =~ /encode/ ) {
-        run_reencode_test( $exdir, $file );
-    }
-    if ( $tlist =~ /certsout/ ) {
-        run_certsout_test( $exdir, $file );
-    }
-    if ( $tlist =~ /dataout/ ) {
-        run_dataout_test( $exdir, $file );
-    }
-    if ( $tlist =~ /verify/ ) {
-        run_verify_test( $exdir, $tlist, $file );
-    }
-    if ( $tlist =~ /digest/ ) {
-        run_digest_test( $exdir, $tlist, $file );
-    }
-    if ( $tlist =~ /encrypted/ ) {
-        run_encrypted_test( $exdir, $tlist, $file, $secretkey );
-    }
-    if ( $tlist =~ /envelope/ ) {
-        run_envelope_test( $exdir, $tlist, $file );
-    }
-
-}
-
-foreach (@cleanup) {
-    unlink $_;
-}
-
-if ($badtest) {
-    print "\n$badtest TESTS FAILED!!\n";
-}
-else {
-    print "\n***All tests successful***\n";
-}
-
-sub write_pem {
-    my ( $filename, $str, $data ) = @_;
-
-    $filename =~ s/\.[^.]*$/.pem/;
-
-    push @cleanup, $filename;
-
-    open OUT, ">$filename";
-
-    print OUT "-----BEGIN $str-----\n";
-    print OUT $data;
-    print OUT "-----END $str-----\n";
-
-    close OUT;
-}
-
-sub run_reencode_test {
-    my ( $cmsdir, $tfile ) = @_;
-    unlink "tmp.der";
-
-    system( "$cmscmd -cmsout -inform DER -outform DER"
-          . " -in $cmsdir/$tfile -out tmp.der" );
-
-    if ($?) {
-        print "\tReencode command FAILED!!\n";
-        $badtest++;
-    }
-    elsif ( !cmp_files( "$cmsdir/$tfile", "tmp.der" ) ) {
-        print "\tReencode FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tReencode passed\n" if $verbose;
-    }
-}
-
-sub run_certsout_test {
-    my ( $cmsdir, $tfile ) = @_;
-    unlink "tmp.der";
-    unlink "tmp.pem";
-
-    system( "$cmscmd -cmsout -inform DER -certsout tmp.pem"
-          . " -in $cmsdir/$tfile -out tmp.der" );
-
-    if ($?) {
-        print "\tCertificate output command FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tCertificate output passed\n" if $verbose;
-    }
-}
-
-sub run_dataout_test {
-    my ( $cmsdir, $tfile ) = @_;
-    unlink "tmp.txt";
-
-    system(
-        "$cmscmd -data_out -inform DER" . " -in $cmsdir/$tfile -out tmp.txt" );
-
-    if ($?) {
-        print "\tDataout command FAILED!!\n";
-        $badtest++;
-    }
-    elsif ( !cmp_files( "$cmsdir/ExContent.bin", "tmp.txt" ) ) {
-        print "\tDataout compare FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tDataout passed\n" if $verbose;
-    }
-}
-
-sub run_verify_test {
-    my ( $cmsdir, $tlist, $tfile ) = @_;
-    unlink "tmp.txt";
-
-    $form   = "DER"                     if $tlist =~ /verifyder/;
-    $form   = "SMIME"                   if $tlist =~ /verifymime/;
-    $cafile = "$cmsdir/CarlDSSSelf.pem" if $tlist =~ /dss/;
-    $cafile = "$cmsdir/CarlRSASelf.pem" if $tlist =~ /rsa/;
-
-    $cmd =
-        "$cmscmd -verify -inform $form"
-      . " -CAfile $cafile"
-      . " -in $cmsdir/$tfile -out tmp.txt";
-
-    $cmd .= " -content $cmsdir/ExContent.bin" if $tlist =~ /cont_extern/;
-
-    system("$cmd 2>cms.err 1>cms.out");
-
-    if ($?) {
-        print "\tVerify command FAILED!!\n";
-        $badtest++;
-    }
-    elsif ( $tlist =~ /cont/
-        && !cmp_files( "$cmsdir/ExContent.bin", "tmp.txt" ) )
-    {
-        print "\tVerify content compare FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tVerify passed\n" if $verbose;
-    }
-}
-
-sub run_envelope_test {
-    my ( $cmsdir, $tlist, $tfile ) = @_;
-    unlink "tmp.txt";
-
-    $form = "DER"   if $tlist =~ /envelopeder/;
-    $form = "SMIME" if $tlist =~ /envelopemime/;
-
-    $cmd =
-        "$cmscmd -decrypt -inform $form"
-      . " -recip $cmsdir/BobRSASignByCarl.pem"
-      . " -inkey $cmsdir/BobPrivRSAEncrypt.pem"
-      . " -in $cmsdir/$tfile -out tmp.txt";
-
-    system("$cmd 2>cms.err 1>cms.out");
-
-    if ($?) {
-        print "\tDecrypt command FAILED!!\n";
-        $badtest++;
-    }
-    elsif ( $tlist =~ /cont/
-        && !cmp_files( "$cmsdir/ExContent.bin", "tmp.txt" ) )
-    {
-        print "\tDecrypt content compare FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tDecrypt passed\n" if $verbose;
-    }
-}
-
-sub run_digest_test {
-    my ( $cmsdir, $tlist, $tfile ) = @_;
-    unlink "tmp.txt";
-
-    my $cmd =
-      "$cmscmd -digest_verify -inform DER" . " -in $cmsdir/$tfile -out tmp.txt";
-
-    system("$cmd 2>cms.err 1>cms.out");
-
-    if ($?) {
-        print "\tDigest verify command FAILED!!\n";
-        $badtest++;
-    }
-    elsif ( $tlist =~ /cont/
-        && !cmp_files( "$cmsdir/ExContent.bin", "tmp.txt" ) )
-    {
-        print "\tDigest verify content compare FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tDigest verify passed\n" if $verbose;
-    }
-}
-
-sub run_encrypted_test {
-    my ( $cmsdir, $tlist, $tfile, $key ) = @_;
-    unlink "tmp.txt";
-
-    system( "$cmscmd -EncryptedData_decrypt -inform DER"
-          . " -secretkey $key"
-          . " -in $cmsdir/$tfile -out tmp.txt" );
-
-    if ($?) {
-        print "\tEncrypted Data command FAILED!!\n";
-        $badtest++;
-    }
-    elsif ( $tlist =~ /cont/
-        && !cmp_files( "$cmsdir/ExContent.bin", "tmp.txt" ) )
-    {
-        print "\tEncrypted Data content compare FAILED!!\n";
-        $badtest++;
-    }
-    else {
-        print "\tEncryptedData verify passed\n" if $verbose;
-    }
-}
-
-sub cmp_files {
-    my ( $f1, $f2 ) = @_;
-    my ( $fp1, $fp2 );
-
-    my ( $rd1, $rd2 );
-
-    if ( !open( $fp1, "<$f1" ) ) {
-        print STDERR "Can't Open file $f1\n";
-        return 0;
-    }
-
-    if ( !open( $fp2, "<$f2" ) ) {
-        print STDERR "Can't Open file $f2\n";
-        return 0;
-    }
-
-    binmode $fp1;
-    binmode $fp2;
-
-    my $ret = 0;
-
-    for ( ; ; ) {
-        $n1 = sysread $fp1, $rd1, 4096;
-        $n2 = sysread $fp2, $rd2, 4096;
-        last if ( $n1 != $n2 );
-        last if ( $rd1 ne $rd2 );
-
-        if ( $n1 == 0 ) {
-            $ret = 1;
-            last;
-        }
-
-    }
-
-    close $fp1;
-    close $fp2;
-
-    return $ret;
-
-}
-
diff --git a/src/lib/libssl/test/cms-test.pl b/src/lib/libssl/test/cms-test.pl
deleted file mode 100644
index dfef799be2..0000000000
--- a/src/lib/libssl/test/cms-test.pl
+++ /dev/null
@@ -1,459 +0,0 @@
-# test/cms-test.pl
-# Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-# project.
-#
-# ====================================================================
-# Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in
-#    the documentation and/or other materials provided with the
-#    distribution.
-#
-# 3. All advertising materials mentioning features or use of this
-#    software must display the following acknowledgment:
-#    "This product includes software developed by the OpenSSL Project
-#    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-#
-# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-#    endorse or promote products derived from this software without
-#    prior written permission. For written permission, please contact
-#    licensing@OpenSSL.org.
-#
-# 5. Products derived from this software may not be called "OpenSSL"
-#    nor may "OpenSSL" appear in their names without prior written
-#    permission of the OpenSSL Project.
-#
-# 6. Redistributions of any form whatsoever must retain the following
-#    acknowledgment:
-#    "This product includes software developed by the OpenSSL Project
-#    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-#
-# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-# OF THE POSSIBILITY OF SUCH DAMAGE.
-# ====================================================================
-
-# CMS, PKCS7 consistency test script. Run extensive tests on
-# OpenSSL PKCS#7 and CMS implementations.
-
-my $ossl_path;
-my $redir = " 2> cms.err > cms.out";
-# Make VMS work
-if ( $^O eq "VMS" && -f "OSSLX:openssl.exe" ) {
-    $ossl_path = "pipe mcr OSSLX:openssl";
-}
-# Make MSYS work
-elsif ( $^O eq "MSWin32" && -f "../apps/openssl.exe" ) {
-    $ossl_path = "cmd /c ..\\apps\\openssl";
-}
-elsif ( -f "../apps/openssl$ENV{EXE_EXT}" ) {
-    $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
-}
-elsif ( -f "..\\out32dll\\openssl.exe" ) {
-    $ossl_path = "..\\out32dll\\openssl.exe";
-}
-elsif ( -f "..\\out32\\openssl.exe" ) {
-    $ossl_path = "..\\out32\\openssl.exe";
-}
-else {
-    die "Can't find OpenSSL executable";
-}
-
-my $pk7cmd   = "$ossl_path smime ";
-my $cmscmd   = "$ossl_path cms ";
-my $smdir    = "smime-certs";
-my $halt_err = 1;
-
-my $badcmd = 0;
-my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/;
-
-my @smime_pkcs7_tests = (
-
-    [
-        "signed content DER format, RSA key",
-        "-sign -in smcont.txt -outform \"DER\" -nodetach"
-          . " -certfile $smdir/smroot.pem"
-          . " -signer $smdir/smrsa1.pem -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed detached content DER format, RSA key",
-        "-sign -in smcont.txt -outform \"DER\""
-          . " -signer $smdir/smrsa1.pem -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt -content smcont.txt"
-    ],
-
-    [
-        "signed content test streaming BER format, RSA",
-        "-sign -in smcont.txt -outform \"DER\" -nodetach"
-          . " -stream -signer $smdir/smrsa1.pem -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed content DER format, DSA key",
-        "-sign -in smcont.txt -outform \"DER\" -nodetach"
-          . " -signer $smdir/smdsa1.pem -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed detached content DER format, DSA key",
-        "-sign -in smcont.txt -outform \"DER\""
-          . " -signer $smdir/smdsa1.pem -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt -content smcont.txt"
-    ],
-
-    [
-        "signed detached content DER format, add RSA signer",
-        "-resign -inform \"DER\" -in test.cms -outform \"DER\""
-          . " -signer $smdir/smrsa1.pem -out test2.cms",
-        "-verify -in test2.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt -content smcont.txt"
-    ],
-
-    [
-        "signed content test streaming BER format, DSA key",
-        "-sign -in smcont.txt -outform \"DER\" -nodetach"
-          . " -stream -signer $smdir/smdsa1.pem -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed content test streaming BER format, 2 DSA and 2 RSA keys",
-        "-sign -in smcont.txt -outform \"DER\" -nodetach"
-          . " -signer $smdir/smrsa1.pem -signer $smdir/smrsa2.pem"
-          . " -signer $smdir/smdsa1.pem -signer $smdir/smdsa2.pem"
-          . " -stream -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-"signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes",
-        "-sign -in smcont.txt -outform \"DER\" -noattr -nodetach"
-          . " -signer $smdir/smrsa1.pem -signer $smdir/smrsa2.pem"
-          . " -signer $smdir/smdsa1.pem -signer $smdir/smdsa2.pem"
-          . " -stream -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys",
-        "-sign -in smcont.txt -nodetach"
-          . " -signer $smdir/smrsa1.pem -signer $smdir/smrsa2.pem"
-          . " -signer $smdir/smdsa1.pem -signer $smdir/smdsa2.pem"
-          . " -stream -out test.cms",
-        "-verify -in test.cms " . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-"signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys",
-        "-sign -in smcont.txt"
-          . " -signer $smdir/smrsa1.pem -signer $smdir/smrsa2.pem"
-          . " -signer $smdir/smdsa1.pem -signer $smdir/smdsa2.pem"
-          . " -stream -out test.cms",
-        "-verify -in test.cms " . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "enveloped content test streaming S/MIME format, 3 recipients",
-        "-encrypt -in smcont.txt"
-          . " -stream -out test.cms"
-          . " $smdir/smrsa1.pem $smdir/smrsa2.pem $smdir/smrsa3.pem ",
-        "-decrypt -recip $smdir/smrsa1.pem -in test.cms -out smtst.txt"
-    ],
-
-    [
-"enveloped content test streaming S/MIME format, 3 recipients, 3rd used",
-        "-encrypt -in smcont.txt"
-          . " -stream -out test.cms"
-          . " $smdir/smrsa1.pem $smdir/smrsa2.pem $smdir/smrsa3.pem ",
-        "-decrypt -recip $smdir/smrsa3.pem -in test.cms -out smtst.txt"
-    ],
-
-    [
-"enveloped content test streaming S/MIME format, 3 recipients, key only used",
-        "-encrypt -in smcont.txt"
-          . " -stream -out test.cms"
-          . " $smdir/smrsa1.pem $smdir/smrsa2.pem $smdir/smrsa3.pem ",
-        "-decrypt -inkey $smdir/smrsa3.pem -in test.cms -out smtst.txt"
-    ],
-
-    [
-"enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
-        "-encrypt -in smcont.txt"
-          . " -aes256 -stream -out test.cms"
-          . " $smdir/smrsa1.pem $smdir/smrsa2.pem $smdir/smrsa3.pem ",
-        "-decrypt -recip $smdir/smrsa1.pem -in test.cms -out smtst.txt"
-    ],
-
-);
-
-my @smime_cms_tests = (
-
-    [
-        "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid",
-        "-sign -in smcont.txt -outform \"DER\" -nodetach -keyid"
-          . " -signer $smdir/smrsa1.pem -signer $smdir/smrsa2.pem"
-          . " -signer $smdir/smdsa1.pem -signer $smdir/smdsa2.pem"
-          . " -stream -out test.cms",
-        "-verify -in test.cms -inform \"DER\" "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed content test streaming PEM format, 2 DSA and 2 RSA keys",
-        "-sign -in smcont.txt -outform PEM -nodetach"
-          . " -signer $smdir/smrsa1.pem -signer $smdir/smrsa2.pem"
-          . " -signer $smdir/smdsa1.pem -signer $smdir/smdsa2.pem"
-          . " -stream -out test.cms",
-        "-verify -in test.cms -inform PEM "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed content MIME format, RSA key, signed receipt request",
-        "-sign -in smcont.txt -signer $smdir/smrsa1.pem -nodetach"
-          . " -receipt_request_to test\@openssl.org -receipt_request_all"
-          . " -out test.cms",
-        "-verify -in test.cms "
-          . " \"-CAfile\" $smdir/smroot.pem -out smtst.txt"
-    ],
-
-    [
-        "signed receipt MIME format, RSA key",
-        "-sign_receipt -in test.cms"
-          . " -signer $smdir/smrsa2.pem"
-          . " -out test2.cms",
-        "-verify_receipt test2.cms -in test.cms"
-          . " \"-CAfile\" $smdir/smroot.pem"
-    ],
-
-    [
-        "enveloped content test streaming S/MIME format, 3 recipients, keyid",
-        "-encrypt -in smcont.txt"
-          . " -stream -out test.cms -keyid"
-          . " $smdir/smrsa1.pem $smdir/smrsa2.pem $smdir/smrsa3.pem ",
-        "-decrypt -recip $smdir/smrsa1.pem -in test.cms -out smtst.txt"
-    ],
-
-    [
-        "enveloped content test streaming PEM format, KEK",
-        "-encrypt -in smcont.txt -outform PEM -aes128"
-          . " -stream -out test.cms "
-          . " -secretkey 000102030405060708090A0B0C0D0E0F "
-          . " -secretkeyid C0FEE0",
-        "-decrypt -in test.cms -out smtst.txt -inform PEM"
-          . " -secretkey 000102030405060708090A0B0C0D0E0F "
-          . " -secretkeyid C0FEE0"
-    ],
-
-    [
-        "enveloped content test streaming PEM format, KEK, key only",
-        "-encrypt -in smcont.txt -outform PEM -aes128"
-          . " -stream -out test.cms "
-          . " -secretkey 000102030405060708090A0B0C0D0E0F "
-          . " -secretkeyid C0FEE0",
-        "-decrypt -in test.cms -out smtst.txt -inform PEM"
-          . " -secretkey 000102030405060708090A0B0C0D0E0F "
-    ],
-
-    [
-        "data content test streaming PEM format",
-        "-data_create -in smcont.txt -outform PEM -nodetach"
-          . " -stream -out test.cms",
-        "-data_out -in test.cms -inform PEM -out smtst.txt"
-    ],
-
-    [
-        "encrypted content test streaming PEM format, 128 bit RC2 key",
-        "\"-EncryptedData_encrypt\" -in smcont.txt -outform PEM"
-          . " -rc2 -secretkey 000102030405060708090A0B0C0D0E0F"
-          . " -stream -out test.cms",
-        "\"-EncryptedData_decrypt\" -in test.cms -inform PEM "
-          . " -secretkey 000102030405060708090A0B0C0D0E0F -out smtst.txt"
-    ],
-
-    [
-        "encrypted content test streaming PEM format, 40 bit RC2 key",
-        "\"-EncryptedData_encrypt\" -in smcont.txt -outform PEM"
-          . " -rc2 -secretkey 0001020304"
-          . " -stream -out test.cms",
-        "\"-EncryptedData_decrypt\" -in test.cms -inform PEM "
-          . " -secretkey 0001020304 -out smtst.txt"
-    ],
-
-    [
-        "encrypted content test streaming PEM format, triple DES key",
-        "\"-EncryptedData_encrypt\" -in smcont.txt -outform PEM"
-          . " -des3 -secretkey 000102030405060708090A0B0C0D0E0F1011121314151617"
-          . " -stream -out test.cms",
-        "\"-EncryptedData_decrypt\" -in test.cms -inform PEM "
-          . " -secretkey 000102030405060708090A0B0C0D0E0F1011121314151617"
-          . " -out smtst.txt"
-    ],
-
-    [
-        "encrypted content test streaming PEM format, 128 bit AES key",
-        "\"-EncryptedData_encrypt\" -in smcont.txt -outform PEM"
-          . " -aes128 -secretkey 000102030405060708090A0B0C0D0E0F"
-          . " -stream -out test.cms",
-        "\"-EncryptedData_decrypt\" -in test.cms -inform PEM "
-          . " -secretkey 000102030405060708090A0B0C0D0E0F -out smtst.txt"
-    ],
-
-);
-
-my @smime_cms_comp_tests = (
-
-    [
-        "compressed content test streaming PEM format",
-        "-compress -in smcont.txt -outform PEM -nodetach"
-          . " -stream -out test.cms",
-        "-uncompress -in test.cms -inform PEM -out smtst.txt"
-    ]
-
-);
-
-print "CMS => PKCS#7 compatibility tests\n";
-
-run_smime_tests( \$badcmd, \@smime_pkcs7_tests, $cmscmd, $pk7cmd );
-
-print "CMS <= PKCS#7 compatibility tests\n";
-
-run_smime_tests( \$badcmd, \@smime_pkcs7_tests, $pk7cmd, $cmscmd );
-
-print "CMS <=> CMS consistency tests\n";
-
-run_smime_tests( \$badcmd, \@smime_pkcs7_tests, $cmscmd, $cmscmd );
-run_smime_tests( \$badcmd, \@smime_cms_tests,   $cmscmd, $cmscmd );
-
-if ( `$ossl_path version -f` =~ /ZLIB/ ) {
-    run_smime_tests( \$badcmd, \@smime_cms_comp_tests, $cmscmd, $cmscmd );
-}
-else {
-    print "Zlib not supported: compression tests skipped\n";
-}
-
-print "Running modified tests for OpenSSL 0.9.8 cms backport\n" if($ossl8);
-
-if ($badcmd) {
-    print "$badcmd TESTS FAILED!!\n";
-}
-else {
-    print "ALL TESTS SUCCESSFUL.\n";
-}
-
-unlink "test.cms";
-unlink "test2.cms";
-unlink "smtst.txt";
-unlink "cms.out";
-unlink "cms.err";
-
-sub run_smime_tests {
-    my ( $rv, $aref, $scmd, $vcmd ) = @_;
-
-    foreach $smtst (@$aref) {
-        my ( $tnam, $rscmd, $rvcmd ) = @$smtst;
-        if ($ossl8)
-                {
-                # Skip smime resign: 0.9.8 smime doesn't support -resign        
-                next if ($scmd =~ /smime/ && $rscmd =~ /-resign/);
-                # Disable streaming: option not supported in 0.9.8
-                $tnam =~ s/streaming//; 
-                $rscmd =~ s/-stream//;  
-                $rvcmd =~ s/-stream//;
-                }
-        system("$scmd$rscmd$redir");
-        if ($?) {
-            print "$tnam: generation error\n";
-            $$rv++;
-            exit 1 if $halt_err;
-            next;
-        }
-        system("$vcmd$rvcmd$redir");
-        if ($?) {
-            print "$tnam: verify error\n";
-            $$rv++;
-            exit 1 if $halt_err;
-            next;
-        }
-        if (!cmp_files("smtst.txt", "smcont.txt")) {
-            print "$tnam: content verify error\n";
-            $$rv++;
-            exit 1 if $halt_err;
-            next;
-        }
-        print "$tnam: OK\n";
-    }
-}
-
-sub cmp_files {
-    use FileHandle;
-    my ( $f1, $f2 ) = @_;
-    my $fp1 = FileHandle->new();
-    my $fp2 = FileHandle->new();
-
-    my ( $rd1, $rd2 );
-
-    if ( !open( $fp1, "<$f1" ) ) {
-        print STDERR "Can't Open file $f1\n";
-        return 0;
-    }
-
-    if ( !open( $fp2, "<$f2" ) ) {
-        print STDERR "Can't Open file $f2\n";
-        return 0;
-    }
-
-    binmode $fp1;
-    binmode $fp2;
-
-    my $ret = 0;
-
-    for ( ; ; ) {
-        $n1 = sysread $fp1, $rd1, 4096;
-        $n2 = sysread $fp2, $rd2, 4096;
-        last if ( $n1 != $n2 );
-        last if ( $rd1 ne $rd2 );
-
-        if ( $n1 == 0 ) {
-            $ret = 1;
-            last;
-        }
-
-    }
-
-    close $fp1;
-    close $fp2;
-
-    return $ret;
-
-}
-
diff --git a/src/lib/libssl/test/pkcs7-1.pem b/src/lib/libssl/test/pkcs7-1.pem
deleted file mode 100644
index c47b27af88..0000000000
--- a/src/lib/libssl/test/pkcs7-1.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN PKCS7-----
-MIICUAYJKoZIhvcNAQcCoIICQTCCAj0CAQExDjAMBggqhkiG9w0CAgUAMCgGCSqG
-SIb3DQEHAaAbBBlFdmVyeW9uZSBnZXRzIEZyaWRheSBvZmYuoIIBXjCCAVowggEE
-AgQUAAApMA0GCSqGSIb3DQEBAgUAMCwxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRF
-eGFtcGxlIE9yZ2FuaXphdGlvbjAeFw05MjA5MDkyMjE4MDZaFw05NDA5MDkyMjE4
-MDVaMEIxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlv
-bjEUMBIGA1UEAxMLVGVzdCBVc2VyIDEwWzANBgkqhkiG9w0BAQEFAANKADBHAkAK
-ZnkdxpiBaN56t3QZu3+wwAHGJxAnAHUUKULhmo2MUdBTs+N4Kh3l3Fr06+mUaBcB
-FKHf5nzcmpr1XWVWILurAgMBAAEwDQYJKoZIhvcNAQECBQADQQBFGqHhqncgSl/N
-9XYGnQL3MsJvNnsNV4puZPOakR9Hld8JlDQFEaDR30ogsmp3TMrvdfxpLlTCoZN8
-BxEmnZsWMYGbMIGYAgEBMDQwLDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEV4YW1w
-bGUgT3JnYW5pemF0aW9uAgQUAAApMAwGCCqGSIb3DQICBQAwDQYJKoZIhvcNAQEB
-BQAEQAX6aoEvx9+L9PJUJQngPoRuEbnGIL4gCe+0QO+8xmkhaZSsBPNBtX0FIC1C
-j7Kie1x339mxW/w9VZNTUDQQweHh
------END PKCS7-----
diff --git a/src/lib/libssl/test/pkcs7.pem b/src/lib/libssl/test/pkcs7.pem
deleted file mode 100644
index d55c60b94e..0000000000
--- a/src/lib/libssl/test/pkcs7.pem
+++ /dev/null
@@ -1,54 +0,0 @@
-     MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCAMIIE+DCCBGGg
-     AwIBAgIQaGSF/JpbS1C223+yrc+N1DANBgkqhkiG9w0BAQQFADBiMREwDwYDVQQH
-     EwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsTK1Zl
-     cmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwHhcNOTYw
-     ODEyMDAwMDAwWhcNOTYwODE3MjM1OTU5WjCCASAxETAPBgNVBAcTCEludGVybmV0
-     MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
-     c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjE3MDUGA1UECxMuRGlnaXRh
-     bCBJRCBDbGFzcyAxIC0gU01JTUUgVmVyaVNpZ24sIEluYy4gVEVTVDFGMEQGA1UE
-     CxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L0NQUyBJbmNvcnAuIGJ5IFJl
-     Zi4sTElBQi5MVEQoYyk5NjEZMBcGA1UEAxMQQWxleGFuZHJlIERlYWNvbjEgMB4G
-     CSqGSIb3DQEJARYRYWxleEB2ZXJpc2lnbi5jb20wWzANBgkqhkiG9w0BAQEFAANK
-     ADBHAkAOy7xxCAIkOfuIA2LyRpxgKlDORl8htdXYhF5iBGUx1GYaK6KF+bK/CCI0
-     l4j2OfWGFBUrwGoWqxTNcWgTfMzRAgMBAAGjggIyMIICLjAJBgNVHRMEAjAAMIIC
-     HwYDVR0DBIICFjCCAhIwggIOMIICCgYLYIZIAYb4RQEHAQEwggH5FoIBp1RoaXMg
-     Y2VydGlmaWNhdGUgaW5jb3Jwb3JhdGVzIGJ5IHJlZmVyZW5jZSwgYW5kIGl0cyB1
-     c2UgaXMgc3RyaWN0bHkgc3ViamVjdCB0bywgdGhlIFZlcmlTaWduIENlcnRpZmlj
-     YXRpb24gUHJhY3RpY2UgU3RhdGVtZW50IChDUFMpLCBhdmFpbGFibGUgYXQ6IGh0
-     dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9DUFM7IGJ5IEUtbWFpbCBhdCBDUFMtcmVx
-     dWVzdHNAdmVyaXNpZ24uY29tOyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMu
-     LCAyNTkzIENvYXN0IEF2ZS4sIE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBU
-     ZWwuICsxICg0MTUpIDk2MS04ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2ln
-     biwgSW5jLiAgQWxsIFJpZ2h0cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVT
-     IERJU0NMQUlNRUQgYW5kIExJQUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcB
-     AQGhDgYMYIZIAYb4RQEHAQECMCwwKhYoaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
-     L3JlcG9zaXRvcnkvQ1BTIDANBgkqhkiG9w0BAQQFAAOBgQAimWMGQwwwxk+b3KAL
-     HlSWXtU7LWHe29CEG8XeVNTvrqs6SBqT7OoENOkGxpfdpVgZ3Qw2SKjxDvbvpfSF
-     slsqcxWSgB/hWuaVuZCkvTw/dYGGOxkTJGxvDCfl1PZjX4dKbatslsi9Z9HpGWT7
-     ttItRwKqcBKgmCJvKi1pGWED0zCCAnkwggHioAMCAQICEDURpVKQb+fQKaRAGdQR
-     /D4wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlT
-     aWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcnRp
-     ZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDYyNzAwMDAwMFoXDTk3MDYyNzIzNTk1
-     OVowYjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMu
-     MTQwMgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJz
-     Y3JpYmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2FKbPTdAFDdjKI9Bv
-     qrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7jW80GqLd5HUQq7XPy
-     sVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cariQPJUObwW7s987Lrb
-     P2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABozMwMTAPBgNVHRMECDAGAQH/AgEBMAsG
-     A1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADgYEA
-     KeXHoBmnbxRCgk0jM9e9mDppdxpsipIna/J8DOHEUuD4nONAr4+xOg73SBl026n7
-     Bk55A2wvAMGo7+kKTZ+rHaFDDcmq4O+rzFri2RIOeGAncj1IcGptAQhvXoIhFMG4
-     Jlzg1KlHZHqy7D3jex78zcSU7kKOu8f5tAX1jC3+sToAAKGAMIIBJzCBkTANBgkq
-     hkiG9w0BAQIFADBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNp
-     Z24sIEluYy4xNDAyBgNVBAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlk
-     dWFsIFN1YnNjcmliZXIXDTk2MDcwMTE3MzA0MFoXDTk3MDcwMTAwMDAwMFowDQYJ
-     KoZIhvcNAQECBQADgYEAGLuQ6PX8A7AiqBEtWzYtl6lZNSDI0bR5YUo+D2Jzkw30
-     dxQnJSbKXEc6XYuzAW5HvrzATXu5c19WWPT4cRDwmjH71i9QcDysWwf/wE0qGTiW
-     I3tQT0I5VGh7jIJD07nlBw3R4Xl8dH9kr85JsWinqDH5YKpIo9o8knY5n7+qjOow
-     ggEkMIGOMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5W
-     ZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMSBQdWJsaWMgUHJpbWFyeSBD
-     ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eRcNOTYwNzE2MjMxMTI5WhcNOTYwODE1MDAw
-     MDAwWjANBgkqhkiG9w0BAQIFAAOBgQAXsLE4vnsY6sY67QrmWec7iaU2ehzxanEK
-     /9wKHZNuhlNzk+qGZZw2evxfUe2OaRbYpl8zuZvhK9BHD3ad14OSe9/zx5hOPgP/
-     DQXt6R4R8Q/1JheBrolrgbavjvI2wKS8/Psp2prBrkF4T48+AKRmS8Zzh1guxgvP
-     b+xSu/jH0gAAMYAAAAAAAAAAAA==
diff --git a/src/lib/libssl/test/pkits-test.pl b/src/lib/libssl/test/pkits-test.pl
deleted file mode 100644
index f10da008c0..0000000000
--- a/src/lib/libssl/test/pkits-test.pl
+++ /dev/null
@@ -1,949 +0,0 @@
-# test/pkits-test.pl
-# Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-# project.
-#
-# ====================================================================
-# Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-#
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in
-#    the documentation and/or other materials provided with the
-#    distribution.
-#
-# 3. All advertising materials mentioning features or use of this
-#    software must display the following acknowledgment:
-#    "This product includes software developed by the OpenSSL Project
-#    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-#
-# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-#    endorse or promote products derived from this software without
-#    prior written permission. For written permission, please contact
-#    licensing@OpenSSL.org.
-#
-# 5. Products derived from this software may not be called "OpenSSL"
-#    nor may "OpenSSL" appear in their names without prior written
-#    permission of the OpenSSL Project.
-#
-# 6. Redistributions of any form whatsoever must retain the following
-#    acknowledgment:
-#    "This product includes software developed by the OpenSSL Project
-#    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-#
-# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-# OF THE POSSIBILITY OF SUCH DAMAGE.
-# ====================================================================
-
-# Perl utility to run PKITS tests for RFC3280 compliance. 
-
-my $ossl_path;
-
-if ( -f "../apps/openssl" ) {
-    $ossl_path = "../util/shlib_wrap.sh ../apps/openssl";
-}
-elsif ( -f "..\\out32dll\\openssl.exe" ) {
-    $ossl_path = "..\\out32dll\\openssl.exe";
-}
-elsif ( -f "..\\out32\\openssl.exe" ) {
-    $ossl_path = "..\\out32\\openssl.exe";
-}
-else {
-    die "Can't find OpenSSL executable";
-}
-
-my $pkitsdir = "pkits/smime";
-my $pkitsta = "pkits/certs/TrustAnchorRootCertificate.crt";
-
-die "Can't find PKITS test data" if !-d $pkitsdir;
-
-my $nist1 = "2.16.840.1.101.3.2.1.48.1";
-my $nist2 = "2.16.840.1.101.3.2.1.48.2";
-my $nist3 = "2.16.840.1.101.3.2.1.48.3";
-my $nist4 = "2.16.840.1.101.3.2.1.48.4";
-my $nist5 = "2.16.840.1.101.3.2.1.48.5";
-my $nist6 = "2.16.840.1.101.3.2.1.48.6";
-
-my $apolicy = "X509v3 Any Policy";
-
-# This table contains the chapter headings of the accompanying PKITS
-# document. They provide useful informational output and their names
-# can be converted into the filename to test.
-
-my @testlists = (
-    [ "4.1", "Signature Verification" ],
-    [ "4.1.1", "Valid Signatures Test1",                        0 ],
-    [ "4.1.2", "Invalid CA Signature Test2",                    7 ],
-    [ "4.1.3", "Invalid EE Signature Test3",                    7 ],
-    [ "4.1.4", "Valid DSA Signatures Test4",                    0 ],
-    [ "4.1.5", "Valid DSA Parameter Inheritance Test5",         0 ],
-    [ "4.1.6", "Invalid DSA Signature Test6",                   7 ],
-    [ "4.2",   "Validity Periods" ],
-    [ "4.2.1", "Invalid CA notBefore Date Test1",               9 ],
-    [ "4.2.2", "Invalid EE notBefore Date Test2",               9 ],
-    [ "4.2.3", "Valid pre2000 UTC notBefore Date Test3",        0 ],
-    [ "4.2.4", "Valid GeneralizedTime notBefore Date Test4",    0 ],
-    [ "4.2.5", "Invalid CA notAfter Date Test5",                10 ],
-    [ "4.2.6", "Invalid EE notAfter Date Test6",                10 ],
-    [ "4.2.7", "Invalid pre2000 UTC EE notAfter Date Test7",    10 ],
-    [ "4.2.8", "Valid GeneralizedTime notAfter Date Test8",     0 ],
-    [ "4.3",   "Verifying Name Chaining" ],
-    [ "4.3.1", "Invalid Name Chaining EE Test1",                20 ],
-    [ "4.3.2", "Invalid Name Chaining Order Test2",             20 ],
-    [ "4.3.3", "Valid Name Chaining Whitespace Test3",          0 ],
-    [ "4.3.4", "Valid Name Chaining Whitespace Test4",          0 ],
-    [ "4.3.5", "Valid Name Chaining Capitalization Test5",      0 ],
-    [ "4.3.6", "Valid Name Chaining UIDs Test6",                0 ],
-    [ "4.3.7", "Valid RFC3280 Mandatory Attribute Types Test7", 0 ],
-    [ "4.3.8", "Valid RFC3280 Optional Attribute Types Test8",  0 ],
-    [ "4.3.9", "Valid UTF8String Encoded Names Test9",          0 ],
-    [ "4.3.10", "Valid Rollover from PrintableString to UTF8String Test10", 0 ],
-    [ "4.3.11", "Valid UTF8String Case Insensitive Match Test11",           0 ],
-    [ "4.4",    "Basic Certificate Revocation Tests" ],
-    [ "4.4.1",  "Missing CRL Test1",                                        3 ],
-    [ "4.4.2", "Invalid Revoked CA Test2",          23 ],
-    [ "4.4.3", "Invalid Revoked EE Test3",          23 ],
-    [ "4.4.4", "Invalid Bad CRL Signature Test4",   8 ],
-    [ "4.4.5", "Invalid Bad CRL Issuer Name Test5", 3 ],
-    [ "4.4.6", "Invalid Wrong CRL Test6",           3 ],
-    [ "4.4.7", "Valid Two CRLs Test7",              0 ],
-
-    # The test document suggests these should return certificate revoked...
-    # Subsequent discussion has concluded they should not due to unhandled
-    # critical CRL extensions.
-    [ "4.4.8", "Invalid Unknown CRL Entry Extension Test8", 36 ],
-    [ "4.4.9", "Invalid Unknown CRL Extension Test9",       36 ],
-
-    [ "4.4.10", "Invalid Unknown CRL Extension Test10",             36 ],
-    [ "4.4.11", "Invalid Old CRL nextUpdate Test11",                12 ],
-    [ "4.4.12", "Invalid pre2000 CRL nextUpdate Test12",            12 ],
-    [ "4.4.13", "Valid GeneralizedTime CRL nextUpdate Test13",      0 ],
-    [ "4.4.14", "Valid Negative Serial Number Test14",              0 ],
-    [ "4.4.15", "Invalid Negative Serial Number Test15",            23 ],
-    [ "4.4.16", "Valid Long Serial Number Test16",                  0 ],
-    [ "4.4.17", "Valid Long Serial Number Test17",                  0 ],
-    [ "4.4.18", "Invalid Long Serial Number Test18",                23 ],
-    [ "4.4.19", "Valid Separate Certificate and CRL Keys Test19",   0 ],
-    [ "4.4.20", "Invalid Separate Certificate and CRL Keys Test20", 23 ],
-
-    # CRL path is revoked so get a CRL path validation error
-    [ "4.4.21", "Invalid Separate Certificate and CRL Keys Test21",      54 ],
-    [ "4.5",    "Verifying Paths with Self-Issued Certificates" ],
-    [ "4.5.1",  "Valid Basic Self-Issued Old With New Test1",            0 ],
-    [ "4.5.2",  "Invalid Basic Self-Issued Old With New Test2",          23 ],
-    [ "4.5.3",  "Valid Basic Self-Issued New With Old Test3",            0 ],
-    [ "4.5.4",  "Valid Basic Self-Issued New With Old Test4",            0 ],
-    [ "4.5.5",  "Invalid Basic Self-Issued New With Old Test5",          23 ],
-    [ "4.5.6",  "Valid Basic Self-Issued CRL Signing Key Test6",         0 ],
-    [ "4.5.7",  "Invalid Basic Self-Issued CRL Signing Key Test7",       23 ],
-    [ "4.5.8",  "Invalid Basic Self-Issued CRL Signing Key Test8",       20 ],
-    [ "4.6",    "Verifying Basic Constraints" ],
-    [ "4.6.1",  "Invalid Missing basicConstraints Test1",                24 ],
-    [ "4.6.2",  "Invalid cA False Test2",                                24 ],
-    [ "4.6.3",  "Invalid cA False Test3",                                24 ],
-    [ "4.6.4",  "Valid basicConstraints Not Critical Test4",             0 ],
-    [ "4.6.5",  "Invalid pathLenConstraint Test5",                       25 ],
-    [ "4.6.6",  "Invalid pathLenConstraint Test6",                       25 ],
-    [ "4.6.7",  "Valid pathLenConstraint Test7",                         0 ],
-    [ "4.6.8",  "Valid pathLenConstraint Test8",                         0 ],
-    [ "4.6.9",  "Invalid pathLenConstraint Test9",                       25 ],
-    [ "4.6.10", "Invalid pathLenConstraint Test10",                      25 ],
-    [ "4.6.11", "Invalid pathLenConstraint Test11",                      25 ],
-    [ "4.6.12", "Invalid pathLenConstraint Test12",                      25 ],
-    [ "4.6.13", "Valid pathLenConstraint Test13",                        0 ],
-    [ "4.6.14", "Valid pathLenConstraint Test14",                        0 ],
-    [ "4.6.15", "Valid Self-Issued pathLenConstraint Test15",            0 ],
-    [ "4.6.16", "Invalid Self-Issued pathLenConstraint Test16",          25 ],
-    [ "4.6.17", "Valid Self-Issued pathLenConstraint Test17",            0 ],
-    [ "4.7",    "Key Usage" ],
-    [ "4.7.1",  "Invalid keyUsage Critical keyCertSign False Test1",     20 ],
-    [ "4.7.2",  "Invalid keyUsage Not Critical keyCertSign False Test2", 20 ],
-    [ "4.7.3",  "Valid keyUsage Not Critical Test3",                     0 ],
-    [ "4.7.4",  "Invalid keyUsage Critical cRLSign False Test4",         35 ],
-    [ "4.7.5",  "Invalid keyUsage Not Critical cRLSign False Test5",     35 ],
-
-    # Certificate policy tests need special handling. They can have several
-    # sub tests and we need to check the outputs are correct.
-
-    [ "4.8", "Certificate Policies" ],
-    [
-        "4.8.1.1",
-        "All Certificates Same Policy Test1",
-        "-policy anyPolicy -explicit_policy",
-        "True", $nist1, $nist1, 0
-    ],
-    [
-        "4.8.1.2",
-        "All Certificates Same Policy Test1",
-        "-policy $nist1 -explicit_policy",
-        "True", $nist1, $nist1, 0
-    ],
-    [
-        "4.8.1.3",
-        "All Certificates Same Policy Test1",
-        "-policy $nist2 -explicit_policy",
-        "True", $nist1, "<empty>", 43
-    ],
-    [
-        "4.8.1.4",
-        "All Certificates Same Policy Test1",
-        "-policy $nist1 -policy $nist2 -explicit_policy",
-        "True", $nist1, $nist1, 0
-    ],
-    [
-        "4.8.2.1",
-        "All Certificates No Policies Test2",
-        "-policy anyPolicy",
-        "False", "<empty>", "<empty>", 0
-    ],
-    [
-        "4.8.2.2",
-        "All Certificates No Policies Test2",
-        "-policy anyPolicy -explicit_policy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.3.1",
-        "Different Policies Test3",
-        "-policy anyPolicy",
-        "False", "<empty>", "<empty>", 0
-    ],
-    [
-        "4.8.3.2",
-        "Different Policies Test3",
-        "-policy anyPolicy -explicit_policy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.3.3",
-        "Different Policies Test3",
-        "-policy $nist1 -policy $nist2 -explicit_policy",
-        "True", "<empty>", "<empty>", 43
-    ],
-
-    [
-        "4.8.4",
-        "Different Policies Test4",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.5",
-        "Different Policies Test5",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.6.1",
-        "Overlapping Policies Test6",
-        "-policy anyPolicy",
-        "True", $nist1, $nist1, 0
-    ],
-    [
-        "4.8.6.2",
-        "Overlapping Policies Test6",
-        "-policy $nist1",
-        "True", $nist1, $nist1, 0
-    ],
-    [
-        "4.8.6.3",
-        "Overlapping Policies Test6",
-        "-policy $nist2",
-        "True", $nist1, "<empty>", 43
-    ],
-    [
-        "4.8.7",
-        "Different Policies Test7",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.8",
-        "Different Policies Test8",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.9",
-        "Different Policies Test9",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.10.1",
-        "All Certificates Same Policies Test10",
-        "-policy $nist1",
-        "True", "$nist1:$nist2", "$nist1", 0
-    ],
-    [
-        "4.8.10.2",
-        "All Certificates Same Policies Test10",
-        "-policy $nist2",
-        "True", "$nist1:$nist2", "$nist2", 0
-    ],
-    [
-        "4.8.10.3",
-        "All Certificates Same Policies Test10",
-        "-policy anyPolicy",
-        "True", "$nist1:$nist2", "$nist1:$nist2", 0
-    ],
-    [
-        "4.8.11.1",
-        "All Certificates AnyPolicy Test11",
-        "-policy anyPolicy",
-        "True", "$apolicy", "$apolicy", 0
-    ],
-    [
-        "4.8.11.2",
-        "All Certificates AnyPolicy Test11",
-        "-policy $nist1",
-        "True", "$apolicy", "$nist1", 0
-    ],
-    [
-        "4.8.12",
-        "Different Policies Test12",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.8.13.1",
-        "All Certificates Same Policies Test13",
-        "-policy $nist1",
-        "True", "$nist1:$nist2:$nist3", "$nist1", 0
-    ],
-    [
-        "4.8.13.2",
-        "All Certificates Same Policies Test13",
-        "-policy $nist2",
-        "True", "$nist1:$nist2:$nist3", "$nist2", 0
-    ],
-    [
-        "4.8.13.3",
-        "All Certificates Same Policies Test13",
-        "-policy $nist3",
-        "True", "$nist1:$nist2:$nist3", "$nist3", 0
-    ],
-    [
-        "4.8.14.1",       "AnyPolicy Test14",
-        "-policy $nist1", "True",
-        "$nist1",         "$nist1",
-        0
-    ],
-    [
-        "4.8.14.2",       "AnyPolicy Test14",
-        "-policy $nist2", "True",
-        "$nist1",         "<empty>",
-        43
-    ],
-    [
-        "4.8.15",
-        "User Notice Qualifier Test15",
-        "-policy anyPolicy",
-        "False", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.8.16",
-        "User Notice Qualifier Test16",
-        "-policy anyPolicy",
-        "False", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.8.17",
-        "User Notice Qualifier Test17",
-        "-policy anyPolicy",
-        "False", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.8.18.1",
-        "User Notice Qualifier Test18",
-        "-policy $nist1",
-        "True", "$nist1:$nist2", "$nist1", 0
-    ],
-    [
-        "4.8.18.2",
-        "User Notice Qualifier Test18",
-        "-policy $nist2",
-        "True", "$nist1:$nist2", "$nist2", 0
-    ],
-    [
-        "4.8.19",
-        "User Notice Qualifier Test19",
-        "-policy anyPolicy",
-        "False", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.8.20",
-        "CPS Pointer Qualifier Test20",
-        "-policy anyPolicy -explicit_policy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [ "4.9", "Require Explicit Policy" ],
-    [
-        "4.9.1",
-        "Valid RequireExplicitPolicy Test1",
-        "-policy anyPolicy",
-        "False", "<empty>", "<empty>", 0
-    ],
-    [
-        "4.9.2",
-        "Valid RequireExplicitPolicy Test2",
-        "-policy anyPolicy",
-        "False", "<empty>", "<empty>", 0
-    ],
-    [
-        "4.9.3",
-        "Invalid RequireExplicitPolicy Test3",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.9.4",
-        "Valid RequireExplicitPolicy Test4",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.9.5",
-        "Invalid RequireExplicitPolicy Test5",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.9.6",
-        "Valid Self-Issued requireExplicitPolicy Test6",
-        "-policy anyPolicy",
-        "False", "<empty>", "<empty>", 0
-    ],
-    [
-        "4.9.7",
-        "Invalid Self-Issued requireExplicitPolicy Test7",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.9.8",
-        "Invalid Self-Issued requireExplicitPolicy Test8",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [ "4.10", "Policy Mappings" ],
-    [
-        "4.10.1.1",
-        "Valid Policy Mapping Test1",
-        "-policy $nist1",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.10.1.2",
-        "Valid Policy Mapping Test1",
-        "-policy $nist2",
-        "True", "$nist1", "<empty>", 43
-    ],
-    [
-        "4.10.1.3",
-        "Valid Policy Mapping Test1",
-        "-policy anyPolicy -inhibit_map",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.10.2.1",
-        "Invalid Policy Mapping Test2",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.10.2.2",
-        "Invalid Policy Mapping Test2",
-        "-policy anyPolicy -inhibit_map",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.10.3.1",
-        "Valid Policy Mapping Test3",
-        "-policy $nist1",
-        "True", "$nist2", "<empty>", 43
-    ],
-    [
-        "4.10.3.2",
-        "Valid Policy Mapping Test3",
-        "-policy $nist2",
-        "True", "$nist2", "$nist2", 0
-    ],
-    [
-        "4.10.4",
-        "Invalid Policy Mapping Test4",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.10.5.1",
-        "Valid Policy Mapping Test5",
-        "-policy $nist1",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.10.5.2",
-        "Valid Policy Mapping Test5",
-        "-policy $nist6",
-        "True", "$nist1", "<empty>", 43
-    ],
-    [
-        "4.10.6.1",
-        "Valid Policy Mapping Test6",
-        "-policy $nist1",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.10.6.2",
-        "Valid Policy Mapping Test6",
-        "-policy $nist6",
-        "True", "$nist1", "<empty>", 43
-    ],
-    [ "4.10.7", "Invalid Mapping From anyPolicy Test7", 42 ],
-    [ "4.10.8", "Invalid Mapping To anyPolicy Test8",   42 ],
-    [
-        "4.10.9",
-        "Valid Policy Mapping Test9",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.10.10",
-        "Invalid Policy Mapping Test10",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.10.11",
-        "Valid Policy Mapping Test11",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-
-    # TODO: check notice display
-    [
-        "4.10.12.1",
-        "Valid Policy Mapping Test12",
-        "-policy $nist1",
-        "True", "$nist1:$nist2", "$nist1", 0
-    ],
-
-    # TODO: check notice display
-    [
-        "4.10.12.2",
-        "Valid Policy Mapping Test12",
-        "-policy $nist2",
-        "True", "$nist1:$nist2", "$nist2", 0
-    ],
-    [
-        "4.10.13",
-        "Valid Policy Mapping Test13",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-
-    # TODO: check notice display
-    [
-        "4.10.14",
-        "Valid Policy Mapping Test14",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [ "4.11", "Inhibit Policy Mapping" ],
-    [
-        "4.11.1",
-        "Invalid inhibitPolicyMapping Test1",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.2",
-        "Valid inhibitPolicyMapping Test2",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.11.3",
-        "Invalid inhibitPolicyMapping Test3",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.4",
-        "Valid inhibitPolicyMapping Test4",
-        "-policy anyPolicy",
-        "True", "$nist2", "$nist2", 0
-    ],
-    [
-        "4.11.5",
-        "Invalid inhibitPolicyMapping Test5",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.6",
-        "Invalid inhibitPolicyMapping Test6",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.7",
-        "Valid Self-Issued inhibitPolicyMapping Test7",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.11.8",
-        "Invalid Self-Issued inhibitPolicyMapping Test8",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.9",
-        "Invalid Self-Issued inhibitPolicyMapping Test9",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.10",
-        "Invalid Self-Issued inhibitPolicyMapping Test10",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.11.11",
-        "Invalid Self-Issued inhibitPolicyMapping Test11",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [ "4.12", "Inhibit Any Policy" ],
-    [
-        "4.12.1",
-        "Invalid inhibitAnyPolicy Test1",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.12.2",
-        "Valid inhibitAnyPolicy Test2",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.12.3.1",
-        "inhibitAnyPolicy Test3",
-        "-policy anyPolicy",
-        "True", "$nist1", "$nist1", 0
-    ],
-    [
-        "4.12.3.2",
-        "inhibitAnyPolicy Test3",
-        "-policy anyPolicy -inhibit_any",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.12.4",
-        "Invalid inhibitAnyPolicy Test4",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.12.5",
-        "Invalid inhibitAnyPolicy Test5",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [
-        "4.12.6",
-        "Invalid inhibitAnyPolicy Test6",
-        "-policy anyPolicy",
-        "True", "<empty>", "<empty>", 43
-    ],
-    [ "4.12.7",  "Valid Self-Issued inhibitAnyPolicy Test7",      0 ],
-    [ "4.12.8",  "Invalid Self-Issued inhibitAnyPolicy Test8",    43 ],
-    [ "4.12.9",  "Valid Self-Issued inhibitAnyPolicy Test9",      0 ],
-    [ "4.12.10", "Invalid Self-Issued inhibitAnyPolicy Test10",   43 ],
-    [ "4.13",    "Name Constraints" ],
-    [ "4.13.1",  "Valid DN nameConstraints Test1",                0 ],
-    [ "4.13.2",  "Invalid DN nameConstraints Test2",              47 ],
-    [ "4.13.3",  "Invalid DN nameConstraints Test3",              47 ],
-    [ "4.13.4",  "Valid DN nameConstraints Test4",                0 ],
-    [ "4.13.5",  "Valid DN nameConstraints Test5",                0 ],
-    [ "4.13.6",  "Valid DN nameConstraints Test6",                0 ],
-    [ "4.13.7",  "Invalid DN nameConstraints Test7",              48 ],
-    [ "4.13.8",  "Invalid DN nameConstraints Test8",              48 ],
-    [ "4.13.9",  "Invalid DN nameConstraints Test9",              48 ],
-    [ "4.13.10", "Invalid DN nameConstraints Test10",             48 ],
-    [ "4.13.11", "Valid DN nameConstraints Test11",               0 ],
-    [ "4.13.12", "Invalid DN nameConstraints Test12",             47 ],
-    [ "4.13.13", "Invalid DN nameConstraints Test13",             47 ],
-    [ "4.13.14", "Valid DN nameConstraints Test14",               0 ],
-    [ "4.13.15", "Invalid DN nameConstraints Test15",             48 ],
-    [ "4.13.16", "Invalid DN nameConstraints Test16",             48 ],
-    [ "4.13.17", "Invalid DN nameConstraints Test17",             48 ],
-    [ "4.13.18", "Valid DN nameConstraints Test18",               0 ],
-    [ "4.13.19", "Valid Self-Issued DN nameConstraints Test19",   0 ],
-    [ "4.13.20", "Invalid Self-Issued DN nameConstraints Test20", 47 ],
-    [ "4.13.21", "Valid RFC822 nameConstraints Test21",           0 ],
-    [ "4.13.22", "Invalid RFC822 nameConstraints Test22",         47 ],
-    [ "4.13.23", "Valid RFC822 nameConstraints Test23",           0 ],
-    [ "4.13.24", "Invalid RFC822 nameConstraints Test24",         47 ],
-    [ "4.13.25", "Valid RFC822 nameConstraints Test25",           0 ],
-    [ "4.13.26", "Invalid RFC822 nameConstraints Test26",         48 ],
-    [ "4.13.27", "Valid DN and RFC822 nameConstraints Test27",    0 ],
-    [ "4.13.28", "Invalid DN and RFC822 nameConstraints Test28",  47 ],
-    [ "4.13.29", "Invalid DN and RFC822 nameConstraints Test29",  47 ],
-    [ "4.13.30", "Valid DNS nameConstraints Test30",              0 ],
-    [ "4.13.31", "Invalid DNS nameConstraints Test31",            47 ],
-    [ "4.13.32", "Valid DNS nameConstraints Test32",              0 ],
-    [ "4.13.33", "Invalid DNS nameConstraints Test33",            48 ],
-    [ "4.13.34", "Valid URI nameConstraints Test34",              0 ],
-    [ "4.13.35", "Invalid URI nameConstraints Test35",            47 ],
-    [ "4.13.36", "Valid URI nameConstraints Test36",              0 ],
-    [ "4.13.37", "Invalid URI nameConstraints Test37",            48 ],
-    [ "4.13.38", "Invalid DNS nameConstraints Test38",            47 ],
-    [ "4.14",    "Distribution Points" ],
-    [ "4.14.1",  "Valid distributionPoint Test1",                 0 ],
-    [ "4.14.2",  "Invalid distributionPoint Test2",               23 ],
-    [ "4.14.3",  "Invalid distributionPoint Test3",               44 ],
-    [ "4.14.4",  "Valid distributionPoint Test4",                 0 ],
-    [ "4.14.5",  "Valid distributionPoint Test5",                 0 ],
-    [ "4.14.6",  "Invalid distributionPoint Test6",               23 ],
-    [ "4.14.7",  "Valid distributionPoint Test7",                 0 ],
-    [ "4.14.8",  "Invalid distributionPoint Test8",               44 ],
-    [ "4.14.9",  "Invalid distributionPoint Test9",               44 ],
-    [ "4.14.10", "Valid No issuingDistributionPoint Test10",      0 ],
-    [ "4.14.11", "Invalid onlyContainsUserCerts CRL Test11",      44 ],
-    [ "4.14.12", "Invalid onlyContainsCACerts CRL Test12",        44 ],
-    [ "4.14.13", "Valid onlyContainsCACerts CRL Test13",          0 ],
-    [ "4.14.14", "Invalid onlyContainsAttributeCerts Test14",     44 ],
-    [ "4.14.15", "Invalid onlySomeReasons Test15",                23 ],
-    [ "4.14.16", "Invalid onlySomeReasons Test16",                23 ],
-    [ "4.14.17", "Invalid onlySomeReasons Test17",                3 ],
-    [ "4.14.18", "Valid onlySomeReasons Test18",                  0 ],
-    [ "4.14.19", "Valid onlySomeReasons Test19",                  0 ],
-    [ "4.14.20", "Invalid onlySomeReasons Test20",                23 ],
-    [ "4.14.21", "Invalid onlySomeReasons Test21",                23 ],
-    [ "4.14.22", "Valid IDP with indirectCRL Test22",             0 ],
-    [ "4.14.23", "Invalid IDP with indirectCRL Test23",           23 ],
-    [ "4.14.24", "Valid IDP with indirectCRL Test24",             0 ],
-    [ "4.14.25", "Valid IDP with indirectCRL Test25",             0 ],
-    [ "4.14.26", "Invalid IDP with indirectCRL Test26",           44 ],
-    [ "4.14.27", "Invalid cRLIssuer Test27",                      3 ],
-    [ "4.14.28", "Valid cRLIssuer Test28",                        0 ],
-    [ "4.14.29", "Valid cRLIssuer Test29",                        0 ],
-
-    # Although this test is valid it has a circular dependency. As a result
-    # an attempt is made to recursively check a CRL path and rejected due to
-    # a CRL path validation error. PKITS notes suggest this test does not
-    # need to be run due to this issue.
-    [ "4.14.30", "Valid cRLIssuer Test30",                                 54 ],
-    [ "4.14.31", "Invalid cRLIssuer Test31",                               23 ],
-    [ "4.14.32", "Invalid cRLIssuer Test32",                               23 ],
-    [ "4.14.33", "Valid cRLIssuer Test33",                                 0 ],
-    [ "4.14.34", "Invalid cRLIssuer Test34",                               23 ],
-    [ "4.14.35", "Invalid cRLIssuer Test35",                               44 ],
-    [ "4.15",    "Delta-CRLs" ],
-    [ "4.15.1",  "Invalid deltaCRLIndicator No Base Test1",                3 ],
-    [ "4.15.2",  "Valid delta-CRL Test2",                                  0 ],
-    [ "4.15.3",  "Invalid delta-CRL Test3",                                23 ],
-    [ "4.15.4",  "Invalid delta-CRL Test4",                                23 ],
-    [ "4.15.5",  "Valid delta-CRL Test5",                                  0 ],
-    [ "4.15.6",  "Invalid delta-CRL Test6",                                23 ],
-    [ "4.15.7",  "Valid delta-CRL Test7",                                  0 ],
-    [ "4.15.8",  "Valid delta-CRL Test8",                                  0 ],
-    [ "4.15.9",  "Invalid delta-CRL Test9",                                23 ],
-    [ "4.15.10", "Invalid delta-CRL Test10",                               12 ],
-    [ "4.16",    "Private Certificate Extensions" ],
-    [ "4.16.1",  "Valid Unknown Not Critical Certificate Extension Test1", 0 ],
-    [ "4.16.2",  "Invalid Unknown Critical Certificate Extension Test2",   34 ],
-);
-
-
-my $verbose = 1;
-
-my $numtest = 0;
-my $numfail = 0;
-
-my $ossl = "ossl/apps/openssl";
-
-my $ossl_cmd = "$ossl_path cms -verify -verify_retcode ";
-$ossl_cmd .= "-CAfile pkitsta.pem -crl_check_all -x509_strict ";
-
-# Check for expiry of trust anchor
-system "$ossl_path x509 -inform DER -in $pkitsta -checkend 0";
-if ($? == 256)
-        {
-        print STDERR "WARNING: using older expired data\n";
-        $ossl_cmd .= "-attime 1291940972 ";
-        }
-
-$ossl_cmd .= "-policy_check -extended_crl -use_deltas -out /dev/null 2>&1 ";
-
-system "$ossl_path x509 -inform DER -in $pkitsta -out pkitsta.pem";
-
-die "Can't create trust anchor file" if $?;
-
-print "Running PKITS tests:\n" if $verbose;
-
-foreach (@testlists) {
-    my $argnum = @$_;
-    if ( $argnum == 2 ) {
-        my ( $tnum, $title ) = @$_;
-        print "$tnum $title\n" if $verbose;
-    }
-    elsif ( $argnum == 3 ) {
-        my ( $tnum, $title, $exp_ret ) = @$_;
-        my $filename = $title;
-        $exp_ret += 32 if $exp_ret;
-        $filename =~ tr/ -//d;
-        $filename = "Signed${filename}.eml";
-        if ( !-f "$pkitsdir/$filename" ) {
-            print "\"$filename\" not found\n";
-        }
-        else {
-            my $ret;
-            my $test_fail = 0;
-            my $errmsg    = "";
-            my $cmd       = $ossl_cmd;
-            $cmd .= "-in $pkitsdir/$filename -policy anyPolicy";
-            my $cmdout = `$cmd`;
-            $ret = $? >> 8;
-            if ( $? & 0xff ) {
-                $errmsg .= "Abnormal OpenSSL termination\n";
-                $test_fail = 1;
-            }
-            if ( $exp_ret != $ret ) {
-                $errmsg .= "Return code:$ret, ";
-                $errmsg .= "expected $exp_ret\n";
-                $test_fail = 1;
-            }
-            if ($test_fail) {
-                print "$tnum $title : Failed!\n";
-                print "Filename: $pkitsdir/$filename\n";
-                print $errmsg;
-                print "Command output:\n$cmdout\n";
-                $numfail++;
-            }
-            $numtest++;
-        }
-    }
-    elsif ( $argnum == 7 ) {
-        my ( $tnum, $title, $exargs, $exp_epol, $exp_aset, $exp_uset, $exp_ret )
-          = @$_;
-        my $filename = $title;
-        $exp_ret += 32 if $exp_ret;
-        $filename =~ tr/ -//d;
-        $filename = "Signed${filename}.eml";
-        if ( !-f "$pkitsdir/$filename" ) {
-            print "\"$filename\" not found\n";
-        }
-        else {
-            my $ret;
-            my $cmdout    = "";
-            my $errmsg    = "";
-            my $epol      = "";
-            my $aset      = "";
-            my $uset      = "";
-            my $pol       = -1;
-            my $test_fail = 0;
-            my $cmd       = $ossl_cmd;
-            $cmd .= "-in $pkitsdir/$filename $exargs -policy_print";
-            @oparr = `$cmd`;
-            $ret   = $? >> 8;
-
-            if ( $? & 0xff ) {
-                $errmsg .= "Abnormal OpenSSL termination\n";
-                $test_fail = 1;
-            }
-            foreach (@oparr) {
-                my $test_failed = 0;
-                $cmdout .= $_;
-                if (/^Require explicit Policy: (.*)$/) {
-                    $epol = $1;
-                }
-                if (/^Authority Policies/) {
-                    if (/empty/) {
-                        $aset = "<empty>";
-                    }
-                    else {
-                        $pol = 1;
-                    }
-                }
-                $test_fail = 1 if (/leak/i);
-                if (/^User Policies/) {
-                    if (/empty/) {
-                        $uset = "<empty>";
-                    }
-                    else {
-                        $pol = 2;
-                    }
-                }
-                if (/\s+Policy: (.*)$/) {
-                    if ( $pol == 1 ) {
-                        $aset .= ":" if $aset ne "";
-                        $aset .= $1;
-                    }
-                    elsif ( $pol == 2 ) {
-                        $uset .= ":" if $uset ne "";
-                        $uset .= $1;
-                    }
-                }
-            }
-
-            if ( $epol ne $exp_epol ) {
-                $errmsg .= "Explicit policy:$epol, ";
-                $errmsg .= "expected $exp_epol\n";
-                $test_fail = 1;
-            }
-            if ( $aset ne $exp_aset ) {
-                $errmsg .= "Authority policy set :$aset, ";
-                $errmsg .= "expected $exp_aset\n";
-                $test_fail = 1;
-            }
-            if ( $uset ne $exp_uset ) {
-                $errmsg .= "User policy set :$uset, ";
-                $errmsg .= "expected $exp_uset\n";
-                $test_fail = 1;
-            }
-
-            if ( $exp_ret != $ret ) {
-                print "Return code:$ret, expected $exp_ret\n";
-                $test_fail = 1;
-            }
-
-            if ($test_fail) {
-                print "$tnum $title : Failed!\n";
-                print "Filename: $pkitsdir/$filename\n";
-                print "Command output:\n$cmdout\n";
-                $numfail++;
-            }
-            $numtest++;
-        }
-    }
-}
-
-if ($numfail) {
-    print "$numfail tests failed out of $numtest\n";
-}
-else {
-    print "All Tests Successful.\n";
-}
-
-unlink "pkitsta.pem";
-
diff --git a/src/lib/libssl/test/smcont.txt b/src/lib/libssl/test/smcont.txt
deleted file mode 100644
index e837c0b75b..0000000000
--- a/src/lib/libssl/test/smcont.txt
+++ /dev/null
@@ -1 +0,0 @@
-Some test content for OpenSSL CMS
\ No newline at end of file
diff --git a/src/lib/libssl/test/smime-certs/smdsa1.pem b/src/lib/libssl/test/smime-certs/smdsa1.pem
deleted file mode 100644
index d5677dbfbe..0000000000
--- a/src/lib/libssl/test/smime-certs/smdsa1.pem
+++ /dev/null
@@ -1,34 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
-SJCBQw5zAoGATQlPPF+OeU8nu3rsdXGDiZdJzOkuCce3KQfTABA9C+Dk4CVcvBdd
-YRLGpnykumkNTO1sTO+4/Gphsuje1ujK9td4UEhdYqylCe5QjEMrszDlJtelDQF9
-C0yhdjKGTP0kxofLhsGckcuQvcKEKffT2pDDKJIy4vWQO0UyJl1vjLcCFG2uiGGx
-9fMUZq1v0ePD4Wo0Xkxo
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsWMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBN
-CU88X455Tye7eux1cYOJl0nM6S4Jx7cpB9MAED0L4OTgJVy8F11hEsamfKS6aQ1M
-7WxM77j8amGy6N7W6Mr213hQSF1irKUJ7lCMQyuzMOUm16UNAX0LTKF2MoZM/STG
-h8uGwZyRy5C9woQp99PakMMokjLi9ZA7RTImXW+Mt6OBgzCBgDAdBgNVHQ4EFgQU
-4Qfbhpi5yqXaXuCLXj427mR25MkwHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
-c21pbWVkc2ExQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBAFrdUzKK1pWO
-kd02S423KUBc4GWWyiGlVoEO7WxVhHLJ8sm67X7OtJOwe0UGt+Nc5qLtyJYSirw8
-phjiTdNpQCTJ8+Kc56tWkJ6H7NAI4vTJtPL5BM/EmeYrVSU9JI9xhqpyKw9IBD+n
-hRJ79W9FaiJRvaAOX+TkyTukJrxAWRyv
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/smime-certs/smdsa2.pem b/src/lib/libssl/test/smime-certs/smdsa2.pem
deleted file mode 100644
index ef86c115d7..0000000000
--- a/src/lib/libssl/test/smime-certs/smdsa2.pem
+++ /dev/null
@@ -1,34 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
-SJCBQw5zAoGBAIPmO8BtJ+Yac58trrPwq9b/6VW3jQTWzTLWSH84/QQdqQa+Pz3v
-It/+hHM0daNF5uls8ICsPL1aLXmRx0pHvIyb0aAzYae4T4Jv/COPDMTdKbA1uitJ
-VbkGZrm+LIrs7I9lOkb4T0vI6kL/XdOCXY1469zsqCgJ/O2ibn6mq0nWAhR716o2
-Nf8SimTZYB0/CKje6M5ufA==
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDpTCCAw6gAwIBAgIJAMtotfHYdEsXMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhQACgYEA
-g+Y7wG0n5hpzny2us/Cr1v/pVbeNBNbNMtZIfzj9BB2pBr4/Pe8i3/6EczR1o0Xm
-6WzwgKw8vVoteZHHSke8jJvRoDNhp7hPgm/8I48MxN0psDW6K0lVuQZmub4siuzs
-j2U6RvhPS8jqQv9d04JdjXjr3OyoKAn87aJufqarSdajgYMwgYAwHQYDVR0OBBYE
-FHsAGNfVltSYUq4hC+YVYwsYtA+dMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcXdsab
-rWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMCAGA1UdEQQZMBeB
-FXNtaW1lZHNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCx9BtCbaYF
-FXjLClkuKXbESaDZA1biPgY25i00FsUzARuhCpqD2v+0tu5c33ZzIhL6xlvBRU5l
-6Atw/xpZhae+hdBEtxPJoGekLLrHOau7Md3XwDjV4lFgcEJkWZoaSOOIK+4D5jF0
-jZWtHjnwEzuLYlo7ScHSsbcQfjH0M1TP5A==
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/smime-certs/smdsa3.pem b/src/lib/libssl/test/smime-certs/smdsa3.pem
deleted file mode 100644
index eeb848dabc..0000000000
--- a/src/lib/libssl/test/smime-certs/smdsa3.pem
+++ /dev/null
@@ -1,34 +0,0 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
-SJCBQw5zAoGAYzOpPmh8Je1IDauEXhgaLz14wqYUHHcrj2VWVJ6fRm8GhdQFJSI7
-GUk08pgKZSKic2lNqxuzW7/vFxKQ/nvzfytY16b+2i+BR4Q6yvMzCebE1hHVg0Ju
-TwfUMwoFEOhYP6ZwHSUiQl9IBMH9TNJCMwYMxfY+VOrURFsjGTRUgpwCFQCIGt5g
-Y+XZd0Sv69CatDIRYWvaIA==
------END DSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsYMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBj
-M6k+aHwl7UgNq4ReGBovPXjCphQcdyuPZVZUnp9GbwaF1AUlIjsZSTTymAplIqJz
-aU2rG7Nbv+8XEpD+e/N/K1jXpv7aL4FHhDrK8zMJ5sTWEdWDQm5PB9QzCgUQ6Fg/
-pnAdJSJCX0gEwf1M0kIzBgzF9j5U6tREWyMZNFSCnKOBgzCBgDAdBgNVHQ4EFgQU
-VhpVXqQ/EzUMdxLvP7o9EhJ8h70wHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
-c21pbWVkc2EzQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBACM9e75EQa8m
-k/AZkH/tROqf3yeqijULl9x8FjFatqoY+29OM6oMGM425IqSkKd2ipz7OxO0SShu
-rE0O3edS7DvYBwvhWPviRaYBMyZ4iFJVup+fOzoYK/j/bASxS3BHQBwb2r4rhe25
-OlTyyFEk7DJyW18YFOG97S1P52oQ5f5x
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/smime-certs/smdsap.pem b/src/lib/libssl/test/smime-certs/smdsap.pem
deleted file mode 100644
index 249706c8c7..0000000000
--- a/src/lib/libssl/test/smime-certs/smdsap.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN DSA PARAMETERS-----
-MIIBHwKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3OjSG
-Lh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqtGcoA
-gsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2Jjt+d
-qk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qtwjqv
-Wp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK+FMO
-GnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4ZSJCB
-Qw5z
------END DSA PARAMETERS-----
diff --git a/src/lib/libssl/test/smime-certs/smroot.pem b/src/lib/libssl/test/smime-certs/smroot.pem
deleted file mode 100644
index a59eb2684c..0000000000
--- a/src/lib/libssl/test/smime-certs/smroot.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDBV1Z/Q5gPF7lojc8pKUdyz5+Jf2B3vs4he6egekugWnoJduki
-9Lnae/JchB/soIX0co3nLc11NuFFlnAWJNMDJr08l5AHAJLYNHevF5l/f9oDQwvZ
-speKh1xpIAJNqCTzVeQ/ZLx6/GccIXV/xDuKIiovqJTPgR5WPkYKaw++lQIDAQAB
-AoGALXnUj5SflJU4+B2652ydMKUjWl0KnL/VjkyejgGV/j6py8Ybaixz9q8Gv7oY
-JDlRqMC1HfZJCFQDQrHy5VJ+CywA/H9WrqKo/Ch9U4tJAZtkig1Cmay/BAYixVu0
-xBeim10aKF6hxHH4Chg9We+OCuzWBWJhqveNjuDedL/i7JUCQQDlejovcwBUCbhJ
-U12qKOwlaboolWbl7yF3XdckTJZg7+1UqQHZH5jYZlLZyZxiaC92SNV0SyTLJZnS
-Jh5CO+VDAkEA16/pPcuVtMMz/R6SSPpRSIAa1stLs0mFSs3NpR4pdm0n42mu05pO
-1tJEt3a1g7zkreQBf53+Dwb+lA841EkjRwJBAIFmt0DifKDnCkBu/jZh9SfzwsH3
-3Zpzik+hXxxdA7+ODCrdUul449vDd5zQD5t+XKU61QNLDGhxv5e9XvrCg7kCQH/a
-3ldsVF0oDaxxL+QkxoREtCQ5tLEd1u7F2q6Tl56FDE0pe6Ih6bQ8RtG+g9EI60IN
-U7oTrOO5kLWx5E0q4ccCQAZVgoenn9MhRU1agKOCuM6LT2DxReTu4XztJzynej+8
-0J93n3ebanB1MlRpn1XJwhQ7gAC8ImaQKLJK5jdJzFc=
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIICaTCCAdKgAwIBAgIJAP6VN47boiXRMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDdaFw0xNjA1MTExMzUzMDdaMEQx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRU
-ZXN0IFMvTUlNRSBSU0EgUm9vdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
-wVdWf0OYDxe5aI3PKSlHcs+fiX9gd77OIXunoHpLoFp6CXbpIvS52nvyXIQf7KCF
-9HKN5y3NdTbhRZZwFiTTAya9PJeQBwCS2DR3rxeZf3/aA0ML2bKXiodcaSACTagk
-81XkP2S8evxnHCF1f8Q7iiIqL6iUz4EeVj5GCmsPvpUCAwEAAaNjMGEwHQYDVR0O
-BBYEFBPPS6e7iS6zOFcXdsabrWhb5e0XMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcX
-dsabrWhb5e0XMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
-SIb3DQEBBQUAA4GBAIECprq5viDvnDbkyOaiSr9ubMUmWqvycfAJMdPZRKcOZczS
-l+L9R9lF3JSqbt3knOe9u6bGDBOTY2285PdCCuHRVMk2Af1f6El1fqAlRUwNqipp
-r68sWFuRqrcRNtk6QQvXfkOhrqQBuDa7te/OVQLa2lGN9Dr2mQsD8ijctatG
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/smime-certs/smrsa1.pem b/src/lib/libssl/test/smime-certs/smrsa1.pem
deleted file mode 100644
index 2cf3148e33..0000000000
--- a/src/lib/libssl/test/smime-certs/smrsa1.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQC6A978j4pmPgUtUQqF+bjh6vdhwGOGZSD7xXgFTMjm88twfv+E
-ixkq2KXSDjD0ZXoQbdOaSbvGRQrIJpG2NGiKAFdYNrP025kCCdh5wF/aEI7KLEm7
-JlHwXpQsuj4wkMgmkFjL3Ty4Z55aNH+2pPQIa0k+ENJXm2gDuhqgBmduAwIDAQAB
-AoGBAJMuYu51aO2THyeHGwt81uOytcCbqGP7eoib62ZOJhxPRGYjpmuqX+R9/V5i
-KiwGavm63JYUx0WO9YP+uIZxm1BUATzkgkS74u5LP6ajhkZh6/Bck1oIYYkbVOXl
-JVrdENuH6U7nupznsyYgONByo+ykFPVUGmutgiaC7NMVo/MxAkEA6KLejWXdCIEn
-xr7hGph9NlvY9xuRIMexRV/WrddcFfCdjI1PciIupgrIkR65M9yr7atm1iU6/aRf
-KOr8rLZsSQJBAMyyXN71NsDNx4BP6rtJ/LJMP0BylznWkA7zWfGCbAYn9VhZVlSY
-Eu9Gyr7quD1ix7G3kInKVYOEEOpockBLz+sCQQCedyMmKjcQLfpMVYW8uhbAynvW
-h36qV5yXZxszO7nMcCTBsxhk5IfmLv5EbCs3+p9avCDGyoGOeUMg+kC33WORAkAg
-oUIarH4o5+SoeJTTfCzTA0KF9H5U0vYt2+73h7HOnWoHxl3zqDZEfEVvf50U8/0f
-QELDJETTbScBJtsnkq43AkEA38etvoZ2i4FJvvo7R/9gWBHVEcrGzcsCBYrNnIR1
-SZLRwHEGaiOK1wxMsWzqp7PJwL9z/M8A8DyOFBx3GPOniA==
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIICizCCAfSgAwIBAgIJAMtotfHYdEsTMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBSU0EgIzEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
-ALoD3vyPimY+BS1RCoX5uOHq92HAY4ZlIPvFeAVMyObzy3B+/4SLGSrYpdIOMPRl
-ehBt05pJu8ZFCsgmkbY0aIoAV1g2s/TbmQIJ2HnAX9oQjsosSbsmUfBelCy6PjCQ
-yCaQWMvdPLhnnlo0f7ak9AhrST4Q0lebaAO6GqAGZ24DAgMBAAGjgYMwgYAwHQYD
-VR0OBBYEFE2vMvKz5jrC7Lbdg68XwZ95iL/QMB8GA1UdIwQYMBaAFBPPS6e7iS6z
-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
-EQQZMBeBFXNtaW1lcnNhMUBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQAi
-O3GOkUl646oLnOimc36i9wxZ1tejsqs8vMjJ0Pym6Uq9FE2JoGzJ6OhB1GOsEVmj
-9cQ5UNQcRYL3cqOFtl6f4Dpu/lhzfbaqgmLjv29G1mS0uuTZrixhlyCXjwcbOkNC
-I/+wvHHENYIK5+T/79M9LaZ2Qk4F9MNE1VMljdz9Qw==
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/smime-certs/smrsa2.pem b/src/lib/libssl/test/smime-certs/smrsa2.pem
deleted file mode 100644
index d41f69c82f..0000000000
--- a/src/lib/libssl/test/smime-certs/smrsa2.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQCwBfryW4Vu5U9wNIDKspJO/N9YF4CcTlrCUyzVlKgb+8urHlSe
-59i5verR9IOCCXkemjOzZ/3nALTGqYZlnEvHp0Rjk+KdKXnKBIB+SRPpeu3LcXMT
-WPgsThPa0UQxedNKG0g6aG+kLhsDlFBCoxd09jJtSpb9jmroJOq0ZYEHLwIDAQAB
-AoGAKa/w4677Je1W5+r3SYoLDnvi5TkDs4D3C6ipKJgBTEdQz+DqB4w/DpZE4551
-+rkFn1LDxcxuHGRVa+tAMhZW97fwq9YUbjVZEyOz79qrX+BMyl/NbHkf1lIKDo3q
-dWalzQvop7nbzeLC+VmmviwZfLQUbA61AQl3jm4dswT4XykCQQDloDadEv/28NTx
-bvvywvyGuvJkCkEIycm4JrIInvwsd76h/chZ3oymrqzc7hkEtK6kThqlS5y+WXl6
-QzPruTKTAkEAxD2ro/VUoN+scIVaLmn0RBmZ67+9Pdn6pNSfjlK3s0T0EM6/iUWS
-M06l6L9wFS3/ceu1tIifsh9BeqOGTa+udQJARIFnybTBaIqw/NZ/lA1YCVn8tpvY
-iyaoZ6gjtS65TQrsdKeh/i3HCHNUXxUpoZ3F/H7QtD+6o49ODou+EbVOwQJAVmex
-A2gp8wuJKaINqxIL81AybZLnCCzKJ3lXJ5tUNyLNM/lUbGStktm2Q1zHRQwTxV07
-jFn7trn8YrtNjzcjYQJAUKIJRt38A8Jw3HoPT+D0WS2IgxjVL0eYGsZX1lyeammG
-6rfnQ3u5uP7mEK2EH2o8mDUpAE0gclWBU9UkKxJsGA==
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIICizCCAfSgAwIBAgIJAMtotfHYdEsUMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBSU0EgIzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
-ALAF+vJbhW7lT3A0gMqykk7831gXgJxOWsJTLNWUqBv7y6seVJ7n2Lm96tH0g4IJ
-eR6aM7Nn/ecAtMaphmWcS8enRGOT4p0pecoEgH5JE+l67ctxcxNY+CxOE9rRRDF5
-00obSDpob6QuGwOUUEKjF3T2Mm1Klv2Oaugk6rRlgQcvAgMBAAGjgYMwgYAwHQYD
-VR0OBBYEFIL/u+mEvaw7RuKLRuElfVkxSQjYMB8GA1UdIwQYMBaAFBPPS6e7iS6z
-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
-EQQZMBeBFXNtaW1lcnNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQC2
-rXR5bm/9RtOMQPleNpd3y6uUX3oy+0CafK5Yl3PMnItjjnKJ0l1/DbLbDj2twehe
-ewaB8CROcBCA3AMLSmGvPKgUCFMGtWam3328M4fBHzon5ka7qDXzM+imkAly/Yx2
-YNdR/aNOug+5sXygHmTSKqiCpQjOIClzXoPVVeEVHw==
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/smime-certs/smrsa3.pem b/src/lib/libssl/test/smime-certs/smrsa3.pem
deleted file mode 100644
index c8cbe55151..0000000000
--- a/src/lib/libssl/test/smime-certs/smrsa3.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC6syTZtZNe1hRScFc4PUVyVLsr7+C1HDIZnOHmwFoLayX6RHwy
-ep/TkdwiPHnemVLuwvpSjLMLZkXy/J764kSHJrNeVl3UvmCVCOm40hAtK1+F39pM
-h8phkbPPD7i+hwq4/Vs79o46nzwbVKmzgoZBJhZ+codujUSYM3LjJ4aq+wIDAQAB
-AoGAE1Zixrnr3bLGwBMqtYSDIOhtyos59whImCaLr17U9MHQWS+mvYO98if1aQZi
-iQ/QazJ+wvYXxWJ+dEB+JvYwqrGeuAU6He/rAb4OShG4FPVU2D19gzRnaButWMeT
-/1lgXV08hegGBL7RQNaN7b0viFYMcKnSghleMP0/q+Y/oaECQQDkXEwDYJW13X9p
-ijS20ykWdY5lLknjkHRhhOYux0rlhOqsyMZjoUmwI2m0qj9yrIysKhrk4MZaM/uC
-hy0xp3hdAkEA0Uv/UY0Kwsgc+W6YxeypECtg1qCE6FBib8n4iFy/6VcWqhvE5xrs
-OdhKv9/p6aLjLneGd1sU+F8eS9LGyKIbNwJBAJPgbNzXA7uUZriqZb5qeTXxBDfj
-RLfXSHYKAKEULxz3+JvRHB9SR4yHMiFrCdExiZrHXUkPgYLSHLGG5a4824UCQD6T
-9XvhquUARkGCAuWy0/3Eqoihp/t6BWSdQ9Upviu7YUhtUxsyXo0REZB7F4pGrJx5
-GlhXgFaewgUzuUHFzlMCQCzJMMWslWpoLntnR6sMhBMhBFHSw+Y5CbxBmFrdtSkd
-VdtNO1VuDCTxjjW7W3Khj7LX4KZ1ye/5jfAgnnnXisc=
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIICizCCAfSgAwIBAgIJAMtotfHYdEsVMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
-ZXN0IFMvTUlNRSBFRSBSU0EgIzMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
-ALqzJNm1k17WFFJwVzg9RXJUuyvv4LUcMhmc4ebAWgtrJfpEfDJ6n9OR3CI8ed6Z
-Uu7C+lKMswtmRfL8nvriRIcms15WXdS+YJUI6bjSEC0rX4Xf2kyHymGRs88PuL6H
-Crj9Wzv2jjqfPBtUqbOChkEmFn5yh26NRJgzcuMnhqr7AgMBAAGjgYMwgYAwHQYD
-VR0OBBYEFDsSFjNtYZzd0tTHafNS7tneQQj6MB8GA1UdIwQYMBaAFBPPS6e7iS6z
-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
-EQQZMBeBFXNtaW1lcnNhM0BvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQBE
-tUDB+1Dqigu4p1xtdq7JRK6S+gfA7RWmhz0j2scb2zhpS12h37JLHsidGeKAzZYq
-jUjOrH/j3xcV5AnuJoqImJaN23nzzxtR4qGGX2mrq6EtObzdEGgCUaizsGM+0slJ
-PYxcy8KeY/63B1BpYhj2RjGkL6HrvuAaxVORa3acoA==
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
deleted file mode 100644
index 055269eab8..0000000000
--- a/src/lib/libssl/test/tcrl
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/sh
-
-cmd='../util/shlib_wrap.sh ../apps/openssl crl'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testcrl.pem
-fi
-
-echo testing crl conversions
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/test.cnf b/src/lib/libssl/test/test.cnf
deleted file mode 100644
index 10834442a1..0000000000
--- a/src/lib/libssl/test/test.cnf
+++ /dev/null
@@ -1,88 +0,0 @@
-#
-# SSLeay example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-RANDFILE                = ./.rnd
-
-####################################################################
-[ ca ]
-default_ca      = CA_default            # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir             = ./demoCA              # Where everything is kept
-certs           = $dir/certs            # Where the issued certs are kept
-crl_dir         = $dir/crl              # Where the issued crl are kept
-database        = $dir/index.txt        # database index file.
-new_certs_dir   = $dir/new_certs        # default place for new certs.
-
-certificate     = $dir/CAcert.pem       # The CA certificate
-serial          = $dir/serial           # The current serial number
-crl             = $dir/crl.pem          # The current CRL
-private_key     = $dir/private/CAkey.pem# The private key
-RANDFILE        = $dir/private/.rand    # private random number file
-
-default_days    = 365                   # how long to certify for
-default_crl_days= 30                    # how long before next CRL
-default_md      = md5                   # which md to use.
-
-# A few difference way of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy          = policy_match
-
-# For the CA policy
-[ policy_match ]
-countryName             = match
-stateOrProvinceName     = match
-organizationName        = match
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-# For the 'anything' policy
-# At this point in time, you must list all acceptable 'object'
-# types.
-[ policy_anything ]
-countryName             = optional
-stateOrProvinceName     = optional
-localityName            = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-
-####################################################################
-[ req ]
-default_bits            = 1024
-default_keyfile         = testkey.pem
-distinguished_name      = req_distinguished_name
-encrypt_rsa_key         = no
-
-[ req_distinguished_name ]
-countryName                     = Country Name (2 letter code)
-countryName_default             = AU
-countryName_value               = AU
-
-stateOrProvinceName             = State or Province Name (full name)
-stateOrProvinceName_default     = Queensland
-stateOrProvinceName_value       =
-
-localityName                    = Locality Name (eg, city)
-localityName_value              = Brisbane
-
-organizationName                = Organization Name (eg, company)
-organizationName_default        = 
-organizationName_value          = CryptSoft Pty Ltd
-
-organizationalUnitName          = Organizational Unit Name (eg, section)
-organizationalUnitName_default  =
-organizationalUnitName_value    = .
-
-commonName                      = Common Name (eg, YOUR name)
-commonName_value                = Eric Young
-
-emailAddress                    = Email Address
-emailAddress_value              = eay@mincom.oz.au
diff --git a/src/lib/libssl/test/test_aesni b/src/lib/libssl/test/test_aesni
deleted file mode 100644
index e8fb63ee2b..0000000000
--- a/src/lib/libssl/test/test_aesni
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/sh
-
-PROG=$1
-
-if [ -x $PROG ]; then
-    if expr "x`$PROG version`" : "xOpenSSL" > /dev/null; then
-        :
-    else
-        echo "$PROG is not OpenSSL executable"
-        exit 1
-    fi
-else
-    echo "$PROG is not executable"
-    exit 1;
-fi
-
-if $PROG engine aesni | grep -v no-aesni; then
-
-    HASH=`cat $PROG | $PROG dgst -hex`
-
-    AES_ALGS="  aes-128-ecb aes-192-ecb aes-256-ecb \
-                aes-128-cbc aes-192-cbc aes-256-cbc \
-                aes-128-cfb aes-192-cfb aes-256-cfb \
-                aes-128-ofb aes-192-ofb aes-256-ofb"
-    BUFSIZE="16 32 48 64 80 96 128 144 999"
-
-    nerr=0
-
-    for alg in $AES_ALGS; do
-        echo $alg
-        for bufsize in $BUFSIZE; do
-            TEST=`(     cat $PROG | \
-                $PROG enc -e -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \
-                $PROG enc -d -k "$HASH" -$alg | \
-                $PROG dgst -hex ) 2>/dev/null`
-            if [ "$TEST" != "$HASH" ]; then
-                echo "-$alg/$bufsize encrypt test failed"
-                nerr=`expr $nerr + 1`
-            fi
-        done
-        for bufsize in $BUFSIZE; do 
-            TEST=`(     cat $PROG | \
-                $PROG enc -e -k "$HASH" -$alg | \
-                $PROG enc -d -k "$HASH" -$alg -bufsize $bufsize -engine aesni | \
-                $PROG dgst -hex ) 2>/dev/null`
-            if [ "$TEST" != "$HASH" ]; then
-                echo "-$alg/$bufsize decrypt test failed"
-                nerr=`expr $nerr + 1`
-            fi
-        done
-        TEST=`( cat $PROG | \
-                $PROG enc -e -k "$HASH" -$alg -engine aesni | \
-                $PROG enc -d -k "$HASH" -$alg -engine aesni | \
-                $PROG dgst -hex ) 2>/dev/null`
-        if [ "$TEST" != "$HASH" ]; then
-                echo "-$alg en/decrypt test failed"
-                nerr=`expr $nerr + 1`
-        fi
-    done
-
-    if [ $nerr -gt 0 ]; then
-        echo "AESNI engine test failed."
-        exit 1;
-    fi
-else
-    echo "AESNI engine is not available"
-fi
-
-exit 0
diff --git a/src/lib/libssl/test/test_padlock b/src/lib/libssl/test/test_padlock
deleted file mode 100755
index 5c0f21043c..0000000000
--- a/src/lib/libssl/test/test_padlock
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/sh
-
-PROG=$1
-
-if [ -x $PROG ]; then
-    if expr "x`$PROG version`" : "xOpenSSL" > /dev/null; then
-        :
-    else
-        echo "$PROG is not OpenSSL executable"
-        exit 1
-    fi
-else
-    echo "$PROG is not executable"
-    exit 1;
-fi
-
-if $PROG engine padlock | grep -v no-ACE; then
-
-    HASH=`cat $PROG | $PROG dgst -hex`
-
-    ACE_ALGS="  aes-128-ecb aes-192-ecb aes-256-ecb \
-                aes-128-cbc aes-192-cbc aes-256-cbc \
-                aes-128-cfb aes-192-cfb aes-256-cfb \
-                aes-128-ofb aes-192-ofb aes-256-ofb"
-
-    nerr=0
-
-    for alg in $ACE_ALGS; do
-        echo $alg
-        TEST=`( cat $PROG | \
-                $PROG enc -e -k "$HASH" -$alg -bufsize 999 -engine padlock | \
-                $PROG enc -d -k "$HASH" -$alg | \
-                $PROG dgst -hex ) 2>/dev/null`
-        if [ "$TEST" != "$HASH" ]; then
-                echo "-$alg encrypt test failed"
-                nerr=`expr $nerr + 1`
-        fi
-        TEST=`( cat $PROG | \
-                $PROG enc -e -k "$HASH" -$alg | \
-                $PROG enc -d -k "$HASH" -$alg -bufsize 999 -engine padlock | \
-                $PROG dgst -hex ) 2>/dev/null`
-        if [ "$TEST" != "$HASH" ]; then
-                echo "-$alg decrypt test failed"
-                nerr=`expr $nerr + 1`
-        fi
-        TEST=`( cat $PROG | \
-                $PROG enc -e -k "$HASH" -$alg -engine padlock | \
-                $PROG enc -d -k "$HASH" -$alg -engine padlock | \
-                $PROG dgst -hex ) 2>/dev/null`
-        if [ "$TEST" != "$HASH" ]; then
-                echo "-$alg en/decrypt test failed"
-                nerr=`expr $nerr + 1`
-        fi
-    done
-
-    if [ $nerr -gt 0 ]; then
-        echo "PadLock ACE test failed."
-        exit 1;
-    fi
-else
-    echo "PadLock ACE is not available"
-fi
-
-exit 0
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
deleted file mode 100644
index b109cfe271..0000000000
--- a/src/lib/libssl/test/testca
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/sh
-
-SH="/bin/sh"
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH="../apps\;$PATH"
-else
-    PATH="../apps:$PATH"
-fi
-export SH PATH
-
-SSLEAY_CONFIG="-config CAss.cnf"
-export SSLEAY_CONFIG
-
-OPENSSL="`pwd`/../util/opensslwrap.sh"
-export OPENSSL
-
-/bin/rm -fr demoCA
-$SH ../apps/CA.sh -newca <<EOF
-EOF
-
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-SSLEAY_CONFIG="-config Uss.cnf"
-export SSLEAY_CONFIG
-$SH ../apps/CA.sh -newreq
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-
-SSLEAY_CONFIG="-config ../apps/openssl.cnf"
-export SSLEAY_CONFIG
-$SH ../apps/CA.sh -sign  <<EOF
-y
-y
-EOF
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-
-$SH ../apps/CA.sh -verify newcert.pem
-if [ $? != 0 ]; then
-        exit 1;
-fi
-
-/bin/rm -fr demoCA newcert.pem newreq.pem
-#usage: CA -newcert|-newreq|-newca|-sign|-verify
-
diff --git a/src/lib/libssl/test/testcrl.pem b/src/lib/libssl/test/testcrl.pem
deleted file mode 100644
index 0989788354..0000000000
--- a/src/lib/libssl/test/testcrl.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN X509 CRL-----
-MIICjTCCAfowDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxIDAeBgNVBAoT
-F1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2VydmVy
-IENlcnRpZmljYXRpb24gQXV0aG9yaXR5Fw05NTA1MDIwMjEyMjZaFw05NTA2MDEw
-MDAxNDlaMIIBaDAWAgUCQQAABBcNOTUwMjAxMTcyNDI2WjAWAgUCQQAACRcNOTUw
-MjEwMDIxNjM5WjAWAgUCQQAADxcNOTUwMjI0MDAxMjQ5WjAWAgUCQQAADBcNOTUw
-MjI1MDA0NjQ0WjAWAgUCQQAAGxcNOTUwMzEzMTg0MDQ5WjAWAgUCQQAAFhcNOTUw
-MzE1MTkxNjU0WjAWAgUCQQAAGhcNOTUwMzE1MTk0MDQxWjAWAgUCQQAAHxcNOTUw
-MzI0MTk0NDMzWjAWAgUCcgAABRcNOTUwMzI5MjAwNzExWjAWAgUCcgAAERcNOTUw
-MzMwMDIzNDI2WjAWAgUCQQAAIBcNOTUwNDA3MDExMzIxWjAWAgUCcgAAHhcNOTUw
-NDA4MDAwMjU5WjAWAgUCcgAAQRcNOTUwNDI4MTcxNzI0WjAWAgUCcgAAOBcNOTUw
-NDI4MTcyNzIxWjAWAgUCcgAATBcNOTUwNTAyMDIxMjI2WjANBgkqhkiG9w0BAQIF
-AAN+AHqOEJXSDejYy0UwxxrH/9+N2z5xu/if0J6qQmK92W0hW158wpJg+ovV3+wQ
-wvIEPRL2rocL0tKfAsVq1IawSJzSNgxG0lrcla3MrJBnZ4GaZDu4FutZh72MR3Gt
-JaAL3iTJHJD55kK2D/VoyY1djlsPuNh6AEgdVwFAyp0v
------END X509 CRL-----
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
deleted file mode 100644
index f5ce7c0c45..0000000000
--- a/src/lib/libssl/test/testenc
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-
-testsrc=Makefile
-test=./p
-cmd="../util/shlib_wrap.sh ../apps/openssl"
-
-cat $testsrc >$test;
-
-echo cat
-$cmd enc < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
-cmp $test $test.clear
-if [ $? != 0 ]
-then
-        exit 1
-else
-        /bin/rm $test.cipher $test.clear
-fi
-echo base64
-$cmd enc -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
-cmp $test $test.clear
-if [ $? != 0 ]
-then
-        exit 1
-else
-        /bin/rm $test.cipher $test.clear
-fi
-
-for i in `$cmd list-cipher-commands`
-do
-        echo $i
-        $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
-        cmp $test $test.$i.clear
-        if [ $? != 0 ]
-        then
-                exit 1
-        else
-                /bin/rm $test.$i.cipher $test.$i.clear
-        fi
-
-        echo $i base64
-        $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
-        cmp $test $test.$i.clear
-        if [ $? != 0 ]
-        then
-                exit 1
-        else
-                /bin/rm $test.$i.cipher $test.$i.clear
-        fi
-done
-rm -f $test
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
deleted file mode 100644
index 524c0d134c..0000000000
--- a/src/lib/libssl/test/testgen
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh
-
-T=testcert
-KEY=512
-CA=../certs/testca.pem
-
-/bin/rm -f $T.1 $T.2 $T.key
-
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH=../apps\;$PATH;
-else
-    PATH=../apps:$PATH;
-fi
-export PATH
-
-echo "generating certificate request"
-
-echo "string to make the random number generator think it has entropy" >> ./.rnd
-
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  req_new='-newkey dsa:../apps/dsa512.pem'
-else
-  req_new='-new'
-  echo "There should be a 2 sequences of .'s and some +'s."
-  echo "There should not be more that at most 80 per line"
-fi
-
-echo "This could take some time."
-
-rm -f testkey.pem testreq.pem
-
-../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
-if [ $? != 0 ]; then
-echo problems creating request
-exit 1
-fi
-
-../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
-if [ $? != 0 ]; then
-echo signature on req is wrong
-exit 1
-fi
-
-exit 0
diff --git a/src/lib/libssl/test/testp7.pem b/src/lib/libssl/test/testp7.pem
deleted file mode 100644
index e5b7866c31..0000000000
--- a/src/lib/libssl/test/testp7.pem
+++ /dev/null
@@ -1,46 +0,0 @@
------BEGIN PKCS7-----
-MIIIGAYJKoZIhvcNAQcCoIIICTCCCAUCAQExADALBgkqhkiG9w0BBwGgggY8MIIE
-cjCCBBygAwIBAgIQeS+OJfWJUZAx6cX0eAiMjzANBgkqhkiG9w0BAQQFADBiMREw
-DwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNV
-BAsTK1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIw
-HhcNOTYwNzE5MDAwMDAwWhcNOTcwMzMwMjM1OTU5WjCB1TERMA8GA1UEBxMISW50
-ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJpU2ln
-biBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMSgwJgYDVQQLEx9E
-aWdpdGFsIElEIENsYXNzIDEgLSBTTUlNRSBUZXN0MUcwRQYDVQQLEz53d3cudmVy
-aXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMCBJbmMuIGJ5IFJlZi4sTElBQi5M
-VEQoYyk5NjBbMA0GCSqGSIb3DQEBAQUAA0oAMEcCQA7LvHEIAiQ5+4gDYvJGnGAq
-UM5GXyG11diEXmIEZTHUZhorooX5sr8IIjSXiPY59YYUFSvAaharFM1xaBN8zNEC
-AwEAAaOCAjkwggI1MAkGA1UdEwQCMAAwggImBgNVHQMEggIdMIICGTCCAhUwggIR
-BgtghkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0
-ZXMgYnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0
-IHRvLCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1l
-bnQgKENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29t
-L0NQUy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29t
-OyBvciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4s
-IE1vdW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04
-ODMwIENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0
-cyBSZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJ
-QUJJTElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQEC
-MC8wLRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEu
-AzANBgkqhkiG9w0BAQQFAANBAMCYDuSb/eIlYSxY31nZZTaCZkCSfHjlacMofExr
-cF+A2yHoEuT+eCQkqM0pMNHXddUeoQ9RjV+VuMBNmm63DUYwggHCMIIBbKADAgEC
-AhB8CYTq1bkRFJBYOd67cp9JMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVT
-MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBD
-QTAeFw05NjA3MTcwMDAwMDBaFw05NzA3MTcyMzU5NTlaMGIxETAPBgNVBAcTCElu
-dGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNp
-Z24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjBcMA0GCSqGSIb3
-DQEBAQUAA0sAMEgCQQDsVzrNgnDhbAJZrWeLd9g1vMZJA2W67D33TTbga6yMt+ES
-TWEywhS6RNP+fzLGg7utinjH4tL60cXa0G27GDsLAgMBAAGjIjAgMAsGA1UdDwQE
-AwIBBjARBglghkgBhvhCAQEEBAMCAgQwDQYJKoZIhvcNAQECBQADQQAUp6bRwkaD
-2d1MBs/mjUcgTI2fXVmW8tTm/Ud6OzUwpC3vYgybiOOA4f6mOC5dbyUHrLOsrihU
-47ZQ0Jo1DUfboYIBrTCBwTBtMA0GCSqGSIb3DQEBAgUAMD4xCzAJBgNVBAYTAlVT
-MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEWMBQGA1UECxMNVEVTVCBSb290IFBD
-QRcNOTYwNzE3MTc0NDA5WhcNOTgwNzE3MDAwMDAwWjANBgkqhkiG9w0BAQIFAANB
-AHitA0/xAukCjHzeh1AMT/l2oC68N+yFb+aJPHBBMxc6gG2MaKjBNwb5hcXUllMl
-ExONA3ju10f7owIq3s3wx10wgeYwgZEwDQYJKoZIhvcNAQECBQAwYjERMA8GA1UE
-BxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytW
-ZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyFw05NjA3
-MTcxNzU5MjlaFw05NzA3MTgwMDAwMDBaMA0GCSqGSIb3DQEBAgUAA0EAubVWYTsW
-sQmste9f+UgMw8BkjDlM25fwQLrCfmmnLxjewey10kSROypUaJLb+r4oRALc0fG9
-XfZsaiiIgotQHjEA
------END PKCS7-----
diff --git a/src/lib/libssl/test/testreq2.pem b/src/lib/libssl/test/testreq2.pem
deleted file mode 100644
index c3cdcffcbc..0000000000
--- a/src/lib/libssl/test/testreq2.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN CERTIFICATE REQUEST-----
-MIHaMIGFAgEAMA4xDDAKBgNVBAMTA2NuNDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgC
-QQCQsnkyUGDY2R3mYoeTprFJKgWuJ3f1jUjlIuW5+wfAUoeMt35c4vcFZ2mIBpEG
-DtzkNQN1kr2O9ldm9zYnYhyhAgMBAAGgEjAQBgorBgEEAYI3AgEOMQIwADANBgkq
-hkiG9w0BAQQFAANBAAb2szZgVIxg3vK6kYLjGSBISyuzcXJ6IvuPW6M+yzi1Qgoi
-gQhazHTJp91T8ItZEzUJGZSZl2e5iXlnffWB+/U=
------END CERTIFICATE REQUEST-----
diff --git a/src/lib/libssl/test/testrsa.pem b/src/lib/libssl/test/testrsa.pem
deleted file mode 100644
index aad21067a8..0000000000
--- a/src/lib/libssl/test/testrsa.pem
+++ /dev/null
@@ -1,9 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAKrbeqkuRk8VcRmWFmtP+LviMB3+6dizWW3DwaffznyHGAFwUJ/I
-Tv0XtbsCyl3QoyKGhrOAy3RvPK5M38iuXT0CAwEAAQJAZ3cnzaHXM/bxGaR5CR1R
-rD1qFBAVfoQFiOH9uPJgMaoAuoQEisPHVcZDKcOv4wEg6/TInAIXBnEigtqvRzuy
-oQIhAPcgZzUq3yVooAaoov8UbXPxqHlwo6GBMqnv20xzkf6ZAiEAsP4BnIaQTM8S
-mvcpHZwQJdmdHHkGKAs37Dfxi67HbkUCIQCeZGliHXFa071Fp06ZeWlR2ADonTZz
-rJBhdTe0v5pCeQIhAIZfkiGgGBX4cIuuckzEm43g9WMUjxP/0GlK39vIyihxAiEA
-mymehFRT0MvqW5xAKAx7Pgkt8HVKwVhc2LwGKHE0DZM=
------END RSA PRIVATE KEY-----
diff --git a/src/lib/libssl/test/testsid.pem b/src/lib/libssl/test/testsid.pem
deleted file mode 100644
index 7ffd008f66..0000000000
--- a/src/lib/libssl/test/testsid.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN SSL SESSION PARAMETERS-----
-MIIB1gIBAQIBAgQDAQCABBCi11xa5qkOP8xrr02K/NQCBBBkIYQZM0Bt95W0EHNV
-bA58oQYCBDIBr7WiBAICASyjggGGMIIBgjCCASwCAQMwDQYJKoZIhvcNAQEEBQAw
-ODELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3Jz
-YSB0ZXN0IENBMB4XDTk1MTAwOTIzMzEzNFoXDTk4MDcwNTIzMzEzNFowYDELMAkG
-A1UEBhMCQVUxDDAKBgNVBAgTA1FMRDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRk
-LjELMAkGA1UECxMCQ1MxGzAZBgNVBAMTElNTTGVheSBkZW1vIGNsaWVudDBcMA0G
-CSqGSIb3DQEBAQUAA0sAMEgCQQC4pcXEL1lgVA+B5Q3TcuW/O3LZHoA73IYm8oFD
-TezgCDhL2RTMn+seKWF36UtJKRIOBU9jZHCVVd0Me5ls6BEjAgMBAAEwDQYJKoZI
-hvcNAQEEBQADQQBoIpOcwUY1qlVF7j3ROSGvUsbvByOBFmYWkIBgsCqR+9qo1A7L
-CrWF5i8LWt/vLwAHaxWNx2YuBJMFyuK81fTvpA0EC3Rlc3Rjb250ZXh0
------END SSL SESSION PARAMETERS-----
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
deleted file mode 100644
index 1a426857d3..0000000000
--- a/src/lib/libssl/test/testss
+++ /dev/null
@@ -1,163 +0,0 @@
-#!/bin/sh
-
-digest='-sha1'
-reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
-x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
-verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
-dummycnf="../apps/openssl.cnf"
-
-CAkey="keyCA.ss"
-CAcert="certCA.ss"
-CAreq="reqCA.ss"
-CAconf="CAss.cnf"
-CAreq2="req2CA.ss"      # temp
-
-Uconf="Uss.cnf"
-Ukey="keyU.ss"
-Ureq="reqU.ss"
-Ucert="certU.ss"
-
-P1conf="P1ss.cnf"
-P1key="keyP1.ss"
-P1req="reqP1.ss"
-P1cert="certP1.ss"
-P1intermediate="tmp_intP1.ss"
-
-P2conf="P2ss.cnf"
-P2key="keyP2.ss"
-P2req="reqP2.ss"
-P2cert="certP2.ss"
-P2intermediate="tmp_intP2.ss"
-
-echo
-echo "make a certificate request using 'req'"
-
-echo "string to make the random number generator think it has entropy" >> ./.rnd
-
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  req_new='-newkey dsa:../apps/dsa512.pem'
-else
-  req_new='-new'
-fi
-
-$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate a certificate request"
-        exit 1
-fi
-echo
-echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to self sign a certificate request"
-        exit 1
-fi
-
-echo
-echo "convert a certificate into a certificate request using 'x509'"
-$x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' convert a certificate to a certificate request"
-        exit 1
-fi
-
-$reqcmd -config $dummycnf -verify -in $CAreq -noout
-if [ $? != 0 ]; then
-        echo first generated request is invalid
-        exit 1
-fi
-
-$reqcmd -config $dummycnf -verify -in $CAreq2 -noout
-if [ $? != 0 ]; then
-        echo second generated request is invalid
-        exit 1
-fi
-
-$verifycmd -CAfile $CAcert $CAcert
-if [ $? != 0 ]; then
-        echo first generated cert is invalid
-        exit 1
-fi
-
-echo
-echo "make a user certificate request using 'req'"
-$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate a user certificate request"
-        exit 1
-fi
-
-echo
-echo "sign user certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a user certificate request"
-        exit 1
-fi
-
-$verifycmd -CAfile $CAcert $Ucert
-echo
-echo "Certificate details"
-$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
-
-echo
-echo "make a proxy certificate request using 'req'"
-$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate a proxy certificate request"
-        exit 1
-fi
-
-echo
-echo "sign proxy certificate request with the just created user certificate via 'x509'"
-$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a proxy certificate request"
-        exit 1
-fi
-
-cat $Ucert > $P1intermediate
-$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
-echo
-echo "Certificate details"
-$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
-
-echo
-echo "make another proxy certificate request using 'req'"
-$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'req' to generate another proxy certificate request"
-        exit 1
-fi
-
-echo
-echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
-$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
-if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a second proxy certificate request"
-        exit 1
-fi
-
-cat $Ucert $P1cert > $P2intermediate
-$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
-echo
-echo "Certificate details"
-$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
-
-echo
-echo The generated CA certificate is $CAcert
-echo The generated CA private key is $CAkey
-
-echo The generated user certificate is $Ucert
-echo The generated user private key is $Ukey
-
-echo The first generated proxy certificate is $P1cert
-echo The first generated proxy private key is $P1key
-
-echo The second generated proxy certificate is $P2cert
-echo The second generated proxy private key is $P2key
-
-/bin/rm err.ss
-#/bin/rm $P1intermediate
-#/bin/rm $P2intermediate
-exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
deleted file mode 100644
index 4e8542b556..0000000000
--- a/src/lib/libssl/test/testssl
+++ /dev/null
@@ -1,178 +0,0 @@
-#!/bin/sh
-
-if [ "$1" = "" ]; then
-  key=../apps/server.pem
-else
-  key="$1"
-fi
-if [ "$2" = "" ]; then
-  cert=../apps/server.pem
-else
-  cert="$2"
-fi
-ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-
-if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
-  dsa_cert=YES
-else
-  dsa_cert=NO
-fi
-
-if [ "$3" = "" ]; then
-  CA="-CApath ../certs"
-else
-  CA="-CAfile $3"
-fi
-
-if [ "$4" = "" ]; then
-  extra=""
-else
-  extra="$4"
-fi
-
-#############################################################################
-
-echo test sslv2
-$ssltest -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication
-$ssltest -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication
-  $ssltest -ssl2 -client_auth $CA $extra || exit 1
-
-  echo test sslv2 with both client and server authentication
-  $ssltest -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
-echo test sslv3
-$ssltest -ssl3 $extra || exit 1
-
-echo test sslv3 with server authentication
-$ssltest -ssl3 -server_auth $CA $extra || exit 1
-
-echo test sslv3 with client authentication
-$ssltest -ssl3 -client_auth $CA $extra || exit 1
-
-echo test sslv3 with both client and server authentication
-$ssltest -ssl3 -server_auth -client_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3
-$ssltest $extra || exit 1
-
-echo test sslv2/sslv3 with server authentication
-$ssltest -server_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3 with client authentication
-$ssltest -client_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3 with both client and server authentication
-$ssltest -server_auth -client_auth $CA $extra || exit 1
-
-echo test sslv2 via BIO pair
-$ssltest -bio_pair -ssl2 $extra || exit 1
-
-echo test sslv2 with server authentication via BIO pair
-$ssltest -bio_pair -ssl2 -server_auth $CA $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo test sslv2 with client authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -client_auth $CA $extra || exit 1
-
-  echo test sslv2 with both client and server authentication via BIO pair
-  $ssltest -bio_pair -ssl2 -server_auth -client_auth $CA $extra || exit 1
-fi
-
-echo test sslv3 via BIO pair
-$ssltest -bio_pair -ssl3 $extra || exit 1
-
-echo test sslv3 with server authentication via BIO pair
-$ssltest -bio_pair -ssl3 -server_auth $CA $extra || exit 1
-
-echo test sslv3 with client authentication via BIO pair
-$ssltest -bio_pair -ssl3 -client_auth $CA $extra || exit 1
-
-echo test sslv3 with both client and server authentication via BIO pair
-$ssltest -bio_pair -ssl3 -server_auth -client_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3 via BIO pair
-$ssltest $extra || exit 1
-
-if [ $dsa_cert = NO ]; then
-  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
-  $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
-fi
-
-echo test sslv2/sslv3 with 1024bit DHE via BIO pair
-$ssltest -bio_pair -dhe1024dsa -v $extra || exit 1
-
-echo test sslv2/sslv3 with server authentication
-$ssltest -bio_pair -server_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3 with client authentication via BIO pair
-$ssltest -bio_pair -client_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3 with both client and server authentication via BIO pair
-$ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
-
-echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
-$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
-
-echo "Testing ciphersuites"
-for protocol in TLSv1.2 SSLv3; do
-  echo "Testing ciphersuites for $protocol"
-  for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
-    echo "Testing $cipher"
-    prot=""
-    if [ $protocol = "SSLv3" ] ; then
-      prot="-ssl3"
-    fi
-    $ssltest -cipher $cipher $prot
-    if [ $? -ne 0 ] ; then
-          echo "Failed $cipher"
-          exit 1
-    fi
-  done
-done
-
-#############################################################################
-
-if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
-  echo skipping anonymous DH tests
-else
-  echo test tls1 with 1024bit anonymous DH, multiple handshakes
-  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
-fi
-
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  echo skipping RSA tests
-else
-  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
-  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
-
-  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
-    echo skipping RSA+DHE tests
-  else
-    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
-  fi
-fi
-
-echo test tls1 with PSK
-$ssltest -tls1 -cipher PSK -psk abc123 $extra || exit 1
-
-echo test tls1 with PSK via BIO pair
-$ssltest -bio_pair -tls1 -cipher PSK -psk abc123 $extra || exit 1
-
-if ../util/shlib_wrap.sh ../apps/openssl no-srp; then
-  echo skipping SRP tests
-else
-  echo test tls1 with SRP
-  $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123
-
-  echo test tls1 with SRP via BIO pair
-  $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123
-fi
-
-exit 0
diff --git a/src/lib/libssl/test/testsslproxy b/src/lib/libssl/test/testsslproxy
deleted file mode 100644
index 58bbda8ab7..0000000000
--- a/src/lib/libssl/test/testsslproxy
+++ /dev/null
@@ -1,10 +0,0 @@
-#! /bin/sh
-
-echo 'Testing a lot of proxy conditions.'
-echo 'Some of them may turn out being invalid, which is fine.'
-for auth in A B C BC; do
-    for cond in A B C 'A|B&!C'; do
-        sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"
-        if [ $? = 3 ]; then exit 1; fi
-    done
-done
diff --git a/src/lib/libssl/test/testtsa b/src/lib/libssl/test/testtsa
deleted file mode 100644
index bb653b5f73..0000000000
--- a/src/lib/libssl/test/testtsa
+++ /dev/null
@@ -1,238 +0,0 @@
-#!/bin/sh
-
-#
-# A few very basic tests for the 'ts' time stamping authority command.
-#
-
-SH="/bin/sh"
-if test "$OSTYPE" = msdosdjgpp; then
-    PATH="../apps\;$PATH"
-else
-    PATH="../apps:$PATH"
-fi
-export SH PATH
-
-OPENSSL_CONF="../CAtsa.cnf"
-export OPENSSL_CONF
-# Because that's what ../apps/CA.sh really looks at
-SSLEAY_CONFIG="-config $OPENSSL_CONF"
-export SSLEAY_CONFIG
-
-OPENSSL="`pwd`/../util/opensslwrap.sh"
-export OPENSSL
-
-error () {
-
-    echo "TSA test failed!" >&2
-    exit 1
-}
-
-setup_dir () {
-
-    rm -rf tsa 2>/dev/null
-    mkdir tsa
-    cd ./tsa
-}
-
-clean_up_dir () {
-
-    cd ..
-    rm -rf tsa
-}
-
-create_ca () {
-
-    echo "Creating a new CA for the TSA tests..."
-    TSDNSECT=ts_ca_dn
-    export TSDNSECT   
-    ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \
-        -out tsaca.pem -keyout tsacakey.pem
-    test $? != 0 && error
-}
-
-create_tsa_cert () {
-
-    INDEX=$1
-    export INDEX
-    EXT=$2
-    TSDNSECT=ts_cert_dn
-    export TSDNSECT   
-
-    ../../util/shlib_wrap.sh ../../apps/openssl req -new \
-        -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem
-    test $? != 0 && error
-echo Using extension $EXT
-    ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \
-        -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \
-        -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \
-        -extfile $OPENSSL_CONF -extensions $EXT
-    test $? != 0 && error
-}
-
-print_request () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text
-}
-
-create_time_stamp_request1 () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq
-    test $? != 0 && error
-}
-
-create_time_stamp_request2 () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \
-        -out req2.tsq
-    test $? != 0 && error
-}
-
-create_time_stamp_request3 () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq
-    test $? != 0 && error
-}
-
-print_response () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text
-    test $? != 0 && error
-}
-
-create_time_stamp_response () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2
-    test $? != 0 && error
-}
-
-time_stamp_response_token_test () {
-
-    RESPONSE2=$2.copy.tsr
-    TOKEN_DER=$2.token.der
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2
-    test $? != 0 && error
-    cmp $RESPONSE2 $2
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out
-    test $? != 0 && error
-}
-
-verify_time_stamp_response () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
-        -untrusted tsa_cert1.pem
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \
-        -untrusted tsa_cert1.pem
-    test $? != 0 && error
-}
-
-verify_time_stamp_token () {
-
-    # create the token from the response first
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \
-        -CAfile tsaca.pem -untrusted tsa_cert1.pem
-    test $? != 0 && error
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \
-        -CAfile tsaca.pem -untrusted tsa_cert1.pem
-    test $? != 0 && error
-}
-
-verify_time_stamp_response_fail () {
-
-    ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \
-        -untrusted tsa_cert1.pem
-    # Checks if the verification failed, as it should have.
-    test $? = 0 && error
-    echo Ok
-}
-
-# main functions
-
-echo "Setting up TSA test directory..."
-setup_dir
-
-echo "Creating CA for TSA tests..."
-create_ca
-
-echo "Creating tsa_cert1.pem TSA server cert..."
-create_tsa_cert 1 tsa_cert
-
-echo "Creating tsa_cert2.pem non-TSA server cert..."
-create_tsa_cert 2 non_tsa_cert
-
-echo "Creating req1.req time stamp request for file testtsa..."
-create_time_stamp_request1
-
-echo "Printing req1.req..."
-print_request req1.tsq
-
-echo "Generating valid response for req1.req..."
-create_time_stamp_response req1.tsq resp1.tsr tsa_config1
-
-echo "Printing response..."
-print_response resp1.tsr
-
-echo "Verifying valid response..."
-verify_time_stamp_response req1.tsq resp1.tsr ../testtsa
-
-echo "Verifying valid token..."
-verify_time_stamp_token req1.tsq resp1.tsr ../testtsa
-
-# The tests below are commented out, because invalid signer certificates
-# can no longer be specified in the config file.
-
-# echo "Generating _invalid_ response for req1.req..."
-# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2
-
-# echo "Printing response..."
-# print_response resp1_bad.tsr
-
-# echo "Verifying invalid response, it should fail..."
-# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr
-
-echo "Creating req2.req time stamp request for file testtsa..."
-create_time_stamp_request2
-
-echo "Printing req2.req..."
-print_request req2.tsq
-
-echo "Generating valid response for req2.req..."
-create_time_stamp_response req2.tsq resp2.tsr tsa_config1
-
-echo "Checking '-token_in' and '-token_out' options with '-reply'..."
-time_stamp_response_token_test req2.tsq resp2.tsr
-
-echo "Printing response..."
-print_response resp2.tsr
-
-echo "Verifying valid response..."
-verify_time_stamp_response req2.tsq resp2.tsr ../testtsa
-
-echo "Verifying response against wrong request, it should fail..."
-verify_time_stamp_response_fail req1.tsq resp2.tsr
-
-echo "Verifying response against wrong request, it should fail..."
-verify_time_stamp_response_fail req2.tsq resp1.tsr
-
-echo "Creating req3.req time stamp request for file CAtsa.cnf..."
-create_time_stamp_request3
-
-echo "Printing req3.req..."
-print_request req3.tsq
-
-echo "Verifying response against wrong request, it should fail..."
-verify_time_stamp_response_fail req3.tsq resp1.tsr
-
-echo "Cleaning up..."
-clean_up_dir
-
-exit 0
diff --git a/src/lib/libssl/test/testx509.pem b/src/lib/libssl/test/testx509.pem
deleted file mode 100644
index 8a85d14964..0000000000
--- a/src/lib/libssl/test/testx509.pem
+++ /dev/null
@@ -1,10 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBWzCCAQYCARgwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
-BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MDYxOTIz
-MzMxMloXDTk1MDcxNzIzMzMxMlowOjELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
-RDEdMBsGA1UEAxMUU1NMZWF5L3JzYSB0ZXN0IGNlcnQwXDANBgkqhkiG9w0BAQEF
-AANLADBIAkEAqtt6qS5GTxVxGZYWa0/4u+IwHf7p2LNZbcPBp9/OfIcYAXBQn8hO
-/Re1uwLKXdCjIoaGs4DLdG88rkzfyK5dPQIDAQABMAwGCCqGSIb3DQIFBQADQQAE
-Wc7EcF8po2/ZO6kNCwK/ICH6DobgLekA5lSLr5EvuioZniZp5lFzAw4+YzPQ7XKJ
-zl9HYIMxATFyqSiD9jsx
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/times b/src/lib/libssl/test/times
deleted file mode 100644
index 6b66eb342e..0000000000
--- a/src/lib/libssl/test/times
+++ /dev/null
@@ -1,113 +0,0 @@
-
-More number for the questions about SSL overheads....
-
-The following numbers were generated on a Pentium pro 200, running Linux.
-They give an indication of the SSL protocol and encryption overheads.
-
-The program that generated them is an unreleased version of ssl/ssltest.c
-which is the SSLeay ssl protocol testing program.  It is a single process that
-talks both sides of the SSL protocol via a non-blocking memory buffer
-interface.
-
-How do I read this?  The protocol and cipher are reasonable obvious.
-The next number is the number of connections being made.  The next is the
-number of bytes exchanged between the client and server side of the protocol.
-This is the number of bytes that the client sends to the server, and then
-the server sends back.  Because this is all happening in one process,
-the data is being encrypted, decrypted, encrypted and then decrypted again.
-It is a round trip of that many bytes.  Because the one process performs
-both the client and server sides of the protocol and it sends this many bytes
-each direction, multiply this number by 4 to generate the number
-of bytes encrypted/decrypted/MACed.  The first time value is how many seconds
-elapsed doing a full SSL handshake, the second is the cost of one
-full handshake and the rest being session-id reuse.
-
-SSLv2 RC4-MD5      1000 x      1   12.83s   0.70s
-SSLv3 NULL-MD5     1000 x      1   14.35s   1.47s
-SSLv3 RC4-MD5      1000 x      1   14.46s   1.56s
-SSLv3 RC4-MD5      1000 x      1   51.93s   1.62s 1024bit RSA
-SSLv3 RC4-SHA      1000 x      1   14.61s   1.83s
-SSLv3 DES-CBC-SHA  1000 x      1   14.70s   1.89s
-SSLv3 DES-CBC3-SHA 1000 x      1   15.16s   2.16s
-
-SSLv2 RC4-MD5      1000 x   1024   13.72s   1.27s
-SSLv3 NULL-MD5     1000 x   1024   14.79s   1.92s
-SSLv3 RC4-MD5      1000 x   1024   52.58s   2.29s 1024bit RSA
-SSLv3 RC4-SHA      1000 x   1024   15.39s   2.67s
-SSLv3 DES-CBC-SHA  1000 x   1024   16.45s   3.55s
-SSLv3 DES-CBC3-SHA 1000 x   1024   18.21s   5.38s
-
-SSLv2 RC4-MD5      1000 x  10240   18.97s   6.52s
-SSLv3 NULL-MD5     1000 x  10240   17.79s   5.11s
-SSLv3 RC4-MD5      1000 x  10240   20.25s   7.90s
-SSLv3 RC4-MD5      1000 x  10240   58.26s   8.08s 1024bit RSA
-SSLv3 RC4-SHA      1000 x  10240   22.96s  11.44s
-SSLv3 DES-CBC-SHA  1000 x  10240   30.65s  18.41s
-SSLv3 DES-CBC3-SHA 1000 x  10240   47.04s  34.53s
-
-SSLv2 RC4-MD5      1000 x 102400   70.22s  57.74s
-SSLv3 NULL-MD5     1000 x 102400   43.73s  31.03s
-SSLv3 RC4-MD5      1000 x 102400   71.32s  58.83s
-SSLv3 RC4-MD5      1000 x 102400  109.66s  59.20s 1024bit RSA
-SSLv3 RC4-SHA      1000 x 102400   95.88s  82.21s
-SSLv3 DES-CBC-SHA  1000 x 102400  173.22s 160.55s
-SSLv3 DES-CBC3-SHA 1000 x 102400  336.61s 323.82s
-
-What does this all mean?  Well for a server, with no session-id reuse, with
-a transfer size of 10240 bytes, using RC4-MD5 and a 512bit server key,
-a Pentium pro 200 running Linux can handle the SSLv3 protocol overheads of
-about 49 connections a second.  Reality will be quite different :-).
-
-Remember the first number is 1000 full ssl handshakes, the second is
-1 full and 999 with session-id reuse.  The RSA overheads for each exchange
-would be one public and one private operation, but the protocol/MAC/cipher
-cost would be quite similar in both the client and server.
-
-eric (adding numbers to speculation)
-
---- Appendix ---
-- The time measured is user time but these number a very rough.
-- Remember this is the cost of both client and server sides of the protocol.
-- The TCP/kernel overhead of connection establishment is normally the
-  killer in SSL.  Often delays in the TCP protocol will make session-id
-  reuse look slower that new sessions, but this would not be the case on
-  a loaded server.
-- The TCP round trip latencies, while slowing individual connections,
-  would have minimal impact on throughput.
-- Instead of sending one 102400 byte buffer, one 8k buffer is sent until
-- the required number of bytes are processed.
-- The SSLv3 connections were actually SSLv2 compatible SSLv3 headers.
-- A 512bit server key was being used except where noted.
-- No server key verification was being performed on the client side of the
-  protocol.  This would slow things down very little.
-- The library being used is SSLeay 0.8.x.
-- The normal measuring system was commands of the form
-  time ./ssltest -num 1000 -bytes 102400 -cipher DES-CBC-SHA -reuse
-  This modified version of ssltest should be in the next public release of
-  SSLeay.
-
-The general cipher performance number for this platform are
-
-SSLeay 0.8.2a 04-Sep-1997
-built on Fri Sep  5 17:37:05 EST 1997
-options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(ptr2)
-C flags:gcc -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized 
-The 'numbers' are in 1000s of bytes per second processed.
-type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
-md2               131.02k      368.41k      500.57k      549.21k      566.09k
-mdc2              535.60k      589.10k      595.88k      595.97k      594.54k
-md5              1801.53k     9674.77k    17484.03k    21849.43k    23592.96k
-sha              1261.63k     5533.25k     9285.63k    11187.88k    11913.90k
-sha1             1103.13k     4782.53k     7933.78k     9472.34k    10070.70k
-rc4             10722.53k    14443.93k    15215.79k    15299.24k    15219.59k
-des cbc          3286.57k     3827.73k     3913.39k     3931.82k     3926.70k
-des ede3         1443.50k     1549.08k     1561.17k     1566.38k     1564.67k
-idea cbc         2203.64k     2508.16k     2538.33k     2543.62k     2547.71k
-rc2 cbc          1430.94k     1511.59k     1524.82k     1527.13k     1523.33k
-blowfish cbc     4716.07k     5965.82k     6190.17k     6243.67k     6234.11k
-                  sign    verify
-rsa  512 bits   0.0100s   0.0011s
-rsa 1024 bits   0.0451s   0.0012s
-rsa 2048 bits   0.2605s   0.0086s
-rsa 4096 bits   1.6883s   0.0302s
-
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
deleted file mode 100644
index 3e435ffbf9..0000000000
--- a/src/lib/libssl/test/tpkcs7
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/bin/sh
-
-cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testp7.pem
-fi
-
-echo testing pkcs7 conversions
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
deleted file mode 100644
index 64fc28e88f..0000000000
--- a/src/lib/libssl/test/tpkcs7d
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-
-cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=pkcs7-1.pem
-fi
-
-echo "testing pkcs7 conversions (2)"
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
deleted file mode 100644
index 77f37dcf3a..0000000000
--- a/src/lib/libssl/test/treq
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/bin/sh
-
-cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testreq.pem
-fi
-
-if $cmd -in $t -inform p -noout -text 2>&1 | fgrep -i 'Unknown Public Key'; then
-  echo "skipping req conversion test for $t"
-  exit 0
-fi
-
-echo testing req conversions
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -verify -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -verify -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
deleted file mode 100644
index 249ac1ddcc..0000000000
--- a/src/lib/libssl/test/trsa
+++ /dev/null
@@ -1,83 +0,0 @@
-#!/bin/sh
-
-if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
-  echo skipping rsa conversion test
-  exit 0
-fi
-
-cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testrsa.pem
-fi
-
-echo testing rsa conversions
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
deleted file mode 100644
index 6adbd531ce..0000000000
--- a/src/lib/libssl/test/tsid
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/sh
-
-cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testsid.pem
-fi
-
-echo testing session-id conversions
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in fff.p -inform p -outform t >f.t
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> d"
-#$cmd -in f.t -inform t -outform d >ff.d2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-#echo "d -> t"
-#$cmd -in f.d -inform d -outform t >ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#echo "t -> t"
-#$cmd -in f.t -inform t -outform t >ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#echo "p -> t"
-#$cmd -in f.p -inform p -outform t >ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#echo "t -> p"
-#$cmd -in f.t -inform t -outform p >ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp fff.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-#cmp f.t ff.t1
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t2
-#if [ $? != 0 ]; then exit 1; fi
-#cmp f.t ff.t3
-#if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-#cmp f.p ff.p2
-#if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
deleted file mode 100644
index 4a15b98d17..0000000000
--- a/src/lib/libssl/test/tx509
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/sh
-
-cmd='../util/shlib_wrap.sh ../apps/openssl x509'
-
-if [ "$1"x != "x" ]; then
-        t=$1
-else
-        t=testx509.pem
-fi
-
-echo testing X509 conversions
-cp $t fff.p
-
-echo "p -> d"
-$cmd -in fff.p -inform p -outform d >f.d
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> n"
-$cmd -in fff.p -inform p -outform n >f.n
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in fff.p -inform p -outform p >f.p
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> d"
-$cmd -in f.d -inform d -outform d >ff.d1
-if [ $? != 0 ]; then exit 1; fi
-echo "n -> d"
-$cmd -in f.n -inform n -outform d >ff.d2
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> d"
-$cmd -in f.p -inform p -outform d >ff.d3
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> n"
-$cmd -in f.d -inform d -outform n >ff.n1
-if [ $? != 0 ]; then exit 1; fi
-echo "n -> n"
-$cmd -in f.n -inform n -outform n >ff.n2
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> n"
-$cmd -in f.p -inform p -outform n >ff.n3
-if [ $? != 0 ]; then exit 1; fi
-
-echo "d -> p"
-$cmd -in f.d -inform d -outform p >ff.p1
-if [ $? != 0 ]; then exit 1; fi
-echo "n -> p"
-$cmd -in f.n -inform n -outform p >ff.p2
-if [ $? != 0 ]; then exit 1; fi
-echo "p -> p"
-$cmd -in f.p -inform p -outform p >ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp fff.p f.p
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p2
-if [ $? != 0 ]; then exit 1; fi
-cmp fff.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp f.n ff.n1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.n ff.n2
-if [ $? != 0 ]; then exit 1; fi
-cmp f.n ff.n3
-if [ $? != 0 ]; then exit 1; fi
-
-cmp f.p ff.p1
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p2
-if [ $? != 0 ]; then exit 1; fi
-cmp f.p ff.p3
-if [ $? != 0 ]; then exit 1; fi
-
-/bin/rm -f f.* ff.* fff.*
-exit 0
diff --git a/src/lib/libssl/test/v3-cert1.pem b/src/lib/libssl/test/v3-cert1.pem
deleted file mode 100644
index 0da253d5c3..0000000000
--- a/src/lib/libssl/test/v3-cert1.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICjTCCAfigAwIBAgIEMaYgRzALBgkqhkiG9w0BAQQwRTELMAkGA1UEBhMCVVMx
-NjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlz
-dHJhdGlvbjAmFxE5NjA1MjgxMzQ5MDUrMDgwMBcROTgwNTI4MTM0OTA1KzA4MDAw
-ZzELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
-ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEgMAkGA1UEBRMCMTYwEwYDVQQDEwxTdGV2
-ZSBTY2hvY2gwWDALBgkqhkiG9w0BAQEDSQAwRgJBALrAwyYdgxmzNP/ts0Uyf6Bp
-miJYktU/w4NG67ULaN4B5CnEz7k57s9o3YY3LecETgQ5iQHmkwlYDTL2fTgVfw0C
-AQOjgaswgagwZAYDVR0ZAQH/BFowWDBWMFQxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
-Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
-DTALBgNVBAMTBENSTDEwFwYDVR0BAQH/BA0wC4AJODMyOTcwODEwMBgGA1UdAgQR
-MA8ECTgzMjk3MDgyM4ACBSAwDQYDVR0KBAYwBAMCBkAwCwYJKoZIhvcNAQEEA4GB
-AH2y1VCEw/A4zaXzSYZJTTUi3uawbbFiS2yxHvgf28+8Js0OHXk1H1w2d6qOHH21
-X82tZXd/0JtG0g1T9usFFBDvYK8O0ebgz/P5ELJnBL2+atObEuJy1ZZ0pBDWINR3
-WkDNLCGiTkCKp0F5EWIrVDwh54NNevkCQRZita+z4IBO
------END CERTIFICATE-----
diff --git a/src/lib/libssl/test/v3-cert2.pem b/src/lib/libssl/test/v3-cert2.pem
deleted file mode 100644
index de0723ff8d..0000000000
--- a/src/lib/libssl/test/v3-cert2.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICiTCCAfKgAwIBAgIEMeZfHzANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJD
-YTEPMA0GA1UEBxMGTmVwZWFuMR4wHAYDVQQLExVObyBMaWFiaWxpdHkgQWNjZXB0
-ZWQxHzAdBgNVBAoTFkZvciBEZW1vIFB1cnBvc2VzIE9ubHkxHDAaBgNVBAMTE0Vu
-dHJ1c3QgRGVtbyBXZWIgQ0EwHhcNOTYwNzEyMTQyMDE1WhcNOTYxMDEyMTQyMDE1
-WjB0MSQwIgYJKoZIhvcNAQkBExVjb29rZUBpc3NsLmF0bC5ocC5jb20xCzAJBgNV
-BAYTAlVTMScwJQYDVQQLEx5IZXdsZXR0IFBhY2thcmQgQ29tcGFueSAoSVNTTCkx
-FjAUBgNVBAMTDVBhdWwgQS4gQ29va2UwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
-6ceSq9a9AU6g+zBwaL/yVmW1/9EE8s5you1mgjHnj0wAILuoB3L6rm6jmFRy7QZT
-G43IhVZdDua4e+5/n1ZslwIDAQABo2MwYTARBglghkgBhvhCAQEEBAMCB4AwTAYJ
-YIZIAYb4QgENBD8WPVRoaXMgY2VydGlmaWNhdGUgaXMgb25seSBpbnRlbmRlZCBm
-b3IgZGVtb25zdHJhdGlvbiBwdXJwb3Nlcy4wDQYJKoZIhvcNAQEEBQADgYEAi8qc
-F3zfFqy1sV8NhjwLVwOKuSfhR/Z8mbIEUeSTlnH3QbYt3HWZQ+vXI8mvtZoBc2Fz
-lexKeIkAZXCesqGbs6z6nCt16P6tmdfbZF3I3AWzLquPcOXjPf4HgstkyvVBn0Ap
-jAFN418KF/Cx4qyHB4cjdvLrRjjQLnb2+ibo7QU=
------END CERTIFICATE-----
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 901b38f860..21d3960796 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.106 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -53,9 +53,21 @@ tls13_client_init(struct tls13_ctx *ctx)
                 return 0;
         if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
+        /*
+         * Generate a second key share prediction if we have another
+         * supported group
+         */
+        if (groups_len > 1) {
+                if ((ctx->hs->tls13.key_share = tls_key_share_new(groups[1])) ==
+                    NULL)
+                        return 0;
+                if (!tls_key_share_client_generate(ctx->hs->tls13.key_share))
+                        return 0;
+        }
+
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
         /*
@@ -450,7 +462,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
         if ((ctx->hs->key_share =
             tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
         if (!tls13_client_hello_build(ctx, cbb))
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 6c33eccc61..6a06330b22 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.44 2024/01/30 14:50:50 jsing Exp $ */
+/*      $OpenBSD: tls13_legacy.c,v 1.45 2026/04/03 07:17:36 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -353,7 +353,6 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx)
                 s->rstate = SSL_ST_READ_BODY;
                 s->packet = s->s3->rbuf.buf;
                 s->packet_length = SSL3_RT_HEADER_LENGTH;
-                s->mac_packet = 1;
         }
 
         /* Stash the current handshake message. */
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 331a3ad1a7..c3470b2931 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.78 2025/06/07 10:25:12 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -538,7 +538,7 @@ tls13_ctx_new(int mode, SSL *ssl)
 {
         struct tls13_ctx *ctx = NULL;
 
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
                 goto err;
 
         ctx->hs = &ssl->s3->hs;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 63b7d92093..604dab4cba 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.112 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -327,7 +327,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 }
 
 static int
-tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
+tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 {
         uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
         const uint8_t *server_random;
@@ -338,7 +338,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
         cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
         server_random = s->s3->server_random;
 
-        if (hrr) {
+        if (ctx->hs->tls13.hrr) {
                 server_random = tls13_hello_retry_request_hash;
                 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
         }
@@ -437,8 +437,6 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 int
 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        int nid;
-
         ctx->hs->tls13.hrr = 1;
 
         if (!tls13_synthetic_handshake_message(ctx))
@@ -446,12 +444,10 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 
         if (ctx->hs->key_share != NULL)
                 return 0;
-        if (!tls1_get_supported_group(ctx->ssl, &nid))
-                return 0;
-        if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
+        if (ctx->hs->tls13.server_group == 0)
                 return 0;
 
-        if (!tls13_server_hello_build(ctx, cbb, 1))
+        if (!tls13_server_hello_build(ctx, cbb))
                 return 0;
 
         return 1;
@@ -506,14 +502,12 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
         if (ctx->hs->key_share == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_server_generate(ctx->hs->key_share))
                 return 0;
         if (!tls13_servername_process(ctx))
                 return 0;
 
-        ctx->hs->tls13.server_group = 0;
-
-        if (!tls13_server_hello_build(ctx, cbb, 0))
+        if (!tls13_server_hello_build(ctx, cbb))
                 return 0;
 
         return 1;
diff --git a/src/lib/libssl/tls_internal.h b/src/lib/libssl/tls_internal.h
index 84edde8474..3d8d6aa940 100644
--- a/src/lib/libssl/tls_internal.h
+++ b/src/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2022/11/10 18:06:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -85,12 +85,15 @@ int tls_key_share_nid(struct tls_key_share *ks);
 void tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits);
 int tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params);
 int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey);
-int tls_key_share_generate(struct tls_key_share *ks);
+int tls_key_share_client_generate(struct tls_key_share *ks);
+int tls_key_share_server_generate(struct tls_key_share *ks);
 int tls_key_share_params(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_public(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_params);
-int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs,
+int tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key);
+int tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_key);
 int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len);
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index cf7b1da262..9e04cb7b75 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_key_share.c,v 1.8 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.10 2026/01/01 12:47:52 tb Exp $ */
 /*
  * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -21,6 +21,7 @@
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include <openssl/mlkem.h>
 
 #include "bytestring.h"
 #include "ssl_local.h"
@@ -40,6 +41,19 @@ struct tls_key_share {
         uint8_t *x25519_public;
         uint8_t *x25519_private;
         uint8_t *x25519_peer_public;
+
+        uint8_t *mlkem_public;
+        size_t mlkem_public_len;
+        MLKEM_private_key *mlkem_private;
+        MLKEM_public_key *mlkem_peer_public;
+
+        /* The ciphertext from MLKEM_encap. */
+        uint8_t *mlkem_encap;
+        size_t mlkem_encap_len;
+
+        /* The shared secret from an ML-KEM encapsulation. */
+        uint8_t *mlkem_shared_secret;
+        size_t mlkem_shared_secret_len;
 };
 
 static struct tls_key_share *
@@ -96,6 +110,12 @@ tls_key_share_free(struct tls_key_share *ks)
         freezero(ks->x25519_private, X25519_KEY_LENGTH);
         freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
 
+        freezero(ks->mlkem_public, ks->mlkem_public_len);
+        MLKEM_private_key_free(ks->mlkem_private);
+        MLKEM_public_key_free(ks->mlkem_peer_public);
+        freezero(ks->mlkem_encap, ks->mlkem_encap_len);
+        freezero(ks->mlkem_shared_secret, ks->mlkem_shared_secret_len);
+
         freezero(ks, sizeof(*ks));
 }
 
@@ -230,7 +250,73 @@ tls_key_share_generate_x25519(struct tls_key_share *ks)
         return ret;
 }
 
-int
+static int
+tls_key_share_generate_mlkem(struct tls_key_share *ks, int rank)
+{
+        MLKEM_private_key *private = NULL;
+        uint8_t *public = NULL;
+        size_t p_len = 0;
+        int ret = 0;
+
+        if (ks->mlkem_public != NULL || ks->mlkem_private != NULL)
+                goto err;
+
+        if ((private = MLKEM_private_key_new(rank)) == NULL)
+                goto err;
+
+        if (!MLKEM_generate_key(private, &public, &p_len, NULL, NULL))
+                goto err;
+
+        ks->mlkem_public = public;
+        ks->mlkem_public_len = p_len;
+        ks->mlkem_private = private;
+        public = NULL;
+        private = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(public, p_len);
+        MLKEM_private_key_free(private);
+
+        return ret;
+}
+
+static int
+tls_key_share_client_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (!tls_key_share_generate_mlkem(ks, MLKEM768_RANK))
+                return 0;
+
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+
+        return 1;
+}
+
+static int
+tls_key_share_server_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (ks->mlkem_private != NULL)
+                return 0;
+
+        /* The server side needs the client's parsed share */
+
+        if (ks->x25519_peer_public == NULL)
+                return 0;
+
+        if (ks->mlkem_peer_public == NULL)
+                return 0;
+
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+
+        return MLKEM_encap(ks->mlkem_peer_public, &ks->mlkem_encap,
+            &ks->mlkem_encap_len, &ks->mlkem_shared_secret,
+            &ks->mlkem_shared_secret_len);
+}
+
+static int
 tls_key_share_generate(struct tls_key_share *ks)
 {
         if (ks->nid == NID_dhKeyAgreement)
@@ -242,6 +328,24 @@ tls_key_share_generate(struct tls_key_share *ks)
         return tls_key_share_generate_ecdhe_ecp(ks);
 }
 
+int
+tls_key_share_client_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_generate_mlkem768x25519(ks);
+
+        return tls_key_share_generate(ks);
+}
+
+int
+tls_key_share_server_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_generate_mlkem768x25519(ks);
+
+        return tls_key_share_generate(ks);
+}
+
 static int
 tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
 {
@@ -287,6 +391,47 @@ tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb)
         return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
 }
 
+static int
+tls_key_share_public_mlkem768x25519(struct tls_key_share *ks, CBB *cbb)
+{
+        uint8_t *mlkem_part;
+        size_t mlkem_part_len;
+
+        if (ks->x25519_public == NULL)
+                return 0;
+
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.2:
+         * The server's key exchange value is the concatenation of an
+         * ML-KEM ciphertext returned from encapsulation to the client's
+         * encapsulation key, and the server's ephemeral X25519 share.
+         */
+        mlkem_part = ks->mlkem_encap;
+        mlkem_part_len = ks->mlkem_encap_len;
+
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.1:
+         * The client's key_exchange value is the concatenation of the
+         * client's ML-KEM-768 encapsulation key and the client's X25519
+         * ephemeral share.
+         */
+        if (mlkem_part == NULL) {
+                mlkem_part = ks->mlkem_public;
+                mlkem_part_len = ks->mlkem_public_len;
+        }
+
+        if (mlkem_part == NULL)
+                return 0;
+
+        if (!CBB_add_bytes(cbb, mlkem_part, mlkem_part_len))
+                return 0;
+
+        /* Both the client and server send their x25519 public keys. */
+        return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
+}
+
 int
 tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
 {
@@ -296,6 +441,9 @@ tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
         if (ks->nid == NID_X25519)
                 return tls_key_share_public_x25519(ks, cbb);
 
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_public_mlkem768x25519(ks, cbb);
+
         return tls_key_share_public_ecdhe_ecp(ks, cbb);
 }
 
@@ -325,7 +473,7 @@ tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
                 return 0;
 
         return tls_key_share_peer_params_dhe(ks, cbs, decode_error,
-             invalid_params);
+            invalid_params);
 }
 
 static int
@@ -383,7 +531,91 @@ tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs,
         return CBS_stow(cbs, &ks->x25519_peer_public, &out_len);
 }
 
-int
+static int
+tls_key_share_client_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem_ciphertext_cbs;
+        size_t out_len;
+
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+
+        if (ks->mlkem_private == NULL)
+                return 0;
+
+        if (!CBS_get_bytes(cbs, &mlkem_ciphertext_cbs,
+            MLKEM_private_key_ciphertext_length(ks->mlkem_private)))
+                return 0;
+
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                return 0;
+
+        if (CBS_len(cbs) != 0)
+                return 0;
+
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                return 0;
+
+        if (!CBS_stow(&mlkem_ciphertext_cbs, &ks->mlkem_encap, &ks->mlkem_encap_len))
+                return 0;
+
+        return 1;
+}
+
+static int
+tls_key_share_server_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem768_cbs;
+        size_t out_len;
+
+        *decode_error = 0;
+
+        /* The server should not have an mlkem private key */
+        if (ks->mlkem_private != NULL)
+                return 0;
+
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+
+        if (ks->mlkem_peer_public != NULL)
+                return 0;
+
+        if (ks->x25519_peer_public != NULL)
+                return 0;
+
+        /* Nein, ist nur normal (1024 ist gigantisch) */
+        if ((ks->mlkem_peer_public = MLKEM_public_key_new(MLKEM768_RANK)) == NULL)
+                goto err;
+
+        if (!CBS_get_bytes(cbs, &mlkem768_cbs,
+            MLKEM_public_key_encoded_length(ks->mlkem_peer_public)))
+                goto err;
+
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                goto err;
+
+        /* Poetische */
+        if (!MLKEM_parse_public_key(ks->mlkem_peer_public,
+            CBS_data(&mlkem768_cbs), CBS_len(&mlkem768_cbs)))
+                goto err;
+
+        return 1;
+
+ err:
+        *decode_error = 1;
+
+        return 0;
+}
+
+static int
 tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
     int *invalid_key)
 {
@@ -402,6 +634,30 @@ tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
         return tls_key_share_peer_public_ecdhe_ecp(ks, cbs);
 }
 
+/* Called from client to process a server peer */
+int
+tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+
+/* Called from server to process a client peer */
+int
+tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+
 static int
 tls_key_share_derive_dhe(struct tls_key_share *ks,
     uint8_t **shared_key, size_t *shared_key_len)
@@ -451,6 +707,65 @@ tls_key_share_derive_x25519(struct tls_key_share *ks,
         return ret;
 }
 
+/*
+ * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+ * Section 3.1.3:
+ * For X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
+ * shared secret and the X25519 shared secret.
+ */
+static int
+tls_key_share_derive_mlkem768x25519(struct tls_key_share *ks,
+    uint8_t **out_shared_key, size_t *out_shared_key_len)
+{
+        uint8_t *x25519_shared_key;
+        CBB cbb;
+
+        memset(&cbb, 0, sizeof(cbb));
+
+        if (ks->x25519_private == NULL)
+                goto err;
+
+        if (ks->x25519_peer_public == NULL)
+                goto err;
+
+        if (ks->mlkem_shared_secret == NULL) {
+                if (ks->mlkem_private == NULL)
+                        goto err;
+
+                if (ks->mlkem_encap == NULL)
+                        goto err;
+
+                if (!MLKEM_decap(ks->mlkem_private, ks->mlkem_encap,
+                    MLKEM_private_key_ciphertext_length(ks->mlkem_private),
+                    &ks->mlkem_shared_secret, &ks->mlkem_shared_secret_len))
+                        goto err;
+        }
+
+        if (!CBB_init(&cbb,  ks->mlkem_shared_secret_len + X25519_KEY_LENGTH))
+                goto err;
+
+        if (!CBB_add_bytes(&cbb, ks->mlkem_shared_secret,
+            ks->mlkem_shared_secret_len))
+                goto err;
+
+        if (!CBB_add_space(&cbb, &x25519_shared_key, X25519_KEY_LENGTH))
+                goto err;
+
+        if (!X25519(x25519_shared_key, ks->x25519_private,
+            ks->x25519_peer_public))
+                goto err;
+
+        if (!CBB_finish(&cbb, out_shared_key, out_shared_key_len))
+                goto err;
+
+        return 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return 0;
+}
+
 int
 tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len)
@@ -468,6 +783,10 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
                 return tls_key_share_derive_x25519(ks, shared_key,
                     shared_key_len);
 
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_derive_mlkem768x25519(ks, shared_key,
+                    shared_key_len);
+
         return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
             shared_key_len);
 }