146 files changed, 992 insertions, 483 deletions

diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index 892e14a450..c41ff4d1ca 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -1,7 +1,7 @@
 
-  LibReSSL files are retained under the copyright of the authors. New
+  LibreSSL files are retained under the copyright of the authors. New
   additions are ISC licensed as per OpenBSD's normal licensing policy,
-  or are placed in the public domain. 
+  or are placed in the public domain.
 
   The OpenSSL code is distributed under the terms of the original OpenSSL
   licenses which follow:
@@ -25,7 +25,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -80,21 +80,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -109,10 +109,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -124,7 +124,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index 65cd3e7f86..0d82c7c726 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -137,6 +137,7 @@ SSL_CTX_use_certificate_ASN1
 SSL_CTX_use_certificate_chain_file
 SSL_CTX_use_certificate_chain_mem
 SSL_CTX_use_certificate_file
+SSL_SESSION_dup
 SSL_SESSION_free
 SSL_SESSION_get0_cipher
 SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 6dd1699606..13e4f30539 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.40 2023/07/19 13:34:33 tb Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.41 2025/06/02 12:18:22 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -229,9 +229,7 @@ ssl_write(BIO *b, const char *out, int outl)
 
         BIO_clear_retry_flags(b);
 
-/*      ret=SSL_do_handshake(ssl);
-        if (ret > 0) */
-                ret = SSL_write(ssl, out, outl);
+        ret = SSL_write(ssl, out, outl);
 
         switch (SSL_get_error(ssl, ret)) {
         case SSL_ERROR_NONE:
diff --git a/src/lib/libssl/hidden/openssl/ssl.h b/src/lib/libssl/hidden/openssl/ssl.h
index b854dd7b73..b010488d7f 100644
--- a/src/lib/libssl/hidden/openssl/ssl.h
+++ b/src/lib/libssl/hidden/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.9 2024/08/31 10:51:48 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.10 2025/10/24 11:36:08 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -182,6 +182,7 @@ LSSL_USED(SSL_SESSION_set1_id_context);
 LSSL_USED(SSL_SESSION_is_resumable);
 LSSL_USED(SSL_SESSION_new);
 LSSL_USED(SSL_SESSION_free);
+LSSL_USED(SSL_SESSION_dup);
 LSSL_USED(SSL_SESSION_up_ref);
 LSSL_USED(SSL_SESSION_get_id);
 LSSL_USED(SSL_SESSION_get0_id_context);
diff --git a/src/lib/libssl/hidden/ssl_namespace.h b/src/lib/libssl/hidden/ssl_namespace.h
index 5d26516f3c..763dcd700f 100644
--- a/src/lib/libssl/hidden/ssl_namespace.h
+++ b/src/lib/libssl/hidden/ssl_namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_namespace.h,v 1.3 2024/07/12 05:26:34 miod Exp $  */
+/*      $OpenBSD: ssl_namespace.h,v 1.4 2025/08/18 16:00:53 tb Exp $    */
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -35,7 +35,11 @@
 #else
 #define LSSL_UNUSED(x)
 #define LSSL_USED(x)
+#ifdef _MSC_VER
+#define LSSL_ALIAS(x)
+#else
 #define LSSL_ALIAS(x)           asm("")
+#endif /* _MSC_VER */
 #endif
 
 #endif  /* _LIBSSL_SSL_NAMESPACE_H_ */
diff --git a/src/lib/libssl/man/BIO_f_ssl.3 b/src/lib/libssl/man/BIO_f_ssl.3
index 3b74a3d6a4..e23a15e121 100644
--- a/src/lib/libssl/man/BIO_f_ssl.3
+++ b/src/lib/libssl/man/BIO_f_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_ssl.3,v 1.16 2024/01/13 18:37:51 tb Exp $
+.\" $OpenBSD: BIO_f_ssl.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm BIO_do_handshake
 .Nd SSL BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/bio.h
 .In openssl/ssl.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libssl/man/DTLSv1_listen.3 b/src/lib/libssl/man/DTLSv1_listen.3
index 047ec0a7ff..bdba1c59b0 100644
--- a/src/lib/libssl/man/DTLSv1_listen.3
+++ b/src/lib/libssl/man/DTLSv1_listen.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DTLSv1_listen.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: DTLSv1_listen.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 7795475f Dec 18 13:18:31 2015 -0500
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DTLSV1_LISTEN 3
 .Os
 .Sh NAME
 .Nm DTLSv1_listen
 .Nd listen for incoming DTLS connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo DTLSv1_listen
diff --git a/src/lib/libssl/man/OPENSSL_init_ssl.3 b/src/lib/libssl/man/OPENSSL_init_ssl.3
index f37dccfaac..ec840f5e1c 100644
--- a/src/lib/libssl/man/OPENSSL_init_ssl.3
+++ b/src/lib/libssl/man/OPENSSL_init_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $
+.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_INIT_SSL 3
 .Os
 .Sh NAME
 .Nm OPENSSL_init_ssl
 .Nd initialise the crypto and ssl libraries
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo OPENSSL_init_ssl
diff --git a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
index 3eb1414c62..93bd0b8ebd 100644
--- a/src/lib/libssl/man/PEM_read_SSL_SESSION.3
+++ b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_READ_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm PEM_write_bio_SSL_SESSION
 .Nd encode and decode SSL session objects in PEM format
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fo PEM_read_SSL_SESSION
diff --git a/src/lib/libssl/man/SSL_CIPHER_get_name.3 b/src/lib/libssl/man/SSL_CIPHER_get_name.3
index 86c1d3c0ba..fc92eb9723 100644
--- a/src/lib/libssl/man/SSL_CIPHER_get_name.3
+++ b/src/lib/libssl/man/SSL_CIPHER_get_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $
+.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.19 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 16 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt SSL_CIPHER_GET_NAME 3
 .Os
 .Sh NAME
@@ -70,6 +70,7 @@
 .Nm SSL_CIPHER_description
 .Nd get SSL_CIPHER properties
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_CIPHER_get_name "const SSL_CIPHER *cipher"
@@ -81,7 +82,7 @@
 .Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher"
-.Ft "const EVP_MD *"
+.Ft const EVP_MD *
 .Fn SSL_CIPHER_get_handshake_digest "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher"
diff --git a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
index f9e25358d7..0b990ca88e 100644
--- a/src/lib/libssl/man/SSL_COMP_add_compression_method.3
+++ b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.7 2024/08/31 10:51:48 tb Exp $
+.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COMP_ADD_COMPRESSION_METHOD 3
 .Os
 .Sh NAME
 .Nm SSL_COMP_get_compression_methods
 .Nd handle SSL/TLS integrated compression methods
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_COMP) *
 .Fn SSL_COMP_get_compression_methods void
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
index 86eb27a523..91c4c80758 100644
--- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD1_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -67,6 +67,7 @@
 .Nm SSL_clear_chain_certs
 .Nd extra chain certificate processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set0_chain
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b9694b0cbc..891c22a40a 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.8 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_clear_extra_chain_certs
 .Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
diff --git a/src/lib/libssl/man/SSL_CTX_add_session.3 b/src/lib/libssl/man/SSL_CTX_add_session.3
index 443bdb542a..df634bcdda 100644
--- a/src/lib/libssl/man/SSL_CTX_add_session.3
+++ b/src/lib/libssl/man/SSL_CTX_add_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_SESSION 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_remove_session
 .Nd manipulate session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_add_session "SSL_CTX *ctx" "SSL_SESSION *c"
diff --git a/src/lib/libssl/man/SSL_CTX_ctrl.3 b/src/lib/libssl/man/SSL_CTX_ctrl.3
index c91ddff374..4d254d8f48 100644
--- a/src/lib/libssl/man/SSL_CTX_ctrl.3
+++ b/src/lib/libssl/man/SSL_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_callback_ctrl
 .Nd internal handling functions for SSL_CTX and SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_ctrl "SSL_CTX *ctx" "int cmd" "long larg" "void *parg"
diff --git a/src/lib/libssl/man/SSL_CTX_flush_sessions.3 b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
index 2ef781cb4a..deabf5200a 100644
--- a/src/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FLUSH_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_flush_sessions
 .Nd remove expired sessions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_flush_sessions "SSL_CTX *ctx" "long tm"
diff --git a/src/lib/libssl/man/SSL_CTX_free.3 b/src/lib/libssl/man/SSL_CTX_free.3
index 47f247631b..0afef7cd0e 100644
--- a/src/lib/libssl/man/SSL_CTX_free.3
+++ b/src/lib/libssl/man/SSL_CTX_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_free.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_free
 .Nd free an allocated SSL_CTX object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_free "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get0_certificate.3 b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
index 63c86bd5e0..226e6cd87a 100644
--- a/src/lib/libssl/man/SSL_CTX_get0_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.4 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET0_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_get0_certificate
 .Nd get the active certificate from an SSL context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_CTX_get0_certificate
 .Fa "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
index 3dbaf2e981..30a02cc317 100644
--- a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
index 7c87775069..88187f7f3c 100644
--- a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_VERIFY_MODE 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_get_verify_callback
 .Nd get currently set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_get_verify_mode "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
index 373df2402e..0cc22f433d 100644
--- a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_set_default_verify_paths
 .Nd set default locations for trusted CA certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_load_verify_locations
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
index 4b50a03de4..2afad5378c 100644
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.17 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_new.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100
 .\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_NEW 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm DTLSv1_2_client_method
 .Nd create a new SSL_CTX object as a framework for TLS enabled functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_CTX_new "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_number.3 b/src/lib/libssl/man/SSL_CTX_sess_number.3
index 76d436cd17..854f6256eb 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_number.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_number.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_NUMBER 3
 .Os
 .Sh NAME
@@ -66,6 +66,7 @@
 .Nm SSL_CTX_sess_cache_full
 .Nd obtain session cache statistics
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_number "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
index 6d5fede0b6..e8bfe50a3c 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_sess_get_cache_size
 .Nd manipulate session cache size
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_set_cache_size "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
index e99f2be671..62a6698399 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.7 2022/03/29 18:15:52 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_GET_CB 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_CTX_sess_get_get_cb
 .Nd provide callback functions for server side external session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_sess_set_new_cb
diff --git a/src/lib/libssl/man/SSL_CTX_sessions.3 b/src/lib/libssl/man/SSL_CTX_sessions.3
index 964d1a7346..627c694cd8 100644
--- a/src/lib/libssl/man/SSL_CTX_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.5 2018/04/25 14:19:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_sessions
 .Nd access internal session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft LHASH_OF(SSL_SESSION) *
 .Fn SSL_CTX_sessions "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
index 0d1eb36ea7..8cd620d3b4 100644
--- a/src/lib/libssl/man/SSL_CTX_set1_groups.3
+++ b/src/lib/libssl/man/SSL_CTX_set1_groups.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.2 2017/08/19 19:36:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET1_GROUPS 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set1_curves_list
 .Nd choose supported EC groups
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set1_groups
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index 2317c57af4..ff69408247 100644
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.11 2025/02/04 14:00:05 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 4 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_get0_alpn_selected
 .Nd handle application layer protocol negotiation (ALPN)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_alpn_protos
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
index 1be1ba2f68..75c145fd78 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.8 2024/08/03 04:53:01 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_STORE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_cert_store
 .Nd manipulate X509 certificate verification storage
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
index 0e12b48c78..2e2beac850 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_cert_verify_callback
 .Nd set peer certificate verification procedure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_cert_verify_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
index b3f0dc3541..6201dc9f55 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.18 2025/01/18 12:20:02 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.19 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm SSL_set_cipher_list
 .Nd choose list of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_cipher_list "SSL_CTX *ctx" "const char *control"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
index d19fb93ed0..520be04318 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,16 +48,17 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_client_CA_list ,
 .Nm SSL_set_client_CA_list ,
 .Nm SSL_CTX_add_client_CA ,
-.Nm  SSL_add_client_CA
+.Nm SSL_add_client_CA
 .Nd set list of CAs sent to the client when requesting a client certificate
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_client_CA_list "SSL_CTX *ctx" "STACK_OF(X509_NAME) *list"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
index a2433b5e92..2cf8275602 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CERT_CB 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_client_cert_cb
 .Nd handle client certificate callback function
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_client_cert_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
index 94b4ea543d..e3da1bec66 100644
--- a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.9 2023/09/19 09:40:35 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm SSL_CTX_get_default_passwd_cb_userdata
 .Nd set or get passwd callback for encrypted PEM file handling
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb"
diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index d85383d776..29c102ac50 100644
--- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm GEN_SESSION_CB
 .Nd manipulate generation of SSL session IDs (server only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*GEN_SESSION_CB)
diff --git a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
index 76eb8bee61..ec251b5b69 100644
--- a/src/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_INFO_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_info_callback
 .Nd handle information callback for SSL connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_info_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
index 24b8f9992f..0cb36b07c6 100644
--- a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.3 2024/05/16 08:39:30 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 16 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_CTX_get_keylog_callback
 .Nd set and get the unused key logging callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef void
 .Fo (*SSL_CTX_keylog_cb_func)
diff --git a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
index 89513b1006..700f534f54 100644
--- a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MAX_CERT_LIST 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_max_cert_list
 .Nd manipulate allowed size for the peer's certificate chain
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_max_cert_list "SSL_CTX *ctx" "long size"
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
index a2597cda83..50a5fc448d 100644
--- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
 .\"
 .\" This file was written by Kurt Roeckx <kurt@roeckx.be> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_get_max_proto_version
 .Nd get and set minimum and maximum supported protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_min_proto_version
diff --git a/src/lib/libssl/man/SSL_CTX_set_mode.3 b/src/lib/libssl/man/SSL_CTX_set_mode.3
index fca1a977d0..62a7a6deda 100644
--- a/src/lib/libssl/man/SSL_CTX_set_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MODE 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_get_mode
 .Nd manipulate SSL engine mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_mode "SSL_CTX *ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
index a27333e6d9..65df06016a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MSG_CALLBACK 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set_msg_callback_arg
 .Nd install callback for observing protocol messages
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_msg_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3 b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
index cb6d7e000a..093387725a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
+++ b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.2 2021/10/23 17:20:50 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 5402f96a Sep 11 09:58:52 2021 +0100
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_NUM_TICKETS 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm SSL_get_num_tickets
 .Nd set and get the number of TLS 1.3 session tickets to be sent
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_num_tickets "SSL_CTX *ctx" "size_t num_tickets"
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
index 5df0b07785..5e81c978bd 100644
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ b/src/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
 .\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -65,6 +65,7 @@
 .Nm SSL_get_secure_renegotiation_support
 .Nd manipulate SSL options
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
diff --git a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
index 71463f1eca..20b882167b 100644
--- a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_quiet_shutdown
 .Nd manipulate shutdown behaviour
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_quiet_shutdown "SSL_CTX *ctx" "int mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
index eae76eb472..208ecfbf1a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_READ_AHEAD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_CTX_get_default_read_ahead
 .Nd manage whether to read as many input bytes as possible
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_read_ahead
diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3
index 89adb3d65d..2d3afa5785 100644
--- a/src/lib/libssl/man/SSL_CTX_set_security_level.3
+++ b/src/lib/libssl/man/SSL_CTX_set_security_level.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SECURITY_LEVEL 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_get_security_level
 .Nd change security level for TLS
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_security_level
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
index 1fe67b2a7e..d19ff79545 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_session_cache_mode
 .Nd enable/disable session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_session_cache_mode "SSL_CTX ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
index 06fd9348ae..53923888db 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_set_session_id_context
 .Nd set context within which session can be reused (server side only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_session_id_context
diff --git a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
index b1bdb92bb0..fe9febe431 100644
--- a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.5 2021/05/11 19:48:56 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SSL_VERSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_ssl_method
 .Nd choose a new TLS/SSL method
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_ssl_version "SSL_CTX *ctx" "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_set_timeout.3 b/src/lib/libssl/man/SSL_CTX_set_timeout.3
index ab99e2016e..da2f811528 100644
--- a/src/lib/libssl/man/SSL_CTX_set_timeout.3
+++ b/src/lib/libssl/man/SSL_CTX_set_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TIMEOUT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_timeout
 .Nd manipulate timeout values for session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_timeout "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
index 79169a004b..b6cece259c 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.7 2025/04/18 08:35:34 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set_tlsext_host_name
 .Nd handle server name indication (SNI)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_servername_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
index d5979af1e8..c9763f9d2f 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.8 2021/09/11 18:58:41 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_tlsext_status_ocsp_resp
 .Nd OCSP Certificate Status Request functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_status_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
index b6ccabaeca..0427f7dcf5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.8 2022/01/25 18:01:20 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@akamai.com>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 25 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_tlsext_ticket_key_cb
 .Nd set a callback for session ticket processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_ticket_key_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
index 04c4833c6a..4acd452ad5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_selected_srtp_profile
 .Nd Configure and query SRTP support
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/srtp.h
 .Ft int
 .Fo SSL_CTX_set_tlsext_use_srtp
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
index c6f5253431..9fa830656a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.11 2025/01/18 10:45:12 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_set_tmp_dh
 .Nd handle DH keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_dh_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
index b4c3a3c647..7009ac6ab5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.9 2022/03/29 14:27:59 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_need_tmp_RSA
 .Nd handle RSA keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_rsa_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_verify.3 b/src/lib/libssl/man/SSL_CTX_set_verify.3
index 1ed86407e9..656c85afd4 100644
--- a/src/lib/libssl/man/SSL_CTX_set_verify.3
+++ b/src/lib/libssl/man/SSL_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.9 2021/06/12 16:59:53 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_set_verify_depth
 .Nd set peer certificate verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_verify
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index c88a6971b2..27ec834d16 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.17 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000
 .\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm SSL_check_private_key
 .Nd load certificate and key data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x"
diff --git a/src/lib/libssl/man/SSL_SESSION_free.3 b/src/lib/libssl/man/SSL_SESSION_free.3
index 3f785e95e5..af02a273a0 100644
--- a/src/lib/libssl/man/SSL_SESSION_free.3
+++ b/src/lib/libssl/man/SSL_SESSION_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_free.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_free.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_FREE 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_free
 .Nd SSL_SESSION reference counting
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_SESSION_up_ref "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3 b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
index 239a426dbd..4e5b0bb057 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.1 2021/05/12 14:16:25 tb Exp $
+.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL d42e7759f Mar 30 19:40:04 2017 +0200
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_cipher
 .Nd retrieve the SSL cipher associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fo SSL_SESSION_get0_cipher
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_peer.3 b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
index 6b1ef6680e..98ae1bab9d 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_peer.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_PEER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_peer
 .Nd get details about peer's certificate for a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_SESSION_get0_peer
diff --git a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
index aedc216a15..da0d48ff6c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_COMPRESS_ID 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_compress_id
 .Nd get details about the compression associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft unsigned int
 .Fo SSL_SESSION_get_compress_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
index 9fd6949b6a..55cde1c66b 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_SESSION_get_id.3 b/src/lib/libssl/man/SSL_SESSION_get_id.3
index 6d0de1e52e..eb14d24111 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_set1_id
 .Nd get and set the SSL session ID
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
index f14c0490e9..dad9eab7ef 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by TJ Saunders <tj@castaglia.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_PROTOCOL_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_protocol_version
 .Nd get the session protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_protocol_version
diff --git a/src/lib/libssl/man/SSL_SESSION_get_time.3 b/src/lib/libssl/man/SSL_SESSION_get_time.3
index aaadec5137..28aeedf72c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_time.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_time.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.8 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_TIME 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_timeout
 .Nd retrieve and manipulate session time and timeout settings
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_SESSION_get_time "const SSL_SESSION *s"
diff --git a/src/lib/libssl/man/SSL_SESSION_has_ticket.3 b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
index 322b49feef..07b894c4f8 100644
--- a/src/lib/libssl/man/SSL_SESSION_has_ticket.3
+++ b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_HAS_TICKET 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ticket_lifetime_hint
 .Nd get details about the ticket associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_has_ticket
diff --git a/src/lib/libssl/man/SSL_SESSION_is_resumable.3 b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
index 48d7d17889..ddc037c1aa 100644
--- a/src/lib/libssl/man/SSL_SESSION_is_resumable.3
+++ b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.1 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_IS_RESUMABLE 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_is_resumable
 .Nd determine whether an SSL_SESSION object can be used for resumption
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_is_resumable
diff --git a/src/lib/libssl/man/SSL_SESSION_new.3 b/src/lib/libssl/man/SSL_SESSION_new.3
index 2dcdb264c1..182266a311 100644
--- a/src/lib/libssl/man/SSL_SESSION_new.3
+++ b/src/lib/libssl/man/SSL_SESSION_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_new.3,v 1.9 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_new.3,v 1.12 2025/10/24 13:18:22 tb Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,16 +14,20 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: October 24 2025 $
 .Dt SSL_SESSION_NEW 3
 .Os
 .Sh NAME
-.Nm SSL_SESSION_new
+.Nm SSL_SESSION_new ,
+.Nm SSL_SESSION_dup
 .Nd construct a new SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_SESSION_new void
+.Ft SSL_SESSION *
+.Fn SSL_SESSION_dup "const SSL_SESSION *src"
 .Sh DESCRIPTION
 .Fn SSL_SESSION_new
 allocates and initializes a new
@@ -38,9 +42,20 @@ When the object is no longer needed, it can be destructed with
 .Fn SSL_SESSION_new
 is used internally, for example by
 .Xr SSL_connect 3 .
+.Pp
+.Fn SSL_SESSION_dup
+creates a deep copy of
+.Fa src
+with the exception that
+the reference count is set to 1, that
+the peer certificate is shared with
+.Fa src ,
+and that the new session is not part of any session cache.
 .Sh RETURN VALUES
 .Fn SSL_SESSION_new
-returns the new
+and
+.Fn SSL_SESSION_dup
+return the new
 .Vt SSL_SESSION
 object or
 .Dv NULL
@@ -76,3 +91,7 @@ returns
 .Fn SSL_SESSION_new
 first appeared in SSLeay 0.5.2 and has been available since
 .Ox 2.4 .
+.Pp
+.Fn SSL_SESSION_dup
+first appeared in OpenSSL 1.1.1 and has been available since
+.Ox 7.9 .
diff --git a/src/lib/libssl/man/SSL_SESSION_print.3 b/src/lib/libssl/man/SSL_SESSION_print.3
index e92debde0e..65742140d0 100644
--- a/src/lib/libssl/man/SSL_SESSION_print.3
+++ b/src/lib/libssl/man/SSL_SESSION_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_print.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_print.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_SESSION_print_fp
 .Nd print some properties of an SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_print
diff --git a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
index dd7595baca..24f1de4fda 100644
--- a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
+++ b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_SET1_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_set1_id_context
 .Nd get and set the SSL ID context associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/man/SSL_accept.3 b/src/lib/libssl/man/SSL_accept.3
index fb1d89eb57..ecb757aaa5 100644
--- a/src/lib/libssl/man/SSL_accept.3
+++ b/src/lib/libssl/man/SSL_accept.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_accept.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_accept.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
 .Nm SSL_accept
 .Nd wait for a TLS/SSL client to initiate a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_accept "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_alert_type_string.3 b/src/lib/libssl/man/SSL_alert_type_string.3
index 354865e546..0f051cc0a6 100644
--- a/src/lib/libssl/man/SSL_alert_type_string.3
+++ b/src/lib/libssl/man/SSL_alert_type_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_alert_type_string.3,v 1.7 2024/10/13 08:25:09 jsg Exp $
+.\"     $OpenBSD: SSL_alert_type_string.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ALERT_TYPE_STRING 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_alert_desc_string_long
 .Nd get textual description of alert information
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_alert_type_string "int value"
diff --git a/src/lib/libssl/man/SSL_clear.3 b/src/lib/libssl/man/SSL_clear.3
index 809c3b20f4..5e4da1257f 100644
--- a/src/lib/libssl/man/SSL_clear.3
+++ b/src/lib/libssl/man/SSL_clear.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_clear.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CLEAR 3
 .Os
 .Sh NAME
 .Nm SSL_clear
 .Nd reset SSL object to allow another connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_clear "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_connect.3 b/src/lib/libssl/man/SSL_connect.3
index d5b962a480..a0cd8f8443 100644
--- a/src/lib/libssl/man/SSL_connect.3
+++ b/src/lib/libssl/man/SSL_connect.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_connect.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_connect.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CONNECT 3
 .Os
 .Sh NAME
 .Nm SSL_connect
 .Nd initiate the TLS/SSL handshake with a TLS/SSL server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_connect "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_copy_session_id.3 b/src/lib/libssl/man/SSL_copy_session_id.3
index a7a7a8aa99..75a52e8879 100644
--- a/src/lib/libssl/man/SSL_copy_session_id.3
+++ b/src/lib/libssl/man/SSL_copy_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_copy_session_id.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_copy_session_id.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COPY_SESSION_ID 3
 .Os
 .Sh NAME
 .Nm SSL_copy_session_id
 .Nd copy session details between SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_copy_session_id
diff --git a/src/lib/libssl/man/SSL_do_handshake.3 b/src/lib/libssl/man/SSL_do_handshake.3
index e9327b4229..78b41db2f4 100644
--- a/src/lib/libssl/man/SSL_do_handshake.3
+++ b/src/lib/libssl/man/SSL_do_handshake.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_do_handshake.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Martin Sjoegren <martin@strakt.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
 .Nm SSL_do_handshake
 .Nd perform a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_do_handshake "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_dup.3 b/src/lib/libssl/man/SSL_dup.3
index a83440b431..f7d999fb62 100644
--- a/src/lib/libssl/man/SSL_dup.3
+++ b/src/lib/libssl/man/SSL_dup.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup.3,v 1.5 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_dup.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP 3
 .Os
 .Sh NAME
 .Nm SSL_dup
 .Nd deep copy of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fo SSL_dup
diff --git a/src/lib/libssl/man/SSL_dup_CA_list.3 b/src/lib/libssl/man/SSL_dup_CA_list.3
index d073b07176..553c03bd8c 100644
--- a/src/lib/libssl/man/SSL_dup_CA_list.3
+++ b/src/lib/libssl/man/SSL_dup_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup_CA_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_dup_CA_list.3,v 1.7 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP_CA_LIST 3
 .Os
 .Sh NAME
@@ -22,6 +22,8 @@
 .Nd deep copy of a stack of X.509 Name objects
 .\" The capital "N" in "Name" is intentional (X.509 syntax).
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fo SSL_dup_CA_list
 .Fa "const STACK_OF(X509_NAME) *sk"
diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3
index e32a5c5d61..d3daa3a5a3 100644
--- a/src/lib/libssl/man/SSL_export_keying_material.3
+++ b/src/lib/libssl/man/SSL_export_keying_material.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_export_keying_material.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_export_keying_material.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a599574b Jun 28 17:18:27 2017 +0100
 .\"     OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_EXPORT_KEYING_MATERIAL 3
 .Os
 .Sh NAME
 .Nm SSL_export_keying_material
 .Nd obtain keying material for application use
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_export_keying_material
diff --git a/src/lib/libssl/man/SSL_free.3 b/src/lib/libssl/man/SSL_free.3
index c713ded121..b630bc8a2e 100644
--- a/src/lib/libssl/man/SSL_free.3
+++ b/src/lib/libssl/man/SSL_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_free.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_free
 .Nd free an allocated SSL structure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_free "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_SSL_CTX.3 b/src/lib/libssl/man/SSL_get_SSL_CTX.3
index 60fda555bc..eaf1b6ff11 100644
--- a/src/lib/libssl/man/SSL_get_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_get_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_get_SSL_CTX
 .Nd get the SSL_CTX from which an SSL is created
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_get_SSL_CTX "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_certificate.3 b/src/lib/libssl/man/SSL_get_certificate.3
index eb53ea49bf..72ae7ec541 100644
--- a/src/lib/libssl/man/SSL_get_certificate.3
+++ b/src/lib/libssl/man/SSL_get_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_certificate.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_certificate.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_privatekey
 .Nd get SSL certificate and private key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_get_certificate
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3
index 8030f0bbb1..d723f7959e 100644
--- a/src/lib/libssl/man/SSL_get_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $
+.\" $OpenBSD: SSL_get_ciphers.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 16 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CIPHERS 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm SSL_get_cipher_list
 .Nd get lists of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_CIPHER) *
 .Fn SSL_get_ciphers "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_client_CA_list.3 b/src/lib/libssl/man/SSL_get_client_CA_list.3
index e80e5cb6f5..8be7020489 100644
--- a/src/lib/libssl/man/SSL_get_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_get_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_client_CA_list
 .Nd get list of client CAs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_get_client_CA_list "const SSL *s"
diff --git a/src/lib/libssl/man/SSL_get_client_random.3 b/src/lib/libssl/man/SSL_get_client_random.3
index eda74db355..131972b688 100644
--- a/src/lib/libssl/man/SSL_get_client_random.3
+++ b/src/lib/libssl/man/SSL_get_client_random.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_get_client_random.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Nick Mathewson <nickm@torproject.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_RANDOM 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_master_key
 .Nd get internal TLS handshake random values and master key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fo SSL_get_client_random
diff --git a/src/lib/libssl/man/SSL_get_current_cipher.3 b/src/lib/libssl/man/SSL_get_current_cipher.3
index 6b951d03ca..37f6409023 100644
--- a/src/lib/libssl/man/SSL_get_current_cipher.3
+++ b/src/lib/libssl/man/SSL_get_current_cipher.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,17 +48,18 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CURRENT_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_get_current_cipher ,
 .Nm SSL_get_cipher ,
 .Nm SSL_get_cipher_name ,
-.Nm  SSL_get_cipher_bits ,
+.Nm SSL_get_cipher_bits ,
 .Nm SSL_get_cipher_version
 .Nd get SSL_CIPHER of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fn SSL_get_current_cipher "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_default_timeout.3 b/src/lib/libssl/man/SSL_get_default_timeout.3
index 47737d8ee0..ef119780a3 100644
--- a/src/lib/libssl/man/SSL_get_default_timeout.3
+++ b/src/lib/libssl/man/SSL_get_default_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_DEFAULT_TIMEOUT 3
 .Os
 .Sh NAME
 .Nm SSL_get_default_timeout
 .Nd get default session timeout value
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_default_timeout "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_error.3 b/src/lib/libssl/man/SSL_get_error.3
index 5d325b3f56..ba64b779ac 100644
--- a/src/lib/libssl/man/SSL_get_error.3
+++ b/src/lib/libssl/man/SSL_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_error.3,v 1.5 2018/04/29 07:37:01 guenther Exp $
+.\"     $OpenBSD: SSL_get_error.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Bodo Moeller <bodo@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_ERROR 3
 .Os
 .Sh NAME
 .Nm SSL_get_error
 .Nd obtain result code for TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_error "const SSL *ssl" "int ret"
diff --git a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
index a249cda6ac..234034ac2d 100644
--- a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.5 2022/02/06 00:29:02 jsg Exp $
+.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 6 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
 .Os
 .Sh NAME
 .Nm SSL_get_ex_data_X509_STORE_CTX_idx
 .Nd get ex_data index to access SSL structure from X509_STORE_CTX
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_ex_data_X509_STORE_CTX_idx void
diff --git a/src/lib/libssl/man/SSL_get_ex_new_index.3 b/src/lib/libssl/man/SSL_get_ex_new_index.3
index cecd25fa44..811df94fc7 100644
--- a/src/lib/libssl/man/SSL_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_get_fd.3 b/src/lib/libssl/man/SSL_get_fd.3
index 1e093424cb..3a7948d35f 100644
--- a/src/lib/libssl/man/SSL_get_fd.3
+++ b/src/lib/libssl/man/SSL_get_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_fd.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_fd.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_wfd
 .Nd get file descriptor linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_fd "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_finished.3 b/src/lib/libssl/man/SSL_get_finished.3
index 3cfb655ea0..e5c8a36cf6 100644
--- a/src/lib/libssl/man/SSL_get_finished.3
+++ b/src/lib/libssl/man/SSL_get_finished.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $
+.\" $OpenBSD: SSL_get_finished.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FINISHED 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_peer_finished
 .Nd get last sent or last expected finished message
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count"
diff --git a/src/lib/libssl/man/SSL_get_peer_cert_chain.3 b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
index eb2ae53dc4..c4f778aac6 100644
--- a/src/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERT_CHAIN 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_cert_chain
 .Nd get the X509 certificate chain sent by the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509) *
 .Fn SSL_get_peer_cert_chain "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_peer_certificate.3 b/src/lib/libssl/man/SSL_get_peer_certificate.3
index 99f9330288..9ac35a607d 100644
--- a/src/lib/libssl/man/SSL_get_peer_certificate.3
+++ b/src/lib/libssl/man/SSL_get_peer_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_certificate
 .Nd get the X509 certificate of the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fn SSL_get_peer_certificate "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_rbio.3 b/src/lib/libssl/man/SSL_get_rbio.3
index 38096fbecf..7179277f71 100644
--- a/src/lib/libssl/man/SSL_get_rbio.3
+++ b/src/lib/libssl/man/SSL_get_rbio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_rbio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_rbio.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_RBIO 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_wbio
 .Nd get BIO linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft BIO *
 .Fn SSL_get_rbio "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_server_tmp_key.3 b/src/lib/libssl/man/SSL_get_server_tmp_key.3
index aeeb358240..c55036d526 100644
--- a/src/lib/libssl/man/SSL_get_server_tmp_key.3
+++ b/src/lib/libssl/man/SSL_get_server_tmp_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SERVER_TMP_KEY 3
 .Os
 .Sh NAME
 .Nm SSL_get_server_tmp_key
 .Nd temporary server key during a handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_get_server_tmp_key
diff --git a/src/lib/libssl/man/SSL_get_session.3 b/src/lib/libssl/man/SSL_get_session.3
index 2ab43fdd3e..597888a0bd 100644
--- a/src/lib/libssl/man/SSL_get_session.3
+++ b/src/lib/libssl/man/SSL_get_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_session.3,v 1.8 2022/03/31 17:27:18 naddy Exp $
+.\"     $OpenBSD: SSL_get_session.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get1_session
 .Nd retrieve TLS/SSL session data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_get_session "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_shared_ciphers.3 b/src/lib/libssl/man/SSL_get_shared_ciphers.3
index 207e8c42eb..9011780527 100644
--- a/src/lib/libssl/man/SSL_get_shared_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_shared_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $
+.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SHARED_CIPHERS 3
 .Os
 .Sh NAME
 .Nm SSL_get_shared_ciphers
 .Nd ciphers supported by both client and server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft char *
 .Fo SSL_get_shared_ciphers
diff --git a/src/lib/libssl/man/SSL_get_state.3 b/src/lib/libssl/man/SSL_get_state.3
index 297bbce876..0e1a20e6f7 100644
--- a/src/lib/libssl/man/SSL_get_state.3
+++ b/src/lib/libssl/man/SSL_get_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_state.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_state.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_STATE 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm SSL_is_init_finished
 .Nd inspect the state of the SSL state machine
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_state
diff --git a/src/lib/libssl/man/SSL_get_verify_result.3 b/src/lib/libssl/man/SSL_get_verify_result.3
index 180cf1bb73..32a397f4a2 100644
--- a/src/lib/libssl/man/SSL_get_verify_result.3
+++ b/src/lib/libssl/man/SSL_get_verify_result.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_verify_result.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_verify_result.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_get_verify_result
 .Nd get result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_verify_result "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_version.3 b/src/lib/libssl/man/SSL_get_version.3
index a6cefb055b..d32dd34e0e 100644
--- a/src/lib/libssl/man/SSL_get_version.3
+++ b/src/lib/libssl/man/SSL_get_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $
+.\" $OpenBSD: SSL_get_version.3,v 1.10 2025/06/08 22:49:42 schwarze Exp $
 .\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,21 +49,16 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_get_version ,
 .Nm SSL_is_dtls ,
 .Nm SSL_version
-.\" The following are intentionally undocumented because
-.\" - the longer term plan is to remove them
-.\" - nothing appears to be using them in the wild
-.\" - and they have the wrong namespace prefix
-.\" Nm TLS1_get_version
-.\" Nm TLS1_get_client_version
 .Nd get the protocol information of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_get_version "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_library_init.3 b/src/lib/libssl/man/SSL_library_init.3
index 053c1e6fcb..d25a248617 100644
--- a/src/lib/libssl/man/SSL_library_init.3
+++ b/src/lib/libssl/man/SSL_library_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_library_init.3,v 1.7 2019/06/14 13:41:31 schwarze Exp $
+.\"     $OpenBSD: SSL_library_init.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LIBRARY_INIT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSLeay_add_ssl_algorithms
 .Nd initialize SSL library by registering algorithms
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_library_init void
diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3
index f782d96dce..e57900c941 100644
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ b/src/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LOAD_CLIENT_CA_FILE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_add_dir_cert_subjects_to_stack
 .Nd load certificate names from files
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_load_client_CA_file "const char *file"
diff --git a/src/lib/libssl/man/SSL_new.3 b/src/lib/libssl/man/SSL_new.3
index 22c5dbf2db..3906a346d7 100644
--- a/src/lib/libssl/man/SSL_new.3
+++ b/src/lib/libssl/man/SSL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_new.3,v 1.7 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_new.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_up_ref
 .Nd create a new SSL structure for a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fn SSL_new "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_num_renegotiations.3 b/src/lib/libssl/man/SSL_num_renegotiations.3
index 6a81b76a60..d366f97c4a 100644
--- a/src/lib/libssl/man/SSL_num_renegotiations.3
+++ b/src/lib/libssl/man/SSL_num_renegotiations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_num_renegotiations.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_num_renegotiations.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NUM_RENEGOTIATIONS 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_total_renegotiations
 .Nd renegotiation counters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_num_renegotiations
diff --git a/src/lib/libssl/man/SSL_pending.3 b/src/lib/libssl/man/SSL_pending.3
index bbc2e9bdd2..c304302ed8 100644
--- a/src/lib/libssl/man/SSL_pending.3
+++ b/src/lib/libssl/man/SSL_pending.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $
+.\"     $OpenBSD: SSL_pending.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 23 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_PENDING 3
 .Os
 .Sh NAME
 .Nm SSL_pending
 .Nd obtain number of readable bytes buffered in an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_pending "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_read.3 b/src/lib/libssl/man/SSL_read.3
index bb72a8ed82..3d42fd8a90 100644
--- a/src/lib/libssl/man/SSL_read.3
+++ b/src/lib/libssl/man/SSL_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read.3,v 1.8 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_read.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 5a2443ae Nov 14 11:37:36 2016 +0000
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_peek
 .Nd read bytes from a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_read_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
index 1435c15935..d36b1e49f7 100644
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read_early_data.3,v 1.4 2021/11/26 13:48:22 jsg Exp $
+.\" $OpenBSD: SSL_read_early_data.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ_EARLY_DATA 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm SSL_get_early_data_status
 .Nd transmit application data during the handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_max_early_data
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
index 8188d37323..badfe8c6cb 100644
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ b/src/lib/libssl/man/SSL_renegotiate.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_renegotiate.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_renegotiate.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RENEGOTIATE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_renegotiate_pending
 .Nd initiate a new TLS handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_renegotiate
diff --git a/src/lib/libssl/man/SSL_rstate_string.3 b/src/lib/libssl/man/SSL_rstate_string.3
index 99613ba3c0..624c1b08ab 100644
--- a/src/lib/libssl/man/SSL_rstate_string.3
+++ b/src/lib/libssl/man/SSL_rstate_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_rstate_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_rstate_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RSTATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_rstate_string_long
 .Nd get textual description of state of an SSL object during read operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_rstate_string "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_session_reused.3 b/src/lib/libssl/man/SSL_session_reused.3
index add61a904b..3340144660 100644
--- a/src/lib/libssl/man/SSL_session_reused.3
+++ b/src/lib/libssl/man/SSL_session_reused.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_session_reused.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_session_reused.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_REUSED 3
 .Os
 .Sh NAME
 .Nm SSL_session_reused
 .Nd query whether a reused session was negotiated during handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_session_reused "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set1_host.3 b/src/lib/libssl/man/SSL_set1_host.3
index 2a3935c3f2..2c6cdbe5a1 100644
--- a/src/lib/libssl/man/SSL_set1_host.3
+++ b/src/lib/libssl/man/SSL_set1_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $
+.\" $OpenBSD: SSL_set1_host.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file was written by Viktor Dukhovni <viktor@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_HOST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get0_peername
 .Nd SSL server verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_set1_host
diff --git a/src/lib/libssl/man/SSL_set1_param.3 b/src/lib/libssl/man/SSL_set1_param.3
index cd8ad40ad0..2d255a0991 100644
--- a/src/lib/libssl/man/SSL_set1_param.3
+++ b/src/lib/libssl/man/SSL_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_param.3,v 1.6 2022/09/10 10:22:46 jsg Exp $
+.\" $OpenBSD: SSL_set1_param.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set1_param
 .Nd get and set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509_VERIFY_PARAM *
 .Fo SSL_CTX_get0_param
diff --git a/src/lib/libssl/man/SSL_set_SSL_CTX.3 b/src/lib/libssl/man/SSL_set_SSL_CTX.3
index 2abaefb292..3a909dabe6 100644
--- a/src/lib/libssl/man/SSL_set_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_set_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.4 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_set_SSL_CTX
 .Nd modify an SSL connection object to use another context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fo SSL_set_SSL_CTX
diff --git a/src/lib/libssl/man/SSL_set_bio.3 b/src/lib/libssl/man/SSL_set_bio.3
index e727f442d6..98ce9a7080 100644
--- a/src/lib/libssl/man/SSL_set_bio.3
+++ b/src/lib/libssl/man/SSL_set_bio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $
+.\"     $OpenBSD: SSL_set_bio.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_BIO 3
 .Os
 .Sh NAME
 .Nm SSL_set_bio
 .Nd connect the SSL object with a BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_bio "SSL *ssl" "BIO *rbio" "BIO *wbio"
diff --git a/src/lib/libssl/man/SSL_set_connect_state.3 b/src/lib/libssl/man/SSL_set_connect_state.3
index c2072c4370..b7d126d046 100644
--- a/src/lib/libssl/man/SSL_set_connect_state.3
+++ b/src/lib/libssl/man/SSL_set_connect_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_connect_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: SSL_set_connect_state.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_CONNECT_STATE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_is_server
 .Nd prepare SSL object to work in client or server mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_connect_state "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set_fd.3 b/src/lib/libssl/man/SSL_set_fd.3
index 7b9727e9ad..3c4441e677 100644
--- a/src/lib/libssl/man/SSL_set_fd.3
+++ b/src/lib/libssl/man/SSL_set_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_fd.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_fd.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_wfd
 .Nd connect the SSL object with a file descriptor
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_fd "SSL *ssl" "int fd"
diff --git a/src/lib/libssl/man/SSL_set_max_send_fragment.3 b/src/lib/libssl/man/SSL_set_max_send_fragment.3
index 7de087a743..d5265ebb74 100644
--- a/src/lib/libssl/man/SSL_set_max_send_fragment.3
+++ b/src/lib/libssl/man/SSL_set_max_send_fragment.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod
 .\"     OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_MAX_SEND_FRAGMENT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_max_send_fragment
 .Nd control fragment sizes
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_max_send_fragment
diff --git a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3 b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
index 7f2bfcc010..d53f5b97c9 100644
--- a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
+++ b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.1 2021/09/14 14:30:57 schwarze Exp $
+.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL man3/SSL_CTX_set_psk_client_callback.pod
 .\" checked up to 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_PSK_USE_SESSION_CALLBACK 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_psk_use_session_cb_func
 .Nd set TLS pre-shared key client callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*SSL_psk_use_session_cb_func)
diff --git a/src/lib/libssl/man/SSL_set_session.3 b/src/lib/libssl/man/SSL_set_session.3
index 7d85f5ad0c..db3fc6a85c 100644
--- a/src/lib/libssl/man/SSL_set_session.3
+++ b/src/lib/libssl/man/SSL_set_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_session.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_session.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SESSION 3
 .Os
 .Sh NAME
 .Nm SSL_set_session
 .Nd set a TLS/SSL session to be used during TLS/SSL connect
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_session "SSL *ssl" "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_set_shutdown.3 b/src/lib/libssl/man/SSL_set_shutdown.3
index ef8c004f76..1c1d59e927 100644
--- a/src/lib/libssl/man/SSL_set_shutdown.3
+++ b/src/lib/libssl/man/SSL_set_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_shutdown.3,v 1.7 2024/12/19 06:45:21 jmc Exp $
+.\"     $OpenBSD: SSL_set_shutdown.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_shutdown
 .Nd manipulate shutdown state of an SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_shutdown "SSL *ssl" "int mode"
diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
index 8fd2d9fd5b..0794efdfb7 100644
--- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3
+++ b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.6 2021/11/30 15:58:08 jsing Exp $
+.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_TMP_ECDH 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm SSL_CTX_set_tmp_ecdh_callback
 .Nd select a curve for ECDH ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_set_tmp_ecdh
diff --git a/src/lib/libssl/man/SSL_set_verify_result.3 b/src/lib/libssl/man/SSL_set_verify_result.3
index 4b7cc6ec3c..f43d375bc9 100644
--- a/src/lib/libssl/man/SSL_set_verify_result.3
+++ b/src/lib/libssl/man/SSL_set_verify_result.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $
+.\"     $OpenBSD: SSL_set_verify_result.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_set_verify_result
 .Nd override result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_verify_result "SSL *ssl" "long verify_result"
diff --git a/src/lib/libssl/man/SSL_shutdown.3 b/src/lib/libssl/man/SSL_shutdown.3
index bfb1e91ea7..ad49a47d8e 100644
--- a/src/lib/libssl/man/SSL_shutdown.3
+++ b/src/lib/libssl/man/SSL_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_shutdown.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_shutdown.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SHUTDOWN 3
 .Os
 .Sh NAME
 .Nm SSL_shutdown
 .Nd shut down a TLS/SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_shutdown "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_state_string.3 b/src/lib/libssl/man/SSL_state_string.3
index 1070335448..d202056eec 100644
--- a/src/lib/libssl/man/SSL_state_string.3
+++ b/src/lib/libssl/man/SSL_state_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_state_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_state_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_STATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_state_string_long
 .Nd get textual description of state of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_state_string "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_want.3 b/src/lib/libssl/man/SSL_want.3
index 24e8645ba8..c7c2ee4885 100644
--- a/src/lib/libssl/man/SSL_want.3
+++ b/src/lib/libssl/man/SSL_want.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_want.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_want.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WANT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_want_x509_lookup
 .Nd obtain state information TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_want "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_write.3 b/src/lib/libssl/man/SSL_write.3
index 2c6fbcef08..54d0953e82 100644
--- a/src/lib/libssl/man/SSL_write.3
+++ b/src/lib/libssl/man/SSL_write.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_write.3,v 1.7 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_write.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WRITE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_write
 .Nd write bytes to a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_write_ex "SSL *ssl" "const void *buf" "size_t num" "size_t *written"
diff --git a/src/lib/libssl/man/d2i_SSL_SESSION.3 b/src/lib/libssl/man/d2i_SSL_SESSION.3
index 7a2bc529ab..6b0dfc86b9 100644
--- a/src/lib/libssl/man/d2i_SSL_SESSION.3
+++ b/src/lib/libssl/man/d2i_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.7 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm i2d_SSL_SESSION
 .Nd convert SSL_SESSION object from/to ASN1 representation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft  SSL_SESSION *
 .Fn d2i_SSL_SESSION "SSL_SESSION **a" "const unsigned char **pp" "long length"
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 86b32aec15..bcf26bec40 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.257 2024/07/23 14:40:53 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.258 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1286,6 +1286,7 @@ ssl3_free(SSL *s)
         sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
         sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
         tls_key_share_free(s->s3->hs.key_share);
+        tls_key_share_free(s->s3->hs.tls13.key_share);
 
         tls13_secrets_destroy(s->s3->hs.tls13.secrets);
         freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
@@ -1337,6 +1338,8 @@ ssl3_clear(SSL *s)
 
         tls_key_share_free(s->s3->hs.key_share);
         s->s3->hs.key_share = NULL;
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
 
         tls13_secrets_destroy(s->s3->hs.tls13.secrets);
         s->s3->hs.tls13.secrets = NULL;
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index c2665004b4..dc886efa77 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=59
-minor=1
+major=60
+minor=2
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e8a11ebdb9..48cb6256df 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.248 2025/04/18 07:34:01 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.249 2025/10/24 11:36:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1199,6 +1199,7 @@ int SSL_SESSION_is_resumable(const SSL_SESSION *s);
 
 SSL_SESSION *SSL_SESSION_new(void);
 void    SSL_SESSION_free(SSL_SESSION *ses);
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
 int     SSL_SESSION_up_ref(SSL_SESSION *ss);
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss,
             unsigned int *len);
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 0d3dcf78af..22469ce346 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.169 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.170 2025/12/04 21:03:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1195,7 +1195,7 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
                 }
                 goto err;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, cbs,
             &decode_error, &invalid_key)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1264,7 +1264,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
         if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
                 goto err;
 
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, &public,
             &decode_error, NULL)) {
                 if (decode_error)
                         goto decode_err;
@@ -1859,7 +1859,7 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
                 goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                 goto err;
         if (!tls_key_share_public(s->s3->hs.key_share, cbb))
                 goto err;
@@ -1898,7 +1898,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
                 goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                 goto err;
 
         if (!CBB_add_u8_length_prefixed(cbb, &public))
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ce68981493..630724e670 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.333 2025/06/09 10:14:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1298,7 +1298,7 @@ SSL_shutdown(SSL *s)
                 return (-1);
         }
 
-        if (s != NULL && !SSL_in_init(s))
+        if (!SSL_in_init(s))
                 return (s->method->ssl_shutdown(s));
 
         return (1);
@@ -3008,8 +3008,9 @@ SSL_dup(SSL *s)
 
         /* Dup the client_CA list */
         if (s->client_CA != NULL) {
-                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
-                        ret->client_CA = sk;
+                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL)
+                        goto err;
+                ret->client_CA = sk;
                 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
                         xn = sk_X509_NAME_value(sk, i);
                         if (sk_X509_NAME_set(sk, i,
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index acb87f8650..7942c36dbd 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.33 2025/05/10 06:04:36 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.35 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -490,6 +490,9 @@ typedef struct ssl_handshake_tls13_st {
         /* Certificate selected for use (static pointer). */
         const SSL_CERT_PKEY *cpk;
 
+        /* Client's extra predicted key share */
+        struct tls_key_share *key_share;
+
         /* Version proposed by peer server. */
         uint16_t server_version;
 
@@ -1240,7 +1243,7 @@ int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
 int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
 int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
 
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket);
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int include_ticket);
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
     int *alert);
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 6c8a2be3d3..1490e10ba4 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.51 2023/12/30 06:25:56 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.53 2025/08/14 15:55:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a5cfc33c04..7f16061b48 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.129 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.131 2025/10/24 11:36:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -247,7 +247,7 @@ SSL_SESSION_new(void)
 LSSL_ALIAS(SSL_SESSION_new);
 
 SSL_SESSION *
-ssl_session_dup(SSL_SESSION *sess, int include_ticket)
+ssl_session_dup(const SSL_SESSION *sess, int include_ticket)
 {
         SSL_SESSION *copy;
         CBS cbs;
@@ -313,7 +313,7 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
                 goto err;
 
         if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
-            &sess->ex_data))
+            (CRYPTO_EX_DATA *)&sess->ex_data))
                 goto err;
 
         /* Omit prev/next: the new session gets its own slot in the cache. */
@@ -345,6 +345,13 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
         return NULL;
 }
 
+SSL_SESSION *
+SSL_SESSION_dup(const SSL_SESSION *src)
+{
+        return ssl_session_dup(src, 1);
+}
+LSSL_ALIAS(SSL_SESSION_dup);
+
 const unsigned char *
 SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len)
 {
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index db4ba38b51..ef93e283de 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.166 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.167 2025/12/04 21:03:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1357,7 +1357,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                         goto err;
         }
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                 goto err;
 
         if (!tls_key_share_params(s->s3->hs.key_share, cbb))
@@ -1393,7 +1393,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
         if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                 goto err;
 
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                 goto err;
 
         /*
@@ -1744,7 +1744,7 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
                 goto err;
         }
 
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, cbs,
             &decode_error, &invalid_key)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1792,7 +1792,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                 goto err;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, &public,
             &decode_error, NULL)) {
                 if (decode_error) {
                         SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
index b19944ca83..9966217ca3 100644
--- a/src/lib/libssl/ssl_stat.c
+++ b/src/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_stat.c,v 1.23 2024/10/12 03:54:18 tb Exp $ */
+/* $OpenBSD: ssl_stat.c,v 1.24 2025/05/22 08:25:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -438,72 +438,7 @@ LSSL_ALIAS(SSL_alert_type_string);
 const char *
 SSL_alert_desc_string(int value)
 {
-        switch (value & 0xff) {
-        case SSL_AD_CLOSE_NOTIFY:
-                return "CN";
-        case SSL_AD_UNEXPECTED_MESSAGE:
-                return "UM";
-        case SSL_AD_BAD_RECORD_MAC:
-                return "BM";
-        case SSL_AD_RECORD_OVERFLOW:
-                return "RO";
-        case SSL_AD_DECOMPRESSION_FAILURE:
-                return "DF";
-        case SSL_AD_HANDSHAKE_FAILURE:
-                return "HF";
-        case SSL_AD_BAD_CERTIFICATE:
-                return "BC";
-        case SSL_AD_UNSUPPORTED_CERTIFICATE:
-                return "UC";
-        case SSL_AD_CERTIFICATE_REVOKED:
-                return "CR";
-        case SSL_AD_CERTIFICATE_EXPIRED:
-                return "CE";
-        case SSL_AD_CERTIFICATE_UNKNOWN:
-                return "CU";
-        case SSL_AD_ILLEGAL_PARAMETER:
-                return "IP";
-        case SSL_AD_UNKNOWN_CA:
-                return "CA";
-        case SSL_AD_ACCESS_DENIED:
-                return "AD";
-        case SSL_AD_DECODE_ERROR:
-                return "DE";
-        case SSL_AD_DECRYPT_ERROR:
-                return "CY";
-        case SSL_AD_PROTOCOL_VERSION:
-                return "PV";
-        case SSL_AD_INSUFFICIENT_SECURITY:
-                return "IS";
-        case SSL_AD_INTERNAL_ERROR:
-                return "IE";
-        case SSL_AD_INAPPROPRIATE_FALLBACK:
-                return "IF";
-        case SSL_AD_USER_CANCELLED:
-                return "US";
-        case SSL_AD_NO_RENEGOTIATION:
-                return "NR";
-        case SSL_AD_MISSING_EXTENSION:
-                return "ME";
-        case SSL_AD_UNSUPPORTED_EXTENSION:
-                return "UE";
-        case SSL_AD_CERTIFICATE_UNOBTAINABLE:
-                return "CO";
-        case SSL_AD_UNRECOGNIZED_NAME:
-                return "UN";
-        case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
-                return "BR";
-        case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
-                return "BH";
-        case SSL_AD_UNKNOWN_PSK_IDENTITY:
-                return "UP";
-        case SSL_AD_CERTIFICATE_REQUIRED:
-                return "CQ"; /* XXX */
-        case SSL_AD_NO_APPLICATION_PROTOCOL:
-                return "AP";
-        default:
-                return "UK";
-        }
+        return "!!";
 }
 LSSL_ALIAS(SSL_alert_desc_string);
 
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 57efb75d32..d879b3304e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.155 2025/04/30 13:50:50 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
 static int
 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        CBB client_shares, key_exchange;
+        CBB client_shares, key_exchange, key_exchange2;
 
         if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                 return 0;
@@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
         if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
                 return 0;
 
+        /*
+         * We wish to include a second key share prediction in a TLS 1.3 client
+         * hello if we have more than one preferred group. We never wish to do
+         * this in response to a server selected group (Either from a TLS 1.2
+         * server, or from a hello retry request after having negotiated TLS
+         * 1.3).
+         *
+         * Therefore we only do this if we have not yet negotiated
+         * a version, and our max version could negotiate TLS 1.3.
+         */
+        if (s->s3->hs.negotiated_tls_version == 0 &&
+            s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                if (s->s3->hs.tls13.key_share != NULL) {
+                        if (!CBB_add_u16(&client_shares,
+                            tls_key_share_group(s->s3->hs.tls13.key_share)))
+                                return 0;
+                        if (!CBB_add_u16_length_prefixed(&client_shares,
+                            &key_exchange2))
+                                return 0;
+                        if (!tls_key_share_public(s->s3->hs.tls13.key_share,
+                            &key_exchange2))
+                                return 0;
+                }
+        }
+
         if (!CBB_flush(cbb))
                 return 0;
 
@@ -1523,7 +1548,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         *alert = SSL_AD_INTERNAL_ERROR;
                         return 0;
                 }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                     &key_exchange, &decode_error, NULL)) {
                         if (!decode_error)
                                 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1554,6 +1579,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 for (j = 0; j < server_groups_len; j++) {
                         if (server_groups[j] == client_groups[i]) {
                                 client_preferred_group = client_groups[i];
+                                s->s3->hs.tls13.server_group = client_preferred_group;
                                 preferred_group_found = 1;
                                 break;
                         }
@@ -1613,7 +1639,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                         *alert = SSL_AD_INTERNAL_ERROR;
                         return 0;
                 }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                     &key_exchange, &decode_error, NULL)) {
                         if (!decode_error)
                                 *alert = SSL_AD_INTERNAL_ERROR;
@@ -1686,11 +1712,33 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                 *alert = SSL_AD_INTERNAL_ERROR;
                 return 0;
         }
+
+        if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION &&
+            tls_key_share_group(s->s3->hs.key_share) != group &&
+            s->s3->hs.tls13.key_share != NULL &&
+            tls_key_share_group(s->s3->hs.tls13.key_share) == group) {
+                /*
+                 * Server chose our second key share prediction, switch to it,
+                 * and discard the first one.
+                 */
+                tls_key_share_free(s->s3->hs.key_share);
+                s->s3->hs.key_share = s->s3->hs.tls13.key_share;
+                s->s3->hs.tls13.key_share = NULL;
+        }
+
         if (tls_key_share_group(s->s3->hs.key_share) != group) {
                 *alert = SSL_AD_INTERNAL_ERROR;
                 return 0;
         }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share,
+
+        /*
+         * Discard our now unused second key share prediction if we had made one
+         * with our initial 1.3 client hello
+         */
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
+
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
             &key_exchange, &decode_error, NULL)) {
                 if (!decode_error)
                         *alert = SSL_AD_INTERNAL_ERROR;
@@ -2414,8 +2462,8 @@ tlsext_randomize_build_order(SSL *s)
         free(s->tlsext_build_order);
         s->tlsext_build_order_len = 0;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
-            N_TLS_EXTENSIONS)) == NULL)
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
+            sizeof(*s->tlsext_build_order))) == NULL)
                 return 0;
         s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
@@ -2443,8 +2491,8 @@ tlsext_linearize_build_order(SSL *s)
         free(s->tlsext_build_order);
         s->tlsext_build_order_len = 0;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
-            N_TLS_EXTENSIONS)) == NULL)
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
+            sizeof(*s->tlsext_build_order))) == NULL)
                 return 0;
         s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b200f78098..912bea592a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.207 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -151,6 +151,7 @@ tls1_clear(SSL *s)
 }
 
 struct supported_group {
+        uint16_t group_id;
         int nid;
         int bits;
 };
@@ -160,122 +161,156 @@ struct supported_group {
  * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
  */
 static const struct supported_group nid_list[] = {
-        [1] = {
+        {
+                .group_id = 1,
                 .nid = NID_sect163k1,
                 .bits = 80,
         },
-        [2] = {
+        {
+                .group_id = 2,
                 .nid = NID_sect163r1,
                 .bits = 80,
         },
-        [3] = {
+        {
+                .group_id = 3,
                 .nid = NID_sect163r2,
                 .bits = 80,
         },
-        [4] = {
+        {
+                .group_id = 4,
                 .nid = NID_sect193r1,
                 .bits = 80,
         },
-        [5] = {
+        {
+                .group_id = 5,
                 .nid = NID_sect193r2,
                 .bits = 80,
         },
-        [6] = {
+        {
+                .group_id = 6,
                 .nid = NID_sect233k1,
                 .bits = 112,
         },
-        [7] = {
+        {
+                .group_id = 7,
                 .nid = NID_sect233r1,
                 .bits = 112,
         },
-        [8] = {
+        {
+                .group_id = 8,
                 .nid = NID_sect239k1,
                 .bits = 112,
         },
-        [9] = {
+        {
+                .group_id = 9,
                 .nid = NID_sect283k1,
                 .bits = 128,
         },
-        [10] = {
+        {
+                .group_id = 10,
                 .nid = NID_sect283r1,
                 .bits = 128,
         },
-        [11] = {
+        {
+                .group_id = 11,
                 .nid = NID_sect409k1,
                 .bits = 192,
         },
-        [12] = {
+        {
+                .group_id = 12,
                 .nid = NID_sect409r1,
                 .bits = 192,
         },
-        [13] = {
+        {
+                .group_id = 13,
                 .nid = NID_sect571k1,
                 .bits = 256,
         },
-        [14] = {
+        {
+                .group_id = 14,
                 .nid = NID_sect571r1,
                 .bits = 256,
         },
-        [15] = {
+        {
+                .group_id = 15,
                 .nid = NID_secp160k1,
                 .bits = 80,
         },
-        [16] = {
+        {
+                .group_id = 16,
                 .nid = NID_secp160r1,
                 .bits = 80,
         },
-        [17] = {
+        {
+                .group_id = 17,
                 .nid = NID_secp160r2,
                 .bits = 80,
         },
-        [18] = {
+        {
+                .group_id = 18,
                 .nid = NID_secp192k1,
                 .bits = 80,
         },
-        [19] = {
+        {
+                .group_id = 19,
                 .nid = NID_X9_62_prime192v1,    /* aka secp192r1 */
                 .bits = 80,
         },
-        [20] = {
+        {
+                .group_id = 20,
                 .nid = NID_secp224k1,
                 .bits = 112,
         },
-        [21] = {
+        {
+                .group_id = 21,
                 .nid = NID_secp224r1,
                 .bits = 112,
         },
-        [22] = {
+        {
+                .group_id = 22,
                 .nid = NID_secp256k1,
                 .bits = 128,
         },
-        [23] = {
+        {
+                .group_id = 23,
                 .nid = NID_X9_62_prime256v1,    /* aka secp256r1 */
                 .bits = 128,
         },
-        [24] = {
+        {
+                .group_id = 24,
                 .nid = NID_secp384r1,
                 .bits = 192,
         },
-        [25] = {
+        {
+                .group_id = 25,
                 .nid = NID_secp521r1,
                 .bits = 256,
         },
-        [26] = {
+        {
+                .group_id = 26,
                 .nid = NID_brainpoolP256r1,
                 .bits = 128,
         },
-        [27] = {
+        {
+                .group_id = 27,
                 .nid = NID_brainpoolP384r1,
                 .bits = 192,
         },
-        [28] = {
+        {
+                .group_id = 28,
                 .nid = NID_brainpoolP512r1,
                 .bits = 256,
         },
-        [29] = {
+        {
+                .group_id = 29,
                 .nid = NID_X25519,
                 .bits = 128,
         },
+        {
+                .group_id = 4588,
+                .nid = NID_X25519MLKEM768,
+                .bits = 128,
+        },
 };
 
 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
@@ -292,41 +327,21 @@ static const uint8_t ecformats_default[] = {
         TLSEXT_ECPOINTFORMAT_uncompressed,
 };
 
-#if 0
-static const uint16_t ecgroups_list[] = {
+static const uint16_t ecgroups_tls12_client_default[] = {
         29,                     /* X25519 (29) */
-        14,                     /* sect571r1 (14) */
-        13,                     /* sect571k1 (13) */
-        25,                     /* secp521r1 (25) */
-        28,                     /* brainpoolP512r1 (28) */
-        11,                     /* sect409k1 (11) */
-        12,                     /* sect409r1 (12) */
-        27,                     /* brainpoolP384r1 (27) */
+        23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
-        9,                      /* sect283k1 (9) */
-        10,                     /* sect283r1 (10) */
-        26,                     /* brainpoolP256r1 (26) */
-        22,                     /* secp256k1 (22) */
+        25,                     /* secp521r1 (25) */
+};
+
+static const uint16_t ecgroups_tls12_server_default[] = {
+        29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
-        8,                      /* sect239k1 (8) */
-        6,                      /* sect233k1 (6) */
-        7,                      /* sect233r1 (7) */
-        20,                     /* secp224k1 (20) */
-        21,                     /* secp224r1 (21) */
-        4,                      /* sect193r1 (4) */
-        5,                      /* sect193r2 (5) */
-        18,                     /* secp192k1 (18) */
-        19,                     /* secp192r1 (19) */
-        1,                      /* sect163k1 (1) */
-        2,                      /* sect163r1 (2) */
-        3,                      /* sect163r2 (3) */
-        15,                     /* secp160k1 (15) */
-        16,                     /* secp160r1 (16) */
-        17,                     /* secp160r2 (17) */
+        24,                     /* secp384r1 (24) */
 };
-#endif
 
 static const uint16_t ecgroups_client_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
@@ -334,23 +349,47 @@ static const uint16_t ecgroups_client_default[] = {
 };
 
 static const uint16_t ecgroups_server_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
         29,                     /* X25519 (29) */
         23,                     /* secp256r1 (23) */
         24,                     /* secp384r1 (24) */
 };
 
+static const struct supported_group *
+tls1_supported_group_by_id(uint16_t group_id)
+{
+        int i;
+
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (group_id == nid_list[i].group_id)
+                        return &nid_list[i];
+        }
+
+        return NULL;
+}
+
+static const struct supported_group *
+tls1_supported_group_by_nid(int nid)
+{
+        int i;
+
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (nid == nid_list[i].nid)
+                        return &nid_list[i];
+        }
+
+        return NULL;
+}
+
 int
 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 {
-        int nid;
-
-        if (group_id >= NID_LIST_LEN)
-                return 0;
+        const struct supported_group *sg;
 
-        if ((nid = nid_list[group_id].nid) == 0)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                 return 0;
 
-        *out_nid = nid;
+        *out_nid = sg->nid;
 
         return 1;
 }
@@ -358,15 +397,12 @@ tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 int
 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 {
-        int bits;
+        const struct supported_group *sg;
 
-        if (group_id >= NID_LIST_LEN)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                 return 0;
 
-        if ((bits = nid_list[group_id].bits) == 0)
-                return 0;
-
-        *out_bits = bits;
+        *out_bits = sg->bits;
 
         return 1;
 }
@@ -374,19 +410,14 @@ tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 int
 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
 {
-        uint16_t group_id;
+        const struct supported_group *sg;
 
-        if (nid == 0)
+        if ((sg = tls1_supported_group_by_nid(nid)) == NULL)
                 return 0;
 
-        for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
-                if (nid_list[group_id].nid == nid) {
-                        *out_group_id = group_id;
-                        return 1;
-                }
-        }
+        *out_group_id = sg->group_id;
 
-        return 0;
+        return 1;
 }
 
 /*
@@ -433,11 +464,21 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
                 return;
 
         if (!s->server) {
-                *pgroups = ecgroups_client_default;
-                *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                        *pgroups = ecgroups_client_default;
+                        *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_client_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_client_default) / 2;
+                }
         } else {
-                *pgroups = ecgroups_server_default;
-                *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                        *pgroups = ecgroups_server_default;
+                        *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_server_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_server_default) / 2;
+                }
         }
 }
 
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 901b38f860..21d3960796 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.106 2025/12/04 21:16:17 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -53,9 +53,21 @@ tls13_client_init(struct tls13_ctx *ctx)
                 return 0;
         if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
+        /*
+         * Generate a second key share prediction if we have another
+         * supported group
+         */
+        if (groups_len > 1) {
+                if ((ctx->hs->tls13.key_share = tls_key_share_new(groups[1])) ==
+                    NULL)
+                        return 0;
+                if (!tls_key_share_client_generate(ctx->hs->tls13.key_share))
+                        return 0;
+        }
+
         arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
 
         /*
@@ -450,7 +462,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
         if ((ctx->hs->key_share =
             tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                 return 0;
 
         if (!tls13_client_hello_build(ctx, cbb))
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 331a3ad1a7..c3470b2931 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.78 2025/06/07 10:25:12 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -538,7 +538,7 @@ tls13_ctx_new(int mode, SSL *ssl)
 {
         struct tls13_ctx *ctx = NULL;
 
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
                 goto err;
 
         ctx->hs = &ssl->s3->hs;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 63b7d92093..604dab4cba 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.112 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -327,7 +327,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 }
 
 static int
-tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
+tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 {
         uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
         const uint8_t *server_random;
@@ -338,7 +338,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
         cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
         server_random = s->s3->server_random;
 
-        if (hrr) {
+        if (ctx->hs->tls13.hrr) {
                 server_random = tls13_hello_retry_request_hash;
                 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
         }
@@ -437,8 +437,6 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 int
 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        int nid;
-
         ctx->hs->tls13.hrr = 1;
 
         if (!tls13_synthetic_handshake_message(ctx))
@@ -446,12 +444,10 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 
         if (ctx->hs->key_share != NULL)
                 return 0;
-        if (!tls1_get_supported_group(ctx->ssl, &nid))
-                return 0;
-        if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
+        if (ctx->hs->tls13.server_group == 0)
                 return 0;
 
-        if (!tls13_server_hello_build(ctx, cbb, 1))
+        if (!tls13_server_hello_build(ctx, cbb))
                 return 0;
 
         return 1;
@@ -506,14 +502,12 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
         if (ctx->hs->key_share == NULL)
                 return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_server_generate(ctx->hs->key_share))
                 return 0;
         if (!tls13_servername_process(ctx))
                 return 0;
 
-        ctx->hs->tls13.server_group = 0;
-
-        if (!tls13_server_hello_build(ctx, cbb, 0))
+        if (!tls13_server_hello_build(ctx, cbb))
                 return 0;
 
         return 1;
diff --git a/src/lib/libssl/tls_internal.h b/src/lib/libssl/tls_internal.h
index 84edde8474..3d8d6aa940 100644
--- a/src/lib/libssl/tls_internal.h
+++ b/src/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2022/11/10 18:06:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2025/12/04 21:03:42 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -85,12 +85,15 @@ int tls_key_share_nid(struct tls_key_share *ks);
 void tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits);
 int tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params);
 int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey);
-int tls_key_share_generate(struct tls_key_share *ks);
+int tls_key_share_client_generate(struct tls_key_share *ks);
+int tls_key_share_server_generate(struct tls_key_share *ks);
 int tls_key_share_params(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_public(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_params);
-int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs,
+int tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key);
+int tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
     int *decode_error, int *invalid_key);
 int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len);
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index cf7b1da262..9e04cb7b75 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_key_share.c,v 1.8 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.10 2026/01/01 12:47:52 tb Exp $ */
 /*
  * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
  *
@@ -21,6 +21,7 @@
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include <openssl/mlkem.h>
 
 #include "bytestring.h"
 #include "ssl_local.h"
@@ -40,6 +41,19 @@ struct tls_key_share {
         uint8_t *x25519_public;
         uint8_t *x25519_private;
         uint8_t *x25519_peer_public;
+
+        uint8_t *mlkem_public;
+        size_t mlkem_public_len;
+        MLKEM_private_key *mlkem_private;
+        MLKEM_public_key *mlkem_peer_public;
+
+        /* The ciphertext from MLKEM_encap. */
+        uint8_t *mlkem_encap;
+        size_t mlkem_encap_len;
+
+        /* The shared secret from an ML-KEM encapsulation. */
+        uint8_t *mlkem_shared_secret;
+        size_t mlkem_shared_secret_len;
 };
 
 static struct tls_key_share *
@@ -96,6 +110,12 @@ tls_key_share_free(struct tls_key_share *ks)
         freezero(ks->x25519_private, X25519_KEY_LENGTH);
         freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
 
+        freezero(ks->mlkem_public, ks->mlkem_public_len);
+        MLKEM_private_key_free(ks->mlkem_private);
+        MLKEM_public_key_free(ks->mlkem_peer_public);
+        freezero(ks->mlkem_encap, ks->mlkem_encap_len);
+        freezero(ks->mlkem_shared_secret, ks->mlkem_shared_secret_len);
+
         freezero(ks, sizeof(*ks));
 }
 
@@ -230,7 +250,73 @@ tls_key_share_generate_x25519(struct tls_key_share *ks)
         return ret;
 }
 
-int
+static int
+tls_key_share_generate_mlkem(struct tls_key_share *ks, int rank)
+{
+        MLKEM_private_key *private = NULL;
+        uint8_t *public = NULL;
+        size_t p_len = 0;
+        int ret = 0;
+
+        if (ks->mlkem_public != NULL || ks->mlkem_private != NULL)
+                goto err;
+
+        if ((private = MLKEM_private_key_new(rank)) == NULL)
+                goto err;
+
+        if (!MLKEM_generate_key(private, &public, &p_len, NULL, NULL))
+                goto err;
+
+        ks->mlkem_public = public;
+        ks->mlkem_public_len = p_len;
+        ks->mlkem_private = private;
+        public = NULL;
+        private = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(public, p_len);
+        MLKEM_private_key_free(private);
+
+        return ret;
+}
+
+static int
+tls_key_share_client_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (!tls_key_share_generate_mlkem(ks, MLKEM768_RANK))
+                return 0;
+
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+
+        return 1;
+}
+
+static int
+tls_key_share_server_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (ks->mlkem_private != NULL)
+                return 0;
+
+        /* The server side needs the client's parsed share */
+
+        if (ks->x25519_peer_public == NULL)
+                return 0;
+
+        if (ks->mlkem_peer_public == NULL)
+                return 0;
+
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+
+        return MLKEM_encap(ks->mlkem_peer_public, &ks->mlkem_encap,
+            &ks->mlkem_encap_len, &ks->mlkem_shared_secret,
+            &ks->mlkem_shared_secret_len);
+}
+
+static int
 tls_key_share_generate(struct tls_key_share *ks)
 {
         if (ks->nid == NID_dhKeyAgreement)
@@ -242,6 +328,24 @@ tls_key_share_generate(struct tls_key_share *ks)
         return tls_key_share_generate_ecdhe_ecp(ks);
 }
 
+int
+tls_key_share_client_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_generate_mlkem768x25519(ks);
+
+        return tls_key_share_generate(ks);
+}
+
+int
+tls_key_share_server_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_generate_mlkem768x25519(ks);
+
+        return tls_key_share_generate(ks);
+}
+
 static int
 tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
 {
@@ -287,6 +391,47 @@ tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb)
         return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
 }
 
+static int
+tls_key_share_public_mlkem768x25519(struct tls_key_share *ks, CBB *cbb)
+{
+        uint8_t *mlkem_part;
+        size_t mlkem_part_len;
+
+        if (ks->x25519_public == NULL)
+                return 0;
+
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.2:
+         * The server's key exchange value is the concatenation of an
+         * ML-KEM ciphertext returned from encapsulation to the client's
+         * encapsulation key, and the server's ephemeral X25519 share.
+         */
+        mlkem_part = ks->mlkem_encap;
+        mlkem_part_len = ks->mlkem_encap_len;
+
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.1:
+         * The client's key_exchange value is the concatenation of the
+         * client's ML-KEM-768 encapsulation key and the client's X25519
+         * ephemeral share.
+         */
+        if (mlkem_part == NULL) {
+                mlkem_part = ks->mlkem_public;
+                mlkem_part_len = ks->mlkem_public_len;
+        }
+
+        if (mlkem_part == NULL)
+                return 0;
+
+        if (!CBB_add_bytes(cbb, mlkem_part, mlkem_part_len))
+                return 0;
+
+        /* Both the client and server send their x25519 public keys. */
+        return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
+}
+
 int
 tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
 {
@@ -296,6 +441,9 @@ tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
         if (ks->nid == NID_X25519)
                 return tls_key_share_public_x25519(ks, cbb);
 
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_public_mlkem768x25519(ks, cbb);
+
         return tls_key_share_public_ecdhe_ecp(ks, cbb);
 }
 
@@ -325,7 +473,7 @@ tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
                 return 0;
 
         return tls_key_share_peer_params_dhe(ks, cbs, decode_error,
-             invalid_params);
+            invalid_params);
 }
 
 static int
@@ -383,7 +531,91 @@ tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs,
         return CBS_stow(cbs, &ks->x25519_peer_public, &out_len);
 }
 
-int
+static int
+tls_key_share_client_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem_ciphertext_cbs;
+        size_t out_len;
+
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+
+        if (ks->mlkem_private == NULL)
+                return 0;
+
+        if (!CBS_get_bytes(cbs, &mlkem_ciphertext_cbs,
+            MLKEM_private_key_ciphertext_length(ks->mlkem_private)))
+                return 0;
+
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                return 0;
+
+        if (CBS_len(cbs) != 0)
+                return 0;
+
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                return 0;
+
+        if (!CBS_stow(&mlkem_ciphertext_cbs, &ks->mlkem_encap, &ks->mlkem_encap_len))
+                return 0;
+
+        return 1;
+}
+
+static int
+tls_key_share_server_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem768_cbs;
+        size_t out_len;
+
+        *decode_error = 0;
+
+        /* The server should not have an mlkem private key */
+        if (ks->mlkem_private != NULL)
+                return 0;
+
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+
+        if (ks->mlkem_peer_public != NULL)
+                return 0;
+
+        if (ks->x25519_peer_public != NULL)
+                return 0;
+
+        /* Nein, ist nur normal (1024 ist gigantisch) */
+        if ((ks->mlkem_peer_public = MLKEM_public_key_new(MLKEM768_RANK)) == NULL)
+                goto err;
+
+        if (!CBS_get_bytes(cbs, &mlkem768_cbs,
+            MLKEM_public_key_encoded_length(ks->mlkem_peer_public)))
+                goto err;
+
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                goto err;
+
+        if (CBS_len(cbs) != 0)
+                goto err;
+
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                goto err;
+
+        /* Poetische */
+        if (!MLKEM_parse_public_key(ks->mlkem_peer_public,
+            CBS_data(&mlkem768_cbs), CBS_len(&mlkem768_cbs)))
+                goto err;
+
+        return 1;
+
+ err:
+        *decode_error = 1;
+
+        return 0;
+}
+
+static int
 tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
     int *invalid_key)
 {
@@ -402,6 +634,30 @@ tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
         return tls_key_share_peer_public_ecdhe_ecp(ks, cbs);
 }
 
+/* Called from client to process a server peer */
+int
+tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+
+/* Called from server to process a client peer */
+int
+tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+
 static int
 tls_key_share_derive_dhe(struct tls_key_share *ks,
     uint8_t **shared_key, size_t *shared_key_len)
@@ -451,6 +707,65 @@ tls_key_share_derive_x25519(struct tls_key_share *ks,
         return ret;
 }
 
+/*
+ * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+ * Section 3.1.3:
+ * For X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
+ * shared secret and the X25519 shared secret.
+ */
+static int
+tls_key_share_derive_mlkem768x25519(struct tls_key_share *ks,
+    uint8_t **out_shared_key, size_t *out_shared_key_len)
+{
+        uint8_t *x25519_shared_key;
+        CBB cbb;
+
+        memset(&cbb, 0, sizeof(cbb));
+
+        if (ks->x25519_private == NULL)
+                goto err;
+
+        if (ks->x25519_peer_public == NULL)
+                goto err;
+
+        if (ks->mlkem_shared_secret == NULL) {
+                if (ks->mlkem_private == NULL)
+                        goto err;
+
+                if (ks->mlkem_encap == NULL)
+                        goto err;
+
+                if (!MLKEM_decap(ks->mlkem_private, ks->mlkem_encap,
+                    MLKEM_private_key_ciphertext_length(ks->mlkem_private),
+                    &ks->mlkem_shared_secret, &ks->mlkem_shared_secret_len))
+                        goto err;
+        }
+
+        if (!CBB_init(&cbb,  ks->mlkem_shared_secret_len + X25519_KEY_LENGTH))
+                goto err;
+
+        if (!CBB_add_bytes(&cbb, ks->mlkem_shared_secret,
+            ks->mlkem_shared_secret_len))
+                goto err;
+
+        if (!CBB_add_space(&cbb, &x25519_shared_key, X25519_KEY_LENGTH))
+                goto err;
+
+        if (!X25519(x25519_shared_key, ks->x25519_private,
+            ks->x25519_peer_public))
+                goto err;
+
+        if (!CBB_finish(&cbb, out_shared_key, out_shared_key_len))
+                goto err;
+
+        return 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return 0;
+}
+
 int
 tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
     size_t *shared_key_len)
@@ -468,6 +783,10 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
                 return tls_key_share_derive_x25519(ks, shared_key,
                     shared_key_len);
 
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_derive_mlkem768x25519(ks, shared_key,
+                    shared_key_len);
+
         return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
             shared_key_len);
 }