Fix nits in pod files.

Add doc-nit-check to help find future issues.
Make podchecker be almost clean.
Remove trailing whitespace.
Tab expansion

Reviewed-by: Richard Levitte <levitte@openssl.org>
diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod
index be56e0a..a84083a 100644
--- a/doc/apps/CA.pl.pod
+++ b/doc/apps/CA.pl.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -103,7 +102,7 @@
 =item B<-verify>
 
 verifies certificates against the CA certificate for "demoCA". If no certificates
-are specified on the command line it tries to verify the file "newcert.pem". 
+are specified on the command line it tries to verify the file "newcert.pem".
 
 =item B<files>
 
@@ -148,7 +147,7 @@
 Create a DSA certificate request and private key (a different set of parameters
 can optionally be created first):
 
- openssl req -out newreq.pem -newkey dsa:dsap.pem 
+ openssl req -out newreq.pem -newkey dsa:dsap.pem
 
 Sign the request:
 
@@ -169,7 +168,7 @@
 
  perl -S CA.pl
 
-can be used and the B<OPENSSL_CONF> environment variable changed to point to 
+can be used and the B<OPENSSL_CONF> environment variable changed to point to
 the correct path of the configuration file "openssl.cnf".
 
 The script is intended as a simple front end for the B<openssl> program for use
diff --git a/doc/apps/asn1parse.pod b/doc/apps/asn1parse.pod
index cd30797..e231a93 100644
--- a/doc/apps/asn1parse.pod
+++ b/doc/apps/asn1parse.pod
@@ -92,7 +92,7 @@
 present then the string is obtained from the default section using the name
 B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
 though it came from a file, the contents can thus be examined and written to a
-file using the B<out> option. 
+file using the B<out> option.
 
 =item B<-strictpem>
 
@@ -108,20 +108,20 @@
 
 The output will typically contain lines like this:
 
-  0:d=0  hl=4 l= 681 cons: SEQUENCE          
+  0:d=0  hl=4 l= 681 cons: SEQUENCE
 
 .....
 
   229:d=3  hl=3 l= 141 prim: BIT STRING
-  373:d=2  hl=3 l= 162 cons: cont [ 3 ]        
-  376:d=3  hl=3 l= 159 cons: SEQUENCE          
-  379:d=4  hl=2 l=  29 cons: SEQUENCE          
+  373:d=2  hl=3 l= 162 cons: cont [ 3 ]
+  376:d=3  hl=3 l= 159 cons: SEQUENCE
+  379:d=4  hl=2 l=  29 cons: SEQUENCE
   381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
-  386:d=5  hl=2 l=  22 prim: OCTET STRING      
-  410:d=4  hl=2 l= 112 cons: SEQUENCE          
+  386:d=5  hl=2 l=  22 prim: OCTET STRING
+  410:d=4  hl=2 l= 112 cons: SEQUENCE
   412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
-  417:d=5  hl=2 l= 105 prim: OCTET STRING      
-  524:d=4  hl=2 l=  12 cons: SEQUENCE          
+  417:d=5  hl=2 l= 105 prim: OCTET STRING
+  524:d=4  hl=2 l=  12 cons: SEQUENCE
 
 .....
 
@@ -133,27 +133,27 @@
 
 The B<-i> option can be used to make the output more readable.
 
-Some knowledge of the ASN.1 structure is needed to interpret the output. 
+Some knowledge of the ASN.1 structure is needed to interpret the output.
 
 In this example the BIT STRING at offset 229 is the certificate public key.
 The contents octets of this will contain the public key information. This can
 be examined using the option B<-strparse 229> to yield:
 
-    0:d=0  hl=3 l= 137 cons: SEQUENCE          
+    0:d=0  hl=3 l= 137 cons: SEQUENCE
     3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
   135:d=1  hl=2 l=   3 prim: INTEGER           :010001
 
 =head1 NOTES
 
 If an OID is not part of OpenSSL's internal table it will be represented in
-numerical form (for example 1.2.3.4). The file passed to the B<-oid> option 
+numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
 allows additional OIDs to be included. Each line consists of three columns,
 the first column is the OID in numerical format and should be followed by white
 space. The second column is the "short name" which is a single word followed
 by white space. The final column is the rest of the line and is the
 "long name". B<asn1parse> displays the long name. Example:
 
-C<1.2.3.4	shortName	A long name>
+C<1.2.3.4       shortName       A long name>
 
 =head1 EXAMPLES
 
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 6c29485..de3744e 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -101,7 +100,7 @@
 =item B<-infiles>
 
 if present this should be the last option, all subsequent arguments
-are taken as the names of files containing certificate requests. 
+are taken as the names of files containing certificate requests.
 
 =item B<-out filename>
 
@@ -195,7 +194,7 @@
 =item B<-preserveDN>
 
 Normally the DN order of a certificate is the same as the order of the
-fields in the relevant policy section. When this option is set the order 
+fields in the relevant policy section. When this option is set the order
 is the same as the request. This is largely for compatibility with the
 older IE enrollment control which would only accept certificates if their
 DNs match the order of the request. This is not needed for Xenroll.
@@ -245,7 +244,7 @@
 
 =item B<-utf8>
 
-this option causes field values to be interpreted as UTF8 strings, by 
+this option causes field values to be interpreted as UTF8 strings, by
 default they are interpreted as ASCII. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
@@ -366,7 +365,7 @@
 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
-by white space and finally the long name. 
+by white space and finally the long name.
 
 =item B<oid_section>
 
@@ -398,7 +397,7 @@
 =item B<default_days>
 
 the same as the B<-days> option. The number of days to certify
-a certificate for. 
+a certificate for.
 
 =item B<default_startdate>
 
@@ -521,7 +520,7 @@
 
 The input to the B<-spkac> command line option is a Netscape
 signed public key and challenge. This will usually come from
-the B<KEYGEN> tag in an HTML form to create a new private key. 
+the B<KEYGEN> tag in an HTML form to create a new private key.
 It is however possible to create SPKACs using the B<spkac> utility.
 
 The file should contain the variable SPKAC set to the value of
@@ -581,18 +580,18 @@
 
  [ ca ]
  default_ca      = CA_default            # The default ca section
- 
+
  [ CA_default ]
 
  dir            = ./demoCA              # top dir
  database       = $dir/index.txt        # index file.
- new_certs_dir	= $dir/newcerts         # new certs dir
- 
+ new_certs_dir  = $dir/newcerts         # new certs dir
+
  certificate    = $dir/cacert.pem       # The CA cert
  serial         = $dir/serial           # serial no file
  private_key    = $dir/private/cakey.pem# CA private key
  RANDFILE       = $dir/private/.rand    # random number file
- 
+
  default_days   = 365                   # how long to certify for
  default_crl_days= 30                   # how long before next CRL
  default_md     = md5                   # md to use
@@ -600,9 +599,9 @@
  policy         = policy_any            # default policy
  email_in_dn    = no                    # Don't add the email into cert DN
 
- name_opt	= ca_default		# Subject name display option
- cert_opt	= ca_default		# Certificate display option
- copy_extensions = none			# Don't copy extensions from request
+ name_opt       = ca_default            # Subject name display option
+ cert_opt       = ca_default            # Certificate display option
+ copy_extensions = none                 # Don't copy extensions from request
 
  [ policy_any ]
  countryName            = supplied
@@ -636,7 +635,7 @@
 
 =head1 RESTRICTIONS
 
-The text database index file is a critical part of the process and 
+The text database index file is a critical part of the process and
 if corrupted it can be difficult to fix. It is theoretically possible
 to rebuild the index file from all the issued certificates and a current
 CRL: however there is no option to do this.
@@ -704,7 +703,7 @@
 =head1 SEE ALSO
 
 L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
-L<config(5)>, L<x509v3_config(5)> 
+L<config(5)>, L<x509v3_config(5)>
 
 =cut
 
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index 4876ef1..2552f22 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -186,13 +186,13 @@
 
 =item B<-sign_receipt>
 
-Generate and output a signed receipt for the supplied message. The input 
+Generate and output a signed receipt for the supplied message. The input
 message B<must> contain a signed receipt request. Functionality is otherwise
 similar to the B<-sign> operation.
 
 =item B<-verify_receipt receipt>
 
-Verify a signed receipt in filename B<receipt>. The input message B<must> 
+Verify a signed receipt in filename B<receipt>. The input message B<must>
 contain the original receipt request. Functionality is otherwise similar
 to the B<-verify> operation.
 
@@ -256,7 +256,7 @@
 
 this option adds plain text (text/plain) MIME headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME 
+off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
 
 =item B<-noout>
@@ -298,11 +298,11 @@
 
 the encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
 or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for 
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for a list of ciphers
 supported by your version of OpenSSL.
 
-If not specified triple DES is used. Only used with B<-encrypt> and 
+If not specified triple DES is used. Only used with B<-encrypt> and
 B<-EncryptedData_create> commands.
 
 =item B<-nointern>
@@ -408,7 +408,7 @@
 
 =item B<-receipt_request_to emailaddress>
 
-Add an explicit email address where signed receipts should be sent to. This 
+Add an explicit email address where signed receipts should be sent to. This
 option B<must> but supplied if a signed receipt it requested.
 
 =item B<-receipt_request_print>
@@ -436,7 +436,7 @@
 
 set the encapsulated content type to B<type> if not supplied the B<Data> type
 is used. The B<type> argument can be any valid OID name in either text or
-numerical format. 
+numerical format.
 
 =item B<-inkey file>
 
@@ -469,7 +469,7 @@
 =item B<cert.pem...>
 
 one or more certificates of message recipients: used when encrypting
-a message. 
+a message.
 
 =item B<-to, -from, -subject>
 
@@ -534,7 +534,7 @@
 in turn using the supplied private key. To thwart the MMA attack
 (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
 tried whether they succeed or not and if no recipients match the message
-is "decrypted" using a random key which will typically output garbage. 
+is "decrypted" using a random key which will typically output garbage.
 The B<-debug_decrypt> option can be used to disable the MMA attack protection
 and return an error if no recipient can be found: this option should be used
 with caution. For a fuller description see L<CMS_decrypt(3)>).
@@ -598,29 +598,29 @@
 Create a cleartext signed message:
 
  openssl cms -sign -in message.txt -text -out mail.msg \
-	-signer mycert.pem
+        -signer mycert.pem
 
 Create an opaque signed message
 
  openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
-	-signer mycert.pem
+        -signer mycert.pem
 
 Create a signed message, include some additional certificates and
 read the private key from another file:
 
  openssl cms -sign -in in.txt -text -out mail.msg \
-	-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
 
 Create a signed message with two signers, use key identifier:
 
  openssl cms -sign -in message.txt -text -out mail.msg \
-	-signer mycert.pem -signer othercert.pem -keyid
+        -signer mycert.pem -signer othercert.pem -keyid
 
 Send a signed message under Unix directly to sendmail, including headers:
 
  openssl cms -sign -in in.txt -text -signer mycert.pem \
-	-from steve@openssl.org -to someone@somewhere \
-	-subject "Signed message" | sendmail someone@somewhere
+        -from steve@openssl.org -to someone@somewhere \
+        -subject "Signed message" | sendmail someone@somewhere
 
 Verify a message and extract the signer's certificate if successful:
 
@@ -629,15 +629,15 @@
 Send encrypted mail using triple DES:
 
  openssl cms -encrypt -in in.txt -from steve@openssl.org \
-	-to someone@somewhere -subject "Encrypted message" \
-	-des3 user.pem -out mail.msg
+        -to someone@somewhere -subject "Encrypted message" \
+        -des3 user.pem -out mail.msg
 
 Sign and encrypt mail:
 
  openssl cms -sign -in ml.txt -signer my.pem -text \
-	| openssl cms -encrypt -out mail.msg \
-	-from steve@openssl.org -to someone@somewhere \
-	-subject "Signed and Encrypted message" -des3 user.pem
+        | openssl cms -encrypt -out mail.msg \
+        -from steve@openssl.org -to someone@somewhere \
+        -subject "Signed and Encrypted message" -des3 user.pem
 
 Note: the encryption command does not include the B<-text> option because the
 message being encrypted already has MIME headers.
@@ -654,7 +654,7 @@
  -----BEGIN PKCS7-----
  -----END PKCS7-----
 
-and using the command, 
+and using the command,
 
  openssl cms -verify -inform PEM -in signature.pem -content content.txt
 
@@ -673,17 +673,17 @@
 Sign mail using RSA-PSS:
 
  openssl cms -sign -in message.txt -text -out mail.msg \
-	-signer mycert.pem -keyopt rsa_padding_mode:pss
+        -signer mycert.pem -keyopt rsa_padding_mode:pss
 
 Create encrypted mail using RSA-OAEP:
 
  openssl cms -encrypt -in plain.txt -out mail.msg \
-	-recip cert.pem -keyopt rsa_padding_mode:oaep
+        -recip cert.pem -keyopt rsa_padding_mode:oaep
 
 Use SHA256 KDF with an ECDH certificate:
 
  openssl cms -encrypt -in plain.txt -out mail.msg \
-	-recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
+        -recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
 
 =head1 BUGS
 
@@ -715,7 +715,7 @@
 The use of B<-recip> to specify the recipient when encrypting mail was first
 added to OpenSSL 1.1.0
 
-Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. 
+Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0.
 
 The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
 to OpenSSL 1.1.0.
diff --git a/doc/apps/config.pod b/doc/apps/config.pod
index baa886b..499bc9e 100644
--- a/doc/apps/config.pod
+++ b/doc/apps/config.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =for comment openssl_manual_section:5
@@ -63,14 +62,14 @@
 unless an option is used in the sub command to use an alternative configuration
 file.
 
-To enable library configuration the default section needs to contain an 
+To enable library configuration the default section needs to contain an
 appropriate line which points to the main configuration section. The default
 name is B<openssl_conf> which is used by the B<openssl> utility. Other
 applications may use an alternative name such as B<myapplicaton_conf>.
 
 The configuration section should consist of a set of name value pairs which
 contain specific module configuration information. The B<name> represents
-the name of the I<configuration module> the meaning of the B<value> is 
+the name of the I<configuration module> the meaning of the B<value> is
 module specific: it may, for example, represent a further configuration
 section containing configuration module specific information. E.g.
 
@@ -102,7 +101,7 @@
 as any compliant applications. For example:
 
  [new_oids]
- 
+
  some_new_oid = 1.2.3.4
  some_other_oid = 1.2.3.5
 
@@ -141,7 +140,7 @@
  [bar_section]
  ... "bar" ENGINE specific commands ...
 
-The command B<engine_id> is used to give the ENGINE name. If used this 
+The command B<engine_id> is used to give the ENGINE name. If used this
 command must be first. For example:
 
  [engine_section]
@@ -168,7 +167,7 @@
 supply using the functions ENGINE_set_default_string().
 
 If the name matches none of the above command names it is assumed to be a
-ctrl command which is sent to the ENGINE. The value of the command is the 
+ctrl command which is sent to the ENGINE. The value of the command is the
 argument to the ctrl command. If the value is the string B<EMPTY> then no
 value is sent to the command.
 
@@ -266,7 +265,7 @@
 mentioned above.
 
  # This is the default section.
- 
+
  HOME=/temp
  RANDFILE= ${ENV::HOME}/.rnd
  configdir=$ENV::HOME/config
@@ -296,7 +295,7 @@
 set to any value at all. If you just include the environment variable
 names and the variable doesn't exist then this will cause an error when
 an attempt is made to load the configuration file. By making use of the
-default section both values can be looked up with B<TEMP> taking 
+default section both values can be looked up with B<TEMP> taking
 priority and B</tmp> used if neither is defined:
 
  TMP=/tmp
diff --git a/doc/apps/crl.pod b/doc/apps/crl.pod
index bb1092c..cb5969a 100644
--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -42,7 +42,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
diff --git a/doc/apps/crl2pkcs7.pod b/doc/apps/crl2pkcs7.pod
index f329402..26ec889 100644
--- a/doc/apps/crl2pkcs7.pod
+++ b/doc/apps/crl2pkcs7.pod
@@ -74,8 +74,8 @@
 Creates a PKCS#7 structure in DER format with no CRL from several
 different certificates:
 
- openssl crl2pkcs7 -nocrl -certfile newcert.pem 
-	-certfile demoCA/cacert.pem -outform DER -out p7.der
+ openssl crl2pkcs7 -nocrl -certfile newcert.pem
+        -certfile demoCA/cacert.pem -outform DER -out p7.der
 
 =head1 NOTES
 
diff --git a/doc/apps/dgst.pod b/doc/apps/dgst.pod
index ce26a56..75b8ad9 100644
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -156,7 +156,7 @@
 generator, or an EGD socket (see L<RAND_egd(3)>).
 Multiple files can be specified separated by an OS-dependent character.
 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
-all others. 
+all others.
 
 =item B<-fips-fingerprint>
 
diff --git a/doc/apps/dhparam.pod b/doc/apps/dhparam.pod
index b72ca7e..771ef1b 100644
--- a/doc/apps/dhparam.pod
+++ b/doc/apps/dhparam.pod
@@ -44,7 +44,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in> I<filename>
@@ -123,7 +123,7 @@
 
 The program B<dhparam> combines the functionality of the programs B<dh> and
 B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh>
-programs are retained for now but may have different purposes in future 
+programs are retained for now but may have different purposes in future
 versions of OpenSSL.
 
 =head1 NOTES
diff --git a/doc/apps/dsa.pod b/doc/apps/dsa.pod
index 1f0e5dd..3a244cf 100644
--- a/doc/apps/dsa.pod
+++ b/doc/apps/dsa.pod
@@ -59,7 +59,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -149,7 +149,7 @@
 
  openssl dsa -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl dsa -in key.pem -outform DER -out keyout.der
 
diff --git a/doc/apps/dsaparam.pod b/doc/apps/dsaparam.pod
index 0a3727a..753f3b1 100644
--- a/doc/apps/dsaparam.pod
+++ b/doc/apps/dsaparam.pod
@@ -41,7 +41,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
diff --git a/doc/apps/ec.pod b/doc/apps/ec.pod
index 738b718..c1b6bb0 100644
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -31,7 +31,7 @@
 =head1 DESCRIPTION
 
 The B<ec> command processes EC keys. They can be converted between various
-forms and their components printed out. B<Note> OpenSSL uses the 
+forms and their components printed out. B<Note> OpenSSL uses the
 private key format specified in 'SEC 1: Elliptic Curve Cryptography'
 (http://www.secg.org/). To convert an OpenSSL EC private key into the
 PKCS#8 private key format use the B<pkcs8> command.
@@ -55,7 +55,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -83,7 +83,7 @@
 
 =item B<-des|-des3|-idea>
 
-These options encrypt the private key with the DES, triple DES, IDEA or 
+These options encrypt the private key with the DES, triple DES, IDEA or
 any other cipher supported by OpenSSL before outputting it. A pass phrase is
 prompted for.
 If none of these options is specified the key is written in plain text. This
@@ -130,7 +130,7 @@
 This specifies how the elliptic curve parameters are encoded.
 Possible value are: B<named_curve>, i.e. the ec parameters are
 specified by an OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the 
+explicitly given (see RFC 3279 for the definition of the
 EC parameters structures). The default value is B<named_curve>.
 B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
 is currently not implemented in OpenSSL.
@@ -170,7 +170,7 @@
 
  openssl ec -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl ec -in key.pem -outform DER -out keyout.der
 
diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index fb0181f..a41e005 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -41,12 +41,12 @@
 
 This specifies the input format. The B<DER> option uses an ASN.1 DER encoded
 form compatible with RFC 3279 EcpkParameters. The PEM form is the default
-format: it consists of the B<DER> format base64 encoded with additional 
+format: it consists of the B<DER> format base64 encoded with additional
 header and footer lines.
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -102,7 +102,7 @@
 This specifies how the elliptic curve parameters are encoded.
 Possible value are: B<named_curve>, i.e. the ec parameters are
 specified by an OID, or B<explicit> where the ec parameters are
-explicitly given (see RFC 3279 for the definition of the 
+explicitly given (see RFC 3279 for the definition of the
 EC parameters structures). The default value is B<named_curve>.
 B<Note> the B<implicitlyCA> alternative ,as specified in RFC 3279,
 is currently not implemented in OpenSSL.
@@ -141,7 +141,7 @@
  -----END EC PARAMETERS-----
 
 OpenSSL is currently not able to generate new groups and therefore
-B<ecparam> can only create EC parameters from known (named) curves. 
+B<ecparam> can only create EC parameters from known (named) curves.
 
 =head1 EXAMPLES
 
diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod
index 3b58aeb..7abd980 100644
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -257,7 +257,7 @@
  desx               DESX algorithm.
 
  gost89             GOST 28147-89 in CFB mode (provided by ccgost engine)
- gost89-cnt        `GOST 28147-89 in CNT mode (provided by ccgost engine) 
+ gost89-cnt        `GOST 28147-89 in CNT mode (provided by ccgost engine)
 
  idea-cbc           IDEA algorithm in CBC mode
  idea               same as idea-cbc
@@ -283,13 +283,13 @@
  rc5-ecb            RC5 cipher in ECB mode
  rc5-ofb            RC5 cipher in OFB mode
 
- aes-[128|192|256]-cbc	128/192/256 bit AES in CBC mode
- aes[128|192|256]	Alias for aes-[128|192|256]-cbc
- aes-[128|192|256]-cfb	128/192/256 bit AES in 128 bit CFB mode
- aes-[128|192|256]-cfb1	128/192/256 bit AES in 1 bit CFB mode
- aes-[128|192|256]-cfb8	128/192/256 bit AES in 8 bit CFB mode
- aes-[128|192|256]-ecb	128/192/256 bit AES in ECB mode
- aes-[128|192|256]-ofb	128/192/256 bit AES in OFB mode
+ aes-[128|192|256]-cbc  128/192/256 bit AES in CBC mode
+ aes[128|192|256]       Alias for aes-[128|192|256]-cbc
+ aes-[128|192|256]-cfb  128/192/256 bit AES in 128 bit CFB mode
+ aes-[128|192|256]-cfb1 128/192/256 bit AES in 1 bit CFB mode
+ aes-[128|192|256]-cfb8 128/192/256 bit AES in 8 bit CFB mode
+ aes-[128|192|256]-ecb  128/192/256 bit AES in ECB mode
+ aes-[128|192|256]-ofb  128/192/256 bit AES in OFB mode
 
 =head1 EXAMPLES
 
@@ -299,11 +299,11 @@
 
 Decode the same file
 
- openssl base64 -d -in file.b64 -out file.bin 
+ openssl base64 -d -in file.b64 -out file.bin
 
 Encrypt a file using triple DES in CBC mode using a prompted password:
 
- openssl des3 -salt -in file.txt -out file.des3 
+ openssl des3 -salt -in file.txt -out file.des3
 
 Decrypt a file using a supplied password:
 
diff --git a/doc/apps/engine.pod b/doc/apps/engine.pod
index 59c4234..32274df 100644
--- a/doc/apps/engine.pod
+++ b/doc/apps/engine.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -52,6 +51,7 @@
 Displays an error trace for any unavailable engine.
 
 =item B<-pre> I<command>
+
 =item B<-post> I<command>
 
 Command-line configuration of engines.
diff --git a/doc/apps/errstr.pod b/doc/apps/errstr.pod
index 4349de1..fea95f8 100644
--- a/doc/apps/errstr.pod
+++ b/doc/apps/errstr.pod
@@ -11,7 +11,7 @@
 =head1 DESCRIPTION
 
 Sometimes an application will not load error message and only
-numerical forms will be available. The B<errstr> utility can be used to 
+numerical forms will be available. The B<errstr> utility can be used to
 display the meaning of the hex code. The hex code is the hex digits after the
 second colon.
 
@@ -22,7 +22,7 @@
  27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
 
 can be displayed with:
- 
+
  openssl errstr 2006D080
 
 to produce the error message:
diff --git a/doc/apps/genpkey.pod b/doc/apps/genpkey.pod
index 204ab2a..5d61b73 100644
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -213,12 +213,12 @@
 Generate a 2048 bit RSA key using 3 as the public exponent:
 
  openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048 \
- 						-pkeyopt rsa_keygen_pubexp:3
+                                                -pkeyopt rsa_keygen_pubexp:3
 
 Generate 1024 bit DSA parameters:
 
  openssl genpkey -genparam -algorithm DSA -out dsap.pem \
-						-pkeyopt dsa_paramgen_bits:1024
+                                                -pkeyopt dsa_paramgen_bits:1024
 
 Generate DSA key from parameters:
 
@@ -227,7 +227,7 @@
 Generate 1024 bit DH parameters:
 
  openssl genpkey -genparam -algorithm DH -out dhp.pem \
-					-pkeyopt dh_paramgen_prime_len:1024
+                                        -pkeyopt dh_paramgen_prime_len:1024
 
 Output RFC5114 2048 bit DH parameters with 224 bit subgroup:
 
@@ -240,8 +240,8 @@
 Generate EC parameters:
 
  openssl genpkey -genparam -algorithm EC -out ecp.pem \
-	-pkeyopt ec_paramgen_curve:secp384r1 \
-	-pkeyopt ec_param_enc:named_curve
+        -pkeyopt ec_paramgen_curve:secp384r1 \
+        -pkeyopt ec_param_enc:named_curve
 
 Generate EC key from parameters:
 
@@ -250,8 +250,8 @@
 Generate EC key directly:
 
  openssl genpkey -algorithm EC -out eckey.pem \
-	-pkeyopt ec_paramgen_curve:P-384 \
-	-pkeyopt ec_param_enc:named_curve
+        -pkeyopt ec_paramgen_curve:P-384 \
+        -pkeyopt ec_param_enc:named_curve
 
 =head1 HISTORY
 
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 1d50d4b..6004794 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -337,13 +337,13 @@
 
 =item B<-nrequest number>
 
-The OCSP server will exit after receiving B<number> requests, default unlimited. 
+The OCSP server will exit after receiving B<number> requests, default unlimited.
 
 =item B<-nmin minutes>, B<-ndays days>
 
 Number of minutes or days when fresh revocation information is available: used in the
-B<nextUpdate> field. If neither option is present then the B<nextUpdate> field is 
-omitted meaning fresh revocation information is immediately available.
+B<nextUpdate> field. If neither option is present then the B<nextUpdate> field
+is omitted meaning fresh revocation information is immediately available.
 
 =back
 
@@ -413,7 +413,7 @@
 
  openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der
 
-Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the 
+Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the
 response to a file, print it out in text form, and verify the response:
 
  openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \
@@ -427,7 +427,7 @@
 responder certificate. All requests and responses are printed to a file.
 
  openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem
-	-text -out log.txt
+        -text -out log.txt
 
 As above but exit after processing one request:
 
diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod
index a3bb8f0..46d0bb1 100644
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
diff --git a/doc/apps/pkcs12.pod b/doc/apps/pkcs12.pod
index f64669c..012d09c 100644
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -337,7 +336,7 @@
  openssl pkcs12 -in file.p12 -clcerts -out file.pem
 
 Don't encrypt the private key:
- 
+
  openssl pkcs12 -in file.p12 -out file.pem -nodes
 
 Print some info about a PKCS#12 file:
diff --git a/doc/apps/pkcs7.pod b/doc/apps/pkcs7.pod
index 81354e2..abbcab2 100644
--- a/doc/apps/pkcs7.pod
+++ b/doc/apps/pkcs7.pod
@@ -37,7 +37,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -100,7 +100,7 @@
 
 There is no option to print out all the fields of a PKCS#7 file.
 
-This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they 
+This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in RFC2315 they
 cannot currently parse, for example, the new CMS as described in RFC2630.
 
 =head1 SEE ALSO
diff --git a/doc/apps/pkey.pod b/doc/apps/pkey.pod
index ddc2b58..fd564c4 100644
--- a/doc/apps/pkey.pod
+++ b/doc/apps/pkey.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -42,7 +41,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -76,7 +75,7 @@
 =item B<-text>
 
 prints out the various public or private key components in
-plain text in addition to the encoded version. 
+plain text in addition to the encoded version.
 
 =item B<-text_pub>
 
@@ -116,7 +115,7 @@
 
  openssl pkey -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl pkey -in key.pem -outform DER -out keyout.der
 
@@ -135,7 +134,7 @@
 =head1 SEE ALSO
 
 L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>,
-L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> 
+L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
 
 =cut
 
diff --git a/doc/apps/pkeyparam.pod b/doc/apps/pkeyparam.pod
index 153871d..7472de0 100644
--- a/doc/apps/pkeyparam.pod
+++ b/doc/apps/pkeyparam.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -40,7 +39,7 @@
 
 =item B<-text>
 
-prints out the parameters in plain text in addition to the encoded version. 
+prints out the parameters in plain text in addition to the encoded version.
 
 =item B<-noout>
 
@@ -69,7 +68,7 @@
 =head1 SEE ALSO
 
 L<genpkey(1)>, L<rsa(1)>, L<pkcs8(1)>,
-L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> 
+L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)>
 
 =cut
 
diff --git a/doc/apps/pkeyutl.pod b/doc/apps/pkeyutl.pod
index e937a87..73818db 100644
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -84,11 +84,11 @@
 
 =item B<-pubin>
 
-the input file is a public key. 
+the input file is a public key.
 
 =item B<-certin>
 
-the input is a certificate containing a public key. 
+the input is a certificate containing a public key.
 
 =item B<-rev>
 
@@ -198,7 +198,7 @@
 PKCS#1 padding, B<sslv23> for SSLv23 padding, B<none> for no padding, B<oaep>
 for B<OAEP> mode, B<x931> for X9.31 mode and B<pss> for PSS.
 
-In PKCS#1 padding if the message digest is not set then the supplied data is 
+In PKCS#1 padding if the message digest is not set then the supplied data is
 signed or verified directly instead of using a B<DigestInfo> structure. If a
 digest is set then the a B<DigestInfo> structure is used and its the length
 must correspond to the digest type.
diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index acfbb25..e98d3a4 100644
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -70,7 +69,7 @@
 
 =item B<-outform DER|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -257,7 +256,7 @@
 
 =item B<-utf8>
 
-this option causes field values to be interpreted as UTF8 strings, by 
+this option causes field values to be interpreted as UTF8 strings, by
 default they are interpreted as ASCII. This means that the field
 values, whether prompted from a terminal or obtained from a
 configuration file, must be valid UTF8 strings.
@@ -272,7 +271,7 @@
 =item B<-reqopt>
 
 customise the output format used with B<-text>. The B<option> argument can be
-a single option or multiple options separated by commas. 
+a single option or multiple options separated by commas.
 
 See discussion of the  B<-certopt> parameter in the L<x509(1)>
 command.
@@ -342,7 +341,7 @@
 This specifies a file containing additional B<OBJECT IDENTIFIERS>.
 Each line of the file should consist of the numerical form of the
 object identifier followed by white space then the short name followed
-by white space and finally the long name. 
+by white space and finally the long name.
 
 =item B<oid_section>
 
@@ -376,7 +375,7 @@
 fields. Most users will not need to change this option.
 
 It can be set to several values B<default> which is also the default
-option uses PrintableStrings, T61Strings and BMPStrings if the 
+option uses PrintableStrings, T61Strings and BMPStrings if the
 B<pkix> value is used then only PrintableStrings and BMPStrings will
 be used. This follows the PKIX recommendation in RFC2459. If the
 B<utf8only> option is used then only UTF8Strings will be used: this
@@ -388,7 +387,7 @@
 
 this specifies the configuration file section containing a list of
 extensions to add to the certificate request. It can be overridden
-by the B<-reqexts> command line switch. See the 
+by the B<-reqexts> command line switch. See the
 L<x509v3_config(5)> manual page for details of the
 extension section format.
 
@@ -499,8 +498,8 @@
 
 Example of a file pointed to by the B<oid_file> option:
 
- 1.2.3.4	shortName	A longer Name
- 1.2.3.6	otherName	Other longer Name
+ 1.2.3.4        shortName       A longer Name
+ 1.2.3.6        otherName       Other longer Name
 
 Example of a section pointed to by B<oid_section> making use of variable
 expansion:
@@ -511,34 +510,34 @@
 Sample configuration file prompting for field values:
 
  [ req ]
- default_bits		= 2048
- default_keyfile 	= privkey.pem
- distinguished_name	= req_distinguished_name
- attributes		= req_attributes
- req_extensions		= v3_ca
+ default_bits           = 2048
+ default_keyfile        = privkey.pem
+ distinguished_name     = req_distinguished_name
+ attributes             = req_attributes
+ req_extensions         = v3_ca
 
  dirstring_type = nobmp
 
  [ req_distinguished_name ]
- countryName			= Country Name (2 letter code)
- countryName_default		= AU
- countryName_min		= 2
- countryName_max		= 2
+ countryName                    = Country Name (2 letter code)
+ countryName_default            = AU
+ countryName_min                = 2
+ countryName_max                = 2
 
- localityName			= Locality Name (eg, city)
+ localityName                   = Locality Name (eg, city)
 
- organizationalUnitName		= Organizational Unit Name (eg, section)
+ organizationalUnitName         = Organizational Unit Name (eg, section)
 
- commonName			= Common Name (eg, YOUR name)
- commonName_max			= 64
+ commonName                     = Common Name (eg, YOUR name)
+ commonName_max                 = 64
 
- emailAddress			= Email Address
- emailAddress_max		= 40
+ emailAddress                   = Email Address
+ emailAddress_max               = 40
 
  [ req_attributes ]
- challengePassword		= A challenge password
- challengePassword_min		= 4
- challengePassword_max		= 20
+ challengePassword              = A challenge password
+ challengePassword_min          = 4
+ challengePassword_max          = 20
 
  [ v3_ca ]
 
@@ -549,27 +548,27 @@
 Sample configuration containing all field values:
 
 
- RANDFILE		= $ENV::HOME/.rnd
+ RANDFILE               = $ENV::HOME/.rnd
 
  [ req ]
- default_bits		= 2048
- default_keyfile 	= keyfile.pem
- distinguished_name	= req_distinguished_name
- attributes		= req_attributes
- prompt			= no
- output_password	= mypass
+ default_bits           = 2048
+ default_keyfile        = keyfile.pem
+ distinguished_name     = req_distinguished_name
+ attributes             = req_attributes
+ prompt                 = no
+ output_password        = mypass
 
  [ req_distinguished_name ]
- C			= GB
- ST			= Test State or Province
- L			= Test Locality
- O			= Organization Name
- OU			= Organizational Unit Name
- CN			= Common Name
- emailAddress		= test@email.address
+ C                      = GB
+ ST                     = Test State or Province
+ L                      = Test Locality
+ O                      = Organization Name
+ OU                     = Organizational Unit Name
+ CN                     = Common Name
+ emailAddress           = test@email.address
 
  [ req_attributes ]
- challengePassword		= A challenge password
+ challengePassword              = A challenge password
 
 
 =head1 NOTES
@@ -596,13 +595,13 @@
 
 The following messages are frequently asked about:
 
-	Using configuration from /some/path/openssl.cnf
-	Unable to load config info
+        Using configuration from /some/path/openssl.cnf
+        Unable to load config info
 
 This is followed some time later by...
 
-	unable to find 'distinguished_name' in config
-	problems making Certificate Request
+        unable to find 'distinguished_name' in config
+        problems making Certificate Request
 
 The first error message is the clue: it can't find the configuration
 file! Certain operations (like examining a certificate request) don't
@@ -652,7 +651,7 @@
 
 L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
 L<gendsa(1)>, L<config(5)>,
-L<x509v3_config(5)> 
+L<x509v3_config(5)>
 
 =cut
 
diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod
index e216bac..9be51f9 100644
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -61,7 +60,7 @@
 
 =item B<-outform DER|NET|PEM>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -100,7 +99,7 @@
 =item B<-text>
 
 prints out the various public or private key components in
-plain text in addition to the encoded version. 
+plain text in addition to the encoded version.
 
 =item B<-noout>
 
@@ -176,7 +175,7 @@
 
  openssl rsa -in key.pem -des3 -out keyout.pem
 
-To convert a private key from PEM to DER format: 
+To convert a private key from PEM to DER format:
 
  openssl rsa -in key.pem -outform DER -out keyout.der
 
@@ -203,7 +202,7 @@
 =head1 SEE ALSO
 
 L<pkcs8(1)>, L<dsa(1)>, L<genrsa(1)>,
-L<gendsa(1)> 
+L<gendsa(1)>
 
 =cut
 
diff --git a/doc/apps/rsautl.pod b/doc/apps/rsautl.pod
index 94c5dce..3fb2e40 100644
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -61,7 +61,7 @@
 
 =item B<-certin>
 
-the input is a certificate containing an RSA public key. 
+the input is a certificate containing an RSA public key.
 
 =item B<-sign>
 
@@ -136,24 +136,24 @@
 
  openssl asn1parse -in pca-cert.pem
 
-    0:d=0  hl=4 l= 742 cons: SEQUENCE          
-    4:d=1  hl=4 l= 591 cons:  SEQUENCE          
-    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]        
+    0:d=0  hl=4 l= 742 cons: SEQUENCE
+    4:d=1  hl=4 l= 591 cons:  SEQUENCE
+    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
    10:d=3  hl=2 l=   1 prim:    INTEGER           :02
    13:d=2  hl=2 l=   1 prim:   INTEGER           :00
-   16:d=2  hl=2 l=  13 cons:   SEQUENCE          
+   16:d=2  hl=2 l=  13 cons:   SEQUENCE
    18:d=3  hl=2 l=   9 prim:    OBJECT            :md5WithRSAEncryption
-   29:d=3  hl=2 l=   0 prim:    NULL              
-   31:d=2  hl=2 l=  92 cons:   SEQUENCE          
-   33:d=3  hl=2 l=  11 cons:    SET               
-   35:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   29:d=3  hl=2 l=   0 prim:    NULL
+   31:d=2  hl=2 l=  92 cons:   SEQUENCE
+   33:d=3  hl=2 l=  11 cons:    SET
+   35:d=4  hl=2 l=   9 cons:     SEQUENCE
    37:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
    42:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :AU
   ....
-  599:d=1  hl=2 l=  13 cons:  SEQUENCE          
+  599:d=1  hl=2 l=  13 cons:  SEQUENCE
   601:d=2  hl=2 l=   9 prim:   OBJECT            :md5WithRSAEncryption
-  612:d=2  hl=2 l=   0 prim:   NULL              
-  614:d=1  hl=3 l= 129 prim:  BIT STRING        
+  612:d=2  hl=2 l=   0 prim:   NULL
+  614:d=1  hl=3 l= 129 prim:  BIT STRING
 
 
 The final BIT STRING contains the actual signature. It can be extracted with:
@@ -161,18 +161,18 @@
  openssl asn1parse -in pca-cert.pem -out sig -noout -strparse 614
 
 The certificate public key can be extracted with:
- 
+
  openssl x509 -in test/testx509.pem -pubkey -noout >pubkey.pem
 
 The signature can be analysed with:
 
  openssl rsautl -in sig -verify -asn1parse -inkey pubkey.pem -pubin
 
-    0:d=0  hl=2 l=  32 cons: SEQUENCE          
-    2:d=1  hl=2 l=  12 cons:  SEQUENCE          
+    0:d=0  hl=2 l=  32 cons: SEQUENCE
+    2:d=1  hl=2 l=  12 cons:  SEQUENCE
     4:d=2  hl=2 l=   8 prim:   OBJECT            :md5
-   14:d=2  hl=2 l=   0 prim:   NULL              
-   16:d=1  hl=2 l=  16 prim:  OCTET STRING      
+   14:d=2  hl=2 l=   0 prim:   NULL
+   16:d=1  hl=2 l=  16 prim:  OCTET STRING
       0000 - f3 46 9e aa 1a 4a 73 c9-37 ea 93 00 48 25 08 b5   .F...Js.7...H%..
 
 This is the parsed version of an ASN1 DigestInfo structure. It can be seen that
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 029da4f..0021983 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -416,7 +415,7 @@
 
 =item B<-no_ticket>
 
-disable RFC4507bis session ticket support. 
+disable RFC4507bis session ticket support.
 
 =item B<-sess_out filename>
 
@@ -444,7 +443,7 @@
 
 =item B<-serverinfo types>
 
-a list of comma-separated TLS Extension Types (numbers between 0 and 
+a list of comma-separated TLS Extension Types (numbers between 0 and
 65535).  Each type will be sent as an empty ClientHello TLS Extension.
 The server's response (if any) will be encoded and displayed as a PEM
 file.
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 6417451..d7ddb74 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index d8ef3c4..5a4381e 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
diff --git a/doc/apps/sess_id.pod b/doc/apps/sess_id.pod
index dbfc19d..3eed13f 100644
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -57,7 +56,7 @@
 =item B<-text>
 
 prints out the various public or private key components in
-plain text in addition to the encoded version. 
+plain text in addition to the encoded version.
 
 =item B<-cert>
 
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index 4dc7378..1d25a41 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -170,7 +170,7 @@
 
 this option adds plain text (text/plain) MIME headers to the supplied
 message if encrypting or signing. If decrypting or verifying it strips
-off text headers: if the decrypted or verified message is not of MIME 
+off text headers: if the decrypted or verified message is not of MIME
 type text/plain then an error occurs.
 
 =item B<-CAfile file>
@@ -201,7 +201,7 @@
 
 the encryption algorithm to use. For example DES  (56 bits) - B<-des>,
 triple DES (168 bits) - B<-des3>,
-EVP_get_cipherbyname() function) can also be used preceded by a dash, for 
+EVP_get_cipherbyname() function) can also be used preceded by a dash, for
 example B<-aes-128-cbc>. See L<B<enc>|enc(1)> for list of ciphers
 supported by your version of OpenSSL.
 
@@ -301,7 +301,7 @@
 =item B<cert.pem...>
 
 one or more certificates of message recipients: used when encrypting
-a message. 
+a message.
 
 =item B<-to, -from, -subject>
 
@@ -398,29 +398,29 @@
 Create a cleartext signed message:
 
  openssl smime -sign -in message.txt -text -out mail.msg \
-	-signer mycert.pem
+        -signer mycert.pem
 
 Create an opaque signed message:
 
  openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
-	-signer mycert.pem
+        -signer mycert.pem
 
 Create a signed message, include some additional certificates and
 read the private key from another file:
 
  openssl smime -sign -in in.txt -text -out mail.msg \
-	-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
+        -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
 
 Create a signed message with two signers:
 
  openssl smime -sign -in message.txt -text -out mail.msg \
-	-signer mycert.pem -signer othercert.pem
+        -signer mycert.pem -signer othercert.pem
 
 Send a signed message under Unix directly to sendmail, including headers:
 
  openssl smime -sign -in in.txt -text -signer mycert.pem \
-	-from steve@openssl.org -to someone@somewhere \
-	-subject "Signed message" | sendmail someone@somewhere
+        -from steve@openssl.org -to someone@somewhere \
+        -subject "Signed message" | sendmail someone@somewhere
 
 Verify a message and extract the signer's certificate if successful:
 
@@ -429,15 +429,15 @@
 Send encrypted mail using triple DES:
 
  openssl smime -encrypt -in in.txt -from steve@openssl.org \
-	-to someone@somewhere -subject "Encrypted message" \
-	-des3 user.pem -out mail.msg
+        -to someone@somewhere -subject "Encrypted message" \
+        -des3 user.pem -out mail.msg
 
 Sign and encrypt mail:
 
  openssl smime -sign -in ml.txt -signer my.pem -text \
-	| openssl smime -encrypt -out mail.msg \
-	-from steve@openssl.org -to someone@somewhere \
-	-subject "Signed and Encrypted message" -des3 user.pem
+        | openssl smime -encrypt -out mail.msg \
+        -from steve@openssl.org -to someone@somewhere \
+        -subject "Signed and Encrypted message" -des3 user.pem
 
 Note: the encryption command does not include the B<-text> option because the
 message being encrypted already has MIME headers.
@@ -454,7 +454,7 @@
  -----BEGIN PKCS7-----
  -----END PKCS7-----
 
-and using the command: 
+and using the command:
 
  openssl smime -verify -inform PEM -in signature.pem -content content.txt
 
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index dc41003..0f41a15 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -522,13 +522,13 @@
 without nonce and policy and no certificate is required in the response:
 
   openssl ts -query -data design1.txt -no_nonce \
-	-out design1.tsq
+        -out design1.tsq
 
 To create a similar time stamp request with specifying the message imprint
 explicitly:
 
   openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-	 -no_nonce -out design1.tsq
+         -no_nonce -out design1.tsq
 
 To print the content of the previous request in human readable format:
 
@@ -540,7 +540,7 @@
 OID section of the config file):
 
   openssl ts -query -data design2.txt -md5 \
-	-tspolicy tsa_policy1 -cert -out design2.tsq
+        -tspolicy tsa_policy1 -cert -out design2.tsq
 
 =head2 Time Stamp Response
 
@@ -557,7 +557,7 @@
 To create a time stamp response for a request:
 
   openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
-	-signer tsacert.pem -out design1.tsr
+        -signer tsacert.pem -out design1.tsr
 
 If you want to use the settings in the config file you could just write:
 
@@ -589,20 +589,20 @@
 To verify a time stamp reply against a request:
 
   openssl ts -verify -queryfile design1.tsq -in design1.tsr \
-	-CAfile cacert.pem -untrusted tsacert.pem
+        -CAfile cacert.pem -untrusted tsacert.pem
 
 To verify a time stamp reply that includes the certificate chain:
 
   openssl ts -verify -queryfile design2.tsq -in design2.tsr \
-	-CAfile cacert.pem
+        -CAfile cacert.pem
 
 To verify a time stamp token against the original data file:
   openssl ts -verify -data design2.txt -in design2.tsr \
-	-CAfile cacert.pem
+        -CAfile cacert.pem
 
 To verify a time stamp token against a message imprint:
   openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-	 -in design2.tsr -CAfile cacert.pem
+         -in design2.tsr -CAfile cacert.pem
 
 You could also look at the 'test' directory for more examples.
 
diff --git a/doc/apps/tsget.pod b/doc/apps/tsget.pod
index 7f30b71..e325697 100644
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -33,15 +33,15 @@
 
 The tool sends the following HTTP request for each time stamp request:
 
-	POST url HTTP/1.1
-	User-Agent: OpenTSA tsget.pl/<version>
-	Host: <host>:<port>
-	Pragma: no-cache
-	Content-Type: application/timestamp-query
-	Accept: application/timestamp-reply
-	Content-Length: length of body
+        POST url HTTP/1.1
+        User-Agent: OpenTSA tsget.pl/<version>
+        Host: <host>:<port>
+        Pragma: no-cache
+        Content-Type: application/timestamp-query
+        Accept: application/timestamp-reply
+        Content-Length: length of body
 
-	...binary request specified by the user...
+        ...binary request specified by the user...
 
 B<tsget> expects a response of type application/timestamp-reply, which is
 written to a file without any interpretation.
@@ -142,7 +142,7 @@
 and at port 8443 for HTTPS requests, the TSA service is available at the /tsa
 absolute path.
 
-Get a time stamp response for file1.tsq over HTTP, output is written to 
+Get a time stamp response for file1.tsq over HTTP, output is written to
 file1.tsr:
 
   tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq
@@ -151,40 +151,40 @@
 progress, output is written to file1.reply and file2.reply respectively:
 
   tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \
-	file1.tsq file2.tsq
+        file1.tsq file2.tsq
 
 Create a time stamp request, write it to file3.tsq, send it to the server and
 write the response to file3.tsr:
 
   openssl ts -query -data file3.txt -cert | tee file3.tsq \
-	| tsget -h http://tsa.opentsa.org:8080/tsa \
-	-o file3.tsr
+        | tsget -h http://tsa.opentsa.org:8080/tsa \
+        -o file3.tsr
 
 Get a time stamp response for file1.tsq over HTTPS without client
 authentication:
 
   tsget -h https://tsa.opentsa.org:8443/tsa \
-	-C cacerts.pem file1.tsq
+        -C cacerts.pem file1.tsq
 
 Get a time stamp response for file1.tsq over HTTPS with certificate-based
 client authentication (it will ask for the passphrase if client_key.pem is
 protected):
 
   tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
-	-k client_key.pem -c client_cert.pem file1.tsq
+        -k client_key.pem -c client_cert.pem file1.tsq
 
 You can shorten the previous command line if you make use of the B<TSGET>
 environment variable. The following commands do the same as the previous
 example:
 
   TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
-	-k client_key.pem -c client_cert.pem'
+        -k client_key.pem -c client_cert.pem'
   export TSGET
   tsget file1.tsq
 
 =head1 SEE ALSO
 
-L<openssl(1)>, L<ts(1)>, L<curl(1)>, 
+L<openssl(1)>, L<ts(1)>, L<curl(1)>,
 B<RFC 3161>
 
 =cut
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index 17dce23..f42b806 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -148,8 +148,8 @@
 
 =item B<-no_check_time>
 
-This option suppresses checking the validity period of certificates and CRLs 
-against the current time. If option B<-attime timestamp> is used to specify 
+This option suppresses checking the validity period of certificates and CRLs
+against the current time. If option B<-attime timestamp> is used to specify
 a verification time, the check is not suppressed.
 
 =item B<-partial_chain>
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index ce6f5f7..eb6d06d 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -1,4 +1,3 @@
-
 =pod
 
 =head1 NAME
@@ -93,7 +92,7 @@
 
 =item B<-outform DER|PEM|NET>
 
-This specifies the output format, the options have the same meaning as the 
+This specifies the output format, the options have the same meaning as the
 B<-inform> option.
 
 =item B<-in filename>
@@ -322,7 +321,7 @@
 =item B<-signkey filename>
 
 this option causes the input file to be self signed using the supplied
-private key. 
+private key.
 
 If the input file is a certificate it sets the issuer name to the
 subject name (i.e.  makes it self signed) changes the public key to the
@@ -403,7 +402,7 @@
 use the serial number is incremented and written out to the file again.
 
 The default filename consists of the CA certificate file base name with
-".srl" appended. For example if the CA certificate file is called 
+".srl" appended. For example if the CA certificate file is called
 "mycacert.pem" it expects to find a serial number file called "mycacert.srl".
 
 =item B<-CAcreateserial>
@@ -707,20 +706,20 @@
 extensions for a CA:
 
  openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
-	-signkey key.pem -out cacert.pem
+        -signkey key.pem -out cacert.pem
 
 Sign a certificate request using the CA certificate above and add user
 certificate extensions:
 
  openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
-	-CA cacert.pem -CAkey key.pem -CAcreateserial
+        -CA cacert.pem -CAkey key.pem -CAcreateserial
 
 
 Set a certificate to be trusted for SSL client use and change set its alias to
 "Steve's Class 1 CA"
 
  openssl x509 -in cert.pem -addtrust clientAuth \
-	-setalias "Steve's Class 1 CA" -out trust.pem
+        -setalias "Steve's Class 1 CA" -out trust.pem
 
 =head1 NOTES
 
@@ -854,7 +853,7 @@
 The extended key usage extension must be absent or include the "email
 protection" OID. Netscape certificate type must be absent or must have the
 S/MIME CA bit set: this is used as a work around if the basicConstraints
-extension is absent. 
+extension is absent.
 
 =item B<CRL Signing>
 
@@ -884,7 +883,7 @@
 
 L<req(1)>, L<ca(1)>, L<genrsa(1)>,
 L<gendsa(1)>, L<verify(1)>,
-L<x509v3_config(5)> 
+L<x509v3_config(5)>
 
 =head1 HISTORY
 
@@ -892,7 +891,7 @@
 before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
 of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
 canonical version of the DN using SHA1. This means that any directories using
-the old form must have their links rebuilt using B<c_rehash> or similar. 
+the old form must have their links rebuilt using B<c_rehash> or similar.
 
 =cut
 
diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
index ec96e2f..10967b9 100644
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -108,19 +108,19 @@
 While any OID can be used only certain values make sense. In particular the
 following PKIX, NS and MS values are meaningful:
 
- Value			Meaning
- -----			-------
- serverAuth		SSL/TLS Web Server Authentication.
- clientAuth		SSL/TLS Web Client Authentication.
- codeSigning		Code signing.
- emailProtection	E-mail Protection (S/MIME).
- timeStamping		Trusted Timestamping
- OCSPSigning		OCSP Signing
- ipsecIKE		ipsec Internet Key Exchnage
- msCodeInd		Microsoft Individual Code Signing (authenticode)
- msCodeCom		Microsoft Commercial Code Signing (authenticode)
- msCTLSign		Microsoft Trust List Signing
- msEFS			Microsoft Encrypted File System
+ Value                  Meaning
+ -----                  -------
+ serverAuth             SSL/TLS Web Server Authentication.
+ clientAuth             SSL/TLS Web Client Authentication.
+ codeSigning            Code signing.
+ emailProtection        E-mail Protection (S/MIME).
+ timeStamping           Trusted Timestamping
+ OCSPSigning            OCSP Signing
+ ipsecIKE               ipsec Internet Key Exchnage
+ msCodeInd              Microsoft Individual Code Signing (authenticode)
+ msCodeCom              Microsoft Commercial Code Signing (authenticode)
+ msCTLSign              Microsoft Trust List Signing
+ msEFS                  Microsoft Encrypted File System
 
 Examples: