ispell
diff --git a/CHANGES b/CHANGES
index 9d0492c..e785190 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,7 +5,7 @@
  Changes between 0.9.6 and 0.9.7  [xx XXX 2001]
 
      OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
-     and OpenSSL 0.9.7 were developped in parallel, based on OpenSSL 0.9.6.  
+     and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.  
 
      Change log entries are tagged as follows:
          -) applies to 0.9.6a/0.9.6b/0.9.6c only
@@ -20,7 +20,7 @@
      'wristwatch attack' using huge encoding parameters (cf.
      James H. Manger's CRYPTO 2001 paper).  Note that the
      RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
-     encoding paramters and hence was not vulnerable.
+     encoding parameters and hence was not vulnerable.
      [Bodo Moeller]
 
   +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
@@ -60,14 +60,14 @@
      [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
 
   *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
-     requivalent based on BN_pseudo_rand() instead of BN_rand().
+     equivalent based on BN_pseudo_rand() instead of BN_rand().
      [Bodo Moeller]
 
   +) Add a copy() function to EVP_MD.
      [Ben Laurie]
 
   +) Make EVP_MD routines take a context pointer instead of just the
-     md_data voud pointer.
+     md_data void pointer.
      [Ben Laurie]
 
   +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
@@ -149,7 +149,7 @@
      The configuration part makes use of modern compiler features and
      still retains old compiler behavior for those that run older versions
      of the OS.  The shared library support part includes a variant that
-     uses the RPATH feature, and is available through the speciel
+     uses the RPATH feature, and is available through the special
      configuration target "alpha-cc-rpath", which will never be selected
      automatically.
      [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
@@ -200,7 +200,7 @@
      [Steve Henson]
 
   *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
-     explicitely to NULL, as at least on Solaris 8 this seems not always to be
+     explicitly to NULL, as at least on Solaris 8 this seems not always to be
      done automatically (in contradiction to the requirements of the C
      standard). This made problems when used from OpenSSH.
      [Lutz Jaenicke]
@@ -355,7 +355,7 @@
      [Bodo Moeller]
 
   +) Enhance the general user interface with mechanisms for inner control
-     and with pssibilities to have yes/no kind of prompts.
+     and with possibilities to have yes/no kind of prompts.
      [Richard Levitte]
 
   +) Change all calls to low level digest routines in the library and
@@ -368,14 +368,14 @@
      Change the key loaders to take a UI_METHOD instead of a callback
      function pointer.  NOTE: this breaks binary compatibility with earlier
      versions of OpenSSL [engine].
-     Addapt the nCipher code for these new conditions and add a card insertion
+     Adapt the nCipher code for these new conditions and add a card insertion
      callback.
      [Richard Levitte]
 
   +) Enhance the general user interface with mechanisms to better support
      dialog box interfaces, application-defined prompts, the possibility
      to use defaults (for example default passwords from somewhere else)
-     and interrupts/cancelations.
+     and interrupts/cancellations.
      [Richard Levitte]
 
   *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
@@ -395,7 +395,7 @@
      [Ulf Möller, Bodo Möller]
 
   *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
-     RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
+     RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
      when fixing the server behaviour for backwards-compatible 'client
      hello' messages.  (Note that the attack is impractical against
      SSL 3.0 and TLS 1.0 anyway because length and version checking
@@ -416,7 +416,7 @@
      [Bodo Moeller]
 
   +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
-     tidy up some unecessarily weird code in 'sk_new()').
+     tidy up some unnecessarily weird code in 'sk_new()').
      [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
 
   +) Change the key loading routines for ENGINEs to use the same kind
@@ -446,7 +446,7 @@
         const ASN1_ITEM *it = &ASN1_INTEGER_it;
 
      wont compile. This is used by the any applications that need to
-     delcare their own ASN1 modules. This was fixed by adding the option
+     declare their own ASN1 modules. This was fixed by adding the option
      EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
      needed for static libraries under Win32.
      [Steve Henson]
@@ -584,7 +584,7 @@
        missing functions (including a catch-all ENGINE_cpy that duplicates
        all ENGINE values onto a new ENGINE except reference counts/state).
      - Removed NULL parameter checks in get/set functions. Setting a method
-       or function to NULL is a way of cancelling out a previously set
+       or function to NULL is a way of canceling out a previously set
        value.  Passing a NULL ENGINE parameter is just plain stupid anyway
        and doesn't justify the extra error symbols and code.
      - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
@@ -602,12 +602,12 @@
      combination of a flag and a thread ID variable.
      Otherwise while one thread is in ssleay_rand_bytes (which sets the
      flag), *other* threads can enter ssleay_add_bytes without obeying
-     the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock
+     the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
      that they do not hold after the first thread unsets add_do_not_lock).
      [Bodo Moeller]
 
   +) Implement binary inversion algorithm for BN_mod_inverse in addition
-     to the algorithm using long divison.  The binary algorithm can be
+     to the algorithm using long division.  The binary algorithm can be
      used only if the modulus is odd.  On 32-bit systems, it is faster
      only for relatively small moduli (roughly 20-30% for 128-bit moduli,
      roughly 5-15% for 256-bit moduli), so we use it only for moduli
@@ -820,10 +820,10 @@
 	#define bar OPENSSL_GLOBAL_REF(bar)
 
      The #defines are very important, and therefore so is including the
-     header file everywere where the defined globals are used.
+     header file everywhere where the defined globals are used.
 
      The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
-     of ASN.1 items, but that structure is a bt different.
+     of ASN.1 items, but that structure is a bit different.
 
      The largest change is in util/mkdef.pl which has been enhanced with
      better and easier to understand logic to choose which symbols should
@@ -852,7 +852,7 @@
      responses. OCSP responses are prepared in real time and may only
      be a few seconds old. Simply checking that the current time lies
      between thisUpdate and nextUpdate max reject otherwise valid responses
-     caused by either OCSP responder or client clock innacuracy. Instead
+     caused by either OCSP responder or client clock inaccuracy. Instead
      we allow thisUpdate and nextUpdate to fall within a certain period of
      the current time. The age of the response can also optionally be
      checked. Two new options -validity_period and -status_age added to
@@ -860,7 +860,7 @@
      [Steve Henson]
 
   +) If signature or public key algorithm is unrecognized print out its
-     OID rather that just UNKOWN.
+     OID rather that just UNKNOWN.
      [Steve Henson]
 
   *) Avoid coredump with unsupported or invalid public keys by checking if
@@ -895,7 +895,7 @@
      to use such a feature) has been added to "s_server".
      [Geoff Thorpe, Lutz Jaenicke]
 
-  +) Modify mkdef.pl to recognise and parse prprocessor conditionals
+  +) Modify mkdef.pl to recognise and parse preprocessor conditionals
      of the form '#if defined(...) || defined(...) || ...' and
      '#if !defined(...) && !defined(...) && ...'.  This also avoids
      the growing number of special cases it was previously handling.
@@ -1049,7 +1049,7 @@
      extract information from a certificate request. OCSP_response_create()
      creates a response and optionally adds a basic response structure.
      OCSP_basic_add1_status() adds a complete single response to a basic
-     reponse and returns the OCSP_SINGLERESP structure just added (to allow
+     response and returns the OCSP_SINGLERESP structure just added (to allow
      extensions to be included for example). OCSP_basic_add1_cert() adds a
      certificate to a basic response and OCSP_basic_sign() signs a basic
      response with various flags. New helper functions ASN1_TIME_check()
@@ -1059,7 +1059,7 @@
 
   +) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
      in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
-     structure from a certificate. X509_pubkey_digest() digests tha public_key
+     structure from a certificate. X509_pubkey_digest() digests the public_key
      contents: this is used in various key identifiers. 
      [Steve Henson]
 
@@ -1079,7 +1079,7 @@
 
   +) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
      passed by the function are trusted implicitly. If any of them signed the
-     reponse then it is assumed to be valid and is not verified.
+     response then it is assumed to be valid and is not verified.
      [Steve Henson]
 
   -) Make the CRL encoding routines work with empty SEQUENCE OF. The
diff --git a/FAQ b/FAQ
index f7a55b3..0281b4c 100644
--- a/FAQ
+++ b/FAQ
@@ -153,7 +153,7 @@
 their software on operating systems that don't normally include OpenSSL.
 
 If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitely that
+useful to choose an other license than the GPL, or state explicitly that
 "This program is released under the GPL with the additional exemption that
 compiling, linking, and/or using OpenSSL is allowed."  If you are using
 GPL software developed by others, you may want to ask the copyright holder
@@ -304,7 +304,7 @@
 reject.
 
 The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server sofware in uses. You can
+CA list". How you do this depends on the server software in uses. You can
 print out the servers list of acceptable CAs using the OpenSSL s_client tool:
 
 openssl s_client -connect www.some.host:443 -prexit
@@ -558,7 +558,7 @@
 * Why doesn't my server application receive a client certificate?
 
 Due to the TLS protocol definition, a client will only send a certificate,
-if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
+if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.