Diffstat (limited to 'secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3')
-rw-r--r-- | secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 index f31cdc125fcd..f61478c82762 100644 --- a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 +++ b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 @@ -1,4 +1,4 @@ -.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.40) +.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== @@ -133,7 +133,7 @@ .\" ======================================================================== .\" .IX Title "X509_VERIFY_PARAM_SET_FLAGS 3" -.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2020-04-21" "1.1.1g" "OpenSSL" +.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2020-09-22" "1.1.1h" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -252,7 +252,7 @@ interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1 shorter than 1024 bits. .PP \&\fBX509_VERIFY_PARAM_set1_host()\fR sets the expected \s-1DNS\s0 hostname to -\&\fBname\fR clearing any previously specified host name or names. If +\&\fBname\fR clearing any previously specified hostname or names. If \&\fBname\fR is \s-1NULL,\s0 or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If \fBname\fR is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR 
@@ -385,12 +385,15 @@ they are enabled. If \fBX509_V_FLAG_USE_DELTAS\fR is set delta CRLs (if present) are used to determine certificate status. If not set deltas are ignored. .PP -\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR enables checking of the root \s-1CA\s0 self signed -certificate signature. By default this check is disabled because it doesn't +\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR requests checking the signature of +the last certificate in a chain if the certificate is supposedly self-signed. +This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0 +certificate with key usage restrictions not including the keyCertSign bit. +By default this check is disabled because it doesn't add any additional security but in some cases applications might want to -check the signature anyway. A side effect of not checking the root \s-1CA\s0 -signature is that disabled or unsupported message digests on the root \s-1CA\s0 -are not treated as fatal errors. +check the signature anyway. A side effect of not checking the self-signature +of such a certificate is that disabled or unsupported message digests used for +the signature are not treated as fatal errors. .PP When \fBX509_V_FLAG_TRUSTED_FIRST\fR is set, construction of the certificate chain in \fBX509_verify_cert\fR\|(3) will search the trust store for issuer certificates @@ -492,7 +495,7 @@ and has no effect. The \fBX509_VERIFY_PARAM_get_hostflags()\fR function was added in OpenSSL 1.1.0i. .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2009\-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy |
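Review bot: In the @@ -252,7 +252,7 @@ hunk, the changed line now reads "any previously specified hostname or names", which still mixes two forms after the "host name" to "hostname" fix. The next context line already says "the list of hostnames", so "any previously specified hostname or hostnames" would keep the paragraph consistent.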
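Review bot: In the @@ -385,12 +385,15 @@ hunk, the added sentence "This is prohibited and will result in an error if it is a non-conforming CA certificate with key usage restrictions not including the keyCertSign bit" has an unclear antecedent and names no error. "This" can be read as the check requested by X509_V_FLAG_CHECK_SS_SIGNATURE or as the self-signature itself, and a caller who sets the flag cannot tell from the text which verification error to expect. Suggest making the subject explicit, for example "Verification fails with an error if that certificate is a non-conforming CA certificate whose key usage does not include keyCertSign", and naming the error code. The phrase "supposedly self-signed" would also benefit from one sentence on how a certificate is judged to be self-signed, since the retained text on unsupported digests not being fatal depends on which certificates fall under that description.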