Fix issues reported by markdownlint

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/11739)
2025-04-27 02:04:37 +00:00 · 2020-05-07 13:44:01 +02:00 · 2020-05-07 13:44:01 +02:00 · 257e9d03b0
commit 257e9d03b0
parent 4ef0ddc9d8
10 changed files with 781 additions and 897 deletions
--- a/ACKNOWLEDGEMENTS.md
+++ b/ACKNOWLEDGEMENTS.md
@ -3,6 +3,5 @@ Acknowlegements
 Please see our [Thanks!][] page for the current acknowledgements.
 [Thanks!]: https://www.openssl.org/community/thanks.html
--- a/AUTHORS.md
+++ b/AUTHORS.md
@ -7,40 +7,38 @@ since in some cases, their employer may be the copyright holder.
 To see the full list of contributors, see the revision history in
 source control.
 Groups
 ------
- *  OpenSSL Software Services, Inc.
+ * OpenSSL Software Services, Inc.
- *  OpenSSL Software Foundation, Inc.
+ * OpenSSL Software Foundation, Inc.
 Individuals
 -----------
- *  Andy Polyakov
+ * Andy Polyakov
- *  Ben Laurie
+ * Ben Laurie
- *  Ben Kaduk
+ * Ben Kaduk
- *  Bernd Edlinger
+ * Bernd Edlinger
- *  Bodo Möller
+ * Bodo Möller
- *  David Benjamin
+ * David Benjamin
- *  Emilia Käsper
+ * Emilia Käsper
- *  Eric Young
+ * Eric Young
- *  Geoff Thorpe
+ * Geoff Thorpe
- *  Holger Reif
+ * Holger Reif
- *  Kurt Roeckx
+ * Kurt Roeckx
- *  Lutz Jänicke
+ * Lutz Jänicke
- *  Mark J. Cox
+ * Mark J. Cox
- *  Matt Caswell
+ * Matt Caswell
- *  Matthias St. Pierre
+ * Matthias St. Pierre
- *  Nils Larsch
+ * Nils Larsch
- *  Paul Dale
+ * Paul Dale
- *  Paul C. Sutton
+ * Paul C. Sutton
- *  Ralf S. Engelschall
+ * Ralf S. Engelschall
- *  Rich Salz
+ * Rich Salz
- *  Richard Levitte
+ * Richard Levitte
- *  Stephen Henson
+ * Stephen Henson
- *  Steve Marquess
+ * Steve Marquess
- *  Tim Hudson
+ * Tim Hudson
- *  Ulf Möller
+ * Ulf Möller
- *  Viktor Dukhovni
+ * Viktor Dukhovni
--- a/CHANGES.md
+++ b/CHANGES.md
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -5,7 +5,6 @@ Please visit our [Getting Started][gs] page for other ideas about how to contrib
  [gs]: https://www.openssl.org/community/getting-started.html
 Development is done on GitHub in the [openssl/openssl][gh] repository.
  [gh]: https://github.com/openssl/openssl
@ -30,14 +29,17 @@ guidelines:
    [CLA]: https://www.openssl.org/policies/cla.html
    To amend a missing "`CLA: trivial`" line after submission, do the following:
    ```
        git commit --amend
        [add the line, save and quit the editor]
        git push -f
    ```
 2. All source files should start with the following text (with
    appropriate comment characters at the start of each line and the
    year(s) updated):
    ```
        Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
--- a/INSTALL.md
+++ b/INSTALL.md
@ -1,4 +1,3 @@
 Build and Install
 =================
@ -12,36 +11,35 @@ Table of Contents
 - [Prerequisites](#prerequisites)
 - [Notational Conventions](#notational-conventions)
 - [Quick Installation Guide](#quick-installation-guide)
-    - [Building OpenSSL](#building-openssl)
+   - [Building OpenSSL](#building-openssl)
-    - [Installing OpenSSL](#installing-openssl)
+   - [Installing OpenSSL](#installing-openssl)
 - [Configuration Options](#configuration-options)
-    - [API Level](#api-level)
+   - [API Level](#api-level)
-    - [Cross Compile Prefix](#cross-compile-prefix)
+   - [Cross Compile Prefix](#cross-compile-prefix)
-    - [Build Type](#build-type)
+   - [Build Type](#build-type)
-    - [Directories](#directories)
+   - [Directories](#directories)
-    - [Compiler Warnings](#compiler-warnings)
+   - [Compiler Warnings](#compiler-warnings)
-    - [ZLib Flags](#zlib-flags)
+   - [ZLib Flags](#zlib-flags)
-    - [Seeding the Random Generator](#seeding-the-random-generator)
+   - [Seeding the Random Generator](#seeding-the-random-generator)
-    - [Enable and Disable Features](#enable-and-disable-features)
+   - [Enable and Disable Features](#enable-and-disable-features)
-    - [Displaying configuration data](#displaying-configuration-data)
+   - [Displaying configuration data](#displaying-configuration-data)
 - [Installation Steps in Detail](#installation-steps-in-detail)
-    - [Configure](#configure-openssl)
+   - [Configure](#configure-openssl)
-    - [Build](#build-openssl)
+   - [Build](#build-openssl)
-    - [Test](#test-openssl)
+   - [Test](#test-openssl)
-    - [Install](#install-openssl)
+   - [Install](#install-openssl)
 - [Advanced Build Options](#advanced-build-options)
-    - [Environment Variables](#environment-variables)
+   - [Environment Variables](#environment-variables)
-    - [Makefile Targets](#makefile-targets)
+   - [Makefile Targets](#makefile-targets)
-    - [Running Selected Tests](#running-selected-tests)
+   - [Running Selected Tests](#running-selected-tests)
 - [Troubleshooting](#troubleshooting)
-    - [Configuration Problems](#configuration-problems)
+   - [Configuration Problems](#configuration-problems)
-    - [Build Failures](#build-failures)
+   - [Build Failures](#build-failures)
-    - [Test Failures](#test-failures)
+   - [Test Failures](#test-failures)
 - [Notes](#notes)
-    - [Notes on multi-threading](#notes-on-multi-threading)
+   - [Notes on multi-threading](#notes-on-multi-threading)
-    - [Notes on shared libraries](#notes-on-shared-libraries)
+   - [Notes on shared libraries](#notes-on-shared-libraries)
-    - [Notes on random number generation](#notes-on-random-number-generation)
+   - [Notes on random number generation](#notes-on-random-number-generation)
 Prerequisites
 =============
@ -67,7 +65,6 @@ issues and other details, please read one of these:
 * [NOTES.VALGRIND](NOTES.VALGRIND) - testing with Valgrind
 * [NOTES.PERL](NOTES.PERL) - some notes on Perl
 Notational conventions
 ======================
@ -129,7 +126,6 @@ A simple example would be
 which is to be understood to use the command `type` on some file name
 determined by the user.
 **Optional Arguments** are enclosed in double square brackets.
    [[ options ]]
@ -138,7 +134,6 @@ Note that the notation assumes spaces around {, }, [, ], {{, }} and
 [[, ]].  This is to differentiate from OpenVMS directory
 specifications, which also use [ and ], but without spaces.
 Quick Installation Guide
 ========================
@ -154,13 +149,13 @@ Use the following commands to configure, build and test OpenSSL.
 The testing is optional, but recommended if you intend to install
 OpenSSL for production use.
-### Unix / Linux / macOS ###
+### Unix / Linux / macOS
    $ ./config
    $ make
    $ make test
-### OpenVMS ###
+### OpenVMS
 Use the following commands to build OpenSSL:
@ -168,7 +163,7 @@ Use the following commands to build OpenSSL:
    $ mms
    $ mms test
-### Windows ###
+### Windows
 If you are using Visual Studio, open a Developer Command Prompt and
 and issue the following commands to build OpenSSL.
@ -210,7 +205,7 @@ the global search path for system libraries.
 Finally, if you plan on using the FIPS module, you need to read the
 [Post-installation Notes](#post-installation-notes) further down.
-### Unix / Linux / macOS ###
+### Unix / Linux / macOS
 Depending on your distribution, you need to run the following command as
 root user or prepend `sudo` to the command:
@ -230,7 +225,7 @@ More precisely, the files will be installed into the  subdirectories
 depending on the file type, as it is custom on Unix-like operating systems.
-### OpenVMS ###
+### OpenVMS
 Use the following command to install OpenSSL.
@ -243,7 +238,7 @@ By default, OpenSSL will be installed to
 where 'version' is the OpenSSL version number with underscores instead
 of periods.
-### Windows ###
+### Windows
 If you are using Visual Studio, open the Developer Command Prompt _elevated_
 and issue the following command.
@ -264,8 +259,7 @@ for native binaries, or
 for 32bit binaries on 64bit Windows (WOW64).
-
+#### Installing to a different location
 #### Installing to a different location ####
 To install OpenSSL to a different location (for example into your home
 directory for testing purposes) run config like this:
@ -279,11 +273,10 @@ directory for testing purposes) run config like this:
    $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
 Note: if you do add options to the configuration command, please make sure
-you've read more than just this Quick Start, such as relevant NOTES.* files,
+you've read more than just this Quick Start, such as relevant `NOTES.*` files,
 the options outline below, as configuration options may change the outcome
 in otherwise unexpected ways.
 Configuration Options
 =====================
@ -310,7 +303,6 @@ If you just intend to remove all deprecated APIs up to the current version
 entirely, just specify [no-deprecated](#no-deprecated).
 If `--api` isn't given, it defaults to the current (minor) OpenSSL version.
 Cross Compile Prefix
 --------------------
@ -333,7 +325,6 @@ mention that you have to invoke `./Configure`, not `./config`, and pass your tar
 name explicitly.  Also, note that `--openssldir` refers to target's file system,
 not one you are building on.
 Build Type
 ----------
@ -345,11 +336,10 @@ Build OpenSSL with debugging symbols and zero optimization level.
 Build OpenSSL without debugging symbols.  This is the default.
 Directories
 -----------
-### libdir ###
+### libdir
    --libdir=DIR
@ -359,7 +349,7 @@ this is "lib". Note that on Windows only static libraries (`*.lib`) will
 be stored in this location. Shared libraries (`*.dll`) will always be
 installed to the "bin" directory.
-### openssldir ###
+### openssldir
    --openssldir=DIR
@ -373,7 +363,7 @@ and key store.  Defaults are:
 For 32bit Windows applications on Windows 64bit (WOW64), always replace
 `C:\Program Files` by `C:\Program Files (x86)`.
-### prefix ###
+### prefix
    --prefix=DIR
@ -383,7 +373,6 @@ The top of the installation directory tree.  Defaults are:
    Windows:        C:\Program Files\OpenSSL
    OpenVMS:        SYS$COMMON:[OPENSSL-'version']
 Compiler Warnings
 -----------------
@ -397,7 +386,7 @@ this option where possible.
 ZLib Flags
 ----------
-### with-zlib-include ###
+### with-zlib-include
    --with-zlib-include=DIR
@ -405,7 +394,7 @@ The directory for the location of the zlib include file.  This option is only
 necessary if [enable-zlib](#enable-zlib) is used and the include file is not
 already on the system include path.
-### with-zlib-lib ###
+### with-zlib-lib
    --with-zlib-lib=LIB
@ -421,7 +410,6 @@ then this flag is optional and defaults to "ZLIB1" if not provided.
 This flag is optional and if not provided then "GNV$LIBZSHR", "GNV$LIBZSHR32"
 or "GNV$LIBZSHR64" is used by default depending on the pointer size chosen.
 Seeding the Random Generator
 ----------------------------
@ -432,18 +420,18 @@ in order to obtain random input (a.k.a "entropy") for seeding its
 cryptographically secure random number generator (CSPRNG).
 The current seeding methods are:
-### os ###
+### os
 Use a trusted operating system entropy source.
 This is the default method if such an entropy source exists.
-### getrandom ###
+### getrandom
 Use the [getrandom(2)][man-getrandom] or equivalent system call.
 [man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html
-### devrandom ###
+### devrandom
 Use the first device from the DEVRANDOM list which can be opened to read
 random bytes.  The DEVRANDOM preprocessor constant expands to
@ -452,19 +440,19 @@ random bytes.  The DEVRANDOM preprocessor constant expands to
 on most unix-ish operating systems.
-### egd ###
+### egd
 Check for an entropy generating daemon.
-### rdcpu ###
+### rdcpu
 Use the RDSEED or RDRAND command if provided by the CPU.
-### librandom ###
+### librandom
 Use librandom (not implemented yet).
-### none ###
+### none
 Disable automatic seeding.  This is the default on some operating systems where
 no suitable entropy source exists, or no support for it is implemented yet.
@ -474,7 +462,6 @@ at the end of this document.
 [rng]: #notes-on-random-number-generation
 Enable and Disable Features
 ---------------------------
@ -488,14 +475,13 @@ In the following list, always the non-default variant is documented: if
 feature xxxx is disabled by default then enable-xxxx is documented and
 if feature xxxx is enabled by default then no-xxxx is documented.
-
+### no-afalgeng
 ### no-afalgeng ###
 Don't build the AFALG engine.
 This option will be forced on a platform that does not support AFALG.
-### enable-ktls ###
+### enable-ktls
 Build with Kernel TLS support.
@ -505,7 +491,7 @@ TLS sockets.  The Kernel may use TLS accelerators if any are available on the
 system.  This option will be forced off on systems that do not support the
 Kernel TLS data-path.
-### enable-asan ###
+### enable-asan
 Build with the Address sanitiser.
@ -514,7 +500,7 @@ never be used in production environments.  It will only work when used with
 gcc or clang and should be used in conjunction with the [no-shared](#no-shared)
 option.
-### no-asm ###
+### no-asm
 Do not use assembler code.
@ -522,11 +508,11 @@ This should be viewed as debugging/troubleshooting option rather than for
 production use.  On some platforms a small amount of assembler code may still
 be used even with this option.
-### no-async ###
+### no-async
 Do not build support for async operations.
-### no-autoalginit ###
+### no-autoalginit
 Don't automatically load all supported ciphers and digests.
@ -536,7 +522,7 @@ size is an objective.  This only affects libcrypto.  Ciphers and digests will
 have to be loaded manually using EVP_add_cipher() and EVP_add_digest() if this
 option is used.  This option will force a non-shared build.
-### no-autoerrinit ###
+### no-autoerrinit
 Don't automatically load all libcrypto/libssl error strings.
@ -544,14 +530,14 @@ Typically OpenSSL will automatically load human readable error strings.  For a
 statically linked application this may be undesirable if small executable size
 is an objective.
-### no-autoload-config ###
+### no-autoload-config
 Don't automatically load the default openssl.cnf file.
 Typically OpenSSL will automatically load a system config file which configures
 default SSL options.
-### enable-buildtest-c++ ###
+### enable-buildtest-c++
 While testing, generate C++ buildtest files that simply check that the public
 OpenSSL header files are usable standalone with C++.
@ -561,76 +547,76 @@ as configuration option, you must ensure that it's valid for both the C and
 the C++ compiler.  If not, the C++ build test will most likely break.  As an
 alternative, you can use the language specific variables, CFLAGS and CXXFLAGS.
-### no-capieng ###
+### no-capieng
 Don't build the CAPI engine.
 This option will be forced if on a platform that does not support CAPI.
-### no-cmp ###
+### no-cmp
 Don't build support for Certificate Management Protocol (CMP).
-### no-cms ###
+### no-cms
 Don't build support for Cryptographic Message Syntax (CMS).
-### no-comp ###
+### no-comp
 Don't build support for SSL/TLS compression.
 If this option is enabled (the default), then compression will only work if
 the zlib or zlib-dynamic options are also chosen.
-### enable-crypto-mdebug ###
+### enable-crypto-mdebug
 This now only enables the failed-malloc feature.
-### enable-crypto-mdebug-backtrace ###
+### enable-crypto-mdebug-backtrace
 This is a no-op; the project uses the compiler's address/leak sanitizer instead.
-### no-ct ###
+### no-ct
 Don't build support for Certificate Transparency (CT).
-### no-deprecated ###
+### no-deprecated
 Don't build with support for deprecated APIs up until and including the version
 given with `--api` (or the current version, if `--api` wasn't specified).
-### no-dgram ###
+### no-dgram
 Don't build support for datagram based BIOs.
 Selecting this option will also force the disabling of DTLS.
-### no-dso ###
+### no-dso
 Don't build support for loading Dynamic Shared Objects (DSO)
-### enable-devcryptoeng ###
+### enable-devcryptoeng
 Build the `/dev/crypto` engine.
 This option is automatically selected on the BSD platform, in which case it can
 be disabled with no-devcryptoeng.
-### no-dynamic-engine ###
+### no-dynamic-engine
 Don't build the dynamically loaded engines.
 This only has an effect in a shared build.
-### no-ec ###
+### no-ec
 Don't build support for Elliptic Curves.
-### no-ec2m ###
+### no-ec2m
 Don't build support for binary Elliptic Curves
-### enable-ec_nistp_64_gcc_128 ###
+### enable-ec_nistp_64_gcc_128
 Enable support for optimised implementations of some commonly used NIST
 elliptic curves.
@ -643,19 +629,19 @@ This option is only supported on platforms:
   - supports the non-standard type `__uint128_t`
   - defines the built-in macro `__SIZEOF_INT128__`
-### enable-egd ###
+### enable-egd
 Build support for gathering entropy from the Entropy Gathering Daemon (EGD).
-### no-engine ###
+### no-engine
 Don't build support for loading engines.
-### no-err ###
+### no-err
 Don't compile in any error strings.
-### enable-external-tests ###
+### enable-external-tests
 Enable building of integration with external test suites.
@ -668,16 +654,16 @@ external test suites are currently supported:
 See the file [test/README.external]/(test/README.external) for further details.
-### no-filenames ###
+### no-filenames
 Don't compile in filename and line number information (e.g.  for errors and
 memory allocation).
-### no-fips ###
+### no-fips
 Don't compile the FIPS provider
-### enable-fuzz-libfuzzer, enable-fuzz-afl ###
+### enable-fuzz-libfuzzer, enable-fuzz-afl
 Build with support for fuzzing using either libfuzzer or AFL.
@ -686,7 +672,7 @@ should never be used in production environments.
 See the file [fuzz/README.md](fuzz/README.md) for further details.
-### no-gost ###
+### no-gost
 Don't build support for GOST based ciphersuites.
@ -694,51 +680,49 @@ Note that if this feature is enabled then GOST ciphersuites are only available
 if the GOST algorithms are also available through loading an externally supplied
 engine.
-### no-legacy ###
+### no-legacy
 Don't build the legacy provider.
 Disabling this also disables the legacy algorithms: MD2 (already disabled by default).
-
+### no-makedepend
 ### no-makedepend ###
 Don't generate dependencies.
-### no-module ###
+### no-module
 Don't build any dynamically loadable engines.
 This also implies 'no-dynamic-engine'.
-### no-multiblock ###
+### no-multiblock
 Don't build support for writing multiple records in one go in libssl
 Note: this is a different capability to the pipelining functionality.
-### no-nextprotoneg ###
+### no-nextprotoneg
 Don't build support for the Next Protocol Negotiation (NPN) TLS extension.
-### no-ocsp ###
+### no-ocsp
 Don't build support for Online Certificate Status Protocol (OCSP).
-
+### no-padlockeng
 ### no-padlockeng ###
 Don't build the padlock engine.
-### no-hw-padlock ###
+### no-hw-padlock
 As synonyme for no-padlockeng.  Deprecated and should not be used.
-### no-pic ###
+### no-pic
 Don't build with support for Position Independent Code.
-### no-pinshared ###
+### no-pinshared
 Don't pin the shared libraries.
@ -755,48 +739,47 @@ before libcrypto then a crash is likely to happen.  Applications can suppress
 running of the atexit() handler at run time by using the OPENSSL_INIT_NO_ATEXIT
 option to OPENSSL_init_crypto().  See the man page for it for further details.
-### no-posix-io ###
+### no-posix-io
 Don't use POSIX IO capabilities.
-### no-psk ###
+### no-psk
 Don't build support for Pre-Shared Key based ciphersuites.
-### no-rdrand ###
+### no-rdrand
 Don't use hardware RDRAND capabilities.
-### no-rfc3779 ###
+### no-rfc3779
 Don't build support for RFC3779, "X.509 Extensions for IP Addresses and
 AS Identifiers".
-### sctp ###
+### sctp
 Build support for Stream Control Transmission Protocol (SCTP).
-### no-shared ###
+### no-shared
 Do not create shared libraries, only static ones.
 See [Notes on shared libraries](#notes-on-shared-libraries) below.
-### no-sock ###
+### no-sock
 Don't build support for socket BIOs.
-### no-srp ###
+### no-srp
 Don't build support for Secure Remote Password (SRP) protocol or
 SRP based ciphersuites.
-### no-srtp ###
+### no-srtp
 Don't build Secure Real-Time Transport Protocol (SRTP) support.
-### no-sse2 ###
+### no-sse2
 Exclude SSE2 code paths from 32-bit x86 assembly modules.
@ -810,34 +793,34 @@ disengage SSE2 code paths upon application start-up, but if you aim for wider
 "audience" running such kernel, consider no-sse2.  Both the 386 and no-asm
 options imply no-sse2.
-### enable-ssl-trace ###
+### enable-ssl-trace
 Build with the SSL Trace capabilities.
 This adds the "-trace" option to s_client and s_server.
-### no-static-engine ###
+### no-static-engine
 Don't build the statically linked engines.
 This only has an impact when not built "shared".
-### no-stdio ###
+### no-stdio
 Don't use anything from the C header file "stdio.h" that makes use of the "FILE"
 type.  Only libcrypto and libssl can be built in this way.  Using this option will
 suppress building the command line applications.  Additionally, since the OpenSSL
 tests also use the command line applications, the tests will also be skipped.
-### no-tests ###
+### no-tests
 Don't build test programs or run any tests.
-### no-threads ###
+### no-threads
 Don't build with support for multi-threaded applications.
-### threads ###
+### threads
 Build with support for multi-threaded applications.  Most platforms will enable
 this by default.  However if on a platform where this is not the case then this
@ -845,17 +828,17 @@ will usually require additional system-dependent options!
 See [Notes on multi-threading](#notes-on-multi-threading) below.
-### enable-trace ###
+### enable-trace
 Build with support for the integrated tracing api.
 See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details.
-### no-ts ###
+### no-ts
 Don't build Time Stamping (TS) Authority support.
-### enable-ubsan ###
+### enable-ubsan
 Build with the Undefined Behaviour sanitiser (UBSAN).
@ -864,40 +847,40 @@ never be used in production environments.  It will only work when used with gcc
 or clang and should be used in conjunction with the `-DPEDANTIC` option
 (or the `--strict-warnings` option).
-### no-ui-console ###
+### no-ui-console
 Don't build with the User Interface (UI) console method
 The User Interface console method enables text based console prompts.
-### enable-unit-test ###
+### enable-unit-test
 Enable additional unit test APIs.
 This should not typically be used in production deployments.
-### no-uplink ###
+### no-uplink
 Don't build support for UPLINK interface.
-### enable-weak-ssl-ciphers ###
+### enable-weak-ssl-ciphers
 Build support for SSL/TLS ciphers that are considered "weak"
 Enabling this includes for example the RC4 based ciphersuites.
-### zlib ###
+### zlib
 Build with support for zlib compression/decompression.
-### zlib-dynamic ###
+### zlib-dynamic
 Like the zlib option, but has OpenSSL load the zlib library dynamically
 when needed.
 This is only supported on systems where loading of shared libraries is supported.
-### 386 ###
+### 386
 In 32-bit x86 builds, use the 80386 instruction set only in assembly modules
@ -905,7 +888,7 @@ The default x86 code is more efficient, but requires at least an 486 processor.
 Note: This doesn't affect compiler generated code, so this option needs to be
 accompanied by a corresponding compiler-specific option.
-### no-{protocol} ###
+### no-{protocol}
    no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}
@ -917,7 +900,7 @@ synonymous with "no-ssl3".  Note this only affects version negotiation.
 OpenSSL will still provide the methods for applications to explicitly select
 the individual protocol versions.
-### no-{protocol}-method ###
+### no-{protocol}-method
    no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}-method
@ -929,13 +912,13 @@ TLSv1.3.
 Using individual protocol methods directly is deprecated.  Applications should
 use TLS_method() instead.
-### enable-{algorithm} ###
+### enable-{algorithm}
    enable-{md2|rc5}
 Build with support for the specified algorithm.
-### no-{algorithm} ###
+### no-{algorithm}
    no-{aria|bf|blake2|camellia|cast|chacha|cmac|
        des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb|
@ -946,7 +929,7 @@ Build without support for the specified algorithm.
 The "ripemd" algorithm is deprecated and if used is synonymous with rmd160.
-### Compiler-specific options ###
+### Compiler-specific options
    -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
@ -977,7 +960,7 @@ encoding.
 Take note of the [Environment Variables](#environment-variables) documentation
 below and how these flags interact with those variables.
-### Environment Variables ###
+### Environment Variables
    VAR=value
@ -1054,7 +1037,7 @@ If CC is set, it is advisable to also set CXX to ensure both the C and C++
 compiler are in the same "family".  This becomes relevant with
 'enable-external-tests' and 'enable-buildtest-c++'.
-### Reconfigure ###
+### Reconfigure
    reconf
    reconfigure
@ -1093,7 +1076,7 @@ Installation Steps in Detail
 Configure OpenSSL
 -----------------
-### Automatic Configuration ###
+### Automatic Configuration
 On some platform a `config` script is available which attempts to guess
 your operating system (and compiler, if necessary) and calls the `Configure`
@ -1101,15 +1084,15 @@ Perl script with appropriate target based on its guess.  Further options can
 be supplied to the `config` script, which will be passed on to the `Configure`
 script.
-#### Unix / Linux / macOS ####
+#### Unix / Linux / macOS
    $ ./config [[ options ]]
-#### OpenVMS ####
+#### OpenVMS
    $ @config [[ options ]]
-#### Windows ####
+#### Windows
 Automatic configuration is not available on Windows.
@ -1129,7 +1112,7 @@ On some systems, you can include debugging information as follows:
      $ ./config -d [[ options ]]
-### Manual Configuration ###
+### Manual Configuration
 OpenSSL knows about a range of different operating system, hardware and
 compiler combinations.  To see the ones it knows about, run
@ -1151,8 +1134,7 @@ run:
    $ ./Configure linux-elf [[ options ]]
-
+### Creating your own Configuration
 ### Creating your own Configuration ###
 If your system isn't listed, you will have to create a configuration
 file named Configurations/{{ something }}.conf and add the correct
@ -1168,13 +1150,13 @@ and "descrip.mms" on OpenVMS) from a suitable template in Configurations,
 and defines various macros in include/openssl/configuration.h (generated
 from include/openssl/configuration.h.in).
-### Out of Tree Builds ###
+### Out of Tree Builds
 OpenSSL can be configured to build in a build directory separate from the
 source code directory.  It's done by placing yourself in some other
 directory and invoking the configuration commands from there.
-#### Unix example ####
+#### Unix example
    $ mkdir /var/tmp/openssl-build
    $ cd /var/tmp/openssl-build
@ -1184,7 +1166,7 @@ or
    $ /PATH/TO/OPENSSL/SOURCE/Configure {{ target }} [[ options ]]
-#### OpenVMS example ####
+#### OpenVMS example
    $ set default sys$login:
    $ create/dir [.tmp.openssl-build]
@ -1195,7 +1177,7 @@ or
    $ @[PATH.TO.OPENSSL.SOURCE]Configure {{ target }} [[ options ]]
-#### Windows example ####
+#### Windows example
    $ C:
    $ mkdir \temp-openssl
@ -1205,7 +1187,6 @@ or
 Paths can be relative just as well as absolute.  Configure will do its best
 to translate them to relative paths whenever possible.
 Build OpenSSL
 -------------
@ -1239,7 +1220,6 @@ your privileges temporarily if your platform allows it).
 If some tests fail, take a look at the [Test Failures](#test-failures)
 subsection of the [Troubleshooting](#troubleshooting) section.
 Install OpenSSL
 ---------------
@ -1256,7 +1236,7 @@ The above commands will install all the software components in this
 directory tree under PREFIX (the directory given with `--prefix` or
 its default):
-#### Unix / Linux / macOS ####
+### Unix / Linux / macOS
    bin/           Contains the openssl binary and a few other
                   utility scripts.
@ -1278,7 +1258,7 @@ its default):
    share/doc/openssl/html/man7
                   Contains the HTML rendition of the man-pages.
-#### OpenVMS ####
+### OpenVMS
 'arch' is replaced with the architecture name, "Alpha" or "ia64",
 'sover' is replaced with the shared library version (0101 for 1.1), and
@ -1299,8 +1279,7 @@ its default):
    [.SYSTEST]     Contains the installation verification procedure.
    [.HTML]        Contains the HTML rendition of the manual pages.
-
+### Additional Directories
 #### Additional Directories ####
 Additionally, install will add the following directories under
 OPENSSLDIR (the directory given with `--openssldir` or its default)
@ -1328,9 +1307,10 @@ packaged, can use
 The specified destination directory will be prepended to all installation
 target paths.
-### Compatibility issues with previous OpenSSL versions ###
+Compatibility issues with previous OpenSSL versions
 ---------------------------------------------------
-#### COMPILING existing applications ####
+### COMPILING existing applications
 Starting with version 1.1.0, OpenSSL hides a number of structures that were
 previously open.  This includes all internal libssl structures and a number
@ -1346,7 +1326,6 @@ access a structure's field directly.
 Some APIs have changed as well.  However, older APIs have been preserved when
 possible.
 Post-installation Notes
 -----------------------
@ -1358,11 +1337,9 @@ This involves using the following command:
 See the openssl-fipsinstall(1) manual for details and examples.
 Advanced Build Options
 ======================
 Environment Variables
 ---------------------
@ -1437,7 +1414,6 @@ platforms.
    WINDRES
                   See RC.
 Makefile Targets
 ----------------
@ -1530,7 +1506,7 @@ Also, all tokens except for "alltests" may have wildcards, such as *.
 (on Unix and Windows, BSD style wildcards are supported, while on VMS,
 it's VMS style wildcards)
-### Examples ###
+### Examples
 Run all tests except for the fuzz tests:
@ -1568,7 +1544,7 @@ Troubleshooting
 Configuration Problems
 ----------------------
-### Selecting the correct target ###
+### Selecting the correct target
 The `./config` script tries hard to guess your operating system, but in some
 cases it does not succeed. You will see a message like the following:
@ -1616,7 +1592,7 @@ you can [raise an issue][] to ask a question yourself.
 More about our support resources can be found in the [SUPPORT][] file.
-### Configuration Errors ###
+### Configuration Errors
 If the `./config` or `./Configure`  command fails with an error message,
 read the error message carefully and try to figure out whether you made
@ -1637,7 +1613,6 @@ Note: To make the output readable, pleace add a 'code fence' (three backquotes
     ```
 Build Failures
 --------------
@ -1668,7 +1643,6 @@ encountered an OpenSSL bug, please [raise an issue][] to file a bug report.
 Please take the time to review the existing issues first; maybe the bug was
 already reported or has already been fixed.
 Test Failures
 -------------
@ -1713,12 +1687,11 @@ compiler optimization flags from the CFLAGS line in Makefile and
 run "make clean; make" or corresponding.
 To report a bug please open an issue on GitHub, at
-https://github.com/openssl/openssl/issues.
+<https://github.com/openssl/openssl/issues>.
 For more details on how the make variables TESTS can be used,
 see section [Running Selected Tests](#running-selected-tests) below.
 Notes
 =====
@ -1803,20 +1776,19 @@ to install additional support software to obtain a random seed and reseed
 the CSPRNG manually.  Please check out the manual pages for RAND_add(),
 RAND_bytes(), RAND_egd(), and the FAQ for more information.
 <!-- Links  -->
 [openssl-users]:
-    https://mta.openssl.org/mailman/listinfo/openssl-users
+    <https://mta.openssl.org/mailman/listinfo/openssl-users>
 [SUPPORT]:
    ./SUPPORT.md
 [GitHub Issues]:
-    https://github.com/openssl/openssl/issues
+    <https://github.com/openssl/openssl/issues>
 [raise an issue]:
-    https://github.com/openssl/openssl/issues/new/choose
+    <https://github.com/openssl/openssl/issues/new/choose>
 [10-main.conf]:
    Configurations/10-main.conf
--- a/NEWS.md
+++ b/NEWS.md
@ -1,4 +1,3 @@
 NEWS
 ====
@ -19,7 +18,7 @@ OpenSSL Releases
 OpenSSL 3.0
 -----------
-### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development] ###
+### Major changes between OpenSSL 1.1.1 and OpenSSL 3.0 [under development]
  * The X25519, X448, Ed25519, Ed448 and SHAKE256 algorithms are included in
    the FIPS provider.  None have the "fips=yes" property set and, as such,
@ -67,16 +66,16 @@ OpenSSL 3.0
 OpenSSL 1.1.1
 -------------
-### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development] ###
+### Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development]
  *
-### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] ###
+### Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
  * Fixed an overflow bug in the x64_64 Montgomery squaring procedure
    used in exponentiation with 512-bit moduli ([CVE-2019-1551][])
-### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019] ###
+### Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
  * Fixed a fork protection issue ([CVE-2019-1549][])
  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
@ -93,36 +92,36 @@ OpenSSL 1.1.1
  * Significantly reduce secure memory usage by the randomness pools
  * Revert the DEVRANDOM_WAIT feature for Linux systems
-### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019] ###
+### Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]
  * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543][])
-### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019] ###
+### Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
  * Change the info callback signals for the start and end of a post-handshake
    message exchange in TLSv1.3.
  * Fix a bug in DTLS over SCTP. This breaks interoperability with older
    versions of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.
-### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018] ###
+### Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
  * Timing vulnerability in DSA signature generation ([CVE-2018-0734][])
  * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735][])
-### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018] ###
+### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
  * Support for TLSv1.3 added. The TLSv1.3 implementation includes:
-      * Fully compliant implementation of RFC8446 (TLSv1.3) on by default
+    * Fully compliant implementation of RFC8446 (TLSv1.3) on by default
-      * Early data (0-RTT)
+    * Early data (0-RTT)
-      * Post-handshake authentication and key update
+    * Post-handshake authentication and key update
-      * Middlebox Compatibility Mode
+    * Middlebox Compatibility Mode
-      * TLSv1.3 PSKs
+    * TLSv1.3 PSKs
-      * Support for all five RFC8446 ciphersuites
+    * Support for all five RFC8446 ciphersuites
-      * RSA-PSS signature algorithms (backported to TLSv1.2)
+    * RSA-PSS signature algorithms (backported to TLSv1.2)
-      * Configurable session ticket support
+    * Configurable session ticket support
-      * Stateless server support
+    * Stateless server support
-      * Rewrite of the packet construction code for "safer" packet handling
+    * Rewrite of the packet construction code for "safer" packet handling
-      * Rewrite of the extension handling code
+    * Rewrite of the extension handling code
    For further important information, see the [TLS1.3 page](
    https://wiki.openssl.org/index.php/TLS1.3) in the OpenSSL Wiki.
@ -159,11 +158,10 @@ OpenSSL 1.1.1
  * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  * Rewrite of devcrypto engine
 OpenSSL 1.1.0
 -------------
-### Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019] ###
+### Major changes between OpenSSL 1.1.0k and OpenSSL 1.1.0l [10 Sep 2019]
  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    ([CVE-2019-1563][])
@ -173,57 +171,57 @@ OpenSSL 1.1.0
    ([CVE-2019-1547][])
  * Use Windows installation paths in the mingw builds ([CVE-2019-1552][])
-### Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019] ###
+### Major changes between OpenSSL 1.1.0j and OpenSSL 1.1.0k [28 May 2019]
  * Prevent over long nonces in ChaCha20-Poly1305 ([CVE-2019-1543][])
-### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018] ###
+### Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.0j [20 Nov 2018]
  * Timing vulnerability in DSA signature generation ([CVE-2018-0734][])
  * Timing vulnerability in ECDSA signature generation ([CVE-2018-0735][])
-### Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018] ###
+### Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [14 Aug 2018]
  * Client DoS due to large DH parameter ([CVE-2018-0732][])
  * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737][])
-### Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018] ###
+### Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [27 Mar 2018]
  * Constructed ASN.1 types with a recursive definition could exceed the
    stack ([CVE-2018-0739][])
  * Incorrect CRYPTO_memcmp on HP-UX PA-RISC ([CVE-2018-0733][])
  * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738][])
-### Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017] ###
+### Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017]
  * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736][])
  * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735][])
-### Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017] ###
+### Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017]
  * config now recognises 64-bit mingw and chooses mingw64 instead of mingw
-### Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017] ###
+### Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017]
  * Encrypt-Then-Mac renegotiation crash ([CVE-2017-3733][])
-### Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017] ###
+### Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017]
  * Truncated packet could crash via OOB read ([CVE-2017-3731][])
  * Bad (EC)DHE parameters cause a client crash ([CVE-2017-3730][])
  * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732][])
-### Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016] ###
+### Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016]
  * ChaCha20/Poly1305 heap-buffer-overflow ([CVE-2016-7054][])
  * CMS Null dereference ([CVE-2016-7053][])
  * Montgomery multiplication may produce incorrect results ([CVE-2016-7055][])
-### Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016] ###
+### Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
  * Fix Use After Free for large message sizes ([CVE-2016-6309][])
-### Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016] ###
+### Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]
  * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][])
  * SSL_peek() hang on empty record ([CVE-2016-6305][])
@ -232,7 +230,7 @@ OpenSSL 1.1.0
  * Excessive allocation of memory in dtls1_preprocess_fragment()
    ([CVE-2016-6308][])
-### Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016] ###
+### Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016]
  * Copyright text was shrunk to a boilerplate that points to the license
  * "shared" builds are now the default when possible
@ -280,11 +278,10 @@ OpenSSL 1.1.0
  * Support for Certificate Transparency
  * HKDF support.
 OpenSSL 1.0.2
 -------------
-### Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019] ###
+### Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019]
  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
    ([CVE-2019-1563][])
@ -295,54 +292,54 @@ OpenSSL 1.0.2
  * Document issue with installation paths in diverse Windows builds
    ([CVE-2019-1552][])
-### Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019] ###
+### Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019]
  * None
-### Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019] ###
+### Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
  * 0-byte record padding oracle ([CVE-2019-1559][])
-### Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018] ###
+### Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
  * Microarchitecture timing vulnerability in ECC scalar multiplication ([CVE-2018-5407][])
  * Timing vulnerability in DSA signature generation ([CVE-2018-0734][])
-### Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018] ###
+### Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
  * Client DoS due to large DH parameter ([CVE-2018-0732][])
  * Cache timing vulnerability in RSA Key Generation ([CVE-2018-0737][])
-### Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018] ###
+### Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]
  * Constructed ASN.1 types with a recursive definition could exceed the
    stack ([CVE-2018-0739][])
-### Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017] ###
+### Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
  * Read/write after SSL object in error state ([CVE-2017-3737][])
  * rsaz_1024_mul_avx2 overflow bug on x86_64 ([CVE-2017-3738][])
-### Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017] ###
+### Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]
  * bn_sqrx8x_internal carry bug on x86_64 ([CVE-2017-3736][])
  * Malformed X.509 IPAddressFamily could cause OOB read ([CVE-2017-3735][])
-### Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017] ###
+### Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]
  * config now recognises 64-bit mingw and chooses mingw64 instead of mingw
-### Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] ###
+### Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]
  * Truncated packet could crash via OOB read ([CVE-2017-3731][])
  * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2017-3732][])
  * Montgomery multiplication may produce incorrect results ([CVE-2016-7055][])
-### Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] ###
+### Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
  * Missing CRL sanity check ([CVE-2016-7052][])
-### Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] ###
+### Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
  * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][])
  * SWEET32 Mitigation ([CVE-2016-2183][])
@ -356,7 +353,7 @@ OpenSSL 1.0.2
  * DTLS replay protection DoS ([CVE-2016-2181][])
  * Certificate message OOB reads ([CVE-2016-6306][])
-### Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] ###
+### Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
  * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107][])
  * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105][])
@ -369,7 +366,7 @@ OpenSSL 1.0.2
    the default.
  * Only remove the SSLv2 methods with the no-ssl2-method option.
-### Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] ###
+### Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
  * Disable SSLv2 default build, default negotiation and weak ciphers
@ -382,12 +379,12 @@ OpenSSL 1.0.2
  * Fix memory issues in BIO_*printf functions ([CVE-2016-0799][])
  * Fix side channel attack on modular exponentiation ([CVE-2016-0702][])
-### Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016] ###
+### Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
  * DH small subgroups ([CVE-2016-0701][])
  * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197][])
-### Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] ###
+### Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
  * BN_mod_exp may produce incorrect results on x86_64 ([CVE-2015-3193][])
  * Certificate verify crash with missing PSS parameter ([CVE-2015-3194][])
@ -396,16 +393,16 @@ OpenSSL 1.0.2
  * In DSA_generate_parameters_ex, if the provided seed is too short,
    return an error
-### Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] ###
+### Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
  * Alternate chains certificate forgery ([CVE-2015-1793][])
  * Race condition handling PSK identify hint ([CVE-2015-3196][])
-### Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] ###
+### Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
  * Fix HMAC ABI incompatibility
-### Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015] ###
+### Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
  * Malformed ECParameters causes infinite loop ([CVE-2015-1788][])
  * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][])
@ -413,7 +410,7 @@ OpenSSL 1.0.2
  * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][])
  * Race condition handling NewSessionTicket ([CVE-2015-1791][])
-### Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015] ###
+### Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
  * OpenSSL 1.0.2 ClientHello sigalgs DoS fix ([CVE-2015-0291][])
  * Multiblock corrupted pointer fix ([CVE-2015-0290][])
@ -429,7 +426,7 @@ OpenSSL 1.0.2
  * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][])
  * Removed the export ciphers from the DEFAULT ciphers
-### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015] ###
+### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]
  * Suite B support for TLS 1.2 and DTLS 1.2
  * Support for DTLS 1.2
@ -440,11 +437,10 @@ OpenSSL 1.0.2
  * ALPN support.
  * CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
 OpenSSL 1.0.1
 -------------
-### Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016] ###
+### Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016]
  * OCSP Status Request extension unbounded memory growth ([CVE-2016-6304][])
  * SWEET32 Mitigation ([CVE-2016-2183][])
@ -458,7 +454,7 @@ OpenSSL 1.0.1
  * DTLS replay protection DoS ([CVE-2016-2181][])
  * Certificate message OOB reads ([CVE-2016-6306][])
-### Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016] ###
+### Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016]
  * Prevent padding oracle in AES-NI CBC MAC check ([CVE-2016-2107][])
  * Fix EVP_EncodeUpdate overflow ([CVE-2016-2105][])
@ -471,7 +467,7 @@ OpenSSL 1.0.1
    the default.
  * Only remove the SSLv2 methods with the no-ssl2-method option.
-### Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016] ###
+### Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
  * Disable SSLv2 default build, default negotiation and weak ciphers
@ -484,12 +480,12 @@ OpenSSL 1.0.1
  * Fix memory issues in BIO_*printf functions ([CVE-2016-0799][])
  * Fix side channel attack on modular exponentiation ([CVE-2016-0702][])
-### Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016] ###
+### Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
  * Protection for DH small subgroup attacks
  * SSLv2 doesn't block disabled ciphers ([CVE-2015-3197][])
-### Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015] ###
+### Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
  * Certificate verify crash with missing PSS parameter ([CVE-2015-3194][])
  * X509_ATTRIBUTE memory leak ([CVE-2015-3195][])
@ -497,16 +493,16 @@ OpenSSL 1.0.1
  * In DSA_generate_parameters_ex, if the provided seed is too short,
    return an error
-### Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015] ###
+### Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]
  * Alternate chains certificate forgery ([CVE-2015-1793][])
  * Race condition handling PSK identify hint ([CVE-2015-3196][])
-### Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015] ###
+### Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]
  * Fix HMAC ABI incompatibility
-### Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] ###
+### Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]
  * Malformed ECParameters causes infinite loop ([CVE-2015-1788][])
  * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][])
@ -514,7 +510,7 @@ OpenSSL 1.0.1
  * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][])
  * Race condition handling NewSessionTicket ([CVE-2015-1791][])
-### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015] ###
+### Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015]
  * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][])
  * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][])
@ -524,11 +520,11 @@ OpenSSL 1.0.1
  * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][])
  * Removed the export ciphers from the DEFAULT ciphers
-### Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015] ###
+### Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
  * Build fixes for the Windows and OpenVMS platforms
-### Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015] ###
+### Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
  * Fix for [CVE-2014-3571][]
  * Fix for [CVE-2015-0206][]
@ -539,14 +535,14 @@ OpenSSL 1.0.1
  * Fix for [CVE-2014-8275][]
  * Fix for [CVE-2014-3570][]
-### Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] ###
+### Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
  * Fix for [CVE-2014-3513][]
  * Fix for [CVE-2014-3567][]
  * Mitigation for [CVE-2014-3566][] (SSL protocol vulnerability)
  * Fix for [CVE-2014-3568][]
-### Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014] ###
+### Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
  * Fix for [CVE-2014-3512][]
  * Fix for [CVE-2014-3511][]
@ -558,7 +554,7 @@ OpenSSL 1.0.1
  * Fix for [CVE-2014-5139][]
  * Fix for [CVE-2014-3508][]
-### Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] ###
+### Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
  * Fix for [CVE-2014-0224][]
  * Fix for [CVE-2014-0221][]
@ -567,24 +563,24 @@ OpenSSL 1.0.1
  * Fix for [CVE-2014-3470][]
  * Fix for [CVE-2010-5298][]
-### Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014] ###
+### Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
  * Fix for [CVE-2014-0160][]
  * Add TLS padding extension workaround for broken servers.
  * Fix for [CVE-2014-0076][]
-### Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014] ###
+### Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
  * Don't include gmt_unix_time in TLS server and client random values
  * Fix for TLS record tampering bug [CVE-2013-4353][]
  * Fix for TLS version checking bug [CVE-2013-6449][]
  * Fix for DTLS retransmission bug [CVE-2013-6450][]
-### Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013] ###
+### Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]
  * Corrected fix for [CVE-2013-0169][]
-### Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013] ###
+### Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]
  * Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
  * Include the fips configuration module.
@ -592,24 +588,24 @@ OpenSSL 1.0.1
  * Fix for SSL/TLS/DTLS CBC plaintext recovery attack [CVE-2013-0169][]
  * Fix for TLS AESNI record handling flaw [CVE-2012-2686][]
-### Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012] ###
+### Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]
  * Fix TLS/DTLS record length checking bug [CVE-2012-2333][]
  * Don't attempt to use non-FIPS composite ciphers in FIPS mode.
-### Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012] ###
+### Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]
  * Fix compilation error on non-x86 platforms.
  * Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
  * Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
-### Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012] ###
+### Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]
  * Fix for ASN1 overflow bug [CVE-2012-2110][]
  * Workarounds for some servers that hang on long client hellos.
  * Fix SEGV in AES code.
-### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012] ###
+### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]
  * TLS/DTLS heartbeat support.
  * SCTP support.
@ -622,16 +618,15 @@ OpenSSL 1.0.1
  * Preliminary FIPS capability for unvalidated 2.0 FIPS module.
  * SRP support.
 OpenSSL 1.0.0
 -------------
-### Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [3 Dec 2015] ###
+### Major changes between OpenSSL 1.0.0s and OpenSSL 1.0.0t [3 Dec 2015]
  * X509_ATTRIBUTE memory leak ([CVE-2015-3195][])
  * Race condition handling PSK identify hint ([CVE-2015-3196][])
-### Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015] ###
+### Major changes between OpenSSL 1.0.0r and OpenSSL 1.0.0s [11 Jun 2015]
  * Malformed ECParameters causes infinite loop ([CVE-2015-1788][])
  * Exploitable out-of-bounds read in X509_cmp_time ([CVE-2015-1789][])
@ -639,7 +634,7 @@ OpenSSL 1.0.0
  * CMS verify infinite loop with unknown hash function ([CVE-2015-1792][])
  * Race condition handling NewSessionTicket ([CVE-2015-1791][])
-### Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015] ###
+### Major changes between OpenSSL 1.0.0q and OpenSSL 1.0.0r [19 Mar 2015]
  * Segmentation fault in ASN1_TYPE_cmp fix ([CVE-2015-0286][])
  * ASN.1 structure reuse memory corruption fix ([CVE-2015-0287][])
@ -649,11 +644,11 @@ OpenSSL 1.0.0
  * X509_to_X509_REQ NULL pointer deref fix ([CVE-2015-0288][])
  * Removed the export ciphers from the DEFAULT ciphers
-### Major changes between OpenSSL 1.0.0p and OpenSSL 1.0.0q [15 Jan 2015] ###
+### Major changes between OpenSSL 1.0.0p and OpenSSL 1.0.0q [15 Jan 2015]
  * Build fixes for the Windows and OpenVMS platforms
-### Major changes between OpenSSL 1.0.0o and OpenSSL 1.0.0p [8 Jan 2015] ###
+### Major changes between OpenSSL 1.0.0o and OpenSSL 1.0.0p [8 Jan 2015]
  * Fix for [CVE-2014-3571][]
  * Fix for [CVE-2015-0206][]
@ -664,14 +659,14 @@ OpenSSL 1.0.0
  * Fix for [CVE-2014-8275][]
  * Fix for [CVE-2014-3570][]
-### Major changes between OpenSSL 1.0.0n and OpenSSL 1.0.0o [15 Oct 2014] ###
+### Major changes between OpenSSL 1.0.0n and OpenSSL 1.0.0o [15 Oct 2014]
  * Fix for [CVE-2014-3513][]
  * Fix for [CVE-2014-3567][]
  * Mitigation for [CVE-2014-3566][] (SSL protocol vulnerability)
  * Fix for [CVE-2014-3568][]
-### Major changes between OpenSSL 1.0.0m and OpenSSL 1.0.0n [6 Aug 2014] ###
+### Major changes between OpenSSL 1.0.0m and OpenSSL 1.0.0n [6 Aug 2014]
  * Fix for [CVE-2014-3510][]
  * Fix for [CVE-2014-3507][]
@ -685,9 +680,9 @@ OpenSSL 1.0.0
  * EAP-FAST and other applications using tls_session_secret_cb
    wont resume sessions. Fixed in 1.0.0n-dev
  * Compilation failure of s3_pkt.c on some platforms due to missing
-    <limits.h> include. Fixed in 1.0.0n-dev
+    `<limits.h>` include. Fixed in 1.0.0n-dev
-### Major changes between OpenSSL 1.0.0l and OpenSSL 1.0.0m [5 Jun 2014] ###
+### Major changes between OpenSSL 1.0.0l and OpenSSL 1.0.0m [5 Jun 2014]
  * Fix for [CVE-2014-0224][]
  * Fix for [CVE-2014-0221][]
@ -697,35 +692,34 @@ OpenSSL 1.0.0
  * Fix for [CVE-2014-0076][]
  * Fix for [CVE-2010-5298][]
-### Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014] ###
+### Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014]
  * Fix for DTLS retransmission bug [CVE-2013-6450][]
-### Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013] ###
+### Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]
  * Fix for SSL/TLS/DTLS CBC plaintext recovery attack [CVE-2013-0169][]
  * Fix OCSP bad key DoS attack [CVE-2013-0166][]
-### Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012] ###
+### Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]
  * Fix DTLS record length checking bug [CVE-2012-2333][]
-### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012] ###
+### Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]
  * Fix for ASN1 overflow bug [CVE-2012-2110][]
-
+### Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]
 ### Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012] ###
  * Fix for CMS/PKCS#7 MMA [CVE-2012-0884][]
  * Corrected fix for [CVE-2011-4619][]
  * Various DTLS fixes.
-### Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012] ###
+### Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]
  * Fix for DTLS DoS issue [CVE-2012-0050][]
-### Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012] ###
+### Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]
  * Fix for DTLS plaintext recovery attack [CVE-2011-4108][]
  * Clear block padding bytes of SSL 3.0 records [CVE-2011-4576][]
@ -733,7 +727,7 @@ OpenSSL 1.0.0
  * Check parameters are not NULL in GOST ENGINE [CVE-2012-0027][]
  * Check for malformed RFC3779 data [CVE-2011-4577][]
-### Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011] ###
+### Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]
  * Fix for CRL vulnerability issue [CVE-2011-3207][]
  * Fix for ECDH crashes [CVE-2011-3210][]
@ -741,11 +735,11 @@ OpenSSL 1.0.0
  * Support ECDH ciphersuites for certificates using SHA2 algorithms.
  * Various DTLS fixes.
-### Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011] ###
+### Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]
  * Fix for security issue [CVE-2011-0014][]
-### Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010] ###
+### Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]
  * Fix for security issue [CVE-2010-4180][]
  * Fix for [CVE-2010-4252][]
@ -753,18 +747,18 @@ OpenSSL 1.0.0
  * Fix various platform compilation issues.
  * Corrected fix for security issue [CVE-2010-3864][].
-### Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010] ###
+### Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]
  * Fix for security issue [CVE-2010-3864][].
  * Fix for [CVE-2010-2939][]
  * Fix WIN32 build system for GOST ENGINE.
-### Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010] ###
+### Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]
  * Fix for security issue [CVE-2010-1633][].
  * GOST MAC and CFB fixes.
-### Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010] ###
+### Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]
  * RFC3280 path validation: sufficient to process PKITS tests.
  * Integrated support for PVK files and keyblobs.
@ -790,12 +784,12 @@ OpenSSL 1.0.0
 OpenSSL 0.9.x
 -------------
-### Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010] ###
+### Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]
  * CFB cipher definition fixes.
  * Fix security issues [CVE-2010-0740][] and [CVE-2010-0433][].
-### Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010] ###
+### Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]
  * Cipher definition fixes.
  * Workaround for slow RAND_poll() on some WIN32 versions.
@ -807,33 +801,33 @@ OpenSSL 0.9.x
  * Ticket and SNI coexistence fixes.
  * Many fixes to DTLS handling.
-### Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009] ###
+### Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]
  * Temporary work around for [CVE-2009-3555][]: disable renegotiation.
-### Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009] ###
+### Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]
  * Fix various build issues.
  * Fix security issues ([CVE-2009-0590][], [CVE-2009-0591][], [CVE-2009-0789][])
-### Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009] ###
+### Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]
  * Fix security issue ([CVE-2008-5077][])
  * Merge FIPS 140-2 branch code.
-### Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008] ###
+### Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]
  * CryptoAPI ENGINE support.
  * Various precautionary measures.
  * Fix for bugs affecting certificate request creation.
  * Support for local machine keyset attribute in PKCS#12 files.
-### Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007] ###
+### Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]
  * Backport of CMS functionality to 0.9.8.
  * Fixes for bugs introduced with 0.9.8f.
-### Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007] ###
+### Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]
  * Add gcc 4.2 support.
  * Add support for AES and SSE2 assembly language optimization
@ -844,23 +838,23 @@ OpenSSL 0.9.x
  * RFC4507bis support.
  * TLS Extensions support.
-### Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007] ###
+### Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]
  * Various ciphersuite selection fixes.
  * RFC3779 support.
-### Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006] ###
+### Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]
  * Introduce limits to prevent malicious key DoS  ([CVE-2006-2940][])
  * Fix security issues ([CVE-2006-2937][], [CVE-2006-3737][], [CVE-2006-4343][])
  * Changes to ciphersuite selection algorithm
-### Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006] ###
+### Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]
  * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339][]
  * New cipher Camellia
-### Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006] ###
+### Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]
  * Cipher string fixes.
  * Fixes for VC++ 2005.
@ -870,12 +864,12 @@ OpenSSL 0.9.x
  * Built in dynamic engine compilation support on Win32.
  * Fixes auto dynamic engine loading in Win32.
-### Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005] ###
+### Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]
  * Fix potential SSL 2.0 rollback, [CVE-2005-2969][]
  * Extended Windows CE support
-### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005] ###
+### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]
  * Major work on the BIGNUM library for higher efficiency and to
    make operations more streamlined and less contradictory.  This
@ -949,36 +943,36 @@ OpenSSL 0.9.x
  * Added initial support for Win64.
  * Added alternate pkg-config files.
-### Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007] ###
+### Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]
  * FIPS 1.1.1 module linking.
  * Various ciphersuite selection fixes.
-### Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006] ###
+### Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]
  * Introduce limits to prevent malicious key DoS  ([CVE-2006-2940][])
  * Fix security issues ([CVE-2006-2937][], [CVE-2006-3737][], [CVE-2006-4343][])
-### Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006] ###
+### Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]
  * Fix Daniel Bleichenbacher forged signature attack, [CVE-2006-4339][]
-### Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006] ###
+### Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]
  * Visual C++ 2005 fixes.
  * Update Windows build system for FIPS.
-### Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005] ###
+### Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]
  * Give EVP_MAX_MD_SIZE its old value, except for a FIPS build.
-### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005] ###
+### Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]
  * Fix SSL 2.0 Rollback, [CVE-2005-2969][]
  * Allow use of fixed-length exponent on DSA signing
  * Default fixed-window RSA, DSA, DH private-key operations
-### Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005] ###
+### Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]
  * More compilation issues fixed.
  * Adaptation to more modern Kerberos API.
@ -987,7 +981,7 @@ OpenSSL 0.9.x
  * More constification.
  * Added processing of proxy certificates (RFC 3820).
-### Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005] ###
+### Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]
  * Several compilation issues fixed.
  * Many memory allocation failure checks added.
@ -995,12 +989,12 @@ OpenSSL 0.9.x
  * Mandatory basic checks on certificates.
  * Performance improvements.
-### Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004] ###
+### Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]
  * Fix race condition in CRL checking code.
  * Fixes to PKCS#7 (S/MIME) code.
-### Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004] ###
+### Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]
  * Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
  * Security: Fix null-pointer assignment in do_change_cipher_spec()
@ -1008,14 +1002,14 @@ OpenSSL 0.9.x
  * Multiple X509 verification fixes
  * Speed up HMAC and other operations
-### Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003] ###
+### Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]
  * Security: fix various ASN1 parsing bugs.
  * New -ignore_err option to OCSP utility.
  * Various interop and bug fixes in S/MIME code.
  * SSL/TLS protocol fix for unrequested client certificates.
-### Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003] ###
+### Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]
  * Security: counter the Klima-Pokorny-Rosa extension of
    Bleichbacher's attack
@ -1026,7 +1020,7 @@ OpenSSL 0.9.x
  * ASN.1: treat domainComponent correctly.
  * Documentation: fixes and additions.
-### Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003] ###
+### Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]
  * Security: Important security related bugfixes.
  * Enhanced compatibility with MIT Kerberos.
@ -1037,7 +1031,7 @@ OpenSSL 0.9.x
  * SSL/TLS: now handles manual certificate chain building.
  * SSL/TLS: certain session ID malfunctions corrected.
-### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002] ###
+### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]
  * New library section OCSP.
  * Complete rewrite of ASN1 code.
@ -1083,23 +1077,23 @@ OpenSSL 0.9.x
  * SSL/TLS: add callback to retrieve SSL/TLS messages.
  * SSL/TLS: support AES cipher suites (RFC3268).
-### Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003] ###
+### Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]
  * Security: fix various ASN1 parsing bugs.
  * SSL/TLS protocol fix for unrequested client certificates.
-### Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003] ###
+### Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]
  * Security: counter the Klima-Pokorny-Rosa extension of
    Bleichbacher's attack
  * Security: make RSA blinding default.
  * Build: shared library support fixes.
-### Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003] ###
+### Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]
  * Important security related bugfixes.
-### Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002] ###
+### Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]
  * New configuration targets for Tandem OSS and A/UX.
  * New OIDs for Microsoft attributes.
@ -1113,25 +1107,25 @@ OpenSSL 0.9.x
  * Fixes for smaller building problems.
  * Updates of manuals, FAQ and other instructive documents.
-### Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002] ###
+### Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]
  * Important building fixes on Unix.
-### Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002] ###
+### Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]
  * Various important bugfixes.
-### Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002] ###
+### Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]
  * Important security related bugfixes.
  * Various SSL/TLS library bugfixes.
-### Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002] ###
+### Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]
  * Various SSL/TLS library bugfixes.
  * Fix DH parameter generation for 'non-standard' generators.
-### Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001] ###
+### Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]
  * Various SSL/TLS library bugfixes.
  * BIGNUM library fixes.
@ -1144,7 +1138,7 @@ OpenSSL 0.9.x
    Broadcom and Cryptographic Appliance's keyserver
    [in 0.9.6c-engine release].
-### Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001] ###
+### Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]
  * Security fix: PRNG improvements.
  * Security fix: RSA OAEP check.
@ -1161,7 +1155,7 @@ OpenSSL 0.9.x
  * Increase default size for BIO buffering filter.
  * Compatibility fixes in some scripts.
-### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001] ###
+### Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]
  * Security fix: change behavior of OpenSSL to avoid using
    environment variables when running as root.
@ -1186,7 +1180,7 @@ OpenSSL 0.9.x
  * New function BN_rand_range().
  * Add "-rand" option to openssl s_client and s_server.
-### Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000] ###
+### Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]
  * Some documentation for BIO and SSL libraries.
  * Enhanced chain verification using key identifiers.
@ -1201,7 +1195,7 @@ OpenSSL 0.9.x
  [1] The support for external crypto devices is currently a separate
      distribution.  See the file README.ENGINE.
-### Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000] ###
+### Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]
  * Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8
  * Shared library support for HPUX and Solaris-gcc
@ -1210,7 +1204,7 @@ OpenSSL 0.9.x
  * New 'rand' application
  * New way to check for existence of algorithms from scripts
-### Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000] ###
+### Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]
  * S/MIME support in new 'smime' command
  * Documentation for the OpenSSL command line application
@ -1246,7 +1240,7 @@ OpenSSL 0.9.x
  * Enhanced support for Alpha Linux
  * Experimental MacOS support
-### Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999] ###
+### Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]
  * Transparent support for PKCS#8 format private keys: these are used
    by several software packages and are more secure than the standard
@ -1257,7 +1251,7 @@ OpenSSL 0.9.x
  * New pipe-like BIO that allows using the SSL library when actual I/O
    must be handled by the application (BIO pair)
-### Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999] ###
+### Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]
  * Lots of enhancements and cleanups to the Configuration mechanism
  * RSA OEAP related fixes
@ -1272,7 +1266,7 @@ OpenSSL 0.9.x
  * Sparc assembler bignum implementation, optimized hash functions
  * Option to disable selected ciphers
-### Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999] ###
+### Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]
  * Fixed a security hole related to session resumption
  * Fixed RSA encryption routines for the p < q case
@ -1295,7 +1289,7 @@ OpenSSL 0.9.x
  * Lots of memory leak fixes.
  * Lots of bug fixes.
-### Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998] ###
+### Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]
  * Integration of the popular NO_RSA/NO_DSA patches
  * Initial support for compression inside the SSL record layer
@ -1307,8 +1301,6 @@ OpenSSL 0.9.x
  * Adjustments of the source tree for CVS
  * Support for various new platforms
 <!-- Links -->
 [CVE-2019-1563]: https://www.openssl.org/news/vulnerabilities.html#CVE-2019-1563
--- a/README.md
+++ b/README.md
@ -1,13 +1,11 @@
 Welcome to the OpenSSL Project
 ==============================
 [![openssl logo][]][www.openssl.org]
 [![travis badge][]][travis jobs]
 [![appveyor badge][]][appveyor jobs]
 Welcome to the OpenSSL Project
 ==============================
 OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit
 for the Transport Layer Security (TLS) protocol formerly known as the
 Secure Sockets Layer (SSL) protocol. The protocol implementation is based
@ -19,7 +17,6 @@ and Tim J. Hudson.
 The official Home Page of the OpenSSL Project is [www.openssl.org][].
 Table of Contents
 =================
@ -47,13 +44,13 @@ The OpenSSL toolkit includes:
 - **openssl**
  the OpenSSL command line tool, a swiss army knife for cryptographic tasks,
  testing and analyzing. It can be used for
-   - creation of key parameters
+  - creation of key parameters
-   - creation of X.509 certificates, CSRs and CRLs
+  - creation of X.509 certificates, CSRs and CRLs
-   - calculation of message digests
+  - calculation of message digests
-   - encryption and decryption
+  - encryption and decryption
-   - SSL/TLS client and server tests
+  - SSL/TLS client and server tests
-   - handling of S/MIME signed or encrypted mail
+  - handling of S/MIME signed or encrypted mail
-   - and more...
+  - and more...
 Download
 ========
@ -70,7 +67,6 @@ of the OpenSSL toolkit are available. In particular on Linux and other
 Unix operating systems it is normally recommended to link against the
 precompiled shared libraries provided by the distributor or vendor.
 For Testing and Development
 ---------------------------
@ -86,22 +82,21 @@ which is updated automatically from the former on every commit.
 A local copy of the Git Repository can be obtained by cloning it from
 the original OpenSSL repository using
-        git clone git://git.openssl.org/openssl.git
+    git clone git://git.openssl.org/openssl.git
 or from the GitHub mirror using
-        git clone https://github.com/openssl/openssl.git
+    git clone https://github.com/openssl/openssl.git
 If you intend to contribute to OpenSSL, either to fix bugs or contribute
 new features, you need to fork the OpenSSL repository openssl/openssl on
 GitHub and clone your public fork instead.
-        git clone https://github.com/yourname/openssl.git
+    git clone https://github.com/yourname/openssl.git
 This is necessary, because all development of OpenSSL nowadays is done via
 GitHub pull requests. For more details, see [Contributing](#contributing).
 Build and Install
 =================
@ -166,7 +161,6 @@ platform. The OpenSSL Project Pages at [openssl.github.io][] are a
 valuable source of information if you want to get familiar with our
 development process on GitHub.
 Legalities
 ==========
@ -174,7 +168,6 @@ A number of nations restrict the use or export of cryptography. If you are
 potentially subject to such restrictions you should seek legal advice before
 attempting to develop or distribute cryptographic code.
 Copyright
 =========
@ -184,37 +177,34 @@ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
 <!-- Links  -->
 [www.openssl.org]:
-    https://www.openssl.org
+    <https://www.openssl.org>
    "OpenSSL Homepage"
 [git.openssl.org]:
-    https://git.openssl.org
+    <https://git.openssl.org>
    "OpenSSL Git Repository"
 [git.openssl.org]:
-    https://git.openssl.org
+    <https://git.openssl.org>
    "OpenSSL Git Repository"
 [github.com/openssl/openssl]:
-    https://github.com/openssl/openssl
+    <https://github.com/openssl/openssl>
    "OpenSSL GitHub Mirror"
 [openssl.github.io]:
-    https://mspncp.github.io
+    <https://mspncp.github.io>
    "OpenSSL Project Pages"
 [wiki.openssl.org]:
-    https://wiki.openssl.org
+    <https://wiki.openssl.org>
    "OpenSSL Wiki"
 [RFC 8446]:
-     https://tools.ietf.org/html/rfc8446
+     <https://tools.ietf.org/html/rfc8446>
 <!-- Logos and Badges -->
 <!--
@ -230,17 +220,17 @@ All rights reserved.
    "OpenSSL Logo"
 [travis badge]:
-    https://travis-ci.org/openssl/openssl.svg?branch=master
+    <https://travis-ci.org/openssl/openssl.svg?branch=master>
    "Travis Build Status"
 [travis jobs]:
-    https://travis-ci.org/openssl/openssl
+    <https://travis-ci.org/openssl/openssl>
    "Travis Jobs"
 [appveyor badge]:
-    https://ci.appveyor.com/api/projects/status/ikn2l4u1xsume63u/branch/master?svg=true
+    <https://ci.appveyor.com/api/projects/status/ikn2l4u1xsume63u/branch/master?svg=true>
    "AppVeyor Build Status"
 [appveyor jobs]:
-    https://ci.appveyor.com/project/openssl/openssl/branch/master
+    <https://ci.appveyor.com/project/openssl/openssl/branch/master>
    "AppVeyor Jobs"
--- a/SUPPORT.md
+++ b/SUPPORT.md
@ -1,4 +1,3 @@
 OpenSSL User Support resources
 ==============================
@ -7,7 +6,7 @@ _Under Construction; not more than a collection of text fragments yet._
 See the OpenSSL website www.openssl.org for details on how to obtain
 commercial technical support. Free community support is available through the
 openssl-users email list (see
-https://www.openssl.org/community/mailinglists.html for further details).
+<https://www.openssl.org/community/mailinglists.html for> further details).
 If you have any problems with OpenSSL then please take the following steps
 first:
@ -32,8 +31,6 @@ Just because something doesn't work the way you expect does not mean it
 is necessarily a bug in OpenSSL. Use the openssl-users email list for this type
 of query.
 For *questions* on how to use OpenSSL or what went wrong when you
 tried something, our primary resource is the mailing list
 openssl-users@openssl.org, where you can get help from others in the
@ -41,10 +38,7 @@ OpenSSL community (which includes the developers as time permits).
 Only subscribers can post to openssl-users@openssl.org (although the
 archives are public).
-For more information, see https://www.openssl.org/community/mailinglists.html
+For more information, see <https://www.openssl.org/community/mailinglists.html>
 You have general questions about using OpenSSL
 ----------------------------------------------
@ -97,10 +91,6 @@ pull request. The details are covered in the [Contributing](#contributing) secti
 Don't hesitate to open a pull request, even if it's only a small change
 like a grammatical or typographical error in the documentation.
 Mailing Lists
 =============
@ -121,7 +111,6 @@ The openssl-dev list has been discontinued since development is now taking
 place in form of GitHub pull requests. Although not active anymore, the
 searchable archive may still contain useful information.
 <!-- Links -->
 [mailing lists]:     https://www.openssl.org/community/mailinglists.html
--- a/fuzz/README.md
+++ b/fuzz/README.md
@ -1,7 +1,10 @@
-# I Can Haz Fuzz?
+Fuzzing OpenSSL
 ===============
 OpenSSL can use either LibFuzzer or AFL to do fuzzing.
 LibFuzzer
-=========
+---------
 How to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html),
 starting from a vanilla+OpenSSH server Ubuntu install.
@ -68,7 +71,7 @@ prebuilt fuzzer library. This is represented as `$PATH_TO_LIBFUZZER_DIR` below.
            --debug
 AFL
-===
+---
 This is an alternative to using LibFuzzer.
@ -92,7 +95,7 @@ Run one of the fuzzers:
 Where $FUZZER is one of the executables in `fuzz/`.
 Reproducing issues
-==================
+------------------
 If a fuzzer generates a reproducible error, you can reproduce the problem using
 the fuzz/*-test binaries and the file generated by the fuzzer. They binaries
@ -108,7 +111,7 @@ To reproduce the crash you can run:
    fuzz/$FUZZER-test $file
 Random numbers
-==============
+--------------
 The client and server fuzzer normally generate random numbers as part of the TLS
 connection setup. This results in the coverage of the fuzzing corpus changing
@ -127,16 +130,17 @@ the same client hello with the same random number in it, and so the server, as
 emulated by the file, can be generated for that client hello.
 Coverage changes
-================
+----------------
 Since the corpus depends on the default behaviour of the client and the server,
 changes in what they send by default will have an impact on the coverage. The
 corpus will need to be updated in that case.
 Updating the corpus
-===================
+-------------------
 The client and server corpus is generated with multiple config options:
 - The options as documented above
 - Without enable-ec_nistp_64_gcc_128 and without --debug
 - With no-asm
@ -147,7 +151,7 @@ The libfuzzer merge option is used to add the additional coverage
 from each config to the minimal set.
 Minimizing the corpus
-=====================
+---------------------
 When you have gathered corpus data from more than one fuzzer run
 or for any other reason want to to minimize the data
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@ -1,4 +1,5 @@
-# SSL tests
+SSL tests
 =========
 SSL testcases are configured in the `ssl-tests` directory.
@ -14,20 +15,19 @@ corresponding to the default configuration. These testcases live in
 For more details, see `ssl-tests/01-simple.cnf.in` for an example.
-## Configuring the test
+Configuring the test
 --------------------
 First, give your test a name. The names do not have to be unique.
 An example test input looks like this:
 ```
    {
        name => "test-default",
        server => { "CipherString" => "DEFAULT" },
        client => { "CipherString" => "DEFAULT" },
        test   => { "ExpectedResult" => "Success" },
    }
 ```
 The test section supports the following options
@ -111,19 +111,18 @@ handshake.
  If this is "empty" the list is expected to be empty otherwise it is a file
  of certificates whose subject names form the list.
-## Configuring the client and server
+Configuring the client and server
 ---------------------------------
 The client and server configurations can be any valid `SSL_CTX`
 configurations. For details, see the manpages for `SSL_CONF_cmd`.
 Give your configurations as a dictionary of CONF commands, e.g.
-```
+    server => {
-server => {
+        "CipherString" => "DEFAULT",
-    "CipherString" => "DEFAULT",
+        "MinProtocol" => "TLSv1",
-    "MinProtocol" => "TLSv1",
+    }
 }
 ```
 The following sections may optionally be defined:
@ -146,14 +145,12 @@ The following sections may optionally be defined:
 Additional handshake settings can be configured in the `extra` section of each
 client and server:
-```
+    client => {
-client => {
+        "CipherString" => "DEFAULT",
-    "CipherString" => "DEFAULT",
+        extra => {
-    extra => {
+            "ServerName" => "server2",
-        "ServerName" => "server2",
+        }
    }
 }
 ```
 #### Supported client-side options
@ -202,21 +199,18 @@ automatically. Server certificate verification is requested by default.
 You can override these options by redefining them:
-```
+    client => {
-client => {
+        "VerifyCAFile" => "/path/to/custom/file"
-    "VerifyCAFile" => "/path/to/custom/file"
+    }
 }
 ```
 or by deleting them
-```
+    client => {
-client => {
+        "VerifyCAFile" => undef
-    "VerifyCAFile" => undef
+    }
 }
 ```
-## Adding a test to the test harness
+Adding a test to the test harness
 ---------------------------------
 1. Add a new test configuration to `test/ssl-tests`, following the examples of
   existing `*.cnf.in` files (for example, `01-simple.cnf.in`).
@ -224,33 +218,26 @@ client => {
 2. Generate the generated `*.cnf` test input file. You can do so by running
   `generate_ssl_tests.pl`:
-```
+    $ ./config
-$ ./config
+    $ cd test
-$ cd test
+    $ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl \
-$ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/my.cnf.in default \
+      ssl-tests/my.cnf.in default > ssl-tests/my.cnf
  > ssl-tests/my.cnf
 ```
 where `my.cnf.in` is your test input file and `default` is the provider to use.
 For all the pre-generated test files you should use the default provider.
 For example, to generate the test cases in `ssl-tests/01-simple.cnf.in`, do
-```
+    $ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl \
-$ TOP=.. perl -I ../util/perl/ generate_ssl_tests.pl ssl-tests/01-simple.cnf.in default > ssl-tests/01-simple.cnf
+      ssl-tests/01-simple.cnf.in default > ssl-tests/01-simple.cnf
 ```
 Alternatively (hackish but simple), you can comment out
-```
+    unlink glob $tmp_file;
 unlink glob $tmp_file;
 ```
 in `test/recipes/80-test_ssl_new.t` and run
-```
+    $ make TESTS=test_ssl_new test
 $ make TESTS=test_ssl_new test
 ```
 This will save the generated output in a `*.tmp` file in the build directory.
@ -258,13 +245,13 @@ This will save the generated output in a `*.tmp` file in the build directory.
   the test suite has any skip conditions, update those too (see
   `test/recipes/80-test_ssl_new.t` for details).
-## Running the tests with the test harness
+Running the tests with the test harness
 ---------------------------------------
-```
+    HARNESS_VERBOSE=yes make TESTS=test_ssl_new test
 HARNESS_VERBOSE=yes make TESTS=test_ssl_new test
 ```
-## Running a test manually
+Running a test manually
 -----------------------
 These steps are only needed during development. End users should run `make test`
 or follow the instructions above to run the SSL test suite.
@ -273,17 +260,13 @@ To run an SSL test manually from the command line, the `TEST_CERTS_DIR`
 environment variable to point to the location of the certs. E.g., from the root
 OpenSSL directory, do
-```
+    $ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
-$ CTLOG_FILE=test/ct/log_list.cnf TEST_CERTS_DIR=test/certs test/ssl_test \
+      test/ssl-tests/01-simple.cnf
  test/ssl-tests/01-simple.cnf
 ```
 or for shared builds
-```
+    $ CTLOG_FILE=test/ct/log_list.cnf  TEST_CERTS_DIR=test/certs \
-$ CTLOG_FILE=test/ct/log_list.cnf  TEST_CERTS_DIR=test/certs \
+      util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf
  util/wrap.pl test/ssl_test test/ssl-tests/01-simple.cnf
 ```
 Note that the test expectations sometimes depend on the Configure settings. For
 example, the negotiated protocol depends on the set of available (enabled)
`@ -3,6 +3,5 @@ Acknowlegements`

	`Please see our [Thanks!][] page for the current acknowledgements.`	`Please see our [Thanks!][] page for the current acknowledgements.`


	`[Thanks!]: https://www.openssl.org/community/thanks.html`	`[Thanks!]: https://www.openssl.org/community/thanks.html`