===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/openssl.1,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- src/usr.bin/openssl/openssl.1	2015/09/11 06:43:05	1.21
+++ src/usr.bin/openssl/openssl.1	2015/09/11 14:30:23	1.22
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.21 2015/09/11 06:43:05 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.22 2015/09/11 14:30:23 bcook Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -284,8 +284,6 @@
 EC parameter manipulation and generation.
 .It Cm enc
 Encoding with ciphers.
-.It Cm engine
-Engine (loadable module) information and manipulation.
 .It Cm errstr
 Error number to error string conversion.
 .It Cm gendh
@@ -703,7 +701,6 @@
 .Op Fl crlhours Ar hours
 .Op Fl days Ar arg
 .Op Fl enddate Ar date
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl extfile Ar section
 .Op Fl gencrl
@@ -711,7 +708,7 @@
 .Op Fl infiles
 .Op Fl key Ar keyfile
 .Op Fl keyfile Ar arg
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl md Ar arg
 .Op Fl msie_hack
 .Op Fl name Ar section
@@ -757,14 +754,6 @@
 This allows the expiry date to be explicitly set.
 The format of the date is YYMMDDHHMMSSZ
 .Pq the same as an ASN1 UTCTime structure .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ca
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl extensions Ar section
 The section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to
@@ -800,7 +789,7 @@
 utility) this option should be used with caution.
 .It Fl keyfile Ar file
 The private key to sign requests with.
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Private key file format.
 .It Fl md Ar alg
 The message digest to use.
@@ -1811,10 +1800,9 @@
 .Oc
 .Op Fl binary
 .Op Fl cd
-.Op Fl engine Ar id
 .Op Fl hex
 .Op Fl hmac Ar key
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl mac Ar algorithm
 .Op Fl macopt Ar nm : Ns Ar v
 .Op Fl out Ar file
@@ -1853,16 +1841,6 @@
 format output is used.
 .It Fl d
 Print out BIO debugging information.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dgst
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
-This engine is not used as a source for digest algorithms
-unless it is also specified in the configuration file.
 .It Fl hex
 Digest is to be output as a hex dump.
 This is the default case for a
@@ -1871,7 +1849,7 @@
 .It Fl hmac Ar key
 Create a hashed MAC using
 .Ar key .
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Specifies the key format to sign the digest with.
 .It Fl mac Ar algorithm
 Create a keyed Message Authentication Code (MAC).
@@ -1963,7 +1941,6 @@
 .Op Fl C
 .Op Fl check
 .Op Fl dsaparam
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -2008,14 +1985,6 @@
 Beware that with such DSA-style DH parameters,
 a fresh DH key should be created for each use to
 avoid small-subgroup attacks that may be possible otherwise.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dhparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -2109,7 +2078,6 @@
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl modulus
@@ -2154,14 +2122,6 @@
 or by setting the encryption options it can be use to add or change
 the pass phrase.
 These options can only be used with PEM format output files.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -2267,7 +2227,6 @@
 .Nm "openssl dsaparam"
 .Bk -words
 .Op Fl C
-.Op Fl engine Ar id
 .Op Fl genkey
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -2290,14 +2249,6 @@
 The parameters can then be loaded by calling the
 .Cm get_dsa Ns Ar XXX Ns Li ()
 function.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dsaparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genkey
 This option will generate a DSA either using the specified or generated
 parameters.
@@ -2362,7 +2313,6 @@
 .Op Fl conv_form Ar arg
 .Op Fl des
 .Op Fl des3
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -2428,14 +2378,6 @@
 or by setting the encryption options
 it can be use to add or change the pass phrase.
 These options can only be used with PEM format output files.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ec
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read a key from,
 or standard input if this option is not specified.
@@ -2567,7 +2509,6 @@
 .Op Fl C
 .Op Fl check
 .Op Fl conv_form Ar arg
-.Op Fl engine Ar id
 .Op Fl genkey
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -2611,14 +2552,6 @@
 and can be enabled by defining the preprocessor macro
 .Ar OPENSSL_EC_BIN_PT_COMP
 at compile time.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ecparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genkey
 Generate an EC private key using the specified parameters.
 .It Fl in Ar file
@@ -2736,7 +2669,6 @@
 .Op Fl base64
 .Op Fl bufsize Ar number
 .Op Fl debug
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl iv Ar IV
 .Op Fl K Ar key
@@ -2779,14 +2711,6 @@
 Debug the BIOs used for I/O.
 .It Fl e
 Encrypt the input data: this is the default.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm enc
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 The input
 .Ar file ;
@@ -2918,26 +2842,7 @@
 .Nm openssl ciphername
 or
 .Nm openssl enc -ciphername .
-But the first form doesn't work with engine-provided ciphers,
-because this form is processed before the
-configuration file is read and any engines loaded.
 .Pp
-Engines which provide entirely new encryption algorithms
-should be configured in the configuration file.
-Engines, specified on the command line using the
-.Fl engine
-option,
-can only be used for hardware-assisted implementations of ciphers,
-supported by
-.Nm OpenSSL
-core, or by other engines specified in the configuration file.
-.Pp
-When
-.Nm enc
-lists supported ciphers,
-ciphers provided by engines specified in the configuration files
-are listed too.
-.Pp
 A password will be prompted for to derive the
 .Ar key
 and
@@ -3077,56 +2982,6 @@
 Therefore it is not possible to use RC2 with a 76-bit key
 or RC4 with an 84-bit key with this program.
 .\"
-.\" ENGINE
-.\"
-.Sh ENGINE
-.Nm openssl engine
-.Op Fl ctv
-.Op Fl post Ar cmd
-.Op Fl pre Ar cmd
-.Op Ar engine ...
-.Pp
-The
-.Nm engine
-command provides loadable module information and manipulation
-of various engines.
-Any options are applied to all engines supplied on the command line,
-or all supported engines if none are specified.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl c
-For each engine, also list the capabilities.
-.It Fl post Ar cmd
-Run command
-.Ar cmd
-against the engine after loading it
-(only used if
-.Fl t
-is also provided).
-.It Fl pre Ar cmd
-Run command
-.Ar cmd
-against the engine before any attempts
-to load it
-(only used if
-.Fl t
-is also provided).
-.It Fl t
-For each engine, check that they are really available.
-.Fl tt
-will display an error trace for unavailable engines.
-.It Fl v
-Verbose mode.
-For each engine, list its 'control commands'.
-.Fl vv
-will additionally display each command's description.
-.Fl vvv
-will also add the input flags for each command.
-.Fl vvvv
-will also show internal input flags.
-.El
-.\"
 .\" ERRSTR
 .\"
 .Sh ERRSTR
@@ -3192,7 +3047,6 @@
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl out Ar file
 .Op Ar paramfile
 .Ek
@@ -3215,14 +3069,6 @@
 or the triple DES ciphers, respectively, before outputting it.
 A pass phrase is prompted for.
 If none of these options are specified, no encryption is used.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm gendsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl out Ar file
 The output
 .Ar file .
@@ -3246,7 +3092,6 @@
 .Bk -words
 .Op Fl algorithm Ar alg
 .Op Ar cipher
-.Op Fl engine Ar id
 .Op Fl genparam
 .Op Fl out Ar file
 .Op Fl outform Ar DER | PEM
@@ -3262,8 +3107,7 @@
 command generates private keys.
 The use of this
 program is encouraged over the algorithm specific utilities
-because additional algorithm options
-and engine-provided algorithms can be used.
+because additional algorithm options can be used.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3284,14 +3128,6 @@
 .Fn EVP_get_cipherbyname
 is acceptable, such as
 .Cm des3 .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm genpkey
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genparam
 Generate a set of parameters instead of a private key.
 If used this option must precede any
@@ -3422,7 +3258,6 @@
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl out Ar file
 .Op Fl passout Ar arg
 .Op Ar numbits
@@ -3449,14 +3284,6 @@
 if it is not supplied via the
 .Fl passout
 option.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm genrsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl out Ar file
 The output
 .Ar file .
@@ -4129,7 +3956,6 @@
 .nr nS 1
 .Nm "openssl pkcs7"
 .Bk -words
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -4146,14 +3972,6 @@
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs7
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4218,7 +4036,6 @@
 .Nm "openssl pkcs8"
 .Bk -words
 .Op Fl embed
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl nocrypt
@@ -4254,14 +4071,6 @@
 two structures:
 a SEQUENCE containing the parameters and an ASN1 INTEGER containing
 the private key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs8
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4484,7 +4293,6 @@
 .Op Fl clcerts
 .Op Fl CSP Ar name
 .Op Fl descert
-.Op Fl engine Ar id
 .Op Fl export
 .Op Fl in Ar file
 .Op Fl info
@@ -4631,14 +4439,6 @@
 software.
 By default, the private key is encrypted using triple DES and the
 certificate using 40-bit RC2.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs12
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl export
 This option specifies that a PKCS#12 file will be created rather than
 parsed.
@@ -4844,7 +4644,6 @@
 .Nm "openssl pkey"
 .Bk -words
 .Op Ar cipher
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -4873,14 +4672,6 @@
 .Fn EVP_get_cipherbyname
 is acceptable, such as
 .Cm des3 .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkey
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read a key from,
 or standard input if this option is not specified.
@@ -4966,7 +4757,6 @@
 .\"
 .Sh PKEYPARAM
 .Cm openssl pkeyparam
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl noout
 .Op Fl out Ar file
@@ -4979,14 +4769,6 @@
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkeyparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read parameters from,
 or standard input if this option is not specified.
@@ -5022,14 +4804,13 @@
 .Op Fl decrypt
 .Op Fl derive
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl hexdump
 .Op Fl in Ar file
 .Op Fl inkey Ar file
-.Op Fl keyform Ar DER | ENGINE | PEM
+.Op Fl keyform Ar DER | PEM
 .Op Fl out Ar file
 .Op Fl passin Ar arg
-.Op Fl peerform Ar DER | ENGINE | PEM
+.Op Fl peerform Ar DER | PEM
 .Op Fl peerkey Ar file
 .Op Fl pkeyopt Ar opt : Ns Ar value
 .Op Fl pubin
@@ -5061,14 +4842,6 @@
 Derive a shared secret using the peer key.
 .It Fl encrypt
 Encrypt the input data using a public key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkeyutl
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hexdump
 Hex dump the output data.
 .It Fl in Ar file
@@ -5077,8 +4850,8 @@
 .It Fl inkey Ar file
 The input key file.
 By default it should be a private key.
-.It Fl keyform Ar DER | ENGINE | PEM
-The key format DER, ENGINE, or PEM.
+.It Fl keyform Ar DER | PEM
+The key format DER or PEM.
 .It Fl out Ar file
 Specify the output filename to write to,
 or standard output by default.
@@ -5089,8 +4862,8 @@
 see the
 .Sx PASS PHRASE ARGUMENTS
 section above.
-.It Fl peerform Ar DER | ENGINE | PEM
-The peer key format DER, ENGINE, or PEM.
+.It Fl peerform Ar DER | PEM
+The peer key format DER or PEM.
 .It Fl peerkey Ar file
 The peer key file, used by key derivation (agreement) operations.
 .It Fl pkeyopt Ar opt : Ns Ar value
@@ -5271,7 +5044,6 @@
 .nr nS 1
 .Nm "openssl rand"
 .Op Fl base64
-.Op Fl engine Ar id
 .Op Fl hex
 .Op Fl out Ar file
 .Ar num
@@ -5289,14 +5061,6 @@
 Perform
 .Em base64
 encoding on the output.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rand
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hex
 Specify hexadecimal output.
 .It Fl out Ar file
@@ -5315,7 +5079,6 @@
 .Op Fl batch
 .Op Fl config Ar file
 .Op Fl days Ar n
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -5392,14 +5155,6 @@
 option is being used, this specifies the number of
 days to certify the certificate for.
 The default is 30 days.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm req
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl extensions Ar section , Fl reqexts Ar section
 These options specify alternative sections to include certificate
 extensions (if the
@@ -6067,7 +5822,6 @@
 .Fl des | des3
 .Oc
 .Op Fl check
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | NET | PEM
 .Op Fl modulus
@@ -6114,14 +5868,6 @@
 These options can only be used with PEM format output files.
 .It Fl check
 This option checks the consistency of an RSA private key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -6264,7 +6010,6 @@
 .Op Fl certin
 .Op Fl decrypt
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl hexdump
 .Op Fl in Ar file
 .Op Fl inkey Ar file
@@ -6294,14 +6039,6 @@
 Decrypt the input data using an RSA private key.
 .It Fl encrypt
 Encrypt the input data using an RSA public key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rsautl
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hexdump
 Hex dump the output data.
 .It Fl in Ar file
@@ -6458,7 +6195,6 @@
 .Op Fl crl_check_all
 .Op Fl crlf
 .Op Fl debug
-.Op Fl engine Ar id
 .Op Fl extended_crl
 .Op Fl ign_eof
 .Op Fl ignore_critical
@@ -6570,14 +6306,6 @@
 by some servers.
 .It Fl debug
 Print extensive debugging information including a hex dump of all traffic.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm s_client
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl ign_eof
 Inhibit shutting down the connection when end of file is reached in the
 input.
@@ -6782,7 +6510,6 @@
 .Op Fl debug
 .Op Fl dhparam Ar file
 .Op Fl dkey Ar file
-.Op Fl engine Ar id
 .Op Fl hack
 .Op Fl HTTP
 .Op Fl id_prefix Ar arg
@@ -6897,14 +6624,6 @@
 If this fails, a static set of parameters hard coded into the
 .Nm s_server
 program will be used.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm s_server
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hack
 This option enables a further workaround for some early Netscape
 SSL code
@@ -7386,7 +7105,6 @@
 .Op Fl crl_check_all
 .Op Fl decrypt
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl extended_crl
 .Op Fl from Ar addr
 .Op Fl ignore_critical
@@ -7395,7 +7113,7 @@
 .Op Fl inform Ar DER | PEM | SMIME
 .Op Fl inkey Ar file
 .Op Fl issuer_checks
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl md Ar digest
 .Op Fl noattr
 .Op Fl nocerts
@@ -7542,14 +7260,6 @@
 and it uses the multipart/signed
 .Em MIME
 content type.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm smime
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Xo
 .Fl from Ar addr ,
 .Fl subject Ar s ,
@@ -7605,7 +7315,7 @@
 file.
 When signing,
 this option can be used multiple times to specify successive keys.
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Input private key format.
 .It Fl md Ar digest
 The digest algorithm to use when signing or resigning.
@@ -7968,7 +7678,6 @@
 .Op Cm sha1
 .Op Fl decrypt
 .Op Fl elapsed
-.Op Fl engine Ar id
 .Op Fl evp Ar e
 .Op Fl mr
 .Op Fl multi Ar number
@@ -7986,14 +7695,6 @@
 .It Fl decrypt
 Time decryption instead of encryption
 .Pq only EVP .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm speed
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl elapsed
 Measure time in real time instead of CPU user time.
 .It Fl evp Ar e
@@ -8033,7 +7734,6 @@
 .Fl reply
 .Op Fl chain Ar certs_file.pem
 .Op Fl config Ar configfile
-.Op Fl engine Ar id
 .Op Fl in Ar response.tsr
 .Op Fl inkey Ar private.pem
 .Op Fl out Ar response.tsr
@@ -8194,14 +7894,6 @@
 See
 .Sx TS CONFIGURATION FILE OPTIONS
 for configurable variables.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ts
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar response.tsr
 Specifies a previously created time stamp response or time stamp token, if
 .Fl token_in
@@ -8379,11 +8071,6 @@
 If the file does not exist at the time of response
 generation a new file is created with serial number 1.
 This parameter is mandatory.
-.It Cm crypto_device
-Specifies the
-.Nm OpenSSL
-engine that will be set as the default for
-all available algorithms.
 .It Cm signer_cert
 TSA signing certificate, in PEM format.
 The same as the
@@ -8611,7 +8298,6 @@
 .Nm "openssl spkac"
 .Bk -words
 .Op Fl challenge Ar string
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl key Ar keyfile
 .Op Fl noout
@@ -8636,14 +8322,6 @@
 .Bl -tag -width Ds
 .It Fl challenge Ar string
 Specifies the challenge string if an SPKAC is being created.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm spkac
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -8743,7 +8421,6 @@
 .Op Fl check_ss_sig
 .Op Fl crl_check
 .Op Fl crl_check_all
-.Op Fl engine Ar id
 .Op Fl explicit_policy
 .Op Fl extended_crl
 .Op Fl help
@@ -8800,14 +8477,6 @@
 .It Fl crl_check_all
 Checks the validity of all certificates in the chain by attempting
 to look up valid CRLs.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm verify
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl explicit_policy
 Set policy variable require-explicit-policy (see RFC 3280 et al).
 .It Fl extended_crl
@@ -9181,7 +8850,6 @@
 .Op Fl days Ar arg
 .Op Fl email
 .Op Fl enddate
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl extfile Ar file
 .Op Fl fingerprint
@@ -9230,14 +8898,6 @@
 various sections.
 .Sh X509 INPUT, OUTPUT, AND GENERAL PURPOSE OPTIONS
 .Bl -tag -width "XXXX"
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm x509
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file