openssl-cmp.pod.in: Clean up doc of -verify_email, -verify_hostname, and -verify_ip

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12932)

doc/man1/openssl-cmp.pod.in

@@ -35,9 +35,6 @@ Certificate enrollment options:
 [B<-popo> I<number>]
 [B<-csr> I<filename>]
 [B<-out_trusted> I<filenames>]
-[B<-verify_hostname> I<cn>]
-[B<-verify_ip> I<ip>]
-[B<-verify_email> I<email>]
 [B<-implicit_confirm>]
 [B<-disable_confirm>]
 [B<-certout> I<filename>]
@@ -140,33 +137,7 @@ Mock server options:
 
 Certificate verification options, for both CMP and TLS:
 
-[B<-policy> I<arg>]
-[B<-purpose> I<purpose>]
-[B<-verify_name> I<name>]
-[B<-verify_depth> I<num>]
-[B<-auth_level> I<level>]
-[B<-attime> I<timestamp>]
-[B<-ignore_critical>]
-[B<-issuer_checks>]
-[B<-policy_check>]
-[B<-explicit_policy>]
-[B<-inhibit_any>]
-[B<-inhibit_map>]
-[B<-x509_strict>]
-[B<-extended_crl>]
-[B<-use_deltas>]
-[B<-policy_print>]
-[B<-check_ss_sig>]
-[B<-crl_check>]
-[B<-crl_check_all>]
-[B<-trusted_first>]
-[B<-suiteB_128_only>]
-[B<-suiteB_128>]
-[B<-suiteB_192>]
-[B<-partial_chain>]
-[B<-no_alt_chains>]
-[B<-no_check_time>]
-[B<-allow_proxy_certs>]
+{- $OpenSSL::safe::opt_v_synopsis -}
 
 =head1 DESCRIPTION
 
@@ -378,23 +349,9 @@ Multiple filenames may be given, separated by commas and/or whitespace
 (where in the latter case the whole argument must be enclosed in "...").
 Each source may contain multiple certificates.
 
-=item B<-verify_hostname> I<name>
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if any DNS Subject Alternative Name (or if no
-DNS SAN is included, the Common Name in the subject) equals the given B<name>.
-
-=item B<-verify_ip> I<ip>
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if there is
-an IP address Subject Alternative Name matching the given IP address.
-
-=item B<-verify_email> I<email>
-
-When verification of the newly enrolled certificate is enabled (with the
-B<-out_trusted> option), check if there is
-an email address Subject Alternative Name matching the given email address.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+only affect the certificate verification enabled via this option.
 
 =item B<-implicit_confirm>
 
@@ -511,7 +468,7 @@ When verifying signature-based protection of CMP response messages,
 these are the CA certificate(s) to trust while checking certificate chains
 during CMP server authentication.
 This option gives more flexibility than the B<-srvcert> option because the
-protection certificate is not pinned but may be any certificate
+server-side CMP signer certificate is not pinned but may be any certificate
 for which a chain to one of the given trusted certificates can be constructed.
 
 If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
@@ -521,6 +478,10 @@ Multiple filenames may be given, separated by commas and/or whitespace
 (where in the latter case the whole argument must be enclosed in "...").
 Each source may contain multiple certificates.
 
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
 =item B<-untrusted> I<sources>
 
 Non-trusted intermediate CA certificate(s).
@@ -666,13 +627,17 @@ is included in the extraCerts field in signature-protected request messages.
 =item B<-own_trusted> I<filenames>
 
 If this list of certificates is provided then the chain built for
-the CMP signer certificate given with the B<-cert> option is verified
-using the given certificates as trust anchors.
+the client-side CMP signer certificate given with the B<-cert> option
+is verified using the given certificates as trust anchors.
 
 Multiple filenames may be given, separated by commas and/or whitespace
 (where in the latter case the whole argument must be enclosed in "...").
 Each source may contain multiple certificates.
 
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
 =item B<-key> I<filename>
 
 The corresponding private key file for the client's current certificate given in
@@ -808,6 +773,10 @@ Multiple filenames may be given, separated by commas and/or whitespace
 (where in the latter case the whole argument must be enclosed in "...").
 Each source may contain multiple certificates.
 
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
 =item B<-tls_host> I<name>
 
 Address to be checked during hostname validation. 
@@ -913,6 +882,10 @@ Server private key (and cert) file pass phrase source.
 
 Trusted certificates for client authentication.
 
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+have no effect on the certificate verification enabled via this option.
+
 =item B<-srv_untrusted> I<filenames>
 
 Intermediate CA certs that may be useful when verifying client certificates.
@@ -991,21 +964,11 @@ Accept RAVERIFED as proof-of-possession (POPO).
 
 =over 4
 
-=item B<-policy>, B<-purpose>, B<-verify_name>, B<-verify_depth>,
-B<-attime>,
-B<-ignore_critical>, B<-issuer_checks>,
-B<-policy_check>,
-B<-explicit_policy>, B<-inhibit_any>, B<-inhibit_map>,
-B<-x509_strict>, B<-extended_crl>, B<-use_deltas>,
-B<-policy_print>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
-B<-trusted_first>,
-B<-suiteB_128_only>, B<-suiteB_128>, B<-suiteB_192>,
-B<-partial_chain>, B<-no_alt_chains>, B<-no_check_time>,
-B<-auth_level>,
-B<-allow_proxy_certs>
+{- $OpenSSL::safe::opt_v_item -}
 
-Set various options of certificate chain verification.
-See L<openssl(1)/Verification Options> for details.
+The certificate verification options
+B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
+only affect the certificate verification enabled via the B<-out_trusted> option.
 
 =back