Sync code with last security fixes and improvements from OpenBSD

lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.27 2022/12/01 05:33:55 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 1 2022 $
+.Dd $Mdocdate: April 30 2023 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -540,7 +540,9 @@ flag disables workarounds for some broken certificates and makes the
 verification strictly apply X509 rules.
 .Pp
 .Dv X509_V_FLAG_ALLOW_PROXY_CERTS
-enables proxy certificate verification.
+deprecated flag that used to
+enable proxy certificate verification.
+In LibreSSL, this flag has no effect.
 .Pp
 .Dv X509_V_FLAG_POLICY_CHECK
 enables certificate policy checking; by default no policy checking is
@@ -566,8 +568,6 @@ If
 .Dv X509_V_FLAG_NOTIFY_POLICY
 is set and policy checking is successful, a special status code is
 sent to the verification callback.
-This permits it to examine the valid policy tree and perform additional
-checks or simply log it for debugging purposes.
 .Pp
 By default some additional features such as indirect CRLs and CRLs
 signed by different keys are disabled.