diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index aa5c15f1a0..bbddbe5903 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.111 2007/02/16 02:59:40 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/config.sgml,v 1.112 2007/02/16 16:37:29 tgl Exp $ --> <chapter Id="runtime-config"> <title>Server Configuration</title> @@ -569,15 +569,15 @@ SET ENABLE_SEQSCAN TO OFF; </listitem> </varlistentry> - <varlistentry id="guc-ssl-ciphers" xreflabel="ssl-ciphers"> - <term><varname>ssl_ciphers> (<type>string</type>)</term> + <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers"> + <term><varname>ssl_ciphers</varname> (<type>string</type>)</term> <indexterm> <primary><varname>ssl_ciphers</> configuration parameter</primary> </indexterm> <listitem> <para> - Specifies a list of <acronym>SSL</> ciphers which can be used to - establish secure connections. See the <application>openssl</> + Specifies a list of <acronym>SSL</> ciphers that are allowed to be + used on secure connections. See the <application>openssl</> manual page for a list of supported ciphers. </para> </listitem> diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 4dbf47ac50..5b8ef438b3 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.230 2007/02/16 03:50:29 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/libpq.sgml,v 1.231 2007/02/16 16:37:29 tgl Exp $ --> <chapter id="libpq"> <title><application>libpq</application> - C Library</title> 
@@ -4178,10 +4178,11 @@ setting, and is only available if <primary><envar>PGSSLKEY</envar></primary> </indexterm> <envar>PGSSLKEY</envar> -specifies the hardware token which stores the secret key for the client -certificate, instead of a file. The value of this variable should consist +specifies the hardware token that stores the secret key for the client +certificate. The value of this variable should consist of a colon-separated engine name (engines are <productname>OpenSSL</> -loadable modules) and an engine-specific key identifier. +loadable modules) and an engine-specific key identifier. If this is not +set, the secret key must be kept in a file. </para> </listitem> <listitem> 
@@ -4450,30 +4451,29 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) for increased security. See <xref linkend="ssl-tcp"> for details about the server-side <acronym>SSL</> functionality. </para> + <para> - <application>libpq</application> reads the system-wide - <productname>OpenSSL</productname> configuration file. By default, this - file is named <filename>openssl.cnf</filename> and is located in the - directory reported by <application>openssl</>: - <programlisting> - openssl version -d - </programlisting> - The default can be overriden by setting environment variable - <envar>OPENSSL_CONF</envar> to the name of the desired configuration - file. + <application>libpq</application> reads the system-wide + <productname>OpenSSL</productname> configuration file. By default, this + file is named <filename>openssl.cnf</filename> and is located in the + directory reported by <literal>openssl version -d</>. + This default can be overridden by setting environment variable + <envar>OPENSSL_CONF</envar> to the name of the desired configuration + file. </para> + <para> If the server demands a client certificate, <application>libpq</application> will send the certificate stored in file <filename>~/.postgresql/postgresql.crt</> within the user's home directory. A matching private key file <filename>~/.postgresql/postgresql.key</> - must also be present, and must not be world-readable, unless the secret - key is stored in a hardware token, as specified by - <envar>PGSSLKEY</envar>. + must also be present, unless the secret key for the certificate is stored + in a hardware token, as specified by <envar>PGSSLKEY</envar>. (On Microsoft Windows these files are named <filename>%APPDATA%\postgresql\postgresql.crt</filename> and <filename>%APPDATA%\postgresql\postgresql.key</filename>.) + The private key file must not be world-readable. </para> <para> 
@@ -4481,7 +4481,7 @@ ldap://ldap.mycompany.com/dc=mycompany,dc=com?uniqueMember?one?(cn=mydatabase) should consist of a colon-separated engine name and key identifier. In this case, <application>libpq</application> will load the specified engine, i.e. the <productname>OpenSSL</> module which supports special - hardware and reference the key with the specified identifier. + hardware, and reference the key with the specified identifier. Identifiers are engine-specific. Typically, cryptography hardware tokens do not reveal secret keys to the application. Instead, applications delegate all cryptography operations which require the secret key to diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 7bed97a86f..57e4692710 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -1,4 +1,4 @@ -<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.377 2007/02/16 02:59:40 momjian Exp $ --> +<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.378 2007/02/16 16:37:29 tgl Exp $ --> <chapter Id="runtime"> <title>Operating System Environment</title> 
@@ -1518,20 +1518,17 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput <para> <productname>OpenSSL</productname> supports a wide range of ciphers and authentication algorithms, whose strength varies significantly. - You can restrict the list of ciphers which can be used to connect to - your server using the <xref linkend="guc-ssl-ciphers"> parameter. + You can restrict the list of ciphers that can be used to connect to + your server by adjusting the <xref linkend="guc-ssl-ciphers"> parameter. </para> <para> - <productname>PostgreSQL</productname> reads a system-wide - <productname>OpenSSL</productname> configuration file. By default this + <productname>PostgreSQL</productname> reads the system-wide + <productname>OpenSSL</productname> configuration file. By default, this file is named <filename>openssl.cnf</filename> and is located in the - directory reported by <application>openssl</>: - <programlisting> - openssl version -d - </programlisting> - This default can be overriden by setting environment variable - <envar>OPENSSL_CONF</envar> to the name of desired configuration file. + directory reported by <literal>openssl version -d</>. + This default can be overridden by setting environment variable + <envar>OPENSSL_CONF</envar> to the name of the desired configuration file. </para> <para>
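Review bot: In the config.sgml hunk for guc-ssl-ciphers, the reference to "the openssl manual page" is still vague after the rewording; the page that actually lists the cipher names and documents the list syntax this parameter expects is the ciphers(1) page (`openssl ciphers`), so naming it would make the pointer useful. The repair of the malformed `<varname>ssl_ciphers>` to `<varname>ssl_ciphers</varname>`, and the xreflabel change to `ssl_ciphers`, are correct.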
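Review bot: In the libpq.sgml PGSSLKEY hunk, the added sentence "If this is not set, the secret key must be kept in a file." does not say which file; the same chapter names `~/.postgresql/postgresql.key` (and `%APPDATA%\postgresql\postgresql.key` on Windows), so either the file name or an xref to that paragraph belongs here.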
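Review bot: In the libpq.sgml hunk around line 4451, "The private key file must not be world-readable." is now placed directly after the parenthetical naming the Windows `%APPDATA%` files, so it reads as applying on both platforms; if the permission check is only enforced on non-Windows builds, say so, otherwise move the sentence up so it clearly qualifies the `~/.postgresql/postgresql.key` requirement. Dropping the "unless the secret key is stored in a hardware token" qualifier from the world-readable rule is fine, since with PGSSLKEY set there is no key file to protect. The "overriden" to "overridden" fix and the replacement of the `<programlisting>` with inline `<literal>openssl version -d</>` both look good.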
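Review bot: In the runtime.sgml hunk, the OPENSSL_CONF sentence should state that the variable must be set in the environment of the server process (the postmaster), since this paragraph describes the server-side configuration file and the identically worded paragraph in libpq.sgml describes the client's; without that distinction a reader could set it in a client session and expect it to affect the server. The two paragraphs are now near-duplicates, so an xref from one to the other would keep them from drifting apart in future edits.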