curl_easy_setopt.3: clarify VERIFYHOST/PEER

Extended the descriptions somewhat and made the options get listed next
to each other.

docs/libcurl/curl_easy_setopt.3

@@ -1888,12 +1888,14 @@ CA certificates and you can specify alternate certificates with the
 
 When \fICURLOPT_SSL_VERIFYPEER\fP is nonzero, and the verification fails to
 prove that the certificate is authentic, the connection fails.  When the
-option is zero, the connection succeeds regardless.
+option is zero, the peer certificate verification succeeds regardless.
 
 Authenticating the certificate is not by itself very useful.  You typically
 want to ensure that the server, as authentically identified by its
 certificate, is the server you mean to be talking to.  Use
-\fICURLOPT_SSL_VERIFYHOST\fP to control that.
+\fICURLOPT_SSL_VERIFYHOST\fP to control that. The check that the host name in
+the certificate is valid for the host name you're connecting to is done
+independently of the \fICURLOPT_SSL_VERIFYPEER\fP option.
 .IP CURLOPT_CAINFO
 Pass a char * to a zero terminated string naming a file holding one or more
 certificates to verify the peer with.  This makes sense only when used in
@@ -1951,20 +1953,6 @@ A specific error code (CURLE_SSL_CRL_BADFILE) is defined with the option. It
 is returned when the SSL exchange fails because the CRL file cannot be loaded.
 A failure in certificate verification due to a revocation information found in
 the CRL does not trigger this specific error. (Added in 7.19.0)
-.IP CURLOPT_CERTINFO
-Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
-this enabled, libcurl (if built with OpenSSL) will extract lots of information
-and data about the certificates in the certificate chain used in the SSL
-connection. This data is then possible to extract after a transfer using
-\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in
-7.19.1)
-.IP CURLOPT_RANDOM_FILE
-Pass a char * to a zero terminated file name. The file will be used to read
-from to seed the random engine for SSL. The more random the specified file is,
-the more secure the SSL connection will become.
-.IP CURLOPT_EGDSOCKET
-Pass a char * to the zero terminated path name to the Entropy Gathering Daemon
-socket. It will be used to seed the random engine for SSL.
 .IP CURLOPT_SSL_VERIFYHOST
 Pass a long as parameter.
 
@@ -1988,10 +1976,25 @@ doesn't matter what name it says.  (This is not ordinarily a useful setting).
 When the value is 0, the connection succeeds regardless of the names in the
 certificate.
 
-The default, since 7.10, is 2.
+The default value for this option is 2.
 
-This option controls checking the server's claimed identity.  The server could
+This option controls checking the server's certificate's claimed identity.
-be lying.  To control lying, see \fICURLOPT_SSL_VERIFYPEER\fP.
+The server could be lying.  To control lying, see
+\fICURLOPT_SSL_VERIFYPEER\fP.
+.IP CURLOPT_CERTINFO
+Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
+this enabled, libcurl (if built with OpenSSL) will extract lots of information
+and data about the certificates in the certificate chain used in the SSL
+connection. This data is then possible to extract after a transfer using
+\fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in
+7.19.1)
+.IP CURLOPT_RANDOM_FILE
+Pass a char * to a zero terminated file name. The file will be used to read
+from to seed the random engine for SSL. The more random the specified file is,
+the more secure the SSL connection will become.
+.IP CURLOPT_EGDSOCKET
+Pass a char * to the zero terminated path name to the Entropy Gathering Daemon
+socket. It will be used to seed the random engine for SSL.
 .IP CURLOPT_SSL_CIPHER_LIST
 Pass a char *, pointing to a zero terminated string holding the list of
 ciphers to use for the SSL connection. The list must be syntactically correct,