
Add documentation for NAME_CONSTRAINTS_check#31334

Draft
bob-beck wants to merge 3 commits into openssl:master from bob-beck:name-constraints-doc

Conversation

@bob-beck
Contributor

We document which names and name constraints will be evaluated,
as well as the limits that will be placed on the evaluation on
a per-certificate basis.

We call out in the BUGS section that RFC 5280 requires a byte-per-byte
match of name constraints unless the higher-level protocol
has defined a different matching method for wildcards. This
"deferral of specification" and the corresponding lack of specification
by upper-level protocols means that encountering the default behaviour
across implementations is to be expected, and that therefore relying
on excluded names to constrain signers in a PKI from signing wildcards
for security purposes is ill advised.

This is then cross-referenced in the documentation for X509_verify_cert,
and the maximum possible number of comparisons which can be forced in a
certificate validation is noted in the BUGS section of X509_verify_cert.

Fixes: #30706

Checklist
  • documentation is added or updated
  • tests are added or updated
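The mismatch described above, as an added example that is not part of this pull request or of OpenSSL's code: a small model of the RFC 5280 dNSName subtree rule (a name satisfies a constraint when it can be formed by adding zero or more labels to the left of the constraint, compared label by label with `*` treated as an ordinary label) next to the RFC 6125-style wildcard matching a TLS client applies when it verifies a hostname. The hostnames `corp.example`, `secret.corp.example` and `*.corp.example` are constructed for the demonstration. With `secret.corp.example` in excludedSubtrees, the literal name and everything under it is rejected, yet the wildcard `*.corp.example` passes the constraint check and is then accepted by the client for exactly the excluded host.

```python
"""Model of RFC 5280 dNSName name-constraint matching versus RFC 6125
wildcard hostname matching.  Illustrative code written for this page; it
is not OpenSSL's implementation and does not claim to mirror its edge cases.
"""


def _labels(name: str) -> list:
    # DNS names compare case-insensitively. A trailing dot (FQDN form) and a
    # leading dot (a constraint written as ".example") are stripped so every
    # name becomes a plain list of labels, right-most label last.
    return name.lower().rstrip(".").lstrip(".").split(".")


def dns_in_subtree(san: str, constraint: str) -> bool:
    """RFC 5280 section 4.2.1.10: a dNSName satisfies a constraint if it can be
    constructed by adding zero or more labels to the left-hand side of the
    constraint.  The comparison is literal: '*' is just another label."""
    san_l, con_l = _labels(san), _labels(constraint)
    if len(san_l) < len(con_l):
        return False
    return san_l[len(san_l) - len(con_l):] == con_l


def name_constraints_ok(san: str, permitted: list, excluded: list) -> bool:
    """A dNSName passes if it lies in no excluded subtree and, when any
    permitted dNSName subtree is present, in at least one permitted subtree."""
    if any(dns_in_subtree(san, c) for c in excluded):
        return False
    if permitted and not any(dns_in_subtree(san, c) for c in permitted):
        return False
    return True


def hostname_matches(san: str, host: str) -> bool:
    """RFC 6125-style matching as a TLS client does it: a '*' that is the
    entire left-most label matches exactly one label of the host; all other
    labels must be equal, and the label counts must agree."""
    san_l, host_l = _labels(san), _labels(host)
    if len(san_l) != len(host_l) or len(san_l) < 2:
        return False
    if san_l[0] == "*":
        return san_l[1:] == host_l[1:]
    return san_l == host_l


def wildcard_bypass(excluded_host: str = "secret.corp.example",
                    wildcard_san: str = "*.corp.example") -> tuple:
    """Return (constraint_passes, client_accepts) for a CA constrained to
    permittedSubtrees=[corp.example], excludedSubtrees=[excluded_host] that
    issues a certificate whose SAN is wildcard_san.  Both True means the
    exclusion did not prevent a certificate the client will use for the
    excluded host."""
    permitted = ["corp.example"]          # constructed PKI for the demo
    excluded = [excluded_host]
    constraint_passes = name_constraints_ok(wildcard_san, permitted, excluded)
    client_accepts = hostname_matches(wildcard_san, excluded_host)
    return constraint_passes, client_accepts


if __name__ == "__main__":
    print("literal excluded name passes constraints:",
          name_constraints_ok("secret.corp.example", ["corp.example"],
                              ["secret.corp.example"]))
    print("wildcard under excluded name passes constraints:",
          name_constraints_ok("*.secret.corp.example", ["corp.example"],
                              ["secret.corp.example"]))
    print("(constraint passes, client accepts for excluded host):",
          wildcard_bypass())
```

The only way to close the gap inside the constraint itself is to exclude the parent subtree (`corp.example`), which also removes every legitimate name the CA was meant to issue; a relying party that needs the exclusion to hold has to enforce it in its own hostname-verification policy rather than in the CA's nameConstraints extension.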

bob-beck added 2 commits May 28, 2026 04:44
I am doing this because I need to add information that really does
belong here, and the current stuff is less documentation than more or
less some hand-waving about how it works without any details.

So to summarize the changes:

1) This documents the current way that X509_verify_cert goes about
building and verifying a chain, identifying the relevant flags that
can affect how this happens today, and cross references the correct page
to find the rest of the exhaustive list of verification flags and what they do.

2) This documents the verification callback and how it can be used
to affect the verification outcome. This includes warning potential
users of the callback of what returning values from it means,
the common ways to end up unintentionally doing things you did not expect
with the callback, and that it depends upon internals and should not be
relied upon.
@bob-beck
Contributor Author

Based on #31314 - so hold until that lands and will rebase.

@bob-beck bob-beck added the hold: need rebase The pull request needs to be rebased label May 29, 2026
@bob-beck bob-beck force-pushed the name-constraints-doc branch from c8639ae to e440945 on May 29, 2026 13:44
@openssl-machine openssl-machine added the approval: review pending This pull request needs review by a committer label May 29, 2026
@bob-beck bob-beck requested review from t8m and vdukhovni May 29, 2026 13:44
We document which names and name constraints will be evaluated,
as well as the limits that will be placed on the evaluation on
a per-certificate basis.

We call out in the BUGS section that RFC 5280 requires a byte-per-byte
match of name constraints unless the higher-level protocol
has defined a different matching method for wildcards. This
"deferral of specification" and the corresponding lack of specification
by upper-level protocols means that encountering the default behaviour
across implementations is to be expected, and that therefore relying
on excluded names to constrain signers in a PKI from signing wildcards
is ill advised.

This is then cross-referenced in the documentation for X509_verify_cert,
and the maximum possible number of comparisons which can be forced in a
certificate validation is noted in the BUGS section of X509_verify_cert.

Fixes: openssl#30706
@bob-beck bob-beck force-pushed the name-constraints-doc branch from e440945 to ab37459 on May 29, 2026 14:08
@t8m t8m added the labels "triaged: documentation" (The issue/pr deals with documentation (errors)), "branch: 3.0" (Applies to openssl-3.0 branch), "branch: 3.4" (Applies to openssl-3.4), "branch: 3.5" (Applies to openssl-3.5), "branch: 3.6" (Applies to openssl-3.6), "branch: 4.0" (Applies to openssl-4.0) and "tests: exempted" (The PR is exempt from requirements for testing) on May 29, 2026
Development

Successfully merging this pull request may close these issues.

Document that wildcards in DNS SAN can bypass exclusions by name constraints