public_key, ssl: Patch 1112

    OTP-7046  Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6.

    OTP-8553  Moved extended key usage test for ssl values to ssl.

    OTP-8557  Fixes handling of the option fail_if_no_peer_cert and some
              undocumented options. Thanks to Rory Byrne.

    OTP-7046  Support for Diffie-Hellman. ssl-3.11 requires public_key-0.6.

    OTP-8517  New ssl now properly handles ssl renegotiation, and initiates
              a renegotiation if ssl/ltls-sequence numbers comes close
              to the max value. However RFC-5746 is not yet supported,
              but will be in an upcoming release.

    OTP-8545  When gen_tcp is configured with the {packet,http} option,
              it automatically switches to expect HTTP Headers after a
              HTTP Request/Response line has been received. This update
              fixes ssl to behave in the same way. Thanks to Rory Byrne.

    OTP-8554  Ssl now correctly verifies the extended_key_usage extension
              and also allows the user to verify application specific
              extensions by supplying an appropriate fun.

    OTP-8560  Fixed ssl:transport_accept/2 to return properly when socket
              is closed. Thanks to Rory Byrne.

2 files changed, 82 insertions, 4 deletions

diff --git a/lib/ssl/doc/src/new_ssl.xml b/lib/ssl/doc/src/new_ssl.xml
index b642280096..08868a1b3c 100644
--- a/lib/ssl/doc/src/new_ssl.xml
+++ b/lib/ssl/doc/src/new_ssl.xml
@@ -84,8 +84,6 @@
       <item>New API functions are
             ssl:shutdown/2, ssl:cipher_suites/[0,1] and
             ssl:versions/0</item>
-      <item>Diffie-Hellman keyexchange is
-            not supported yet.</item>
       <item>CRL and policy certificate
             extensions are not supported yet. </item>
       <item>Supported SSL/TLS-versions are SSL-3.0 and TLS-1.0 </item>
@@ -118,8 +116,8 @@
       {fail_if_no_peer_cert, boolean()}
       {depth, integer()} |
       {certfile, path()} | {keyfile, path()} | {password, string()} |
-      {cacertfile, path()} | {ciphers, ciphers()} | {ssl_imp, ssl_imp()}
-      | {reuse_sessions, boolean()} | {reuse_session, fun()}
+      {cacertfile, path()} | {dhfile, path()} | {ciphers, ciphers()} |
+      {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()} 
     </c></p>
 
     <p><c>transportoption() = {CallbackModule, DataTag, ClosedTag}
@@ -262,6 +260,12 @@ end
       CA certificates (trusted certificates used for verifying a peer
       certificate). May be omitted if you do not want to verify
       the peer.</item>
+
+      <tag>{dhfile, path()}</tag>
+      <item>Path to file containing PEM encoded Diffie Hellman parameters,
+      for the server to use if a cipher suite using Diffie Hellman key exchange
+      is negotiated. If not specified hardcode parameters will be used.
+      </item>
       
       <tag>{ciphers, ciphers()}</tag>
       <item>The function <c>ciphers_suites/0</c> can
@@ -491,6 +495,19 @@ end
     </func>
     
     <func>
+      <name>renegotiate(Socket) -> ok | {error, Reason}</name>
+      <fsummary> Initiates a new handshake.</fsummary>
+      <type>
+	<v>Socket = sslsocket()</v>
+      </type>
+      <desc><p>Initiates a new handshake. A notable return value is
+      <c>{error, renegotiation_rejected}</c> indicating that the peer
+      refused to go through with the renegotiation but the connection
+      is still active using the previously negotiated session.</p>
+      </desc>
+    </func>
+    
+    <func>
       <name>send(Socket, Data) -> ok | {error, Reason}</name>
       <fsummary>Write data to a socket.</fsummary>
       <type>
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 2dd11bc88e..9d13427677 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -30,6 +30,67 @@
   </header>
   <p>This document describes the changes made to the SSL application.
     </p>
+<section><title>SSL 3.11</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+            Fixes handling of the option fail_if_no_peer_cert and
+            some undocumented options. Thanks to Rory Byrne.</p>
+          <p>
+            Own Id: OTP-8557</p>
+        </item>
+      </list>
+    </section>
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+            Support for Diffie-Hellman. ssl-3.11 requires
+            public_key-0.6.</p>
+          <p>
+            Own Id: OTP-7046</p>
+        </item>
+        <item>
+          <p>
+            New ssl now properly handles ssl renegotiation, and
+            initiates a renegotiation if ssl/ltls-sequence numbers
+            comes close to the max value. However RFC-5746 is not yet
+            supported, but will be in an upcoming release.</p>
+          <p>
+            Own Id: OTP-8517</p>
+        </item>
+        <item>
+          <p>
+            When gen_tcp is configured with the {packet,http} option,
+            it automatically switches to expect HTTP Headers after a
+            HTTP Request/Response line has been received. This update
+            fixes ssl to behave in the same way. Thanks to Rory
+            Byrne.</p>
+          <p>
+            Own Id: OTP-8545</p>
+        </item>
+        <item>
+          <p>
+            Ssl now correctly verifies the extended_key_usage
+            extension and also allows the user to verify application
+            specific extensions by supplying an appropriate fun.</p>
+          <p>
+            Own Id: OTP-8554 Aux Id: OTP-8553 </p>
+        </item>
+        <item>
+          <p>
+            Fixed ssl:transport_accept/2 to return properly when
+            socket is closed. Thanks to Rory Byrne.</p>
+          <p>
+            Own Id: OTP-8560</p>
+        </item>
+      </list>
+    </section>
+
+</section>
 
 <section><title>SSL 3.10.9</title>