Removed global name from the certificate tabel

We want the certificate table to be handled the same way as the
session table and not have a global name, so that we may easier
create a separate ssl-manager to handle erlang distribution over ssl.

8 files changed, 143 insertions, 141 deletions

diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 8c0c2bfa5d..422ea6404b 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -30,9 +30,9 @@
 -include("ssl_internal.hrl").
 -include_lib("public_key/include/public_key.hrl"). 
 
--export([trusted_cert_and_path/2,
-	 certificate_chain/2, 
-	 file_to_certificats/1,
+-export([trusted_cert_and_path/3,
+	 certificate_chain/3,
+	 file_to_certificats/2,
 	 validate_extension/3,
 	 is_valid_extkey_usage/2,
 	 is_valid_key_usage/2,
@@ -46,14 +46,14 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec trusted_cert_and_path([der_cert()], certdb_ref()) ->
+-spec trusted_cert_and_path([der_cert()], db_handle(), certdb_ref()) ->
 				   {der_cert() | unknown_ca, [der_cert()]}.
 %%
 %% Description: Extracts the root cert (if not presents tries to 
 %% look it up, if not found {bad_cert, unknown_ca} will be added verification
 %% errors. Returns {RootCert, Path, VerifyErrors}
 %%--------------------------------------------------------------------
-trusted_cert_and_path(CertChain, CertDbRef) ->
+trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef) ->
     Path = [Cert | _] = lists:reverse(CertChain),
     OtpCert = public_key:pkix_decode_cert(Cert, otp),
     SignedAndIssuerID =
@@ -66,7 +66,7 @@ trusted_cert_and_path(CertChain, CertDbRef) ->
 		    {ok, IssuerId} ->
 			{other, IssuerId};
 		    {error, issuer_not_found} ->
-			case find_issuer(OtpCert, no_candidate) of
+			case find_issuer(OtpCert, no_candidate, CertDbHandle) of
 			    {ok, IssuerId} ->
 				{other, IssuerId};
 			    Other ->
@@ -82,7 +82,7 @@ trusted_cert_and_path(CertChain, CertDbRef) ->
 	{self, _} when length(Path) == 1 ->
 	    {selfsigned_peer, Path};
 	{_ ,{SerialNr, Issuer}} ->
-	    case ssl_manager:lookup_trusted_cert(CertDbRef, SerialNr, Issuer) of
+	    case ssl_manager:lookup_trusted_cert(CertDbHandle, CertDbRef, SerialNr, Issuer) of
 		{ok, {BinCert,_}} ->
 		    {BinCert, Path};
 		_ ->
@@ -92,23 +92,23 @@ trusted_cert_and_path(CertChain, CertDbRef) ->
     end.
 
 %%--------------------------------------------------------------------
--spec certificate_chain(undefined | binary(), certdb_ref()) -> 
+-spec certificate_chain(undefined | binary(), db_handle(), certdb_ref()) ->
 			  {error, no_cert} | {ok, [der_cert()]}.
 %%
 %% Description: Return the certificate chain to send to peer.
 %%--------------------------------------------------------------------
-certificate_chain(undefined, _CertsDbRef) ->
+certificate_chain(undefined, _, _) ->
     {error, no_cert};
-certificate_chain(OwnCert, CertsDbRef) ->
+certificate_chain(OwnCert, CertDbHandle, CertsDbRef) ->
     ErlCert = public_key:pkix_decode_cert(OwnCert, otp),
-    certificate_chain(ErlCert, OwnCert, CertsDbRef, [OwnCert]).
+    certificate_chain(ErlCert, OwnCert, CertDbHandle, CertsDbRef, [OwnCert]).
 %%--------------------------------------------------------------------
--spec file_to_certificats(string()) -> [der_cert()].
+-spec file_to_certificats(string(), term()) -> [der_cert()].
 %%
 %% Description: Return list of DER encoded certificates.
 %%--------------------------------------------------------------------
-file_to_certificats(File) -> 
-    {ok, List} = ssl_manager:cache_pem_file(File),
+file_to_certificats(File, DbHandle) ->
+    {ok, List} = ssl_manager:cache_pem_file(File, DbHandle),
     [Bin || {'Certificate', Bin, not_encrypted} <- List].
 %%--------------------------------------------------------------------
 -spec validate_extension(term(), #'Extension'{} | {bad_cert, atom()} | valid,
@@ -180,7 +180,7 @@ signature_type(?'id-dsa-with-sha1') ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-certificate_chain(OtpCert, _Cert, CertsDbRef, Chain) ->    
+certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->
     IssuerAndSelfSigned = 
 	case public_key:pkix_is_self_signed(OtpCert) of
 	    true ->
@@ -191,11 +191,11 @@ certificate_chain(OtpCert, _Cert, CertsDbRef, Chain) ->
     
     case IssuerAndSelfSigned of 
 	{_, true = SelfSigned} ->
-	    certificate_chain(CertsDbRef, Chain, ignore, ignore, SelfSigned);
+	    certificate_chain(CertDbHandle, CertsDbRef, Chain, ignore, ignore, SelfSigned);
 	{{error, issuer_not_found}, SelfSigned} ->
-	    case find_issuer(OtpCert, no_candidate) of
+	    case find_issuer(OtpCert, no_candidate, CertDbHandle) of
 		{ok, {SerialNr, Issuer}} ->
-		    certificate_chain(CertsDbRef, Chain, 
+		    certificate_chain(CertDbHandle, CertsDbRef, Chain,
 				      SerialNr, Issuer, SelfSigned);
 		_ ->
 		    %% Guess the the issuer must be the root
@@ -205,19 +205,19 @@ certificate_chain(OtpCert, _Cert, CertsDbRef, Chain) ->
 		    {ok, lists:reverse(Chain)}
 	    end;
 	{{ok, {SerialNr, Issuer}}, SelfSigned} -> 
-	    certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, SelfSigned)
+	    certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, SelfSigned)
     end.
   
-certificate_chain(_CertsDbRef, Chain, _SerialNr, _Issuer, true) ->
+certificate_chain(_,_, Chain, _SerialNr, _Issuer, true) ->
     {ok, lists:reverse(Chain)};
 
-certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) ->
-    case ssl_manager:lookup_trusted_cert(CertsDbRef, 
+certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) ->
+    case ssl_manager:lookup_trusted_cert(CertDbHandle, CertsDbRef,
 						SerialNr, Issuer) of
 	{ok, {IssuerCert, ErlCert}} ->
 	    ErlCert = public_key:pkix_decode_cert(IssuerCert, otp),
 	    certificate_chain(ErlCert, IssuerCert, 
-			      CertsDbRef, [IssuerCert | Chain]);
+			      CertDbHandle, CertsDbRef, [IssuerCert | Chain]);
 	_ ->
 	    %% The trusted cert may be obmitted from the chain as the
 	    %% counter part needs to have it anyway to be able to
@@ -227,8 +227,8 @@ certificate_chain(CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned) ->
 	    {ok, lists:reverse(Chain)}		      
     end.
 
-find_issuer(OtpCert, PrevCandidateKey) ->
-    case ssl_manager:issuer_candidate(PrevCandidateKey) of
+find_issuer(OtpCert, PrevCandidateKey, CertDbHandle) ->
+    case ssl_manager:issuer_candidate(PrevCandidateKey, CertDbHandle) of
  	no_more_candidates ->
  	    {error, issuer_not_found};
  	{Key, {_Cert, ErlCertCandidate}} ->
@@ -236,7 +236,7 @@ find_issuer(OtpCert, PrevCandidateKey) ->
 		true ->
 		    public_key:pkix_issuer_id(ErlCertCandidate, self);
 		false ->
-		    find_issuer(OtpCert, Key)
+		    find_issuer(OtpCert, Key, CertDbHandle)
 	    end
     end.
 
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 3eceefa304..0560a02110 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -26,8 +26,8 @@
 -include_lib("public_key/include/public_key.hrl").
 
 -export([create/0, remove/1, add_trusted_certs/3, 
-	 remove_trusted_certs/2, lookup_trusted_cert/3, issuer_candidate/1,
-	 lookup_cached_certs/1, cache_pem_file/4, uncache_pem_file/2, lookup/2]).
+	 remove_trusted_certs/2, lookup_trusted_cert/4, issuer_candidate/2,
+	 lookup_cached_certs/2, cache_pem_file/4, uncache_pem_file/2, lookup/2]).
 
 -type time()      :: {non_neg_integer(), non_neg_integer(), non_neg_integer()}.
 
@@ -36,19 +36,19 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec create() -> certdb_ref().
+-spec create() -> [db_handle()].
 %% 
 %% Description: Creates a new certificate db.
-%% Note: lookup_trusted_cert/3 may be called from any process but only
+%% Note: lookup_trusted_cert/4 may be called from any process but only
 %% the process that called create may call the other functions.
 %%--------------------------------------------------------------------
 create() ->
-    [ets:new(certificate_db_name(), [named_table, set, protected]),
-     ets:new(ssl_file_to_ref, [named_table, set, protected]),
+    [ets:new(ssl_otp_certificate_db, [set, protected]),
+     ets:new(ssl_file_to_ref, [set, protected]),
      ets:new(ssl_pid_to_file, [bag, private])]. 
 
 %%--------------------------------------------------------------------
--spec remove(certdb_ref()) -> term().
+-spec remove([db_handle()]) -> term().
 %%
 %% Description: Removes database db  
 %%--------------------------------------------------------------------
@@ -56,7 +56,7 @@ remove(Dbs) ->
     lists:foreach(fun(Db) -> true = ets:delete(Db) end, Dbs).
 
 %%--------------------------------------------------------------------
--spec lookup_trusted_cert(reference(), serialnumber(), issuer()) -> 
+-spec lookup_trusted_cert(db_handle(), certdb_ref(), serialnumber(), issuer()) ->
 				 undefined | {ok, {der_cert(), #'OTPCertificate'{}}}.
 
 %%
@@ -64,19 +64,19 @@ remove(Dbs) ->
 %% <SerialNumber, Issuer>. Ref is used as it is specified  
 %% for each connection which certificates are trusted.
 %%--------------------------------------------------------------------
-lookup_trusted_cert(Ref, SerialNumber, Issuer) ->
-    case lookup({Ref, SerialNumber, Issuer}, certificate_db_name()) of
+lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer) ->
+    case lookup({Ref, SerialNumber, Issuer}, DbHandle) of
 	undefined ->
 	    undefined;
 	[Certs] ->
 	    {ok, Certs}
     end.
 
-lookup_cached_certs(File) ->
-    ets:lookup(certificate_db_name(), {file, File}).
+lookup_cached_certs(DbHandle, File) ->
+    ets:lookup(DbHandle, {file, File}).
 
 %%--------------------------------------------------------------------
--spec add_trusted_certs(pid(), string() | {der, list()}, certdb_ref()) -> {ok, certdb_ref()}.
+-spec add_trusted_certs(pid(), string() | {der, list()}, [db_handle()]) -> {ok, [db_handle()]}.
 %%
 %% Description: Adds the trusted certificates from file <File> to the
 %% runtime database. Returns Ref that should be handed to lookup_trusted_cert
@@ -100,7 +100,7 @@ add_trusted_certs(Pid, File, [CertsDb, FileToRefDb, PidToFileDb]) ->
     insert(Pid, File, PidToFileDb),
     {ok, Ref}.
 %%--------------------------------------------------------------------
--spec cache_pem_file(pid(), string(), time(), certdb_ref()) -> term().
+-spec cache_pem_file(pid(), string(), time(), [db_handle()]) -> term().
 %%
 %% Description: Cache file as binary in DB
 %%--------------------------------------------------------------------
@@ -112,7 +112,7 @@ cache_pem_file(Pid, File, Time, [CertsDb, _FileToRefDb, PidToFileDb]) ->
     {ok, Content}.
 
 %--------------------------------------------------------------------
--spec uncache_pem_file(string(), certdb_ref()) -> no_return().
+-spec uncache_pem_file(string(), [db_handle()]) -> no_return().
 %%
 %% Description: If a cached file is no longer valid (changed on disk)
 %% we must terminate the connections using the old file content, and
@@ -130,7 +130,7 @@ uncache_pem_file(File, [_CertsDb, _FileToRefDb, PidToFileDb]) ->
 
 
 %%--------------------------------------------------------------------
--spec remove_trusted_certs(pid(), certdb_ref()) -> term().
+-spec remove_trusted_certs(pid(), [db_handle()]) -> term().
 				  
 %%
 %% Description: Removes trusted certs originating from 
@@ -161,7 +161,7 @@ remove_trusted_certs(Pid, [CertsDb, FileToRefDb, PidToFileDb]) ->
     end.
 
 %%--------------------------------------------------------------------
--spec issuer_candidate(no_candidate | cert_key() | {file, term()}) -> 
+-spec issuer_candidate(no_candidate | cert_key() | {file, term()}, term()) ->
 			      {cert_key(),{der_cert(), #'OTPCertificate'{}}} | no_more_candidates.
 %%
 %% Description: If a certificat does not define its issuer through
@@ -169,32 +169,30 @@ remove_trusted_certs(Pid, [CertsDb, FileToRefDb, PidToFileDb]) ->
 %%              try to find the issuer in the database over known
 %%              certificates. 
 %%--------------------------------------------------------------------
-issuer_candidate(no_candidate) ->
-    Db = certificate_db_name(),
+issuer_candidate(no_candidate, Db) ->
     case ets:first(Db) of
  	'$end_of_table' ->
  	    no_more_candidates;
 	{file, _} = Key ->
-	    issuer_candidate(Key);
+	    issuer_candidate(Key, Db);
  	Key ->
 	    [Cert] = lookup(Key, Db),
  	    {Key, Cert}
     end;
 
-issuer_candidate(PrevCandidateKey) ->	    
-    Db = certificate_db_name(),
+issuer_candidate(PrevCandidateKey, Db) ->
     case ets:next(Db, PrevCandidateKey) of
  	'$end_of_table' ->
  	    no_more_candidates;
 	{file, _} = Key ->
-	    issuer_candidate(Key);
+	    issuer_candidate(Key, Db);
  	Key ->
 	    [Cert] = lookup(Key, Db),
  	    {Key, Cert}
     end.
 
 %%--------------------------------------------------------------------
--spec lookup(term(), term()) -> term() | undefined.
+-spec lookup(term(), db_handle()) -> term() | undefined.
 %%
 %% Description: Looks up an element in a certificat <Db>.
 %%--------------------------------------------------------------------
@@ -212,9 +210,6 @@ lookup(Key, Db) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-certificate_db_name() ->
-    ssl_otp_certificate_db.
-
 insert(Key, Data, Db) ->
     true = ets:insert(Db, {Key, Data}).
 
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 5550897a06..21b021afb0 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -70,6 +70,7 @@
 	  %% {{md5_hash, sha_hash}, {prev_md5, prev_sha}} (binary())
           tls_handshake_hashes, % see above 
           tls_cipher_texts,     % list() received but not deciphered yet
+	  cert_db,              %
           session,              % #session{} from ssl_handshake.hrl
 	  session_cache,        % 
 	  session_cache_cb,     %
@@ -305,12 +306,13 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,
     Hashes0 = ssl_handshake:init_hashes(),    
 
     try ssl_init(SSLOpts0, Role) of
-	{ok, Ref, CacheRef, OwnCert, Key, DHParams} ->	   
+	{ok, Ref, CertDbHandle, CacheHandle, OwnCert, Key, DHParams} ->
 	    Session = State0#state.session,
 	    State = State0#state{tls_handshake_hashes = Hashes0,
 				 session = Session#session{own_certificate = OwnCert},
 				 cert_db_ref = Ref,
-				 session_cache = CacheRef,
+				 cert_db = CertDbHandle,
+				 session_cache = CacheHandle,
 				 private_key = Key,
 				 diffie_hellman_params = DHParams},
 	    {ok, hello, State, get_timeout(State)}
@@ -500,9 +502,10 @@ certify(#certificate{asn1_certificates = []},
 certify(#certificate{} = Cert, 
         #state{negotiated_version = Version,
 	       role = Role,
+	       cert_db = CertDbHandle,
 	       cert_db_ref = CertDbRef,
 	       ssl_options = Opts} = State) ->
-    case ssl_handshake:certify(Cert, CertDbRef, Opts#ssl_options.depth, 
+    case ssl_handshake:certify(Cert, CertDbHandle, CertDbRef, Opts#ssl_options.depth,
 			       Opts#ssl_options.verify,
 			       Opts#ssl_options.verify_fun, Role) of
         {PeerCert, PublicKeyInfo} ->
@@ -1044,19 +1047,19 @@ start_fsm(Role, Host, Port, Socket, Opts,  User, {CbModule, _,_, _} = CbInfo,
     end.
 
 ssl_init(SslOpts, Role) ->
-    {ok, CertDbRef, CacheRef, OwnCert} = init_certificates(SslOpts, Role),
+    {ok, CertDbRef, CertDbHandle, CacheHandle, OwnCert} = init_certificates(SslOpts, Role),
     PrivateKey =
-	init_private_key(SslOpts#ssl_options.key, SslOpts#ssl_options.keyfile,
+	init_private_key(CertDbHandle, SslOpts#ssl_options.key, SslOpts#ssl_options.keyfile,
 			 SslOpts#ssl_options.password, Role),
-    DHParams = init_diffie_hellman(SslOpts#ssl_options.dh, SslOpts#ssl_options.dhfile, Role),
-    {ok, CertDbRef, CacheRef, OwnCert, PrivateKey, DHParams}.
+    DHParams = init_diffie_hellman(CertDbHandle, SslOpts#ssl_options.dh, SslOpts#ssl_options.dhfile, Role),
+    {ok, CertDbRef, CertDbHandle, CacheHandle, OwnCert, PrivateKey, DHParams}.
 
 
 init_certificates(#ssl_options{cacerts = CaCerts,
 			       cacertfile = CACertFile,
 			       certfile = CertFile,
 			       cert = Cert}, Role) ->
-    {ok, CertDbRef, CacheRef} = 
+    {ok, CertDbRef, CertDbHandle, CacheHandle} =
 	try 
 	    Certs = case CaCerts of
 			undefined ->
@@ -1064,44 +1067,44 @@ init_certificates(#ssl_options{cacerts = CaCerts,
 			_ ->
 			    {der, CaCerts}
 		    end,
-	    {ok, _, _} = ssl_manager:connection_init(Certs, Role)
+	    {ok, _, _, _} = ssl_manager:connection_init(Certs, Role)
 	catch
 	    Error:Reason ->
 		handle_file_error(?LINE, Error, Reason, CACertFile, ecacertfile,
 				  erlang:get_stacktrace())
 	end,
-    init_certificates(Cert, CertDbRef, CacheRef, CertFile, Role).
+    init_certificates(Cert, CertDbRef, CertDbHandle, CacheHandle, CertFile, Role).
 
-init_certificates(undefined, CertDbRef, CacheRef, "", _) ->
-    {ok, CertDbRef, CacheRef, undefined};
+init_certificates(undefined, CertDbRef, CertDbHandle, CacheHandle, "", _) ->
+    {ok, CertDbRef, CertDbHandle, CacheHandle, undefined};
 
-init_certificates(undefined, CertDbRef, CacheRef, CertFile, client) ->
+init_certificates(undefined, CertDbRef, CertDbHandle, CacheHandle, CertFile, client) ->
     try 
-	[OwnCert] = ssl_certificate:file_to_certificats(CertFile),
-	{ok, CertDbRef, CacheRef, OwnCert}
+	[OwnCert] = ssl_certificate:file_to_certificats(CertFile, CertDbHandle),
+	{ok, CertDbRef, CertDbHandle, CacheHandle, OwnCert}
     catch _Error:_Reason  ->
-	    {ok, CertDbRef, CacheRef, undefined}
+	    {ok, CertDbRef, CertDbHandle, CacheHandle, undefined}
     end;
 
-init_certificates(undefined, CertDbRef, CacheRef, CertFile, server) ->
+init_certificates(undefined, CertDbRef, CertDbHandle, CacheRef, CertFile, server) ->
     try
-	[OwnCert] = ssl_certificate:file_to_certificats(CertFile),
-	{ok, CertDbRef, CacheRef, OwnCert}
+	[OwnCert] = ssl_certificate:file_to_certificats(CertFile, CertDbHandle),
+	{ok, CertDbRef, CertDbHandle, CacheRef, OwnCert}
     catch
 	Error:Reason ->
 	    handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,
 			      erlang:get_stacktrace())
     end;
-init_certificates(Cert, CertDbRef, CacheRef, _, _) ->
-    {ok, CertDbRef, CacheRef, Cert}.
+init_certificates(Cert, CertDbRef, CertDbHandle, CacheRef, _, _) ->
+    {ok, CertDbRef, CertDbHandle, CacheRef, Cert}.
 
-init_private_key(undefined, "", _Password, _Client) ->
+init_private_key(_, undefined, "", _Password, _Client) ->
     undefined;
-init_private_key(undefined, KeyFile, Password, _)  -> 
+init_private_key(DbHandle, undefined, KeyFile, Password, _) ->
     try
-	{ok, List} = ssl_manager:cache_pem_file(KeyFile), 
+	{ok, List} = ssl_manager:cache_pem_file(KeyFile, DbHandle),
 	[PemEntry] = [PemEntry || PemEntry = {PKey, _ , _} <- List,
-				  PKey =:= 'RSAPrivateKey' orelse 
+				  PKey =:= 'RSAPrivateKey' orelse
 				      PKey =:= 'DSAPrivateKey'],
 	public_key:pem_entry_decode(PemEntry, Password)
     catch 
@@ -1110,9 +1113,9 @@ init_private_key(undefined, KeyFile, Password, _)  ->
 			      erlang:get_stacktrace()) 
     end;
 
-init_private_key({rsa, PrivateKey}, _, _,_) ->
+init_private_key(_,{rsa, PrivateKey}, _, _,_) ->
     public_key:der_decode('RSAPrivateKey', PrivateKey);
-init_private_key({dsa, PrivateKey},_,_,_) ->
+init_private_key(_,{dsa, PrivateKey},_,_,_) ->
     public_key:der_decode('DSAPrivateKey', PrivateKey).
 
 -spec(handle_file_error(_,_,_,_,_,_) -> no_return()).
@@ -1128,15 +1131,15 @@ file_error(Line, Error, Reason, File, Throw, Stack) ->
     error_logger:error_report(Report),
     throw(Throw).
 
-init_diffie_hellman(Params, _,_) when is_binary(Params)->
+init_diffie_hellman(_,Params, _,_) when is_binary(Params)->
     public_key:der_decode('DHParameter', Params);
-init_diffie_hellman(_,_, client) ->
+init_diffie_hellman(_,_,_, client) ->
     undefined;
-init_diffie_hellman(_,undefined, _) ->
+init_diffie_hellman(_,_,undefined, _) ->
     ?DEFAULT_DIFFIE_HELLMAN_PARAMS;
-init_diffie_hellman(_, DHParamFile, server) ->
+init_diffie_hellman(DbHandle,_, DHParamFile, server) ->
     try
-	{ok, List} = ssl_manager:cache_pem_file(DHParamFile), 
+	{ok, List} = ssl_manager:cache_pem_file(DHParamFile,DbHandle),
 	case [Entry || Entry = {'DHParameter', _ , _} <- List] of
 	    [Entry] ->
 		public_key:pem_entry_decode(Entry);
@@ -1180,11 +1183,12 @@ certify_client(#state{client_certificate_requested = true, role = client,
                       connection_states = ConnectionStates0,
                       transport_cb = Transport,
                       negotiated_version = Version,
+		      cert_db = CertDbHandle,
                       cert_db_ref = CertDbRef,
 		      session = #session{own_certificate = OwnCert},
                       socket = Socket,
                       tls_handshake_hashes = Hashes0} = State) ->
-    Certificate = ssl_handshake:certificate(OwnCert, CertDbRef, client),
+    Certificate = ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, client),
     {BinCert, ConnectionStates1, Hashes1} =
         encode_handshake(Certificate, Version, ConnectionStates0, Hashes0),
     Transport:send(Socket, BinCert),
@@ -1365,9 +1369,10 @@ certify_server(#state{transport_cb = Transport,
 		      negotiated_version = Version,
 		      connection_states = ConnectionStates,
 		      tls_handshake_hashes = Hashes,
+		      cert_db = CertDbHandle,
 		      cert_db_ref = CertDbRef,
 		      session = #session{own_certificate = OwnCert}} = State) ->
-    case ssl_handshake:certificate(OwnCert, CertDbRef, server) of
+    case ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, server) of
 	CertMsg = #certificate{} ->
 	    {BinCertMsg, NewConnectionStates, NewHashes} =
 		encode_handshake(CertMsg, Version, ConnectionStates, Hashes),
@@ -1454,12 +1459,13 @@ rsa_key_exchange(_, _) ->
 
 request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer},
 			   connection_states = ConnectionStates0,
+			   cert_db = CertDbHandle,
 			   cert_db_ref = CertDbRef,
 			   tls_handshake_hashes = Hashes0,
 			   negotiated_version = Version,
 			   socket = Socket,
 			   transport_cb = Transport} = State) ->
-    Msg = ssl_handshake:certificate_request(ConnectionStates0, CertDbRef),
+    Msg = ssl_handshake:certificate_request(ConnectionStates0, CertDbHandle, CertDbRef),
     {BinMsg, ConnectionStates1, Hashes1} =
         encode_handshake(Msg, Version, ConnectionStates0, Hashes0),
     Transport:send(Socket, BinMsg),
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 1f4c44d115..4e74aec4ac 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -31,9 +31,9 @@
 -include_lib("public_key/include/public_key.hrl").
 
 -export([master_secret/4, client_hello/6, server_hello/4, hello/4,
-	 hello_request/0, certify/6, certificate/3,
+	 hello_request/0, certify/7, certificate/4,
 	 client_certificate_verify/5, certificate_verify/5,
-	 certificate_request/2, key_exchange/2, server_key_exchange_hash/2,
+	 certificate_request/3, key_exchange/2, server_key_exchange_hash/2,
 	 finished/4, verify_connection/5, get_tls_handshake/2,
 	 decode_client_key/3, server_hello_done/0,
 	 encode_handshake/2, init_hashes/0, update_hashes/2,
@@ -106,7 +106,7 @@ hello_request() ->
 
 %%--------------------------------------------------------------------
 -spec hello(#server_hello{} | #client_hello{}, #ssl_options{},
- 	    #connection_states{} | {port_num(), #session{}, cache_ref(),
+	    #connection_states{} | {port_num(), #session{}, db_handle(),
  				    atom(), #connection_states{}, binary()},
  	    boolean()) -> {tls_version(), session_id(), #connection_states{}}| 
  			  {tls_version(), {resumed | new, #session{}}, 
@@ -173,13 +173,13 @@ hello(#client_hello{client_version = ClientVersion, random = Random,
     end.
 
 %%--------------------------------------------------------------------
--spec certify(#certificate{}, term(), integer() | nolimit,
+-spec certify(#certificate{}, db_handle(), certdb_ref(), integer() | nolimit,
 	      verify_peer | verify_none, {fun(), term},
 	      client | server) ->  {der_cert(), public_key_info()} | #alert{}.
 %%
 %% Description: Handles a certificate handshake message
 %%--------------------------------------------------------------------
-certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
+certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
 	MaxPathLen, _Verify, VerifyFunAndState, Role) ->
     [PeerCert | _] = ASN1Certs,
       
@@ -208,7 +208,7 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
 	end,
 
     {TrustedErlCert, CertPath}  =
-	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbRef),
+	ssl_certificate:trusted_cert_and_path(ASN1Certs, CertDbHandle, CertDbRef),
 
     case public_key:pkix_path_validation(TrustedErlCert,
 					 CertPath,
@@ -222,13 +222,13 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
     end.
 
 %%--------------------------------------------------------------------
--spec certificate(der_cert(), term(), client | server) -> #certificate{} | #alert{}. 
+-spec certificate(der_cert(), db_handle(), certdb_ref(), client | server) -> #certificate{} | #alert{}.
 %%
 %% Description: Creates a certificate message.
 %%--------------------------------------------------------------------
-certificate(OwnCert, CertDbRef, client) ->
+certificate(OwnCert, CertDbHandle, CertDbRef, client) ->
     Chain =
-	case ssl_certificate:certificate_chain(OwnCert, CertDbRef) of
+	case ssl_certificate:certificate_chain(OwnCert, CertDbHandle, CertDbRef) of
 	    {ok, CertChain} ->
 		CertChain;
 	    {error, _} -> 
@@ -239,8 +239,8 @@ certificate(OwnCert, CertDbRef, client) ->
 	end,
     #certificate{asn1_certificates = Chain};
 
-certificate(OwnCert, CertDbRef, server) -> 
-    case ssl_certificate:certificate_chain(OwnCert, CertDbRef) of
+certificate(OwnCert, CertDbHandle, CertDbRef, server) ->
+    case ssl_certificate:certificate_chain(OwnCert, CertDbHandle, CertDbRef) of
 	{ok, Chain} ->
 	    #certificate{asn1_certificates = Chain};
 	{error, _} ->
@@ -302,17 +302,17 @@ certificate_verify(Signature, {?'id-dsa' = Algorithm, PublicKey, PublicKeyParams
 
 
 %%--------------------------------------------------------------------
--spec certificate_request(#connection_states{}, certdb_ref()) -> 
+-spec certificate_request(#connection_states{}, db_handle(), certdb_ref()) ->
     #certificate_request{}.
 %%
 %% Description: Creates a certificate_request message, called by the server.
 %%--------------------------------------------------------------------
-certificate_request(ConnectionStates, CertDbRef) ->
+certificate_request(ConnectionStates, CertDbHandle, CertDbRef) ->
     #connection_state{security_parameters = 
 		      #security_parameters{cipher_suite = CipherSuite}} =
 	ssl_record:pending_connection_state(ConnectionStates, read),
     Types = certificate_types(CipherSuite),
-    Authorities = certificate_authorities(CertDbRef),
+    Authorities = certificate_authorities(CertDbHandle, CertDbRef),
     #certificate_request{
 		    certificate_types = Types,
 		    certificate_authorities = Authorities
@@ -1071,8 +1071,8 @@ certificate_types({KeyExchange, _, _, _})
 certificate_types(_) ->
     <<?BYTE(?RSA_SIGN)>>.
 
-certificate_authorities(CertDbRef) ->
-    Authorities = certificate_authorities_from_db(CertDbRef),
+certificate_authorities(CertDbHandle, CertDbRef) ->
+    Authorities = certificate_authorities_from_db(CertDbHandle, CertDbRef),
     Enc = fun(#'OTPCertificate'{tbsCertificate=TBSCert}) ->
 		  OTPSubj = TBSCert#'OTPTBSCertificate'.subject,
 		  DNEncodedBin = public_key:pkix_encode('Name', OTPSubj, otp),
@@ -1084,18 +1084,18 @@ certificate_authorities(CertDbRef) ->
 	  end,
     list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]).
 
-certificate_authorities_from_db(CertDbRef) ->
-    certificate_authorities_from_db(CertDbRef, no_candidate, []).
+certificate_authorities_from_db(CertDbHandle, CertDbRef) ->
+    certificate_authorities_from_db(CertDbHandle, CertDbRef, no_candidate, []).
 
-certificate_authorities_from_db(CertDbRef, PrevKey, Acc) ->
-    case ssl_manager:issuer_candidate(PrevKey) of
+certificate_authorities_from_db(CertDbHandle,CertDbRef, PrevKey, Acc) ->
+    case ssl_manager:issuer_candidate(PrevKey, CertDbHandle) of
 	no_more_candidates ->
 	    lists:reverse(Acc);
 	{{CertDbRef, _, _} = Key, Cert} ->
-	    certificate_authorities_from_db(CertDbRef, Key, [Cert|Acc]);
+	    certificate_authorities_from_db(CertDbHandle, CertDbRef, Key, [Cert|Acc]);
 	{Key, _Cert} ->
 	    %% skip certs not from this ssl connection
-	    certificate_authorities_from_db(CertDbRef, Key, Acc)
+	    certificate_authorities_from_db(CertDbHandle, CertDbRef, Key, Acc)
     end.
 
 digitally_signed(Hash, #'RSAPrivateKey'{} = Key) ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index c28daa271e..cc66246068 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -33,8 +33,8 @@
 -type session_id()        :: 0 | binary().
 -type tls_version()       :: {integer(), integer()}.
 -type tls_atom_version()  :: sslv3 | tlsv1.
--type cache_ref()         :: term().
--type certdb_ref()        :: term().
+-type certdb_ref()        :: reference().
+-type db_handle()         :: term().
 -type key_algo()          :: null | rsa | dhe_rsa | dhe_dss | dh_anon.
 -type der_cert()          :: binary().
 -type private_key()       :: #'RSAPrivateKey'{} | #'DSAPrivateKey'{}.
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 371bfafae0..b02815bfd8 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -28,8 +28,8 @@
 
 %% Internal application API
 -export([start_link/1, 
-	 connection_init/2, cache_pem_file/1,
-	 lookup_trusted_cert/3, issuer_candidate/1, client_session_id/4,
+	 connection_init/2, cache_pem_file/2,
+	 lookup_trusted_cert/4, issuer_candidate/2, client_session_id/4,
 	 server_session_id/4,
 	 register_session/2, register_session/3, invalidate_session/2,
 	 invalidate_session/3]).
@@ -73,45 +73,45 @@ start_link(Opts) ->
 
 %%--------------------------------------------------------------------
 -spec connection_init(string()| {der, list()}, client | server) ->
-			     {ok, reference(), cache_ref()}.
+			     {ok, certdb_ref(), db_handle(), db_handle()}.
 %%			     
 %% Description: Do necessary initializations for a new connection.
 %%--------------------------------------------------------------------
 connection_init(Trustedcerts, Role) ->
     call({connection_init, Trustedcerts, Role}).
 %%--------------------------------------------------------------------
--spec cache_pem_file(string()) -> {ok, term()} | {error, reason()}.
+-spec cache_pem_file(string(), term()) -> {ok, term()} | {error, reason()}.
 %%		    
 %% Description: Cach a pem file and return its content.
 %%--------------------------------------------------------------------
-cache_pem_file(File) ->
+cache_pem_file(File, DbHandle) ->
     try file:read_file_info(File) of
 	{ok, #file_info{mtime = LastWrite}} ->
-	    cache_pem_file(File, LastWrite)
+	    cache_pem_file(File, LastWrite, DbHandle)
     catch
 	_:Reason ->
 	    {error, Reason}
     end.
 %%--------------------------------------------------------------------
--spec lookup_trusted_cert(reference(), serialnumber(), issuer()) -> 
+-spec lookup_trusted_cert(term(), reference(), serialnumber(), issuer()) ->
 				 undefined | 
 				 {ok, {der_cert(), #'OTPCertificate'{}}}.
 %%				 
 %% Description: Lookup the trusted cert with Key = {reference(),
 %% serialnumber(), issuer()}.
 %% --------------------------------------------------------------------
-lookup_trusted_cert(Ref, SerialNumber, Issuer) ->
-    ssl_certificate_db:lookup_trusted_cert(Ref, SerialNumber, Issuer).
+lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer) ->
+    ssl_certificate_db:lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer).
 %%--------------------------------------------------------------------
--spec issuer_candidate(cert_key() | no_candidate) -> 
+-spec issuer_candidate(cert_key() | no_candidate, term()) ->
 			      {cert_key(),
 			       {der_cert(),
 				#'OTPCertificate'{}}} | no_more_candidates.
 %%
 %% Description: Return next issuer candidate.
 %%--------------------------------------------------------------------
-issuer_candidate(PrevCandidateKey) ->
-    ssl_certificate_db:issuer_candidate(PrevCandidateKey).
+issuer_candidate(PrevCandidateKey, DbHandle) ->
+    ssl_certificate_db:issuer_candidate(PrevCandidateKey, DbHandle).
 %%--------------------------------------------------------------------
 -spec client_session_id(host(), port_num(), #ssl_options{},
 			der_cert() | undefined) -> session_id().
@@ -193,19 +193,20 @@ init([Opts]) ->
 %% Description: Handling call messages
 %%--------------------------------------------------------------------
 handle_call({{connection_init, "", _Role}, Pid}, _From, 
-	    #state{session_cache = Cache} = State) ->
+	    #state{certificate_db = [CertDb |_],
+		   session_cache = Cache} = State) ->
     erlang:monitor(process, Pid),
-    Result = {ok, make_ref(), Cache},
+    Result = {ok, make_ref(),CertDb, Cache},
     {reply, Result, State};
 
 handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From,
-	    #state{certificate_db = Db,
+	    #state{certificate_db = [CertDb|_] =Db,
 		   session_cache = Cache} = State) ->
     erlang:monitor(process, Pid),
     Result = 
 	try
 	    {ok, Ref} = ssl_certificate_db:add_trusted_certs(Pid, Trustedcerts, Db),
-	    {ok, Ref, Cache}
+	    {ok, Ref, CertDb, Cache}
 	catch
 	    _:Reason ->
 		{error, Reason}
@@ -411,8 +412,8 @@ session_validation({{Port, _}, Session}, LifeTime) ->
     validate_session(Port, Session, LifeTime),
     LifeTime.
 
-cache_pem_file(File, LastWrite) ->
-    case ssl_certificate_db:lookup_cached_certs(File) of
+cache_pem_file(File, LastWrite, DbHandle) ->
+    case ssl_certificate_db:lookup_cached_certs(DbHandle,File) of
 	[{_, {Mtime, Content}}] ->
 	    case LastWrite of
 		Mtime ->
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index dc4b7a711c..85c9fcb61c 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %% 
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %% 
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -48,7 +48,7 @@ is_new(_ClientSuggestion, _ServerDecision) ->
     true.
 
 %%--------------------------------------------------------------------
--spec id({host(), port_num(), #ssl_options{}}, cache_ref(), atom(),
+-spec id({host(), port_num(), #ssl_options{}}, db_handle(), atom(),
 	 undefined | binary()) -> binary().
 %%
 %% Description: Should be called by the client side to get an id 
@@ -63,7 +63,7 @@ id(ClientInfo, Cache, CacheCb, OwnCert) ->
     end.
 
 %%--------------------------------------------------------------------
--spec id(port_num(), binary(), #ssl_options{}, cache_ref(), 
+-spec id(port_num(), binary(), #ssl_options{}, db_handle(),
 	 atom(), seconds(), binary()) -> binary().
 %%
 %% Description: Should be called by the server side to get an id 
diff --git a/lib/ssl/src/ssl_session_cache.erl b/lib/ssl/src/ssl_session_cache.erl
index c1be6691be..66610817be 100644
--- a/lib/ssl/src/ssl_session_cache.erl
+++ b/lib/ssl/src/ssl_session_cache.erl
@@ -31,7 +31,7 @@
 -type key() :: {{host(), port_num()}, session_id()} |  {port_num(), session_id()}.
 
 %%--------------------------------------------------------------------
--spec init(list()) -> cache_ref(). %% Returns reference to the cache (opaque)    
+-spec init(list()) -> db_handle(). %% Returns reference to the cache (opaque)
 %%
 %% Description: Return table reference. Called by ssl_manager process. 
 %%--------------------------------------------------------------------
@@ -39,7 +39,7 @@ init(_) ->
     ets:new(cache_name(), [set, protected]).
 
 %%--------------------------------------------------------------------
--spec terminate(cache_ref()) -> any(). %%    
+-spec terminate(db_handle()) -> any().
 %%
 %% Description: Handles cache table at termination of ssl manager. 
 %%--------------------------------------------------------------------
@@ -47,7 +47,7 @@ terminate(Cache) ->
     ets:delete(Cache).
 
 %%--------------------------------------------------------------------
--spec lookup(cache_ref(), key()) -> #session{} | undefined.
+-spec lookup(db_handle(), key()) -> #session{} | undefined.
 %%
 %% Description: Looks up a cach entry. Should be callable from any
 %% process.
@@ -61,7 +61,7 @@ lookup(Cache, Key) ->
     end.
 
 %%--------------------------------------------------------------------
--spec update(cache_ref(), key(), #session{}) -> any().
+-spec update(db_handle(), key(), #session{}) -> any().
 %%
 %% Description: Caches a new session or updates a already cached one.
 %% Will only be called from the ssl_manager process.
@@ -70,7 +70,7 @@ update(Cache, Key, Session) ->
     ets:insert(Cache, {Key, Session}).
 
 %%--------------------------------------------------------------------
--spec delete(cache_ref(), key()) -> any().
+-spec delete(db_handle(), key()) -> any().
 %%
 %% Description: Delets a cache entry.
 %% Will only be called from the ssl_manager process.
@@ -79,7 +79,7 @@ delete(Cache, Key) ->
     ets:delete(Cache, Key).
 
 %%--------------------------------------------------------------------
--spec foldl(fun(), term(), cache_ref()) -> term().
+-spec foldl(fun(), term(), db_handle()) -> term().
 %%
 %% Description: Calls Fun(Elem, AccIn) on successive elements of the
 %% cache, starting with AccIn == Acc0. Fun/2 must return a new
@@ -91,7 +91,7 @@ foldl(Fun, Acc0, Cache) ->
     ets:foldl(Fun, Acc0, Cache).
   
 %%--------------------------------------------------------------------
--spec select_session(cache_ref(), {host(), port_num()} | port_num()) -> [#session{}].
+-spec select_session(db_handle(), {host(), port_num()} | port_num()) -> [#session{}].
 %%
 %% Description: Selects a session that could be reused. Should be callable
 %% from any process.