ssl: Refactor to use maps for the connection states

13 files changed, 488 insertions, 495 deletions

diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index c02cf51a9a..479f68f4bb 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -97,10 +97,11 @@ send_handshake(Handshake, State) ->
     send_handshake_flight(queue_handshake(Handshake, State)).
 
 queue_flight_buffer(Msg, #state{negotiated_version = Version,
-				connection_states = #connection_states{
-				  current_write =
-				      #connection_state{epoch = Epoch}},
+				connection_states = ConnectionStates,
 				flight_buffer = Flight} = State) ->
+    ConnectionState = 
+	ssl_record:current_connection_state(ConnectionStates, write),
+    Epoch = maps:get(epoch, ConnectionState),
     State#state{flight_buffer = Flight ++ [{Version, Epoch, Msg}]}.
 
 queue_handshake(Handshake, #state{negotiated_version = Version,
@@ -494,12 +495,12 @@ encode_handshake_record(_Version, _Epoch, _Space, _MsgType, _MsgSeq, _Len, <<>>,
 encode_handshake_record(Version, Epoch, Space, MsgType, MsgSeq, Len, Bin,
 			Offset, MRS, Encoded0, CS0) ->
     MaxFragmentLen = Space - 25,
-    case Bin of
-	<<BinFragment:MaxFragmentLen/bytes, Rest/binary>> ->
-	    ok;
+    {BinFragment, Rest} =
+	case Bin of
+	<<BinFragment0:MaxFragmentLen/bytes, Rest0/binary>> ->
+	    {BinFragment0, Rest0};
 	_ ->
-	    BinFragment = Bin,
-	    Rest = <<>>
+	    {Bin, <<>>}
     end,
     FragLength = byte_size(BinFragment),
     Frag = [MsgType, ?uint24(Len), ?uint16(MsgSeq), ?uint24(Offset), ?uint24(FragLength), BinFragment],
@@ -536,7 +537,7 @@ decode_alerts(Bin) ->
 initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions}, User,
 	      {CbModule, DataTag, CloseTag, ErrorTag}) ->
     #ssl_options{beast_mitigation = BeastMitigation} = SSLOptions,
-    ConnectionStates = ssl_record:init_connection_states(Role, BeastMitigation),
+    ConnectionStates = dtls_record:init_connection_states(Role, BeastMitigation),
     
     SessionCacheCb = case application:get_env(ssl, session_cb) of
 			 {ok, Cb} when is_atom(Cb) ->
@@ -693,8 +694,8 @@ next_event(StateName, Record, State, Actions) ->
 %% address_to_bin({A,B,C,D,E,F,G,H}, Port) ->
 %%     <<A:16,B:16,C:16,D:16,E:16,F:16,G:16,H:16,Port:16>>.
 
-sequence(#connection_states{dtls_write_msg_seq = Seq} = CS) ->
-    {Seq, CS#connection_states{dtls_write_msg_seq = Seq + 1}}.
+sequence(#{write_msg_seq := Seq} = ConnectionState) ->
+    {Seq, ConnectionState#{write_msg_seq => Seq + 1}}.
 
 renegotiate(#state{role = client} = State, Actions) ->
     %% Handle same way as if server requested
@@ -707,9 +708,10 @@ renegotiate(#state{role = client} = State, Actions) ->
 renegotiate(#state{role = server,
 		   connection_states = CS0} = State0, Actions) ->
     HelloRequest = ssl_handshake:hello_request(),
+    CS = CS0#{write_msg_seq => 0},
     State1 = send_handshake(HelloRequest, 
 			    State0#state{connection_states =
-					     CS0#connection_states{dtls_write_msg_seq = 0}}),
+					     CS}),
     Hs0 = ssl_handshake:init_handshake_history(),
     {Record, State} = next_record(State1#state{tls_handshake_history = Hs0,
 					       protocol_buffers = #protocol_buffers{}}),
diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl
index 5a799cf441..d52f26e578 100644
--- a/lib/ssl/src/dtls_handshake.erl
+++ b/lib/ssl/src/dtls_handshake.erl
@@ -35,7 +35,7 @@
 %% Internal application API
 %%====================================================================
 %%--------------------------------------------------------------------
--spec client_hello(host(), inet:port_number(), #connection_states{},
+-spec client_hello(host(), inet:port_number(), ssl_record:connection_states(),
 		   #ssl_options{}, integer(), atom(), boolean(), der_cert()) ->
 			  #client_hello{}.
 %%
@@ -48,7 +48,7 @@ client_hello(Host, Port, ConnectionStates, SslOpts,
 		 Cache, CacheCb, Renegotiation, OwnCert).
 
 %%--------------------------------------------------------------------
--spec client_hello(host(), inet:port_number(), term(), #connection_states{},
+-spec client_hello(host(), inet:port_number(), term(), ssl_record:connection_states(),
 		   #ssl_options{}, integer(), atom(), boolean(), der_cert()) ->
 			  #client_hello{}.
 %%
@@ -61,7 +61,7 @@ client_hello(Host, Port, Cookie, ConnectionStates,
 	     Cache, CacheCb, Renegotiation, OwnCert) ->
     Version =  dtls_record:highest_protocol_version(Versions),
     Pending = ssl_record:pending_connection_state(ConnectionStates, read),
-    SecParams = Pending#connection_state.security_parameters,
+    SecParams = maps:get(security_parameters, Pending),
     CipherSuites = ssl_handshake:available_suites(UserSuites, Version),
 
     Extensions = ssl_handshake:client_hello_extensions(Host, dtls_v1:corresponding_tls_version(Version), CipherSuites,
diff --git a/lib/ssl/src/dtls_record.erl b/lib/ssl/src/dtls_record.erl
index 5387fcafa8..8a6e2d315c 100644
--- a/lib/ssl/src/dtls_record.erl
+++ b/lib/ssl/src/dtls_record.erl
@@ -30,7 +30,7 @@
 -include("ssl_cipher.hrl").
 
 %% Handling of incoming data
--export([get_dtls_records/2]).
+-export([get_dtls_records/2,  init_connection_states/2]).
 
 %% Decoding
 -export([decode_cipher_text/2]).
@@ -58,7 +58,26 @@
 %%====================================================================
 %% Internal application API
 %%====================================================================
-
+%%--------------------------------------------------------------------
+-spec init_connection_states(client | server, one_n_minus_one | zero_n | disabled) ->
+ 				    ssl_record:connection_states().
+%% %
+						%
+%% Description: Creates a connection_states record with appropriate
+%% values for the initial SSL connection setup.
+%%--------------------------------------------------------------------
+init_connection_states(Role, BeastMitigation) ->
+    ConnectionEnd = ssl_record:record_protocol_role(Role),
+    Current = initial_connection_state(ConnectionEnd, BeastMitigation),
+    Pending = ssl_record:empty_connection_state(ConnectionEnd, BeastMitigation),
+    #{write_msg_seq => 0, 
+      prvious_read  => undefined,
+      current_read  => Current,
+      pending_read  => Pending,
+      prvious_write => undefined,
+      current_write => Current,
+      pending_write => Pending}.
+  
 %%--------------------------------------------------------------------
 -spec get_dtls_records(binary(), binary()) -> {[binary()], binary()} | #alert{}.
 %%
@@ -122,63 +141,59 @@ get_dtls_records_aux(Data, Acc) ->
     end.
 
 encode_plain_text(Type, Version, Data,
-		  #connection_states{current_write =
-					 #connection_state{
-					    epoch = Epoch,
-					    sequence_number = Seq,
-					    compression_state=CompS0,
-					    security_parameters=
-						#security_parameters{
-						   cipher_type = ?AEAD,
-						   compression_algorithm=CompAlg}
-					   }= WriteState0} = ConnectionStates) ->
+		  #{current_write :=
+			#{epoch := Epoch,
+			  sequence_number := Seq,
+			  compression_state := CompS0,
+			  security_parameters :=
+			      #security_parameters{
+				 cipher_type = ?AEAD,
+				 compression_algorithm = CompAlg}
+			 }= WriteState0} = ConnectionStates) ->
     {Comp, CompS1} = ssl_record:compress(CompAlg, Data, CompS0),
-    WriteState1 = WriteState0#connection_state{compression_state = CompS1},
+    WriteState1 = WriteState0#{compression_state => CompS1},
     AAD = calc_aad(Type, Version, Epoch, Seq),
     {CipherFragment, WriteState} = ssl_record:cipher_aead(dtls_v1:corresponding_tls_version(Version),
 							  Comp, WriteState1, AAD),
     CipherText = encode_tls_cipher_text(Type, Version, Epoch, Seq, CipherFragment),
-    {CipherText, ConnectionStates#connection_states{current_write =
-							WriteState#connection_state{sequence_number = Seq +1}}};
+    {CipherText, ConnectionStates#{current_write => WriteState#{sequence_number => Seq +1}}};
 
 encode_plain_text(Type, Version, Data,
-		  #connection_states{current_write=#connection_state{
-						      epoch = Epoch,
-						      sequence_number = Seq,
-						      compression_state=CompS0,
-						      security_parameters=
-							  #security_parameters{compression_algorithm=CompAlg}
-						     }= WriteState0} = ConnectionStates) ->
+		  #{current_write := 
+			#{epoch := Epoch,
+			  sequence_number := Seq,
+			  compression_state := CompS0,
+			  security_parameters :=
+			      #security_parameters{compression_algorithm = CompAlg}
+			 }= WriteState0} = ConnectionStates) ->
     {Comp, CompS1} = ssl_record:compress(CompAlg, Data, CompS0),
-    WriteState1 = WriteState0#connection_state{compression_state = CompS1},
+    WriteState1 = WriteState0#{compression_state => CompS1},
     MacHash = calc_mac_hash(WriteState1, Type, Version, Epoch, Seq, Comp),
     {CipherFragment, WriteState} = ssl_record:cipher(dtls_v1:corresponding_tls_version(Version), 
 						     Comp, WriteState1, MacHash),
     CipherText = encode_tls_cipher_text(Type, Version, Epoch, Seq, CipherFragment),
-    {CipherText, ConnectionStates#connection_states{current_write =
-							WriteState#connection_state{sequence_number = Seq +1}}}.
+    {CipherText, ConnectionStates#{current_write => WriteState#{sequence_number => Seq +1}}}.
 
 decode_cipher_text(#ssl_tls{type = Type, version = Version,
 			    epoch = Epoch,
 			    sequence_number = Seq,
 			    fragment = CipherFragment} = CipherText,
-		   #connection_states{current_read =
-					  #connection_state{
-					     compression_state = CompressionS0,
-					     security_parameters=
-						 #security_parameters{
-						    cipher_type = ?AEAD,
-						    compression_algorithm=CompAlg}
-					    } = ReadState0}= ConnnectionStates0) ->
+		   #{current_read :=
+			 #{compression_state := CompressionS0,
+			   security_parameters :=
+			       #security_parameters{
+				  cipher_type = ?AEAD,
+				  compression_algorithm = CompAlg}
+			  } = ReadState0} = ConnnectionStates0) ->
     AAD = calc_aad(Type, Version, Epoch, Seq),
     case ssl_record:decipher_aead(dtls_v1:corresponding_tls_version(Version),
 				  CipherFragment, ReadState0, AAD) of
 	{PlainFragment, ReadState1} ->
 	    {Plain, CompressionS1} = ssl_record:uncompress(CompAlg,
 							   PlainFragment, CompressionS0),
-	    ConnnectionStates = ConnnectionStates0#connection_states{
-				  current_read = ReadState1#connection_state{
-						   compression_state = CompressionS1}},
+	    ConnnectionStates = ConnnectionStates0#{
+				  current_read => ReadState1#{
+						    compression_state => CompressionS1}},
 	    {CipherText#ssl_tls{fragment = Plain}, ConnnectionStates};
 	#alert{} = Alert ->
 	    Alert
@@ -188,13 +203,12 @@ decode_cipher_text(#ssl_tls{type = Type, version = Version,
 			    epoch = Epoch,
 			    sequence_number = Seq,
 			    fragment = CipherFragment} = CipherText,
-		   #connection_states{current_read =
-					  #connection_state{
-					     compression_state = CompressionS0,
-					     security_parameters=
-						 #security_parameters{
-						    compression_algorithm=CompAlg}
-					    } = ReadState0}= ConnnectionStates0) ->
+		   #{current_read :=
+			 #{compression_state := CompressionS0,
+			   security_parameters :=
+			       #security_parameters{
+				  compression_algorithm = CompAlg}
+			  } = ReadState0}= ConnnectionStates0) ->
     {PlainFragment, Mac, ReadState1} = ssl_record:decipher(dtls_v1:corresponding_tls_version(Version),
 							   CipherFragment, ReadState0, true),
     MacHash = calc_mac_hash(ReadState1, Type, Version, Epoch, Seq, PlainFragment),
@@ -202,17 +216,17 @@ decode_cipher_text(#ssl_tls{type = Type, version = Version,
 	true ->
 	    {Plain, CompressionS1} = ssl_record:uncompress(CompAlg,
 							   PlainFragment, CompressionS0),
-	    ConnnectionStates = ConnnectionStates0#connection_states{
-				  current_read = ReadState1#connection_state{
-						   compression_state = CompressionS1}},
+	    ConnnectionStates = ConnnectionStates0#{
+				  current_read => ReadState1#{
+						    compression_state => CompressionS1}},
 	    {CipherText#ssl_tls{fragment = Plain}, ConnnectionStates};
 	false ->
 	    ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
     end.
 
 %%--------------------------------------------------------------------
--spec encode_change_cipher_spec(dtls_version(), #connection_states{}) ->
-				       {iolist(), #connection_states{}}.
+-spec encode_change_cipher_spec(dtls_version(), ssl_record:connection_states()) ->
+				       {iolist(), ssl_record:connection_states()}.
 %%
 %% Description: Encodes a change_cipher_spec-message to send on the ssl socket.
 %%--------------------------------------------------------------------
@@ -352,92 +366,87 @@ is_acceptable_version(Version, Versions) ->
 
 
 %%--------------------------------------------------------------------
--spec init_connection_state_seq(dtls_version(), #connection_states{}) ->
-				       #connection_state{}.
+-spec init_connection_state_seq(dtls_version(), ssl_record:connection_states()) ->
+				       ssl_record:connection_state().
 %%
 %% Description: Copy the read sequence number to the write sequence number
 %% This is only valid for DTLS in the first client_hello
 %%--------------------------------------------------------------------
 init_connection_state_seq({254, _},
-			  #connection_states{
-			     current_read = Read = #connection_state{epoch = 0},
-			     current_write = Write = #connection_state{epoch = 0}} = CS0) ->
-    CS0#connection_states{current_write =
-			      Write#connection_state{
-				sequence_number = Read#connection_state.sequence_number}};
+			  #{current_read := #{epoch := 0} = Read,
+			    current_write := #{epoch := 0} = Write} = CS0) ->
+    Seq = maps:get(sequence_number, Read),
+    CS0#{current_write => Write#{sequence_number => Seq}};
 init_connection_state_seq(_, CS) ->
     CS.
 
 %%--------------------------------------------------------
--spec current_connection_state_epoch(#connection_states{}, read | write) ->
+-spec current_connection_state_epoch(ssl_record:connection_states(), read | write) ->
 					    integer().
 %%
 %% Description: Returns the epoch the connection_state record
 %% that is currently defined as the current conection state.
 %%--------------------------------------------------------------------
-current_connection_state_epoch(#connection_states{current_read = Current},
+current_connection_state_epoch(#{current_read := Current},
 			       read) ->
-    Current#connection_state.epoch;
-current_connection_state_epoch(#connection_states{current_write = Current},
+    maps:get(epoch, Current);
+current_connection_state_epoch(#{current_write := Current},
 			       write) ->
-    Current#connection_state.epoch.
+    maps:get(epoch, Current).
 
 %%--------------------------------------------------------------------
 
--spec connection_state_by_epoch(#connection_states{}, integer(), read | write) ->
-				      #connection_state{}.
+-spec connection_state_by_epoch(ssl_record:connection_states(), integer(), read | write) ->
+				       ssl_record:connection_state().
 %%
 %% Description: Returns the instance of the connection_state record
 %% that is defined by the Epoch.
 %%--------------------------------------------------------------------
-connection_state_by_epoch(#connection_states{current_read = CS}, Epoch, read)
-  when CS#connection_state.epoch == Epoch ->
+connection_state_by_epoch(#{current_read := #{epoch := Epoch}} = CS, Epoch, read) ->
     CS;
-connection_state_by_epoch(#connection_states{pending_read = CS}, Epoch, read)
-  when CS#connection_state.epoch == Epoch ->
+connection_state_by_epoch(#{pending_read := #{epoch := Epoch}} = CS, Epoch, read) ->
     CS;
-connection_state_by_epoch(#connection_states{current_write = CS}, Epoch, write)
-  when CS#connection_state.epoch == Epoch ->
+connection_state_by_epoch(#{current_write := #{epoch := Epoch}} = CS, Epoch, write) ->
     CS;
-connection_state_by_epoch(#connection_states{pending_write = CS}, Epoch, write)
-  when CS#connection_state.epoch == Epoch ->
+connection_state_by_epoch(#{pending_write := #{epoch := Epoch}} = CS, Epoch, write) ->
     CS.
 %%--------------------------------------------------------------------
--spec set_connection_state_by_epoch(#connection_states{},
-				    #connection_state{}, read | write)
-				   -> #connection_states{}.
+-spec set_connection_state_by_epoch(ssl_record:connection_states(),
+				    ssl_record:connection_state(), read | write)
+				   -> ssl_record:connection_states().
 %%
 %% Description: Returns the instance of the connection_state record
 %% that is defined by the Epoch.
 %%--------------------------------------------------------------------
-set_connection_state_by_epoch(ConnectionStates0 =
-				  #connection_states{current_read = CS},
-			      NewCS = #connection_state{epoch = Epoch}, read)
-  when CS#connection_state.epoch == Epoch ->
-    ConnectionStates0#connection_states{current_read = NewCS};
-
-set_connection_state_by_epoch(ConnectionStates0 =
-				  #connection_states{pending_read = CS},
-			      NewCS = #connection_state{epoch = Epoch}, read)
-  when CS#connection_state.epoch == Epoch ->
-    ConnectionStates0#connection_states{pending_read = NewCS};
-
-set_connection_state_by_epoch(ConnectionStates0 =
-				  #connection_states{current_write = CS},
-			      NewCS = #connection_state{epoch = Epoch}, write)
-  when CS#connection_state.epoch == Epoch ->
-    ConnectionStates0#connection_states{current_write = NewCS};
-
-set_connection_state_by_epoch(ConnectionStates0 =
-				  #connection_states{pending_write = CS},
-			      NewCS = #connection_state{epoch = Epoch}, write)
-  when CS#connection_state.epoch == Epoch ->
-    ConnectionStates0#connection_states{pending_write = NewCS}.
+set_connection_state_by_epoch(#{current_read := #{epoch := Epoch}} = ConnectionStates0,
+                              NewCS = #{epoch := Epoch}, read) ->
+    ConnectionStates0#{current_read => NewCS};
+set_connection_state_by_epoch(#{pending_read := #{epoch := Epoch}} = ConnectionStates0,
+			      NewCS = #{epoch := Epoch}, read) ->
+    ConnectionStates0#{pending_read => NewCS};
+set_connection_state_by_epoch(#{current_write := #{epoch := Epoch}} = ConnectionStates0,
+			      NewCS = #{epoch := Epoch}, write) ->
+    ConnectionStates0#{current_write => NewCS};
+set_connection_state_by_epoch(#{pending_write := #{epoch := Epoch}} = ConnectionStates0,
+NewCS = #{epoch := Epoch}, write) ->
+    ConnectionStates0#{pending_write => NewCS}.
 
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-
+initial_connection_state(ConnectionEnd, BeastMitigation) ->
+    #{security_parameters =>
+	  ssl_record:initial_security_params(ConnectionEnd),
+      epoch => 0,
+      sequence_number => 1,
+      beast_mitigation => BeastMitigation,
+      compression_state  => undefined,
+      cipher_state  => undefined,
+      mac_secret  => undefined,
+      secure_renegotiation => undefined,
+      client_verify_data => undefined,
+      server_verify_data => undefined
+     }.
 
 lowest_list_protocol_version(Ver, []) ->
     Ver;
@@ -454,8 +463,8 @@ encode_tls_cipher_text(Type, {MajVer, MinVer}, Epoch, Seq, Fragment) ->
     [<<?BYTE(Type), ?BYTE(MajVer), ?BYTE(MinVer), ?UINT16(Epoch),
        ?UINT48(Seq), ?UINT16(Length)>>, Fragment].
 
-calc_mac_hash(#connection_state{mac_secret = MacSecret,
-				security_parameters = #security_parameters{mac_algorithm = MacAlg}},
+calc_mac_hash(#{mac_secret := MacSecret,
+		security_parameters := #security_parameters{mac_algorithm = MacAlg}},
 	      Type, Version, Epoch, SeqNo, Fragment) ->
     Length = erlang:iolist_size(Fragment),
     NewSeq = (Epoch bsl 48) + SeqNo,
diff --git a/lib/ssl/src/ssl_alert.erl b/lib/ssl/src/ssl_alert.erl
index db71b16d80..05dfb4c1b3 100644
--- a/lib/ssl/src/ssl_alert.erl
+++ b/lib/ssl/src/ssl_alert.erl
@@ -39,8 +39,8 @@
 %%====================================================================
 
 %%--------------------------------------------------------------------
--spec encode(#alert{}, ssl_record:ssl_version(), #connection_states{}) -> 
-		    {iolist(), #connection_states{}}.
+-spec encode(#alert{}, ssl_record:ssl_version(), ssl_record:connection_states()) -> 
+		    {iolist(), ssl_record:connection_states()}.
 %%
 %% Description: Encodes an alert
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index f0f5982de4..304d1706f5 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -271,7 +271,7 @@ prf(ConnectionPid, Secret, Label, Seed, WantedLength) ->
 
 %%--------------------------------------------------------------------
 -spec handle_session(#server_hello{}, ssl_record:ssl_version(),
-		     binary(), #connection_states{}, _,_, #state{}) ->
+		     binary(), ssl_record:connection_states(), _,_, #state{}) ->
 			    gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 handle_session(#server_hello{cipher_suite = CipherSuite,
@@ -918,9 +918,8 @@ handle_call(renegotiate, From, StateName, _, _) when StateName =/= connection ->
 handle_call({prf, Secret, Label, Seed, WantedLength}, From, _,
 	    #state{connection_states = ConnectionStates,
 		   negotiated_version = Version}, _) ->
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:current_connection_state(ConnectionStates, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{master_secret = MasterSecret,
 			 client_random = ClientRandom,
 			 server_random = ServerRandom,
@@ -1414,9 +1413,8 @@ key_exchange(#state{role = server, key_algorithm = Algo,
        Algo == dhe_rsa;
        Algo == dh_anon ->
     DHKeys = public_key:generate_key(Params),
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Msg = ssl_handshake:key_exchange(server, ssl:tls_version(Version), {dh, DHKeys, Params,
@@ -1439,9 +1437,8 @@ key_exchange(#state{role = server, key_algorithm = Algo,
        Algo == ecdh_anon ->
 
     ECDHKeys = public_key:generate_key(select_curve(State0)),
-    ConnectionState =
+    #{security_parameters := SecParams} = 
 	ssl_record:pending_connection_state(ConnectionStates0, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Msg =  ssl_handshake:key_exchange(server, ssl:tls_version(Version), 
@@ -1462,9 +1459,8 @@ key_exchange(#state{role = server, key_algorithm = psk,
 		    connection_states = ConnectionStates0,
 		    negotiated_version = Version
 		   } = State0, Connection) ->
-    ConnectionState =
+    #{security_parameters := SecParams} = 
 	ssl_record:pending_connection_state(ConnectionStates0, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Msg = ssl_handshake:key_exchange(server, ssl:tls_version(Version), 
@@ -1483,9 +1479,8 @@ key_exchange(#state{role = server, key_algorithm = dhe_psk,
 		    negotiated_version = Version
 		   } = State0, Connection) ->
     DHKeys = public_key:generate_key(Params),
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Msg =  ssl_handshake:key_exchange(server, ssl:tls_version(Version), 
@@ -1507,9 +1502,8 @@ key_exchange(#state{role = server, key_algorithm = rsa_psk,
 		    connection_states = ConnectionStates0,
 		    negotiated_version = Version
 		   } = State0, Connection) ->
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Msg =  ssl_handshake:key_exchange(server, ssl:tls_version(Version), 
@@ -1537,9 +1531,8 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 	       Keys0 = {_,_} ->
 		   Keys0
 	   end,
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Msg =  ssl_handshake:key_exchange(server, ssl:tls_version(Version),
@@ -1658,8 +1651,8 @@ request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer,
 			   cert_db = CertDbHandle,
 			   cert_db_ref = CertDbRef,
 			   negotiated_version = Version} = State0, Connection) ->
-    #connection_state{security_parameters =
-			  #security_parameters{cipher_suite = CipherSuite}} =
+    #{security_parameters :=
+	  #security_parameters{cipher_suite = CipherSuite}} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
     TLSVersion =  ssl:tls_version(Version),
     HashSigns = ssl_handshake:available_signature_algs(SupportedHashSigns, 
@@ -1868,11 +1861,11 @@ is_anonymous(_) ->
     false.
 
 get_current_prf(CStates, Direction) ->
-	CS = ssl_record:current_connection_state(CStates, Direction),
-	CS#connection_state.security_parameters#security_parameters.prf_algorithm.
+    #{security_parameters := SecParams} = ssl_record:current_connection_state(CStates, Direction),
+    SecParams#security_parameters.prf_algorithm.
 get_pending_prf(CStates, Direction) ->
-	CS = ssl_record:pending_connection_state(CStates, Direction),
-	CS#connection_state.security_parameters#security_parameters.prf_algorithm.
+    #{security_parameters := SecParams} = ssl_record:pending_connection_state(CStates, Direction),
+    SecParams#security_parameters.prf_algorithm.
 
 opposite_role(client) ->
     server;
@@ -2201,8 +2194,7 @@ encode_size_packet(Bin, Size, Max) ->
     end.
 
 time_to_renegotiate(_Data, 
-		    #connection_states{current_write = 
-					   #connection_state{sequence_number = Num}}, 
+		    #{current_write := #{sequence_number := Num}}, 
 		    RenegotiateAt) ->
     
     %% We could do test:
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 4b54943ddf..f1e612a41b 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -46,7 +46,7 @@
           socket                :: port(),
           ssl_options           :: #ssl_options{},
           socket_options        :: #socket_options{},
-          connection_states     :: #connection_states{} | secret_printout(),
+          connection_states     :: ssl_record:connection_states() | secret_printout(),
 	  protocol_buffers      :: term() | secret_printout() , %% #protocol_buffers{} from tls_record.hrl or dtls_recor.hrl
           tls_handshake_history :: ssl_handshake:ssl_handshake_history() | secret_printout()
                                  | 'undefined',
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index f0ff7c5270..36d533cd4e 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -94,15 +94,14 @@ hello_request() ->
     #hello_request{}.
 
 %%--------------------------------------------------------------------
--spec server_hello(#session{}, ssl_record:ssl_version(), #connection_states{},
+-spec server_hello(#session{}, ssl_record:ssl_version(), ssl_record:connection_states(),
 		   #hello_extensions{}) -> #server_hello{}.
 %%
 %% Description: Creates a server hello message.
 %%--------------------------------------------------------------------
 server_hello(SessionId, Version, ConnectionStates, Extensions) ->
-    Pending = ssl_record:pending_connection_state(ConnectionStates, read),
-    SecParams = Pending#connection_state.security_parameters,
-
+    #{security_parameters := SecParams} = 
+	ssl_record:pending_connection_state(ConnectionStates, read),
     #server_hello{server_version = Version,
 		  cipher_suite = SecParams#security_parameters.cipher_suite,
                   compression_method =
@@ -335,9 +334,8 @@ verify_server_key(#server_key_params{params_bin = EncParams,
 				     signature = Signature},
 		  HashSign = {HashAlgo, _},
 		  ConnectionStates, Version, PubKeyInfo) ->
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
     Hash = server_key_exchange_hash(HashAlgo,
@@ -696,8 +694,8 @@ select_hashsign_algs(undefined, ?'id-dsa', _) ->
 
 
 %%--------------------------------------------------------------------
--spec master_secret(ssl_record:ssl_version(), #session{} | binary(), #connection_states{},
-		   client | server) -> {binary(), #connection_states{}} | #alert{}.
+-spec master_secret(ssl_record:ssl_version(), #session{} | binary(), ssl_record:connection_states(),
+		   client | server) -> {binary(), ssl_record:connection_states()} | #alert{}.
 %%
 %% Description: Sets or calculates the master secret and calculate keys,
 %% updating the pending connection states. The Mastersecret and the update
@@ -705,9 +703,8 @@ select_hashsign_algs(undefined, ?'id-dsa', _) ->
 %%-------------------------------------------------------------------
 master_secret(Version, #session{master_secret = Mastersecret},
 	      ConnectionStates, Role) ->
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
     try master_secret(Version, Mastersecret, SecParams,
 		      ConnectionStates, Role)
     catch
@@ -716,9 +713,9 @@ master_secret(Version, #session{master_secret = Mastersecret},
     end;
 
 master_secret(Version, PremasterSecret, ConnectionStates, Role) ->
-    ConnectionState =
+    #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates, read),
-    SecParams = ConnectionState#connection_state.security_parameters,
+    
     #security_parameters{prf_algorithm = PrfAlgo,
 			 client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams,
@@ -1343,29 +1340,29 @@ do_select_version(
 renegotiation_info(_, client, _, false) ->
     #renegotiation_info{renegotiated_connection = undefined};
 renegotiation_info(_RecordCB, server, ConnectionStates, false) ->
-    CS  = ssl_record:current_connection_state(ConnectionStates, read),
-    case CS#connection_state.secure_renegotiation of
+    ConnectionState  = ssl_record:current_connection_state(ConnectionStates, read),
+    case maps:get(secure_renegotiation, ConnectionState) of
 	true ->
 	    #renegotiation_info{renegotiated_connection = ?byte(0)};
 	false ->
 	    #renegotiation_info{renegotiated_connection = undefined}
     end;
 renegotiation_info(_RecordCB, client, ConnectionStates, true) ->
-    CS = ssl_record:current_connection_state(ConnectionStates, read),
-    case CS#connection_state.secure_renegotiation of
+    ConnectionState = ssl_record:current_connection_state(ConnectionStates, read),
+    case  maps:get(secure_renegotiation, ConnectionState) of
 	true ->
-	    Data = CS#connection_state.client_verify_data,
+	    Data = maps:get(client_verify_data, ConnectionState),
 	    #renegotiation_info{renegotiated_connection = Data};
 	false ->
 	    #renegotiation_info{renegotiated_connection = undefined}
     end;
 
 renegotiation_info(_RecordCB, server, ConnectionStates, true) ->
-    CS = ssl_record:current_connection_state(ConnectionStates, read),
-    case CS#connection_state.secure_renegotiation of
+    ConnectionState = ssl_record:current_connection_state(ConnectionStates, read),
+    case maps:get(secure_renegotiation, ConnectionState) of
 	true ->
-	    CData = CS#connection_state.client_verify_data,
-	    SData  =CS#connection_state.server_verify_data,
+	    CData = maps:get(client_verify_data, ConnectionState),
+	    SData = maps:get(server_verify_data, ConnectionState),
 	    #renegotiation_info{renegotiated_connection = <<CData/binary, SData/binary>>};
 	false ->
 	    #renegotiation_info{renegotiated_connection = undefined}
@@ -1388,9 +1385,9 @@ handle_renegotiation_info(_RecordCB, _, undefined, ConnectionStates, false, _, _
 
 handle_renegotiation_info(_RecordCB, client, #renegotiation_info{renegotiated_connection = ClientServerVerify},
 			  ConnectionStates, true, _, _) ->
-    CS = ssl_record:current_connection_state(ConnectionStates, read),
-    CData = CS#connection_state.client_verify_data,
-    SData = CS#connection_state.server_verify_data,
+    ConnectionState = ssl_record:current_connection_state(ConnectionStates, read),
+    CData = maps:get(client_verify_data, ConnectionState),
+    SData = maps:get(server_verify_data, ConnectionState),
     case <<CData/binary, SData/binary>> == ClientServerVerify of
 	true ->
 	    {ok, ConnectionStates};
@@ -1404,8 +1401,8 @@ handle_renegotiation_info(_RecordCB, server, #renegotiation_info{renegotiated_co
 	  true ->
               ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, {server_renegotiation, empty_renegotiation_info_scsv});
 	  false ->
-	      CS = ssl_record:current_connection_state(ConnectionStates, read),
-	      Data = CS#connection_state.client_verify_data,
+	      ConnectionState = ssl_record:current_connection_state(ConnectionStates, read),
+	      Data =  maps:get(client_verify_data, ConnectionState),
 	      case Data == ClientVerify of
 		  true ->
 		      {ok, ConnectionStates};
@@ -1426,8 +1423,8 @@ handle_renegotiation_info(RecordCB, server, undefined, ConnectionStates, true, S
      end.
 
 handle_renegotiation_info(_RecordCB, ConnectionStates, SecureRenegotation) ->
-    CS = ssl_record:current_connection_state(ConnectionStates, read),
-    case {SecureRenegotation, CS#connection_state.secure_renegotiation} of
+    ConnectionState = ssl_record:current_connection_state(ConnectionStates, read),
+    case {SecureRenegotation, maps:get(secure_renegotiation, ConnectionState)} of
 	{_, true} ->
             ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, already_secure);
 	{true, false} ->
@@ -1728,18 +1725,16 @@ hello_pending_connection_states(_RecordCB, Role, Version, CipherSuite, Random, C
 				    NewWriteSecParams,
 				    ConnectionStates).
 
-hello_security_parameters(client, Version, ConnectionState, CipherSuite, Random,
+hello_security_parameters(client, Version, #{security_parameters := SecParams}, CipherSuite, Random,
 			  Compression) ->
-    SecParams = ConnectionState#connection_state.security_parameters,
     NewSecParams = ssl_cipher:security_parameters(Version, CipherSuite, SecParams),
     NewSecParams#security_parameters{
       server_random = Random,
       compression_algorithm = Compression
      };
 
-hello_security_parameters(server, Version, ConnectionState, CipherSuite, Random,
+hello_security_parameters(server, Version, #{security_parameters := SecParams}, CipherSuite, Random,
 			  Compression) ->
-    SecParams = ConnectionState#connection_state.security_parameters,
     NewSecParams = ssl_cipher:security_parameters(Version, CipherSuite, SecParams),
     NewSecParams#security_parameters{
       client_random = Random,
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index 5bb1c92c2d..71cd0279f3 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -30,8 +30,7 @@
 -include("ssl_alert.hrl").
 
 %% Connection state handling
--export([init_connection_states/2,
-	 current_connection_state/2, pending_connection_state/2,
+-export([initial_security_params/1, current_connection_state/2, pending_connection_state/2,
 	 activate_pending_connection_state/2,
 	 set_security_params/3,
          set_mac_secret/4,
@@ -39,7 +38,8 @@
          set_pending_cipher_state/4,
 	 set_renegotiation_flag/2,
 	 set_client_verify_data/3,
-	 set_server_verify_data/3]).
+	 set_server_verify_data/3,
+	 empty_connection_state/2, initial_connection_state/2, record_protocol_role/1]).
 
 %% Encoding records
 -export([encode_handshake/3, encode_alert_record/3,
@@ -52,122 +52,92 @@
 -export([cipher/4, decipher/4, is_correct_mac/2,
 	 cipher_aead/4, decipher_aead/4]).
 
--export_type([ssl_version/0, ssl_atom_version/0]).
+-export_type([ssl_version/0, ssl_atom_version/0, connection_states/0, connection_state/0]).
 
 -type ssl_version()       :: {integer(), integer()}.
 -type ssl_atom_version() :: tls_record:tls_atom_version().
-
+-type connection_states() :: term(). %% Map
+-type connection_state() :: term(). %% Map
 %%====================================================================
 %% Internal application API
 %%====================================================================
 
+
 %%--------------------------------------------------------------------
--spec init_connection_states(client | server, one_n_minus_one | zero_n | disabled ) ->
-				      #connection_states{}.
-%%
-%% Description: Creates a connection_states record with appropriate
-%% values for the initial SSL connection setup.
-%%--------------------------------------------------------------------
-init_connection_states(Role, BeastMitigation) ->
-    ConnectionEnd = record_protocol_role(Role),
-    Current = initial_connection_state(ConnectionEnd, BeastMitigation),
-    Pending = empty_connection_state(ConnectionEnd, BeastMitigation),
-    #connection_states{dtls_write_msg_seq = 1, % only used by dtls
-		       current_read = Current,
-		       pending_read = Pending,
-		       current_write = Current,
-		       pending_write = Pending
-                      }.
-
-%%--------------------------------------------------------------------
--spec current_connection_state(#connection_states{}, read | write) ->
-				      #connection_state{}.
+-spec current_connection_state(connection_states(), read | write) ->
+				      connection_state().
 %%
-%% Description: Returns the instance of the connection_state record
+%% Description: Returns the instance of the connection_state map
 %% that is currently defined as the current conection state.
 %%--------------------------------------------------------------------
-current_connection_state(#connection_states{current_read = Current},
-			 read) ->
-    Current;
-current_connection_state(#connection_states{current_write = Current},
-			 write) ->
-    Current.
+current_connection_state(ConnectionStates, read) ->
+    maps:get(current_read, ConnectionStates);
+current_connection_state(ConnectionStates, write) ->
+    maps:get(current_write, ConnectionStates).
 
 %%--------------------------------------------------------------------
--spec pending_connection_state(#connection_states{}, read | write) ->
-				      term().
+-spec pending_connection_state(connection_states(), read | write) ->
+				      connection_state().
 %%
-%% Description: Returns the instance of the connection_state record
-%% that is currently defined as the pending conection state.
+%% Description: Returns the instance of the connection_state map
+%% that is pendingly defined as the pending conection state.
 %%--------------------------------------------------------------------
-pending_connection_state(#connection_states{pending_read = Pending},
-			 read) ->
-    Pending;
-pending_connection_state(#connection_states{pending_write = Pending},
-			 write) ->
-    Pending.
-
+pending_connection_state(ConnectionStates, read) ->
+    maps:get(pending_read, ConnectionStates);
+pending_connection_state(ConnectionStates, write) ->
+    maps:get(pending_write, ConnectionStates).
 
 %%--------------------------------------------------------------------
--spec activate_pending_connection_state(#connection_states{}, read | write) ->
-					       #connection_states{}.
+-spec activate_pending_connection_state(connection_states(), read | write) ->
+					       connection_states().
 %%
 %% Description: Creates a new instance of the connection_states record
 %% where the pending state of <Type> has been activated.
 %%--------------------------------------------------------------------
-activate_pending_connection_state(States =
-                                  #connection_states{current_read = Current,
-						     pending_read = Pending},
+activate_pending_connection_state(#{current_read := Current,
+				    pending_read := Pending} = States,
                                   read) ->
-    NewCurrent = Pending#connection_state{epoch = dtls_next_epoch(Current),
-					  sequence_number = 0},
-    BeastMitigation = Pending#connection_state.beast_mitigation,
-    SecParams = Pending#connection_state.security_parameters,
+    #{secure_renegotiation := SecureRenegotation} = Current,
+    #{beast_mitigation := BeastMitigation,
+      security_parameters := SecParams} = Pending,
+    NewCurrent = Pending#{sequence_number => 0},
     ConnectionEnd = SecParams#security_parameters.connection_end,
     EmptyPending = empty_connection_state(ConnectionEnd, BeastMitigation),
-    SecureRenegotation = NewCurrent#connection_state.secure_renegotiation,
-    NewPending = EmptyPending#connection_state{secure_renegotiation = SecureRenegotation},
-    States#connection_states{current_read = NewCurrent,
-                             pending_read = NewPending
-                            };
-
-activate_pending_connection_state(States =
-                                  #connection_states{current_write = Current,
-						     pending_write = Pending},
+    NewPending = EmptyPending#{secure_renegotiation => SecureRenegotation},
+    States#{current_read => NewCurrent,
+	    pending_read => NewPending
+	   };
+
+activate_pending_connection_state(#{current_write := Current,
+				    pending_write := Pending} = States,
                                   write) ->
-    NewCurrent = Pending#connection_state{epoch = dtls_next_epoch(Current),
-					  sequence_number = 0},
-    BeastMitigation = Pending#connection_state.beast_mitigation,
-    SecParams = Pending#connection_state.security_parameters,
+    NewCurrent = Pending#{sequence_number => 0},
+    #{secure_renegotiation := SecureRenegotation} = Current,
+    #{beast_mitigation := BeastMitigation,
+      security_parameters := SecParams} = Pending,
     ConnectionEnd = SecParams#security_parameters.connection_end,
     EmptyPending = empty_connection_state(ConnectionEnd, BeastMitigation),
-    SecureRenegotation = NewCurrent#connection_state.secure_renegotiation,
-    NewPending = EmptyPending#connection_state{secure_renegotiation = SecureRenegotation},
-    States#connection_states{current_write = NewCurrent,
-                             pending_write = NewPending
-                            }.
-
+    NewPending = EmptyPending#{secure_renegotiation => SecureRenegotation},
+    States#{current_write => NewCurrent,
+	    pending_write => NewPending
+	   }.
 
 %%--------------------------------------------------------------------
 -spec set_security_params(#security_parameters{}, #security_parameters{},
-			     #connection_states{}) -> #connection_states{}.
+			  connection_states()) -> connection_states().
 %%
 %% Description: Creates a new instance of the connection_states record
 %% where the pending states gets its security parameters updated.
 %%--------------------------------------------------------------------
-set_security_params(ReadParams, WriteParams, States =
-		       #connection_states{pending_read = Read,
-					  pending_write = Write}) ->
-    States#connection_states{pending_read =
-                             Read#connection_state{security_parameters =
-                                                   ReadParams},
-                             pending_write =
-                             Write#connection_state{security_parameters =
-                                                    WriteParams}
-                            }.
+set_security_params(ReadParams, WriteParams, 
+		    #{pending_read := Read,
+		      pending_write := Write} = States) ->
+    States#{pending_read  => Read#{security_parameters => ReadParams},
+	    pending_write => Write#{security_parameters => WriteParams}
+	   }.
 %%--------------------------------------------------------------------
 -spec set_mac_secret(binary(), binary(), client | server,
-			#connection_states{}) -> #connection_states{}.
+		     connection_states()) -> connection_states().
 %%
 %% Description: update the mac_secret field in pending connection states
 %%--------------------------------------------------------------------
@@ -177,152 +147,145 @@ set_mac_secret(ClientWriteMacSecret, ServerWriteMacSecret, server, States) ->
     set_mac_secret(ClientWriteMacSecret, ServerWriteMacSecret, States).
 
 set_mac_secret(ReadMacSecret, WriteMacSecret,
-	       States = #connection_states{pending_read = Read,
-					   pending_write = Write}) ->
-    States#connection_states{
-      pending_read = Read#connection_state{mac_secret = ReadMacSecret},
-      pending_write = Write#connection_state{mac_secret = WriteMacSecret}
+	       States = #{pending_read := Read,
+			  pending_write := Write}) ->
+    States#{pending_read => Read#{mac_secret => ReadMacSecret},
+	    pending_write => Write#{mac_secret => WriteMacSecret}
      }.
 
 
 %%--------------------------------------------------------------------
--spec set_master_secret(binary(), #connection_states{}) -> #connection_states{}.
+-spec set_master_secret(binary(), connection_states()) -> connection_states().
 %%
 %% Description: Set master_secret in pending connection states
 %%--------------------------------------------------------------------
 set_master_secret(MasterSecret,
-                  States = #connection_states{pending_read = Read,
-                                              pending_write = Write}) ->
-    ReadSecPar = Read#connection_state.security_parameters,
-    Read1 = Read#connection_state{
-              security_parameters = ReadSecPar#security_parameters{
-                                      master_secret = MasterSecret}},
-    WriteSecPar = Write#connection_state.security_parameters,
-    Write1 = Write#connection_state{
-               security_parameters = WriteSecPar#security_parameters{
-                                       master_secret = MasterSecret}},
-    States#connection_states{pending_read = Read1, pending_write = Write1}.
-
-%%--------------------------------------------------------------------
--spec set_renegotiation_flag(boolean(), #connection_states{}) -> #connection_states{}.
+                  States = #{pending_read := Read = #{security_parameters := ReadSecPar},
+			     pending_write := Write = #{security_parameters := WriteSecPar}}) ->
+    Read1 = Read#{security_parameters => ReadSecPar#security_parameters{
+					   master_secret = MasterSecret}},
+    Write1 = Write#{security_parameters => WriteSecPar#security_parameters{
+					     master_secret = MasterSecret}},
+    States#{pending_read => Read1, pending_write => Write1}.
+
+%%--------------------------------------------------------------------
+-spec set_renegotiation_flag(boolean(), connection_states()) -> connection_states().
 %%
 %% Description: Set secure_renegotiation in pending connection states
 %%--------------------------------------------------------------------
-set_renegotiation_flag(Flag, #connection_states{
-			 current_read = CurrentRead0,
-			 current_write = CurrentWrite0,
-			 pending_read = PendingRead0,
-			 pending_write = PendingWrite0}
+set_renegotiation_flag(Flag, #{current_read := CurrentRead0,
+			       current_write := CurrentWrite0,
+			       pending_read := PendingRead0,
+			       pending_write := PendingWrite0}
 		       = ConnectionStates) ->
-    CurrentRead = CurrentRead0#connection_state{secure_renegotiation = Flag},
-    CurrentWrite = CurrentWrite0#connection_state{secure_renegotiation = Flag},
-    PendingRead = PendingRead0#connection_state{secure_renegotiation = Flag},
-    PendingWrite = PendingWrite0#connection_state{secure_renegotiation = Flag},
-    ConnectionStates#connection_states{current_read = CurrentRead,
-				       current_write = CurrentWrite,
-				       pending_read = PendingRead,
-				       pending_write = PendingWrite}.
+    CurrentRead = CurrentRead0#{secure_renegotiation => Flag},
+    CurrentWrite = CurrentWrite0#{secure_renegotiation => Flag},
+    PendingRead = PendingRead0#{secure_renegotiation => Flag},
+    PendingWrite = PendingWrite0#{secure_renegotiation => Flag},
+    ConnectionStates#{current_read => CurrentRead,
+		      current_write => CurrentWrite,
+		      pending_read => PendingRead,
+		      pending_write => PendingWrite}.
 
 %%--------------------------------------------------------------------
 -spec set_client_verify_data(current_read | current_write | current_both,
-			     binary(), #connection_states{})->
-				    #connection_states{}.
+			     binary(), connection_states())->
+				    connection_states().
 %%
 %% Description: Set verify data in connection states.
 %%--------------------------------------------------------------------
 set_client_verify_data(current_read, Data,
-		       #connection_states{current_read = CurrentRead0,
-					  pending_write = PendingWrite0}
+		       #{current_read := CurrentRead0,
+			 pending_write := PendingWrite0}
 		       = ConnectionStates) ->
-    CurrentRead = CurrentRead0#connection_state{client_verify_data = Data},
-    PendingWrite = PendingWrite0#connection_state{client_verify_data = Data},
-    ConnectionStates#connection_states{current_read = CurrentRead,
-				       pending_write = PendingWrite};
+    CurrentRead = CurrentRead0#{client_verify_data => Data},
+    PendingWrite = PendingWrite0#{client_verify_data => Data},
+    ConnectionStates#{current_read => CurrentRead,
+		      pending_write => PendingWrite};
 set_client_verify_data(current_write, Data,
-		       #connection_states{pending_read = PendingRead0,
-					  current_write = CurrentWrite0}
+		       #{pending_read := PendingRead0,
+			 current_write := CurrentWrite0}
 		       = ConnectionStates) ->
-    PendingRead = PendingRead0#connection_state{client_verify_data = Data},
-    CurrentWrite = CurrentWrite0#connection_state{client_verify_data = Data},
-    ConnectionStates#connection_states{pending_read = PendingRead,
-				       current_write = CurrentWrite};
+    PendingRead = PendingRead0#{client_verify_data => Data},
+    CurrentWrite = CurrentWrite0#{client_verify_data => Data},
+    ConnectionStates#{pending_read => PendingRead,
+		      current_write => CurrentWrite};
 set_client_verify_data(current_both, Data,
-		       #connection_states{current_read = CurrentRead0,
-					  current_write = CurrentWrite0}
+		       #{current_read := CurrentRead0,
+			 current_write := CurrentWrite0}
 		       = ConnectionStates) ->
-    CurrentRead = CurrentRead0#connection_state{client_verify_data = Data},
-    CurrentWrite = CurrentWrite0#connection_state{client_verify_data = Data},
-    ConnectionStates#connection_states{current_read = CurrentRead,
-				       current_write = CurrentWrite}.
+    CurrentRead = CurrentRead0#{client_verify_data => Data},
+    CurrentWrite = CurrentWrite0#{client_verify_data => Data},
+    ConnectionStates#{current_read => CurrentRead,
+		      current_write => CurrentWrite}.
 %%--------------------------------------------------------------------
 -spec set_server_verify_data(current_read | current_write | current_both,
-			     binary(), #connection_states{})->
-				    #connection_states{}.
+			     binary(), connection_states())->
+				    connection_states().
 %%
 %% Description: Set verify data in pending connection states.
 %%--------------------------------------------------------------------
 set_server_verify_data(current_write, Data,
-		       #connection_states{pending_read = PendingRead0,
-					  current_write = CurrentWrite0}
+		       #{pending_read := PendingRead0,
+			 current_write := CurrentWrite0}
 		       = ConnectionStates) ->
-    PendingRead = PendingRead0#connection_state{server_verify_data = Data},
-    CurrentWrite = CurrentWrite0#connection_state{server_verify_data = Data},
-    ConnectionStates#connection_states{pending_read = PendingRead,
-				       current_write = CurrentWrite};
+    PendingRead = PendingRead0#{server_verify_data => Data},
+    CurrentWrite = CurrentWrite0#{server_verify_data => Data},
+    ConnectionStates#{pending_read => PendingRead,
+		      current_write => CurrentWrite};
 
 set_server_verify_data(current_read, Data,
-		       #connection_states{current_read = CurrentRead0,
-					  pending_write = PendingWrite0}
+		       #{current_read := CurrentRead0,
+			 pending_write := PendingWrite0}
 		       = ConnectionStates) ->
-    CurrentRead = CurrentRead0#connection_state{server_verify_data = Data},
-    PendingWrite = PendingWrite0#connection_state{server_verify_data = Data},
-    ConnectionStates#connection_states{current_read = CurrentRead,
-				       pending_write = PendingWrite};
+    CurrentRead = CurrentRead0#{server_verify_data => Data},
+    PendingWrite = PendingWrite0#{server_verify_data => Data},
+    ConnectionStates#{current_read => CurrentRead,
+				       pending_write => PendingWrite};
 
 set_server_verify_data(current_both, Data,
-		       #connection_states{current_read = CurrentRead0,
-					  current_write = CurrentWrite0}
+		       #{current_read := CurrentRead0,
+			 current_write := CurrentWrite0}
 		       = ConnectionStates) ->
-    CurrentRead = CurrentRead0#connection_state{server_verify_data = Data},
-    CurrentWrite = CurrentWrite0#connection_state{server_verify_data = Data},
-    ConnectionStates#connection_states{current_read = CurrentRead,
-				       current_write = CurrentWrite}.
+    CurrentRead = CurrentRead0#{server_verify_data => Data},
+    CurrentWrite = CurrentWrite0#{server_verify_data => Data},
+    ConnectionStates#{current_read => CurrentRead,
+		      current_write => CurrentWrite}.
 %%--------------------------------------------------------------------
--spec set_pending_cipher_state(#connection_states{}, #cipher_state{},
+-spec set_pending_cipher_state(connection_states(), #cipher_state{},
 			       #cipher_state{}, client | server) ->
-				      #connection_states{}.
+				      connection_states().
 %%
 %% Description: Set the cipher state in the specified pending connection state.
 %%--------------------------------------------------------------------
-set_pending_cipher_state(#connection_states{pending_read = Read,
-                                            pending_write = Write} = States,
+set_pending_cipher_state(#{pending_read := Read,
+			   pending_write := Write} = States,
                          ClientState, ServerState, server) ->
-    States#connection_states{
-        pending_read = Read#connection_state{cipher_state = ClientState},
-        pending_write = Write#connection_state{cipher_state = ServerState}};
+    States#{
+      pending_read => Read#{cipher_state => ClientState},
+      pending_write => Write#{cipher_state => ServerState}};
 
-set_pending_cipher_state(#connection_states{pending_read = Read,
-                                            pending_write = Write} = States,
+set_pending_cipher_state(#{pending_read := Read,
+			   pending_write := Write} = States,
                          ClientState, ServerState, client) ->
-    States#connection_states{
-        pending_read = Read#connection_state{cipher_state = ServerState},
-        pending_write = Write#connection_state{cipher_state = ClientState}}.
+    States#{
+      pending_read => Read#{cipher_state => ServerState},
+      pending_write => Write#{cipher_state => ClientState}}.
 
 
 %%--------------------------------------------------------------------
--spec encode_handshake(iolist(), ssl_version(), #connection_states{}) ->
-			      {iolist(), #connection_states{}}.
+-spec encode_handshake(iolist(), ssl_version(), connection_states()) ->
+			      {iolist(), connection_states()}.
 %%
 %% Description: Encodes a handshake message to send on the ssl-socket.
 %%--------------------------------------------------------------------
 encode_handshake(Frag, Version, 
-		 #connection_states{current_write = 
-					#connection_state{
-					   beast_mitigation = BeastMitigation,
-					   security_parameters =
-					       #security_parameters{bulk_cipher_algorithm = BCA}}} = 
+		 #{current_write :=
+		       #{beast_mitigation := BeastMitigation,
+			  security_parameters :=
+			     #security_parameters{bulk_cipher_algorithm = BCA}}} = 
 		     ConnectionStates)
-when is_list(Frag) ->
+  when is_list(Frag) ->
     case iolist_size(Frag) of
 	N  when N > ?MAX_PLAIN_TEXT_LENGTH ->
 	    Data = split_bin(iolist_to_binary(Frag), ?MAX_PLAIN_TEXT_LENGTH, Version, BCA, BeastMitigation),
@@ -341,8 +304,8 @@ encode_handshake(Frag, Version, ConnectionStates) ->
     encode_plain_text(?HANDSHAKE, Version, Frag, ConnectionStates).
 
 %%--------------------------------------------------------------------
--spec encode_alert_record(#alert{}, ssl_version(), #connection_states{}) ->
-				 {iolist(), #connection_states{}}.
+-spec encode_alert_record(#alert{}, ssl_version(), connection_states()) ->
+				 {iolist(), connection_states()}.
 %%
 %% Description: Encodes an alert message to send on the ssl-socket.
 %%--------------------------------------------------------------------
@@ -352,8 +315,8 @@ encode_alert_record(#alert{level = Level, description = Description},
 		      ConnectionStates).
 
 %%--------------------------------------------------------------------
--spec encode_change_cipher_spec(ssl_version(), #connection_states{}) ->
-				       {iolist(), #connection_states{}}.
+-spec encode_change_cipher_spec(ssl_version(), connection_states()) ->
+				       {iolist(), connection_states()}.
 %%
 %% Description: Encodes a change_cipher_spec-message to send on the ssl socket.
 %%--------------------------------------------------------------------
@@ -361,15 +324,14 @@ encode_change_cipher_spec(Version, ConnectionStates) ->
     encode_plain_text(?CHANGE_CIPHER_SPEC, Version, <<1:8>>, ConnectionStates).
 
 %%--------------------------------------------------------------------
--spec encode_data(binary(), ssl_version(), #connection_states{}) ->
-			 {iolist(), #connection_states{}}.
+-spec encode_data(binary(), ssl_version(), connection_states()) ->
+			 {iolist(), connection_states()}.
 %%
 %% Description: Encodes data to send on the ssl-socket.
 %%--------------------------------------------------------------------
 encode_data(Frag, Version,
-	    #connection_states{current_write = #connection_state{
-				 beast_mitigation = BeastMitigation,
-				 security_parameters =
+	    #{current_write := #{beast_mitigation := BeastMitigation,
+				 security_parameters :=
 				     #security_parameters{bulk_cipher_algorithm = BCA}}} =
 		ConnectionStates) ->
     Data = split_bin(Frag, ?MAX_PLAIN_TEXT_LENGTH, Version, BCA, BeastMitigation),
@@ -390,73 +352,74 @@ compressions() ->
     [?byte(?NULL)].
 
 %%--------------------------------------------------------------------
--spec cipher(ssl_version(), iodata(), #connection_state{}, MacHash::binary()) ->
-		    {CipherFragment::binary(), #connection_state{}}.
+-spec cipher(ssl_version(), iodata(), connection_state(), MacHash::binary()) ->
+		    {CipherFragment::binary(), connection_state()}.
 %%
 %% Description: Payload encryption
 %%--------------------------------------------------------------------
 cipher(Version, Fragment,
-       #connection_state{cipher_state = CipherS0,
-			 security_parameters=
-			     #security_parameters{bulk_cipher_algorithm =
-						      BulkCipherAlgo}
-			} = WriteState0, MacHash) ->
-
+       #{cipher_state := CipherS0,
+	 security_parameters :=
+	     #security_parameters{bulk_cipher_algorithm =
+				      BulkCipherAlgo}
+	} = WriteState0, MacHash) ->
+    
     {CipherFragment, CipherS1} =
 	ssl_cipher:cipher(BulkCipherAlgo, CipherS0, MacHash, Fragment, Version),
-    {CipherFragment,  WriteState0#connection_state{cipher_state = CipherS1}}.
+    {CipherFragment,  WriteState0#{cipher_state => CipherS1}}.
 %%--------------------------------------------------------------------
--spec cipher_aead(ssl_version(), iodata(), #connection_state{}, MacHash::binary()) ->
-			 {CipherFragment::binary(), #connection_state{}}.
+-spec cipher_aead(ssl_version(), iodata(), connection_state(), MacHash::binary()) ->
+			 {CipherFragment::binary(), connection_state()}.
 %%
 %% Description: Payload encryption
 %%--------------------------------------------------------------------
 cipher_aead(Version, Fragment,
-       #connection_state{cipher_state = CipherS0,
-			 sequence_number = SeqNo,
-			 security_parameters=
-			     #security_parameters{bulk_cipher_algorithm =
-						      BulkCipherAlgo}
-			} = WriteState0, AAD) ->
-
+	    #{cipher_state := CipherS0,
+	      sequence_number := SeqNo,
+	      security_parameters :=
+		  #security_parameters{bulk_cipher_algorithm =
+					   BulkCipherAlgo}
+	     } = WriteState0, AAD) ->
+    
     {CipherFragment, CipherS1} =
 	ssl_cipher:cipher_aead(BulkCipherAlgo, CipherS0, SeqNo, AAD, Fragment, Version),
-    {CipherFragment,  WriteState0#connection_state{cipher_state = CipherS1}}.
+    {CipherFragment,  WriteState0#{cipher_state => CipherS1}}.
 
 %%--------------------------------------------------------------------
--spec decipher(ssl_version(), binary(), #connection_state{}, boolean()) -> {binary(), binary(), #connection_state{}} | #alert{}.
+-spec decipher(ssl_version(), binary(), connection_state(), boolean()) -> {binary(), binary(), connection_state} | #alert{}.
 %%
 %% Description: Payload decryption
 %%--------------------------------------------------------------------
 decipher(Version, CipherFragment,
-	 #connection_state{security_parameters =
-			       #security_parameters{bulk_cipher_algorithm =
-							BulkCipherAlgo,
-						    hash_size = HashSz},
-			   cipher_state = CipherS0
-			  } = ReadState, PaddingCheck) ->
+	 #{security_parameters :=
+	       #security_parameters{bulk_cipher_algorithm =
+					BulkCipherAlgo,
+				    hash_size = HashSz},
+	   cipher_state := CipherS0
+	  } = ReadState, PaddingCheck) ->
     case ssl_cipher:decipher(BulkCipherAlgo, HashSz, CipherS0, CipherFragment, Version, PaddingCheck) of
 	{PlainFragment, Mac, CipherS1} ->
-	    CS1 = ReadState#connection_state{cipher_state = CipherS1},
+	    CS1 = ReadState#{cipher_state => CipherS1},
 	    {PlainFragment, Mac, CS1};
 	#alert{} = Alert ->
 	    Alert
     end.
 %%--------------------------------------------------------------------
--spec decipher_aead(ssl_version(), binary(), #connection_state{}, binary()) -> {binary(), binary(), #connection_state{}} | #alert{}.
+-spec decipher_aead(ssl_version(), binary(), connection_state(), binary()) -> 
+			   {binary(), binary(), connection_state()} | #alert{}.
 %%
 %% Description: Payload decryption
 %%--------------------------------------------------------------------
 decipher_aead(Version, CipherFragment,
-	 #connection_state{sequence_number = SeqNo,
-			   security_parameters =
-			       #security_parameters{bulk_cipher_algorithm =
-							BulkCipherAlgo},
-			   cipher_state = CipherS0
-			  } = ReadState, AAD) ->
+	      #{sequence_number := SeqNo,
+		security_parameters :=
+		    #security_parameters{bulk_cipher_algorithm =
+					     BulkCipherAlgo},
+		cipher_state := CipherS0
+	       } = ReadState, AAD) ->
     case ssl_cipher:decipher_aead(BulkCipherAlgo, CipherS0, SeqNo, AAD, CipherFragment, Version) of
 	{PlainFragment, CipherS1} ->
-	    CS1 = ReadState#connection_state{cipher_state = CipherS1},
+	    CS1 = ReadState#{cipher_state => CipherS1},
 	    {PlainFragment, CS1};
 	#alert{} = Alert ->
 	    Alert
@@ -466,8 +429,15 @@ decipher_aead(Version, CipherFragment,
 %%--------------------------------------------------------------------
 empty_connection_state(ConnectionEnd, BeastMitigation) ->
     SecParams = empty_security_params(ConnectionEnd),
-    #connection_state{security_parameters = SecParams,
-                      beast_mitigation = BeastMitigation}.
+    #{security_parameters => SecParams,
+      beast_mitigation => BeastMitigation,
+      compression_state  => undefined,
+      cipher_state  => undefined,
+      mac_secret  => undefined,
+      secure_renegotiation => undefined,
+      client_verify_data => undefined,
+      server_verify_data => undefined
+     }.
 
 empty_security_params(ConnectionEnd = ?CLIENT) ->
     #security_parameters{connection_end = ConnectionEnd,
@@ -481,10 +451,10 @@ random() ->
     Random_28_bytes = ssl_cipher:random_bytes(28),
     <<?UINT32(Secs_since_1970), Random_28_bytes/binary>>.
 
-dtls_next_epoch(#connection_state{epoch = undefined}) -> %% SSL/TLS
-    undefined;
-dtls_next_epoch(#connection_state{epoch = Epoch}) -> %% DTLS
-    Epoch + 1.
+%% dtls_next_epoch(#connection_state{epoch = undefined}) -> %% SSL/TLS
+%%     undefined;
+%% dtls_next_epoch(#connection_state{epoch = Epoch}) -> %% DTLS
+%%     Epoch + 1.
 
 is_correct_mac(Mac, Mac) ->
     true;
@@ -497,11 +467,17 @@ record_protocol_role(server) ->
     ?SERVER.
 
 initial_connection_state(ConnectionEnd, BeastMitigation) ->
-    #connection_state{security_parameters =
-			  initial_security_params(ConnectionEnd),
-                      sequence_number = 0,
-                      beast_mitigation = BeastMitigation
-                     }.
+    #{security_parameters =>
+	  initial_security_params(ConnectionEnd),
+      sequence_number => 0,
+      beast_mitigation => BeastMitigation,
+      compression_state  => undefined,
+      cipher_state  => undefined,
+      mac_secret  => undefined,
+      secure_renegotiation => undefined,
+      client_verify_data => undefined,
+      server_verify_data => undefined
+     }.
 
 initial_security_params(ConnectionEnd) ->
     SecParams = #security_parameters{connection_end = ConnectionEnd,
diff --git a/lib/ssl/src/ssl_record.hrl b/lib/ssl/src/ssl_record.hrl
index a41264ff9b..ed007f58d7 100644
--- a/lib/ssl/src/ssl_record.hrl
+++ b/lib/ssl/src/ssl_record.hrl
@@ -30,29 +30,27 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%% Connection states - RFC 4346 section 6.1
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--record(connection_state, {
-	  security_parameters,
-	  compression_state,
-	  cipher_state,
-	  mac_secret,
-	  epoch, %% Only used by DTLS
-	  sequence_number,
-	  %% RFC 5746
-	  secure_renegotiation,
-	  client_verify_data,
-	  server_verify_data,
-	  %% How to do BEAST mitigation?
-	  beast_mitigation
-	 }).
-
--record(connection_states, {
-	  dtls_write_msg_seq, %% Only used by DTLS
+%% For documentation purposes are now maps in implementation
+%% -record(connection_state, {
+%% 	  security_parameters,
+%% 	  compression_state,
+%% 	  cipher_state,
+%% 	  mac_secret,
+%% 	  sequence_number,
+%% 	  %% RFC 5746
+%% 	  secure_renegotiation,
+%% 	  client_verify_data,
+%% 	  server_verify_data,
+%% 	  %% How to do BEAST mitigation?
+%% 	  beast_mitigation
+%% 	 }).
 
-	  current_read,
-	  pending_read,
-	  current_write,
-	  pending_write
-	 }).
+%% -record(connection_states, {
+%% 	  current_read,
+%% 	  pending_read,
+%% 	  current_write,
+%% 	  pending_write,
+%% 	 }).
 
 -record(security_parameters, {
           cipher_suite,
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index c64a00c7bf..9b9031473a 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -491,7 +491,7 @@ decode_alerts(Bin) ->
 initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions, Tracker}, User,
 	      {CbModule, DataTag, CloseTag, ErrorTag}) ->
     #ssl_options{beast_mitigation = BeastMitigation} = SSLOptions,
-    ConnectionStates = ssl_record:init_connection_states(Role, BeastMitigation),
+    ConnectionStates = tls_record:init_connection_states(Role, BeastMitigation),
     
     SessionCacheCb = case application:get_env(ssl, session_cb) of
 			 {ok, Cb} when is_atom(Cb) ->
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 6e593950d9..a2486bf752 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -41,7 +41,7 @@
 %% Internal application API
 %%====================================================================
 %%--------------------------------------------------------------------
--spec client_hello(host(), inet:port_number(), #connection_states{},
+-spec client_hello(host(), inet:port_number(), ssl_record:connection_states(),
 		   #ssl_options{}, integer(), atom(), boolean(), der_cert()) ->
 			  #client_hello{}.
 %%
@@ -54,8 +54,7 @@ client_hello(Host, Port, ConnectionStates,
 			 } = SslOpts,
 	     Cache, CacheCb, Renegotiation, OwnCert) ->
     Version = tls_record:highest_protocol_version(Versions),
-    Pending = ssl_record:pending_connection_state(ConnectionStates, read),
-    SecParams = Pending#connection_state.security_parameters,
+    #{security_parameters := SecParams} = ssl_record:pending_connection_state(ConnectionStates, read),
     AvailableCipherSuites = ssl_handshake:available_suites(UserSuites, Version),     
     Extensions = ssl_handshake:client_hello_extensions(Host, Version, 
 						       AvailableCipherSuites,
@@ -78,14 +77,14 @@ client_hello(Host, Port, ConnectionStates,
 
 %%--------------------------------------------------------------------
 -spec hello(#server_hello{} | #client_hello{}, #ssl_options{},
-	    #connection_states{} | {inet:port_number(), #session{}, db_handle(),
-				    atom(), #connection_states{}, 
+	    ssl_record:connection_states() | {inet:port_number(), #session{}, db_handle(),
+				    atom(), ssl_record:connection_states(), 
 				    binary() | undefined, ssl_cipher:key_algo()},
 	    boolean()) ->
 		   {tls_record:tls_version(), session_id(), 
-		    #connection_states{}, alpn | npn, binary() | undefined}|
+		    ssl_record:connection_states(), alpn | npn, binary() | undefined}|
 		   {tls_record:tls_version(), {resumed | new, #session{}}, 
-		    #connection_states{}, binary() | undefined, 
+		    ssl_record:connection_states(), binary() | undefined, 
 		    #hello_extensions{}, {ssl_cipher:hash(), ssl_cipher:sign_algo()} | undefined} |
 		   #alert{}.
 %%
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index 9348c8bbdd..5331dd1303 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -32,7 +32,7 @@
 -include("ssl_cipher.hrl").
 
 %% Handling of incoming data
--export([get_tls_records/2]).
+-export([get_tls_records/2, init_connection_states/2]).
 
 %% Decoding
 -export([decode_cipher_text/3]).
@@ -56,12 +56,28 @@
 %%====================================================================
 %% Internal application API
 %%====================================================================
+%%--------------------------------------------------------------------
+-spec init_connection_states(client | server, one_n_minus_one | zero_n | disabled) ->
+ 				    ssl_record:connection_states().
+%% %
+						%
+%% Description: Creates a connection_states record with appropriate
+%% values for the initial SSL connection setup.
+%%--------------------------------------------------------------------
+init_connection_states(Role, BeastMitigation) ->
+    ConnectionEnd = ssl_record:record_protocol_role(Role),
+    Current = initial_connection_state(ConnectionEnd, BeastMitigation),
+    Pending = ssl_record:empty_connection_state(ConnectionEnd, BeastMitigation),
+    #{current_read  => Current,
+      pending_read  => Pending,
+      current_write => Current,
+      pending_write => Pending}.
 
 %%--------------------------------------------------------------------
 -spec get_tls_records(binary(), binary()) -> {[binary()], binary()} | #alert{}.
 %%			     
-%% Description: Given old buffer and new data from TCP, packs up a records
 %% and returns it as a list of tls_compressed binaries also returns leftover
+%% Description: Given old buffer and new data from TCP, packs up a records
 %% data
 %%--------------------------------------------------------------------
 get_tls_records(Data, <<>>) ->
@@ -129,63 +145,61 @@ get_tls_records_aux(Data, Acc) ->
 	end.
 
 encode_plain_text(Type, Version, Data,
-		  #connection_states{current_write =
-					 #connection_state{
-					    sequence_number = Seq,
-					    compression_state=CompS0,
-					    security_parameters=
-						#security_parameters{
-						   cipher_type = ?AEAD,
-						   compression_algorithm=CompAlg}
-					   }= WriteState0} = ConnectionStates) ->
+		  #{current_write :=
+			#{sequence_number := Seq,
+			  compression_state := CompS0,
+			  security_parameters :=
+			      #security_parameters{
+				 cipher_type = ?AEAD,
+				 compression_algorithm = CompAlg}
+			 }= WriteState0} = ConnectionStates) ->
     {Comp, CompS1} = ssl_record:compress(CompAlg, Data, CompS0),
-    WriteState1 = WriteState0#connection_state{compression_state = CompS1},
+    WriteState1 = WriteState0#{compression_state => CompS1},
     AAD = calc_aad(Type, Version, WriteState1),
     {CipherFragment, WriteState} = ssl_record:cipher_aead(Version, Comp, WriteState1, AAD),
     CipherText = encode_tls_cipher_text(Type, Version, CipherFragment),
-    {CipherText, ConnectionStates#connection_states{current_write = WriteState#connection_state{sequence_number = Seq +1}}};
+    {CipherText, ConnectionStates#{current_write => WriteState#{sequence_number => Seq +1}}};
 
 encode_plain_text(Type, Version, Data,
-		  #connection_states{current_write =
-					 #connection_state{
-					    sequence_number = Seq,
-					    compression_state=CompS0,
-					    security_parameters=
-						#security_parameters{compression_algorithm=CompAlg}
-					   }= WriteState0} = ConnectionStates) ->
+		  #{current_write :=
+			#{sequence_number := Seq,
+			  compression_state := CompS0,
+			  security_parameters :=
+			      #security_parameters{compression_algorithm = CompAlg}
+			 }= WriteState0} = ConnectionStates) ->
     {Comp, CompS1} = ssl_record:compress(CompAlg, Data, CompS0),
-    WriteState1 = WriteState0#connection_state{compression_state = CompS1},
+    WriteState1 = WriteState0#{compression_state => CompS1},
     MacHash = calc_mac_hash(Type, Version, Comp, WriteState1),
     {CipherFragment, WriteState} = ssl_record:cipher(Version, Comp, WriteState1, MacHash),
     CipherText = encode_tls_cipher_text(Type, Version, CipherFragment),
-    {CipherText, ConnectionStates#connection_states{current_write = WriteState#connection_state{sequence_number = Seq +1}}}.
+    {CipherText, ConnectionStates#{current_write => WriteState#{sequence_number => Seq +1}}};
+encode_plain_text(_,_,_, CS) ->
+    exit({cs, CS}).
 
 %%--------------------------------------------------------------------
--spec decode_cipher_text(#ssl_tls{}, #connection_states{}, boolean()) ->
-				{#ssl_tls{}, #connection_states{}}| #alert{}.
+-spec decode_cipher_text(#ssl_tls{}, ssl_record:connection_states(), boolean()) ->
+				{#ssl_tls{}, ssl_record:connection_states()}| #alert{}.
 %%
 %% Description: Decode cipher text
 %%--------------------------------------------------------------------
 decode_cipher_text(#ssl_tls{type = Type, version = Version,
 			    fragment = CipherFragment} = CipherText,
-		   #connection_states{current_read =
-					  #connection_state{
-					     compression_state = CompressionS0,
-					     sequence_number = Seq,
-					     security_parameters=
-						 #security_parameters{
-						    cipher_type = ?AEAD,
-						    compression_algorithm=CompAlg}
-					    } = ReadState0} = ConnnectionStates0, _) ->
+		   #{current_read :=
+			 #{compression_state := CompressionS0,
+			   sequence_number := Seq,
+			   security_parameters :=
+			       #security_parameters{
+				  cipher_type = ?AEAD,
+				  compression_algorithm = CompAlg}
+			  } = ReadState0} = ConnnectionStates0, _) ->
     AAD = calc_aad(Type, Version, ReadState0),
     case ssl_record:decipher_aead(Version, CipherFragment, ReadState0, AAD) of
 	{PlainFragment, ReadState1} ->
 	    {Plain, CompressionS1} = ssl_record:uncompress(CompAlg,
 							   PlainFragment, CompressionS0),
-	    ConnnectionStates = ConnnectionStates0#connection_states{
-				  current_read = ReadState1#connection_state{
-						   sequence_number = Seq + 1,
-						   compression_state = CompressionS1}},
+	    ConnnectionStates = ConnnectionStates0#{
+				  current_read => ReadState1#{sequence_number => Seq + 1,
+							      compression_state => CompressionS1}},
 	    {CipherText#ssl_tls{fragment = Plain}, ConnnectionStates};
 	#alert{} = Alert ->
 	    Alert
@@ -193,13 +207,12 @@ decode_cipher_text(#ssl_tls{type = Type, version = Version,
 
 decode_cipher_text(#ssl_tls{type = Type, version = Version,
 			    fragment = CipherFragment} = CipherText,
-		   #connection_states{current_read =
-					  #connection_state{
-					     compression_state = CompressionS0,
-					     sequence_number = Seq,
-					     security_parameters=
-						 #security_parameters{compression_algorithm=CompAlg}
-					    } = ReadState0} = ConnnectionStates0, PaddingCheck) ->
+		   #{current_read :=
+			 #{compression_state := CompressionS0,
+			   sequence_number := Seq,
+			   security_parameters :=
+			       #security_parameters{compression_algorithm = CompAlg}
+			  } = ReadState0} = ConnnectionStates0, PaddingCheck) ->
     case ssl_record:decipher(Version, CipherFragment, ReadState0, PaddingCheck) of
 	{PlainFragment, Mac, ReadState1} ->
 	    MacHash = calc_mac_hash(Type, Version, PlainFragment, ReadState1),
@@ -207,10 +220,10 @@ decode_cipher_text(#ssl_tls{type = Type, version = Version,
 		true ->
 		    {Plain, CompressionS1} = ssl_record:uncompress(CompAlg,
 								   PlainFragment, CompressionS0),
-		    ConnnectionStates = ConnnectionStates0#connection_states{
-					  current_read = ReadState1#connection_state{
-							   sequence_number = Seq + 1,
-							   compression_state = CompressionS1}},
+		    ConnnectionStates = ConnnectionStates0#{
+					  current_read => ReadState1#{
+							    sequence_number => Seq + 1,
+							    compression_state => CompressionS1}},
 		    {CipherText#ssl_tls{fragment = Plain}, ConnnectionStates};
 		false ->
 			?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
@@ -375,6 +388,18 @@ is_acceptable_version(_,_) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
+initial_connection_state(ConnectionEnd, BeastMitigation) ->
+    #{security_parameters =>
+	  ssl_record:initial_security_params(ConnectionEnd),
+      sequence_number => 0,
+      beast_mitigation => BeastMitigation,
+      compression_state  => undefined,
+      cipher_state  => undefined,
+      mac_secret  => undefined,
+      secure_renegotiation => undefined,
+      client_verify_data => undefined,
+      server_verify_data => undefined
+     }.
 
 lowest_list_protocol_version(Ver, []) ->
     Ver;
@@ -413,15 +438,15 @@ sufficient_tlsv1_2_crypto_support() ->
     proplists:get_bool(sha256, proplists:get_value(hashs, CryptoSupport)).
 
 calc_mac_hash(Type, Version,
-	      PlainFragment, #connection_state{sequence_number = SeqNo,
-					       mac_secret = MacSecret,
-					       security_parameters =
-						   SecPars}) ->
+	      PlainFragment, #{sequence_number := SeqNo,
+			       mac_secret := MacSecret,
+			       security_parameters:=
+				   SecPars}) ->
     Length = erlang:iolist_size(PlainFragment),
     mac_hash(Version, SecPars#security_parameters.mac_algorithm,
 	     MacSecret, SeqNo, Type,
 	     Length, PlainFragment).
 
 calc_aad(Type, {MajVer, MinVer},
-	 #connection_state{sequence_number = SeqNo}) ->
+	 #{sequence_number := SeqNo}) ->
     <<SeqNo:64/integer, ?BYTE(Type), ?BYTE(MajVer), ?BYTE(MinVer)>>.
diff --git a/lib/ssl/test/ssl_npn_hello_SUITE.erl b/lib/ssl/test/ssl_npn_hello_SUITE.erl
index 6ae9efe5e9..69aeea10c5 100644
--- a/lib/ssl/test/ssl_npn_hello_SUITE.erl
+++ b/lib/ssl/test/ssl_npn_hello_SUITE.erl
@@ -135,15 +135,12 @@ create_server_handshake(Npn) ->
 				     }, Vsn).
 
 create_connection_states() ->
-    #connection_states{
-       pending_read = #connection_state{
-			 security_parameters = #security_parameters{
+    #{pending_read => #{security_parameters => #security_parameters{
 						  server_random = <<1:256>>,
 						  compression_algorithm = 1,
 						  cipher_suite = ?TLS_DHE_DSS_WITH_DES_CBC_SHA
 						 }
-			},
-       current_read = #connection_state {
-			 secure_renegotiation = false
-			}
-      }.
+		       },
+      current_read => #{secure_renegotiation => false
+       }
+     }.