Merge branch 'ingela/ssl/dtls-cont' into maint

* ingela/ssl/dtls-cont:
  dtls: Only test this for TLS for now
  dtls: Avoid mixup of protocol to test
  dtls: 'dtlsv1.2' corresponds to 'tlsv1.2'
  dtls: Correct dialyzer spec and postpone inclusion of test
  dtls: Erlang distribution over DTLS is not supported
  dtls: Enable some DTLS tests in ssl_to_openssl_SUITE
  dtls: Enable DTLS test in ssl_certificate_verify_SUITE
  dtls: Hibernation and retransmit timers
  dtls: Make sure retransmission timers are run
  dtls: DTLS specific handling of socket and ciphers

15 files changed, 593 insertions, 292 deletions

diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 070a90d481..f607c86ae3 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -39,7 +39,7 @@
 -export([start_fsm/8, start_link/7, init/1]).
 
 %% State transition handling	 
--export([next_record/1, next_event/3]).
+-export([next_record/1, next_event/3, next_event/4]).
 
 %% Handshake handling
 -export([renegotiate/2, 
@@ -53,7 +53,7 @@
 %% Data handling
 
 -export([encode_data/3, passive_receive/2,  next_record_if_active/1, handle_common_event/4,
-	 send/3]).
+	 send/3, socket/5]).
 
 %% gen_statem state functions
 -export([init/3, error/3, downgrade/3, %% Initiation and take down states
@@ -77,20 +77,6 @@ start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = false},_, Tracker}
     catch
 	error:{badmatch, {error, _} = Error} ->
 	    Error
-    end;
-
-start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = true},_, Tracker} = Opts,
-	  User, {CbModule, _,_, _} = CbInfo, 
-	  Timeout) -> 
-    try 
-	{ok, Pid} = dtls_connection_sup:start_child_dist([Role, Host, Port, Socket, 
-							  Opts, User, CbInfo]), 
-	{ok, SslSocket} = ssl_connection:socket_control(?MODULE, Socket, Pid, CbModule, Tracker),
-	ok = ssl_connection:handshake(SslSocket, Timeout),
-	{ok, SslSocket} 
-    catch
-	error:{badmatch, {error, _} = Error} ->
-	    Error
     end.
 
 send_handshake(Handshake, #state{connection_states = ConnectionStates} = States) ->
@@ -201,6 +187,7 @@ reinit_handshake_data(#state{protocol_buffers = Buffers} = State) ->
     State#state{premaster_secret = undefined,
 		public_key_info = undefined,
 		tls_handshake_history = ssl_handshake:init_handshake_history(),
+                flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT},
 		protocol_buffers =
 		    Buffers#protocol_buffers{
 		      dtls_handshake_next_seq = 0,
@@ -213,6 +200,9 @@ select_sni_extension(#client_hello{extensions = HelloExtensions}) ->
 select_sni_extension(_) ->
     undefined.
 
+socket(Pid,  Transport, Socket, Connection, _) ->
+    dtls_socket:socket(Pid, Transport, Socket, Connection).
+
 %%====================================================================
 %% tls_connection_sup API
 %%====================================================================
@@ -243,7 +233,7 @@ callback_mode() ->
     state_functions.
 
 %%--------------------------------------------------------------------
-%% State functionsconnection/2
+%% State functions 
 %%--------------------------------------------------------------------
 
 init({call, From}, {start, Timeout}, 
@@ -262,17 +252,19 @@ init({call, From}, {start, Timeout},
     Version = Hello#client_hello.client_version,
     HelloVersion = dtls_record:lowest_protocol_version(SslOpts#ssl_options.versions),
     State1 = prepare_flight(State0#state{negotiated_version = Version}),
-    State2 = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}),  
+    {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}),  
     State3 = State2#state{negotiated_version = Version, %% Requested version
 			  session =
 			      Session0#session{session_id = Hello#client_hello.session_id},
 			  start_or_recv_from = From,
-			  timer = Timer},
+			  timer = Timer,
+                          flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}
+                         },
     {Record, State} = next_record(State3),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 init({call, _} = Type, Event, #state{role = server, transport_cb = gen_udp} = State) ->
     ssl_connection:init(Type, Event, 
-			State#state{flight_state = {waiting, undefined, ?INITIAL_RETRANSMIT_TIMEOUT}},
+			State#state{flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}},
 			?MODULE);
 init({call, _} = Type, Event, #state{role = server} = State) ->
     %% I.E. DTLS over sctp
@@ -302,9 +294,9 @@ hello(internal, #client_hello{cookie = <<>>,
     Cookie = dtls_handshake:cookie(<<"secret">>, IP, Port, Hello),
     VerifyRequest = dtls_handshake:hello_verify_request(Cookie, Version),
     State1 = prepare_flight(State0#state{negotiated_version = Version}),
-    State2 = send_handshake(VerifyRequest, State1),
+    {State2, Actions} = send_handshake(VerifyRequest, State1),
     {Record, State} = next_record(State2),
-    next_event(hello, Record, State#state{tls_handshake_history = ssl_handshake:init_handshake_history()});
+    next_event(hello, Record, State#state{tls_handshake_history = ssl_handshake:init_handshake_history()}, Actions);
 hello(internal, #client_hello{cookie = Cookie} = Hello, #state{role = server,
 							       transport_cb = Transport,
 							       socket = Socket} = State0) ->
@@ -333,13 +325,13 @@ hello(internal, #hello_verify_request{cookie = Cookie}, #state{role = client,
 					Cache, CacheCb, Renegotiation, OwnCert),
     Version = Hello#client_hello.client_version,
     HelloVersion = dtls_record:lowest_protocol_version(SslOpts#ssl_options.versions),
-    State2 = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}), 
+    {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}), 
     State3 = State2#state{negotiated_version = Version, %% Requested version
 			  session =
 			      Session0#session{session_id = 
 						   Hello#client_hello.session_id}},
     {Record, State} = next_record(State3),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 hello(internal, #server_hello{} = Hello,
       #state{connection_states = ConnectionStates0,
 	     negotiated_version = ReqVersion,
@@ -356,13 +348,13 @@ hello(internal, #server_hello{} = Hello,
 hello(internal, {handshake, {#client_hello{cookie = <<>>} = Handshake, _}}, State) ->
     %% Initial hello should not be in handshake history
     {next_state, hello, State, [{next_event, internal, Handshake}]};
-
 hello(internal, {handshake, {#hello_verify_request{} = Handshake, _}}, State) ->
     %% hello_verify should not be in handshake history
     {next_state, hello, State, [{next_event, internal, Handshake}]};
-
 hello(info, Event, State) ->
     handle_info(Event, hello, State);
+hello(state_timeout, Event, State) ->
+    handle_state_timeout(Event, hello, State);
 hello(Type, Event, State) ->
     ssl_connection:hello(Type, Event, State, ?MODULE).
 
@@ -375,7 +367,11 @@ abbreviated(internal = Type,
     ConnectionStates = dtls_record:next_epoch(ConnectionStates1, read),
     ssl_connection:abbreviated(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE);
 abbreviated(internal = Type, #finished{} = Event, #state{connection_states = ConnectionStates} = State) ->
-    ssl_connection:cipher(Type, Event, prepare_flight(State#state{connection_states = ConnectionStates}), ?MODULE);
+    ssl_connection:abbreviated(Type, Event, 
+                               prepare_flight(State#state{connection_states = ConnectionStates,
+                                                          flight_state = connection}), ?MODULE);
+abbreviated(state_timeout, Event, State) ->
+    handle_state_timeout(Event, abbreviated, State);
 abbreviated(Type, Event, State) ->
     ssl_connection:abbreviated(Type, Event, State, ?MODULE).
 
@@ -383,6 +379,8 @@ certify(info, Event, State) ->
     handle_info(Event, certify, State);
 certify(internal = Type, #server_hello_done{} = Event, State) ->
     ssl_connection:certify(Type, Event, prepare_flight(State), ?MODULE);
+certify(state_timeout, Event, State) ->
+    handle_state_timeout(Event, certify, State);
 certify(Type, Event, State) ->
     ssl_connection:certify(Type, Event, State, ?MODULE).
 
@@ -395,7 +393,11 @@ cipher(internal = Type, #change_cipher_spec{type = <<1>>} = Event,
     ssl_connection:cipher(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE);
 cipher(internal = Type, #finished{} = Event, #state{connection_states = ConnectionStates} = State) ->
     ssl_connection:cipher(Type, Event, 
-			  prepare_flight(State#state{connection_states = ConnectionStates}), ?MODULE);
+			  prepare_flight(State#state{connection_states = ConnectionStates,
+                                                     flight_state = connection}), 
+                          ?MODULE);
+cipher(state_timeout, Event, State) ->
+    handle_state_timeout(Event, cipher, State);
 cipher(Type, Event, State) ->
      ssl_connection:cipher(Type, Event, State, ?MODULE).
 
@@ -409,12 +411,12 @@ connection(internal, #hello_request{}, #state{host = Host, port = Port,
 				    renegotiation = {Renegotiation, _}} = State0) ->
     Hello = dtls_handshake:client_hello(Host, Port, ConnectionStates0, SslOpts,
 					Cache, CacheCb, Renegotiation, Cert),
-    State1 = send_handshake(Hello, State0),
+    {State1, Actions} = send_handshake(Hello, State0),
     {Record, State} =
 	next_record(
 	  State1#state{session = Session0#session{session_id
 						  = Hello#client_hello.session_id}}),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 connection(internal, #client_hello{} = Hello, #state{role = server, allow_renegotiate = true} = State) ->
     %% Mitigate Computational DoS attack
     %% http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
@@ -434,7 +436,6 @@ connection(Type, Event, State) ->
 downgrade(Type, Event, State) ->
      ssl_connection:downgrade(Type, Event, State, ?MODULE).
 
-
 %%--------------------------------------------------------------------
 %% Description: This function is called by a gen_fsm when it receives any
 %% other message than a synchronous or asynchronous event
@@ -442,16 +443,6 @@ downgrade(Type, Event, State) ->
 %%--------------------------------------------------------------------
 
 %% raw data from socket, unpack records
-handle_info({_,flight_retransmission_timeout}, connection, _) ->
-    {next_state, keep_state_and_data};
-handle_info({Ref, flight_retransmission_timeout}, StateName, 
-	    #state{flight_state = {waiting, Ref, NextTimeout}} = State0) ->
-    State1 = send_handshake_flight(State0#state{flight_state = {retransmit_timer, NextTimeout}}, 
-				   retransmit_epoch(StateName, State0)),
-    {Record, State} = next_record(State1),
-    next_event(StateName, Record, State);
-handle_info({_, flight_retransmission_timeout}, _, _) ->
-    {next_state, keep_state_and_data};
 handle_info({Protocol, _, _, _, Data}, StateName,
             #state{data_tag = Protocol} = State0) ->
     case next_dtls_record(Data, State0) of
@@ -489,7 +480,6 @@ handle_call(Event, From, StateName, State) ->
 handle_common_event(internal, #alert{} = Alert, StateName, 
 		    #state{negotiated_version = Version} = State) ->
     ssl_connection:handle_own_alert(Alert, Version, StateName, State);
-
 %%% DTLS record protocol level handshake messages 
 handle_common_event(internal, #ssl_tls{type = ?HANDSHAKE,
 				       fragment = Data}, 
@@ -498,19 +488,14 @@ handle_common_event(internal, #ssl_tls{type = ?HANDSHAKE,
 			   negotiated_version = Version} = State0) ->
     try
 	case dtls_handshake:get_dtls_handshake(Version, Data, Buffers0) of
-	    {more_data, Buffers} ->
+	    {[], Buffers} ->
 		{Record, State} = next_record(State0#state{protocol_buffers = Buffers}),
 		next_event(StateName, Record, State);
 	    {Packets, Buffers} ->
 		State = State0#state{protocol_buffers = Buffers},
 		Events = dtls_handshake_events(Packets),
-		case StateName of
-		    connection ->
-			ssl_connection:hibernate_after(StateName, State, Events);
-		    _ ->
-			{next_state, StateName, 
-			 State#state{unprocessed_handshake_events = unprocessed_events(Events)}, Events}
-		end
+                {next_state, StateName, 
+                 State#state{unprocessed_handshake_events = unprocessed_events(Events)}, Events}
 	end
     catch throw:#alert{} = Alert ->
 	    ssl_connection:handle_own_alert(Alert, Version, StateName, State0)
@@ -534,6 +519,13 @@ handle_common_event(internal, #ssl_tls{type = ?ALERT, fragment = EncAlerts}, Sta
 handle_common_event(internal, #ssl_tls{type = _Unknown}, StateName, State) ->
     {next_state, StateName, State}.
 
+handle_state_timeout(flight_retransmission_timeout, StateName, 
+                    #state{flight_state = {retransmit, NextTimeout}} = State0) ->
+    {State1, Actions} = send_handshake_flight(State0#state{flight_state = {retransmit, NextTimeout}}, 
+                                              retransmit_epoch(StateName, State0)),
+    {Record, State} = next_record(State1),
+    next_event(StateName, Record, State, Actions).
+
 send(Transport, {_, {{_,_}, _} = Socket}, Data) ->
     send(Transport, Socket, Data);
 send(Transport, Socket, Data) ->
@@ -645,7 +637,8 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions, _}, User,
 	   allow_renegotiate = SSLOptions#ssl_options.client_renegotiation,
 	   start_or_recv_from = undefined,
 	   protocol_cb = ?MODULE,
-	   flight_buffer = new_flight()
+	   flight_buffer = new_flight(),
+           flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}
 	  }.
 
 next_dtls_record(Data, #state{protocol_buffers = #protocol_buffers{
@@ -714,14 +707,14 @@ next_event(connection = StateName, no_record,
 	   #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) ->
     case next_record_if_active(State0) of
 	{no_record, State} ->
-	    ssl_connection:hibernate_after(StateName, State, Actions);
+            ssl_connection:hibernate_after(StateName, State, Actions);
 	{#ssl_tls{epoch = CurrentEpoch} = Record, State} ->
 	    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};
 	{#ssl_tls{epoch = Epoch,
 		  type = ?HANDSHAKE,
 		  version = _Version}, State1} = _Record when Epoch == CurrentEpoch-1 ->
-	    State = send_handshake_flight(State1, Epoch),
-	    {next_state, StateName, State, Actions};
+	    {State, MoreActions} = send_handshake_flight(State1, Epoch),
+	    {next_state, StateName, State, Actions ++ MoreActions};
 	{#ssl_tls{epoch = _Epoch,
 		  version = _Version}, State} ->
 	    %% TODO maybe buffer later epoch
@@ -772,17 +765,20 @@ next_flight(Flight) ->
     Flight#{handshakes => [],
 	    change_cipher_spec => undefined,
 	    handshakes_after_change_cipher_spec => []}.
-
 	
 start_flight(#state{transport_cb = gen_udp,
-		    flight_state = {retransmit_timer, Timeout}} = State) ->
-    Ref = erlang:make_ref(),
-    _ = erlang:send_after(Timeout, self(), {Ref, flight_retransmission_timeout}),    
-    State#state{flight_state = {waiting, Ref, new_timeout(Timeout)}};
-
+		    flight_state = {retransmit, Timeout}} = State) ->
+    start_retransmision_timer(Timeout, State);
+start_flight(#state{transport_cb = gen_udp,
+		    flight_state = connection} = State) ->
+    {State, []};
 start_flight(State) ->
     %% No retransmision needed i.e DTLS over SCTP
-    State#state{flight_state = reliable}.
+    {State#state{flight_state = reliable}, []}.
+
+start_retransmision_timer(Timeout, State) ->
+    {State#state{flight_state = {retransmit, new_timeout(Timeout)}}, 
+     [{state_timeout, Timeout, flight_retransmission_timeout}]}.
 
 new_timeout(N) when N =< 30 -> 
     N * 2;
@@ -806,13 +802,13 @@ renegotiate(#state{role = server,
 		   connection_states = CS0} = State0, Actions) ->
     HelloRequest = ssl_handshake:hello_request(),
     CS = CS0#{write_msg_seq => 0},
-    State1 = send_handshake(HelloRequest, 
-			    State0#state{connection_states =
-					     CS}),
+    {State1, MoreActions} = send_handshake(HelloRequest, 
+                                           State0#state{connection_states =
+                                                        CS}),
     Hs0 = ssl_handshake:init_handshake_history(),
     {Record, State} = next_record(State1#state{tls_handshake_history = Hs0,
 					       protocol_buffers = #protocol_buffers{}}),
-    next_event(hello, Record, State, Actions).
+    next_event(hello, Record, State, Actions ++ MoreActions).
 
 handle_alerts([], Result) ->
     Result;
@@ -823,15 +819,11 @@ handle_alerts([Alert | Alerts], {next_state, StateName, State}) ->
 handle_alerts([Alert | Alerts], {next_state, StateName, State, _Actions}) ->
      handle_alerts(Alerts, ssl_connection:handle_alert(Alert, StateName, State)).
 
-retransmit_epoch(StateName, #state{connection_states = ConnectionStates}) ->
+retransmit_epoch(_StateName, #state{connection_states = ConnectionStates}) ->
     #{epoch := Epoch} = 
 	ssl_record:current_connection_state(ConnectionStates, write),
-    case StateName of
-	connection ->
-	    Epoch-1;
-	_ ->
-	    Epoch
-    end.	
+    Epoch.
+
 	    
 update_handshake_history(#hello_verify_request{}, _, Hist) ->
     Hist;
@@ -846,3 +838,4 @@ unprocessed_events(Events) ->
     %% handshake events left to process before we should
     %% process more TLS-records received on the socket. 
     erlang:length(Events)-1.
+
diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl
index af3708ddb7..fd1f9698fe 100644
--- a/lib/ssl/src/dtls_handshake.erl
+++ b/lib/ssl/src/dtls_handshake.erl
@@ -136,9 +136,11 @@ handshake_bin([Type, Length, Data], Seq) ->
     
 %%--------------------------------------------------------------------
 -spec get_dtls_handshake(dtls_record:dtls_version(), binary(), #protocol_buffers{}) ->
-     {[{dtls_handshake(), binary()}], #protocol_buffers{}} | {more_data, #protocol_buffers{}}.
+                                {[dtls_handshake()], #protocol_buffers{}}.                
 %%
-%% Description: ...
+%% Description:  Given buffered and new data from dtls_record, collects
+%% and returns it as a list of handshake messages, also returns 
+%% possible leftover data in the new "protocol_buffers".
 %%--------------------------------------------------------------------
 get_dtls_handshake(Version, Fragment, ProtocolBuffers) ->
     handle_fragments(Version, Fragment, ProtocolBuffers, []).
@@ -288,8 +290,6 @@ do_handle_fragments(_, [], Buffers, Acc) ->
     {lists:reverse(Acc), Buffers};
 do_handle_fragments(Version, [Fragment | Fragments], Buffers0, Acc) ->
     case reassemble(Version, Fragment, Buffers0) of
-	{more_data, _} = More when Acc == []->
-	    More;
 	{more_data, Buffers} when Fragments == [] ->
 	    {lists:reverse(Acc), Buffers};
 	{more_data, Buffers} ->
diff --git a/lib/ssl/src/dtls_socket.erl b/lib/ssl/src/dtls_socket.erl
index 570b3ae83a..ac1a7b37c6 100644
--- a/lib/ssl/src/dtls_socket.erl
+++ b/lib/ssl/src/dtls_socket.erl
@@ -71,11 +71,14 @@ connect(Address, Port, #config{transport_info = {Transport, _, _, _} = CbInfo,
 close(gen_udp, {_Client, _Socket}) ->
     ok.
 
+socket(Pid, gen_udp = Transport, {{_, _}, Socket}, ConnectionCb) ->
+    #sslsocket{pid = Pid, 
+	       %% "The name "fd" is keept for backwards compatibility
+	       fd = {Transport, Socket, ConnectionCb}};
 socket(Pid, Transport, Socket, ConnectionCb) ->
     #sslsocket{pid = Pid, 
 	       %% "The name "fd" is keept for backwards compatibility
-	       fd = {Transport, Socket, ConnectionCb}}.	
-
+	       fd = {Transport, Socket, ConnectionCb}}.
 %% Vad göra med emulerade
 setopts(gen_udp, #sslsocket{pid = {Socket, _}}, Options) ->
     {SockOpts, _} = tls_socket:split_options(Options),
@@ -108,11 +111,15 @@ getstat(gen_udp, {_,Socket}, Options) ->
 	inet:getstat(Socket, Options);
 getstat(Transport, Socket, Options) ->
 	Transport:getstat(Socket, Options).
+peername(udp, _) ->
+    {error, enotconn};
 peername(gen_udp, {_, {Client, _Socket}}) ->
     {ok, Client};
 peername(Transport, Socket) ->
     Transport:peername(Socket).
-sockname(gen_udp, {_,Socket}) ->
+sockname(gen_udp, {_, {_,Socket}}) ->
+    inet:sockname(Socket);
+sockname(gen_udp, Socket) ->
     inet:sockname(Socket);
 sockname(Transport, Socket) ->
     Transport:sockname(Socket).
diff --git a/lib/ssl/src/dtls_udp_listener.erl b/lib/ssl/src/dtls_udp_listener.erl
index b7f115582e..ab3d0783bd 100644
--- a/lib/ssl/src/dtls_udp_listener.erl
+++ b/lib/ssl/src/dtls_udp_listener.erl
@@ -24,7 +24,8 @@
 -behaviour(gen_server).
 
 %% API
--export([start_link/4, active_once/3, accept/2, sockname/1]).
+-export([start_link/4, active_once/3, accept/2, sockname/1, close/1,
+        get_all_opts/1]).
 
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
@@ -39,7 +40,8 @@
 	 clients = set_new(),
 	 dtls_processes = kv_new(),
 	 accepters  = queue:new(),
-	 first
+	 first,
+         close
 	}).
 
 %%%===================================================================
@@ -53,10 +55,14 @@ active_once(UDPConnection, Client, Pid) ->
     gen_server:cast(UDPConnection, {active_once, Client, Pid}).
 
 accept(UDPConnection, Accepter) ->
-    gen_server:call(UDPConnection, {accept, Accepter}, infinity).
+    call(UDPConnection, {accept, Accepter}).
 
 sockname(UDPConnection) ->
-    gen_server:call(UDPConnection, sockname, infinity).
+    call(UDPConnection, sockname).
+close(UDPConnection) ->
+    call(UDPConnection, close).
+get_all_opts(UDPConnection) ->
+    call(UDPConnection, get_all_opts).
 
 %%%===================================================================
 %%% gen_server callbacks
@@ -69,10 +75,13 @@ init([Port, EmOpts, InetOptions, DTLSOptions]) ->
 		    first = true,
 		    dtls_options = DTLSOptions,
 		    emulated_options = EmOpts,
-		    listner = Socket}}
+		    listner = Socket,
+                    close = false}}
     catch _:_ ->
 	    {error, closed}
     end.
+handle_call({accept, _}, _, #state{close = true} = State) ->
+    {reply, {error, closed}, State};
 
 handle_call({accept, Accepter}, From, #state{first = true,
 					     accepters = Accepters,
@@ -87,7 +96,21 @@ handle_call({accept, Accepter}, From, #state{accepters = Accepters} = State0) ->
     {noreply, State};
 handle_call(sockname, _, #state{listner = Socket} = State) ->
     Reply = inet:sockname(Socket),
-    {reply, Reply, State}.
+    {reply, Reply, State};
+handle_call(close, _, #state{dtls_processes = Processes,
+                             accepters = Accepters} = State) ->
+    case kv_empty(Processes) of
+        true ->
+            {stop, normal, ok, State#state{close=true}};
+        false -> 
+            lists:foreach(fun({_, From}) ->
+                                  gen_server:reply(From, {error, closed})
+                          end, queue:to_list(Accepters)),
+            {reply, ok,  State#state{close = true, accepters = queue:new()}}
+    end;
+handle_call(get_all_opts, _, #state{dtls_options = DTLSOptions,
+                                    emulated_options = EmOpts} = State) ->
+    {reply, {ok, EmOpts, DTLSOptions}, State}.
 
 handle_cast({active_once, Client, Pid}, State0) ->
     State = handle_active_once(Client, Pid, State0),
@@ -99,11 +122,17 @@ handle_info({udp, Socket, IP, InPortNo, _} = Msg, #state{listner = Socket} = Sta
     {noreply, State};
 
 handle_info({'DOWN', _, process, Pid, _}, #state{clients = Clients,
-						 dtls_processes = Processes0} = State) ->
+						 dtls_processes = Processes0,
+                                                 close = ListenClosed} = State) ->
     Client = kv_get(Pid, Processes0),
     Processes = kv_delete(Pid, Processes0),
-    {noreply, State#state{clients = set_delete(Client, Clients),
-			  dtls_processes = Processes}}.
+    case ListenClosed andalso kv_empty(Processes) of
+        true ->
+            {stop, normal, State};
+        false ->
+            {noreply, State#state{clients = set_delete(Client, Clients),
+                                  dtls_processes = Processes}}
+    end.
 
 terminate(_Reason, _State) ->
     ok.
@@ -182,6 +211,7 @@ setup_new_connection(User, From, Client, Msg, #state{dtls_processes = Processes,
 	    gen_server:reply(From, {error, Reason}),
 	    State
     end.
+
 kv_update(Key, Value, Store) ->
     gb_trees:update(Key, Value, Store).
 kv_lookup(Key, Store) ->
@@ -194,6 +224,8 @@ kv_delete(Key, Store) ->
     gb_trees:delete(Key, Store).
 kv_new() ->
     gb_trees:empty().
+kv_empty(Store) ->
+    gb_trees:is_empty(Store).
 
 set_new() ->
     gb_sets:empty().
@@ -203,3 +235,15 @@ set_delete(Item, Set) ->
     gb_sets:delete(Item, Set).
 set_is_member(Item, Set) ->
     gb_sets:is_member(Item, Set).
+
+call(Server, Msg) ->
+    try
+        gen_server:call(Server, Msg, infinity)
+    catch
+	exit:{noproc, _} ->
+	    {error, closed};
+        exit:{normal, _} ->
+            {error, closed};
+        exit:{{shutdown, _},_} ->
+            {error, closed}
+    end.
diff --git a/lib/ssl/src/dtls_v1.erl b/lib/ssl/src/dtls_v1.erl
index ffd3e4b833..dd0d35d404 100644
--- a/lib/ssl/src/dtls_v1.erl
+++ b/lib/ssl/src/dtls_v1.erl
@@ -21,12 +21,21 @@
 
 -include("ssl_cipher.hrl").
 
--export([suites/1, mac_hash/7, ecc_curves/1, corresponding_tls_version/1, corresponding_dtls_version/1]).
+-export([suites/1, all_suites/1, mac_hash/7, ecc_curves/1, 
+         corresponding_tls_version/1, corresponding_dtls_version/1]).
 
 -spec suites(Minor:: 253|255) -> [ssl_cipher:cipher_suite()].
 
 suites(Minor) ->
-   tls_v1:suites(corresponding_minor_tls_version(Minor)).
+    lists:filter(fun(Cipher) -> 
+                         is_acceptable_cipher(ssl_cipher:suite_definition(Cipher)) 
+                 end,
+                 tls_v1:suites(corresponding_minor_tls_version(Minor))).
+all_suites(Version) ->
+    lists:filter(fun(Cipher) -> 
+                         is_acceptable_cipher(ssl_cipher:suite_definition(Cipher)) 
+                 end,
+                 ssl_cipher:all_suites(corresponding_tls_version(Version))).
 
 mac_hash(Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) ->
     tls_v1:mac_hash(MacAlg, MacSecret, SeqNo, Type, Version,
@@ -50,3 +59,5 @@ corresponding_minor_dtls_version(2) ->
     255;
 corresponding_minor_dtls_version(3) ->
     253.
+is_acceptable_cipher(Suite) ->
+    not ssl_cipher:is_stream_ciphersuite(Suite).
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 148989174d..064dcd6892 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -63,7 +63,7 @@
     {applications, [crypto, public_key, kernel, stdlib]},
     {env, []},
     {mod, {ssl_app, []}},
-    {runtime_dependencies, ["stdlib-3.1","public_key-1.2","kernel-3.0",
+    {runtime_dependencies, ["stdlib-3.2","public_key-1.2","kernel-3.0",
 			    "erts-7.0","crypto-3.3", "inets-5.10.7"]}]}.
 
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 4a5a7e25ea..ed04c7e67b 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -187,16 +187,24 @@ ssl_accept(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
 
 ssl_accept(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     ssl_accept(Socket, Timeout);
-ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts0, Timeout) when
+ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts, Timeout) when
       (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     try
-	{ok, EmOpts, InheritedSslOpts} = tls_socket:get_all_opts(Tracker),
-	SslOpts = handle_options(SslOpts0, InheritedSslOpts),
+	{ok, EmOpts, _} = tls_socket:get_all_opts(Tracker),
 	ssl_connection:handshake(Socket, {SslOpts, 
 					  tls_socket:emulated_socket_options(EmOpts, #socket_options{})}, Timeout)
     catch
 	Error = {error, _Reason} -> Error
     end;
+ssl_accept(#sslsocket{pid = Pid, fd = {_, _, _}} = Socket, SslOpts, Timeout) when
+      (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
+    try
+        {ok, EmOpts, _} = dtls_udp_listener:get_all_opts(Pid),
+	ssl_connection:handshake(Socket, {SslOpts,  
+                                          tls_socket:emulated_socket_options(EmOpts, #socket_options{})}, Timeout)
+    catch
+	Error = {error, _Reason} -> Error
+    end;
 ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
 					     (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
     {Transport,_,_,_} =
@@ -215,7 +223,6 @@ ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
     catch
 	Error = {error, _Reason} -> Error
     end.
-
 %%--------------------------------------------------------------------
 -spec  close(#sslsocket{}) -> term().
 %%
@@ -223,6 +230,8 @@ ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
 %%--------------------------------------------------------------------
 close(#sslsocket{pid = Pid}) when is_pid(Pid) ->
     ssl_connection:close(Pid, {close, ?DEFAULT_TIMEOUT});
+close(#sslsocket{pid = {udp, #config{udp_handler = {Pid, _}}}}) ->
+   dtls_udp_listener:close(Pid);
 close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_, _, _}}}}) ->
     Transport:close(ListenSocket).
 
@@ -251,6 +260,8 @@ send(#sslsocket{pid = Pid}, Data) when is_pid(Pid) ->
     ssl_connection:send(Pid, Data);
 send(#sslsocket{pid = {_, #config{transport_info={gen_udp, _, _, _}}}}, _) ->
     {error,enotconn}; %% Emulate connection behaviour
+send(#sslsocket{pid = {udp,_}}, _) ->
+    {error,enotconn};
 send(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport, _, _, _}}}}, Data) ->
     Transport:send(ListenSocket, Data). %% {error,enotconn}
 
@@ -265,6 +276,8 @@ recv(Socket, Length) ->
 recv(#sslsocket{pid = Pid}, Length, Timeout) when is_pid(Pid),
 						  (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     ssl_connection:recv(Pid, Length, Timeout);
+recv(#sslsocket{pid = {udp,_}}, _, _) ->
+    {error,enotconn};
 recv(#sslsocket{pid = {Listen,
 		       #config{transport_info = {Transport, _, _, _}}}}, _,_) when is_port(Listen)->
     Transport:recv(Listen, 0). %% {error,enotconn}
@@ -277,10 +290,14 @@ recv(#sslsocket{pid = {Listen,
 %%--------------------------------------------------------------------
 controlling_process(#sslsocket{pid = Pid}, NewOwner) when is_pid(Pid), is_pid(NewOwner) ->
     ssl_connection:new_user(Pid, NewOwner);
+controlling_process(#sslsocket{pid = {udp, _}},
+		    NewOwner) when is_pid(NewOwner) ->
+    ok; %% Meaningless but let it be allowed to conform with TLS 
 controlling_process(#sslsocket{pid = {Listen,
 				      #config{transport_info = {Transport, _, _, _}}}},
 		    NewOwner) when is_port(Listen),
 				   is_pid(NewOwner) ->
+     %% Meaningless but let it be allowed to conform with normal sockets  
     Transport:controlling_process(Listen, NewOwner).
 
 
@@ -297,7 +314,9 @@ connection_information(#sslsocket{pid = Pid}) when is_pid(Pid) ->
             Error
     end;
 connection_information(#sslsocket{pid = {Listen, _}}) when is_port(Listen) -> 
-    {error, enotconn}.
+    {error, enotconn};
+connection_information(#sslsocket{pid = {udp,_}}) ->
+    {error,enotconn}. 
 
 %%--------------------------------------------------------------------
 -spec connection_information(#sslsocket{}, [atom()]) -> {ok, list()} | {error, reason()}.
@@ -333,10 +352,18 @@ connection_info(#sslsocket{} = SSLSocket) ->
 %%
 %% Description: same as inet:peername/1.
 %%--------------------------------------------------------------------
+peername(#sslsocket{pid = Pid, fd = {Transport, Socket, _}}) when is_pid(Pid)->
+    dtls_socket:peername(Transport, Socket);
 peername(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid)->
     tls_socket:peername(Transport, Socket);
+peername(#sslsocket{pid = {udp = Transport, #config{udp_handler = {_Pid, _}}}}) ->
+    dtls_socket:peername(Transport, undefined);
+peername(#sslsocket{pid = Pid, fd = {gen_udp= Transport, Socket, _, _}}) when is_pid(Pid) ->
+    dtls_socket:peername(Transport, Socket);
 peername(#sslsocket{pid = {ListenSocket,  #config{transport_info = {Transport,_,_,_}}}}) ->
-    tls_socket:peername(Transport, ListenSocket). %% Will return {error, enotconn}
+    tls_socket:peername(Transport, ListenSocket); %% Will return {error, enotconn}
+peername(#sslsocket{pid = {udp,_}}) ->
+    {error,enotconn}.
 
 %%--------------------------------------------------------------------
 -spec peercert(#sslsocket{}) ->{ok, DerCert::binary()} | {error, reason()}.
@@ -350,6 +377,8 @@ peercert(#sslsocket{pid = Pid}) when is_pid(Pid) ->
         Result ->
 	    Result
     end;
+peercert(#sslsocket{pid = {udp, _}}) ->
+    {error, enotconn};
 peercert(#sslsocket{pid = {Listen, _}}) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -506,6 +535,8 @@ getstat(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}, Options) when is_
 shutdown(#sslsocket{pid = {Listen, #config{transport_info = {Transport,_, _, _}}}},
 	 How) when is_port(Listen) ->
     Transport:shutdown(Listen, How);
+shutdown(#sslsocket{pid = {udp,_}},_) ->
+    {error, enotconn};
 shutdown(#sslsocket{pid = Pid}, How) ->
     ssl_connection:shutdown(Pid, How).
 
@@ -518,7 +549,7 @@ sockname(#sslsocket{pid = {Listen,  #config{transport_info = {Transport, _, _, _
     tls_socket:sockname(Transport, Listen);
 sockname(#sslsocket{pid = {udp, #config{udp_handler = {Pid, _}}}}) ->
     dtls_udp_listener:sockname(Pid);
-sockname(#sslsocket{pid = Pid, fd = {gen_udp= Transport, Socket, _, _}}) when is_pid(Pid) ->
+sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _}}) when is_pid(Pid) ->
     dtls_socket:sockname(Transport, Socket);
 sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid) ->
     tls_socket:sockname(Transport, Socket).
@@ -531,6 +562,8 @@ sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid)
 %%--------------------------------------------------------------------
 session_info(#sslsocket{pid = Pid}) when is_pid(Pid) ->
     ssl_connection:session_info(Pid);
+session_info(#sslsocket{pid = {udp,_}}) ->
+    {error, enotconn};
 session_info(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -555,6 +588,8 @@ versions() ->
 %%--------------------------------------------------------------------
 renegotiate(#sslsocket{pid = Pid}) when is_pid(Pid) ->
     ssl_connection:renegotiation(Pid);
+renegotiate(#sslsocket{pid = {udp,_}}) ->
+    {error, enotconn};
 renegotiate(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -568,6 +603,8 @@ renegotiate(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
 prf(#sslsocket{pid = Pid},
     Secret, Label, Seed, WantedLength) when is_pid(Pid) ->
     ssl_connection:prf(Pid, Secret, Label, Seed, WantedLength);
+prf(#sslsocket{pid = {udp,_}}, _,_,_,_) ->
+    {error, enotconn};
 prf(#sslsocket{pid = {Listen,_}}, _,_,_,_) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -696,7 +733,7 @@ handle_options(Opts0, Role) ->
 		       [RecordCb:protocol_version(Vsn) || Vsn <- Vsns]
 	       end,
 
-    Protocol = proplists:get_value(protocol, Opts, tls),
+    Protocol = handle_option(protocol, Opts, tls),
 
     SSLOptions = #ssl_options{
 		    versions   = Versions,
@@ -755,7 +792,7 @@ handle_options(Opts0, Role) ->
 		    honor_ecc_order = handle_option(honor_ecc_order, Opts,
 						       default_option_role(server, false, Role),
 						       server, Role),
-		    protocol = Protocol, 
+		    protocol = Protocol,
 		    padding_check =  proplists:get_value(padding_check, Opts, true),
 		    beast_mitigation = handle_option(beast_mitigation, Opts, one_n_minus_one),
 		    fallback = handle_option(fallback, Opts,
@@ -1032,6 +1069,10 @@ validate_option(v2_hello_compatible, Value) when is_boolean(Value)  ->
     Value;
 validate_option(max_handshake_size, Value) when is_integer(Value)  andalso Value =< ?MAX_UNIT24 ->
     Value;
+validate_option(protocol, Value = tls) ->
+    Value;
+validate_option(protocol, Value = dtls) ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
@@ -1069,17 +1110,37 @@ validate_binary_list(Opt, List) ->
            (Bin) ->
             throw({error, {options, {Opt, {invalid_protocol, Bin}}}})
         end, List).
-
 validate_versions([], Versions) ->
     Versions;
 validate_versions([Version | Rest], Versions) when Version == 'tlsv1.2';
                                                    Version == 'tlsv1.1';
                                                    Version == tlsv1;
                                                    Version == sslv3 ->
-    validate_versions(Rest, Versions);
+    tls_validate_versions(Rest, Versions);                                      
+validate_versions([Version | Rest], Versions) when Version == 'dtlsv1';
+                                                   Version == 'dtlsv2'->
+    dtls_validate_versions(Rest, Versions);
 validate_versions([Ver| _], Versions) ->
     throw({error, {options, {Ver, {versions, Versions}}}}).
 
+tls_validate_versions([], Versions) ->
+    Versions;
+tls_validate_versions([Version | Rest], Versions) when Version == 'tlsv1.2';
+                                                   Version == 'tlsv1.1';
+                                                   Version == tlsv1;
+                                                   Version == sslv3 ->
+    tls_validate_versions(Rest, Versions);                  
+tls_validate_versions([Ver| _], Versions) ->
+    throw({error, {options, {Ver, {versions, Versions}}}}).
+
+dtls_validate_versions([], Versions) ->
+    Versions;
+dtls_validate_versions([Version | Rest], Versions) when  Version == 'dtlsv1';
+                                                         Version == 'dtlsv2'->
+    dtls_validate_versions(Rest, Versions);
+dtls_validate_versions([Ver| _], Versions) ->
+    throw({error, {options, {Ver, {versions, Versions}}}}).
+
 validate_inet_option(mode, Value)
   when Value =/= list, Value =/= binary ->
     throw({error, {options, {mode,Value}}});
@@ -1151,18 +1212,18 @@ handle_cipher_option(Value, Version)  when is_list(Value) ->
 binary_cipher_suites(Version, []) -> 
     %% Defaults to all supported suites that does
     %% not require explicit configuration
-    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
+    ssl_cipher:filter_suites(ssl_cipher:suites(tls_version(Version)));
 binary_cipher_suites(Version, [Tuple|_] = Ciphers0) when is_tuple(Tuple) ->
     Ciphers = [ssl_cipher:suite(C) || C <- Ciphers0],
     binary_cipher_suites(Version, Ciphers);
 
 binary_cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    All = ssl_cipher:all_suites(Version),
+    All = ssl_cipher:all_suites(tls_version(Version)),
     case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, All)] of
 	[] ->
 	    %% Defaults to all supported suites that does
 	    %% not require explicit configuration
-	    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
+	    ssl_cipher:filter_suites(ssl_cipher:suites(tls_version(Version)));
 	Ciphers ->
 	    Ciphers
     end;
@@ -1175,7 +1236,8 @@ binary_cipher_suites(Version, Ciphers0)  ->
     Ciphers = [ssl_cipher:openssl_suite(C) || C <- string:tokens(Ciphers0, ":")],
     binary_cipher_suites(Version, Ciphers).
 
-handle_eccs_option(Value, {_Major, Minor}) when is_list(Value) ->
+handle_eccs_option(Value, Version) when is_list(Value) ->
+    {_Major, Minor} = tls_version(Version),
     try tls_v1:ecc_curves(Minor, Value) of
         Curves -> #elliptic_curves{elliptic_curve_list = Curves}
     catch
@@ -1348,7 +1410,10 @@ new_ssl_options([{signature_algs, Value} | Rest], #ssl_options{} = Opts, RecordC
 					 handle_hashsigns_option(Value, 
 								 tls_version(RecordCB:highest_protocol_version()))}, 
 		    RecordCB);
-
+new_ssl_options([{protocol, dtls = Value} | Rest], #ssl_options{} = Opts, dtls_record = RecordCB) -> 
+    new_ssl_options(Rest, Opts#ssl_options{protocol = Value}, RecordCB);
+new_ssl_options([{protocol, tls = Value} | Rest], #ssl_options{} = Opts, tls_record = RecordCB) -> 
+    new_ssl_options(Rest, Opts#ssl_options{protocol = Value}, RecordCB);
 new_ssl_options([{Key, Value} | _Rest], #ssl_options{}, _) -> 
     throw({error, {options, {Key, Value}}}).
 
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 32fec03b8e..8e6860e9dc 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -40,7 +40,8 @@
 	 ec_keyed_suites/0, anonymous_suites/1, psk_suites/1, srp_suites/0,
 	 rc4_suites/1, des_suites/1, openssl_suite/1, openssl_suite_name/1, filter/2, filter_suites/1,
 	 hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2, is_fallback/1,
-	 random_bytes/1, calc_aad/3, calc_mac_hash/4]).
+	 random_bytes/1, calc_aad/3, calc_mac_hash/4,
+         is_stream_ciphersuite/1]).
 
 -export_type([cipher_suite/0,
 	      erl_cipher_suite/0, openssl_cipher_suite/0,
@@ -310,18 +311,21 @@ aead_decipher(Type, #cipher_state{key = Key, iv = IV} = CipherState,
 %%--------------------------------------------------------------------
 suites({3, 0}) ->
     ssl_v3:suites();
-suites({3, N}) ->
-    tls_v1:suites(N);
-suites(Version) ->
-    suites(dtls_v1:corresponding_tls_version(Version)).
+suites({3, Minor}) ->
+    tls_v1:suites(Minor);
+suites({_, Minor}) ->
+    dtls_v1:suites(Minor).
 
-all_suites(Version) ->
+all_suites({3, _} = Version) ->
     suites(Version)
 	++ anonymous_suites(Version)
 	++ psk_suites(Version)
 	++ srp_suites()
         ++ rc4_suites(Version)
-        ++ des_suites(Version).
+        ++ des_suites(Version);
+all_suites(Version) ->
+    dtls_v1:all_suites(Version).
+
 %%--------------------------------------------------------------------
 -spec anonymous_suites(ssl_record:ssl_version() | integer()) -> [cipher_suite()].
 %%
@@ -1541,6 +1545,10 @@ calc_mac_hash(Type, Version,
 	     MacSecret, SeqNo, Type,
 	     Length, PlainFragment).
 
+is_stream_ciphersuite({_, rc4_128, _, _}) ->
+    true;
+is_stream_ciphersuite(_) ->
+    false.
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 4fbac4cad3..5244db31af 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -148,19 +148,19 @@ socket_control(Connection, Socket, Pid, Transport) ->
 %%--------------------------------------------------------------------	    
 socket_control(Connection, Socket, Pid, Transport, udp_listner) ->
     %% dtls listner process must have the socket control
-    {ok, dtls_socket:socket(Pid, Transport, Socket, Connection)};
+    {ok, Connection:socket(Pid, Transport, Socket, Connection, undefined)};
 
 socket_control(tls_connection = Connection, Socket, Pid, Transport, ListenTracker) ->
     case Transport:controlling_process(Socket, Pid) of
 	ok ->
-	    {ok, tls_socket:socket(Pid, Transport, Socket, Connection, ListenTracker)};
+	    {ok, Connection:socket(Pid, Transport, Socket, Connection, ListenTracker)};
 	{error, Reason}	->
 	    {error, Reason}
     end;
 socket_control(dtls_connection = Connection, {_, Socket}, Pid, Transport, ListenTracker) ->
     case Transport:controlling_process(Socket, Pid) of
 	ok ->
-	    {ok, tls_socket:socket(Pid, Transport, Socket, Connection, ListenTracker)};
+	    {ok, Connection:socket(Pid, Transport, Socket, Connection, ListenTracker)};
 	{error, Reason}	->
 	    {error, Reason}
     end.
@@ -363,11 +363,13 @@ init({call, From}, {start, Timeout}, State0, Connection) ->
 							  timer = Timer}),
     Connection:next_event(hello, Record, State);
 init({call, From}, {start, {Opts, EmOpts}, Timeout}, 
-     #state{role = Role} = State0, Connection) ->
+     #state{role = Role, ssl_options = OrigSSLOptions,
+            socket_options = SockOpts} = State0, Connection) ->
     try 
-	State = ssl_config(Opts, Role, State0),
+        SslOpts = ssl:handle_options(Opts, OrigSSLOptions),
+	State = ssl_config(SslOpts, Role, State0),
 	init({call, From}, {start, Timeout}, 
-	     State#state{ssl_options = Opts, socket_options = EmOpts}, Connection)
+	     State#state{ssl_options = SslOpts, socket_options = new_emulated(EmOpts, SockOpts)}, Connection)
     catch throw:Error ->
 	    {stop_and_reply, normal, {reply, From, {error, Error}}}
     end;
@@ -432,11 +434,11 @@ abbreviated(internal, #finished{verify_data = Data} = Finished,
         verified ->
 	    ConnectionStates1 =
 		ssl_record:set_server_verify_data(current_read, Data, ConnectionStates0),
-	    State1 =
+	    {State1, Actions} =
 		finalize_handshake(State0#state{connection_states = ConnectionStates1},
 				   abbreviated, Connection),
 	    {Record, State} = prepare_connection(State1#state{expecting_finished = false}, Connection),
-	    Connection:next_event(connection, Record, State);
+	    Connection:next_event(connection, Record, State, Actions);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, abbreviated, State0)
     end;
@@ -856,6 +858,7 @@ handle_common_event(internal, #change_cipher_spec{type = <<1>>}, StateName,
 				StateName, State);
 handle_common_event(_Type, Msg, StateName, #state{negotiated_version = Version} = State, 
 		    _) ->
+    ct:pal("Unexpected msg ~p", [Msg]),
     Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE),
     handle_own_alert(Alert, Version, {StateName, Msg}, State).
 
@@ -1236,13 +1239,13 @@ new_server_hello(#server_hello{cipher_suite = CipherSuite,
 		       negotiated_version = Version} = State0, Connection) ->
     try server_certify_and_key_exchange(State0, Connection) of
         #state{} = State1 ->
-            State2 = server_hello_done(State1, Connection),
+            {State2, Actions} = server_hello_done(State1, Connection),
 	    Session =
 		Session0#session{session_id = SessionId,
 				 cipher_suite = CipherSuite,
 				 compression_method = Compression},
 	    {Record, State} = Connection:next_record(State2#state{session = Session}),
-	    Connection:next_event(certify, Record, State)
+	    Connection:next_event(certify, Record, State, Actions)
     catch
         #alert{} = Alert ->
 	    handle_own_alert(Alert, Version, hello, State0)
@@ -1257,10 +1260,10 @@ resumed_server_hello(#state{session = Session,
 	{_, ConnectionStates1} ->
 	    State1 = State0#state{connection_states = ConnectionStates1,
 				  session = Session},
-	    State2 =
+	    {State2, Actions} =
 		finalize_handshake(State1, abbreviated, Connection),
 	    {Record, State} = Connection:next_record(State2),
-	    Connection:next_event(abbreviated, Record, State);
+	    Connection:next_event(abbreviated, Record, State, Actions);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, hello, State0)
     end.
@@ -1343,12 +1346,12 @@ client_certify_and_key_exchange(#state{negotiated_version = Version} =
 				State0, Connection) ->
     try do_client_certify_and_key_exchange(State0, Connection) of
         State1 = #state{} ->
-	    State2 = finalize_handshake(State1, certify, Connection),
+	    {State2, Actions} = finalize_handshake(State1, certify, Connection),
             State3 = State2#state{
 		       %% Reinitialize
 		       client_certificate_requested = false},
 	    {Record, State} = Connection:next_record(State3),
-	    Connection:next_event(cipher, Record, State)
+	    Connection:next_event(cipher, Record, State, Actions)
     catch
         throw:#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, certify, State0)
@@ -1870,11 +1873,11 @@ cipher_role(server, Data, Session,  #state{connection_states = ConnectionStates0
 	    Connection) ->
     ConnectionStates1 = ssl_record:set_client_verify_data(current_read, Data, 
 							  ConnectionStates0),
-    State1 =
+    {State1, Actions} =
 	finalize_handshake(State0#state{connection_states = ConnectionStates1,
 					session = Session}, cipher, Connection),
     {Record, State} = prepare_connection(State1, Connection),
-    Connection:next_event(connection, Record, State).
+    Connection:next_event(connection, Record, State, Actions).
 
 is_anonymous(Algo) when Algo == dh_anon;
 			Algo == ecdh_anon;
@@ -2305,7 +2308,7 @@ format_reply(_, _,#socket_options{active = false, mode = Mode, packet = Packet,
     {ok, do_format_reply(Mode, Packet, Header, Data)};
 format_reply(Transport, Socket, #socket_options{active = _, mode = Mode, packet = Packet,
 						header = Header}, Data, Tracker, Connection) ->
-    {ssl, tls_socket:socket(self(), Transport, Socket, Connection, Tracker), 
+    {ssl, Connection:socket(self(), Transport, Socket, Connection, Tracker), 
      do_format_reply(Mode, Packet, Header, Data)}.
 
 deliver_packet_error(Transport, Socket, SO= #socket_options{active = Active}, Data, Pid, From, Tracker, Connection) ->
@@ -2314,7 +2317,7 @@ deliver_packet_error(Transport, Socket, SO= #socket_options{active = Active}, Da
 format_packet_error(_, _,#socket_options{active = false, mode = Mode}, Data, _, _) ->
     {error, {invalid_packet, do_format_reply(Mode, raw, 0, Data)}};
 format_packet_error(Transport, Socket, #socket_options{active = _, mode = Mode}, Data, Tracker, Connection) ->
-    {ssl_error, tls_socket:socket(self(), Transport, Socket, Connection, Tracker), 
+    {ssl_error, Connection:socket(self(), Transport, Socket, Connection, Tracker), 
      {invalid_packet, do_format_reply(Mode, raw, 0, Data)}}.
 
 do_format_reply(binary, _, N, Data) when N > 0 ->  % Header mode
@@ -2369,11 +2372,11 @@ alert_user(Transport, Tracker, Socket, Active, Pid, From, Alert, Role, Connectio
     case ssl_alert:reason_code(Alert, Role) of
 	closed ->
 	    send_or_reply(Active, Pid, From,
-			  {ssl_closed, tls_socket:socket(self(), 
+			  {ssl_closed, Connection:socket(self(), 
 							 Transport, Socket, Connection, Tracker)});
 	ReasonCode ->
 	    send_or_reply(Active, Pid, From,
-			  {ssl_error, tls_socket:socket(self(), 
+			  {ssl_error, Connection:socket(self(), 
 							Transport, Socket, Connection, Tracker), ReasonCode})
     end.
 
@@ -2472,3 +2475,8 @@ update_ssl_options_from_sni(OrigSSLOptions, SNIHostname) ->
         _ ->
             ssl:handle_options(SSLOption, OrigSSLOptions)
     end.
+
+new_emulated([], EmOpts) ->
+    EmOpts;
+new_emulated(NewEmOpts, _) ->
+    NewEmOpts.
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index c34af9f82c..c10ec3a2d6 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -76,7 +76,7 @@
 -define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
 -define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
--define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+-define(MIN_DATAGRAM_SUPPORTED_VERSIONS, [dtlsv1]).
 
 -define('24H_in_msec', 86400000).
 -define('24H_in_sec', 86400).
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 77606911be..c6e530e164 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -48,7 +48,7 @@
 -export([encode_data/3, encode_alert/3]).
 
 %% State transition handling	 
--export([next_record/1, next_event/3]).
+-export([next_record/1, next_event/3, next_event/4]).
 
 %% Handshake handling
 -export([renegotiate/2, send_handshake/2, 
@@ -59,7 +59,8 @@
 -export([send_alert/2, close/5]).
 
 %% Data handling
--export([passive_receive/2, next_record_if_active/1, handle_common_event/4, send/3]).
+-export([passive_receive/2, next_record_if_active/1, handle_common_event/4, send/3,
+        socket/5]).
 
 %% gen_statem state functions
 -export([init/3, error/3, downgrade/3, %% Initiation and take down states
@@ -117,7 +118,7 @@ send_handshake_flight(#state{socket = Socket,
 			     transport_cb = Transport,
 			     flight_buffer = Flight} = State0) ->
     send(Transport, Socket, Flight),
-    State0#state{flight_buffer = []}.
+    {State0#state{flight_buffer = []}, []}.
 
 queue_change_cipher(Msg, #state{negotiated_version = Version,
 				  flight_buffer = Flight0,
@@ -191,6 +192,10 @@ init([Role, Host, Port, Socket, Options,  User, CbInfo]) ->
 callback_mode() ->
     state_functions.
 
+socket(Pid,  Transport, Socket, Connection, Tracker) ->
+    tls_socket:socket(Pid, Transport, Socket, Connection, Tracker).
+
+
 %%--------------------------------------------------------------------
 %% State functions
 %%--------------------------------------------------------------------
@@ -340,12 +345,12 @@ connection(internal, #hello_request{},
 		  renegotiation = {Renegotiation, _}} = State0) ->
     Hello = tls_handshake:client_hello(Host, Port, ConnectionStates0, SslOpts,
 				       Cache, CacheCb, Renegotiation, Cert),
-    State1 = send_handshake(Hello, State0),
+    {State1, Actions} = send_handshake(Hello, State0),
     {Record, State} =
 	next_record(
 	  State1#state{session = Session0#session{session_id
 						  = Hello#client_hello.session_id}}),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 connection(internal, #client_hello{} = Hello, 
 	   #state{role = server, allow_renegotiate = true} = State0) ->
     %% Mitigate Computational DoS attack
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index f0a3c42e8d..bff6d254f1 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -53,7 +53,8 @@ all() ->
      {group, options_tls},
      {group, session},
      {group, 'dtlsv1.2'},
-     %%{group, 'dtlsv1'},
+     %%     {group, 'dtlsv1'}, Breaks dtls in cert_verify_SUITE enable later when 
+     %% problem is identified and fixed
      {group, 'tlsv1.2'},
      {group, 'tlsv1.1'},
      {group, 'tlsv1'},
@@ -65,15 +66,15 @@ groups() ->
      {basic_tls, [], basic_tests_tls()},
      {options, [], options_tests()},
      {options_tls, [], options_tests_tls()},
-     %%{'dtlsv1.2', [], all_versions_groups()},
-     {'dtlsv1.2', [], [connection_information]},
-     %%{'dtlsv1', [], all_versions_groups()},
+     {'dtlsv1.2', [], all_versions_groups()},
+     {'dtlsv1', [], all_versions_groups()},
      {'tlsv1.2', [], all_versions_groups() ++ tls_versions_groups() ++ [conf_signature_algs, no_common_signature_algs]},
      {'tlsv1.1', [], all_versions_groups() ++ tls_versions_groups()},
      {'tlsv1', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests()},
      {'sslv3', [], all_versions_groups() ++ tls_versions_groups() ++ rizzo_tests() ++ [tls_ciphersuite_vs_version]},
      {api,[], api_tests()},
      {api_tls,[], api_tests_tls()},
+     {tls_ciphers,[], tls_cipher_tests()},
      {session, [], session_tests()},
      {renegotiate, [], renegotiate_tests()},
      {ciphers, [], cipher_tests()},
@@ -83,12 +84,13 @@ groups() ->
     ].
 
 tls_versions_groups ()->
-    [{group, api_tls},
+    [{group, renegotiate}, %% Should be in all_versions_groups not fixed for DTLS yet
+     {group, api_tls},
+     {group, tls_ciphers},
      {group, error_handling_tests_tls}].
 
 all_versions_groups ()->
     [{group, api},
-     {group, renegotiate},
      {group, ciphers},
      {group, ciphers_ec},
      {group, error_handling_tests}].
@@ -147,10 +149,8 @@ options_tests_tls() ->
 api_tests() ->
     [connection_info,
      connection_information,
-     peername,
      peercert,
      peercert_with_client_cert,
-     sockname,
      versions,
      eccs,
      controlling_process,
@@ -162,7 +162,6 @@ api_tests() ->
      ssl_recv_timeout,
      server_name_indication_option,
      accept_pool,
-     new_options_in_accept,
      prf
     ].
 
@@ -175,7 +174,10 @@ api_tests_tls() ->
      tls_shutdown,
      tls_shutdown_write,
      tls_shutdown_both,
-     tls_shutdown_error
+     tls_shutdown_error,
+     peername,
+     sockname,
+     new_options_in_accept
     ].
 
 session_tests() ->
@@ -197,6 +199,11 @@ renegotiate_tests() ->
      renegotiate_dos_mitigate_passive,
      renegotiate_dos_mitigate_absolute].
 
+tls_cipher_tests() ->
+    [rc4_rsa_cipher_suites,
+     rc4_ecdh_rsa_cipher_suites,
+     rc4_ecdsa_cipher_suites].
+
 cipher_tests() ->
     [cipher_suites,
      cipher_suites_mix,
@@ -212,9 +219,6 @@ cipher_tests() ->
      srp_cipher_suites,
      srp_anon_cipher_suites,
      srp_dsa_cipher_suites,
-     rc4_rsa_cipher_suites,
-     rc4_ecdh_rsa_cipher_suites,
-     rc4_ecdsa_cipher_suites,
      des_rsa_cipher_suites,
      des_ecdh_rsa_cipher_suites,
      default_reject_anonymous].
@@ -226,15 +230,15 @@ cipher_tests_ec() ->
      ciphers_ecdh_rsa_signed_certs_openssl_names].
 
 error_handling_tests()->
-    [controller_dies,
-     close_transport_accept,
+    [close_transport_accept,
      recv_active,
      recv_active_once,
      recv_error_handling
     ].
 
 error_handling_tests_tls()->
-    [tls_client_closes_socket,
+    [controller_dies,
+     tls_client_closes_socket,
      tls_tcp_error_propagation_in_active_mode,
      tls_tcp_connect,
      tls_tcp_connect_big,
@@ -843,8 +847,7 @@ controller_dies(Config) when is_list(Config) ->
     Server ! listen, 
     Tester = self(),
     Connect = fun(Pid) ->
-		      {ok, Socket} = ssl:connect(Hostname, Port, 
-						  [{reuseaddr,true},{ssl_imp,new}]),
+		      {ok, Socket} = ssl:connect(Hostname, Port, ClientOpts),
 		      %% Make sure server finishes and verification
 		      %% and is in coonection state before
 		      %% killing client
@@ -2194,8 +2197,9 @@ ciphers_dsa_signed_certs() ->
     [{doc,"Test all dsa ssl cipher suites in highest support ssl/tls version"}].
        
 ciphers_dsa_signed_certs(Config) when is_list(Config) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:dsa_suites(tls_record:protocol_version(Version)),
+    Ciphers = ssl_test_lib:dsa_suites(NVersion),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, dsa).
 %%-------------------------------------------------------------------
@@ -2218,29 +2222,33 @@ anonymous_cipher_suites(Config) when is_list(Config) ->
 psk_cipher_suites() ->
     [{doc, "Test the PSK ciphersuites WITHOUT server supplied identity hint"}].
 psk_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_suites(),
+    Ciphers = ssl_test_lib:psk_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk).
 %%-------------------------------------------------------------------
 psk_with_hint_cipher_suites()->
     [{doc, "Test the PSK ciphersuites WITH server supplied identity hint"}].
 psk_with_hint_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_suites(),
+    Ciphers = ssl_test_lib:psk_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk_with_hint).
 %%-------------------------------------------------------------------
 psk_anon_cipher_suites() ->
     [{doc, "Test the anonymous PSK ciphersuites WITHOUT server supplied identity hint"}].
 psk_anon_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_anon_suites(),
+    Ciphers = ssl_test_lib:psk_anon_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk_anon).
 %%-------------------------------------------------------------------
 psk_anon_with_hint_cipher_suites()->
     [{doc, "Test the anonymous PSK ciphersuites WITH server supplied identity hint"}].
 psk_anon_with_hint_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:psk_anon_suites(),
+    Ciphers = ssl_test_lib:psk_anon_suites(NVersion),
     run_suites(Ciphers, Version, Config, psk_anon_with_hint).
 %%-------------------------------------------------------------------
 srp_cipher_suites()->
@@ -2291,18 +2299,17 @@ rc4_ecdsa_cipher_suites(Config) when is_list(Config) ->
 
 %%-------------------------------------------------------------------
 des_rsa_cipher_suites()->
-    [{doc, "Test the RC4 ciphersuites"}].
+    [{doc, "Test the des_rsa ciphersuites"}].
 des_rsa_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
-    Ciphers = ssl_test_lib:des_suites(NVersion),
+    Version = ssl_test_lib:protocol_version(Config),
+    Ciphers = ssl_test_lib:des_suites(Config),
     run_suites(Ciphers, Version, Config, des_rsa).
 %-------------------------------------------------------------------
 des_ecdh_rsa_cipher_suites()->
-    [{doc, "Test the RC4 ciphersuites"}].
+    [{doc, "Test ECDH rsa signed ciphersuites"}].
 des_ecdh_rsa_cipher_suites(Config) when is_list(Config) ->
-    NVersion = tls_record:highest_protocol_version([]),
-    Version = tls_record:protocol_version(NVersion),
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
+    Version = ssl_test_lib:protocol_version(Config),
     Ciphers = ssl_test_lib:des_suites(NVersion),
     run_suites(Ciphers, Version, Config, des_dhe_rsa).
 
@@ -2313,9 +2320,11 @@ default_reject_anonymous(Config) when is_list(Config) ->
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
     ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
-    Version = tls_record:highest_protocol_version(tls_record:supported_protocol_versions()),
-    [CipherSuite | _] = ssl_test_lib:anonymous_suites(Version),
-
+    Version = ssl_test_lib:protocol_version(Config),
+    TLSVersion = ssl_test_lib:tls_version(Version),
+    
+   [CipherSuite | _] = ssl_test_lib:anonymous_suites(TLSVersion),
+    
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
 					      {from, self()},
 					      {options, ServerOpts}]),
@@ -2335,8 +2344,9 @@ ciphers_ecdsa_signed_certs() ->
     [{doc, "Test all ecdsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdsa_signed_certs(Config) when is_list(Config) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:ecdsa_suites(tls_record:protocol_version(Version)),
+    Ciphers = ssl_test_lib:ecdsa_suites(NVersion),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, ecdsa).
 %%--------------------------------------------------------------------
@@ -2353,8 +2363,9 @@ ciphers_ecdh_rsa_signed_certs() ->
     [{doc, "Test all ecdh_rsa ssl cipher suites in highest support ssl/tls version"}].
 
 ciphers_ecdh_rsa_signed_certs(Config) when is_list(Config) ->
+    NVersion = ssl_test_lib:protocol_version(Config, tuple),
     Version = ssl_test_lib:protocol_version(Config),
-    Ciphers = ssl_test_lib:ecdh_rsa_suites(tls_record:protocol_version(Version)),
+    Ciphers = ssl_test_lib:ecdh_rsa_suites(NVersion),
     ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]),
     run_suites(Ciphers, Version, Config, ecdh_rsa).
 %%--------------------------------------------------------------------
@@ -3326,11 +3337,11 @@ hibernate(Config) ->
         process_info(Pid, current_function),
 
     ssl_test_lib:check_result(Server, ok, Client, ok),
-    timer:sleep(1100),
-
+    
+    timer:sleep(1500),
     {current_function, {erlang, hibernate, 3}} =
 	process_info(Pid, current_function),
-
+    
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
 
@@ -3363,13 +3374,12 @@ hibernate_right_away(Config) ->
                     [{port, Port1}, {options, [{hibernate_after, 0}|ClientOpts]}]),
 
     ssl_test_lib:check_result(Server1, ok, Client1, ok),
-
-    {current_function, {erlang, hibernate, 3}} =
+  
+     {current_function, {erlang, hibernate, 3}} =
 	process_info(Pid1, current_function),
-
     ssl_test_lib:close(Server1),
     ssl_test_lib:close(Client1),
-
+    
     Server2 = ssl_test_lib:start_server(StartServerOpts),
     Port2 = ssl_test_lib:inet_port(Server2),
     {Client2, #sslsocket{pid = Pid2}} = ssl_test_lib:start_client(StartClientOpts ++
@@ -3377,8 +3387,8 @@ hibernate_right_away(Config) ->
 
     ssl_test_lib:check_result(Server2, ok, Client2, ok),
 
-    ct:sleep(100), %% Schedule out
-
+    ct:sleep(1000), %% Schedule out
+    
     {current_function, {erlang, hibernate, 3}} =
 	process_info(Pid2, current_function),
 
@@ -4507,16 +4517,21 @@ run_suites(Ciphers, Version, Config, Type) ->
 		 [{reuseaddr, true}, {ciphers, ssl_test_lib:anonymous_suites(Version)}]};
 	    psk ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk, Config)};
+                 [{ciphers, ssl_test_lib:psk_suites(Version)} | 
+                  ssl_test_lib:ssl_options(server_psk, Config)]};
 	    psk_with_hint ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk_hint, Config)};
+		 [{ciphers, ssl_test_lib:psk_suites(Version)} |
+                  ssl_test_lib:ssl_options(server_psk_hint, Config)
+                 ]};
 	    psk_anon ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk_anon, Config)};
+                 [{ciphers, ssl_test_lib:psk_anon_suites(Version)} |
+                  ssl_test_lib:ssl_options(server_psk_anon, Config)]};
 	    psk_anon_with_hint ->
 		{ssl_test_lib:ssl_options(client_psk, Config),
-		 ssl_test_lib:ssl_options(server_psk_anon_hint, Config)};
+                 [{ciphers, ssl_test_lib:psk_anon_suites(Version)} |
+		 ssl_test_lib:ssl_options(server_psk_anon_hint, Config)]};
 	    srp ->
 		{ssl_test_lib:ssl_options(client_srp, Config),
 		 ssl_test_lib:ssl_options(server_srp, Config)};
@@ -4556,7 +4571,7 @@ run_suites(Ciphers, Version, Config, Type) ->
 
     Result =  lists:map(fun(Cipher) ->
 				cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
-			ssl_test_lib:filter_suites(Ciphers)),
+			ssl_test_lib:filter_suites(Ciphers, Version)),
     case lists:flatten(Result) of
 	[] ->
 	    ok;
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index 5265c87e29..4552a4f57d 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -39,17 +39,26 @@
 %% Common Test interface functions -----------------------------------
 %%--------------------------------------------------------------------
 all() ->
-    [{group, active},
-     {group, passive},
-     {group, active_once},
-     {group, error_handling}].
-
+    [
+     {group, tls},
+     {group, dtls}
+    ].
 
 groups() ->
-    [{active, [], tests()},
+    [
+     {tls, [], all_protocol_groups()},
+     {dtls, [], all_protocol_groups()},
+     {active, [], tests()},
      {active_once, [], tests()},
      {passive, [], tests()},
-     {error_handling, [],error_handling_tests()}].
+     {error_handling, [],error_handling_tests()}
+    ].
+
+all_protocol_groups() ->
+    [{group, active},
+     {group, passive},
+     {group, active_once},
+     {group, error_handling}].
 
 tests() ->
     [verify_peer,
@@ -85,7 +94,7 @@ init_per_suite(Config0) ->
     catch crypto:stop(),
     try crypto:start() of
 	ok ->
-	    ssl_test_lib:clean_start(),
+            ssl_test_lib:clean_start(),
 	    %% make rsa certs using oppenssl
 	    {ok, _} = make_certs:all(proplists:get_value(data_dir, Config0),
 				     proplists:get_value(priv_dir, Config0)),
@@ -99,6 +108,26 @@ end_per_suite(_Config) ->
     ssl:stop(),
     application:stop(crypto).
 
+init_per_group(tls, Config) ->
+    Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
+    ssl:stop(),
+    application:load(ssl),
+    application:set_env(ssl, protocol_version, Version),
+    application:set_env(ssl, bypass_pem_cache, Version),
+    ssl:start(),
+    NewConfig = proplists:delete(protocol, Config),
+    [{protocol, tls}, {version, tls_record:protocol_version(Version)} | NewConfig];
+
+init_per_group(dtls, Config) ->
+    Version = dtls_record:protocol_version(dtls_record:highest_protocol_version([])),
+    ssl:stop(),
+    application:load(ssl),
+    application:set_env(ssl, protocol_version, Version),
+    application:set_env(ssl, bypass_pem_cache, Version),
+    ssl:start(),
+    NewConfig = proplists:delete(protocol_opts, proplists:delete(protocol, Config)),
+    [{protocol, dtls}, {protocol_opts, [{protocol, dtls}]}, {version, dtls_record:protocol_version(Version)} | NewConfig];
+
 init_per_group(active, Config) ->
     [{active, true}, {receive_function, send_recv_result_active}  | Config];
 init_per_group(active_once, Config) ->
@@ -262,7 +291,7 @@ server_require_peer_cert_fail() ->
 server_require_peer_cert_fail(Config) when is_list(Config) ->
     ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
 		  | ssl_test_lib:ssl_options(server_verification_opts, Config)],
-    BadClientOpts = ssl_test_lib:ssl_options(client_opts, []),
+    BadClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
 
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
@@ -411,7 +440,7 @@ server_require_peer_cert_partial_chain_fun_fail() ->
 server_require_peer_cert_partial_chain_fun_fail(Config) when is_list(Config) ->
     ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
 		  | ssl_test_lib:ssl_options(server_verification_opts, Config)],
-    ClientOpts = proplists:get_value(client_opts, Config),
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
 
     {ok, ServerCAs} = file:read_file(proplists:get_value(cacertfile, ServerOpts)),
@@ -1091,6 +1120,7 @@ client_with_cert_cipher_suites_handshake() ->
 client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
     ClientOpts =  ssl_test_lib:ssl_options(client_verification_opts_digital_signature_only, Config),
     ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config),
+
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 					{from, self()},
@@ -1098,7 +1128,7 @@ client_with_cert_cipher_suites_handshake(Config) when is_list(Config) ->
 					       send_recv_result_active, []}},
 					{options, [{active, true},
 						   {ciphers, 
-						    ssl_test_lib:rsa_non_signed_suites(tls_record:highest_protocol_version([]))}
+						    ssl_test_lib:rsa_non_signed_suites(proplists:get_value(version, Config))}
 						   | ServerOpts]}]),
     Port  = ssl_test_lib:inet_port(Server),
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
@@ -1132,7 +1162,7 @@ server_verify_no_cacerts(Config) when is_list(Config) ->
 unknown_server_ca_fail() ->
     [{doc,"Test that the client fails if the ca is unknown in verify_peer mode"}].
 unknown_server_ca_fail(Config) when is_list(Config) ->
-    ClientOpts = ssl_test_lib:ssl_options(client_opts, []),
+    ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config),
     ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
@@ -1176,7 +1206,7 @@ unknown_server_ca_fail(Config) when is_list(Config) ->
 unknown_server_ca_accept_verify_none() ->
     [{doc,"Test that the client succeds if the ca is unknown in verify_none mode"}].
 unknown_server_ca_accept_verify_none(Config) when is_list(Config) ->
-    ClientOpts = ssl_test_lib:ssl_options(client_opts, []),
+    ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config),
     ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
@@ -1201,8 +1231,8 @@ unknown_server_ca_accept_verify_peer() ->
     [{doc, "Test that the client succeds if the ca is unknown in verify_peer mode"
      " with a verify_fun that accepts the unknown ca error"}].
 unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
-    ClientOpts =ssl_test_lib:ssl_options(client_opts, []),
-    ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config),
+    ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
 					{from, self()},
@@ -1240,7 +1270,7 @@ unknown_server_ca_accept_verify_peer(Config) when is_list(Config) ->
 unknown_server_ca_accept_backwardscompatibility() ->
     [{doc,"Test that old style verify_funs will work"}].
 unknown_server_ca_accept_backwardscompatibility(Config) when is_list(Config) ->
-    ClientOpts = ssl_test_lib:ssl_options(client_opts, []),
+    ClientOpts = ssl_test_lib:ssl_options(empty_client_opts, Config),
     ServerOpts =  ssl_test_lib:ssl_options(server_verification_opts, Config),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
     Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 49d2b5c1b8..7a644968f2 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -401,27 +401,22 @@ cert_options(Config) ->
 				{ssl_imp, new}]},
      {server_opts, [{ssl_imp, new},{reuseaddr, true}, {cacertfile, ServerCaCertFile}, 
 		    {certfile, ServerCertFile}, {keyfile, ServerKeyFile}]},
-     %%{server_anon, [{ssl_imp, new},{reuseaddr, true}, {ciphers, anonymous_suites()}]},
-     {client_psk, [{ssl_imp, new},{reuseaddr, true},
+     {client_psk, [{ssl_imp, new},
 		   {psk_identity, "Test-User"},
 		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk, [{ssl_imp, new},{reuseaddr, true},
 		   {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
-		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-		   {ciphers, psk_suites()}]},
+		   {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk_hint, [{ssl_imp, new},{reuseaddr, true},
 			{certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 			{psk_identity, "HINT"},
-			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-			{ciphers, psk_suites()}]},
+			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk_anon, [{ssl_imp, new},{reuseaddr, true},
-			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-			{ciphers, psk_anon_suites()}]},
+			{user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
      {server_psk_anon_hint, [{ssl_imp, new},{reuseaddr, true},
 			     {psk_identity, "HINT"},
-			     {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}},
-			     {ciphers, psk_anon_suites()}]},
-     {client_srp, [{ssl_imp, new},{reuseaddr, true},
+			     {user_lookup_fun, {fun user_lookup/3, PskSharedSecret}}]},
+     {client_srp, [{ssl_imp, new},
 		   {srp_identity, {"Test-User", "secret"}}]},
      {server_srp, [{ssl_imp, new},{reuseaddr, true},
 		   {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
@@ -476,7 +471,7 @@ make_dsa_cert(Config) ->
 			       {cacertfile, ClientCaCertFile},
 			       {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 			       {verify, verify_peer}]},
-     {client_dsa_opts, [{ssl_imp, new},{reuseaddr, true}, 
+     {client_dsa_opts, [{ssl_imp, new},
 			{cacertfile, ClientCaCertFile},
 			{certfile, ClientCertFile}, {keyfile, ClientKeyFile}]},
      {server_srp_dsa, [{ssl_imp, new},{reuseaddr, true}, 
@@ -484,7 +479,7 @@ make_dsa_cert(Config) ->
 		       {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 		       {user_lookup_fun, {fun user_lookup/3, undefined}},
 		       {ciphers, srp_dss_suites()}]},
-     {client_srp_dsa, [{ssl_imp, new},{reuseaddr, true}, 
+     {client_srp_dsa, [{ssl_imp, new},
 		       {srp_identity, {"Test-User", "secret"}},
 		       {cacertfile, ClientCaCertFile},
 		       {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
@@ -505,7 +500,7 @@ make_ecdsa_cert(Config) ->
 					 {cacertfile, ClientCaCertFile},
 					 {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 					 {verify, verify_peer}]},
-	     {client_ecdsa_opts, [{ssl_imp, new},{reuseaddr, true},
+	     {client_ecdsa_opts, [{ssl_imp, new},
 				  {cacertfile, ClientCaCertFile},
 				  {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
 	     | Config];
@@ -540,7 +535,7 @@ make_ecdh_rsa_cert(Config) ->
 					    {cacertfile, ClientCaCertFile},
 					    {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 					    {verify, verify_peer}]},
-	     {client_ecdh_rsa_opts, [{ssl_imp, new},{reuseaddr, true},
+	     {client_ecdh_rsa_opts, [{ssl_imp, new},
 				     {cacertfile, ClientCaCertFile},
 				     {certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
 	     | Config];
@@ -560,7 +555,7 @@ make_mix_cert(Config) ->
 			       {cacertfile, ClientCaCertFile},
 			       {certfile, ServerCertFile}, {keyfile, ServerKeyFile},
 			       {verify, verify_peer}]},
-     {client_mix_opts, [{ssl_imp, new},{reuseaddr, true},
+     {client_mix_opts, [{ssl_imp, new},
 			{cacertfile, ClientCaCertFile},
 			{certfile, ClientCertFile}, {keyfile, ClientKeyFile}]}
      | Config].
@@ -830,17 +825,17 @@ rsa_suites(CounterPart) ->
 		    ({dhe_rsa, des_cbc, sha}) when FIPS == true ->
 			 false;
 		    ({rsa, Cipher, _}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({dhe_rsa, Cipher, _}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({ecdhe_rsa, Cipher, _}) when ECC == true ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({rsa, Cipher, _, _}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({dhe_rsa, Cipher, _,_}) ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    ({ecdhe_rsa, Cipher, _,_}) when ECC == true ->
-			 lists:member(Cipher, Ciphers);
+			 lists:member(cipher_atom(Cipher), Ciphers);
 		    (_) ->
 			 false
 		 end,
@@ -933,44 +928,12 @@ anonymous_suites(Version) ->
     Suites = ssl_cipher:anonymous_suites(Version),
     ssl_cipher:filter_suites(Suites).
 
-psk_suites() ->
-    Suites =
-	[{psk, rc4_128, sha},
-	 {psk, '3des_ede_cbc', sha},
-	 {psk, aes_128_cbc, sha},
-	 {psk, aes_256_cbc, sha},
-	 {psk, aes_128_cbc, sha256},
-	 {psk, aes_256_cbc, sha384},
-	 {dhe_psk, rc4_128, sha},
-	 {dhe_psk, '3des_ede_cbc', sha},
-	 {dhe_psk, aes_128_cbc, sha},
-	 {dhe_psk, aes_256_cbc, sha},
-	 {dhe_psk, aes_128_cbc, sha256},
-	 {dhe_psk, aes_256_cbc, sha384},
-	 {rsa_psk, rc4_128, sha},
-	 {rsa_psk, '3des_ede_cbc', sha},
-	 {rsa_psk, aes_128_cbc, sha},
-	 {rsa_psk, aes_256_cbc, sha},
-	 {rsa_psk, aes_128_cbc, sha256},
-	 {rsa_psk, aes_256_cbc, sha384},
-	 {psk, aes_128_gcm, null, sha256},
-	 {psk, aes_256_gcm, null, sha384},
-	 {dhe_psk, aes_128_gcm, null, sha256},
-	 {dhe_psk, aes_256_gcm, null, sha384},
-	 {rsa_psk, aes_128_gcm, null, sha256},
-	 {rsa_psk, aes_256_gcm, null, sha384}],
+psk_suites(Version) ->
+    Suites = ssl_cipher:psk_suites(Version),
     ssl_cipher:filter_suites(Suites).
 
-psk_anon_suites() ->
-    Suites =
-	[{psk, rc4_128, sha},
-	 {psk, '3des_ede_cbc', sha},
-	 {psk, aes_128_cbc, sha},
-	 {psk, aes_256_cbc, sha},
-	 {dhe_psk, rc4_128, sha},
-	 {dhe_psk, '3des_ede_cbc', sha},
-	 {dhe_psk, aes_128_cbc, sha},
-	 {dhe_psk, aes_256_cbc, sha}],
+psk_anon_suites(Version) ->
+    Suites = [Suite || Suite <- psk_suites(Version), is_psk_anon_suite(Suite)],
     ssl_cipher:filter_suites(Suites).
 
 srp_suites() ->
@@ -1092,14 +1055,16 @@ init_tls_version(Version, Config)
     application:load(ssl),
     application:set_env(ssl, dtls_protocol_version, Version),
     ssl:start(),
-    [{protocol, dtls}, {protocol_opts, [{protocol, dtls}]}|Config];
+    NewConfig = proplists:delete(protocol_opts, proplists:delete(protocol, Config)),
+    [{protocol, dtls}, {protocol_opts, [{protocol, dtls}]} | NewConfig];
 
 init_tls_version(Version, Config) ->
     ssl:stop(),
     application:load(ssl),
     application:set_env(ssl, protocol_version, Version),
     ssl:start(),
-    [{protocol, tls}|Config].
+    NewConfig = proplists:delete(protocol_opts, proplists:delete(protocol, Config)),
+    [{protocol, tls} | NewConfig].
 
 sufficient_crypto_support(Version)
   when Version == 'tlsv1.2'; Version == 'dtlsv1.2' ->
@@ -1234,19 +1199,37 @@ check_sane_openssl_version(Version) ->
 enough_openssl_crl_support("OpenSSL 0." ++ _) -> false;
 enough_openssl_crl_support(_) -> true.
 
-wait_for_openssl_server(Port) ->
-    wait_for_openssl_server(Port, 10).
-wait_for_openssl_server(_, 0) ->
+wait_for_openssl_server(Port, tls) ->
+    do_wait_for_openssl_tls_server(Port, 10);
+wait_for_openssl_server(Port, dtls) ->
+    do_wait_for_openssl_dtls_server(Port, 10).
+
+do_wait_for_openssl_tls_server(_, 0) ->
     exit(failed_to_connect_to_openssl);
-wait_for_openssl_server(Port, N) ->
+do_wait_for_openssl_tls_server(Port, N) ->
     case gen_tcp:connect("localhost", Port, []) of
 	{ok, S} ->
 	    gen_tcp:close(S);
 	_  ->
 	    ct:sleep(?SLEEP),
-	    wait_for_openssl_server(Port, N-1)
+	    do_wait_for_openssl_tls_server(Port, N-1)
     end.
 
+do_wait_for_openssl_dtls_server(_, 0) ->
+    %%exit(failed_to_connect_to_openssl);
+    ok;
+do_wait_for_openssl_dtls_server(Port, N) ->
+    %% case gen_udp:open(0) of
+    %%     {ok, S} ->
+    %%         gen_udp:connect(S, "localhost", Port),
+    %%         gen_udp:close(S);
+    %%     _  ->
+    %%         ct:sleep(?SLEEP),
+    %%         do_wait_for_openssl_dtls_server(Port, N-1)
+    %% end.
+    ct:sleep(500),
+    do_wait_for_openssl_dtls_server(Port, N-1).
+
 version_flag(tlsv1) ->
     "-tls1";
 version_flag('tlsv1.1') ->
@@ -1256,10 +1239,14 @@ version_flag('tlsv1.2') ->
 version_flag(sslv3) ->
     "-ssl3";
 version_flag(sslv2) ->
-    "-ssl2".
-
-filter_suites(Ciphers0) ->
-    Version = tls_record:highest_protocol_version([]),
+    "-ssl2";
+version_flag('dtlsv1.2') ->
+    "-dtls1_2";
+version_flag('dtlsv1') ->
+    "-dtls1".
+
+filter_suites(Ciphers0, AtomVersion) ->
+    Version = tls_version(AtomVersion),
     Supported0 = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites(Version)
 	++ ssl_cipher:psk_suites(Version)
@@ -1341,7 +1328,7 @@ protocol_version(Config) ->
 protocol_version(Config, tuple) ->
     case proplists:get_value(protocol, Config) of
 	dtls ->
-	    dtls_record:protocol_version(dtls_record:highest_protocol_version([]));
+	    dtls_record:highest_protocol_version(dtls_record:supported_protocol_versions());
 	_ ->
 	    tls_record:highest_protocol_version(tls_record:supported_protocol_versions())
    end;
@@ -1375,6 +1362,7 @@ clean_env() ->
     application:unset_env(ssl, session_cache_client_max),
     application:unset_env(ssl, session_cache_server_max),
     application:unset_env(ssl, ssl_pem_cache_clean),
+    application:unset_env(ssl, bypass_pem_cache),
     application:unset_env(ssl, alert_timeout).
 
 clean_start() ->
@@ -1382,3 +1370,105 @@ clean_start() ->
     application:load(ssl),
     clean_env(),
     ssl:start().
+
+is_psk_anon_suite({psk, _,_}) ->
+    true;
+is_psk_anon_suite({dhe_psk,_,_}) ->
+    true;
+is_psk_anon_suite({psk, _,_,_}) ->
+    true;
+is_psk_anon_suite({dhe_psk, _,_,_}) ->
+    true;
+is_psk_anon_suite(_) ->
+    false.
+
+cipher_atom(aes_256_cbc) ->
+    aes_cbc256;
+cipher_atom(aes_128_cbc) ->
+    aes_cbc128;
+cipher_atom('3des_ede_cbc') ->
+    des_ede3;
+cipher_atom(Atom) ->
+    Atom.
+tls_version('dtlsv1' = Atom) ->
+    dtls_v1:corresponding_tls_version(dtls_record:protocol_version(Atom));
+tls_version('dtlsv1.2' = Atom) ->
+    dtls_v1:corresponding_tls_version(dtls_record:protocol_version(Atom));
+tls_version(Atom) ->
+    tls_record:protocol_version(Atom).
+
+dtls_hello() ->
+    [1,
+     <<0,1,4>>,
+     <<0,0>>,
+     <<0,0,0>>,
+     <<0,1,4>>,
+     <<254,253,88,
+       156,129,61,
+       131,216,15,
+       131,194,242,
+       46,154,190,
+       20,228,234,
+       234,150,44,
+       62,96,96,103,
+       127,95,103,
+       23,24,42,138,
+       13,142,32,57,
+       230,177,32,
+       210,154,152,
+       188,121,134,
+       136,53,105,
+       118,96,106,
+       103,231,223,
+       133,10,165,
+       50,32,211,
+       227,193,14,
+       181,143,48,
+       66,0,0,100,0,
+       255,192,44,
+       192,48,192,
+       36,192,40,
+       192,46,192,
+       50,192,38,
+       192,42,0,159,
+       0,163,0,107,
+       0,106,0,157,
+       0,61,192,43,
+       192,47,192,
+       35,192,39,
+       192,45,192,
+       49,192,37,
+       192,41,0,158,
+       0,162,0,103,
+       0,64,0,156,0,
+       60,192,10,
+       192,20,0,57,
+       0,56,192,5,
+       192,15,0,53,
+       192,8,192,18,
+       0,22,0,19,
+       192,3,192,13,
+       0,10,192,9,
+       192,19,0,51,
+       0,50,192,4,
+       192,14,0,47,
+       1,0,0,86,0,0,
+       0,14,0,12,0,
+       0,9,108,111,
+       99,97,108,
+       104,111,115,
+       116,0,10,0,
+       58,0,56,0,14,
+       0,13,0,25,0,
+       28,0,11,0,12,
+       0,27,0,24,0,
+       9,0,10,0,26,
+       0,22,0,23,0,
+       8,0,6,0,7,0,
+       20,0,21,0,4,
+       0,5,0,18,0,
+       19,0,1,0,2,0,
+       3,0,15,0,16,
+       0,17,0,11,0,
+       2,1,0>>].
+
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index e99340822d..7a1dce70c2 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -42,7 +42,9 @@ all() ->
      {group, 'tlsv1.2'},
      {group, 'tlsv1.1'},
      {group, 'tlsv1'},
-     {group, 'sslv3'}
+     {group, 'sslv3'},
+     {group, 'dtlsv1.2'},
+     {group, 'dtlsv1'}
     ].
 
 groups() ->
@@ -50,7 +52,10 @@ groups() ->
      {'tlsv1.2', [], all_versions_tests() ++ alpn_tests() ++ npn_tests() ++ sni_server_tests()},
      {'tlsv1.1', [], all_versions_tests() ++ alpn_tests() ++ npn_tests() ++ sni_server_tests()},
      {'tlsv1', [], all_versions_tests()++ alpn_tests() ++ npn_tests() ++ sni_server_tests()},
-     {'sslv3', [], all_versions_tests()}].
+     {'sslv3', [], all_versions_tests()},
+     {'dtlsv1.2', [], dtls_all_versions_tests()},
+     {'dtlsv1', [], dtls_all_versions_tests()}
+    ].
 
 basic_tests() ->
     [basic_erlang_client_openssl_server,
@@ -78,6 +83,25 @@ all_versions_tests() ->
      expired_session,
      ssl2_erlang_server_openssl_client
     ].
+dtls_all_versions_tests() ->
+    [
+     %%erlang_client_openssl_server,
+     erlang_server_openssl_client,
+     %%erlang_client_openssl_server_dsa_cert,
+     erlang_server_openssl_client_dsa_cert
+     %% This one works but gets port EXIT first some times 
+     %%erlang_server_openssl_client_reuse_session
+     %%erlang_client_openssl_server_renegotiate,
+     %%erlang_client_openssl_server_nowrap_seqnum,
+     %%erlang_server_openssl_client_nowrap_seqnum,
+     %%erlang_client_openssl_server_no_server_ca_cert,
+     %%erlang_client_openssl_server_client_cert,
+     %%erlang_server_openssl_client_client_cert
+     %%ciphers_rsa_signed_certs,
+     %%ciphers_dsa_signed_certs,
+     %%erlang_client_bad_openssl_server,
+     %%expired_session
+    ].
 
 alpn_tests() ->
     [erlang_client_alpn_openssl_server_alpn,
@@ -284,7 +308,8 @@ basic_erlang_client_openssl_server(Config) when is_list(Config) ->
 
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), 
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+
+    ssl_test_lib:wait_for_openssl_server(Port, tls),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -357,7 +382,7 @@ erlang_client_openssl_server(Config) when is_list(Config) ->
 	
     OpensslPort =  ssl_test_lib:portable_open_port(Exe, Args), 
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -431,7 +456,7 @@ erlang_client_openssl_server_dsa_cert(Config) when is_list(Config) ->
 
     OpensslPort =  ssl_test_lib:portable_open_port(Exe, Args), 
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -551,7 +576,7 @@ erlang_client_openssl_server_renegotiate(Config) when is_list(Config) ->
     
     OpensslPort =  ssl_test_lib:portable_open_port(Exe, Args), 
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -600,7 +625,7 @@ erlang_client_openssl_server_nowrap_seqnum(Config) when is_list(Config) ->
     
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -681,7 +706,7 @@ erlang_client_openssl_server_no_server_ca_cert(Config) when is_list(Config) ->
     
     OpensslPort =  ssl_test_lib:portable_open_port(Exe, Args), 
  
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -724,7 +749,7 @@ erlang_client_openssl_server_client_cert(Config) when is_list(Config) ->
     
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),   
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					{host, Hostname},
@@ -856,7 +881,7 @@ erlang_client_bad_openssl_server(Config) when is_list(Config) ->
  	"-cert", CertFile, "-key", KeyFile],
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), 
     
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
     
     Client0 = ssl_test_lib:start_client([{node, ClientNode}, {port, Port}, 
 					 {host, Hostname},
@@ -911,7 +936,7 @@ expired_session(Config) when is_list(Config) ->
     
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args), 
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, tls),
     
     Client0 =
 	ssl_test_lib:start_client([{node, ClientNode}, 
@@ -1399,7 +1424,7 @@ cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
 
     OpenSslPort =  ssl_test_lib:portable_open_port(Exe, Args), 
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     ConnectionInfo = {ok, {Version, CipherSuite}},
 
@@ -1469,7 +1494,7 @@ start_erlang_client_and_openssl_server_with_opts(Config, ErlangClientOpts, Opens
 		   
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),  
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
                     {host, Hostname},
@@ -1505,7 +1530,7 @@ start_erlang_client_and_openssl_server_for_alpn_negotiation(Config, Data, Callba
     Args = ["s_server", "-msg", "-alpn", "http/1.1,spdy/2", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version),
 	    "-cert", CertFile, "-key", KeyFile],
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),  
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
                     {host, Hostname},
@@ -1574,7 +1599,7 @@ start_erlang_client_and_openssl_server_for_alpn_npn_negotiation(Config, Data, Ca
 
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),  
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
                     {host, Hostname},
@@ -1639,7 +1664,7 @@ start_erlang_client_and_openssl_server_for_npn_negotiation(Config, Data, Callbac
 	    "-cert", CertFile, "-key", KeyFile],
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),  
 
-    ssl_test_lib:wait_for_openssl_server(Port),
+    ssl_test_lib:wait_for_openssl_server(Port, proplists:get_value(protocol, Config)),
 
     Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
                     {host, Hostname},