2 files changed, 63 insertions, 9 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index be5abac7bc..3f643f32e1 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -190,15 +190,18 @@
        <name name="legacy_hash"/>
      </datatype>
 
-  
      <datatype>
       <name name="signature_algs"/>
      </datatype>
-     
+
      <datatype>
       <name name="sign_algo"/>
      </datatype>
-
+     
+     <datatype>
+       <name name="sign_scheme"/>
+     </datatype>
+     
      <datatype>
       <name name="key_algo"/>
      </datatype>
@@ -334,7 +337,30 @@
       and to restrict their usage when using a cipher suite supporting them.</p>
       </desc>
     </datatype>
-    
+
+    <datatype>
+      <name name="signature_schemes"/>
+      <desc>
+	  <p>
+	    In addition to the signature_algorithms extension from TLS 1.2,
+	    <url href="http://www.ietf.org/rfc/rfc8446.txt#section-4.2.3">TLS 1.3
+	    (RFC 5246 Section 4.2.3)</url>adds the signature_algorithms_cert extension
+	    which enables having special requirements on the signatures used in the
+	    certificates that differs from the requirements on digital signatures as a whole.
+	    If this is not required this extension is not needed.
+	  </p>
+	  <p>
+	    The client will send a signature_algorithms_cert extension (ClientHello),
+	    if TLS version 1.3 or later is used, and the signature_algs_cert option is
+	    explicitly specified. By default, only the signature_algs extension is sent.
+	  </p>
+	  <p>
+	    The signature schemes shall be ordered according to the client's preference
+	    (favorite choice first).
+	  </p>
+      </desc>
+     </datatype>
+     
     <datatype>
       <name name="secure_renegotiation"/>
       <desc><p>Specifies if to reject renegotiation attempt that does
@@ -606,10 +632,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
       </desc>
     </datatype>
     
-  <datatype>    
-    <name name="log_alert"/> 
-    <desc><p>If set to <c>false</c>, error reports are not displayed.</p> 
-    </desc> 
+    <datatype>    
+      <name name="log_alert"/> 
+      <desc><p>If set to <c>false</c>, error reports are not displayed.
+      Deprecated in OTP 22, use {log_level, <seealso marker="#type-logging_level">logging_level()</seealso>} instead.</p> 
+      </desc> 
+    </datatype> 
+
+    <datatype>    
+      <name name="logging_level"/> 
+      <desc><p>Specifies the log level for TLS/DTLS. At verbosity level <c>notice</c> and above error reports are
+      displayed in TLS. The level <c>debug</c> triggers verbose logging of TLS protocol
+      messages and logging of ignored alerts in DTLS.</p>
+      </desc> 
     </datatype> 
     
     <datatype>    
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 017e06b232..2542c82cc8 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -135,6 +135,22 @@
 -type legacy_hash()        :: md5.
 
 -type sign_algo()         :: rsa | dsa | ecdsa.
+
+-type sign_scheme()       :: rsa_pkcs1_sha256 
+                           | rsa_pkcs1_sha384
+                           | rsa_pkcs1_sha512
+                           | ecdsa_secp256r1_sha256
+                           | ecdsa_secp384r1_sha384
+                           | ecdsa_secp521r1_sha512
+                           | rsa_pss_rsae_sha256
+                           | rsa_pss_rsae_sha384
+                           | rsa_pss_rsae_sha512
+                           | rsa_pss_pss_sha256
+                           | rsa_pss_pss_sha384
+                           | rsa_pss_pss_sha512
+                           | rsa_pkcs1_sha1
+                           | ecdsa_sha1.
+
 -type key_algo()          :: rsa |
                              dhe_rsa | dhe_dss |
                              ecdhe_ecdsa | ecdh_ecdsa | ecdh_rsa |
@@ -228,6 +244,7 @@
                                 {password, key_password()} |
                                 {ciphers, cipher_suites()} |
                                 {eccs, eccs()} |
+                                {signature_algs_cert, signature_schemes()} |
                                 {secure_renegotiate, secure_renegotiation()} |
                                 {depth, allowed_cert_chain_length()} |
                                 {verify_fun, custom_verify()} |
@@ -237,6 +254,7 @@
                                 {partial_chain, root_fun()} |
                                 {versions, protocol_versions()} |
                                 {user_lookup_fun, custom_user_lookup()} |
+                                {log_level, logging_level()} |
                                 {log_alert, log_alert()} |
                                 {hibernate_after, hibernate_after()} |
                                 {padding_check, padding_check()} |
@@ -271,13 +289,14 @@
 -type root_fun()                 ::  fun().
 -type protocol_versions()        ::  [protocol_version()].
 -type signature_algs()           ::  [{hash(), sign_algo()}].
+-type signature_schemes()        ::  [sign_scheme()].
 -type custom_user_lookup()       ::  {Lookupfun :: fun(), UserState :: term()}.
 -type padding_check()            :: boolean(). 
 -type beast_mitigation()         :: one_n_minus_one | zero_n | disabled.
 -type srp_identity()             :: {Username :: string(), Password :: string()}.
 -type psk_identity()             :: string().
 -type log_alert()                :: boolean().
-
+-type logging_level()            :: logger:level().
 %% -------------------------------------------------------------------------------------------------------
 
 -type client_option()        :: {verify, client_verify_type()} |