1 files changed, 103 insertions, 18 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 0c042f8571..47b0dbc206 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -38,7 +38,9 @@
       <item>ssl requires the crypto and public_key applications.</item>
       <item>Supported SSL/TLS-versions are SSL-3.0, TLS-1.0,
       TLS-1.1 and TLS-1.2.</item>
-      <item>For security reasons sslv2 is not supported.</item>
+      <item>For security reasons SSL-2.0 is not supported.</item>
+      <item>For security reasons SSL-3.0 is no longer supported by default,
+      but may be configured.</item>
       <item>Ephemeral Diffie-Hellman cipher suites are supported
       but not Diffie Hellman Certificates cipher suites.</item>
       <item>Elliptic Curve cipher suites are supported if crypto
@@ -49,9 +51,9 @@
       <item>IDEA cipher suites are not supported as they have
       become deprecated by the latest TLS spec so there is not any
       real motivation to implement them.</item>
-      <item>CRL and policy certificate extensions are not supported
-      yet. However CRL verification is supported by public_key, only not integrated
-      in ssl yet. </item>
+      <item>CRL validation is supported.</item>
+      <item>Policy certificate extensions are not supported
+      yet. </item>
       <item>Support for 'Server Name Indication' extension client side
       (RFC 6066 section 3).</item>
     </list>
@@ -87,12 +89,14 @@
       |{dh, der_encoded()} | {dhfile, path()} | {ciphers, ciphers()} |
       {user_lookup_fun, {fun(), term()}}, {psk_identity, string()}, {srp_identity, {string(), string()}} |
       {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()}
+      {alpn_advertised_protocols, [binary()]} |
+      {alpn_preferred_protocols, [binary()]} |
       {next_protocols_advertised, [binary()]} |
       {client_preferred_next_protocols, {client | server, [binary()]} | {client | server, [binary()], binary()}} |
       {log_alert, boolean()} | {server_name_indication, hostname() | disable}
     </c></p>
 
-    <p><c>transportoption() = {cb_info, {CallbackModule::atom(), DataTag::atom(), ClosedTag::atom(), ErrTag:atom()}}
+    <p><c>transportoption() = {cb_info, {CallbackModule :: atom(), DataTag :: atom(), ClosedTag :: atom(), ErrTag:atom()}}
 	- defaults to {gen_tcp, tcp, tcp_closed, tcp_error}. Can be used to customize
 	the transport layer. The callback module must implement a reliable transport
 	protocol and behave as gen_tcp and in addition have functions corresponding to
@@ -136,7 +140,7 @@
     </c></p>
 
    <p><c>cipher() = rc4_128 | des_cbc | '3des_ede_cbc'
-      | aes_128_cbc | aes_256_cbc </c></p>
+      | aes_128_cbc | aes_256_cbc | aes_128_gcm | aes_256_gcm </c></p>
 
    <p> <c>hash() = md5 | sha
     </c></p>
@@ -299,10 +303,47 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
 	<item> Possible such reasons see <seealso
 	marker="public_key:public_key#pkix_path_validation-3"> public_key:pkix_path_validation/3 </seealso></item>
       </taglist>
+      </item>
+
+      <tag>{crl_check, boolean() | peer | best_effort }</tag>
+      <item>
+	Perform CRL (Certificate Revocation List) verification
+	<seealso marker="public_key:public_key#pkix_crl_validate-3">
+	(public_key:pkix_crls_validate/3)</seealso> on all the certificates during the path validation
+	<seealso
+	    marker="public_key:public_key#pkix_path_validation-3">(public_key:pkix_path_validation/3)
+	</seealso>
+	of the certificate chain. Defaults to false.
+	
+	<p><c>peer</c> - check is only performed on
+	the peer certificate.</p>
+
+	<p><c>best_effort</c> - if certificate revocation status can not be determined
+	it will be accepted as valid.</p>
 
+	<p>The CA certificates specified for the connection will be used to 
+	construct the certificate chain validating the CRLs.</p>
+ 	
+	<p>The CRLs will be fetched from a local or external cache
+	<seealso marker="ssl:ssl_crl_cache_api">ssl_crl_cache_api(3)</seealso>.</p>
       </item>
 
+      <tag>{crl_cache, {Module :: atom(), {DbHandle :: internal | term(), Args :: list()}}}</tag>
+      <item>
+	<p>Module defaults to ssl_crl_cache with <c> DbHandle </c> internal and an
+	empty argument list. The following arguments may be specified for the internal cache.</p>
+	<taglist>
+	  <tag>{http, timeout()}</tag>
+	  <item>
+	    Enables fetching of CRLs specified as http URIs in<seealso 
+	    marker="public_key:cert_records"> X509 cerificate extensions.</seealso>
+	    Requires the OTP inets application.
+	  </item>	    
+	</taglist>    
+      </item>
+      
       <tag>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca </tag>
+      
       <item>
 	Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3
 	with the selected CA as trusted anchor and the rest of the chain.
@@ -311,7 +352,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
       <tag>{versions, [protocol()]}</tag>
       <item>TLS protocol versions that will be supported by started clients and servers.
       This option overrides the application environment option <c>protocol_version</c>. If the
-      environment option is not set it defaults to all versions supported by the SSL application. See also
+      environment option is not set it defaults to all versions, except SSL-3.0, supported by the SSL application. See also
       <seealso marker="ssl:ssl_app">ssl(6)</seealso>
       </item>
 
@@ -386,7 +427,20 @@ fun(srp, Username :: string(), UserState :: term()) ->
       certificates are used during server authentication and when building the
       client certificate chain.
      </item>
-  
+
+      <tag>{alpn_advertised_protocols, [binary()]}</tag>
+      <item>
+      <p>The list of protocols supported by the client to be sent to the
+      server to be used for an Application-Layer Protocol Negotiation (ALPN).
+      If the server supports ALPN then it will choose a protocol from this
+      list; otherwise it will fail the connection with a "no_application_protocol"
+      alert. A server that does not support ALPN will ignore this value.</p>
+
+      <p>The list of protocols must not contain an empty binary.</p>
+
+      <p>The negotiated protocol can be retrieved using the <c>negotiated_protocol/1</c> function.</p>
+      </item>
+
       <tag>{client_preferred_next_protocols, {Precedence :: server | client, ClientPrefs :: [binary()]}}</tag>
       <tag>{client_preferred_next_protocols, {Precedence :: server | client, ClientPrefs :: [binary()], Default :: binary()}}</tag>
 	   <item>
@@ -506,12 +560,25 @@ fun(srp, Username :: string(), UserState :: term()) ->
       and CipherSuite is of type ciphersuite().
     </item>
 
+      <tag>{alpn_preferred_protocols, [binary()]}</tag>
+      <item>
+      <p>Indicates the server will try to perform Application-Layer
+      Protocol Negotiation (ALPN).</p>
+
+      <p>The list of protocols is in order of preference. The protocol
+      negotiated will be the first in the list that matches one of the
+      protocols advertised by the client. If no protocol matches, the
+      server will fail the connection with a "no_application_protocol" alert.</p>
+
+      <p>The negotiated protocol can be retrieved using the <c>negotiated_protocol/1</c> function.</p>
+      </item>
+
       <tag>{next_protocols_advertised, Protocols :: [binary()]}</tag>
       <item>The list of protocols to send to the client if the client indicates
       it supports the Next Protocol extension. The client may select a protocol
       that is not on this list. The list of protocols must not contain an empty
       binary. If the server negotiates a Next Protocol it can be accessed
-      using <c>negotiated_next_protocol/1</c> method.
+      using <c>negotiated_protocol/1</c> function.
       </item>
 
       <tag>{psk_identity, string()}</tag>
@@ -945,31 +1012,49 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name>versions() ->
-	[{SslAppVer, SupportedSslVer, AvailableSslVsn}]</name>
+      <name>versions() -> [versions_info()]</name>
       <fsummary>Returns version information relevant for the
 	ssl application.</fsummary>
       <type>
-	<v>SslAppVer = string()</v>
-      	<v>SupportedSslVer = [protocol()]</v>
-      	<v>AvailableSslVsn = [protocol()]</v>
+	<v>versions_info() = {app_vsn, string()} | {supported | available, [protocol()] </v>
       </type>
       <desc>
 	<p>
 	  Returns version information relevant for the
-	  ssl application.</p>
+	  ssl application.
+	</p>
+	<taglist>
+	  <tag>app_vsn</tag>
+	  <item> The application version of the OTP ssl application.</item>
+
+	  <tag>supported</tag>
+
+	  <item>TLS/SSL versions supported by default.
+	  Overridden by a versions option on
+	  <seealso marker="#connect-2"> connect/[2,3,4]</seealso>, <seealso
+	  marker="#listen-2"> listen/2</seealso> and <seealso
+	  marker="#ssl_accept-2">ssl_accept/[1,2,3]</seealso>. For the
+	  negotiated TLS/SSL version see <seealso
+	  marker="#connection_info-1">ssl:connection_info/1
+	  </seealso></item>
+	  
+	  <tag>available</tag>
+	  <item>All TLS/SSL versions that the Erlang ssl application
+	  can support. Note that TLS 1.2 requires sufficient support
+	  from the crypto application. </item>
+	</taglist>
       </desc>
     </func>
     <func>
-      <name>negotiated_next_protocol(Socket) -> {ok, Protocol} | {error, next_protocol_not_negotiated}</name>
-      <fsummary>Returns the Next Protocol negotiated.</fsummary>
+      <name>negotiated_protocol(Socket) -> {ok, Protocol} | {error, protocol_not_negotiated}</name>
+      <fsummary>Returns the protocol negotiated through ALPN or NPN extensions.</fsummary>
       <type>
         <v>Socket = sslsocket()</v>
         <v>Protocol = binary()</v>
       </type>
       <desc>
         <p>
-          Returns the Next Protocol negotiated.
+          Returns the protocol negotiated through ALPN or NPN extensions.
         </p>
       </desc>
     </func>