1 files changed, 66 insertions, 22 deletions

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 916b41742e..8fcda78ed5 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -4,7 +4,7 @@
 <erlref>
   <header>
     <copyright>
-      <year>1999</year><year>2016</year>
+      <year>1999</year><year>2017</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -69,7 +69,9 @@
 	<p><c>| {cert, public_key:der_encoded()}</c></p>
 	<p><c>| {certfile, path()}</c></p>
 	<p><c>| {key, {'RSAPrivateKey'| 'DSAPrivateKey' | 'ECPrivateKey' 
-	| 'PrivateKeyInfo', public_key:der_encoded()}}</c></p>
+	| 'PrivateKeyInfo', public_key:der_encoded()} |
+	#{algorithm := rsa | dss | ecdsa,
+	engine := crypto:engine_ref(), key_id := crypto:key_id(), password => crypto:password()}</c></p>
 	<p><c>| {keyfile, path()}</c></p>
 	<p><c>| {password, string()}</c></p>
 	<p><c>| {cacerts, [public_key:der_encoded()]}</c></p>
@@ -127,7 +129,7 @@
       <item><p><c>hostname() | ipaddress()</c></p></item>
 
       <tag><c>hostname() =</c></tag>
-      <item><p><c>string()</c></p></item>
+      <item><p><c>string() - DNS hostname</c></p></item>
 
       <tag><c>ip_address() =</c></tag>
       <item><p><c>{N1,N2,N3,N4} % IPv4 | {K1,K2,K3,K4,K5,K6,K7,K8} % IPv6
@@ -189,6 +191,11 @@
     
     <taglist>
 
+      <tag><c>{protocol, tls | dtls}</c></tag>
+      <item><p>Choose TLS or DTLS protocol for the transport layer security.
+      Defaults to <c>tls</c> Introduced in OTP 20, DTLS support is considered
+      experimental in this release. DTLS over other transports than UDP are not yet supported.</p></item>
+
       <tag><c>{cert, public_key:der_encoded()}</c></tag>
       <item><p>The DER-encoded users certificate. If this option
       is supplied, it overrides option <c>certfile</c>.</p></item>
@@ -196,9 +203,15 @@
       <tag><c>{certfile, path()}</c></tag>
       <item><p>Path to a file containing the user certificate.</p></item>
       
-      <tag><c>{key, {'RSAPrivateKey'| 'DSAPrivateKey' | 'ECPrivateKey'
-      |'PrivateKeyInfo', public_key:der_encoded()}}</c></tag>
-      <item><p>The DER-encoded user's private key. If this option 
+      <tag>
+	<marker id="key_option_def"/>
+	<c>{key, {'RSAPrivateKey'| 'DSAPrivateKey' | 'ECPrivateKey'
+      |'PrivateKeyInfo', public_key:der_encoded()} |  #{algorithm := rsa | dss | ecdsa,
+	engine := crypto:engine_ref(), key_id :=  crypto:key_id(), password => crypto:password()}</c></tag>
+      <item><p>The DER-encoded user's private key or a map refering to a crypto
+      engine and its key reference that optionally can be password protected,
+      seealso <seealso marker="crypto:crypto#engine_load-4"> crypto:engine_load/4
+      </seealso> and  <seealso marker="crypto:engine_load"> Crypto's Users Guide</seealso>. If this option 
       is supplied, it overrides option <c>keyfile</c>.</p></item>
       
       <tag><c>{keyfile, path()}</c></tag>
@@ -249,7 +262,7 @@
       be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, 
       ROOT-CA, and so on. The default value is 1.</p></item>
 
-      <tag><c>{verify_fun, {Verifyfun :: fun(), InitialUserState ::
+      <tag><marker id="verify_fun"/><c>{verify_fun, {Verifyfun :: fun(), InitialUserState ::
       term()}}</c></tag>
       <item><p>The verification fun is to be defined as follows:</p>
 
@@ -582,16 +595,21 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <item><p>Specifies the username and password to use to authenticate
       to the server.</p></item>
 
-      <tag><c>{server_name_indication, hostname()}</c></tag>
-      <item><p>Can be specified when upgrading a TCP socket to a TLS
-        socket to use the TLS Server Name Indication extension.</p></item>
-
-	<tag><c>{server_name_indication, disable}</c></tag>
-      <item>
-        <p>When starting a TLS connection without upgrade, the Server Name
-        Indication extension is sent if possible. This option can be
-        used to disable that behavior.</p>
+      <tag><c>{server_name_indication, HostName :: hostname()}</c></tag>
+      <item><p>Specify the hostname to be used in TLS Server Name Indication extension.
+      If not specified it will default to the <c>Host</c> argument of <seealso marker="#connect-3">connect/[3,4]</seealso>
+      unless it is of type inet:ipaddress().</p>
+      <p>
+	The <c>HostName</c> will also be used in the hostname verification of the peer certificate using
+	<seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso>.
+      </p>
       </item>
+      <tag><c>{server_name_indication, disable}</c></tag>
+	<item>
+          <p> Prevents the Server Name Indication extension from being sent and
+	  disables the hostname verification check
+	  <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso> </p>
+	</item>
       <tag><c>{fallback, boolean()}</c></tag>
       <item>
 	<p> Send special cipher suite TLS_FALLBACK_SCSV to avoid undesired TLS version downgrade.
@@ -868,6 +886,12 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <desc><p>Upgrades a <c>gen_tcp</c>, or equivalent,
 	  connected socket to an SSL socket, that is, performs the
 	  client-side ssl handshake.</p>
+	  
+	  <note><p>If the option <c>verify</c> is set to <c>verify_peer</c>
+	  the option <c>server_name_indication</c> shall also be specified,
+	  if it is not no Server Name Indication extension will be sent,
+	  and <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso>
+	  will be called with the IP-address of the connection as <c>ReferenceID</c>, which is proably not what you want.</p></note>
     </desc>
     </func>
 
@@ -884,7 +908,24 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	  <v>SslSocket = sslsocket()</v>
 	  <v>Reason = term()</v>
       </type>
-      <desc><p>Opens an SSL connection to <c>Host</c>, <c>Port</c>.</p></desc>
+      <desc><p>Opens an SSL connection to <c>Host</c>, <c>Port</c>.</p>
+      
+      <p> When the option <c>verify</c> is set to <c>verify_peer</c> the check 
+      <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso> 
+      will be performed in addition to the usual x509-path validation checks. If the check fails the error {bad_cert, hostname_check_failed} will
+      be propagated to the path validation fun <seealso marker="#verify_fun">verify_fun</seealso>, where it is possible to do customized
+      checks by using the full possibilitis of the <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso> API.
+      
+      When the option <c>server_name_indication</c> is provided, its value (the DNS name) will be used as <c>ReferenceID</c>
+      to <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso>.
+      When no <c>server_name_indication</c> option is given, the <c>Host</c> argument will be used as
+      Server Name Indication extension. The <c>Host</c> argument will also be used for the
+      <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname/2</seealso> check and if the <c>Host</c>
+      argument is an <c>inet:ip_address()</c> the <c>ReferenceID</c> used for the check will be <c>{ip, Host}</c> otherwise
+      <c>dns_id</c> will be assumed with a fallback to <c>ip</c> if that fails. </p>
+      <note><p>According to good practices certificates should not use IP-addresses as "server names". It would
+      be very surprising if this happen outside a closed network. </p></note> 
+      </desc>
     </func>
 
     <func>
@@ -935,13 +976,14 @@ fun(srp, Username :: string(), UserState :: term()) ->
       <fsummary>Returns all the connection information.
       </fsummary>
       <type>
-        <v>Item = protocol | cipher_suite | sni_hostname | ecc | atom()</v>
+        <v>Item = protocol | cipher_suite | sni_hostname | ecc | session_id | atom()</v>
 	<d>Meaningful atoms, not specified above, are the ssl option names.</d>
 	<v>Result = [{Item::atom(), Value::term()}]</v>
         <v>Reason = term()</v>
       </type>
-      <desc><p>Returns all relevant information about the connection, ssl options that
-      are undefined will be filtered out.</p>
+      <desc><p>Returns the most relevant information about the connection, ssl options that
+      are undefined will be filtered out. Note that values that affect the security of the
+      connection will only be returned if explicitly requested by connection_information/2.</p>
       </desc>
     </func>
 
@@ -952,8 +994,10 @@ fun(srp, Username :: string(), UserState :: term()) ->
       </fsummary>
       <type>
 	<v>Items = [Item]</v>
-	<v>Item = protocol | cipher_suite | sni_hostname | atom()</v>
-	<d>Meaningful atoms, not specified above, are the ssl option names.</d>
+	<v>Item = protocol | cipher_suite | sni_hostname | ecc | session_id | client_random 
+          | server_random  | master_secret | atom()</v>
+	<d>Note that client_random, server_random  and master_secret are values
+        that affect the security of connection. Meaningful atoms, not specified above, are the ssl option names.</d>
 	<v>Result = [{Item::atom(), Value::term()}]</v>
         <v>Reason = term()</v>
       </type>