1 files changed, 62 insertions, 12 deletions

diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index e019654685..f0eac76264 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -36,12 +36,16 @@
 
     <list type="bulleted">
       <item>ssl requires the crypto and public_key applications.</item>
-      <item>Supported SSL/TLS-versions are SSL-3.0 and TLS-1.0 </item>
+      <item>Supported SSL/TLS-versions are SSL-3.0 and TLS-1.0, experimental
+      support for TLS-1.1 and TLS-1.2 is also available (no support for elliptic curve cipher suites yet).</item>
       <item>For security reasons sslv2 is not supported.</item>
       <item>Ephemeral Diffie-Hellman cipher suites are supported
       but not Diffie Hellman Certificates cipher suites.</item>
       <item>Export cipher suites are not supported as the
       U.S. lifted its export restrictions in early 2000.</item>
+      <item>IDEA cipher suites are not supported as they have
+      become deprecated by the latest TLS spec so there is not any
+      real motivation to implement them.</item>
       <item>CRL and policy certificate
             extensions are not supported yet. </item>
     </list>
@@ -75,7 +79,9 @@
       {keyfile, path()} | {password, string()} |
       {cacerts, [der_encoded()]} | {cacertfile, path()} |
       |{dh, der_encoded()} | {dhfile, path()} | {ciphers, ciphers()} |
-      {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()} 
+      {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} | {reuse_session, fun()}
+      {next_protocols_advertised, list(binary()} |
+      {client_preferred_next_protocols, binary(), client | server, list(binary())}
     </c></p>
 
     <p><c>transportoption() = {CallbackModule, DataTag, ClosedTag}
@@ -106,7 +112,7 @@
 
     <p><c>sslsocket() - opaque to the user. </c></p>
     
-    <p><c>protocol() = sslv3 | tlsv1 </c></p>
+    <p><c>protocol() = sslv3 | tlsv1 | 'tlsv1.1' | 'tlsv1.2' </c></p>
     
     <p><c>ciphers() = [ciphersuite()] | string() (according to old API)</c></p>
     
@@ -193,13 +199,13 @@
       </item>
 
       <tag>{depth, integer()}</tag>
-      <item>Specifies the maximum
-      verification depth, i.e. how far in a chain of certificates the
-      verification process can proceed before the verification is
-      considered to fail. Peer certificate = 0, CA certificate = 1,
-      higher level CA certificate = 2, etc.  The value 2 thus means
-      that a chain can at most contain peer cert, CA cert, next CA
-      cert, and an additional CA cert. The default value is 1.
+      <item>
+	The depth is the maximum number of non-self-issued
+	intermediate certificates that may follow the peer certificate
+	in a valid certification path.  So if depth is 0 the PEER must
+	be signed by the trusted ROOT-CA directly, if 1 the path can
+	be PEER, CA, ROOT-CA, if it is 2 PEER, CA, CA, ROOT-CA and so
+	on.  The default value is 1.
       </item>
 
       <tag>{verify_fun, {Verifyfun :: fun(), InitialUserState :: term()}}</tag>
@@ -297,8 +303,29 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
       when possible.
       </item>
 
+      <tag>{client_preferred_next_protocols,  Precedence:: server | client, ClientPrefs::[binary()]}
+           {client_preferred_next_protocols,  Precedence:: server | client, ClientPrefs::[binary()] , Default :: binary()}}</tag>
+
+	   <item> <p>Indicates the client will try to perform Next Protocol
+	   Negotiation.</p>
+
+	    <p>If precedence is server the negaotiated protocol will be the
+	   first protocol that appears on the server advertised list that is
+	   also on the clients preference list.</p>
+
+	   <p>If the precedence is client the negaotiated protocol will be the
+	   first protocol that appears on the clients preference list that is
+	   also on the server advertised list.</p>
+
+	  <p> If the client does not support any of the servers advertised
+	   protocols or the server does not advertise any protocols the
+	   client will fallback to the first protocol in its list or if a
+	   default is supplied it will fallback to that instead. If the
+	   server does not support next protocol renegotiation the
+	   connection will be aborted if no default protocol is supplied.</p>
+	   </item>
     </taglist>
-  </section>
+   </section>
 
   <section>
     <title>SSL OPTION DESCRIPTIONS - SERVER SIDE</title>
@@ -349,6 +376,14 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
       SuggestedSessionId is a binary(),  PeerCert is a DER encoded
       certificate, Compression is an enumeration integer
       and CipherSuite is of type ciphersuite().
+    </item>
+
+      <tag>{next_protocols_advertised, Protocols :: list(binary())}</tag>
+      <item>The list of protocols to send to the client if the client indicates
+      it supports the Next Protocol extension. The client may select a protocol
+      that is not on this list. The list of protocols must not contain an empty
+      binary. If the server negotiates a Next Protocol it can be accessed
+      using <c>negotiated_next_protocol/1</c> method.
       </item>
 
     </taglist>
@@ -762,8 +797,23 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
 	  ssl application.</p>
       </desc>
     </func>
+    <func>
+      <name>negotiated_next_protocol(Socket) -> {ok, Protocol} | {error, next_protocol_not_negotiated}</name>
+      <fsummary>Returns the Next Protocol negotiated.</fsummary>
+      <type>
+        <v>Socket = sslsocket()</v>
+        <v>Protocol = binary()</v>
+      </type>
+      <desc>
+        <p>
+          Returns the Next Protocol negotiated.
+        </p>
+      </desc>
+    </func>
+
+
   </funcs> 
-      
+
   <section>
     <title>SEE ALSO</title>
     <p><seealso marker="kernel:inet">inet(3) </seealso> and