1 files changed, 66 insertions, 23 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 90a9181ede..74a0a0a03e 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -101,16 +101,21 @@
     <datatype>
       <name name="transport_option"/>
       <desc>
-	<p>Defaults to <c>{gen_tcp, tcp, tcp_closed, tcp_error}</c>
-	for TLS and <c>{gen_udp, udp, udp_closed, udp_error}</c> for
-	DTLS. Can be used to customize the transport layer. The tag
-	values should be the values used by the underlying transport
-	in its active mode messages. For TLS the callback module must implement a
-	reliable transport protocol, behave as <c>gen_tcp</c>, and have functions
-	corresponding to <c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
-	<c>inet:peername/1</c>, <c>inet:sockname/1</c>, and <c>inet:port/1</c>.
-	The callback <c>gen_tcp</c> is treated specially and calls <c>inet</c>
-	directly. For DTLS this feature must be considered exprimental.
+	<p>Defaults to <c>{gen_tcp, tcp, tcp_closed, tcp_error,
+	tcp_passive}</c> for TLS (for backward compatibility a four
+	tuple will be converted to a five tuple with the last element
+	"second_element"_passive) and <c>{gen_udp, udp, udp_closed,
+	udp_error}</c> for DTLS (might also be changed to five tuple in
+	the future). Can be used to customize the transport layer. The
+	tag values should be the values used by the underlying
+	transport in its active mode messages. For TLS the callback
+	module must implement a reliable transport protocol, behave as
+	<c>gen_tcp</c>, and have functions corresponding to
+	<c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
+	<c>inet:peername/1</c>, <c>inet:sockname/1</c>, and
+	<c>inet:port/1</c>.  The callback <c>gen_tcp</c> is treated
+	specially and calls <c>inet</c> directly. For DTLS this
+	feature must be considered exprimental.
 	</p>
       </desc>
     </datatype>
@@ -140,8 +145,13 @@
      </datatype>
      
      <datatype>
-       <name name="legacy_version"/>
+       <name name="tls_legacy_version"/>
      </datatype>
+
+     <datatype>
+       <name name="dtls_legacy_version"/>
+     </datatype>
+     
      
        <datatype>
        <name name="prf_random"/>
@@ -190,11 +200,15 @@
      <datatype>
       <name name="signature_algs"/>
      </datatype>
-     
+
      <datatype>
       <name name="sign_algo"/>
      </datatype>
-
+     
+     <datatype>
+       <name name="sign_scheme"/>
+     </datatype>
+     
      <datatype>
       <name name="kex_algo"/>
      </datatype>
@@ -334,7 +348,30 @@
       and to restrict their usage when using a cipher suite supporting them.</p>
       </desc>
     </datatype>
-    
+
+    <datatype>
+      <name name="signature_schemes"/>
+      <desc>
+	  <p>
+	    In addition to the signature_algorithms extension from TLS 1.2,
+	    <url href="http://www.ietf.org/rfc/rfc8446.txt#section-4.2.3">TLS 1.3
+	    (RFC 5246 Section 4.2.3)</url>adds the signature_algorithms_cert extension
+	    which enables having special requirements on the signatures used in the
+	    certificates that differs from the requirements on digital signatures as a whole.
+	    If this is not required this extension is not needed.
+	  </p>
+	  <p>
+	    The client will send a signature_algorithms_cert extension (ClientHello),
+	    if TLS version 1.3 or later is used, and the signature_algs_cert option is
+	    explicitly specified. By default, only the signature_algs extension is sent.
+	  </p>
+	  <p>
+	    The signature schemes shall be ordered according to the client's preference
+	    (favorite choice first).
+	  </p>
+      </desc>
+     </datatype>
+     
     <datatype>
       <name name="secure_renegotiation"/>
       <desc><p>Specifies if to reject renegotiation attempt that does
@@ -474,7 +511,7 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
 	  <item>check is only performed on the peer certificate.</item>
 
 	  <tag><c>best_effort</c></tag>
-	  <item>if certificate revocation status can not be determined
+	  <item>if certificate revocation status cannot be determined
 	  it will be accepted as valid.</item>
 	</taglist>
 	
@@ -607,10 +644,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
       </desc>
     </datatype>
     
-  <datatype>    
-    <name name="log_alert"/> 
-    <desc><p>If set to <c>false</c>, error reports are not displayed.</p> 
-    </desc> 
+    <datatype>    
+      <name name="log_alert"/> 
+      <desc><p>If set to <c>false</c>, error reports are not displayed.
+      Deprecated in OTP 22, use {log_level, <seealso marker="#type-logging_level">logging_level()</seealso>} instead.</p> 
+      </desc> 
+    </datatype> 
+
+    <datatype>    
+      <name name="logging_level"/> 
+      <desc><p>Specifies the log level for TLS/DTLS. At verbosity level <c>notice</c> and above error reports are
+      displayed in TLS/DTLS. The level <c>debug</c> triggers verbose logging of TLS/DTLS protocol
+      messages.</p>
+      </desc> 
     </datatype> 
     
     <datatype>    
@@ -851,7 +897,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	</desc>
       </datatype>
       
-
       <datatype_title>TLS/DTLS OPTION DESCRIPTIONS - SERVER </datatype_title>
 
 
@@ -865,8 +910,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
       is supplied it overrides option <c>cacertfile</c>.</p>
 	</desc>
       </datatype>
-      
-      
+            
       <datatype>
 	<name name="server_cafile"/>
 	<desc><p>Path to a file containing PEM-encoded CA
@@ -894,7 +938,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	default parameters are used.</p>
 	</desc>
       </datatype>
-      
 
     <datatype>
 	<name name="server_verify_type"/>