Diffstat (limited to 'lib/ssl/doc/src/ssl.xml')
-rw-r--r--lib/ssl/doc/src/ssl.xml117
1 files changed, 104 insertions, 13 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index c448d345de..05590666da 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -145,7 +145,11 @@
</datatype>
<datatype>
- <name name="legacy_version"/>
+ <name name="tls_legacy_version"/>
+ </datatype>
+
+ <datatype>
+ <name name="dtls_legacy_version"/>
</datatype>
<datatype>
@@ -195,12 +199,20 @@
<datatype>
<name name="signature_algs"/>
</datatype>
-
+
<datatype>
<name name="sign_algo"/>
</datatype>
+
+ <datatype>
+ <name name="sign_scheme"/>
+ </datatype>
<datatype>
+ <name name="group"/>
+ </datatype>
+
+ <datatype>
<name name="kex_algo"/>
</datatype>
@@ -332,6 +344,42 @@
matters.</p>
</desc>
</datatype>
+
+ <datatype>
+ <name name="signature_schemes"/>
+ <desc>
+ <p>
+ In addition to the signature_algorithms extension from TLS 1.2,
+ <url href="http://www.ietf.org/rfc/rfc8446.txt#section-4.2.3">TLS 1.3
+ (RFC 5246 Section 4.2.3)</url>adds the signature_algorithms_cert extension
+ which enables having special requirements on the signatures used in the
+ certificates that differs from the requirements on digital signatures as a whole.
+ If this is not required this extension is not needed.
+ </p>
+ <p>
+ The client will send a signature_algorithms_cert extension (ClientHello),
+ if TLS version 1.3 or later is used, and the signature_algs_cert option is
+ explicitly specified. By default, only the signature_algs extension is sent.
+ </p>
+ <p>
+ The signature schemes shall be ordered according to the client's preference
+ (favorite choice first).
+ </p>
+ </desc>
+ </datatype>
+
+ <datatype>
+ <name name="supported_groups"/>
+ <desc>
+ <p>TLS 1.3 introduces the "supported_groups" extension that is used for negotiating
+ the Diffie-Hellman parameters in a TLS 1.3 handshake. Both client and server
+ can specify a list of parameters that they are willing to use.
+ </p>
+ <p> If it is not specified it will use a default list ([x25519, x448, secp256r1, secp384r1]) that
+ is filtered based on the installed crypto library version.
+ </p>
+ </desc>
+ </datatype>
<datatype>
<name name="secure_renegotiation"/>
@@ -472,7 +520,7 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
<item>check is only performed on the peer certificate.</item>
<tag><c>best_effort</c></tag>
- <item>if certificate revocation status can not be determined
+ <item>if certificate revocation status cannot be determined
it will be accepted as valid.</item>
</taglist>
@@ -605,10 +653,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
</desc>
</datatype>
- <datatype>
- <name name="log_alert"/>
- <desc><p>If set to <c>false</c>, error reports are not displayed.</p>
- </desc>
+ <datatype>
+ <name name="log_alert"/>
+ <desc><p>If set to <c>false</c>, error reports are not displayed.
+ Deprecated in OTP 22, use {log_level, <seealso marker="#type-logging_level">logging_level()</seealso>} instead.</p>
+ </desc>
+ </datatype>
+
+ <datatype>
+ <name name="logging_level"/>
+ <desc><p>Specifies the log level for TLS/DTLS. At verbosity level <c>notice</c> and above error reports are
+ displayed in TLS/DTLS. The level <c>debug</c> triggers verbose logging of TLS/DTLS protocol
+ messages.</p>
+ </desc>
</datatype>
<datatype>
@@ -849,7 +906,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
</desc>
</datatype>
-
<datatype_title>TLS/DTLS OPTION DESCRIPTIONS - SERVER </datatype_title>
@@ -863,8 +919,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
is supplied it overrides option <c>cacertfile</c>.</p>
</desc>
</datatype>
-
-
+
<datatype>
<name name="server_cafile"/>
<desc><p>Path to a file containing PEM-encoded CA
@@ -881,6 +936,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
<name name="dh_der"/>
<desc><p>The DER-encoded Diffie-Hellman parameters. If
specified, it overrides option <c>dhfile</c>.</p>
+ <warning><p>The <c>dh_der</c> option is not supported by TLS 1.3. Use the
+ <c>supported_groups</c> option instead.</p></warning>
</desc>
</datatype>
@@ -890,9 +947,10 @@ fun(srp, Username :: string(), UserState :: term()) ->
parameters to be used by the server if a cipher suite using
Diffie Hellman key exchange is negotiated. If not specified,
default parameters are used.</p>
+ <warning><p>The <c>dh_file</c> option is not supported by TLS 1.3. Use the
+ <c>supported_groups</c> option instead.</p></warning>
</desc>
</datatype>
-
<datatype>
<name name="server_verify_type"/>
@@ -1095,6 +1153,15 @@ fun(srp, Username :: string(), UserState :: term()) ->
</func>
<func>
+ <name name="cipher_suites" arity="3" since="OTP 22.0"/>
+ <fsummary>Returns a list of RFC or OpenSSL names</fsummary>
+ <desc><p>Same as <seealso marker="#cipher_suites-2">cipher_suites/2</seealso>
+ but lists RFC or OpenSSL string names instead of <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ </p>
+ </desc>
+ </func>
+
+ <func>
<name name="eccs" arity="0" since="OTP 19.2"/>
<name name="eccs" arity="1" since="OTP 19.2"/>
<fsummary>Returns a list of supported ECCs.</fsummary>
@@ -1526,12 +1593,36 @@ fun(srp, Username :: string(), UserState :: term()) ->
<p>Stops the SSL application.</p>
</desc>
</func>
+
+ <func>
+ <name since="OTP 22.0" name="str_to_suite" arity="1" />
+ <fsummary>Converts an RFC or OpenSSL name string to an erlang cipher suite format</fsummary>
+ <desc>
+ <p>Converts an RFC or OpenSSL name string to an
+ <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ Returns an error if the cipher suite is not supported or the name is not a valid cipher suite name.</p>
+ </desc>
+ </func>
<func>
+ <name since="OTP 22.0" name="suite_to_openssl_str" arity="1" />
+ <fsummary>Converts erlang cipher suite format to an OpenSSL name string.
+ </fsummary>
+ <desc>
+ <p>Converts <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ to OpenSSL name string. </p>
+
+ <p>PRE TLS-1.3 these names differ for RFC names</p>
+
+ </desc>
+ </func>
+
+ <func>
<name since="OTP 21.0" name="suite_to_str" arity="1" clause_i="1" />
- <fsummary>Returns the string representation of a cipher suite.</fsummary>
+ <fsummary>Converts an erlang cipher suite to an RFC name string.</fsummary>
<desc>
- <p>Returns the string representation of a cipher suite.</p>
+ <p>Converts <seealso marker="#type-erl_cipher_suite">erl_cipher_suite()</seealso>
+ to RFC name string.</p>
</desc>
</func>