1 files changed, 125 insertions, 41 deletions

diff --git a/lib/ssl/doc/src/ssl_distribution.xml b/lib/ssl/doc/src/ssl_distribution.xml
index 61f88e3860..e14f3f90dc 100644
--- a/lib/ssl/doc/src/ssl_distribution.xml
+++ b/lib/ssl/doc/src/ssl_distribution.xml
@@ -4,7 +4,7 @@
 <chapter>
   <header>
     <copyright>
-      <year>2000</year><year>2016</year>
+      <year>2000</year><year>2017</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -22,7 +22,7 @@
     
     </legalnotice>
 
-    <title>Using SSL for Erlang Distribution</title>
+    <title>Using TLS for Erlang Distribution</title>
     <prepared>P Nyblom</prepared>
     <responsible></responsible>
     <docno></docno>
@@ -33,7 +33,7 @@
     <file>ssl_distribution.xml</file>
   </header>
   <p>This section describes how the Erlang distribution can use 
-    SSL to get extra verification and security.</p>
+    TLS to get extra verification and security.</p>
 
     <p>The Erlang distribution can in theory use almost any 
       connection-based protocol as bearer. However, a module that 
@@ -45,16 +45,16 @@
 
       <p>In the SSL application, an extra distribution
       module, <c>inet_tls_dist</c>, can be used as an
-      alternative. All distribution connections will use SSL and
+      alternative. All distribution connections will use TLS and
       all participating Erlang nodes in a distributed system must use
       this distribution module.</p>
 
       <p>The security level depends on the parameters provided to the
-      SSL connection setup. Erlang node cookies are however always
+      TLS connection setup. Erlang node cookies are however always
       used, as they can be used to differentiate between two different
       Erlang networks.</p>
 
-    <p>To set up Erlang distribution over SSL:</p>
+    <p>To set up Erlang distribution over TLS:</p>
 
       <list type="bulleted">
       <item><em>Step 1:</em> Build boot scripts including the
@@ -63,13 +63,13 @@
       <c>net_kernel</c>.</item>
       <item><em>Step 3:</em> Specify the security options and other 
       SSL options.</item>
-      <item><em>Step 4:</em> Set up the environment to always use SSL.</item>
+      <item><em>Step 4:</em> Set up the environment to always use TLS.</item>
     </list>
 
     <p>The following sections describe these steps.</p>
 
   <section>
-    <title>Building Boot Scripts Including the ssl Application</title>
+    <title>Building Boot Scripts Including the SSL Application</title>
     <p>Boot scripts are built using the <c>systools</c> utility in the
       SASL application. For more information on <c>systools</c>,
       see the SASL documentation. This is only an example of
@@ -90,7 +90,7 @@
 	STDLIB application.</p></item>
       </list>
 
-    <p>The following shows an example <c>.rel</c> file with SSL 
+    <p>The following shows an example <c>.rel</c> file with TLS 
     added:</p>
     <code type="none">
       {release, {"OTP  APN 181 01","R15A"}, {erts, "5.9"},
@@ -154,7 +154,7 @@ Eshell V5.0  (abort with ^G)
 
   <section>
     <title>Specifying Distribution Module for net_kernel</title>
-    <p>The distribution module for SSL is named <c>inet_tls_dist</c>
+    <p>The distribution module for SSL/TLS is named <c>inet_tls_dist</c>
       and is specified on the command line with option <c>-proto_dist</c>.
       The argument to <c>-proto_dist</c> is to be the module
       name without suffix <c>_dist</c>. So, this distribution
@@ -174,21 +174,107 @@ Eshell V5.0  (abort with ^G)
 (ssl_test@myhost)1>     </code>
 
     <p>However, a node started in this way refuses to talk
-      to other nodes, as no SSL parameters are supplied
+      to other nodes, as no TLS parameters are supplied
       (see the next section).</p>
   </section>
 
   <section>
-    <title>Specifying SSL Options</title>
-    <p>For SSL to work, at least
-    a public key and a certificate must be specified for the server
-    side. In the following example, the PEM-files consist of two
-    entries, the server certificate and its private key.</p>
+    <title>Specifying SSL/TLS Options</title>
+
+    <p>
+      The SSL/TLS distribution options can be written into a file
+      that is consulted when the node is started.  This file name
+      is then specified with the command line argument
+      <c>-ssl_dist_optfile</c>.
+    </p>
+    <p>
+      Any available SSL/TLS option can be specified in an options file,
+      but note that options that take a <c>fun()</c> has to use
+      the syntax <c>fun Mod:Func/Arity</c> since a function
+      body can not be compiled when consulting a file.
+    </p>
+    <p>
+      Do not tamper with the socket options
+      <c>list</c>, <c>binary</c>, <c>active</c>, <c>packet</c>,
+      <c>nodelay</c> and <c>deliver</c> since they are used
+      by the distribution protocol handler itself.
+      Other raw socket options such as <c>packet_size</c> may
+      interfere severely, so beware!
+    </p>
+    <p>
+      For SSL/TLS to work, at least a public key and a certificate
+      must be specified for the server side.
+      In the following example, the PEM file
+      <c>"/home/me/ssl/erlserver.pem"</c> contains both
+      the server certificate and its private key.
+    </p>
+    <p>
+      Create a file named for example
+      <c>"/home/me/ssl/[email protected]"</c>:
+    </p>
+    <code type="none"><![CDATA[
+[{server,
+  [{certfile, "/home/me/ssl/erlserver.pem"},
+   {secure_renegotiate, true}]},
+ {client,
+  [{secure_renegotiate, true}]}].]]>
+    </code>
+    <p>
+      And then start the node like this
+      (line breaks in the command are for readability,
+      and shall not be there when typed):
+    </p>
+    <code type="none"><![CDATA[
+$ erl -boot /home/me/ssl/start_ssl -proto_dist inet_tls
+  -ssl_dist_optfile "/home/me/ssl/[email protected]"
+  -sname ssl_test]]>
+    </code>
+    <p>
+      The options in the <c>{server, Opts}</c> tuple are used
+      when calling <c>ssl:ssl_accept/3</c>, and the options in the
+      <c>{client, Opts}</c> tuple are used when calling
+      <c>ssl:connect/4</c>.
+    </p>
+    <p>
+      For the client, the option
+      <c>{server_name_indication, atom_to_list(TargetNode)}</c>
+      is added when connecting.
+      This makes it possible to use the client option
+      <c>{verify, verify_peer}</c>,
+      and the client will verify that the certificate matches
+      the node name you are connecting to.
+      This only works if the the server certificate is issued
+      to the name <c>atom_to_list(TargetNode)</c>.
+    </p>
+    <p>
+      For the server it is also possible to use the option
+      <c>{verify, verify_peer}</c> and the server will only accept
+      client connections with certificates that are trusted by
+      a root certificate that the server knows.
+      A client that presents an untrusted certificate will be rejected.
+      This option is preferably combined with
+      <c>{fail_if_no_peer_cert, true}</c> or a client will
+      still be accepted if it does not present any certificate.
+    </p>
+    <p>
+      A node started in this way is fully functional, using TLS
+      as the distribution protocol.
+    </p>
+  </section>
+
+  <section>
+    <title>Specifying SSL/TLS Options (Legacy)</title>
+
+    <p>
+      As in the previous section the PEM file
+      <c>"/home/me/ssl/erlserver.pem"</c> contains both
+      the server certificate and its private key.
+    </p>
 
     <p>On the <c>erl</c> command line you can specify options that the
-    SSL distribution adds when creating a socket.</p>
+    SSL/TLS distribution adds when creating a socket.</p>
 
-    <p>The simplest SSL options in the following list can be specified 
+    <p>The simplest SSL/TLS options in the following list can be specified 
     by adding the 
     prefix <c>server_</c> or <c>client_</c> to the option name:</p>
     <list type="bulleted">
@@ -208,7 +294,7 @@ Eshell V5.0  (abort with ^G)
     </list>
 
     <p>Note that <c>verify_fun</c> needs to be written in a different
-    form than the corresponding SSL option, since funs are not
+    form than the corresponding SSL/TLS option, since funs are not
     accepted on the command line.</p>
 
     <p>The server can also take the options <c>dhfile</c> and
@@ -221,32 +307,34 @@ Eshell V5.0  (abort with ^G)
     <p>Raw socket options, such as <c>packet</c> and <c>size</c> must not 
     be specified on the command line.</p>
 
-    <p>The command-line argument for specifying the SSL options is named
+    <p>The command-line argument for specifying the SSL/TLS options is named
     <c>-ssl_dist_opt</c> and is to be followed by pairs of
     SSL options and their values. Argument <c>-ssl_dist_opt</c> can
     be repeated any number of times.</p>
 
-      <p>An example command line can now look as follows
+    <p>
+      An example command line doing the same as the example
+      in the previous section can now look as follows
       (line breaks in the command are for readability, 
-      and are not be there when typed):</p>
-    <code type="none">
+      and shall not be there when typed):
+    </p>
+    <code type="none"><![CDATA[
 $ erl -boot /home/me/ssl/start_ssl -proto_dist inet_tls
-  -ssl_dist_opt server_certfile "/home/me/ssl/erlserver.pem" 
+  -ssl_dist_opt server_certfile "/home/me/ssl/erlserver.pem"
   -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true
   -sname ssl_test
 Erlang (BEAM) emulator version 5.0 [source]
- 
+
 Eshell V5.0  (abort with ^G)
-(ssl_test@myhost)1>     </code>
-    <p>A node started in this way is fully functional, using SSL
-      as the distribution protocol.</p>
+(ssl_test@myhost)1>]]>
+    </code>
   </section>
 
   <section>
-    <title>Setting up Environment to Always Use SSL</title>
+    <title>Setting up Environment to Always Use SSL/TLS (Legacy)</title>
     <p>A convenient way to specify arguments to Erlang is to use environment 
       variable <c>ERL_FLAGS</c>. All the flags needed to
-      use the SSL distribution can be specified in that variable and are
+      use the SSL/TLS distribution can be specified in that variable and are
       then interpreted as command-line arguments for all
       subsequent invocations of Erlang.</p>
 
@@ -277,25 +365,21 @@ Eshell V5.0  (abort with ^G)
   </section>
 
   <section>
-    <title>Using SSL distribution over IPv6</title>
-    <p>It is possible to use SSL distribution over IPv6 instead of
+    <title>Using SSL/TLS distribution over IPv6</title>
+    <p>It is possible to use SSL/TLS distribution over IPv6 instead of
     IPv4. To do this, pass the option <c>-proto_dist inet6_tls</c>
     instead of <c>-proto_dist inet_tls</c> when starting Erlang,
     either on the command line or in the <c>ERL_FLAGS</c> environment
     variable.</p>
 
     <p>An example command line with this option would look like this:</p>
-    <code type="none">
+    <code type="none"><![CDATA[
 $ erl -boot /home/me/ssl/start_ssl -proto_dist inet6_tls
-  -ssl_dist_opt server_certfile "/home/me/ssl/erlserver.pem"
-  -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true
-  -sname ssl_test
-Erlang (BEAM) emulator version 5.0 [source]
-
-Eshell V5.0  (abort with ^G)
-(ssl_test@myhost)1>     </code>
+  -ssl_dist_optfile "/home/me/ssl/[email protected]"
+  -sname ssl_test]]>
+    </code>
 
     <p>A node started in this way will only be able to communicate with
-    other nodes using SSL distribution over IPv6.</p>
+    other nodes using SSL/TLS distribution over IPv6.</p>
   </section>
 </chapter>