1 files changed, 98 insertions, 17 deletions

diff --git a/lib/ssl/doc/src/using_ssl.xml b/lib/ssl/doc/src/using_ssl.xml
index f84cd6e391..3ef33df719 100644
--- a/lib/ssl/doc/src/using_ssl.xml
+++ b/lib/ssl/doc/src/using_ssl.xml
@@ -22,7 +22,7 @@
     
     </legalnotice>
 
-    <title>Using SSL API</title>
+    <title>Using SSL application API</title>
     <prepared></prepared>
     <responsible></responsible>
     <docno></docno>
@@ -51,7 +51,7 @@
     <section>
       <title>Minimal Example</title>
       
-      <note><p> The minimal setup is not the most secure setup of SSL.</p>    
+      <note><p> The minimal setup is not the most secure setup of SSL/TLS/DTLS.</p>    
       </note>
 
       <p>To set up client/server connections:</p>
@@ -60,27 +60,27 @@
       <code type="erl">1 server> ssl:start().
 ok</code>
       
-      <p><em>Step 2:</em> Create an SSL listen socket:</p>
+      <p><em>Step 2:</em> Create an TLS listen socket: (To run DTLS add the option {protocol, dtls})</p>
       <code type="erl">2 server> {ok, ListenSocket} =
 ssl:listen(9999, [{certfile, "cert.pem"}, {keyfile, "key.pem"},{reuseaddr, true}]).
 {ok,{sslsocket, [...]}}</code>
       
-      <p><em>Step 3:</em> Do a transport accept on the SSL listen socket:</p>
+      <p><em>Step 3:</em> Do a transport accept on the TLS listen socket:</p>
       <code type="erl">3 server> {ok, Socket} = ssl:transport_accept(ListenSocket).
 {ok,{sslsocket, [...]}}</code>
 
-      <p><em>Step 4:</em> Start the client side:</p>
+      <p><em>Step 4:</em> Start the client side: </p>
       <code type="erl">1 client> ssl:start().
 ok</code>
-      
+      <p> To run DTLS add the option {protocol, dtls} to third argument.</p>
       <code type="erl">2 client> {ok, Socket} = ssl:connect("localhost", 9999,  [], infinity).
 {ok,{sslsocket, [...]}}</code>
       
-      <p><em>Step 5:</em> Do the SSL handshake:</p>
+      <p><em>Step 5:</em> Do the TLS handshake:</p>
       <code type="erl">4 server> ok = ssl:ssl_accept(Socket).
 ok</code>
       
-      <p><em>Step 6:</em> Send a message over SSL:</p>
+      <p><em>Step 6:</em> Send a message over TLS:</p>
       <code type="erl">5 server> ssl:send(Socket, "foo").
 ok</code>
       
@@ -92,7 +92,7 @@ ok</code>
     </section>
     
     <section>
-      <title>Upgrade Example</title>
+      <title>Upgrade Example - TLS only </title>
       
       <note><p>To upgrade a TCP/IP connection to an SSL connection, the
       client and server must agree to do so. The agreement
@@ -125,24 +125,24 @@ ok</code>
       <code type="erl">4 server> inet:setopts(Socket, [{active, false}]).
 ok</code>
       
-      <p><em>Step 6:</em> Do the SSL handshake:</p>
-      <code type="erl">5 server> {ok, SSLSocket} = ssl:ssl_accept(Socket, [{cacertfile, "cacerts.pem"},
+      <p><em>Step 6:</em> Do the TLS handshake:</p>
+      <code type="erl">5 server> {ok, TLSSocket} = ssl:ssl_accept(Socket, [{cacertfile, "cacerts.pem"},
 {certfile, "cert.pem"}, {keyfile, "key.pem"}]).
 {ok,{sslsocket,[...]}}</code>
       
-      <p><em>Step 7:</em> Upgrade to an SSL connection. The client and server
+      <p><em>Step 7:</em> Upgrade to an TLS connection. The client and server
       must agree upon the upgrade. The server must call
       <c>ssl:accept/2</c> before the client calls <c>ssl:connect/3.</c></p>
-      <code type="erl">3 client>{ok, SSLSocket} = ssl:connect(Socket, [{cacertfile, "cacerts.pem"},
+      <code type="erl">3 client>{ok, TLSSocket} = ssl:connect(Socket, [{cacertfile, "cacerts.pem"},
 {certfile, "cert.pem"}, {keyfile, "key.pem"}], infinity).
 {ok,{sslsocket,[...]}}</code>
       
-      <p><em>Step 8:</em> Send a message over SSL:</p>
-      <code type="erl">4 client> ssl:send(SSLSocket, "foo").
+      <p><em>Step 8:</em> Send a message over TLS:</p>
+      <code type="erl">4 client> ssl:send(TLSSocket, "foo").
 ok</code>
       
-      <p><em>Step 9:</em> Set <c>active true</c> on the SSL socket:</p>
-      <code type="erl">4 server> ssl:setopts(SSLSocket, [{active, true}]).
+      <p><em>Step 9:</em> Set <c>active true</c> on the TLS socket:</p>
+      <code type="erl">4 server> ssl:setopts(TLSSocket, [{active, true}]).
 ok</code>
       
       <p><em>Step 10:</em> Flush the shell message queue to see that the message
@@ -152,4 +152,85 @@ Shell got {ssl,{sslsocket,[...]},"foo"}
 ok</code>
     </section>
   </section>
+
+  <section>
+    <title>Customizing cipher suits</title>
+
+    <p>Fetch default cipher suite list for an TLS/DTLS version. Change default
+    to all to get all possible cipher suites.</p>
+    <code type="erl">1>  Default = ssl:cipher_suites(default, 'tlsv1.2').
+    [#{cipher => aes_256_gcm,key_exchange => ecdhe_ecdsa,
+    mac => aead,prf => sha384}, ....]
+</code>
+
+    <p>In OTP 20 it is desirable to remove all cipher suites
+    that uses rsa kexchange (removed from default in 21) </p>
+    <code type="erl">2> NoRSA =
+    ssl:filter_cipher_suites(Default,
+                            [{key_exchange, fun(rsa) -> false;
+			                       (_) -> true end}]).
+    [...]
+    </code>
+
+    <p> Pick just a few suites </p>
+    <code type="erl"> 3> Suites =
+    ssl:filter_cipher_suites(Default,
+                            [{key_exchange, fun(ecdh_ecdsa) -> true;
+			                       (_) -> false end},
+                             {cipher, fun(aes_128_cbc) ->true;
+			                  (_) ->false end}]).
+    [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,
+     mac => sha256,prf => sha256},
+     #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha,
+     prf => default_prf}]
+    </code>
+    
+    <p> Make some particular suites the most preferred, or least
+    preferred by changing prepend to append.</p>
+    <code type="erl"> 4>ssl:prepend_cipher_suites(Suites, Default).
+  [#{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,
+     mac => sha256,prf => sha256},
+   #{cipher => aes_128_cbc,key_exchange => ecdh_ecdsa,mac => sha,
+     prf => default_prf},
+   #{cipher => aes_256_cbc,key_exchange => ecdhe_ecdsa,
+     mac => sha384,prf => sha384}, ...]
+    </code>
+  </section>      
+
+  <section>
+    <title>Using an Engine Stored Key</title>
+    
+    <p>Erlang ssl application is able to use private keys provided
+    by OpenSSL engines using the following mechanism:</p>
+    
+    <code type="erl">1> ssl:start().
+ok</code>
+
+    <p>Load a crypto engine, should be done once per engine used. For example
+    dynamically load the engine called <c>MyEngine</c>:
+    </p>
+    <code type="erl">2> {ok, EngineRef} =
+crypto:engine_load(&lt;&lt;"dynamic">>,
+                   [{&lt;&lt;"SO_PATH">>, "/tmp/user/engines/MyEngine"},&lt;&lt;"LOAD">>],[]).
+{ok,#Ref&lt;0.2399045421.3028942852.173962>}
+    </code>
+    
+    <p>Create a map with the engine information and the algorithm used by the engine:</p>
+    <code type="erl">3> PrivKey =
+ #{algorithm => rsa,
+   engine => EngineRef,
+   key_id => "id of the private key in Engine"}.
+    </code>
+    <p>Use the map in the ssl key option:</p>
+    <code type="erl">4> {ok, SSLSocket} =
+ssl:connect("localhost", 9999,
+            [{cacertfile, "cacerts.pem"},
+             {certfile, "cert.pem"},
+             {key, PrivKey}], infinity).
+    </code>
+
+    <p>See also <seealso marker="crypto:engine_load#engine_load"> crypto documentation</seealso> </p>
+    
+     </section>      
+  
  </chapter>