3 files changed, 87 insertions, 25 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 874c5dd11d..a511cb4db3 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -27,6 +27,30 @@
   </header>
   <p>This document describes the changes made to the SSL application.</p>
 
+<section><title>SSL 9.2.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    The timeout for a passive receive was sometimes not
+	    cancelled and later caused a server crash. This bug has
+	    now been corrected.</p>
+          <p>
+	    Own Id: OTP-14701 Aux Id: ERL-883, ERL-884 </p>
+        </item>
+        <item>
+          <p>
+	    Add tag for passive message (active N) in cb_info to
+	    retain transport transparency.</p>
+          <p>
+	    Own Id: OTP-15679 Aux Id: ERL-861 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 9.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
@@ -802,7 +826,7 @@
           <p>
 	    TLS sessions must be registered with SNI if provided, so
 	    that sessions where client hostname verification would
-	    fail can not connect reusing a session created when the
+	    fail cannot connect reusing a session created when the
 	    server name verification succeeded.</p>
           <p>
 	    Own Id: OTP-14632</p>
@@ -980,7 +1004,7 @@
 	    public_key:pkix_verify_hostname/2 to verify the hostname
 	    of the connection with the server certificates specified
 	    hostname during certificate path validation. The user may
-	    explicitly disables it. Also if the hostname can not be
+	    explicitly disables it. Also if the hostname cannot be
 	    derived from the first argument to connect or is not
 	    supplied by the server name indication option, the check
 	    will not be performed.</p>
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 90a9181ede..37bf9033a1 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -101,16 +101,21 @@
     <datatype>
       <name name="transport_option"/>
       <desc>
-	<p>Defaults to <c>{gen_tcp, tcp, tcp_closed, tcp_error}</c>
-	for TLS and <c>{gen_udp, udp, udp_closed, udp_error}</c> for
-	DTLS. Can be used to customize the transport layer. The tag
-	values should be the values used by the underlying transport
-	in its active mode messages. For TLS the callback module must implement a
-	reliable transport protocol, behave as <c>gen_tcp</c>, and have functions
-	corresponding to <c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
-	<c>inet:peername/1</c>, <c>inet:sockname/1</c>, and <c>inet:port/1</c>.
-	The callback <c>gen_tcp</c> is treated specially and calls <c>inet</c>
-	directly. For DTLS this feature must be considered exprimental.
+	<p>Defaults to <c>{gen_tcp, tcp, tcp_closed, tcp_error,
+	tcp_passive}</c> for TLS (for backward compatibility a four
+	tuple will be converted to a five tuple with the last element
+	"second_element"_passive) and <c>{gen_udp, udp, udp_closed,
+	udp_error}</c> for DTLS (might also be changed to five tuple in
+	the future). Can be used to customize the transport layer. The
+	tag values should be the values used by the underlying
+	transport in its active mode messages. For TLS the callback
+	module must implement a reliable transport protocol, behave as
+	<c>gen_tcp</c>, and have functions corresponding to
+	<c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
+	<c>inet:peername/1</c>, <c>inet:sockname/1</c>, and
+	<c>inet:port/1</c>.  The callback <c>gen_tcp</c> is treated
+	specially and calls <c>inet</c> directly. For DTLS this
+	feature must be considered exprimental.
 	</p>
       </desc>
     </datatype>
@@ -190,11 +195,15 @@
      <datatype>
       <name name="signature_algs"/>
      </datatype>
-     
+
      <datatype>
       <name name="sign_algo"/>
      </datatype>
-
+     
+     <datatype>
+       <name name="sign_scheme"/>
+     </datatype>
+     
      <datatype>
       <name name="kex_algo"/>
      </datatype>
@@ -334,7 +343,30 @@
       and to restrict their usage when using a cipher suite supporting them.</p>
       </desc>
     </datatype>
-    
+
+    <datatype>
+      <name name="signature_schemes"/>
+      <desc>
+	  <p>
+	    In addition to the signature_algorithms extension from TLS 1.2,
+	    <url href="http://www.ietf.org/rfc/rfc8446.txt#section-4.2.3">TLS 1.3
+	    (RFC 5246 Section 4.2.3)</url>adds the signature_algorithms_cert extension
+	    which enables having special requirements on the signatures used in the
+	    certificates that differs from the requirements on digital signatures as a whole.
+	    If this is not required this extension is not needed.
+	  </p>
+	  <p>
+	    The client will send a signature_algorithms_cert extension (ClientHello),
+	    if TLS version 1.3 or later is used, and the signature_algs_cert option is
+	    explicitly specified. By default, only the signature_algs extension is sent.
+	  </p>
+	  <p>
+	    The signature schemes shall be ordered according to the client's preference
+	    (favorite choice first).
+	  </p>
+      </desc>
+     </datatype>
+     
     <datatype>
       <name name="secure_renegotiation"/>
       <desc><p>Specifies if to reject renegotiation attempt that does
@@ -474,7 +506,7 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
 	  <item>check is only performed on the peer certificate.</item>
 
 	  <tag><c>best_effort</c></tag>
-	  <item>if certificate revocation status can not be determined
+	  <item>if certificate revocation status cannot be determined
 	  it will be accepted as valid.</item>
 	</taglist>
 	
@@ -607,10 +639,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
       </desc>
     </datatype>
     
-  <datatype>    
-    <name name="log_alert"/> 
-    <desc><p>If set to <c>false</c>, error reports are not displayed.</p> 
-    </desc> 
+    <datatype>    
+      <name name="log_alert"/> 
+      <desc><p>If set to <c>false</c>, error reports are not displayed.
+      Deprecated in OTP 22, use {log_level, <seealso marker="#type-logging_level">logging_level()</seealso>} instead.</p> 
+      </desc> 
+    </datatype> 
+
+    <datatype>    
+      <name name="logging_level"/> 
+      <desc><p>Specifies the log level for TLS/DTLS. At verbosity level <c>notice</c> and above error reports are
+      displayed in TLS/DTLS. The level <c>debug</c> triggers verbose logging of TLS/DTLS protocol
+      messages.</p>
+      </desc> 
     </datatype> 
     
     <datatype>    
@@ -851,7 +892,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	</desc>
       </datatype>
       
-
       <datatype_title>TLS/DTLS OPTION DESCRIPTIONS - SERVER </datatype_title>
 
 
@@ -865,8 +905,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
       is supplied it overrides option <c>cacertfile</c>.</p>
 	</desc>
       </datatype>
-      
-      
+            
       <datatype>
 	<name name="server_cafile"/>
 	<desc><p>Path to a file containing PEM-encoded CA
@@ -894,7 +933,6 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	default parameters are used.</p>
 	</desc>
       </datatype>
-      
 
     <datatype>
 	<name name="server_verify_type"/>
diff --git a/lib/ssl/doc/src/ssl_distribution.xml b/lib/ssl/doc/src/ssl_distribution.xml
index e14f3f90dc..1774bd8f77 100644
--- a/lib/ssl/doc/src/ssl_distribution.xml
+++ b/lib/ssl/doc/src/ssl_distribution.xml
@@ -191,7 +191,7 @@ Eshell V5.0  (abort with ^G)
       Any available SSL/TLS option can be specified in an options file,
       but note that options that take a <c>fun()</c> has to use
       the syntax <c>fun Mod:Func/Arity</c> since a function
-      body can not be compiled when consulting a file.
+      body cannot be compiled when consulting a file.
     </p>
     <p>
       Do not tamper with the socket options