5 files changed, 241 insertions, 16 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index c61b2a9c2f..4349e5a456 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -25,7 +25,204 @@
     <file>notes.xml</file>
   </header>
   <p>This document describes the changes made to the SSL application.</p>
-  <section><title>SSL 5.3.4</title>
+  <section><title>SSL 5.3.8</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Make sure the clean rule for ssh, ssl, eunit and otp_mibs
+	    actually removes generated files.</p>
+          <p>
+	    Own Id: OTP-12200</p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Change code to reflect that state data may be secret to
+	    avoid breaking dialyzer contracts.</p>
+          <p>
+	    Own Id: OTP-12341</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 5.3.7</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Handle the fact that servers may send an empty SNI
+	    extension to the client.</p>
+          <p>
+	    Own Id: OTP-12198</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 5.3.6</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Corrected handling of ECC certificates, there where
+	    several small issues with the handling of such
+	    certificates in the ssl and public_key application. Now
+	    ECC signed ECC certificates shall work and not only RSA
+	    signed ECC certificates.</p>
+          <p>
+	    Own Id: OTP-12026</p>
+        </item>
+        <item>
+          <p>
+	    Check that the certificate chain ends with a trusted ROOT
+	    CA e.i. a self-signed certificate, but provide an option
+	    partial_chain to enable the application to define an
+	    intermediat CA as trusted.</p>
+          <p>
+	    Own Id: OTP-12149</p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Add decode functions for SNI (Server Name Indication)</p>
+          <p>
+	    Own Id: OTP-12048</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 5.3.5</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    ssl:recv now returns {error, einval} if applied to a non
+	    passive socket, the same as gen_tcp:recv. </p>
+          <p>
+	    Thanks to Danil Zagoskin for reporting this issue</p>
+          <p>
+	    Own Id: OTP-11878</p>
+        </item>
+        <item>
+          <p>
+	    Corrected handling of default values for
+	    signature_algorithms extension in TLS-1.2 and
+	    corresponding values used in previous versions that does
+	    not support this extension. </p>
+          <p>
+	    Thanks to Danil Zagoskin</p>
+          <p>
+	    Own Id: OTP-11886</p>
+        </item>
+        <item>
+          <p>
+	    Handle socket option inheritance when pooling of accept
+	    sockets is used</p>
+          <p>
+	    Own Id: OTP-11897</p>
+        </item>
+        <item>
+          <p>
+	    Make sure that the list of versions, possibly supplied in
+	    the versions option, is not order dependent.</p>
+          <p>
+	    Thanks to Ransom Richardson for reporting this issue</p>
+          <p>
+	    Own Id: OTP-11912</p>
+        </item>
+        <item>
+          <p>
+	    Reject connection if the next_protocol message is sent
+	    twice.</p>
+          <p>
+	    Own Id: OTP-11926</p>
+        </item>
+        <item>
+          <p>
+	    Correct options handling when ssl:ssl_accept/3 is called
+	    with new ssl options after calling ssl:listen/2</p>
+          <p>
+	    Own Id: OTP-11950</p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Gracefully handle unknown alerts</p>
+          <p>
+	    Thanks to Atul Atri for reporting this issue</p>
+          <p>
+	    Own Id: OTP-11874</p>
+        </item>
+        <item>
+          <p>
+	    Gracefully ignore cipher suites sent by client not
+	    supported by the SSL/TLS version that the client has
+	    negotiated.</p>
+          <p>
+	    Thanks to Danil Zagoskin for reporting this issue</p>
+          <p>
+	    Own Id: OTP-11875</p>
+        </item>
+        <item>
+          <p>
+	    Gracefully handle structured garbage, i.e a client sends
+	    some garbage in a ssl record instead of a valid fragment.</p>
+          <p>
+	    Thanks to Danil Zagoskin</p>
+          <p>
+	    Own Id: OTP-11880</p>
+        </item>
+        <item>
+          <p>
+	    Gracefully handle invalid alerts</p>
+          <p>
+	    Own Id: OTP-11890</p>
+        </item>
+        <item>
+          <p>
+	    Generalize handling of default ciphers</p>
+          <p>
+	    Thanks to Andreas Schultz</p>
+          <p>
+	    Own Id: OTP-11966</p>
+        </item>
+        <item>
+          <p>
+	    Make sure change cipher spec is correctly handled</p>
+          <p>
+	    Own Id: OTP-11975</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 5.3.4</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
       <list>
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index ffee4bd1af..83e5ed82bb 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -136,7 +136,7 @@
     </c></p>
 
    <p><c>cipher() = rc4_128 | des_cbc | '3des_ede_cbc'
-      | aes_128_cbc | aes_256_cbc </c></p>
+      | aes_128_cbc | aes_256_cbc | aes_128_gcm | aes_256_gcm </c></p>
 
    <p> <c>hash() = md5 | sha
     </c></p>
@@ -226,7 +226,7 @@
 	<p>The verification fun should be defined as:</p>
 
 	<code>
-fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
+fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
 	     {extension, #'Extension'{}}, InitialUserState :: term()) ->
 	{valid, UserState :: term()} | {valid_peer, UserState :: term()} |
 	{fail, Reason :: term()} | {unknown, UserState :: term()}.
@@ -252,7 +252,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
 	always returns {valid, UserState}, the TLS/SSL handshake will
 	not be terminated with respect to verification failures and
 	the connection will be established. If called with an
-	extension unknown to the user application the return value
+	extension unknown to the user application, the return value
 	{unknown, UserState} should be used.</p>
 
 	<p>The default verify_fun option in verify_peer mode:</p>
@@ -283,9 +283,29 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom()} |
  end, []}
       </code>
 
-<p>Possible path validation errors: </p>
+      <p>Possible path validation errors are given on the form {bad_cert, Reason} where Reason is:</p>
 
-<p> {bad_cert, cert_expired}, {bad_cert, invalid_issuer}, {bad_cert, invalid_signature}, {bad_cert, unknown_ca},{bad_cert, selfsigned_peer}, {bad_cert, name_not_permitted}, {bad_cert, missing_basic_constraint}, {bad_cert, invalid_key_usage}</p>
+      <taglist>
+	<tag>unknown_ca</tag>
+	<item>No trusted CA was found in the trusted store. The trusted CA is
+	normally a so called ROOT CA that is a self-signed cert. Trust may
+	be claimed for an intermediat CA (trusted anchor does not have to be self signed
+	according to X-509) by using the option <c>partial_chain</c></item>
+
+	<tag>selfsigned_peer</tag>
+	<item>The chain consisted only of one self-signed certificate.</item>
+
+	<tag>PKIX X-509-path validation error</tag>
+	<item> Possible such reasons see <seealso
+	marker="public_key:public_key#pkix_path_validation-3"> public_key:pkix_path_validation/3 </seealso></item>
+      </taglist>
+
+      </item>
+
+      <tag>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca </tag>
+      <item>
+	Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3
+	with the selected CA as trusted anchor and the rest of the chain.
       </item>
 
       <tag>{versions, [protocol()]}</tag>
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 43cb3934f7..c8024548b5 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -4,7 +4,7 @@
 <appref>
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2014</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -75,10 +75,10 @@
           </p>
       </item>
 
-      <tag><c><![CDATA[session_cb_init_args = list() <optional>]]></c></tag>
+      <tag><c><![CDATA[session_cb_init_args = proplist:proplist() <optional>]]></c></tag>
       <item>
 	<p>
-	  List of arguments to the init function in session cache
+	  List of additional user defined arguments to the init function in session cache
 	  callback module, defaults to [].
 	</p>
       </item>
diff --git a/lib/ssl/doc/src/ssl_protocol.xml b/lib/ssl/doc/src/ssl_protocol.xml
index cdfafe224b..80d9cc4ee8 100644
--- a/lib/ssl/doc/src/ssl_protocol.xml
+++ b/lib/ssl/doc/src/ssl_protocol.xml
@@ -83,7 +83,7 @@
      <em>subject</em>. The certificate is signed 
      with the private key of the issuer of the certificate. A chain
      of trust is build by having the issuer in its turn being
-     certified by an other certificate and so on until you reach the
+     certified by another certificate and so on until you reach the
      so called root certificate that is self signed i.e. issued
      by itself.</p>
      
diff --git a/lib/ssl/doc/src/ssl_session_cache_api.xml b/lib/ssl/doc/src/ssl_session_cache_api.xml
index 82de1784ca..cb97bbfbb2 100644
--- a/lib/ssl/doc/src/ssl_session_cache_api.xml
+++ b/lib/ssl/doc/src/ssl_session_cache_api.xml
@@ -4,7 +4,7 @@
 <erlref>
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2014</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -79,17 +79,25 @@
     </func>
 
     <func>
-      <name>init() -> opaque() </name>
+      <name>init(Args) -> opaque() </name>
       <fsummary>Return cache reference</fsummary>
       <type>
-	<v></v>
+	<v>Args = proplists:proplist()</v>
+	<d>Will always include the property {role, client | server}. Currently this
+	is the only predefined property, there may also be user defined properties.
+	<seealso marker="ssl_app"> See also application environment variable
+	session_cb_init_args</seealso>
+	</d>
       </type>
       <desc>
 	<p>Performs possible initializations of the cache and returns
 	a reference to it that will be used as parameter to the other
-	api functions. Will be called by the cache handling processes
-	init function, hence putting the same requirements on it as
-	a normal process init function.
+	API functions. Will be called by the cache handling processes
+	init function, hence putting the same requirements on it as a
+	normal process init function. Note that this function will be
+	called twice when starting the ssl application, once with the
+	role client and once with the role server, as the ssl application
+	must be prepared to take on both roles.
 	</p>
       </desc>
     </func>