3 files changed, 145 insertions, 2 deletions

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 61d1c8355a..e5070bc247 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -28,6 +28,124 @@
   <p>This document describes the changes made to the SSL application.</p>
 
 
+<section><title>SSL 7.3</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Make sure there is only one poller validator at a time
+	    for validating the session cache.</p>
+          <p>
+	    Own Id: OTP-13185</p>
+        </item>
+        <item>
+          <p>
+	    A timing related issue could cause ssl to hang,
+	    especially happened with newer versions of OpenSSL in
+	    combination with ECC ciphers.</p>
+          <p>
+	    Own Id: OTP-13253</p>
+        </item>
+        <item>
+          <p>
+	    Work around a race condition in the TLS distribution
+	    start.</p>
+          <p>
+	    Own Id: OTP-13268</p>
+        </item>
+        <item>
+          <p>
+	    Big handshake messages are now correctly fragmented in
+	    the TLS record layer.</p>
+          <p>
+	    Own Id: OTP-13306</p>
+        </item>
+        <item>
+          <p>
+	    Improve portability of ECC tests in Crypto and SSL for
+	    "exotic" OpenSSL versions.</p>
+          <p>
+	    Own Id: OTP-13311</p>
+        </item>
+        <item>
+          <p>
+	    Certificate extensions marked as critical are ignored
+	    when using verify_none</p>
+          <p>
+	    Own Id: OTP-13377</p>
+        </item>
+        <item>
+          <p>
+	    If a certificate doesn't contain a CRL Distribution
+	    Points extension, and the relevant CRL is not in the
+	    cache, and the <c>crl_check</c> option is not set to
+	    <c>best_effort</c> , the revocation check should fail.</p>
+          <p>
+	    Own Id: OTP-13378</p>
+        </item>
+        <item>
+          <p>
+	    Enable TLS distribution over IPv6</p>
+          <p>
+	    Own Id: OTP-13391</p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Improve error reporting for TLS distribution</p>
+          <p>
+	    Own Id: OTP-13219</p>
+        </item>
+        <item>
+          <p>
+	    Include options from connect, listen and accept in
+	    <c>connection_information/1,2</c></p>
+          <p>
+	    Own Id: OTP-13232</p>
+        </item>
+        <item>
+          <p>
+	    Allow adding extra options for outgoing TLS distribution
+	    connections, as supported for plain TCP connections.</p>
+          <p>
+	    Own Id: OTP-13285</p>
+        </item>
+        <item>
+          <p>
+	    Use loopback as server option in TLS-distribution module</p>
+          <p>
+	    Own Id: OTP-13300</p>
+        </item>
+        <item>
+          <p>
+	    Verify certificate signature against original certificate
+	    binary.</p>
+          <p>
+	    This avoids bugs due to encoding errors when re-encoding
+	    a decode certificate. As there exists several decode step
+	    and using of different ASN.1 specification this is a risk
+	    worth avoiding.</p>
+          <p>
+	    Own Id: OTP-13334</p>
+        </item>
+        <item>
+          <p>
+	    Use <c>application:ensure_all_started/2</c> instead of
+	    hard-coding dependencies</p>
+          <p>
+	    Own Id: OTP-13363</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 7.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 6c82e32a74..d05ece3971 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -43,6 +43,8 @@
       <item>For security reasons SSL-2.0 is not supported.</item>
       <item>For security reasons SSL-3.0 is no longer supported by default,
       but can be configured.</item>
+      <item>For security reasons DES cipher suites are no longer supported by default,
+      but can be configured.</item>
       <item>Ephemeral Diffie-Hellman cipher suites are supported,
       but not Diffie Hellman Certificates cipher suites.</item>
       <item>Elliptic Curve cipher suites are supported if the Crypto 
@@ -55,8 +57,8 @@
       motivated to implement them.</item>
       <item>CRL validation is supported.</item>
       <item>Policy certificate extensions are not supported.</item>
-      <item>'Server Name Indication' extension client side
-      (RFC 6066, Section 3) is supported.</item>
+      <item>'Server Name Indication' extension
+      (<url href="http://www.ietf.org/rfc/rfc6066.txt">RFC 6066</url>) is supported.</item>
     </list>
    </description>
 
diff --git a/lib/ssl/doc/src/ssl_distribution.xml b/lib/ssl/doc/src/ssl_distribution.xml
index a347ce5ae6..dc04d446b0 100644
--- a/lib/ssl/doc/src/ssl_distribution.xml
+++ b/lib/ssl/doc/src/ssl_distribution.xml
@@ -271,4 +271,27 @@ Eshell V5.0  (abort with ^G)
     <p>The <c>init:get_arguments()</c> call verifies that the correct
       arguments are supplied to the emulator.</p>
   </section>
+
+  <section>
+    <title>Using SSL distribution over IPv6</title>
+    <p>It is possible to use SSL distribution over IPv6 instead of
+    IPv4. To do this, pass the option <c>-proto_dist inet6_tls</c>
+    instead of <c>-proto_dist inet_tls</c> when starting Erlang,
+    either on the command line or in the <c>ERL_FLAGS</c> environment
+    variable.</p>
+
+    <p>An example command line with this option would look like this:</p>
+    <code type="none">
+$ erl -boot /home/me/ssl/start_ssl -proto_dist inet6_tls
+  -ssl_dist_opt server_certfile "/home/me/ssl/erlserver.pem"
+  -ssl_dist_opt server_secure_renegotiate true client_secure_renegotiate true
+  -sname ssl_test
+Erlang (BEAM) emulator version 5.0 [source]
+
+Eshell V5.0  (abort with ^G)
+(ssl_test@myhost)1>     </code>
+
+    <p>A node started in this way will only be able to communicate with
+    other nodes using SSL distribution over IPv6.</p>
+  </section>
 </chapter>