7 files changed, 255 insertions, 40 deletions
diff --git a/lib/ssl/doc/src/Makefile b/lib/ssl/doc/src/Makefile
index fb12499ef7..cfbf98f6e3 100644
--- a/lib/ssl/doc/src/Makefile
+++ b/lib/ssl/doc/src/Makefile
@@ -1,7 +1,7 @@
 #
 # %CopyrightBegin%
 #
-# Copyright Ericsson AB 1999-2012. All Rights Reserved.
+# Copyright Ericsson AB 1999-2015. All Rights Reserved.
 #
 # The contents of this file are subject to the Erlang Public License,
 # Version 1.1, (the "License"); you may not use this file except in
@@ -37,7 +37,7 @@ RELSYSDIR = $(RELEASE_PATH)/lib/$(APPLICATION)-$(VSN)
 # Target Specs
 # ----------------------------------------------------
 XML_APPLICATION_FILES = refman.xml
-XML_REF3_FILES = ssl.xml ssl_session_cache_api.xml
+XML_REF3_FILES = ssl.xml ssl_crl_cache.xml ssl_crl_cache.xml ssl_session_cache_api.xml 
 XML_REF6_FILES = ssl_app.xml
 
 XML_PART_FILES = release_notes.xml usersguide.xml
diff --git a/lib/ssl/doc/src/refman.xml b/lib/ssl/doc/src/refman.xml
index ae11198edb..d5f2219af9 100644
--- a/lib/ssl/doc/src/refman.xml
+++ b/lib/ssl/doc/src/refman.xml
@@ -4,7 +4,7 @@
 <application xmlns:xi="http://www.w3.org/2001/XInclude">
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2015</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -28,23 +28,10 @@
     <rev>B</rev>
     <file>refman.sgml</file>
   </header>
-  <description>
-    <p>The <em>SSL</em> application provides secure communication over
-      sockets.
-      </p>
-    <p>This product includes software developed by the OpenSSL Project for
-      use in the OpenSSL Toolkit (http://www.openssl.org/).
-      </p>
-    <p>This product includes cryptographic software written by Eric Young
-      ([email protected]).  
-      </p>
-    <p>This product includes software written by Tim Hudson
-      ([email protected]).
-      </p>
-    <p>For full OpenSSL and SSLeay license texts, see <seealso marker="licenses#licenses">Licenses</seealso>.</p>
-  </description>
   <xi:include href="ssl_app.xml"/>
   <xi:include href="ssl.xml"/>
+  <xi:include href="ssl_crl_cache.xml"/>
+  <xi:include href="ssl_crl_cache_api.xml"/>
   <xi:include href="ssl_session_cache_api.xml"/>
 </application>
 
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 0c042f8571..c9b02d44ec 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -38,7 +38,9 @@
       <item>ssl requires the crypto and public_key applications.</item>
       <item>Supported SSL/TLS-versions are SSL-3.0, TLS-1.0,
       TLS-1.1 and TLS-1.2.</item>
-      <item>For security reasons sslv2 is not supported.</item>
+      <item>For security reasons SSL-2.0 is not supported.</item>
+      <item>For security reasons SSL-3.0 is no longer supported by default,
+      but may be configured.</item>
       <item>Ephemeral Diffie-Hellman cipher suites are supported
       but not Diffie Hellman Certificates cipher suites.</item>
       <item>Elliptic Curve cipher suites are supported if crypto
@@ -49,9 +51,9 @@
       <item>IDEA cipher suites are not supported as they have
       become deprecated by the latest TLS spec so there is not any
       real motivation to implement them.</item>
-      <item>CRL and policy certificate extensions are not supported
-      yet. However CRL verification is supported by public_key, only not integrated
-      in ssl yet. </item>
+      <item>CRL validation is supported.</item>
+      <item>Policy certificate extensions are not supported
+      yet. </item>
       <item>Support for 'Server Name Indication' extension client side
       (RFC 6066 section 3).</item>
     </list>
@@ -136,7 +138,7 @@
     </c></p>
 
    <p><c>cipher() = rc4_128 | des_cbc | '3des_ede_cbc'
-      | aes_128_cbc | aes_256_cbc </c></p>
+      | aes_128_cbc | aes_256_cbc | aes_128_gcm | aes_256_gcm </c></p>
 
    <p> <c>hash() = md5 | sha
     </c></p>
@@ -299,10 +301,47 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
 	<item> Possible such reasons see <seealso
 	marker="public_key:public_key#pkix_path_validation-3"> public_key:pkix_path_validation/3 </seealso></item>
       </taglist>
+      </item>
+
+      <tag>{crl_check, boolean() | peer | best_effort )</tag>
+      <item>
+	Perform CRL (Certificate Revocation List) verification
+	<seealso marker="public_key:public_key#pkix_crl_validate-3">
+	public_key:pkix_crls_validate/3</seealso>, during the
+	<seealso
+	marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_validation/3  </seealso>
+	invokation on all the certificates in the peer certificate chain. Defaults to
+	false.
+
+	<p><c>peer</c> - check is only performed on
+	the peer certificate.</p>
+
+	<p><c>best_effort</c> - if certificate revokation status can not be determined
+	it will be accepted as valid.</p>
 
+	<p>The CA certificates specified for the connection will be used to 
+	construct the certificate chain validating the CRLs.</p>
+ 	
+	<p>The CRLs will be fetched from a local or external cache
+	<seealso marker="ssl:ssl_crl_cache_api">ssl_crl_cache_api(3)</seealso>.</p>
       </item>
 
+      <tag>{crl_cache, {Module::atom, {DbHandle::internal | term(), Args::list()}}</tag>
+      <item>
+	<p>Module defaults to ssl_crl_cache with <c> DbHandle </c> internal and an
+	empty argument list. The following arguments may be specified for the internal cache.</p>
+	<taglist>
+	  <tag>{http, timeout()}</tag>
+	  <item>
+	    Enables fetching of CRLs specified as http URIs in<seealso 
+	    marker="public_key:cert_records"> X509 cerificate extensions.</seealso>
+	    Requires the OTP inets application.
+	  </item>	    
+	</taglist>    
+      </item>
+      
       <tag>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca </tag>
+      
       <item>
 	Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3
 	with the selected CA as trusted anchor and the rest of the chain.
@@ -311,7 +350,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
       <tag>{versions, [protocol()]}</tag>
       <item>TLS protocol versions that will be supported by started clients and servers.
       This option overrides the application environment option <c>protocol_version</c>. If the
-      environment option is not set it defaults to all versions supported by the SSL application. See also
+      environment option is not set it defaults to all versions, except SSL-3.0, supported by the SSL application. See also
       <seealso marker="ssl:ssl_app">ssl(6)</seealso>
       </item>
 
@@ -945,19 +984,37 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name>versions() ->
-	[{SslAppVer, SupportedSslVer, AvailableSslVsn}]</name>
+      <name>versions() -> [versions_info()]</name>
       <fsummary>Returns version information relevant for the
 	ssl application.</fsummary>
       <type>
-	<v>SslAppVer = string()</v>
-      	<v>SupportedSslVer = [protocol()]</v>
-      	<v>AvailableSslVsn = [protocol()]</v>
+	<v>versions_info() = {app_vsn, string()} | {supported | available, [protocol()] </v>
       </type>
       <desc>
 	<p>
 	  Returns version information relevant for the
-	  ssl application.</p>
+	  ssl application.
+	</p>
+	<taglist>
+	  <tag>app_vsn</tag>
+	  <item> The application version of the OTP ssl application.</item>
+
+	  <tag>supported</tag>
+
+	  <item>TLS/SSL versions supported by default.
+	  Overridden by a versions option on
+	  <seealso marker="#connect-2"> connect/[2,3,4]</seealso>, <seealso
+	  marker="#listen-2"> listen/2</seealso> and <seealso
+	  marker="#ssl_accept-2">ssl_accept/[1,2,3]</seealso>. For the
+	  negotiated TLS/SSL version see <seealso
+	  marker="#connection_info-1">ssl:connection_info/1
+	  </seealso></item>
+	  
+	  <tag>available</tag>
+	  <item>All TLS/SSL versions that the Erlang ssl application
+	  can support. Note that TLS 1.2 requires sufficient support
+	  from the crypto application. </item>
+	</taglist>
       </desc>
     </func>
     <func>
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index f1377cabda..e3a3fc27f2 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -75,10 +75,10 @@
           </p>
       </item>
 
-      <tag><c><![CDATA[session_cb_init_args = list() <optional>]]></c></tag>
+      <tag><c><![CDATA[session_cb_init_args = proplist:proplist() <optional>]]></c></tag>
       <item>
 	<p>
-	  List of arguments to the init function in session cache
+	  List of additional user defined arguments to the init function in session cache
 	  callback module, defaults to [].
 	</p>
       </item>
diff --git a/lib/ssl/doc/src/ssl_crl_cache.xml b/lib/ssl/doc/src/ssl_crl_cache.xml
new file mode 100644
index 0000000000..1ed76d3e2a
--- /dev/null
+++ b/lib/ssl/doc/src/ssl_crl_cache.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE erlref SYSTEM "erlref.dtd">
+
+<erlref>
+  <header>
+    <copyright>
+      <year>2015</year><year>2015</year>
+      <holder>Ericsson AB. All Rights Reserved.</holder>
+    </copyright>
+    <legalnotice>
+      The contents of this file are subject to the Erlang Public License,
+      Version 1.1, (the "License"); you may not use this file except in
+      compliance with the License. You should have received a copy of the
+      Erlang Public License along with this software. If not, it can be
+      retrieved online at http://www.erlang.org/.
+
+      Software distributed under the License is distributed on an "AS IS"
+      basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+      the License for the specific language governing rights and limitations
+      under the License.
+    </legalnotice>
+    <title>ssl_crl_cache</title>
+    <file>ssl_crl_cache.xml</file>
+  </header>
+  
+  <module>ssl_crl_cache</module>
+  <modulesummary>CRL cache </modulesummary>
+  <description>
+    <p>
+      Implements an internal CRL (Certificate Revocation List) cache.
+      In addition to implementing the <seealso
+      marker="ssl_cache_crl_api"> ssl_cache_crl_api</seealso>
+      the following functions are available.
+    </p>
+  </description>
+  
+    <funcs>
+      <func>
+      <name>insert(CRLSrc) -> ok | {error, Reason}</name>
+      <name>insert(URI, CRLSrc) -> ok | {error, Reason}</name>
+      <fsummary> </fsummary>
+      <type>
+	<v> CRLSrc = {file, string()} | {der, [ <seealso
+	marker="public_key:public_key"> der_encoded() </seealso> ]}</v>
+	<v> URI = http_uri:uri()</v>
+	<v> Reason = term()</v>
+      </type>
+      <desc>
+	Insert CRLs into the ssl applications local cache.
+      </desc>
+    </func>
+
+     <func>
+      <name>delete(Entries) -> ok |  {error, Reason} </name>
+      <fsummary> </fsummary>
+      <type>
+	<v> Entries =  http_uri:uri() | {file, string()} | {der, [<seealso
+	marker="public_key:public_key"> der_encoded() </seealso>]}</v>
+	<v> Reason = term()</v>
+      </type>
+      <desc>
+	Delete CRLs from the ssl applications local cache.
+      </desc>
+     </func>     
+    </funcs>
+</erlref>
+\ No newline at end of file
diff --git a/lib/ssl/doc/src/ssl_crl_cache_api.xml b/lib/ssl/doc/src/ssl_crl_cache_api.xml
new file mode 100644
index 0000000000..24365c9f59
--- /dev/null
+++ b/lib/ssl/doc/src/ssl_crl_cache_api.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE erlref SYSTEM "erlref.dtd">
+
+<erlref>
+  <header>
+    <copyright>
+      <year>2015</year><year>2015</year>
+      <holder>Ericsson AB. All Rights Reserved.</holder>
+    </copyright>
+    <legalnotice>
+      The contents of this file are subject to the Erlang Public License,
+      Version 1.1, (the "License"); you may not use this file except in
+      compliance with the License. You should have received a copy of the
+      Erlang Public License along with this software. If not, it can be
+      retrieved online at http://www.erlang.org/.
+
+      Software distributed under the License is distributed on an "AS IS"
+      basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+      the License for the specific language governing rights and limitations
+      under the License.
+    </legalnotice>
+    <title>ssl_crl_cache_api</title>
+    <file>ssl_crl_cache_api.xml</file>
+  </header>
+  
+  <module>ssl_crl_cache_api</module>
+  <modulesummary>API for a SSL/TLS CRL (Certificate Revocation List) cache.</modulesummary>
+  <description>
+    <p>
+      When SSL/TLS performs certificate path validation according to 
+      <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url> it should
+      also perform CRL validation checks. To enable the CRL checks the application
+      needs access to CRLs. A database of CRLs can be set up in many different ways.
+      This module provides an API to integrate an arbitrary CRL cache with the erlang
+      ssl application. It is also used by the application itself to provide a simple
+      default implementation of a CRL cache. 
+    </p>
+  </description>
+  
+  <section>
+    <title>Common Data Types</title>
+    
+    <p>The following data types are used in the functions below:
+    </p>
+    
+    <p><c>cache_ref() = opaque()</c></p> 
+    <p> dist_point() = #'DistributionPoint'{} see <seealso
+    marker="public_key:cert_records"> X509 certificates records</seealso></p>
+  </section>
+  
+  <funcs>
+    <func>
+      <name>lookup(DistributionPoint, DbHandle) -> not_available | CRLs </name>
+      <fsummary> </fsummary>
+      <type>
+        <v> DistributionPoint = dist_point() </v>
+	<v> DbHandle  = cache_ref() </v>
+	<v> CRLs = [<seealso
+	   marker="public_key:public_key">public_key:der_encoded()</seealso>] </v>
+	</type>
+	<desc> <p>Lookup the CRLs belonging to the distribution point <c> Distributionpoint </c> </p>.
+	This function may choose to only look in the cache or to follow distribution point
+	links depending on how the cache is administrated.
+	</desc>
+    </func>
+    
+    <func>
+      <name>select(Issuer, DbHandle) -> CRLs </name>
+      <fsummary>Select the CRLs in the cache that are issued by <c>Issuer</c></fsummary>
+      <type>
+	<v> Issuer = <seealso
+	marker="public_key:public_key">public_key:issuer_name()</seealso></v>
+	<v> DbHandle  = cache_ref() </v>
+	</type>
+	<desc>
+	  <p>Select the CRLs in the cache that are issued by <c>Issuer</c> </p>
+	</desc>
+    </func>
+    
+    <func>
+      <name>fresh_crl(DistributionPoint, CRL) -> FreshCRL</name>
+      <fsummary> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
+      public_key:pkix_crls_validate/3 </fsummary>
+      <type>
+	<v> DistributionPoint = dist_point() </v>
+	<v> CRL = [<seealso
+	marker="public_key:public_key">public_key:der_encoded()</seealso>] </v>
+	<v> FreshCRL = [<seealso
+	marker="public_key:public_key">public_key:der_encoded()</seealso>] </v>
+      </type>
+      <desc>
+	<p> <c>fun fresh_crl/2 </c> will be used as input option <c>update_crl</c> to
+	<seealso marker="public_key#pkix_path_validation-3">public_key:pkix_crls_validate/3 </seealso> </p>
+      </desc>
+    </func>
+  </funcs>
+</erlref>
+\ No newline at end of file
diff --git a/lib/ssl/doc/src/ssl_session_cache_api.xml b/lib/ssl/doc/src/ssl_session_cache_api.xml
index 82de1784ca..9f87d31e90 100644
--- a/lib/ssl/doc/src/ssl_session_cache_api.xml
+++ b/lib/ssl/doc/src/ssl_session_cache_api.xml
@@ -4,7 +4,7 @@
 <erlref>
   <header>
     <copyright>
-      <year>1999</year><year>2013</year>
+      <year>1999</year><year>2015</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -79,17 +79,25 @@
     </func>
 
     <func>
-      <name>init() -> opaque() </name>
+      <name>init(Args) -> opaque() </name>
       <fsummary>Return cache reference</fsummary>
       <type>
-	<v></v>
+	<v>Args = proplists:proplist()</v>
+	<d>Will always include the property {role, client | server}. Currently this
+	is the only predefined property, there may also be user defined properties.
+	<seealso marker="ssl_app"> See also application environment variable
+	session_cb_init_args</seealso>
+	</d>
       </type>
       <desc>
 	<p>Performs possible initializations of the cache and returns
 	a reference to it that will be used as parameter to the other
-	api functions. Will be called by the cache handling processes
-	init function, hence putting the same requirements on it as
-	a normal process init function.
+	API functions. Will be called by the cache handling processes
+	init function, hence putting the same requirements on it as a
+	normal process init function. Note that this function will be
+	called twice when starting the ssl application, once with the
+	role client and once with the role server, as the ssl application
+	must be prepared to take on both roles.
 	</p>
       </desc>
     </func>
@@ -111,14 +119,14 @@
     
     <func>
       <name>select_session(Cache, PartialKey) -> [session()]</name>
-      <fsummary>>Selects sessions that could be reused.</fsummary>
+      <fsummary>Selects a sessions that could be reused.</fsummary>
       <type>
 	<v> Cache = cache_ref()</v>
 	<v> PartialKey = partialkey()</v>
 	<v> Session = session()</v>
       </type>
       <desc>
-	<p>Selects sessions that could be reused. Should be callable
+	<p>Selects a sessions that could be reused. Should be callable
 	from any process.
 	</p>
       </desc>