Diffstat (limited to 'lib/ssl/doc')
-rw-r--r--lib/ssl/doc/src/ssl.xml93
-rw-r--r--lib/ssl/doc/src/ssl_app.xml17
-rw-r--r--lib/ssl/doc/src/ssl_session_cache_api.xml20
3 files changed, 104 insertions, 26 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index b53344e381..7a5f72710a 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -4,7 +4,7 @@
<erlref>
<header>
<copyright>
- <year>1999</year><year>2014</year>
+ <year>1999</year><year>2015</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -38,7 +38,9 @@
<item>ssl requires the crypto and public_key applications.</item>
<item>Supported SSL/TLS-versions are SSL-3.0, TLS-1.0,
TLS-1.1 and TLS-1.2.</item>
- <item>For security reasons sslv2 is not supported.</item>
+ <item>For security reasons SSL-2.0 is not supported.</item>
+ <item>For security reasons SSL-3.0 is no longer supported by default,
+ but may be configured.</item>
<item>Ephemeral Diffie-Hellman cipher suites are supported
but not Diffie Hellman Certificates cipher suites.</item>
<item>Elliptic Curve cipher suites are supported if crypto
@@ -136,7 +138,7 @@
</c></p>
<p><c>cipher() = rc4_128 | des_cbc | '3des_ede_cbc'
- | aes_128_cbc | aes_256_cbc </c></p>
+ | aes_128_cbc | aes_256_cbc | aes_128_gcm | aes_256_gcm </c></p>
<p> <c>hash() = md5 | sha
</c></p>
@@ -163,7 +165,7 @@
is supplied it will override the certfile option.</item>
<tag>{certfile, path()}</tag>
- <item>Path to a file containing the user's certificate.</item>
+ <item>Path to a file containing the user's PEM encoded certificate.</item>
<tag>{key, {'RSAPrivateKey'| 'DSAPrivateKey' | 'ECPrivateKey' |'PrivateKeyInfo', der_encoded()}}</tag>
<item> The DER encoded users private key. If this option
@@ -302,7 +304,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
</item>
- <tag>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca </tag>
+ <tag>{partial_chain, fun(Chain::[DerCert]) -> {trusted_ca, DerCert} | unknown_ca }</tag>
<item>
Claim an intermediat CA in the chain as trusted. TLS will then perform the public_key:pkix_path_validation/3
with the selected CA as trusted anchor and the rest of the chain.
@@ -311,7 +313,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
<tag>{versions, [protocol()]}</tag>
<item>TLS protocol versions that will be supported by started clients and servers.
This option overrides the application environment option <c>protocol_version</c>. If the
- environment option is not set it defaults to all versions supported by the SSL application. See also
+ environment option is not set it defaults to all versions, except SSL-3.0, supported by the SSL application. See also
<seealso marker="ssl:ssl_app">ssl(6)</seealso>
</item>
@@ -348,11 +350,23 @@ fun(srp, Username :: string(), UserState :: term()) ->
</p>
</item>
+ <tag>{padding_check, boolean()}</tag>
+ <item>
+ <p> This option only affects TLS-1.0 connections.
+ If set to false it disables the block cipher padding check
+ to be able to interoperate with legacy software.
+ </p>
+
+ <warning><p> Using this option makes TLS vulnerable to
+ the Poodle attack</p></warning>
+
+ </item>
+
</taglist>
-
+
</section>
-
- <section>
+
+ <section>
<title>SSL OPTION DESCRIPTIONS - CLIENT SIDE</title>
<p>Options described here are client specific or has a slightly different
@@ -413,6 +427,23 @@ fun(srp, Username :: string(), UserState :: term()) ->
Indication extension will be sent if possible, this option may also be
used to disable that behavior.</p>
</item>
+ <tag>{fallback, boolean()}</tag>
+ <item>
+ <p> Send special cipher suite TLS_FALLBACK_SCSV to avoid undesired TLS version downgrade.
+ Defaults to false</p>
+ <warning><p>Note this option is not needed in normal TLS usage and should not be used
+ to implement new clients. But legacy clients that that retries connections in the following manner</p>
+
+ <p><c> ssl:connect(Host, Port, [...{versions, ['tlsv2', 'tlsv1.1', 'tlsv1', 'sslv3']}])</c></p>
+ <p><c> ssl:connect(Host, Port, [...{versions, [tlsv1.1', 'tlsv1', 'sslv3']}, {fallback, true}])</c></p>
+ <p><c> ssl:connect(Host, Port, [...{versions, ['tlsv1', 'sslv3']}, {fallback, true}]) </c></p>
+ <p><c> ssl:connect(Host, Port, [...{versions, ['sslv3']}, {fallback, true}]) </c></p>
+
+ <p>may use it to avoid undesired TLS version downgrade. Note that TLS_FALLBACK_SCSV must also
+ be supported by the server for the prevention to work.
+ </p></warning>
+ </item>
+
</taglist>
</section>
@@ -538,7 +569,19 @@ fun(srp, Username :: string(), UserState :: term()) ->
</p>
</desc>
</func>
-
+
+ <func>
+ <name>clear_pem_cache() -> ok </name>
+ <fsummary> Clears the pem cache</fsummary>
+
+ <desc><p>PEM files, used by ssl API-functions, are cached. The
+ cache is regularly checked to see if any cache entries should be
+ invalidated, however this function provides a way to
+ unconditionally clear the whole cache.
+ </p>
+ </desc>
+ </func>
+
<func>
<name>connect(Socket, SslOptions) -> </name>
<name>connect(Socket, SslOptions, Timeout) -> {ok, SslSocket}
@@ -904,19 +947,37 @@ fun(srp, Username :: string(), UserState :: term()) ->
</func>
<func>
- <name>versions() ->
- [{SslAppVer, SupportedSslVer, AvailableSslVsn}]</name>
+ <name>versions() -> [versions_info()]</name>
<fsummary>Returns version information relevant for the
ssl application.</fsummary>
<type>
- <v>SslAppVer = string()</v>
- <v>SupportedSslVer = [protocol()]</v>
- <v>AvailableSslVsn = [protocol()]</v>
+ <v>versions_info() = {app_vsn, string()} | {supported | available, [protocol()] </v>
</type>
<desc>
<p>
Returns version information relevant for the
- ssl application.</p>
+ ssl application.
+ </p>
+ <taglist>
+ <tag>app_vsn</tag>
+ <item> The application version of the OTP ssl application.</item>
+
+ <tag>supported</tag>
+
+ <item>TLS/SSL versions supported by default.
+ Overridden by a versions option on
+ <seealso marker="#connect-2"> connect/[2,3,4]</seealso>, <seealso
+ marker="#listen-2"> listen/2</seealso> and <seealso
+ marker="#ssl_accept-2">ssl_accept/[1,2,3]</seealso>. For the
+ negotiated TLS/SSL version see <seealso
+ marker="#connection_info-1">ssl:connection_info/1
+ </seealso></item>
+
+ <tag>available</tag>
+ <item>All TLS/SSL versions that the Erlang ssl application
+ can support. Note that TLS 1.2 requires sufficient support
+ from the crypto application. </item>
+ </taglist>
</desc>
</func>
<func>
diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 43cb3934f7..e3a3fc27f2 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -4,7 +4,7 @@
<appref>
<header>
<copyright>
- <year>1999</year><year>2013</year>
+ <year>1999</year><year>2015</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -75,14 +75,23 @@
</p>
</item>
- <tag><c><![CDATA[session_cb_init_args = list() <optional>]]></c></tag>
+ <tag><c><![CDATA[session_cb_init_args = proplist:proplist() <optional>]]></c></tag>
<item>
<p>
- List of arguments to the init function in session cache
+ List of additional user defined arguments to the init function in session cache
callback module, defaults to [].
</p>
</item>
-
+
+ <tag><c><![CDATA[ssl_pem_cache_clean = integer() <optional>]]></c></tag>
+ <item>
+ <p>
+ Number of milliseconds between PEM cache validations.
+ </p>
+ <seealso
+ marker="ssl#clear_pem_cache-0">ssl:clear_pem_cache/0</seealso>
+
+ </item>
</taglist>
</section>
diff --git a/lib/ssl/doc/src/ssl_session_cache_api.xml b/lib/ssl/doc/src/ssl_session_cache_api.xml
index 82de1784ca..cb97bbfbb2 100644
--- a/lib/ssl/doc/src/ssl_session_cache_api.xml
+++ b/lib/ssl/doc/src/ssl_session_cache_api.xml
@@ -4,7 +4,7 @@
<erlref>
<header>
<copyright>
- <year>1999</year><year>2013</year>
+ <year>1999</year><year>2014</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -79,17 +79,25 @@
</func>
<func>
- <name>init() -> opaque() </name>
+ <name>init(Args) -> opaque() </name>
<fsummary>Return cache reference</fsummary>
<type>
- <v></v>
+ <v>Args = proplists:proplist()</v>
+ <d>Will always include the property {role, client | server}. Currently this
+ is the only predefined property, there may also be user defined properties.
+ <seealso marker="ssl_app"> See also application environment variable
+ session_cb_init_args</seealso>
+ </d>
</type>
<desc>
<p>Performs possible initializations of the cache and returns
a reference to it that will be used as parameter to the other
- api functions. Will be called by the cache handling processes
- init function, hence putting the same requirements on it as
- a normal process init function.
+ API functions. Will be called by the cache handling processes
+ init function, hence putting the same requirements on it as a
+ normal process init function. Note that this function will be
+ called twice when starting the ssl application, once with the
+ role client and once with the role server, as the ssl application
+ must be prepared to take on both roles.
</p>
</desc>
</func>