Diffstat (limited to 'lib/ssl/doc')
-rw-r--r-- | lib/ssl/doc/src/notes.xml | 68
-rw-r--r-- | lib/ssl/doc/src/ssl.xml | 22
2 files changed, 19 insertions, 71 deletions
diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 88ba12b83b..29ec3f9d57 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml 
@@ -28,75 +28,15 @@ <p>This document describes the changes made to the SSL application.</p> -<section><title>SSL 8.2</title> +<section><title>SSL 8.1.3</title> - <section><title>Improvements and New Features</title> + <section><title>Fixed Bugs and Malfunctions</title> <list> <item> <p> - TLS-1.2 clients will now always send hello messages on - its own format, as opposed to earlier versions that will - send the hello on the lowest supported version, this is a - change supported by the latest RFC.</p> - <p> - This will make interoperability with some newer servers - smoother. Potentially, but unlikely, this could cause a - problem with older servers if they do not adhere to the - RFC and ignore unknown extensions.</p> - <p> - *** POTENTIAL INCOMPATIBILITY ***</p> - <p> - Own Id: OTP-13820</p> - </item> - <item> - <p> - Allow Erlang/OTP to use OpenSSL in FIPS-140 mode, in - order to satisfy specific security requirements (mostly - by different parts of the US federal government). </p> - <p> - See the new crypto users guide "FIPS mode" chapter about - building and using the FIPS support which is disabled by - default.</p> - <p> - (Thanks to dszoboszlay and legoscia)</p> - <p> - Own Id: OTP-13921 Aux Id: PR-1180 </p> - </item> - <item> - <p> - Implemented DTLS cookie generation, requiered by spec, - instead of using hardcode value.</p> - <p> - Own Id: OTP-14076</p> - </item> - <item> - <p> - Extend connection_information/[1,2] . The values - session_id, master_secret, client_random and - server_random can no be accessed by - connection_information/2. Note only session_id will be - added to connection_information/1. 
The rational is that - values concerning the connection security should have to - be explicitly requested.</p> - <p> - Own Id: OTP-14291</p> - </item> - <item> - <p> - Chacha cipher suites are currently not tested enough to - be most prefered ones</p> - <p> - Own Id: OTP-14382</p> - </item> - <item> - <p> - Basic support for DTLS that been tested together with - OpenSSL.</p> - <p> - Test by providing the option {protocol, dtls} to the ssl - API functions connect and listen.</p> + Remove debug printout</p> <p> - Own Id: OTP-14388</p> + Own Id: OTP-14396</p> </item> </list> </section> diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml index 2c09122fe6..2940ccb1e7 100644 --- a/lib/ssl/doc/src/ssl.xml +++ b/lib/ssl/doc/src/ssl.xml @@ -127,7 +127,7 @@ <item><p><c>hostname() | ipaddress()</c></p></item> <tag><c>hostname() =</c></tag> - <item><p><c>string()</c></p></item> + <item><p><c>string() - DNS hostname</c></p></item> <tag><c>ip_address() =</c></tag> <item><p><c>{N1,N2,N3,N4} % IPv4 | {K1,K2,K3,K4,K5,K6,K7,K8} % IPv6 @@ -249,7 +249,7 @@ be PEER, CA, ROOT-CA; if 2 the path can be PEER, CA, CA, ROOT-CA, and so on. The default value is 1.</p></item> - <tag><c>{verify_fun, {Verifyfun :: fun(), InitialUserState :: + <tag><marker id="verify_fun"/><c>{verify_fun, {Verifyfun :: fun(), InitialUserState :: term()}}</c></tag> <item><p>The verification fun is to be defined as follows:</p> 
@@ -582,15 +582,23 @@ fun(srp, Username :: string(), UserState :: term()) -> <item><p>Specifies the username and password to use to authenticate to the server.</p></item> - <tag><c>{server_name_indication, hostname()}</c></tag> - <item><p>Can be specified when upgrading a TCP socket to a TLS - socket to use the TLS Server Name Indication extension.</p></item> + <tag><c>{server_name_indication, HostName :: hostname()}</c></tag> + <item><p>Specify the hostname to be used in TLS Server Name Indication extension. + Is usefull when upgrading a TCP socket to a TLS socket or if the hostname can not be + derived from the Host argument to <seealso marker="ssl#connect-3">ssl:connect/3</seealso>. + Will also cause the client to preform host name verification of the peer certificate + <seealso marker="public_key:public_key#pkix_verify_hostname-2">public_key:pkix_verify_hostname(PeerCert, [{dns_id, HostName}])</seealso> + </p> during the x509-path validation. If the check fails the error {bad_cert, hostname_check_failiure} will be + propagated to the path validation fun <seealso marker="#verify_fun">verify_fun</seealso> + </item> <tag><c>{server_name_indication, disable}</c></tag> <item> <p>When starting a TLS connection without upgrade, the Server Name - Indication extension is sent if possible. This option can be - used to disable that behavior.</p> + Indication extension is sent if possible that is can be derived from the Host argument + to <seealso marker="ssl#connect-3">ssl:connect/3</seealso>. + This option can be used to disable that behavior.</p> + <note><p> Note that this also disables the default host name verification check of the peer certificate.</p></note> </item> <tag><c>{fallback, boolean()}</c></tag> <item> |
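Review bot: the replacement release note in the notes.xml hunk reads only "Remove debug printout" (Own Id: OTP-14396), which tells a reader neither which printout was removed nor what it emitted; since this is the text operators consult when deciding whether to upgrade, state where the output came from and whether it could contain handshake or key material, so that anyone running the earlier patch level knows whether their logs need scrubbing. The same hunk replaces the whole `SSL 8.2` section (OTP-13820, OTP-13921, OTP-14076, OTP-14291, OTP-14382, OTP-14388) with `SSL 8.1.3` rather than adding 8.1.3 alongside it, which is what a maintenance-branch note would look like; if that is the intent, it is worth saying so, because on a branch that already documents 8.2 this hunk would silently drop those entries.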
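Review bot: in the `@@ -127,7 +127,7 @@` hunk, `<c>string() - DNS hostname</c>` puts a prose annotation inside the `<c>` type element, so it renders as though `- DNS hostname` were part of the Erlang type expression; keep the type as `<c>string()</c>` and move the description outside it, e.g. `<item><p><c>string()</c> - DNS hostname</p></item>`. While here: the unchanged context line above reads `hostname() | ipaddress()` but the tag two lines below is `ip_address() =`, so the two spellings of the type should be made to agree.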
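Review bot: the `<marker id="verify_fun"/>` added in the `@@ -249,7 +249,7 @@` hunk is the target of the `<seealso marker="#verify_fun">` reference introduced in the `server_name_indication` text, so the marker is needed; the `verify_fun` description itself, however, is not updated to say that a failed host name check now arrives here as a `{bad_cert, ...}` reason. Add a sentence to the `verify_fun` item listing that reason, because a custom verify fun that returns `{valid, UserState}` for every `{bad_cert, _}` it does not recognise would otherwise accept a certificate whose host name does not match without the author of that fun ever being told the check exists.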
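Review bot: in the `@@ -582,15 +582,23 @@` hunk the new `server_name_indication` item closes its paragraph too early: `</p>` comes right after the `public_key:pkix_verify_hostname(PeerCert, [{dns_id, HostName}])` `seealso`, so the text `during the x509-path validation. If the check fails the error {bad_cert, hostname_check_failiure} will be propagated to the path validation fun ...` sits directly inside `<item>` outside any `<p>`, and the sentence also ends without a period; move that `</p>` to just before `</item>`. The added prose carries spelling errors that will ship in the rendered manual: `usefull`, `preform`, `failiure`, and in the `disable` item `sent if possible that is can be derived` (read: `sent if possible, that is, if it can be derived`). Since `hostname_check_failiure` is presented as the literal atom users will match on in their `verify_fun`, check it against the atom the code actually returns before merging, because a misspelled atom in the documentation means a pattern copied from it will never match. The `<note>` stating that `{server_name_indication, disable}` also switches off the default host name verification of the peer certificate is the security-relevant part of this hunk and should stay; consider adding the same sentence to the first item, so a reader who only looks up the `HostName :: hostname()` form learns that the host name check depends on this option.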