1 files changed, 1100 insertions, 824 deletions

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 4b406b4c1e..1e97fe046b 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2013-2018. All Rights Reserved.
+%% Copyright Ericsson AB 2013-2019. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -35,12 +35,13 @@
 -include("ssl_internal.hrl").
 -include("ssl_srp.hrl").
 -include_lib("public_key/include/public_key.hrl").
+-include_lib("kernel/include/logger.hrl").
 
 %% Setup
 
--export([connect/8, handshake/7, handshake/2, handshake/3,
+-export([connect/8, handshake/7, handshake/2, handshake/3, handle_common_event/5,
          handshake_continue/3, handshake_cancel/1,
-	 socket_control/4, socket_control/5, start_or_recv_cancel_timer/2]).
+	 socket_control/4, socket_control/5]).
 
 %% User Events 
 -export([send/2, recv/3, close/2, shutdown/2,
@@ -51,7 +52,7 @@
 
 %% Alert and close handling
 -export([handle_own_alert/4, handle_alert/3, 
-	 handle_normal_shutdown/3, stop/2, stop_and_reply/3,
+	 handle_normal_shutdown/3, 
          handle_trusted_certs_db/1]).
 
 %% Data handling
@@ -59,7 +60,7 @@
 
 %% Help functions for tls|dtls_connection.erl
 -export([handle_session/7, ssl_config/3,
-	 prepare_connection/2, hibernate_after/3, map_extensions/1]).
+	 prepare_connection/2, hibernate_after/3]).
 
 %% General gen_statem state functions with extra callback argument 
 %% to determine if it is an SSL/TLS or DTLS gen_statem machine
@@ -70,14 +71,14 @@
 -export([terminate/3, format_status/2]).
 
 %% Erlang Distribution export
--export([get_sslsocket/1, dist_handshake_complete/2]).
+-export([dist_handshake_complete/2]).
 
 %%====================================================================
 %% Setup
 %%====================================================================
 %%--------------------------------------------------------------------
 -spec connect(tls_connection | dtls_connection,
-	      host(), inet:port_number(), 
+	      ssl:host(), inet:port_number(), 
 	      port() | {tuple(), port()}, %% TLS | DTLS  
 	      {#ssl_options{}, #socket_options{},
 	       %% Tracker only needed on server side
@@ -143,7 +144,7 @@ handshake(#sslsocket{pid = [Pid|_]} = Socket, SslOptions, Timeout) ->
     end.
 
 %%--------------------------------------------------------------------
--spec handshake_continue(#sslsocket{}, [ssl_option()],
+-spec handshake_continue(#sslsocket{}, [ssl:tls_server_option()],
                          timeout()) ->  {ok,  #sslsocket{}}| {error, reason()}.
 %%
 %% Description: Continues handshake with new options
@@ -182,27 +183,23 @@ socket_control(Connection, Socket, Pid, Transport) ->
 %%--------------------------------------------------------------------	    
 socket_control(Connection, Socket, Pids, Transport, udp_listener) ->
     %% dtls listener process must have the socket control
-    {ok, Connection:socket(Pids, Transport, Socket, Connection, undefined)};
+    {ok, Connection:socket(Pids, Transport, Socket, undefined)};
 
 socket_control(tls_connection = Connection, Socket, [Pid|_] = Pids, Transport, ListenTracker) ->
     case Transport:controlling_process(Socket, Pid) of
 	ok ->
-	    {ok, Connection:socket(Pids, Transport, Socket, Connection, ListenTracker)};
+	    {ok, Connection:socket(Pids, Transport, Socket, ListenTracker)};
 	{error, Reason}	->
 	    {error, Reason}
     end;
 socket_control(dtls_connection = Connection, {_, Socket}, [Pid|_] = Pids, Transport, ListenTracker) ->
     case Transport:controlling_process(Socket, Pid) of
 	ok ->
-	    {ok, Connection:socket(Pids, Transport, Socket, Connection, ListenTracker)};
+	    {ok, Connection:socket(Pids, Transport, Socket, ListenTracker)};
 	{error, Reason}	->
 	    {error, Reason}
     end.
 
-start_or_recv_cancel_timer(infinity, _RecvFrom) ->
-    undefined;
-start_or_recv_cancel_timer(Timeout, RecvFrom) ->
-    erlang:send_after(Timeout, self(), {cancel_start_or_recv, RecvFrom}).
 
 %%====================================================================
 %% User events
@@ -215,9 +212,9 @@ start_or_recv_cancel_timer(Timeout, RecvFrom) ->
 %%--------------------------------------------------------------------
 send(Pid, Data) -> 
     call(Pid, {application_data, 
-				    %% iolist_to_binary should really
-				    %% be called iodata_to_binary()
-				    erlang:iolist_to_binary(Data)}).
+				    %% iolist_to_iovec should really
+				    %% be called iodata_to_iovec()
+				    erlang:iolist_to_iovec(Data)}).
 
 %%--------------------------------------------------------------------
 -spec recv(pid(), integer(), timeout()) ->  
@@ -315,9 +312,6 @@ renegotiation(ConnectionPid) ->
 internal_renegotiation(ConnectionPid, #{current_write := WriteState}) ->
     gen_statem:cast(ConnectionPid, {internal_renegotiate, WriteState}). 
 
-get_sslsocket(ConnectionPid) ->
-    call(ConnectionPid, get_sslsocket).
-
 dist_handshake_complete(ConnectionPid, DHandle) ->
     gen_statem:cast(ConnectionPid, {dist_handshake_complete, DHandle}).
 
@@ -335,8 +329,8 @@ prf(ConnectionPid, Secret, Label, Seed, WantedLength) ->
 %% Alert and close handling
 %%====================================================================
 handle_own_alert(Alert, _, StateName,
-		 #state{role = Role,
-                        protocol_cb = Connection,
+		 #state{static_env = #static_env{role = Role,
+                                                 protocol_cb = Connection},
                         ssl_options = SslOpts} = State) ->
     try %% Try to tell the other side
         send_alert(Alert, StateName, State)
@@ -344,187 +338,356 @@ handle_own_alert(Alert, _, StateName,
 	    ignore
     end,
     try %% Try to tell the local user
-	log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), StateName, Alert#alert{role = Role}),
+	log_alert(SslOpts#ssl_options.log_level, Role,
+	          Connection:protocol_name(), StateName,
+	          Alert#alert{role = Role}),
 	handle_normal_shutdown(Alert,StateName, State)
     catch _:_ ->
 	    ok
     end,
-    stop({shutdown, own_alert}, State).
-
-handle_normal_shutdown(Alert, _, #state{socket = Socket,
-					transport_cb = Transport,
-					protocol_cb = Connection,
-					start_or_recv_from = StartFrom,
-					tracker = Tracker,
-					role = Role, renegotiation = {false, first}} = State) ->
+    {stop, {shutdown, own_alert}, State}.
+
+handle_normal_shutdown(Alert, _, #state{static_env = #static_env{role = Role,
+                                                                 socket = Socket,
+                                                                 transport_cb = Transport,
+                                                                 protocol_cb = Connection,
+                                                                 tracker = Tracker},
+                                        handshake_env = #handshake_env{renegotiation = {false, first}},
+					start_or_recv_from = StartFrom} = State) ->
     Pids = Connection:pids(State),
     alert_user(Pids, Transport, Tracker,Socket, StartFrom, Alert, Role, Connection);
 
-handle_normal_shutdown(Alert, StateName, #state{socket = Socket,
-						socket_options = Opts,
-						transport_cb = Transport,
-						protocol_cb = Connection,
-						user_application = {_Mon, Pid},
-						tracker = Tracker,
-						start_or_recv_from = RecvFrom, role = Role} = State) ->
+handle_normal_shutdown(Alert, StateName, #state{static_env = #static_env{role = Role,
+                                                                         socket = Socket,
+                                                                         transport_cb = Transport,
+                                                                         protocol_cb = Connection,
+                                                                         tracker = Tracker},
+                                                connection_env  = #connection_env{user_application = {_Mon, Pid}},
+                                                socket_options = Opts,
+						start_or_recv_from = RecvFrom} = State) ->
     Pids = Connection:pids(State),
     alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, RecvFrom, Alert, Role, Connection).
 
 handle_alert(#alert{level = ?FATAL} = Alert, StateName,
-	     #state{socket = Socket, transport_cb = Transport, 
-		    protocol_cb = Connection,
-		    ssl_options = SslOpts, start_or_recv_from = From, host = Host,
-		    port = Port, session = Session, user_application = {_Mon, Pid},
-		    role = Role, socket_options = Opts, tracker = Tracker} = State) ->
+	     #state{static_env = #static_env{role = Role,
+                                             socket = Socket,
+                                             host = Host,
+                                             port = Port,
+                                             tracker = Tracker,
+                                             transport_cb = Transport,
+                                             protocol_cb = Connection},
+                    connection_env  = #connection_env{user_application = {_Mon, Pid}},
+		    ssl_options = SslOpts,
+                    start_or_recv_from = From,
+                    session = Session, 
+		    socket_options = Opts} = State) ->
     invalidate_session(Role, Host, Port, Session),
-    log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), 
+    log_alert(SslOpts#ssl_options.log_level, Role, Connection:protocol_name(), 
               StateName, Alert#alert{role = opposite_role(Role)}),
     Pids = Connection:pids(State),
-    alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, From, Alert, Role, Connection),
-    stop(normal, State);
+    alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, From, Alert,
+               opposite_role(Role), Connection),
+    {stop, {shutdown, normal}, State};
 
 handle_alert(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert, 
-	     StateName, State) -> 
+	     downgrade= StateName, State) -> 
+    {next_state, StateName, State, [{next_event, internal, Alert}]};
+handle_alert(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert, 
+	    StateName, State) -> 
     handle_normal_shutdown(Alert, StateName, State),
-    stop({shutdown, peer_close}, State);
-
+    {stop,{shutdown, peer_close}, State};
 handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName, 
-	     #state{role = Role, ssl_options = SslOpts, protocol_cb = Connection, 
-                    renegotiation = {true, internal}} = State) ->
-    log_alert(SslOpts#ssl_options.log_alert, Role, 
+	     #state{static_env = #static_env{role = Role,
+                                             protocol_cb = Connection},
+                    handshake_env = #handshake_env{renegotiation = {true, internal}},
+                    ssl_options = SslOpts} = State) ->
+    log_alert(SslOpts#ssl_options.log_level, Role, 
               Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
     handle_normal_shutdown(Alert, StateName, State),
-    stop({shutdown, peer_close}, State);
+    {stop,{shutdown, peer_close}, State};
 
 handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, connection = StateName, 
-	     #state{role = Role,
-                    ssl_options = SslOpts, renegotiation = {true, From},
-		    protocol_cb = Connection} = State0) ->
-    log_alert(SslOpts#ssl_options.log_alert,  Role,
+	     #state{static_env = #static_env{role = Role,
+                                             protocol_cb = Connection},
+                    handshake_env = #handshake_env{renegotiation = {true, From}} = HsEnv,
+                    ssl_options = SslOpts                 
+		   } = State0) ->
+    log_alert(SslOpts#ssl_options.log_level,  Role,
               Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
     gen_statem:reply(From, {error, renegotiation_rejected}),
     State = Connection:reinit_handshake_data(State0),
-    Connection:next_event(connection, no_record, State#state{renegotiation = undefined});
+    Connection:next_event(connection, no_record, State#state{handshake_env = HsEnv#handshake_env{renegotiation = undefined}});
 
 handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName, 
-	     #state{role = Role,
-                    ssl_options = SslOpts, renegotiation = {true, From},
-		    protocol_cb = Connection} = State0) ->
-    log_alert(SslOpts#ssl_options.log_alert,  Role,
+	     #state{static_env = #static_env{role = Role,
+                                             protocol_cb = Connection},
+                    handshake_env = #handshake_env{renegotiation = {true, From}} = HsEnv,
+                    ssl_options = SslOpts
+                   } = State0) ->
+    log_alert(SslOpts#ssl_options.log_level,  Role,
               Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
     gen_statem:reply(From, {error, renegotiation_rejected}),
     %% Go back to connection!
-    State = Connection:reinit(State0#state{renegotiation = undefined}),
+    State = Connection:reinit(State0#state{handshake_env = HsEnv#handshake_env{renegotiation = undefined}}),
     Connection:next_event(connection, no_record, State);
 
 %% Gracefully log and ignore all other warning alerts
 handle_alert(#alert{level = ?WARNING} = Alert, StateName,
-	     #state{ssl_options = SslOpts, protocol_cb = Connection, role = Role} = State) ->
-    log_alert(SslOpts#ssl_options.log_alert,  Role,
-              Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
+	     #state{static_env = #static_env{role = Role,
+                                             protocol_cb = Connection},
+                    ssl_options = SslOpts} = State) ->
+    log_alert(SslOpts#ssl_options.log_level, Role,
+              Connection:protocol_name(), StateName,
+              Alert#alert{role = opposite_role(Role)}),
     Connection:next_event(StateName, no_record, State).
 
 %%====================================================================
 %% Data handling
 %%====================================================================
-
-passive_receive(State0 = #state{user_data_buffer = Buffer}, StateName, Connection) -> 
-    case Buffer of
-	<<>> ->
-	    {Record, State} = Connection:next_record(State0),
-	    Connection:next_event(StateName, Record, State);
+passive_receive(State0 = #state{user_data_buffer = {_,BufferSize,_}}, StateName, Connection, StartTimerAction) ->
+    case BufferSize of
+	0 ->
+	    Connection:next_event(StateName, no_record, State0, StartTimerAction);
 	_ ->
 	    case read_application_data(<<>>, State0) of
                 {stop, _, _} = ShutdownError ->
                     ShutdownError;
                 {Record, State} ->
-                    Connection:next_event(StateName, Record, State)
+                    case State#state.start_or_recv_from of
+                        undefined ->
+                            %% Cancel recv timeout as data has been delivered
+                            Connection:next_event(StateName, Record, State, 
+                                                  [{{timeout, recv}, infinity, timeout}]);
+                        _ ->
+                            Connection:next_event(StateName, Record, State, StartTimerAction)
+                    end
             end
     end.
 
-read_application_data(Data, #state{user_application = {_Mon, Pid},
-				   socket = Socket,
-				   protocol_cb = Connection,
-				   transport_cb = Transport,
-				   socket_options = SOpts,
-				   bytes_to_read = BytesToRead,
-				   start_or_recv_from = RecvFrom,
-				   timer = Timer,
-				   user_data_buffer = Buffer0,
-				   tracker = Tracker} = State0) ->
-    Buffer1 = if 
-		  Buffer0 =:= <<>> -> Data;
-		  Data =:= <<>> -> Buffer0;
-		  true -> <<Buffer0/binary, Data/binary>>
-	      end,
-    case get_data(SOpts, BytesToRead, Buffer1) of
-	{ok, ClientData, Buffer} -> % Send data
-            #state{ssl_options = #ssl_options{erl_dist = Dist},
-                   erl_dist_data = DistData} = State0,
-            case Dist andalso is_dist_up(DistData) of                
-                       true ->                                
-                           dist_app_data(ClientData, State0#state{user_data_buffer = Buffer,
-                                                                      bytes_to_read = undefined});
-                       _ ->
-                           SocketOpt =
-                               deliver_app_data(Connection:pids(State0),
-                                                Transport, Socket, SOpts,
-                                                ClientData, Pid, RecvFrom, Tracker, Connection),
-                           cancel_timer(Timer),
-                           State =
-                               State0#state{
-                                 user_data_buffer = Buffer,
-                          start_or_recv_from = undefined,
-                          timer = undefined,
-                          bytes_to_read = undefined,
-                          socket_options = SocketOpt
-                                },
-                           if
-                               SocketOpt#socket_options.active =:= false;
-                               Buffer =:= <<>> ->
-                                   %% Passive mode, wait for active once or recv
-                            %% Active and empty, get more data
-                                   {no_record, State};
-                               true -> %% We have more data
-                                   read_application_data(<<>>, State)
-                           end
-                   end;
-	{more, Buffer} -> % no reply, we need more data
-            {no_record, State0#state{user_data_buffer = Buffer}};
-	{passive, Buffer} ->
-	    {no_record, State0#state{user_data_buffer = Buffer}};
-	{error,_Reason} -> %% Invalid packet in packet mode
-	    deliver_packet_error(Connection:pids(State0),
-                                 Transport, Socket, SOpts, Buffer1, Pid, RecvFrom, Tracker, Connection),
-            stop(normal, State0)
+read_application_data(
+  Data,
+  #state{
+     user_data_buffer = {Front0,BufferSize0,Rear0},
+     connection_env = #connection_env{erl_dist_handle = DHandle}} = State) ->
+    %%
+    Front = Front0,
+    BufferSize = BufferSize0 + byte_size(Data),
+    Rear = [Data|Rear0],
+    case DHandle of
+        undefined ->
+            read_application_data(State, Front, BufferSize, Rear);
+        _ ->
+            try read_application_dist_data(DHandle, Front, BufferSize, Rear) of
+                Buffer ->
+                    {no_record, State#state{user_data_buffer = Buffer}}
+            catch error:_ ->
+                    {stop,disconnect,
+                     State#state{user_data_buffer = {Front,BufferSize,Rear}}}
+            end
     end.
 
-dist_app_data(ClientData, #state{erl_dist_data = #{dist_handle := undefined,
-                                                   dist_buffer := DistBuff} = DistData} = State) ->
-    {no_record, State#state{erl_dist_data = DistData#{dist_buffer => [ClientData, DistBuff]}}};
-dist_app_data(ClientData, #state{erl_dist_data = #{dist_handle := DHandle,
-                                                   dist_buffer := DistBuff} = ErlDistData,
-                                 user_data_buffer = Buffer,
-                                 socket_options = SOpts} = State) ->
-    Data = merge_dist_data(DistBuff, ClientData),
-    try erlang:dist_ctrl_put_data(DHandle, Data) of
-        _ when SOpts#socket_options.active =:= false;
-               Buffer =:= <<>> ->
+
+read_application_data(#state{
+                         socket_options = SocketOpts,
+                         bytes_to_read = BytesToRead,
+                         start_or_recv_from = RecvFrom} = State, Front, BufferSize, Rear) ->
+    read_application_data(State, Front, BufferSize, Rear, SocketOpts, RecvFrom, BytesToRead).
+
+%% Pick binary from queue front, if empty wait for more data
+read_application_data(State, [Bin|Front], BufferSize, Rear, SocketOpts, RecvFrom, BytesToRead) ->
+    read_application_data_bin(State, Front, BufferSize, Rear, SocketOpts, RecvFrom, BytesToRead, Bin);
+read_application_data(State, [] = Front, BufferSize, [] = Rear, SocketOpts, RecvFrom, BytesToRead) ->
+    0 = BufferSize, % Assert
+    {no_record, State#state{socket_options = SocketOpts,
+                            bytes_to_read = BytesToRead,
+                            start_or_recv_from = RecvFrom,
+                            user_data_buffer = {Front,BufferSize,Rear}}};
+read_application_data(State, [], BufferSize, Rear, SocketOpts, RecvFrom, BytesToRead) ->
+    [Bin|Front] = lists:reverse(Rear),
+    read_application_data_bin(State, Front, BufferSize, [], SocketOpts, RecvFrom, BytesToRead, Bin).
+
+read_application_data_bin(State, Front, BufferSize, Rear, SocketOpts, RecvFrom, BytesToRead, <<>>) ->
+    %% Done with this binary - get next
+    read_application_data(State, Front, BufferSize, Rear, SocketOpts, RecvFrom, BytesToRead);
+read_application_data_bin(State, Front0, BufferSize0, Rear0, SocketOpts0, RecvFrom, BytesToRead, Bin0) ->
+    %% Decode one packet from a binary
+    case get_data(SocketOpts0, BytesToRead, Bin0) of
+	{ok, Data, Bin} -> % Send data
+            BufferSize = BufferSize0 - (byte_size(Bin0) - byte_size(Bin)),
+            read_application_data_deliver(
+              State, [Bin|Front0], BufferSize, Rear0, SocketOpts0, RecvFrom, Data);
+        {more, undefined} ->
+            %% We need more data, do not know how much
+            if
+                byte_size(Bin0) < BufferSize0 ->
+                    %% We have more data in the buffer besides the first binary - concatenate all and retry
+                    Bin = iolist_to_binary([Bin0,Front0|lists:reverse(Rear0)]),
+                    read_application_data_bin(
+                      State, [], BufferSize0, [], SocketOpts0, RecvFrom, BytesToRead, Bin);
+                true ->
+                    %% All data is in the first binary, no use to retry - wait for more
+                    {no_record, State#state{socket_options = SocketOpts0,
+                                            bytes_to_read = BytesToRead,
+                                            start_or_recv_from = RecvFrom,
+                                            user_data_buffer = {[Bin0|Front0],BufferSize0,Rear0}}}
+            end;
+        {more, Size} when Size =< BufferSize0 ->
+            %% We have a packet in the buffer - collect it in a binary and decode
+            {Data,Front,Rear} = iovec_from_front(Size - byte_size(Bin0), Front0, Rear0, [Bin0]),
+            Bin = iolist_to_binary(Data),
+            read_application_data_bin(
+              State, Front, BufferSize0, Rear, SocketOpts0, RecvFrom, BytesToRead, Bin);
+        {more, _Size} ->
+            %% We do not have a packet in the buffer - wait for more
+            {no_record, State#state{socket_options = SocketOpts0,
+                                    bytes_to_read = BytesToRead,
+                                    start_or_recv_from = RecvFrom,
+                                    user_data_buffer = {[Bin0|Front0],BufferSize0,Rear0}}};
+        passive ->
+            {no_record, State#state{socket_options = SocketOpts0,
+                                    bytes_to_read = BytesToRead,
+                                    start_or_recv_from = RecvFrom,
+                                    user_data_buffer = {[Bin0|Front0],BufferSize0,Rear0}}};
+	{error,_Reason} ->
+            %% Invalid packet in packet mode
+            #state{
+               static_env =
+                   #static_env{
+                      socket = Socket,
+                      protocol_cb = Connection,
+                      transport_cb = Transport,
+                      tracker = Tracker},
+               connection_env =
+                   #connection_env{user_application = {_Mon, Pid}}} = State,
+            Buffer = iolist_to_binary([Bin0,Front0|lists:reverse(Rear0)]),
+	    deliver_packet_error(
+              Connection:pids(State), Transport, Socket, SocketOpts0,
+              Buffer, Pid, RecvFrom, Tracker, Connection),
+            {stop, {shutdown, normal}, State#state{socket_options = SocketOpts0,
+                                                   bytes_to_read = BytesToRead,
+                                                   start_or_recv_from = RecvFrom,
+                                                   user_data_buffer = {[Buffer],BufferSize0,[]}}}
+    end.
+
+read_application_data_deliver(State, Front, BufferSize, Rear, SocketOpts0, RecvFrom, Data) ->
+    #state{
+       static_env =
+           #static_env{
+              socket = Socket,
+              protocol_cb = Connection,
+              transport_cb = Transport,
+              tracker = Tracker},
+       connection_env =
+           #connection_env{user_application = {_Mon, Pid}}} = State,
+    SocketOpts =
+        deliver_app_data(
+          Connection:pids(State), Transport, Socket, SocketOpts0, Data, Pid, RecvFrom, Tracker, Connection),
+    if
+        SocketOpts#socket_options.active =:= false ->
             %% Passive mode, wait for active once or recv
-            %% Active and empty, get more data
-            {no_record, State#state{erl_dist_data = ErlDistData#{dist_buffer => <<>>}}};
-        _ -> %% We have more data
-            read_application_data(<<>>, State)
-    catch error:_ ->
-            stop(State, disconnect)
+            {no_record,
+             State#state{
+               user_data_buffer = {Front,BufferSize,Rear},
+               start_or_recv_from = undefined,
+                bytes_to_read = undefined,
+               socket_options = SocketOpts
+              }};
+        true -> %% Try to deliver more data
+            read_application_data(State, Front, BufferSize, Rear, SocketOpts, undefined, undefined)
+    end.
+
+
+read_application_dist_data(DHandle, [Bin|Front], BufferSize, Rear) ->
+    read_application_dist_data(DHandle, Front, BufferSize, Rear, Bin);
+read_application_dist_data(_DHandle, [] = Front, BufferSize, [] = Rear) ->
+    BufferSize = 0,
+    {Front,BufferSize,Rear};
+read_application_dist_data(DHandle, [], BufferSize, Rear) ->
+    [Bin|Front] = lists:reverse(Rear),
+    read_application_dist_data(DHandle, Front, BufferSize, [], Bin).
+%%
+read_application_dist_data(DHandle, Front0, BufferSize, Rear0, Bin0) ->
+    case Bin0 of
+        %%
+        %% START Optimization
+        %% It is cheaper to match out several packets in one match operation than to loop for each
+        <<SizeA:32, DataA:SizeA/binary,
+          SizeB:32, DataB:SizeB/binary,
+          SizeC:32, DataC:SizeC/binary,
+          SizeD:32, DataD:SizeD/binary, Rest/binary>> ->
+            %% We have 4 complete packets in the first binary
+            erlang:dist_ctrl_put_data(DHandle, DataA),
+            erlang:dist_ctrl_put_data(DHandle, DataB),
+            erlang:dist_ctrl_put_data(DHandle, DataC),
+            erlang:dist_ctrl_put_data(DHandle, DataD),
+            read_application_dist_data(
+              DHandle, Front0, BufferSize - (4*4+SizeA+SizeB+SizeC+SizeD), Rear0, Rest);
+        <<SizeA:32, DataA:SizeA/binary,
+          SizeB:32, DataB:SizeB/binary,
+          SizeC:32, DataC:SizeC/binary, Rest/binary>> ->
+            %% We have 3 complete packets in the first binary
+            erlang:dist_ctrl_put_data(DHandle, DataA),
+            erlang:dist_ctrl_put_data(DHandle, DataB),
+            erlang:dist_ctrl_put_data(DHandle, DataC),
+            read_application_dist_data(
+              DHandle, Front0, BufferSize - (3*4+SizeA+SizeB+SizeC), Rear0, Rest);
+        <<SizeA:32, DataA:SizeA/binary,
+          SizeB:32, DataB:SizeB/binary, Rest/binary>> ->
+            %% We have 2 complete packets in the first binary
+            erlang:dist_ctrl_put_data(DHandle, DataA),
+            erlang:dist_ctrl_put_data(DHandle, DataB),
+            read_application_dist_data(
+              DHandle, Front0, BufferSize - (2*4+SizeA+SizeB), Rear0, Rest);
+        %% END Optimization
+        %%
+        %% Basic one packet code path
+        <<Size:32, Data:Size/binary, Rest/binary>> ->
+            %% We have a complete packet in the first binary
+            erlang:dist_ctrl_put_data(DHandle, Data),
+            read_application_dist_data(DHandle, Front0, BufferSize - (4+Size), Rear0, Rest);
+        <<Size:32, FirstData/binary>> when 4+Size =< BufferSize ->
+            %% We have a complete packet in the buffer
+            %% - fetch the missing content from the buffer front
+            {Data,Front,Rear} = iovec_from_front(Size - byte_size(FirstData), Front0, Rear0, [FirstData]),
+            erlang:dist_ctrl_put_data(DHandle, Data),
+            read_application_dist_data(DHandle, Front, BufferSize - (4+Size), Rear);
+        <<Bin/binary>> ->
+            %% In OTP-21 the match context reuse optimization fails if we use Bin0 in recursion, so here we
+            %% match out the whole binary which will trick the optimization into keeping the match context
+            %% for the first binary contains complete packet code above
+            case Bin of
+                <<_Size:32, _InsufficientData/binary>> ->
+                    %% We have a length field in the first binary but there is not enough data
+                    %% in the buffer to form a complete packet - await more data
+                    {[Bin|Front0],BufferSize,Rear0};
+                <<IncompleteLengthField/binary>> when 4 < BufferSize ->
+                    %% We do not have a length field in the first binary but the buffer
+                    %% contains enough data to maybe form a packet
+                    %% - fetch a tiny binary from the buffer front to complete the length field
+                    {LengthField,Front,Rear} =
+                        iovec_from_front(4 - byte_size(IncompleteLengthField), Front0, Rear0, [IncompleteLengthField]),
+                    LengthBin = iolist_to_binary(LengthField),
+                    read_application_dist_data(DHandle, Front, BufferSize, Rear, LengthBin);
+                <<IncompleteLengthField/binary>> ->
+                    %% We do not have enough data in the buffer to even form a length field - await more data
+                    {[IncompleteLengthField|Front0],BufferSize,Rear0}
+            end
     end.
 
-merge_dist_data(<<>>, ClientData) ->
-    ClientData;
-merge_dist_data(DistBuff, <<>>) ->
-    DistBuff;
-merge_dist_data(DistBuff, ClientData) ->
-    [DistBuff, ClientData].
+iovec_from_front(Size, [], Rear, Acc) ->
+    iovec_from_front(Size, lists:reverse(Rear), [], Acc);
+iovec_from_front(Size, [Bin|Front], Rear, Acc) ->
+    case Bin of
+        <<Last:Size/binary>> -> % Just enough
+            {lists:reverse(Acc, [Last]),Front,Rear};
+        <<Last:Size/binary, Rest/binary>> -> % More than enough, split here
+            {lists:reverse(Acc, [Last]),[Rest|Front],Rear};
+        <<_/binary>> -> % Not enough
+            BinSize = byte_size(Bin),
+            iovec_from_front(Size - BinSize, Front, Rear, [Bin|Acc])
+    end.
+
+
 %%====================================================================
 %% Help functions for tls|dtls_connection.erl
 %%====================================================================
@@ -537,8 +700,8 @@ handle_session(#server_hello{cipher_suite = CipherSuite,
 			     compression_method = Compression}, 
 	       Version, NewId, ConnectionStates, ProtoExt, Protocol0,
 	       #state{session = #session{session_id = OldId},
-		      negotiated_version = ReqVersion,
-		      negotiated_protocol = CurrentProtocol} = State0) ->
+		      handshake_env = #handshake_env{negotiated_protocol = CurrentProtocol} = HsEnv,
+                      connection_env = #connection_env{negotiated_version = ReqVersion} = CEnv} = State0) ->
     #{key_exchange := KeyAlgorithm} =
 	ssl_cipher_format:suite_definition(CipherSuite),
     
@@ -551,12 +714,12 @@ handle_session(#server_hello{cipher_suite = CipherSuite,
 				    {ProtoExt =:= npn, Protocol0}
 			    end,
 
-    State = State0#state{key_algorithm = KeyAlgorithm,
-			 negotiated_version = Version,
-			 connection_states = ConnectionStates,
-			 premaster_secret = PremasterSecret,
-			 expecting_next_protocol_negotiation = ExpectNPN,
-			 negotiated_protocol = Protocol},
+    State = State0#state{connection_states = ConnectionStates,
+			 handshake_env = HsEnv#handshake_env{kex_algorithm = KeyAlgorithm,
+                                                             premaster_secret = PremasterSecret,
+                                                             expecting_next_protocol_negotiation = ExpectNPN,
+                                                             negotiated_protocol = Protocol},
+                         connection_env = CEnv#connection_env{negotiated_version = Version}},
     
     case ssl_session:is_new(OldId, NewId) of
 	true ->
@@ -570,10 +733,9 @@ handle_session(#server_hello{cipher_suite = CipherSuite,
 %%--------------------------------------------------------------------
 -spec ssl_config(#ssl_options{}, client | server, #state{}) -> #state{}.
 %%--------------------------------------------------------------------
-ssl_config(Opts, Role, State) ->
-    ssl_config(Opts, Role, State, new).
-
-ssl_config(Opts, Role, State0, Type) ->
+ssl_config(Opts, Role, #state{static_env = InitStatEnv0, 
+                              handshake_env = HsEnv,
+                              connection_env = CEnv} = State0) ->
     {ok, #{cert_db_ref := Ref, 
            cert_db_handle := CertDbHandle, 
            fileref_db_handle := FileRefHandle, 
@@ -585,24 +747,19 @@ ssl_config(Opts, Role, State0, Type) ->
 	ssl_config:init(Opts, Role), 
     TimeStamp = erlang:monotonic_time(),
     Session = State0#state.session,
-    State = State0#state{session = Session#session{own_certificate = OwnCert,
-                                                   time_stamp = TimeStamp},
-                         file_ref_db = FileRefHandle,
-                         cert_db_ref = Ref,
-                         cert_db = CertDbHandle,
-                         crl_db = CRLDbHandle,
-                         session_cache = CacheHandle,
-                         private_key = Key,
-                         diffie_hellman_params = DHParams,
-                         ssl_options = Opts},
-    case Type of
-        new ->
-            Handshake = ssl_handshake:init_handshake_history(),
-            State#state{tls_handshake_history = Handshake};
-        continue ->
-            State
-    end.
-
+    
+    State0#state{session = Session#session{own_certificate = OwnCert,
+                                           time_stamp = TimeStamp},
+                 static_env = InitStatEnv0#static_env{
+                                file_ref_db = FileRefHandle,
+                                cert_db_ref = Ref,
+                                cert_db = CertDbHandle,
+                                crl_db = CRLDbHandle,
+                                session_cache = CacheHandle
+                               },
+                 handshake_env = HsEnv#handshake_env{diffie_hellman_params = DHParams},
+                 connection_env = CEnv#connection_env{private_key = Key},
+                 ssl_options = Opts}.
 
 %%====================================================================
 %% gen_statem general state functions with connection cb argument
@@ -615,10 +772,11 @@ ssl_config(Opts, Role, State0, Type) ->
 %%--------------------------------------------------------------------
 
 init({call, From}, {start, Timeout}, State0, Connection) ->
-    Timer = start_or_recv_cancel_timer(Timeout, From),
-    Connection:next_event(hello, no_record, State0#state{start_or_recv_from = From, timer = Timer});
+    Connection:next_event(hello, no_record, State0#state{start_or_recv_from = From},
+                          [{{timeout, handshake}, Timeout, close}]);
 init({call, From}, {start, {Opts, EmOpts}, Timeout}, 
-     #state{role = Role, ssl_options = OrigSSLOptions,
+     #state{static_env = #static_env{role = Role},
+            ssl_options = OrigSSLOptions,
             socket_options = SockOpts} = State0, Connection) ->
     try 
         SslOpts = ssl:handle_options(Opts, OrigSSLOptions),
@@ -627,7 +785,7 @@ init({call, From}, {start, {Opts, EmOpts}, Timeout},
 	     State#state{ssl_options = SslOpts, 
                          socket_options = new_emulated(EmOpts, SockOpts)}, Connection)
     catch throw:Error ->
-	    stop_and_reply(normal, {reply, From, {error, Error}}, State0)
+	   {stop_and_reply, {shutdown, normal}, {reply, From, {error, Error}}, State0}
     end;
 init({call, From}, {new_user, _} = Msg, State, Connection) ->
     handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);
@@ -643,7 +801,7 @@ init(_Type, _Event, _State, _Connection) ->
 		   gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 error({call, From}, {close, _}, State, _Connection) ->
-    stop_and_reply(normal, {reply, From, ok}, State);
+    {stop_and_reply, {shutdown, normal}, {reply, From, ok}, State};
 error({call, From}, _Msg, State, _Connection) ->
     {next_state, ?FUNCTION_NAME, State, [{reply, From, {error, closed}}]}.
 
@@ -662,20 +820,18 @@ hello(info, Msg, State, _) ->
 hello(Type, Msg, State, Connection) ->
     handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).
 
-user_hello({call, From}, cancel, #state{negotiated_version = Version} = State, _) ->
+user_hello({call, From}, cancel, #state{connection_env = #connection_env{negotiated_version = Version}} = State, _) ->
     gen_statem:reply(From, ok),
     handle_own_alert(?ALERT_REC(?FATAL, ?USER_CANCELED, user_canceled),
                      Version, ?FUNCTION_NAME, State);
-user_hello({call, From}, {handshake_continue, NewOptions, Timeout}, #state{hello = Hello,
-                                                                           role = Role,
-                                                                           start_or_recv_from = RecvFrom,
-                                                                           ssl_options = Options0} = State0, _Connection) ->
-    Timer = start_or_recv_cancel_timer(Timeout, RecvFrom),
+user_hello({call, From}, {handshake_continue, NewOptions, Timeout},
+           #state{static_env = #static_env{role = Role},
+                  handshake_env = #handshake_env{hello = Hello},
+                  ssl_options = Options0} = State0, _Connection) ->
     Options = ssl:handle_options(NewOptions, Options0#ssl_options{handshake = full}),
-    State = ssl_config(Options, Role, State0, continue),
-    {next_state, hello, State#state{start_or_recv_from = From,
-                                    timer = Timer}, 
-     [{next_event, internal, Hello}]};
+    State = ssl_config(Options, Role, State0),
+    {next_state, hello, State#state{start_or_recv_from = From}, 
+     [{next_event, internal, Hello}, {{timeout, handshake}, Timeout, close}]};
 user_hello(_, _, _, _) ->
     {keep_state_and_data, [postpone]}.
 
@@ -688,60 +844,63 @@ user_hello(_, _, _, _) ->
 abbreviated({call, From}, Msg, State, Connection) ->
     handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);
 abbreviated(internal, #finished{verify_data = Data} = Finished,
-	    #state{role = server,
-		   negotiated_version = Version,
-		   expecting_finished = true,
-		   tls_handshake_history = Handshake,
+	    #state{static_env = #static_env{role = server},
+                   handshake_env = #handshake_env{tls_handshake_history = Hist,
+                                                  expecting_finished = true} = HsEnv,
+		   connection_env = #connection_env{negotiated_version = Version},
 		   session = #session{master_secret = MasterSecret},
 		   connection_states = ConnectionStates0} =
 		State0, Connection) ->
     case ssl_handshake:verify_connection(ssl:tls_version(Version), Finished, client,
 					 get_current_prf(ConnectionStates0, write),
-					 MasterSecret, Handshake) of
+					 MasterSecret, Hist) of
         verified ->
 	    ConnectionStates =
 		ssl_record:set_client_verify_data(current_both, Data, ConnectionStates0),
 	    {Record, State} = prepare_connection(State0#state{connection_states = ConnectionStates,
-							      expecting_finished = false}, Connection),
-	    Connection:next_event(connection, Record, State);
+                                                              handshake_env = HsEnv#handshake_env{expecting_finished = false}}, Connection),
+	    Connection:next_event(connection, Record, State, [{{timeout, handshake}, infinity, close}]);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)
     end;
 abbreviated(internal, #finished{verify_data = Data} = Finished,
-	    #state{role = client, tls_handshake_history = Handshake0,
+	    #state{static_env = #static_env{role = client},
+                   handshake_env = #handshake_env{tls_handshake_history = Hist0},
+                   connection_env = #connection_env{negotiated_version = Version},
 		   session = #session{master_secret = MasterSecret},
-		   negotiated_version = Version,
 		   connection_states = ConnectionStates0} = State0, Connection) ->
     case ssl_handshake:verify_connection(ssl:tls_version(Version), Finished, server,
 					 get_pending_prf(ConnectionStates0, write),
-					 MasterSecret, Handshake0) of
+					 MasterSecret, Hist0) of
         verified ->
 	    ConnectionStates1 =
 		ssl_record:set_server_verify_data(current_read, Data, ConnectionStates0),
-	    {State1, Actions} =
+	    {#state{handshake_env = HsEnv} = State1, Actions} =
 		finalize_handshake(State0#state{connection_states = ConnectionStates1},
 				   ?FUNCTION_NAME, Connection),
-	    {Record, State} = prepare_connection(State1#state{expecting_finished = false}, Connection),
-	    Connection:next_event(connection, Record, State, Actions);
+	    {Record, State} = prepare_connection(State1#state{handshake_env = HsEnv#handshake_env{expecting_finished = false}}, Connection),
+	    Connection:next_event(connection, Record, State, [{{timeout, handshake}, infinity, close} | Actions]);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)
     end;
 %% only allowed to send next_protocol message after change cipher spec
 %% & before finished message and it is not allowed during renegotiation
 abbreviated(internal, #next_protocol{selected_protocol = SelectedProtocol},
-	    #state{role = server, expecting_next_protocol_negotiation = true} = State,
+	    #state{static_env = #static_env{role = server},
+                   handshake_env = #handshake_env{expecting_next_protocol_negotiation = true} = HsEnv} = State,
 	    Connection) ->
     Connection:next_event(?FUNCTION_NAME, no_record, 
-			  State#state{negotiated_protocol = SelectedProtocol,
-                                      expecting_next_protocol_negotiation = false});
+			  State#state{handshake_env = HsEnv#handshake_env{negotiated_protocol = SelectedProtocol,
+                                                                         expecting_next_protocol_negotiation = false}});
 abbreviated(internal, 
 	    #change_cipher_spec{type = <<1>>},  
-            #state{connection_states = ConnectionStates0} = State, Connection) ->
+            #state{connection_states = ConnectionStates0,
+                   handshake_env = HsEnv} = State, Connection) ->
     ConnectionStates1 =
 	ssl_record:activate_pending_connection_state(ConnectionStates0, read, Connection),
     Connection:next_event(?FUNCTION_NAME, no_record, State#state{connection_states = 
                                                                      ConnectionStates1,
-                                                                 expecting_finished = true});
+                                                                 handshake_env = HsEnv#handshake_env{expecting_finished = true}});
 abbreviated(info, Msg, State, _) ->
     handle_info(Msg, ?FUNCTION_NAME, State);
 abbreviated(Type, Msg, State, Connection) ->
@@ -759,32 +918,34 @@ certify({call, From}, Msg, State, Connection) ->
 certify(info, Msg, State, _) ->
     handle_info(Msg, ?FUNCTION_NAME, State);
 certify(internal, #certificate{asn1_certificates = []},
-	#state{role = server, negotiated_version = Version,
+	#state{static_env = #static_env{role = server},
+               connection_env = #connection_env{negotiated_version = Version},
 	       ssl_options = #ssl_options{verify = verify_peer,
 					  fail_if_no_peer_cert = true}} =
 	    State, _) ->
     Alert =  ?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE),
     handle_own_alert(Alert, Version, ?FUNCTION_NAME, State);
 certify(internal, #certificate{asn1_certificates = []},
-	#state{role = server,
+	#state{static_env = #static_env{role = server},
 	       ssl_options = #ssl_options{verify = verify_peer,
 					  fail_if_no_peer_cert = false}} =
 	State0, Connection) ->
     Connection:next_event(?FUNCTION_NAME, no_record, State0#state{client_certificate_requested = false});
 certify(internal, #certificate{},
-	#state{role = server,
-	       negotiated_version = Version,
+	#state{static_env = #static_env{role = server},
+               connection_env = #connection_env{negotiated_version = Version},
 	       ssl_options = #ssl_options{verify = verify_none}} =
 	    State, _) ->
     Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE, unrequested_certificate),
     handle_own_alert(Alert, Version, ?FUNCTION_NAME, State);
 certify(internal, #certificate{} = Cert,
-        #state{negotiated_version = Version,
-	       role = Role,
-               host = Host,
-	       cert_db = CertDbHandle,
-	       cert_db_ref = CertDbRef,
-	       crl_db = CRLDbInfo,
+        #state{static_env = #static_env{
+                               role = Role,
+                               host = Host,
+                               cert_db = CertDbHandle,
+                               cert_db_ref = CertDbRef,
+                               crl_db = CRLDbInfo},
+               connection_env = #connection_env{negotiated_version = Version},
 	       ssl_options = Opts} = State, Connection) ->
     case ssl_handshake:certify(Cert, CertDbHandle, CertDbRef, 
 			       Opts, CRLDbInfo, Role, Host) of
@@ -795,112 +956,132 @@ certify(internal, #certificate{} = Cert,
             handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)
     end;
 certify(internal, #server_key_exchange{exchange_keys = Keys},
-        #state{role = client, negotiated_version = Version,
-	       key_algorithm = Alg,
-	       public_key_info = PubKeyInfo,
+        #state{static_env = #static_env{role = client},
+               handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                              public_key_info = PubKeyInfo} = HsEnv,
+               connection_env = #connection_env{negotiated_version = Version},
                session = Session,
 	       connection_states = ConnectionStates} = State, Connection)
-  when Alg == dhe_dss; Alg == dhe_rsa;
-       Alg == ecdhe_rsa; Alg == ecdhe_ecdsa;
-       Alg == dh_anon; Alg == ecdh_anon;
-       Alg == psk; Alg == dhe_psk; Alg == ecdhe_psk; Alg == rsa_psk;
-       Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
-
-    Params = ssl_handshake:decode_server_key(Keys, Alg, ssl:tls_version(Version)),
+  when KexAlg == dhe_dss; 
+       KexAlg == dhe_rsa;
+       KexAlg == ecdhe_rsa; 
+       KexAlg == ecdhe_ecdsa;
+       KexAlg == dh_anon; 
+       KexAlg == ecdh_anon;
+       KexAlg == psk; 
+       KexAlg == dhe_psk; 
+       KexAlg == ecdhe_psk; 
+       KexAlg == rsa_psk;
+       KexAlg == srp_dss; 
+       KexAlg == srp_rsa; 
+       KexAlg == srp_anon ->
+
+    Params = ssl_handshake:decode_server_key(Keys, KexAlg, ssl:tls_version(Version)),
 
     %% Use negotiated value if TLS-1.2 otherwhise return default
-    HashSign = negotiated_hashsign(Params#server_key_params.hashsign, Alg, PubKeyInfo, ssl:tls_version(Version)),
+    HashSign = negotiated_hashsign(Params#server_key_params.hashsign, KexAlg, PubKeyInfo, ssl:tls_version(Version)),
 
-    case is_anonymous(Alg) of
+    case is_anonymous(KexAlg) of
 	true ->
 	    calculate_secret(Params#server_key_params.params,
-			     State#state{hashsign_algorithm = HashSign}, Connection);
+			     State#state{handshake_env = HsEnv#handshake_env{hashsign_algorithm = HashSign}}, Connection);
 	false ->
 	    case  ssl_handshake:verify_server_key(Params, HashSign, 
 						  ConnectionStates, ssl:tls_version(Version), PubKeyInfo) of
 		true ->
 		    calculate_secret(Params#server_key_params.params,
-				     State#state{hashsign_algorithm = HashSign,
-                                                 session = session_handle_params(Params#server_key_params.params, Session)}, 
-				     Connection);
+				     State#state{handshake_env = HsEnv#handshake_env{hashsign_algorithm = HashSign},
+                                                 session = session_handle_params(Params#server_key_params.params, Session)},
+                    Connection);
 		false ->
 		    handle_own_alert(?ALERT_REC(?FATAL, ?DECRYPT_ERROR),
 						Version, ?FUNCTION_NAME, State)
 	    end
     end;
 certify(internal, #certificate_request{},
-	#state{role = client, negotiated_version = Version,
-               key_algorithm = Alg} = State, _)
-  when Alg == dh_anon; Alg == ecdh_anon;
-       Alg == psk; Alg == dhe_psk; Alg == ecdhe_psk; Alg == rsa_psk;
-       Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+	#state{static_env = #static_env{role = client},
+               handshake_env = #handshake_env{kex_algorithm = KexAlg},
+               connection_env = #connection_env{negotiated_version = Version}} = State, _)
+  when KexAlg == dh_anon; 
+       KexAlg == ecdh_anon;
+       KexAlg == psk; 
+       KexAlg == dhe_psk; 
+       KexAlg == ecdhe_psk; 
+       KexAlg == rsa_psk;
+       KexAlg == srp_dss; 
+       KexAlg == srp_rsa; 
+       KexAlg == srp_anon ->
     handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE),
                      Version, ?FUNCTION_NAME, State);
 certify(internal, #certificate_request{},
-	#state{session = #session{own_certificate = undefined},
-	       role = client} = State, Connection) ->
+	#state{static_env = #static_env{role = client},
+               session = #session{own_certificate = undefined}} = State, Connection) ->
     %% The client does not have a certificate and will send an empty reply, the server may fail 
     %% or accept the connection by its own preference. No signature algorihms needed as there is
     %% no certificate to verify.
     Connection:next_event(?FUNCTION_NAME, no_record, State#state{client_certificate_requested = true});
 certify(internal, #certificate_request{} = CertRequest,
-	#state{session = #session{own_certificate = Cert},
-	       role = client,
-	       ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
-	       negotiated_version = Version} = State, Connection) ->
-    case ssl_handshake:select_hashsign(CertRequest, Cert, SupportedHashSigns, ssl:tls_version(Version)) of
+	#state{static_env = #static_env{role = client},
+               handshake_env = HsEnv,
+               connection_env = #connection_env{negotiated_version = Version},
+               session = #session{own_certificate = Cert},
+               ssl_options = #ssl_options{signature_algs = SupportedHashSigns}} = State, Connection) ->
+    case ssl_handshake:select_hashsign(CertRequest, Cert, 
+                                       SupportedHashSigns, ssl:tls_version(Version)) of
 	#alert {} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State);
 	NegotiatedHashSign -> 	
 	    Connection:next_event(?FUNCTION_NAME, no_record,
 				  State#state{client_certificate_requested = true,
-                                              cert_hashsign_algorithm = NegotiatedHashSign})
+                                              handshake_env = HsEnv#handshake_env{cert_hashsign_algorithm = NegotiatedHashSign}})
     end;
 %% PSK and RSA_PSK might bypass the Server-Key-Exchange
 certify(internal, #server_hello_done{},
-	#state{session = #session{master_secret = undefined},
-	       negotiated_version = Version,
-	       psk_identity = PSKIdentity,
-	       ssl_options = #ssl_options{user_lookup_fun = PSKLookup},
-	       premaster_secret = undefined,
-	       role = client,
-	       key_algorithm = Alg} = State0, Connection)
-  when Alg == psk ->
-    case ssl_handshake:premaster_secret({Alg, PSKIdentity}, PSKLookup) of
+	#state{static_env = #static_env{role = client},
+               session = #session{master_secret = undefined},
+               connection_env = #connection_env{negotiated_version = Version},
+               handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                              premaster_secret = undefined,
+                                              server_psk_identity = PSKIdentity} = HsEnv,
+	       ssl_options = #ssl_options{user_lookup_fun = PSKLookup}} = State0, Connection)
+  when KexAlg == psk ->
+    case ssl_handshake:premaster_secret({KexAlg, PSKIdentity}, PSKLookup) of
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0);
 	PremasterSecret ->
 	    State = master_secret(PremasterSecret,
-				  State0#state{premaster_secret = PremasterSecret}),
-	    client_certify_and_key_exchange(State, Connection)
+				  State0#state{handshake_env =
+                                                   HsEnv#handshake_env{premaster_secret = PremasterSecret}}),
+            client_certify_and_key_exchange(State, Connection)
     end;
 certify(internal, #server_hello_done{},
-	#state{session = #session{master_secret = undefined},
-	       ssl_options = #ssl_options{user_lookup_fun = PSKLookup},
-	       negotiated_version = {Major, Minor} = Version,
-	       psk_identity = PSKIdentity,
-	       premaster_secret = undefined,
-	       role = client,
-	       key_algorithm = Alg} = State0, Connection)
-  when Alg == rsa_psk ->
+	#state{static_env = #static_env{role = client},
+               connection_env = #connection_env{negotiated_version = {Major, Minor}} = Version,
+               handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                              premaster_secret = undefined,
+                                              server_psk_identity = PSKIdentity} = HsEnv,
+               session = #session{master_secret = undefined},
+	       ssl_options = #ssl_options{user_lookup_fun = PSKLookup}} = State0, Connection)
+  when KexAlg == rsa_psk ->
     Rand = ssl_cipher:random_bytes(?NUM_OF_PREMASTERSECRET_BYTES-2),
     RSAPremasterSecret = <<?BYTE(Major), ?BYTE(Minor), Rand/binary>>,
-    case ssl_handshake:premaster_secret({Alg, PSKIdentity}, PSKLookup, 
+    case ssl_handshake:premaster_secret({KexAlg, PSKIdentity}, PSKLookup, 
 					RSAPremasterSecret) of
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0);
 	PremasterSecret ->
 	    State = master_secret(PremasterSecret, 
-				  State0#state{premaster_secret = RSAPremasterSecret}),
+				  State0#state{handshake_env = 
+                                                   HsEnv#handshake_env{premaster_secret = RSAPremasterSecret}}),
 	    client_certify_and_key_exchange(State, Connection)
     end;
 %% Master secret was determined with help of server-key exchange msg
 certify(internal, #server_hello_done{}, 
-	#state{session = #session{master_secret = MasterSecret} = Session,
-	       connection_states = ConnectionStates0,
-	       negotiated_version = Version,
-	       premaster_secret = undefined,
-	       role = client} = State0, Connection) ->
+	#state{static_env = #static_env{role = client},
+               connection_env = #connection_env{negotiated_version = Version},
+               handshake_env = #handshake_env{premaster_secret = undefined},
+               session = #session{master_secret = MasterSecret} = Session,
+	       connection_states = ConnectionStates0} = State0, Connection) ->
     case ssl_handshake:master_secret(ssl:tls_version(Version), Session,
 				     ConnectionStates0, client) of
 	{MasterSecret, ConnectionStates} ->
@@ -911,11 +1092,11 @@ certify(internal, #server_hello_done{},
     end;
 %% Master secret is calculated from premaster_secret
 certify(internal, #server_hello_done{},
-	#state{session = Session0,
-	       connection_states = ConnectionStates0,
-	       negotiated_version = Version,
-	       premaster_secret = PremasterSecret,
-	       role = client} = State0, Connection) ->
+	#state{static_env = #static_env{role = client},
+               connection_env = #connection_env{negotiated_version = Version},
+               handshake_env = #handshake_env{premaster_secret = PremasterSecret},
+               session = Session0,
+	       connection_states = ConnectionStates0} = State0, Connection) ->
     case ssl_handshake:master_secret(ssl:tls_version(Version), PremasterSecret,
 				     ConnectionStates0, client) of
 	{MasterSecret, ConnectionStates} ->
@@ -927,14 +1108,15 @@ certify(internal, #server_hello_done{},
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0)
     end;
 certify(internal = Type, #client_key_exchange{} = Msg,
-	#state{role = server,
+	#state{static_env = #static_env{role = server},
 	       client_certificate_requested = true,
 	       ssl_options = #ssl_options{fail_if_no_peer_cert = true}} = State, 
 	Connection) ->
     %% We expect a certificate here
     handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection);
 certify(internal, #client_key_exchange{exchange_keys = Keys},
-	State = #state{key_algorithm = KeyAlg, negotiated_version = Version}, Connection) ->
+	State = #state{handshake_env = #handshake_env{kex_algorithm = KeyAlg}, 
+                       connection_env = #connection_env{negotiated_version = Version}}, Connection) ->
     try
 	certify_client_key_exchange(ssl_handshake:decode_client_key(Keys, KeyAlg, ssl:tls_version(Version)),
 				    State, Connection)
@@ -957,69 +1139,70 @@ cipher(info, Msg, State, _) ->
     handle_info(Msg, ?FUNCTION_NAME, State);
 cipher(internal, #certificate_verify{signature = Signature, 
 				     hashsign_algorithm = CertHashSign},
-       #state{role = server,
-	      key_algorithm = KexAlg,
-	      public_key_info = PublicKeyInfo,
-	      negotiated_version = Version,
-	      session = #session{master_secret = MasterSecret},
-	      tls_handshake_history = Handshake
+       #state{static_env = #static_env{role = server},
+              handshake_env = #handshake_env{tls_handshake_history = Hist,
+                                             kex_algorithm = KexAlg,
+                                             public_key_info = PubKeyInfo} = HsEnv,
+              connection_env = #connection_env{negotiated_version = Version},
+	      session = #session{master_secret = MasterSecret}
 	     } = State, Connection) ->
     
     TLSVersion = ssl:tls_version(Version),
     %% Use negotiated value if TLS-1.2 otherwhise return default
-    HashSign = negotiated_hashsign(CertHashSign, KexAlg, PublicKeyInfo, TLSVersion),
-    case ssl_handshake:certificate_verify(Signature, PublicKeyInfo,
-					  TLSVersion, HashSign, MasterSecret, Handshake) of
+    HashSign = negotiated_hashsign(CertHashSign, KexAlg, PubKeyInfo, TLSVersion),
+    case ssl_handshake:certificate_verify(Signature, PubKeyInfo,
+					  TLSVersion, HashSign, MasterSecret, Hist) of
 	valid ->
 	    Connection:next_event(?FUNCTION_NAME, no_record,
-				  State#state{cert_hashsign_algorithm = HashSign});
+				  State#state{handshake_env = HsEnv#handshake_env{cert_hashsign_algorithm = HashSign}});
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)
     end;
 %% client must send a next protocol message if we are expecting it
 cipher(internal, #finished{},
-       #state{role = server, expecting_next_protocol_negotiation = true,
-	      negotiated_protocol = undefined, negotiated_version = Version} = State0,
+       #state{static_env = #static_env{role = server},
+              handshake_env = #handshake_env{expecting_next_protocol_negotiation = true,
+                                             negotiated_protocol = undefined},
+              connection_env = #connection_env{negotiated_version = Version}} = State0,
        _Connection) ->
     handle_own_alert(?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE), Version, ?FUNCTION_NAME, State0);
 cipher(internal, #finished{verify_data = Data} = Finished,
-       #state{negotiated_version = Version,
-	      host = Host,
-	      port = Port,
-	      role = Role,
-	      expecting_finished = true,
+       #state{static_env = #static_env{role = Role,
+                                       host = Host,
+                                       port = Port},
+              handshake_env = #handshake_env{tls_handshake_history = Hist,
+                                             expecting_finished = true} = HsEnv,
+              connection_env = #connection_env{negotiated_version = Version},
 	      session = #session{master_secret = MasterSecret}
 	      = Session0,
               ssl_options = SslOpts,
-	      connection_states = ConnectionStates0,
-	      tls_handshake_history = Handshake0} = State, Connection) ->
+	      connection_states = ConnectionStates0} = State, Connection) ->
     case ssl_handshake:verify_connection(ssl:tls_version(Version), Finished,
 					 opposite_role(Role),
 					 get_current_prf(ConnectionStates0, read),
-					 MasterSecret, Handshake0) of
+					 MasterSecret, Hist) of
         verified ->
-	    Session = register_session(Role, host_id(Role, Host, SslOpts), Port, Session0),
+	    Session = handle_session(Role, SslOpts, Host, Port, Session0),
 	    cipher_role(Role, Data, Session, 
-			State#state{expecting_finished = false}, Connection);
+			State#state{handshake_env = HsEnv#handshake_env{expecting_finished = false}}, Connection);
         #alert{} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State)
     end;
 %% only allowed to send next_protocol message after change cipher spec
 %% & before finished message and it is not allowed during renegotiation
 cipher(internal, #next_protocol{selected_protocol = SelectedProtocol},
-       #state{role = server, expecting_next_protocol_negotiation = true,
-	      expecting_finished = true} = State, Connection) ->
-    Connection:next_event(?FUNCTION_NAME, no_record, 
-			  State#state{expecting_next_protocol_negotiation = false,
-                                      negotiated_protocol = SelectedProtocol
-                                     });
-cipher(internal, #change_cipher_spec{type = <<1>>},  #state{connection_states = ConnectionStates0} =
+       #state{static_env = #static_env{role = server},
+              handshake_env = #handshake_env{expecting_finished = true,
+                                             expecting_next_protocol_negotiation = true} = HsEnv} = State, Connection) ->
+    Connection:next_event(?FUNCTION_NAME, no_record,
+			  State#state{handshake_env = HsEnv#handshake_env{negotiated_protocol = SelectedProtocol,
+                                                                          expecting_next_protocol_negotiation = false}});
+cipher(internal, #change_cipher_spec{type = <<1>>},  #state{handshake_env = HsEnv, connection_states = ConnectionStates0} =
 	   State, Connection) ->
     ConnectionStates =
 	ssl_record:activate_pending_connection_state(ConnectionStates0, read, Connection),
-    Connection:next_event(?FUNCTION_NAME, no_record, State#state{connection_states = 
-                                                                     ConnectionStates,
-                                                                 expecting_finished = true});
+    Connection:next_event(?FUNCTION_NAME, no_record, State#state{handshake_env = HsEnv#handshake_env{expecting_finished = true},
+                                                                 connection_states = ConnectionStates});
 cipher(Type, Msg, State, Connection) ->
     handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).
 
@@ -1029,15 +1212,17 @@ cipher(Type, Msg, State, Connection) ->
 			gen_statem:state_function_result().
 %%--------------------------------------------------------------------
 connection({call, RecvFrom}, {recv, N, Timeout},  
-	   #state{protocol_cb = Connection,  socket_options =
-		      #socket_options{active = false}} = State0, Connection) ->
-    Timer = start_or_recv_cancel_timer(Timeout, RecvFrom),
+	   #state{static_env = #static_env{protocol_cb = Connection},
+                  socket_options =
+                      #socket_options{active = false}} = State0, Connection) ->
     passive_receive(State0#state{bytes_to_read = N,
-                                 start_or_recv_from = RecvFrom, 
-                                 timer = Timer}, ?FUNCTION_NAME, Connection);
-connection({call, From}, renegotiate, #state{protocol_cb = Connection} = State, 
+                                 start_or_recv_from = RecvFrom}, ?FUNCTION_NAME, Connection,
+                    [{{timeout, recv}, Timeout, timeout}]);
+
+connection({call, From}, renegotiate, #state{static_env = #static_env{protocol_cb = Connection},
+                                             handshake_env = HsEnv} = State,
 	   Connection) ->
-    Connection:renegotiate(State#state{renegotiation = {true, From}}, []);
+    Connection:renegotiate(State#state{handshake_env = HsEnv#handshake_env{renegotiation = {true, From}}}, []);
 connection({call, From}, peer_certificate, 
 	   #state{session = #session{peer_certificate = Cert}} = State, _) ->
     hibernate_after(?FUNCTION_NAME, State, [{reply, From,  {ok, Cert}}]); 
@@ -1048,35 +1233,36 @@ connection({call, From}, {connection_information, false}, State, _) ->
     Info = connection_info(State),
     hibernate_after(?FUNCTION_NAME, State, [{reply, From, {ok, Info}}]);
 connection({call, From}, negotiated_protocol, 
-	   #state{negotiated_protocol = undefined} = State, _) ->
+	   #state{handshake_env = #handshake_env{negotiated_protocol = undefined}} = State, _) ->
     hibernate_after(?FUNCTION_NAME, State, [{reply, From, {error, protocol_not_negotiated}}]);
 connection({call, From}, negotiated_protocol, 
-	   #state{negotiated_protocol = SelectedProtocol} = State, _) ->
+	   #state{handshake_env = #handshake_env{negotiated_protocol = SelectedProtocol}} = State, _) ->
     hibernate_after(?FUNCTION_NAME, State,
 		    [{reply, From, {ok, SelectedProtocol}}]);
 connection({call, From}, Msg, State, Connection) ->
     handle_call(Msg, From, ?FUNCTION_NAME, State, Connection);
-connection(cast, {internal_renegotiate, WriteState}, #state{protocol_cb = Connection,
+connection(cast, {internal_renegotiate, WriteState}, #state{static_env = #static_env{protocol_cb = Connection},
+                                                            handshake_env = HsEnv,
                                                             connection_states = ConnectionStates} 
            = State, Connection) -> 
-    Connection:renegotiate(State#state{renegotiation = {true, internal},
+    Connection:renegotiate(State#state{handshake_env = HsEnv#handshake_env{renegotiation = {true, internal}},
                                        connection_states = ConnectionStates#{current_write => WriteState}}, []);
 connection(cast, {dist_handshake_complete, DHandle},
            #state{ssl_options = #ssl_options{erl_dist = true},
-                  erl_dist_data = ErlDistData,
+                  connection_env = CEnv,
                   socket_options = SockOpts} = State0, Connection) ->
     process_flag(priority, normal),
     State1 =
         State0#state{
-          socket_options =
-              SockOpts#socket_options{active = true},
-          erl_dist_data = ErlDistData#{dist_handle => DHandle}},
-    {Record, State} = dist_app_data(<<>>, State1),
+          socket_options = SockOpts#socket_options{active = true},
+          connection_env = CEnv#connection_env{erl_dist_handle = DHandle},
+          bytes_to_read = undefined},
+    {Record, State} = read_application_data(<<>>, State1),
     Connection:next_event(connection, Record, State);
 connection(info, Msg, State, _) ->
     handle_info(Msg, ?FUNCTION_NAME, State);
-connection(internal, {recv, _}, State, Connection) ->
-    passive_receive(State, ?FUNCTION_NAME, Connection);
+connection(internal, {recv, Timeout}, State, Connection) ->
+    passive_receive(State, ?FUNCTION_NAME, Connection, [{{timeout, recv}, Timeout, timeout}]);
 connection(Type, Msg, State, Connection) ->
     handle_common_event(Type, Msg, ?FUNCTION_NAME, State, Connection).
 
@@ -1085,22 +1271,6 @@ connection(Type, Msg, State, Connection) ->
 		#state{}, tls_connection | dtls_connection) ->
 		       gen_statem:state_function_result().
 %%--------------------------------------------------------------------
-downgrade(internal, #alert{description = ?CLOSE_NOTIFY},
-	  #state{transport_cb = Transport, socket = Socket,
-		 downgrade = {Pid, From}} = State, _) ->
-    tls_socket:setopts(Transport, Socket, [{active, false}, {packet, 0}, {mode, binary}]),
-    Transport:controlling_process(Socket, Pid),
-    gen_statem:reply(From, {ok, Socket}),
-    stop(normal, State);
-downgrade(timeout, downgrade, #state{downgrade = {_, From}} = State, _) ->
-    gen_statem:reply(From, {error, timeout}),
-    stop(normal, State);
-downgrade(
-  info, {CloseTag, Socket},
-  #state{socket = Socket, close_tag = CloseTag, downgrade = {_, From}} =
-      State, _) ->
-    gen_statem:reply(From, {error, CloseTag}),
-    stop(normal, State);
 downgrade(Type, Event, State, Connection) ->
     handle_common_event(Type, Event, ?FUNCTION_NAME, State, Connection).
 
@@ -1109,95 +1279,87 @@ downgrade(Type, Event, State, Connection) ->
 %% common or unexpected events for the state.
 %%--------------------------------------------------------------------
 handle_common_event(internal, {handshake, {#hello_request{} = Handshake, _}}, connection = StateName,  
-		    #state{role = client} = State, _) ->
+		    #state{static_env = #static_env{role = client}, 
+                           handshake_env = HsEnv} = State, _) ->
     %% Should not be included in handshake history
-    {next_state, StateName, State#state{renegotiation = {true, peer}}, [{next_event, internal, Handshake}]};
-handle_common_event(internal, {handshake, {#hello_request{}, _}}, StateName, #state{role = client}, _) 
+    {next_state, StateName, State#state{handshake_env = HsEnv#handshake_env{renegotiation = {true, peer}}},
+     [{next_event, internal, Handshake}]};
+handle_common_event(internal, {handshake, {#hello_request{}, _}}, StateName,
+                    #state{static_env = #static_env{role = client}}, _)
   when StateName =/= connection ->
-    {keep_state_and_data};
+    keep_state_and_data;
 handle_common_event(internal, {handshake, {Handshake, Raw}}, StateName,
-		    #state{tls_handshake_history = Hs0} = State0,
+		    #state{handshake_env = #handshake_env{tls_handshake_history = Hist0}} = State0,
 		    Connection) ->
    
     PossibleSNI = Connection:select_sni_extension(Handshake),
     %% This function handles client SNI hello extension when Handshake is
     %% a client_hello, which needs to be determined by the connection callback.
     %% In other cases this is a noop
-    State = handle_sni_extension(PossibleSNI, State0),
-    HsHist = ssl_handshake:update_handshake_history(Hs0, iolist_to_binary(Raw)),
-    {next_state, StateName, State#state{tls_handshake_history = HsHist}, 
+    State = #state{handshake_env = HsEnv} = handle_sni_extension(PossibleSNI, State0),
+
+    Hist = ssl_handshake:update_handshake_history(Hist0, Raw),
+    {next_state, StateName, State#state{handshake_env = HsEnv#handshake_env{tls_handshake_history = Hist}}, 
      [{next_event, internal, Handshake}]};
 handle_common_event(internal, {protocol_record, TLSorDTLSRecord}, StateName, State, Connection) -> 
-    Connection:handle_common_event(internal, TLSorDTLSRecord, StateName, State);
+    Connection:handle_protocol_record(TLSorDTLSRecord, StateName, State);
 handle_common_event(timeout, hibernate, _, _, _) ->
     {keep_state_and_data, [hibernate]};
-handle_common_event(internal, {application_data, Data}, StateName, State0, Connection) ->
-    case read_application_data(Data, State0) of
-	{stop, _, _} = Stop->
-            Stop;
-	{Record, State1} ->
-            case Connection:next_event(StateName, Record, State1) of
-                {next_state, StateName, State} ->
-                    hibernate_after(StateName, State, []);
-                {next_state, StateName, State, Actions} -> 
-                    hibernate_after(StateName, State, Actions);
-                {stop, _, _} = Stop ->
-                    Stop
-            end 
-    end;
 handle_common_event(internal, #change_cipher_spec{type = <<1>>}, StateName, 
-		    #state{negotiated_version = Version} = State,  _) ->
+		    #state{connection_env = #connection_env{negotiated_version = Version}} = State,  _) ->
     handle_own_alert(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE), Version, 
 				StateName, State);
-handle_common_event(_Type, Msg, StateName, #state{negotiated_version = Version} = State, 
+handle_common_event({timeout, handshake}, close, _StateName, #state{start_or_recv_from = StartFrom} = State, _) ->
+    {stop_and_reply,
+     {shutdown, user_timeout},
+     {reply, StartFrom, {error, timeout}}, State#state{start_or_recv_from = undefined}};
+handle_common_event({timeout, recv}, timeout, StateName, #state{start_or_recv_from = RecvFrom} = State, _) ->
+    {next_state, StateName, State#state{start_or_recv_from = undefined,
+                                        bytes_to_read = undefined}, [{reply, RecvFrom, {error, timeout}}]};
+handle_common_event(Type, Msg, StateName, #state{connection_env =
+                                                      #connection_env{negotiated_version = Version}} = State, 
 		    _) ->
-    Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE, {unexpected_msg, Msg}),
+    Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE, {unexpected_msg, {Type,Msg}}),
     handle_own_alert(Alert, Version, StateName, State).
 
 handle_call({application_data, _Data}, _, _, _, _) ->
     %% In renegotiation priorities handshake, send data when handshake is finished
     {keep_state_and_data, [postpone]};
-handle_call({close, {Pid, Timeout}}, From, StateName, State0, Connection) when is_pid(Pid) ->
-    %% terminate will send close alert to peer
-    State = State0#state{downgrade = {Pid, From}},
-    Connection:terminate(downgrade, StateName, State),
-    %% User downgrades connection
-    %% When downgrading an TLS connection to a transport connection
-    %% we must recive the close alert from the peer before releasing the 
-    %% transport socket.
-    {next_state, downgrade, State#state{terminated = true}, [{timeout, Timeout, downgrade}]};
-handle_call({close, _} = Close, From, StateName, State, _Connection) ->
+handle_call({close, _} = Close, From, StateName, #state{connection_env = CEnv} = State, _Connection) ->
     %% Run terminate before returning so that the reuseaddr
     %% inet-option works properly
     Result = terminate(Close, StateName, State),
-    stop_and_reply(
-      {shutdown, normal},
-      {reply, From, Result}, State#state{terminated = true});
+    {stop_and_reply,
+     {shutdown, normal},
+     {reply, From, Result}, State#state{connection_env = CEnv#connection_env{terminated = true}}};
 handle_call({shutdown, read_write = How}, From, StateName,
-	    #state{transport_cb = Transport,
-		   socket = Socket} = State, _) ->
-
+	    #state{static_env = #static_env{transport_cb = Transport,
+                                            socket = Socket},
+                   connection_env = CEnv} = State, _) ->
     try send_alert(?ALERT_REC(?WARNING, ?CLOSE_NOTIFY),
-                       StateName, State) of
+                   StateName, State) of
         _ -> 
             case Transport:shutdown(Socket, How) of
                 ok ->
-                    {next_state, StateName, State#state{terminated = true}, [{reply, From, ok}]};
+                    {next_state, StateName, State#state{connection_env = 
+                                                            CEnv#connection_env{terminated = true}},
+                     [{reply, From, ok}]};
                 Error ->
-                    {stop, StateName, State#state{terminated = true}, [{reply, From, Error}]}
+                    {stop_and_reply, {shutdown, normal}, {reply, From, Error}, 
+                     State#state{connection_env = CEnv#connection_env{terminated = true}}}
             end
     catch
         throw:Return ->
             Return
     end;
 handle_call({shutdown, How0}, From, StateName,
-	    #state{transport_cb = Transport,
-		   socket = Socket} = State, _) ->
+	    #state{static_env = #static_env{transport_cb = Transport,
+                                            socket = Socket}} = State, _) ->
     case Transport:shutdown(Socket, How0) of
 	ok ->
 	    {next_state, StateName, State, [{reply, From, ok}]};
 	Error ->
-            {stop, StateName, State, [{reply, From, Error}]}
+            {stop_and_reply, {shutdown, normal}, {reply, From, Error}, State}
     end;
 handle_call({recv, _N, _Timeout}, From, _,  
 		  #state{socket_options = 
@@ -1206,40 +1368,47 @@ handle_call({recv, _N, _Timeout}, From, _,
 handle_call({recv, N, Timeout}, RecvFrom, StateName, State, _) ->
     %% Doing renegotiate wait with handling request until renegotiate is
     %% finished. 
-    Timer = start_or_recv_cancel_timer(Timeout, RecvFrom),
-    {next_state, StateName, State#state{bytes_to_read = N, start_or_recv_from = RecvFrom,
-					timer = Timer}, 
-     [{next_event, internal, {recv, RecvFrom}}]};
+    {next_state, StateName, State#state{bytes_to_read = N, start_or_recv_from = RecvFrom}, 
+     [{next_event, internal, {recv, RecvFrom}} , {{timeout, recv}, Timeout, timeout}]};
 handle_call({new_user, User}, From, StateName, 
-		  State =#state{user_application = {OldMon, _}}, _) ->
+            State = #state{connection_env = #connection_env{user_application = {OldMon, _}} = CEnv}, _) ->
     NewMon = erlang:monitor(process, User),
     erlang:demonitor(OldMon, [flush]),
-    {next_state, StateName, State#state{user_application = {NewMon,User}},
+    {next_state, StateName, State#state{connection_env = CEnv#connection_env{user_application = {NewMon, User}}},
      [{reply, From, ok}]};
 handle_call({get_opts, OptTags}, From, _,
-		  #state{socket = Socket,
-			 transport_cb = Transport,
+            #state{static_env = #static_env{socket = Socket,
+                                            transport_cb = Transport},
 			 socket_options = SockOpts}, Connection) ->
     OptsReply = get_socket_opts(Connection, Transport, Socket, OptTags, SockOpts, []),
     {keep_state_and_data, [{reply, From, OptsReply}]};
 handle_call({set_opts, Opts0}, From, StateName, 
-	    #state{socket_options = Opts1, 
-			 socket = Socket,
-			 transport_cb = Transport} = State0, Connection) ->
+	    #state{static_env =  #static_env{socket = Socket,
+                                            transport_cb = Transport,
+                                            tracker = Tracker},
+                   connection_env = 
+                       #connection_env{user_application = {_Mon, Pid}},
+                   socket_options = Opts1
+                  } = State0, Connection) ->
     {Reply, Opts} = set_socket_opts(Connection, Transport, Socket, Opts0, Opts1, []),
+    case {proplists:lookup(active, Opts0), Opts} of
+        {{_, N}, #socket_options{active=false}} when is_integer(N) ->
+            send_user(
+              Pid,
+              format_passive(
+                Connection:pids(State0), Transport, Socket, Tracker, Connection));
+        _ ->
+            ok
+    end,
     State = State0#state{socket_options = Opts},
     handle_active_option(Opts#socket_options.active, StateName, From, Reply, State);
     
 handle_call(renegotiate, From, StateName, _, _) when StateName =/= connection ->
     {keep_state_and_data, [{reply, From, {error, already_renegotiating}}]};
 
-handle_call(get_sslsocket, From, _StateName, State, Connection) ->
-    SslSocket = Connection:socket(State),
-    {keep_state_and_data, [{reply, From, SslSocket}]};
-
 handle_call({prf, Secret, Label, Seed, WantedLength}, From, _,
 	    #state{connection_states = ConnectionStates,
-		   negotiated_version = Version}, _) ->
+		   connection_env = #connection_env{negotiated_version = Version}}, _) ->
     #{security_parameters := SecParams} =
 	ssl_record:current_connection_state(ConnectionStates, read),
     #security_parameters{master_secret = MasterSecret,
@@ -1266,70 +1435,59 @@ handle_call(_,_,_,_,_) ->
     {keep_state_and_data, [postpone]}.
 
 handle_info({ErrorTag, Socket, econnaborted}, StateName,  
-	    #state{socket = Socket, transport_cb = Transport,
-		   protocol_cb = Connection,
-		   start_or_recv_from = StartFrom, role = Role,
-		   error_tag = ErrorTag,
-		   tracker = Tracker} = State)  when StateName =/= connection ->
+	    #state{static_env = #static_env{role = Role,
+                                            socket = Socket,
+                                            transport_cb = Transport,
+                                            error_tag = ErrorTag,
+                                            tracker = Tracker,
+                                            protocol_cb = Connection},
+		   start_or_recv_from = StartFrom
+		  } = State)  when StateName =/= connection ->
     Pids = Connection:pids(State),
     alert_user(Pids, Transport, Tracker,Socket, 
 	       StartFrom, ?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), Role, Connection),
-    stop(normal, State);
+    {stop, {shutdown, normal}, State};
 
-handle_info({ErrorTag, Socket, Reason}, StateName, #state{socket = Socket,
-							  error_tag = ErrorTag} = State)  ->
+handle_info({ErrorTag, Socket, Reason}, StateName, #state{static_env = #static_env{socket = Socket,
+                                                                                   error_tag = ErrorTag}} = State)  ->
     Report = io_lib:format("SSL: Socket error: ~p ~n", [Reason]),
-    error_logger:error_report(Report),
+    ?LOG_ERROR(Report),
     handle_normal_shutdown(?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), StateName, State),
-    stop(normal, State);
+    {stop, {shutdown,normal}, State};
 
 handle_info({'DOWN', MonitorRef, _, _, Reason}, _,
-            #state{user_application = {MonitorRef, _Pid},
+            #state{connection_env = #connection_env{user_application = {MonitorRef, _Pid}},
                    ssl_options = #ssl_options{erl_dist = true}}) ->
     {stop, {shutdown, Reason}};
 handle_info({'DOWN', MonitorRef, _, _, _}, _,
-            #state{user_application = {MonitorRef, _Pid}}) ->
-    {stop, normal};
+            #state{connection_env = #connection_env{user_application = {MonitorRef, _Pid}}}) ->
+    {stop, {shutdown, normal}};
 handle_info({'EXIT', Pid, _Reason}, StateName,
-            #state{user_application = {_MonitorRef, Pid}} = State) ->
+            #state{connection_env = #connection_env{user_application = {_MonitorRef, Pid}}} = State) ->
     %% It seems the user application has linked to us
     %% - ignore that and let the monitor handle this
     {next_state, StateName, State};
 %%% So that terminate will be run when supervisor issues shutdown
 handle_info({'EXIT', _Sup, shutdown}, _StateName, State) ->
-    stop(shutdown, State);
-handle_info({'EXIT', Socket, normal}, _StateName, #state{socket = Socket} = State) ->
+    {stop, shutdown, State};
+handle_info({'EXIT', Socket, normal}, _StateName, #state{static_env = #static_env{socket = Socket}} = State) ->
     %% Handle as transport close"
-    stop({shutdown, transport_closed}, State);
-handle_info({'EXIT', Socket, Reason}, _StateName, #state{socket = Socket} = State) ->
-    stop({shutdown, Reason}, State);
-
-handle_info(allow_renegotiate, StateName, State) ->
-    {next_state, StateName, State#state{allow_renegotiate = true}};
-
-handle_info({cancel_start_or_recv, StartFrom}, StateName,
-	    #state{renegotiation = {false, first}} = State) when StateName =/= connection ->
-    stop_and_reply(
-      {shutdown, user_timeout},
-      {reply, StartFrom, {error, timeout}},
-      State#state{timer = undefined});
-handle_info({cancel_start_or_recv, RecvFrom}, StateName, 
-	    #state{start_or_recv_from = RecvFrom} = State) when RecvFrom =/= undefined ->
-    {next_state, StateName, State#state{start_or_recv_from = undefined,
-					bytes_to_read = undefined,
-					timer = undefined}, [{reply, RecvFrom, {error, timeout}}]};
-handle_info({cancel_start_or_recv, _RecvFrom}, StateName, State) ->
-    {next_state, StateName, State#state{timer = undefined}};
+    {stop,{shutdown, transport_closed}, State};
+handle_info({'EXIT', Socket, Reason}, _StateName, #state{static_env = #static_env{socket = Socket}} = State) ->
+    {stop,{shutdown, Reason}, State};
 
-handle_info(Msg, StateName, #state{socket = Socket, error_tag = Tag} = State) ->
+handle_info(allow_renegotiate, StateName, #state{handshake_env = HsEnv} = State) ->
+    {next_state, StateName, State#state{handshake_env = HsEnv#handshake_env{allow_renegotiate = true}}};
+
+handle_info(Msg, StateName, #state{static_env = #static_env{socket = Socket, error_tag = Tag}} = State) ->
     Report = io_lib:format("SSL: Got unexpected info: ~p ~n", [{Msg, Tag, Socket}]),
-    error_logger:info_report(Report),
+    ?LOG_NOTICE(Report),
     {next_state, StateName, State}.
 
 %%====================================================================
 %% general gen_statem callbacks
 %%====================================================================
-terminate(_, _, #state{terminated = true}) ->
+terminate(_, _, #state{connection_env = #connection_env{terminated = true}}) ->
     %% Happens when user closes the connection using ssl:close/1
     %% we want to guarantee that Transport:close has been called
     %% when ssl:close/1 returns unless it is a downgrade where
@@ -1338,14 +1496,15 @@ terminate(_, _, #state{terminated = true}) ->
     %% before run by gen_statem which will end up here
     ok;
 terminate({shutdown, transport_closed} = Reason, 
-	  _StateName, #state{protocol_cb = Connection,
-			     socket = Socket, transport_cb = Transport} = State) ->
+	  _StateName, #state{static_env = #static_env{protocol_cb = Connection,
+                                                      socket = Socket,
+                                                      transport_cb = Transport}} = State) ->
     handle_trusted_certs_db(State),
     Connection:close(Reason, Socket, Transport, undefined, undefined);
 terminate({shutdown, own_alert}, _StateName, #state{
-						protocol_cb = Connection,
-						socket = Socket, 
-						transport_cb = Transport} = State) ->
+						static_env = #static_env{protocol_cb = Connection,
+                                                                         socket = Socket,
+                                                                         transport_cb = Transport}} = State) ->
     handle_trusted_certs_db(State),
     case application:get_env(ssl, alert_timeout) of
 	{ok, Timeout} when is_integer(Timeout) ->
@@ -1353,23 +1512,27 @@ terminate({shutdown, own_alert}, _StateName, #state{
 	_ ->
 	    Connection:close({timeout, ?DEFAULT_TIMEOUT}, Socket, Transport, undefined, undefined)
     end;
-terminate(downgrade = Reason, connection, #state{protocol_cb = Connection,
-                                        transport_cb = Transport, socket = Socket
-                                       } = State) ->
+terminate({shutdown, downgrade = Reason}, downgrade, #state{static_env = #static_env{protocol_cb = Connection,
+                                                                                     transport_cb = Transport,
+                                                                                     socket = Socket}
+                                                           } = State) ->
     handle_trusted_certs_db(State),
     Connection:close(Reason, Socket, Transport, undefined, undefined);
-terminate(Reason, connection, #state{protocol_cb = Connection,
+terminate(Reason, connection, #state{static_env = #static_env{
+                                                     protocol_cb = Connection,
+                                                     transport_cb = Transport,
+                                                     socket = Socket},
                                      connection_states = ConnectionStates,
-                                     ssl_options = #ssl_options{padding_check = Check},
-                                     transport_cb = Transport, socket = Socket
+                                     ssl_options = #ssl_options{padding_check = Check}
                                     } = State) ->
     handle_trusted_certs_db(State),
     Alert = terminate_alert(Reason),
     %% Send the termination ALERT if possible
-    catch (Connection:send_alert_in_connection(Alert, State)),
+    catch (ok = Connection:send_alert_in_connection(Alert, State)),
     Connection:close({timeout, ?DEFAULT_TIMEOUT}, Socket, Transport, ConnectionStates, Check);
-terminate(Reason, _StateName, #state{transport_cb = Transport, protocol_cb = Connection,
-				     socket = Socket 
+terminate(Reason, _StateName, #state{static_env = #static_env{transport_cb = Transport,
+                                                              protocol_cb = Connection,
+                                                              socket = Socket}
 				    } = State) ->
     handle_trusted_certs_db(State),
     Connection:close(Reason, Socket, Transport, undefined, undefined).
@@ -1388,14 +1551,9 @@ format_status(terminate, [_, StateName, State]) ->
     [{data, [{"State", {StateName, State#state{connection_states = ?SECRET_PRINTOUT,
 					       protocol_buffers =  ?SECRET_PRINTOUT,
 					       user_data_buffer = ?SECRET_PRINTOUT,
-					       tls_handshake_history =  ?SECRET_PRINTOUT,
+					       handshake_env =  ?SECRET_PRINTOUT,
+                                               connection_env = ?SECRET_PRINTOUT,
 					       session =  ?SECRET_PRINTOUT,
-					       private_key =  ?SECRET_PRINTOUT,
-					       diffie_hellman_params = ?SECRET_PRINTOUT,
-					       diffie_hellman_keys =  ?SECRET_PRINTOUT,
-					       srp_params = ?SECRET_PRINTOUT,
-					       srp_keys =  ?SECRET_PRINTOUT,
-					       premaster_secret =  ?SECRET_PRINTOUT,
 					       ssl_options = NewOptions,
 					       flight_buffer =  ?SECRET_PRINTOUT}
 		       }}]}].
@@ -1403,16 +1561,16 @@ format_status(terminate, [_, StateName, State]) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-send_alert(Alert, connection, #state{protocol_cb = Connection} = State) ->
+send_alert(Alert, connection, #state{static_env = #static_env{protocol_cb = Connection}} = State) ->
      Connection:send_alert_in_connection(Alert, State);
-send_alert(Alert, _, #state{protocol_cb = Connection} = State) ->
+send_alert(Alert, _, #state{static_env = #static_env{protocol_cb = Connection}} = State) ->
     Connection:send_alert(Alert, State).
 
-connection_info(#state{sni_hostname = SNIHostname, 
-		       session = #session{session_id = SessionId,
+connection_info(#state{static_env = #static_env{protocol_cb = Connection},
+                       handshake_env = #handshake_env{sni_hostname = SNIHostname},
+                       session = #session{session_id = SessionId,
                                           cipher_suite = CipherSuite, ecc = ECCCurve},
-		       protocol_cb = Connection,
-		       negotiated_version =  {_,_} = Version, 
+		       connection_env = #connection_env{negotiated_version =  {_,_} = Version}, 
 		       ssl_options = Opts}) ->
     RecordCB = record_cb(Connection),
     CipherSuiteDef = #{key_exchange := KexAlg} = ssl_cipher_format:suite_definition(CipherSuite),
@@ -1438,18 +1596,24 @@ security_info(#state{connection_states = ConnectionStates}) ->
 	ssl_record:current_connection_state(ConnectionStates, read),
     [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}].
 
-do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocols} =
+do_server_hello(Type, #{next_protocol_negotiation := NextProtocols} =
 		    ServerHelloExt,
-		#state{negotiated_version = Version,
+		#state{connection_env = #connection_env{negotiated_version = Version},
+                       handshake_env = HsEnv,
 		       session = #session{session_id = SessId},
-		       connection_states = ConnectionStates0}
+		       connection_states = ConnectionStates0,
+                       ssl_options = #ssl_options{versions = [HighestVersion|_]}}
 		= State0, Connection) when is_atom(Type) ->
-
+    %% TLS 1.3 - Section 4.1.3
+    %% Override server random values for TLS 1.3 downgrade protection mechanism.
+    ConnectionStates1 = update_server_random(ConnectionStates0, Version, HighestVersion),
+    State1 = State0#state{connection_states = ConnectionStates1},
     ServerHello =
-	ssl_handshake:server_hello(SessId, ssl:tls_version(Version), ConnectionStates0, ServerHelloExt),
+	ssl_handshake:server_hello(SessId, ssl:tls_version(Version),
+                                   ConnectionStates1, ServerHelloExt),
     State = server_hello(ServerHello,
-			 State0#state{expecting_next_protocol_negotiation =
-					  NextProtocols =/= undefined}, Connection),
+			 State1#state{handshake_env = HsEnv#handshake_env{expecting_next_protocol_negotiation =
+                                                                              NextProtocols =/= undefined}}, Connection),
     case Type of
 	new ->
 	    new_server_hello(ServerHello, State, Connection);
@@ -1457,11 +1621,65 @@ do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocol
 	    resumed_server_hello(State, Connection)
     end.
 
+update_server_random(#{pending_read := #{security_parameters := ReadSecParams0} =
+                           ReadState0,
+                       pending_write := #{security_parameters := WriteSecParams0} =
+                           WriteState0} = ConnectionStates,
+                     Version, HighestVersion) ->
+    ReadRandom = override_server_random(
+                   ReadSecParams0#security_parameters.server_random,
+                   Version,
+                   HighestVersion),
+    WriteRandom = override_server_random(
+                    WriteSecParams0#security_parameters.server_random,
+                    Version,
+                    HighestVersion),
+    ReadSecParams = ReadSecParams0#security_parameters{server_random = ReadRandom},
+    WriteSecParams = WriteSecParams0#security_parameters{server_random = WriteRandom},
+    ReadState = ReadState0#{security_parameters => ReadSecParams},
+    WriteState = WriteState0#{security_parameters => WriteSecParams},
+
+    ConnectionStates#{pending_read => ReadState, pending_write => WriteState}.
+
+%% TLS 1.3 - Section 4.1.3
+%%
+%% If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
+%% of their Random value to the bytes:
+%%
+%%   44 4F 57 4E 47 52 44 01
+%%
+%% If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
+%% servers SHOULD set the last eight bytes of their Random value to the
+%% bytes:
+%%
+%%   44 4F 57 4E 47 52 44 00
+override_server_random(<<Random0:24/binary,_:8/binary>> = Random, {M,N}, {Major,Minor})
+  when Major > 3 orelse Major =:= 3 andalso Minor >= 4 -> %% TLS 1.3 or above
+    if M =:= 3 andalso N =:= 3 ->                         %% Negotating TLS 1.2
+            Down = ?RANDOM_OVERRIDE_TLS12,
+            <<Random0/binary,Down/binary>>;
+       M =:= 3 andalso N < 3 ->                           %% Negotating TLS 1.1 or prior
+            Down = ?RANDOM_OVERRIDE_TLS11,
+            <<Random0/binary,Down/binary>>;
+       true ->
+            Random
+    end;
+override_server_random(<<Random0:24/binary,_:8/binary>> = Random, {M,N}, {Major,Minor})
+  when Major =:= 3 andalso Minor =:= 3 ->   %% TLS 1.2
+    if M =:= 3 andalso N < 3 ->             %% Negotating TLS 1.1 or prior
+            Down = ?RANDOM_OVERRIDE_TLS11,
+            <<Random0/binary,Down/binary>>;
+       true ->
+            Random
+    end;
+override_server_random(Random, _, _) ->
+    Random.
+
 new_server_hello(#server_hello{cipher_suite = CipherSuite,
 			      compression_method = Compression,
 			      session_id = SessionId},
-		#state{session = Session0,
-		       negotiated_version = Version} = State0, Connection) ->
+                 #state{session = Session0,
+                        connection_env = #connection_env{negotiated_version = Version}} = State0, Connection) ->
     try server_certify_and_key_exchange(State0, Connection) of
         #state{} = State1 ->
             {State, Actions} = server_hello_done(State1, Connection),
@@ -1477,7 +1695,7 @@ new_server_hello(#server_hello{cipher_suite = CipherSuite,
 
 resumed_server_hello(#state{session = Session,
 			    connection_states = ConnectionStates0,
-			    negotiated_version = Version} = State0, Connection) ->
+			    connection_env = #connection_env{negotiated_version = Version}} = State0, Connection) ->
 
     case ssl_handshake:master_secret(ssl:tls_version(Version), Session,
 				     ConnectionStates0, server) of
@@ -1494,19 +1712,20 @@ resumed_server_hello(#state{session = Session,
 server_hello(ServerHello, State0, Connection) ->
     CipherSuite = ServerHello#server_hello.cipher_suite,
     #{key_exchange := KeyAlgorithm}  = ssl_cipher_format:suite_definition(CipherSuite),
-    State = Connection:queue_handshake(ServerHello, State0),
-    State#state{key_algorithm = KeyAlgorithm}.
+    #state{handshake_env = HsEnv} = State = Connection:queue_handshake(ServerHello, State0),
+    State#state{handshake_env = HsEnv#handshake_env{kex_algorithm = KeyAlgorithm}}.
 
 server_hello_done(State, Connection) ->
     HelloDone = ssl_handshake:server_hello_done(),
     Connection:send_handshake(HelloDone, State).
 
 handle_peer_cert(Role, PeerCert, PublicKeyInfo,
-		 #state{session = #session{cipher_suite = CipherSuite} = Session} = State0,
+		 #state{handshake_env = HsEnv,
+                    session = #session{cipher_suite = CipherSuite} = Session} = State0,
 		 Connection) ->
-    State1 = State0#state{session =
-			 Session#session{peer_certificate = PeerCert},
-			 public_key_info = PublicKeyInfo},
+    State1 = State0#state{handshake_env = HsEnv#handshake_env{public_key_info = PublicKeyInfo},
+                          session =
+                              Session#session{peer_certificate = PeerCert}},
     #{key_exchange := KeyAlgorithm} = ssl_cipher_format:suite_definition(CipherSuite),
     State = handle_peer_cert_key(Role, PeerCert, PublicKeyInfo, KeyAlgorithm, State1),
     Connection:next_event(certify, no_record, State).
@@ -1514,27 +1733,20 @@ handle_peer_cert(Role, PeerCert, PublicKeyInfo,
 handle_peer_cert_key(client, _,
 		     {?'id-ecPublicKey',  #'ECPoint'{point = _ECPoint} = PublicKey,
 		      PublicKeyParams},
-		     KeyAlg, #state{session = Session} = State)  when KeyAlg == ecdh_rsa;
+		     KeyAlg, #state{handshake_env = HsEnv,
+                                    session = Session} = State)  when KeyAlg == ecdh_rsa;
                                                                       KeyAlg == ecdh_ecdsa ->
     ECDHKey = public_key:generate_key(PublicKeyParams),
     PremasterSecret = ssl_handshake:premaster_secret(PublicKey, ECDHKey),
-    master_secret(PremasterSecret, State#state{diffie_hellman_keys = ECDHKey,
+    master_secret(PremasterSecret, State#state{handshake_env = HsEnv#handshake_env{kex_keys = ECDHKey},
                                                session = Session#session{ecc = PublicKeyParams}});
-%% We do currently not support cipher suites that use fixed DH.
-%% If we want to implement that the following clause can be used
-%% to extract DH parameters form cert.
-%% handle_peer_cert_key(client, _PeerCert, {?dhpublicnumber, PublicKey, PublicKeyParams},
-%%                      {_,SignAlg},
-%% 		        #state{diffie_hellman_keys = {_, MyPrivatKey}} = State) when
-%%                                                                           SignAlg == dh_rsa;
-%% 									     SignAlg == dh_dss ->
-%%     dh_master_secret(PublicKeyParams, PublicKey, MyPrivatKey, State);
 handle_peer_cert_key(_, _, _, _, State) ->
     State.
 
-certify_client(#state{client_certificate_requested = true, role = client,
-		      cert_db = CertDbHandle,
-                      cert_db_ref = CertDbRef,
+certify_client(#state{static_env = #static_env{role = client,
+                                               cert_db = CertDbHandle,
+                                               cert_db_ref = CertDbRef},
+                      client_certificate_requested = true,
 		      session = #session{own_certificate = OwnCert}}
 	       = State, Connection) ->
     Certificate = ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, client),
@@ -1542,16 +1754,17 @@ certify_client(#state{client_certificate_requested = true, role = client,
 certify_client(#state{client_certificate_requested = false} = State, _) ->
     State.
 
-verify_client_cert(#state{client_certificate_requested = true, role = client,
-			  negotiated_version = Version,
-			  private_key = PrivateKey,
+verify_client_cert(#state{static_env = #static_env{role = client},
+                          handshake_env = #handshake_env{tls_handshake_history = Hist,
+                                                         cert_hashsign_algorithm = HashSign},
+                          connection_env = #connection_env{negotiated_version = Version,
+                                                           private_key = PrivateKey},
+                          client_certificate_requested = true,
 			  session = #session{master_secret = MasterSecret,
-					     own_certificate = OwnCert},
-			  cert_hashsign_algorithm = HashSign,
-			  tls_handshake_history = Handshake0} = State, Connection) ->
+					     own_certificate = OwnCert}} = State, Connection) ->
 
     case ssl_handshake:client_certificate_verify(OwnCert, MasterSecret,
-						 ssl:tls_version(Version), HashSign, PrivateKey, Handshake0) of
+						 ssl:tls_version(Version), HashSign, PrivateKey, Hist) of
         #certificate_verify{} = Verified ->
            Connection:queue_handshake(Verified, State);
 	ignore ->
@@ -1562,7 +1775,7 @@ verify_client_cert(#state{client_certificate_requested = true, role = client,
 verify_client_cert(#state{client_certificate_requested = false} = State, _) ->
     State.
 
-client_certify_and_key_exchange(#state{negotiated_version = Version} =
+client_certify_and_key_exchange(#state{connection_env = #connection_env{negotiated_version = Version}} =
 				State0, Connection) ->
     try do_client_certify_and_key_exchange(State0, Connection) of
         State1 = #state{} ->
@@ -1587,7 +1800,9 @@ server_certify_and_key_exchange(State0, Connection) ->
     request_client_cert(State2, Connection).
 
 certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS},
-			    #state{private_key = Key, client_hello_version = {Major, Minor} = Version} = State, Connection) ->
+			    #state{connection_env = #connection_env{private_key = Key}, 
+                                   handshake_env = #handshake_env{client_hello_version = {Major, Minor} = Version}}
+                            = State, Connection) ->
     FakeSecret = make_premaster_secret(Version, rsa),
     %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret
     %% and fail handshake later.RFC 5246 section 7.4.7.1.
@@ -1608,14 +1823,15 @@ certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS
         end,    
     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
 certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey},
-			    #state{diffie_hellman_params = #'DHParameter'{} = Params,
-				   diffie_hellman_keys = {_, ServerDhPrivateKey}} = State,
+			    #state{handshake_env = #handshake_env{diffie_hellman_params = #'DHParameter'{} = Params,
+                                                                  kex_keys = {_, ServerDhPrivateKey}}
+				  } = State,
 			    Connection) ->
     PremasterSecret = ssl_handshake:premaster_secret(ClientPublicDhKey, ServerDhPrivateKey, Params),
     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
 
 certify_client_key_exchange(#client_ec_diffie_hellman_public{dh_public = ClientPublicEcDhPoint},
-			    #state{diffie_hellman_keys = ECDHKey} = State, Connection) ->
+			    #state{handshake_env = #handshake_env{kex_keys = ECDHKey}} = State, Connection) ->
     PremasterSecret = ssl_handshake:premaster_secret(#'ECPoint'{point = ClientPublicEcDhPoint}, ECDHKey),
     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
 certify_client_key_exchange(#client_psk_identity{} = ClientKey,
@@ -1625,8 +1841,8 @@ certify_client_key_exchange(#client_psk_identity{} = ClientKey,
     PremasterSecret = ssl_handshake:premaster_secret(ClientKey, PSKLookup),
     calculate_master_secret(PremasterSecret, State0, Connection, certify, cipher);
 certify_client_key_exchange(#client_dhe_psk_identity{} = ClientKey,
-			    #state{diffie_hellman_params = #'DHParameter'{} = Params,
-				   diffie_hellman_keys = {_, ServerDhPrivateKey},
+			    #state{handshake_env = #handshake_env{diffie_hellman_params = #'DHParameter'{} = Params,
+                                                                  kex_keys = {_, ServerDhPrivateKey}},
 				   ssl_options = 
 				       #ssl_options{user_lookup_fun = PSKLookup}} = State0,
 			    Connection) ->
@@ -1634,7 +1850,7 @@ certify_client_key_exchange(#client_dhe_psk_identity{} = ClientKey,
 	ssl_handshake:premaster_secret(ClientKey, ServerDhPrivateKey, Params, PSKLookup),
     calculate_master_secret(PremasterSecret, State0, Connection, certify, cipher);
 certify_client_key_exchange(#client_ecdhe_psk_identity{} = ClientKey,
-			    #state{diffie_hellman_keys = ServerEcDhPrivateKey,
+			    #state{handshake_env = #handshake_env{kex_keys = ServerEcDhPrivateKey},
 				   ssl_options =
 				       #ssl_options{user_lookup_fun = PSKLookup}} = State,
 			    Connection) ->
@@ -1642,28 +1858,29 @@ certify_client_key_exchange(#client_ecdhe_psk_identity{} = ClientKey,
 	ssl_handshake:premaster_secret(ClientKey, ServerEcDhPrivateKey, PSKLookup),
     calculate_master_secret(PremasterSecret, State, Connection, certify, cipher);
 certify_client_key_exchange(#client_rsa_psk_identity{} = ClientKey,
-			    #state{private_key = Key,
+			    #state{connection_env = #connection_env{private_key = Key},
 				   ssl_options = 
 				       #ssl_options{user_lookup_fun = PSKLookup}} = State0,
 			    Connection) ->
     PremasterSecret = ssl_handshake:premaster_secret(ClientKey, Key, PSKLookup),
     calculate_master_secret(PremasterSecret, State0, Connection, certify, cipher);
 certify_client_key_exchange(#client_srp_public{} = ClientKey,
-			    #state{srp_params = Params,
-				   srp_keys = Key
+			    #state{handshake_env = #handshake_env{srp_params = Params,
+                                                                  kex_keys = Key}
 				  } = State0, Connection) ->
     PremasterSecret = ssl_handshake:premaster_secret(ClientKey, Key, Params),
     calculate_master_secret(PremasterSecret, State0, Connection, certify, cipher).
 
-certify_server(#state{key_algorithm = Algo} = State, _) when Algo == dh_anon; 
-							     Algo == ecdh_anon; 
-							     Algo == psk; 
-							     Algo == dhe_psk; 
-							     Algo == ecdhe_psk; 
-							     Algo == srp_anon  ->
+certify_server(#state{handshake_env = #handshake_env{kex_algorithm = KexAlg}} = 
+                   State, _) when KexAlg == dh_anon; 
+                                  KexAlg == ecdh_anon; 
+                                  KexAlg == psk; 
+                                  KexAlg == dhe_psk; 
+                                  KexAlg == ecdhe_psk; 
+                                  KexAlg == srp_anon  ->
     State;
-certify_server(#state{cert_db = CertDbHandle,
-		      cert_db_ref = CertDbRef,
+certify_server(#state{static_env = #static_env{cert_db = CertDbHandle,
+                                               cert_db_ref = CertDbRef},
 		      session = #session{own_certificate = OwnCert}} = State, Connection) ->
     case ssl_handshake:certificate(OwnCert, CertDbHandle, CertDbRef, server) of
 	Cert = #certificate{} ->
@@ -1672,18 +1889,19 @@ certify_server(#state{cert_db = CertDbHandle,
 	    throw(Alert)
     end.
 
-key_exchange(#state{role = server, key_algorithm = rsa} = State,_) ->
+key_exchange(#state{static_env = #static_env{role = server}, 
+                    handshake_env = #handshake_env{kex_algorithm = rsa}} = State,_) ->
     State;
-key_exchange(#state{role = server, key_algorithm = Algo,
-		    hashsign_algorithm = HashSignAlgo,
-		    diffie_hellman_params = #'DHParameter'{} = Params,
-		    private_key = PrivateKey,
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
-		   } = State0, Connection)
-  when Algo == dhe_dss;
-       Algo == dhe_rsa;
-       Algo == dh_anon ->
+key_exchange(#state{static_env = #static_env{role = server}, 
+		    handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                                   diffie_hellman_params = #'DHParameter'{} = Params,
+                                                   hashsign_algorithm = HashSignAlgo},
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
+		    connection_states = ConnectionStates0} = State0, Connection)
+  when KexAlg == dhe_dss;
+       KexAlg == dhe_rsa;
+       KexAlg == dh_anon ->
     DHKeys = public_key:generate_key(Params),
     #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
@@ -1693,22 +1911,26 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 					       HashSignAlgo, ClientRandom,
 					       ServerRandom,
 					       PrivateKey}),
-    State = Connection:queue_handshake(Msg, State0),
-    State#state{diffie_hellman_keys = DHKeys};
-key_exchange(#state{role = server, private_key = #'ECPrivateKey'{parameters = ECCurve} = Key, key_algorithm = Algo,
+    #state{handshake_env = HsEnv} = State = Connection:queue_handshake(Msg, State0),
+    State#state{handshake_env = HsEnv#handshake_env{kex_keys = DHKeys}};
+key_exchange(#state{static_env = #static_env{role = server},
+                    handshake_env = #handshake_env{kex_algorithm = KexAlg} = HsEnv,
+                    connection_env = #connection_env{private_key = #'ECPrivateKey'{parameters = ECCurve} = Key},
                    session = Session} = State, _)
-  when Algo == ecdh_ecdsa; Algo == ecdh_rsa ->
-    State#state{diffie_hellman_keys = Key,
+  when KexAlg == ecdh_ecdsa; 
+       KexAlg == ecdh_rsa ->
+    State#state{handshake_env = HsEnv#handshake_env{kex_keys = Key},
                 session = Session#session{ecc = ECCurve}};
-key_exchange(#state{role = server, key_algorithm = Algo,
-		    hashsign_algorithm = HashSignAlgo,
-		    private_key = PrivateKey,
+key_exchange(#state{static_env = #static_env{role = server}, 
+                    handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                                   hashsign_algorithm = HashSignAlgo},
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
 		    session = #session{ecc = ECCCurve},
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
-		   } = State0, Connection)
-  when Algo == ecdhe_ecdsa; Algo == ecdhe_rsa;
-       Algo == ecdh_anon ->
+		    connection_states = ConnectionStates0} = State0, Connection)
+  when KexAlg == ecdhe_ecdsa; 
+       KexAlg == ecdhe_rsa;
+       KexAlg == ecdh_anon ->
 
     ECDHKeys = public_key:generate_key(ECCCurve),
     #{security_parameters := SecParams} = 
@@ -1720,18 +1942,19 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 				       HashSignAlgo, ClientRandom,
 				       ServerRandom,
 				       PrivateKey}),
-    State = Connection:queue_handshake(Msg, State0),
-    State#state{diffie_hellman_keys = ECDHKeys};
-key_exchange(#state{role = server, key_algorithm = psk,
+    #state{handshake_env = HsEnv} = State = Connection:queue_handshake(Msg, State0),
+    State#state{handshake_env = HsEnv#handshake_env{kex_keys = ECDHKeys}};
+key_exchange(#state{static_env = #static_env{role = server}, 
+                    handshake_env = #handshake_env{kex_algorithm = psk},
 		    ssl_options = #ssl_options{psk_identity = undefined}} = State, _) ->
     State;
-key_exchange(#state{role = server, key_algorithm = psk,
+key_exchange(#state{static_env = #static_env{role = server}, 
 		    ssl_options = #ssl_options{psk_identity = PskIdentityHint},
-		    hashsign_algorithm = HashSignAlgo,
-		    private_key = PrivateKey,
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
-		   } = State0, Connection) ->
+		    handshake_env = #handshake_env{kex_algorithm = psk,
+                                                   hashsign_algorithm = HashSignAlgo},     
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
+             connection_states = ConnectionStates0} = State0, Connection) ->
     #{security_parameters := SecParams} = 
 	ssl_record:pending_connection_state(ConnectionStates0, read),
     #security_parameters{client_random = ClientRandom,
@@ -1740,15 +1963,16 @@ key_exchange(#state{role = server, key_algorithm = psk,
 				     {psk, PskIdentityHint,
 				      HashSignAlgo, ClientRandom,
 				      ServerRandom,
-						       PrivateKey}),
+                                      PrivateKey}),
     Connection:queue_handshake(Msg, State0);
-key_exchange(#state{role = server, key_algorithm = dhe_psk,
+key_exchange(#state{static_env = #static_env{role = server},                    
 		    ssl_options = #ssl_options{psk_identity = PskIdentityHint},
-		    hashsign_algorithm = HashSignAlgo,
-		    diffie_hellman_params = #'DHParameter'{} = Params,
-		    private_key = PrivateKey,
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
+		    handshake_env = #handshake_env{kex_algorithm = dhe_psk,
+                                                   diffie_hellman_params = #'DHParameter'{} = Params,
+                                                   hashsign_algorithm = HashSignAlgo},                                        
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
+		    connection_states = ConnectionStates0
 		   } = State0, Connection) ->
     DHKeys = public_key:generate_key(Params),
     #{security_parameters := SecParams} =
@@ -1761,15 +1985,16 @@ key_exchange(#state{role = server, key_algorithm = dhe_psk,
 				       HashSignAlgo, ClientRandom,
 				       ServerRandom,
 				       PrivateKey}),
-    State = Connection:queue_handshake(Msg, State0),
-    State#state{diffie_hellman_keys = DHKeys};
-key_exchange(#state{role = server, key_algorithm = ecdhe_psk,
+    #state{handshake_env = HsEnv} = State = Connection:queue_handshake(Msg, State0),
+    State#state{handshake_env = HsEnv#handshake_env{kex_keys = DHKeys}};
+key_exchange(#state{static_env = #static_env{role = server}, 
 		    ssl_options = #ssl_options{psk_identity = PskIdentityHint},
-		    hashsign_algorithm = HashSignAlgo,
-		    private_key = PrivateKey,
+                    handshake_env = #handshake_env{kex_algorithm = ecdhe_psk,
+                                                   hashsign_algorithm = HashSignAlgo},
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
                     session = #session{ecc = ECCCurve},
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
+		    connection_states = ConnectionStates0
 		   } = State0, Connection) ->
     ECDHKeys = public_key:generate_key(ECCCurve),
     #{security_parameters := SecParams} =
@@ -1782,17 +2007,19 @@ key_exchange(#state{role = server, key_algorithm = ecdhe_psk,
 				       HashSignAlgo, ClientRandom,
 				       ServerRandom,
 				       PrivateKey}),
-    State = Connection:queue_handshake(Msg, State0),
-    State#state{diffie_hellman_keys = ECDHKeys};
-key_exchange(#state{role = server, key_algorithm = rsa_psk,
+    #state{handshake_env = HsEnv} = State = Connection:queue_handshake(Msg, State0),
+    State#state{handshake_env = HsEnv#handshake_env{kex_keys = ECDHKeys}};
+key_exchange(#state{static_env = #static_env{role = server}, 
+                    handshake_env = #handshake_env{kex_algorithm = rsa_psk},
 		    ssl_options = #ssl_options{psk_identity = undefined}} = State, _) ->
     State;
-key_exchange(#state{role = server, key_algorithm = rsa_psk,
+key_exchange(#state{static_env = #static_env{role = server}, 
 		    ssl_options = #ssl_options{psk_identity = PskIdentityHint},
-		    hashsign_algorithm = HashSignAlgo,
-		    private_key = PrivateKey,
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
+                    handshake_env = #handshake_env{kex_algorithm = rsa_psk,
+                                                   hashsign_algorithm = HashSignAlgo}, 
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
+		    connection_states = ConnectionStates0
 		   } = State0, Connection) ->
     #{security_parameters := SecParams} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
@@ -1804,17 +2031,18 @@ key_exchange(#state{role = server, key_algorithm = rsa_psk,
 				       ServerRandom,
 				       PrivateKey}),
     Connection:queue_handshake(Msg, State0);
-key_exchange(#state{role = server, key_algorithm = Algo,
+key_exchange(#state{static_env = #static_env{role = server}, 
 		    ssl_options = #ssl_options{user_lookup_fun = LookupFun},
-		    hashsign_algorithm = HashSignAlgo,
+                    handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                                   hashsign_algorithm = HashSignAlgo}, 
+                    connection_env = #connection_env{negotiated_version = Version,
+                                                     private_key = PrivateKey},
 		    session = #session{srp_username = Username},
-		    private_key = PrivateKey,
-		    connection_states = ConnectionStates0,
-		    negotiated_version = Version
+		    connection_states = ConnectionStates0
 		   } = State0, Connection)
-  when Algo == srp_dss;
-       Algo == srp_rsa;
-       Algo == srp_anon ->
+  when KexAlg == srp_dss;
+       KexAlg == srp_rsa;
+       KexAlg == srp_anon ->
     SrpParams = handle_srp_identity(Username, LookupFun),
     Keys = case generate_srp_server_keys(SrpParams, 0) of
 	       Alert = #alert{} ->
@@ -1831,82 +2059,86 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 				       HashSignAlgo, ClientRandom,
 				       ServerRandom,
 				       PrivateKey}),
-    State = Connection:queue_handshake(Msg, State0),
-    State#state{srp_params = SrpParams,
-		srp_keys = Keys};
-key_exchange(#state{role = client,
-		    key_algorithm = rsa,
-		    public_key_info = PublicKeyInfo,
-		    negotiated_version = Version,
-		    premaster_secret = PremasterSecret} = State0, Connection) ->
+    #state{handshake_env = HsEnv} = State = Connection:queue_handshake(Msg, State0),
+    State#state{handshake_env = HsEnv#handshake_env{srp_params = SrpParams,
+                                                    kex_keys = Keys}};
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = rsa,
+                                                   public_key_info = PublicKeyInfo,
+                                                   premaster_secret = PremasterSecret},
+                    connection_env = #connection_env{negotiated_version = Version}
+		   } = State0, Connection) ->
     Msg = rsa_key_exchange(ssl:tls_version(Version), PremasterSecret, PublicKeyInfo),
     Connection:queue_handshake(Msg, State0);
-key_exchange(#state{role = client,
-		    key_algorithm = Algorithm,
-		    negotiated_version = Version,
-		    diffie_hellman_keys = {DhPubKey, _}
-		   } = State0, Connection)
-  when Algorithm == dhe_dss;
-       Algorithm == dhe_rsa;
-       Algorithm == dh_anon ->
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                                   kex_keys = {DhPubKey, _}},
+                    connection_env = #connection_env{negotiated_version = Version}
+                   } = State0, Connection)
+  when KexAlg == dhe_dss;
+       KexAlg == dhe_rsa;
+       KexAlg == dh_anon ->
     Msg =  ssl_handshake:key_exchange(client, ssl:tls_version(Version), {dh, DhPubKey}),
     Connection:queue_handshake(Msg, State0);
 
-key_exchange(#state{role = client,
-		    key_algorithm = Algorithm,
-		    negotiated_version = Version,
-                    session = Session,
-		    diffie_hellman_keys = #'ECPrivateKey'{parameters = ECCurve} = Key} = State0, Connection)
-  when Algorithm == ecdhe_ecdsa; Algorithm == ecdhe_rsa;
-       Algorithm == ecdh_ecdsa; Algorithm == ecdh_rsa;
-       Algorithm == ecdh_anon ->
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                                   kex_keys = #'ECPrivateKey'{parameters = ECCurve} = Key},
+                    connection_env = #connection_env{negotiated_version = Version},
+                    session = Session
+		   } = State0, Connection)
+  when KexAlg == ecdhe_ecdsa; 
+       KexAlg == ecdhe_rsa;
+       KexAlg == ecdh_ecdsa; 
+       KexAlg == ecdh_rsa;
+       KexAlg == ecdh_anon ->
     Msg = ssl_handshake:key_exchange(client, ssl:tls_version(Version), {ecdh, Key}),
     Connection:queue_handshake(Msg, State0#state{session = Session#session{ecc = ECCurve}});
-key_exchange(#state{role = client,
-		    ssl_options = SslOpts,
-		    key_algorithm = psk,
-		    negotiated_version = Version} = State0, Connection) ->
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = psk},
+                    connection_env = #connection_env{negotiated_version = Version},
+		    ssl_options = SslOpts} = State0, Connection) ->
     Msg =  ssl_handshake:key_exchange(client, ssl:tls_version(Version), 
 				      {psk, SslOpts#ssl_options.psk_identity}),
     Connection:queue_handshake(Msg, State0);
-key_exchange(#state{role = client,
-		    ssl_options = SslOpts,
-		    key_algorithm = dhe_psk,
-		    negotiated_version = Version,
-		    diffie_hellman_keys = {DhPubKey, _}} = State0, Connection) ->
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = dhe_psk,
+                                                   kex_keys = {DhPubKey, _}},
+                    connection_env = #connection_env{negotiated_version = Version},
+		    ssl_options = SslOpts} = State0, Connection) ->
     Msg =  ssl_handshake:key_exchange(client, ssl:tls_version(Version),
 				      {dhe_psk, 
 				       SslOpts#ssl_options.psk_identity, DhPubKey}),
     Connection:queue_handshake(Msg, State0);
 
-key_exchange(#state{role = client,
-		    ssl_options = SslOpts,
-		    key_algorithm = ecdhe_psk,
-		    negotiated_version = Version,
-		    diffie_hellman_keys = ECDHKeys} = State0, Connection) ->
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = ecdhe_psk,
+                                                   kex_keys = ECDHKeys},
+                    connection_env = #connection_env{negotiated_version = Version},
+		    ssl_options = SslOpts} = State0, Connection) ->
     Msg =  ssl_handshake:key_exchange(client, ssl:tls_version(Version),
 				      {ecdhe_psk,
 				       SslOpts#ssl_options.psk_identity, ECDHKeys}),
     Connection:queue_handshake(Msg, State0);
 
-key_exchange(#state{role = client,
-		    ssl_options = SslOpts,
-		    key_algorithm = rsa_psk,
-		    public_key_info = PublicKeyInfo,
-		    negotiated_version = Version,
-		    premaster_secret = PremasterSecret}
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = rsa_psk,
+                                                   public_key_info = PublicKeyInfo,
+                                                   premaster_secret = PremasterSecret},
+                    connection_env = #connection_env{negotiated_version = Version},
+		    ssl_options = SslOpts}
 	     = State0, Connection) ->
     Msg = rsa_psk_key_exchange(ssl:tls_version(Version), SslOpts#ssl_options.psk_identity,
 			       PremasterSecret, PublicKeyInfo),
     Connection:queue_handshake(Msg, State0);
-key_exchange(#state{role = client,
-		    key_algorithm = Algorithm,
-		    negotiated_version = Version,
-		    srp_keys = {ClientPubKey, _}}
+key_exchange(#state{static_env = #static_env{role = client},
+                    handshake_env = #handshake_env{kex_algorithm = KexAlg,
+                                                   kex_keys = {ClientPubKey, _}},
+                    connection_env = #connection_env{negotiated_version = Version}}
 	     = State0, Connection)
-  when Algorithm == srp_dss;
-       Algorithm == srp_rsa;
-       Algorithm == srp_anon ->
+  when KexAlg == srp_dss;
+       KexAlg == srp_rsa;
+       KexAlg == srp_anon ->
     Msg =  ssl_handshake:key_exchange(client, ssl:tls_version(Version), {srp, ClientPubKey}),
     Connection:queue_handshake(Msg, State0).
 
@@ -1943,18 +2175,24 @@ rsa_psk_key_exchange(Version, PskIdentity, PremasterSecret,
 rsa_psk_key_exchange(_, _, _, _) ->
     throw (?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE, pub_key_is_not_rsa)).
 
-request_client_cert(#state{key_algorithm = Alg} = State, _)
-  when Alg == dh_anon; Alg == ecdh_anon;
-       Alg == psk; Alg == dhe_psk; Alg == ecdhe_psk; Alg == rsa_psk;
-       Alg == srp_dss; Alg == srp_rsa; Alg == srp_anon ->
+request_client_cert(#state{handshake_env = #handshake_env{kex_algorithm = Alg}} = State, _)
+  when Alg == dh_anon; 
+       Alg == ecdh_anon;
+       Alg == psk; 
+       Alg == dhe_psk; 
+       Alg == ecdhe_psk; 
+       Alg == rsa_psk;
+       Alg == srp_dss; 
+       Alg == srp_rsa; 
+       Alg == srp_anon ->
     State;
 
-request_client_cert(#state{ssl_options = #ssl_options{verify = verify_peer, 
-						      signature_algs = SupportedHashSigns},
-			   connection_states = ConnectionStates0,
-			   cert_db = CertDbHandle,
-			   cert_db_ref = CertDbRef,
-			   negotiated_version = Version} = State0, Connection) ->
+request_client_cert(#state{static_env = #static_env{cert_db = CertDbHandle,
+                                                    cert_db_ref = CertDbRef},
+                           connection_env = #connection_env{negotiated_version = Version},
+                           ssl_options = #ssl_options{verify = verify_peer,
+                                                      signature_algs = SupportedHashSigns},
+                           connection_states = ConnectionStates0} = State0, Connection) ->
     #{security_parameters :=
 	  #security_parameters{cipher_suite = CipherSuite}} =
 	ssl_record:pending_connection_state(ConnectionStates0, read),
@@ -1971,7 +2209,7 @@ request_client_cert(#state{ssl_options = #ssl_options{verify = verify_none}} =
     State.
 
 calculate_master_secret(PremasterSecret, 
-			#state{negotiated_version = Version,
+			#state{connection_env = #connection_env{negotiated_version = Version},
 			       connection_states = ConnectionStates0,
 			       session = Session0} = State0, Connection,
 			_Current, Next) ->
@@ -1998,27 +2236,29 @@ finalize_handshake(State0, StateName, Connection) ->
     State = next_protocol(State2, Connection),
     finished(State, StateName, Connection).
 
-next_protocol(#state{role = server} = State, _) ->
+next_protocol(#state{static_env = #static_env{role = server}} = State, _) ->
     State;
-next_protocol(#state{negotiated_protocol = undefined} = State, _) ->
+next_protocol(#state{handshake_env = #handshake_env{negotiated_protocol = undefined}} = State, _) ->
     State;
-next_protocol(#state{expecting_next_protocol_negotiation = false} = State, _) ->
+next_protocol(#state{handshake_env = #handshake_env{expecting_next_protocol_negotiation = false}} = State, _) ->
     State;
-next_protocol(#state{negotiated_protocol = NextProtocol} = State0, Connection) ->
+next_protocol(#state{handshake_env = #handshake_env{negotiated_protocol = NextProtocol}} = State0, Connection) ->
     NextProtocolMessage = ssl_handshake:next_protocol(NextProtocol),
     Connection:queue_handshake(NextProtocolMessage, State0).
 
 cipher_protocol(State, Connection) ->
     Connection:queue_change_cipher(#change_cipher_spec{}, State).
 
-finished(#state{role = Role, negotiated_version = Version,
+finished(#state{static_env = #static_env{role = Role},
+                handshake_env = #handshake_env{tls_handshake_history = Hist},
+                connection_env = #connection_env{negotiated_version = Version},
 		session = Session,
-                connection_states = ConnectionStates0,
-                tls_handshake_history = Handshake0} = State0, StateName, Connection) ->
+                connection_states = ConnectionStates0} = State0, 
+         StateName, Connection) ->
     MasterSecret = Session#session.master_secret,
     Finished = ssl_handshake:finished(ssl:tls_version(Version), Role,
 				       get_current_prf(ConnectionStates0, write),
-				       MasterSecret, Handshake0),
+				       MasterSecret, Hist),
     ConnectionStates = save_verify_data(Role, Finished, ConnectionStates0, StateName),
     Connection:send_handshake(Finished, State0#state{connection_states =
 								 ConnectionStates}).
@@ -2034,64 +2274,71 @@ save_verify_data(server, #finished{verify_data = Data}, ConnectionStates, abbrev
 
 calculate_secret(#server_dh_params{dh_p = Prime, dh_g = Base, 
 				   dh_y = ServerPublicDhKey} = Params,
-		 State, Connection) ->
+		 #state{handshake_env = HsEnv} = State, Connection) ->
     Keys = {_, PrivateDhKey} = crypto:generate_key(dh, [Prime, Base]),
     PremasterSecret =
 	ssl_handshake:premaster_secret(ServerPublicDhKey, PrivateDhKey, Params),
     calculate_master_secret(PremasterSecret,
-			    State#state{diffie_hellman_keys = Keys}, 
+			    State#state{handshake_env = HsEnv#handshake_env{kex_keys = Keys}}, 
 			    Connection, certify, certify);
 
 calculate_secret(#server_ecdh_params{curve = ECCurve, public = ECServerPubKey},
-		     State=#state{session=Session}, Connection) ->
+		     #state{handshake_env = HsEnv,
+                            session = Session} = State, Connection) ->
     ECDHKeys = public_key:generate_key(ECCurve),
     PremasterSecret = 
 	ssl_handshake:premaster_secret(#'ECPoint'{point = ECServerPubKey}, ECDHKeys),
     calculate_master_secret(PremasterSecret,
-			    State#state{diffie_hellman_keys = ECDHKeys,
+			    State#state{handshake_env = HsEnv#handshake_env{kex_keys = ECDHKeys},
 					session = Session#session{ecc = ECCurve}},
 			    Connection, certify, certify);
 
 calculate_secret(#server_psk_params{
 		    hint = IdentityHint},
-		 State, Connection) ->
+		 #state{handshake_env = HsEnv} = State, Connection) ->
     %% store for later use
-    Connection:next_event(certify, no_record, State#state{psk_identity = IdentityHint});
+    Connection:next_event(certify, no_record, 
+                          State#state{handshake_env = 
+                                          HsEnv#handshake_env{server_psk_identity = IdentityHint}});
 
 calculate_secret(#server_dhe_psk_params{
 		    dh_params = #server_dh_params{dh_p = Prime, dh_g = Base}} = ServerKey,
-		    #state{ssl_options = #ssl_options{user_lookup_fun = PSKLookup}} = 
+		    #state{handshake_env = HsEnv,
+                           ssl_options = #ssl_options{user_lookup_fun = PSKLookup}} = 
 		     State, Connection) ->
     Keys = {_, PrivateDhKey} =
 	crypto:generate_key(dh, [Prime, Base]),
     PremasterSecret = ssl_handshake:premaster_secret(ServerKey, PrivateDhKey, PSKLookup),
-    calculate_master_secret(PremasterSecret, State#state{diffie_hellman_keys = Keys},
+    calculate_master_secret(PremasterSecret, State#state{handshake_env = HsEnv#handshake_env{kex_keys = Keys}},
 			    Connection, certify, certify);
 
 calculate_secret(#server_ecdhe_psk_params{
                     dh_params = #server_ecdh_params{curve = ECCurve}} = ServerKey,
                  #state{ssl_options = #ssl_options{user_lookup_fun = PSKLookup}} = 
-		     State=#state{session=Session}, Connection) ->
+		     #state{handshake_env = HsEnv,
+                            session = Session} = State, Connection) ->
     ECDHKeys = public_key:generate_key(ECCurve),
 
     PremasterSecret = ssl_handshake:premaster_secret(ServerKey, ECDHKeys, PSKLookup),
     calculate_master_secret(PremasterSecret,
-			    State#state{diffie_hellman_keys = ECDHKeys,
+			    State#state{handshake_env = HsEnv#handshake_env{kex_keys = ECDHKeys},
 					session = Session#session{ecc = ECCurve}},
 			    Connection, certify, certify);
 
 calculate_secret(#server_srp_params{srp_n = Prime, srp_g = Generator} = ServerKey,
-		 #state{ssl_options = #ssl_options{srp_identity = SRPId}} = State, 
+		 #state{handshake_env = HsEnv,
+                        ssl_options = #ssl_options{srp_identity = SRPId}} = State, 
 		 Connection) ->
     Keys = generate_srp_client_keys(Generator, Prime, 0),
     PremasterSecret = ssl_handshake:premaster_secret(ServerKey, Keys, SRPId),
-    calculate_master_secret(PremasterSecret, State#state{srp_keys = Keys}, Connection, 
+    calculate_master_secret(PremasterSecret, State#state{handshake_env = HsEnv#handshake_env{kex_keys = Keys}}, Connection, 
 			    certify, certify).
 
 master_secret(#alert{} = Alert, _) ->
     Alert;
-master_secret(PremasterSecret, #state{session = Session,
-				      negotiated_version = Version, role = Role,
+master_secret(PremasterSecret, #state{static_env = #static_env{role = Role},
+                                      connection_env = #connection_env{negotiated_version = Version},
+                                      session = Session,
 				      connection_states = ConnectionStates0} = State) ->
     case ssl_handshake:master_secret(ssl:tls_version(Version), PremasterSecret,
 				     ConnectionStates0, Role) of
@@ -2151,7 +2398,7 @@ cipher_role(client, Data, Session, #state{connection_states = ConnectionStates0}
      {Record, State} = prepare_connection(State0#state{session = Session,
 						       connection_states = ConnectionStates},
 					 Connection),
-    Connection:next_event(connection, Record, State);
+    Connection:next_event(connection, Record, State, [{{timeout, handshake}, infinity, close}]);
 cipher_role(server, Data, Session,  #state{connection_states = ConnectionStates0} = State0,
 	    Connection) ->
     ConnectionStates1 = ssl_record:set_client_verify_data(current_read, Data, 
@@ -2160,15 +2407,15 @@ cipher_role(server, Data, Session,  #state{connection_states = ConnectionStates0
 	finalize_handshake(State0#state{connection_states = ConnectionStates1,
 					session = Session}, cipher, Connection),
     {Record, State} = prepare_connection(State1, Connection),
-    Connection:next_event(connection, Record, State, Actions).
-
-is_anonymous(Algo) when Algo == dh_anon;
-			Algo == ecdh_anon;
-			Algo == psk;
-			Algo == dhe_psk;
-			Algo == ecdhe_psk;
-			Algo == rsa_psk;
-			Algo == srp_anon ->
+    Connection:next_event(connection, Record, State, [{{timeout, handshake}, infinity, close} | Actions]).
+
+is_anonymous(KexAlg) when KexAlg == dh_anon;
+                          KexAlg == ecdh_anon;
+                          KexAlg == psk;
+                          KexAlg == dhe_psk;
+                          KexAlg == ecdhe_psk;
+                          KexAlg == rsa_psk;
+                          KexAlg == srp_anon ->
     true;
 is_anonymous(_) ->
     false.
@@ -2282,6 +2529,30 @@ set_socket_opts(ConnectionCb, Transport, Socket, [{active, Active}| Opts], SockO
        Active == false ->
     set_socket_opts(ConnectionCb, Transport, Socket, Opts, 
 		    SockOpts#socket_options{active = Active}, Other);
+set_socket_opts(ConnectionCb, Transport, Socket, [{active, Active1} = Opt| Opts],
+                SockOpts=#socket_options{active = Active0}, Other)
+  when Active1 >= -32768, Active1 =< 32767 ->
+    Active = if
+        is_integer(Active0), Active0 + Active1 < -32768 ->
+            error;
+        is_integer(Active0), Active0 + Active1 =< 0 ->
+            false;
+        is_integer(Active0), Active0 + Active1 > 32767 ->
+            error;
+        Active1 =< 0 ->
+            false;
+        is_integer(Active0) ->
+            Active0 + Active1;
+        true ->
+            Active1
+    end,
+    case Active of
+        error ->
+            {{error, {options, {socket_options, Opt}} }, SockOpts};
+        _ ->
+            set_socket_opts(ConnectionCb, Transport, Socket, Opts,
+                            SockOpts#socket_options{active = Active}, Other)
+    end;
 set_socket_opts(_,_, _, [{active, _} = Opt| _], SockOpts, _) ->
     {{error, {options, {socket_options, Opt}} }, SockOpts};
 set_socket_opts(ConnectionCb, Transport, Socket, [Opt | Opts], SockOpts, Other) ->
@@ -2296,22 +2567,6 @@ hibernate_after(connection = StateName,
 hibernate_after(StateName, State, Actions) ->
     {next_state, StateName, State, Actions}.
 
-map_extensions(#hello_extensions{renegotiation_info = RenegotiationInfo,
-                                 signature_algs = SigAlg,          
-                                 alpn = Alpn,
-                                 next_protocol_negotiation = Next, 
-                                 srp = SRP,
-                                 ec_point_formats = ECPointFmt,
-                                 elliptic_curves = ECCCurves,
-                                 sni = SNI}) ->
-    #{renegotiation_info => ssl_handshake:extension_value(RenegotiationInfo),
-      signature_algs =>  ssl_handshake:extension_value(SigAlg),
-      alpn =>  ssl_handshake:extension_value(Alpn),
-      srp  => ssl_handshake:extension_value(SRP),
-      next_protocol => ssl_handshake:extension_value(Next),
-      ec_point_formats  => ssl_handshake:extension_value(ECPointFmt),
-      elliptic_curves => ssl_handshake:extension_value(ECCCurves),
-      sni => ssl_handshake:extension_value(SNI)}.
 
 terminate_alert(normal) ->
     ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY);
@@ -2325,18 +2580,18 @@ handle_trusted_certs_db(#state{ssl_options =
 				   #ssl_options{cacertfile = <<>>, cacerts = []}}) ->
     %% No trusted certs specified
     ok;
-handle_trusted_certs_db(#state{cert_db_ref = Ref,
-			       cert_db = CertDb,
-			       ssl_options = #ssl_options{cacertfile = <<>>}}) when CertDb =/= undefined ->
+handle_trusted_certs_db(#state{static_env = #static_env{cert_db_ref = Ref,
+                                                        cert_db = CertDb},
+                               ssl_options = #ssl_options{cacertfile = <<>>}}) when CertDb =/= undefined ->
     %% Certs provided as DER directly can not be shared
     %% with other connections and it is safe to delete them when the connection ends.
     ssl_pkix_db:remove_trusted_certs(Ref, CertDb);
-handle_trusted_certs_db(#state{file_ref_db = undefined}) ->
+handle_trusted_certs_db(#state{static_env = #static_env{file_ref_db = undefined}}) ->
     %% Something went wrong early (typically cacertfile does not
     %% exist) so there is nothing to handle
     ok;
-handle_trusted_certs_db(#state{cert_db_ref = Ref,
-			       file_ref_db = RefDb,
+handle_trusted_certs_db(#state{static_env = #static_env{cert_db_ref = Ref,
+                                                        file_ref_db = RefDb},
 			       ssl_options = #ssl_options{cacertfile = File}}) ->
     case ssl_pkix_db:ref_count(Ref, RefDb, -1) of
 	0 ->
@@ -2345,7 +2600,7 @@ handle_trusted_certs_db(#state{cert_db_ref = Ref,
 	    ok
     end.
 
-prepare_connection(#state{renegotiation = Renegotiate, 
+prepare_connection(#state{handshake_env = #handshake_env{renegotiation = Renegotiate}, 
 			  start_or_recv_from = RecvFrom} = State0, Connection) 
   when Renegotiate =/= {false, first}, 
        RecvFrom =/= undefined ->
@@ -2355,42 +2610,54 @@ prepare_connection(State0, Connection) ->
     State = Connection:reinit(State0),
     {no_record, ack_connection(State)}.
 
-ack_connection(#state{renegotiation = {true, Initiater}} = State) when Initiater == peer;
-                                                                       Initiater == internal ->
-    State#state{renegotiation = undefined};
-ack_connection(#state{renegotiation = {true, From}} = State) ->    
+ack_connection(#state{handshake_env = #handshake_env{renegotiation = {true, Initiater}} = HsEnv} = State) when Initiater == peer;
+                                                                                                               Initiater == internal ->
+    State#state{handshake_env = HsEnv#handshake_env{renegotiation = undefined}};
+ack_connection(#state{handshake_env = #handshake_env{renegotiation = {true, From}} = HsEnv} = State) ->    
     gen_statem:reply(From, ok),
-    State#state{renegotiation = undefined};
-ack_connection(#state{renegotiation = {false, first}, 
-		      start_or_recv_from = StartFrom,
-		      timer = Timer} = State) when StartFrom =/= undefined ->
+    State#state{handshake_env = HsEnv#handshake_env{renegotiation = undefined}};
+ack_connection(#state{handshake_env = #handshake_env{renegotiation = {false, first}} = HsEnv, 
+		      start_or_recv_from = StartFrom} = State) when StartFrom =/= undefined ->
     gen_statem:reply(StartFrom, connected),
-    cancel_timer(Timer),
-    State#state{renegotiation = undefined, 
-		start_or_recv_from = undefined, timer = undefined};
+    State#state{handshake_env = HsEnv#handshake_env{renegotiation = undefined}, 
+		start_or_recv_from = undefined};
 ack_connection(State) ->
     State.
 
-cancel_timer(undefined) ->
-    ok;
-cancel_timer(Timer) ->
-    erlang:cancel_timer(Timer),
-    ok.
-
 session_handle_params(#server_ecdh_params{curve = ECCurve}, Session) ->
     Session#session{ecc = ECCurve};
 session_handle_params(_, Session) ->
     Session.
 
-register_session(client, Host, Port, #session{is_resumable = new} = Session0) ->
+handle_session(Role = server, #ssl_options{reuse_sessions = true} = SslOpts, 
+               Host, Port, Session0) ->
+    register_session(Role, host_id(Role, Host, SslOpts), Port, Session0, true);
+handle_session(Role = client, #ssl_options{verify = verify_peer,
+                                           reuse_sessions = Reuse} = SslOpts, 
+               Host, Port, Session0) when Reuse =/= false ->
+    register_session(Role, host_id(Role, Host, SslOpts), Port, Session0, reg_type(Reuse));
+handle_session(server, _, Host, Port, Session) ->
+    %% Remove "session of type new" entry from session DB 
+    ssl_manager:invalidate_session(Host, Port, Session),
+    Session;
+handle_session(client, _,_,_, Session) ->
+    %% In client case there is no entry yet, so nothing to remove
+    Session.
+
+reg_type(save) ->
+    true;
+reg_type(true) ->
+    unique.
+
+register_session(client, Host, Port, #session{is_resumable = new} = Session0, Save) ->
     Session = Session0#session{is_resumable = true},
-    ssl_manager:register_session(Host, Port, Session),
+    ssl_manager:register_session(Host, Port, Session, Save),
     Session;
-register_session(server, _, Port, #session{is_resumable = new} = Session0) ->
+register_session(server, _, Port, #session{is_resumable = new} = Session0, _) ->
     Session = Session0#session{is_resumable = true},
     ssl_manager:register_session(Port, Session),
     Session;
-register_session(_, _, _, Session) ->
+register_session(_, _, _, Session, _) ->
     Session. %% Already registered
 
 host_id(client, _Host, #ssl_options{server_name_indication = Hostname}) when is_list(Hostname) ->
@@ -2399,19 +2666,21 @@ host_id(_, Host, _) ->
     Host.
 
 handle_new_session(NewId, CipherSuite, Compression, 
-		   #state{session = Session0,
-			  protocol_cb = Connection} = State0) ->
+		   #state{static_env = #static_env{protocol_cb = Connection},
+                          session = Session0
+			 } = State0) ->
     Session = Session0#session{session_id = NewId,
 			       cipher_suite = CipherSuite,
 			       compression_method = Compression},
     Connection:next_event(certify, no_record, State0#state{session = Session}).
 
-handle_resumed_session(SessId, #state{connection_states = ConnectionStates0,
-				      negotiated_version = Version,
-				      host = Host, port = Port,
-				      protocol_cb = Connection,
-				      session_cache = Cache,
-				      session_cache_cb = CacheCb} = State) ->
+handle_resumed_session(SessId, #state{static_env = #static_env{host = Host,
+                                                               port = Port,
+                                                               protocol_cb = Connection,
+                                                               session_cache = Cache,
+                                                               session_cache_cb = CacheCb},
+                                      connection_env = #connection_env{negotiated_version = Version},
+                                      connection_states = ConnectionStates0} = State) ->
     Session = CacheCb:lookup(Cache, {{Host, Port}, SessId}),
     case ssl_handshake:master_secret(ssl:tls_version(Version), Session,
 				     ConnectionStates0, client) of
@@ -2468,8 +2737,13 @@ ssl_options_list([Key | Keys], [Value | Values], Acc) ->
 handle_active_option(false, connection = StateName, To, Reply, State) ->
     hibernate_after(StateName, State, [{reply, To, Reply}]);
 
-handle_active_option(_, connection = StateName0, To, Reply, #state{protocol_cb = Connection,
-							      user_data_buffer = <<>>} = State0) ->
+handle_active_option(_, connection = StateName, To, _Reply, #state{connection_env = #connection_env{terminated = true},
+                                                                   user_data_buffer = {_,0,_}} = State) ->
+    handle_normal_shutdown(?ALERT_REC(?FATAL, ?CLOSE_NOTIFY, all_data_deliverd), StateName, 
+                           State#state{start_or_recv_from = To}),
+    {stop,{shutdown, peer_close}, State};
+handle_active_option(_, connection = StateName0, To, Reply, #state{static_env = #static_env{protocol_cb = Connection},
+                                                                   user_data_buffer = {_,0,_}} = State0) ->
     case Connection:next_event(StateName0, no_record, State0) of
 	{next_state, StateName, State} ->
 	    hibernate_after(StateName, State, [{reply, To, Reply}]);
@@ -2478,12 +2752,13 @@ handle_active_option(_, connection = StateName0, To, Reply, #state{protocol_cb =
 	{stop, _, _} = Stop ->
 	    Stop
     end;
-handle_active_option(_, StateName, To, Reply, #state{user_data_buffer = <<>>} = State) ->
+handle_active_option(_, StateName, To, Reply, #state{user_data_buffer = {_,0,_}} = State) ->
     %% Active once already set 
     {next_state, StateName, State, [{reply, To, Reply}]};
 
-%% user_data_buffer =/= <<>>
-handle_active_option(_, StateName0, To, Reply, #state{protocol_cb = Connection} = State0) -> 
+%% user_data_buffer nonempty
+handle_active_option(_, StateName0, To, Reply,
+                     #state{static_env = #static_env{protocol_cb = Connection}} = State0) ->
     case read_application_data(<<>>, State0) of
 	{stop, _, _} = Stop ->
 	    Stop;
@@ -2501,33 +2776,25 @@ handle_active_option(_, StateName0, To, Reply, #state{protocol_cb = Connection}
 
 
 %% Picks ClientData 
-get_data(_, _, <<>>) ->
-    {more, <<>>};
-%% Recv timed out save buffer data until next recv
-get_data(#socket_options{active=false}, undefined, Buffer) ->
-    {passive, Buffer};
-get_data(#socket_options{active=Active, packet=Raw}, BytesToRead, Buffer) 
+get_data(#socket_options{active=false}, undefined, _Bin) ->
+    %% Recv timed out save buffer data until next recv
+    passive;
+get_data(#socket_options{active=Active, packet=Raw}, BytesToRead, Bin)
   when Raw =:= raw; Raw =:= 0 ->   %% Raw Mode
-    if 
-	Active =/= false orelse BytesToRead =:= 0  ->
+    case Bin of
+        <<_/binary>> when Active =/= false orelse BytesToRead =:= 0 ->
 	    %% Active true or once, or passive mode recv(0)  
-	    {ok, Buffer, <<>>};
-	byte_size(Buffer) >= BytesToRead ->  
+	    {ok, Bin, <<>>};
+        <<Data:BytesToRead/binary, Rest/binary>> ->
 	    %% Passive Mode, recv(Bytes) 
-	    <<Data:BytesToRead/binary, Rest/binary>> = Buffer,
-	    {ok, Data, Rest};
-	true ->
+            {ok, Data, Rest};
+        <<_/binary>> ->
 	    %% Passive Mode not enough data
-	    {more, Buffer}
+            {more, BytesToRead}
     end;
-get_data(#socket_options{packet=Type, packet_size=Size}, _, Buffer) ->
+get_data(#socket_options{packet=Type, packet_size=Size}, _, Bin) ->
     PacketOpts = [{packet_size, Size}], 
-    case decode_packet(Type, Buffer, PacketOpts) of
-	{more, _} ->
-	    {more, Buffer};
-	Decoded ->
-	    Decoded
-    end.
+    decode_packet(Type, Bin, PacketOpts).
 
 decode_packet({http, headers}, Buffer, PacketOpts) ->
     decode_packet(httph, Buffer, PacketOpts);
@@ -2545,24 +2812,39 @@ decode_packet(Type, Buffer, PacketOpts) ->
 %% Note that if the user has explicitly configured the socket to expect
 %% HTTP headers using the {packet, httph} option, we don't do any automatic
 %% switching of states.
-deliver_app_data(CPids, Transport, Socket, SOpts = #socket_options{active=Active, packet=Type},
-		 Data, Pid, From, Tracker, Connection) ->
-    send_or_reply(Active, Pid, From, 
-                  format_reply(CPids, Transport, Socket, SOpts, Data, Tracker, Connection)),
-    SO = case Data of
-	     {P, _, _, _} when ((P =:= http_request) or (P =:= http_response)),
-			       ((Type =:= http) or (Type =:= http_bin)) ->
-	         SOpts#socket_options{packet={Type, headers}};
-	     http_eoh when tuple_size(Type) =:= 2 ->
-                 % End of headers - expect another Request/Response line
-	         {Type1, headers} = Type,
-	         SOpts#socket_options{packet=Type1};
-	     _ ->
-	         SOpts
-	 end,
+deliver_app_data(
+  CPids, Transport, Socket,
+  #socket_options{active=Active, packet=Type} = SOpts,
+  Data, Pid, From, Tracker, Connection) ->
+    %%
+    send_or_reply(
+      Active, Pid, From,
+      format_reply(
+        CPids, Transport, Socket, SOpts, Data, Tracker, Connection)),
+    SO =
+        case Data of
+            {P, _, _, _}
+              when ((P =:= http_request) or (P =:= http_response)),
+                   ((Type =:= http) or (Type =:= http_bin)) ->
+                SOpts#socket_options{packet={Type, headers}};
+            http_eoh when tuple_size(Type) =:= 2 ->
+                %% End of headers - expect another Request/Response line
+                {Type1, headers} = Type,
+                SOpts#socket_options{packet=Type1};
+            _ ->
+                SOpts
+        end,
     case Active of
         once ->
             SO#socket_options{active=false};
+        1 ->
+            send_user(
+              Pid,
+              format_passive(
+                CPids, Transport, Socket, Tracker, Connection)),
+            SO#socket_options{active=false};
+        N when is_integer(N) ->
+            SO#socket_options{active=N - 1};
 	_ ->
 	    SO
     end.
@@ -2572,7 +2854,7 @@ format_reply(_, _, _,#socket_options{active = false, mode = Mode, packet = Packe
     {ok, do_format_reply(Mode, Packet, Header, Data)};
 format_reply(CPids, Transport, Socket, #socket_options{active = _, mode = Mode, packet = Packet,
 						header = Header}, Data, Tracker, Connection) ->
-    {ssl, Connection:socket(CPids, Transport, Socket, Connection, Tracker), 
+    {ssl, Connection:socket(CPids, Transport, Socket, Tracker),
      do_format_reply(Mode, Packet, Header, Data)}.
 
 deliver_packet_error(CPids, Transport, Socket, 
@@ -2584,7 +2866,7 @@ format_packet_error(_, _, _,#socket_options{active = false, mode = Mode}, Data,
     {error, {invalid_packet, do_format_reply(Mode, raw, 0, Data)}};
 format_packet_error(CPids, Transport, Socket, #socket_options{active = _, mode = Mode}, 
                     Data, Tracker, Connection) ->
-    {ssl_error, Connection:socket(CPids, Transport, Socket, Connection, Tracker), 
+    {ssl_error, Connection:socket(CPids, Transport, Socket, Tracker),
      {invalid_packet, do_format_reply(Mode, raw, 0, Data)}}.
 
 do_format_reply(binary, _, N, Data) when N > 0 ->  % Header mode
@@ -2599,6 +2881,9 @@ do_format_reply(list, Packet, _, Data)
 do_format_reply(list, _,_, Data) ->
     binary_to_list(Data).
 
+format_passive(CPids, Transport, Socket, Tracker, Connection) ->
+    {ssl_passive, Connection:socket(CPids, Transport, Socket, Tracker)}.
+
 header(0, <<>>) ->
     <<>>;
 header(_, <<>>) ->
@@ -2640,22 +2925,20 @@ alert_user(Pids, Transport, Tracker, Socket, Active, Pid, From, Alert, Role, Con
     case ssl_alert:reason_code(Alert, Role) of
 	closed ->
 	    send_or_reply(Active, Pid, From,
-			  {ssl_closed, Connection:socket(Pids, 
-							 Transport, Socket, Connection, Tracker)});
+			  {ssl_closed, Connection:socket(Pids, Transport, Socket, Tracker)});
 	ReasonCode ->
 	    send_or_reply(Active, Pid, From,
-			  {ssl_error, Connection:socket(Pids, 
-							Transport, Socket, Connection, Tracker), ReasonCode})
+			  {ssl_error, Connection:socket(Pids, Transport, Socket, Tracker), ReasonCode})
     end.
 
-log_alert(true, Role, ProtocolName, StateName, #alert{role = Role} = Alert) ->
+log_alert(Level, Role, ProtocolName, StateName, #alert{role = Role} = Alert) ->
     Txt = ssl_alert:own_alert_txt(Alert),
-    error_logger:info_report(io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]));
-log_alert(true, Role, ProtocolName, StateName, Alert) ->
+    Report = io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]),
+    ssl_logger:notice(Level, Report);
+log_alert(Level, Role, ProtocolName, StateName, Alert) ->
     Txt = ssl_alert:alert_txt(Alert),
-    error_logger:info_report(io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]));
-log_alert(false, _, _, _, _) ->
-    ok.
+    Report = io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]),
+    ssl_logger:notice(Level, Report).
 
 invalidate_session(client, Host, Port, Session) ->
     ssl_manager:invalidate_session(Host, Port, Session);
@@ -2664,7 +2947,9 @@ invalidate_session(server, _, Port, Session) ->
 
 handle_sni_extension(undefined, State) ->
     State;
-handle_sni_extension(#sni{hostname = Hostname}, State0) ->
+handle_sni_extension(#sni{hostname = Hostname}, #state{static_env = #static_env{role = Role} = InitStatEnv0,
+                                                       handshake_env = HsEnv,
+                                                       connection_env = CEnv} = State0) ->
     NewOptions = update_ssl_options_from_sni(State0#state.ssl_options, Hostname),
     case NewOptions of
 	undefined ->
@@ -2678,19 +2963,21 @@ handle_sni_extension(#sni{hostname = Hostname}, State0) ->
                    private_key := Key,
                    dh_params := DHParams,
                    own_certificate := OwnCert}} =
-                 ssl_config:init(NewOptions, State0#state.role),
+                 ssl_config:init(NewOptions, Role),
              State0#state{
                session = State0#state.session#session{own_certificate = OwnCert},
-               file_ref_db = FileRefHandle,
-               cert_db_ref = Ref,
-               cert_db = CertDbHandle,
-               crl_db = CRLDbHandle,
-               session_cache = CacheHandle,
-               private_key = Key,
-	      diffie_hellman_params = DHParams,
-	      ssl_options = NewOptions,
-	      sni_hostname = Hostname
-	     }
+               static_env = InitStatEnv0#static_env{
+                                        file_ref_db = FileRefHandle,
+                                        cert_db_ref = Ref,
+                                        cert_db = CertDbHandle,
+                                        crl_db = CRLDbHandle,
+                                        session_cache = CacheHandle
+                             },
+               connection_env = CEnv#connection_env{private_key = Key},
+               ssl_options = NewOptions,
+               handshake_env = HsEnv#handshake_env{sni_hostname = Hostname,
+                                                   diffie_hellman_params = DHParams}
+              }
     end.
 
 update_ssl_options_from_sni(OrigSSLOptions, SNIHostname) ->
@@ -2713,14 +3000,3 @@ new_emulated([], EmOpts) ->
     EmOpts;
 new_emulated(NewEmOpts, _) ->
     NewEmOpts.
-
-stop(Reason, State) ->
-    {stop, Reason, State}.
-
-stop_and_reply(Reason, Replies, State) ->
-    {stop_and_reply, Reason, Replies, State}.
-
-is_dist_up(#{dist_handle := Handle}) when Handle =/= undefined ->
-    true;
-is_dist_up(_) ->
-    false.