1 files changed, 43 insertions, 22 deletions

diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 88105cac5a..c19c1787ff 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -3,16 +3,17 @@
 %%
 %% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
-%% The contents of this file are subject to the Erlang Public License,
-%% Version 1.1, (the "License"); you may not use this file except in
-%% compliance with the License. You should have received a copy of the
-%% Erlang Public License along with this software. If not, it can be
-%% retrieved online at http://www.erlang.org/.
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
 %%
-%% Software distributed under the License is distributed on an "AS IS"
-%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
-%% the License for the specific language governing rights and limitations
-%% under the License.
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
 %%
 %% %CopyrightEnd%
 %%
@@ -61,17 +62,25 @@
 -define(CDR_HDR_SIZE, 12).
 
 -define(DEFAULT_TIMEOUT, 5000).
+-define(NO_DIST_POINT, "http://dummy/no_distribution_point").
+-define(NO_DIST_POINT_PATH, "dummy/no_distribution_point").
 
 %% Common enumerate values in for SSL-protocols 
 -define(NULL, 0).
 -define(TRUE, 0).
 -define(FALSE, 1).
 
--define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
--define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1, sslv3]).
+%% sslv3 is considered insecure due to lack of padding check (Poodle attack)
+%% Keep as interop with legacy software but do not support as default 
+-define(ALL_AVAILABLE_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1, sslv3]).
+-define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
+-define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 
+-define('24H_in_msec', 86400000).
+-define('24H_in_sec', 86400).
+
 -record(ssl_options, {
 	  protocol    :: tls | dtls,
 	  versions    :: [ssl_record:ssl_version()], %% ssl_record:atom_version() in API
@@ -84,16 +93,16 @@
 	  validate_extensions_fun, 
 	  depth                :: integer(),
 	  certfile             :: binary(),
-	  cert                 :: public_key:der_encoded() | secret_printout(),
+	  cert                 :: public_key:der_encoded() | secret_printout() | 'undefined',
 	  keyfile              :: binary(),
-	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()} | secret_printout(),
-	  password	       :: string() | secret_printout(),
-	  cacerts              :: [public_key:der_encoded()] | secret_printout(),
+	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()} | secret_printout() | 'undefined',
+	  password	       :: string() | secret_printout() | 'undefined',
+	  cacerts              :: [public_key:der_encoded()] | secret_printout() | 'undefined',
 	  cacertfile           :: binary(),
 	  dh                   :: public_key:der_encoded() | secret_printout(),
-	  dhfile               :: binary() | secret_printout(),
+	  dhfile               :: binary() | secret_printout() | 'undefined',
 	  user_lookup_fun,  % server option, fun to lookup the user
-	  psk_identity         :: binary() | secret_printout() ,
+	  psk_identity         :: binary() | secret_printout() | 'undefined',
 	  srp_identity,  % client option {User, Password}
 	  ciphers,    % 
 	  %% Local policy for the server if it want's to reuse the session
@@ -105,21 +114,33 @@
 	  reuse_sessions       :: boolean(),
 	  renegotiate_at,
 	  secure_renegotiate,
+	  client_renegotiation,
 	  %% undefined if not hibernating, or number of ms of
 	  %% inactivity after which ssl_connection will go into
 	  %% hibernation
-	  hibernate_after      :: boolean(),
+	  hibernate_after      :: timeout(),
 	  %% This option should only be set to true by inet_tls_dist
 	  erl_dist = false     :: boolean(),
-	  next_protocols_advertised = undefined, %% [binary()],
+          alpn_advertised_protocols = undefined :: [binary()] | undefined ,
+          alpn_preferred_protocols = undefined  :: [binary()] | undefined,
+	  next_protocols_advertised = undefined :: [binary()] | undefined,
 	  next_protocol_selector = undefined,  %% fun([binary()]) -> binary())
 	  log_alert             :: boolean(),
 	  server_name_indication = undefined,
+	  sni_hosts  :: [{inet:hostname(), [tuple()]}],
+	  sni_fun :: function() | undefined,
 	  %% Should the server prefer its own cipher order over the one provided by
 	  %% the client?
-	  honor_cipher_order = false,
-	  padding_check = true,
-	  fallback = false
+	  honor_cipher_order = false :: boolean(),
+	  padding_check = true       :: boolean(),
+	  %%Should we use 1/n-1 or 0/n splitting to mitigate BEAST, or disable
+	  %%mitigation entirely?
+	  beast_mitigation = one_n_minus_one :: one_n_minus_one | zero_n | disabled,
+	  fallback = false           :: boolean(),
+	  crl_check                  :: boolean() | peer | best_effort, 
+	  crl_cache,
+	  signature_algs,
+	  v2_hello_compatible        :: boolean()
 	  }).
 
 -record(socket_options,