16 files changed, 581 insertions, 458 deletions

diff --git a/lib/ssl/src/inet_ssl_dist.erl b/lib/ssl/src/inet_ssl_dist.erl
index f62aefd35a..6c0fbc0618 100644
--- a/lib/ssl/src/inet_ssl_dist.erl
+++ b/lib/ssl/src/inet_ssl_dist.erl
@@ -1,8 +1,8 @@
-%%<copyright>
-%% <year>2000-2008</year>
-%% <holder>Ericsson AB, All Rights Reserved</holder>
-%%</copyright>
-%%<legalnotice>
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2000-2011. All Rights Reserved.
+%%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
 %% compliance with the License. You should have received a copy of the
@@ -14,8 +14,9 @@
 %% the License for the specific language governing rights and limitations
 %% under the License.
 %%
-%% The Initial Developer of the Original Code is Ericsson AB.
-%%</legalnotice>
+%% %CopyrightEnd%
+%%
+
 %%
 -module(inet_ssl_dist).
 
@@ -135,6 +136,9 @@ accept_connection(AcceptPid, Socket, MyNode, Allowed, SetupTime) ->
 	       [self(), AcceptPid, Socket, MyNode,
 		Allowed, SetupTime]).
 
+%% Suppress dialyzer warning, we do not really care about old ssl code
+%% as we intend to remove it.
+-spec(do_accept(_,_,_,_,_,_) -> no_return()).
 do_accept(Kernel, AcceptPid, Socket, MyNode, Allowed, SetupTime) ->
     process_flag(priority, max),
     receive
@@ -167,8 +171,8 @@ do_accept(Kernel, AcceptPid, Socket, MyNode, Allowed, SetupTime) ->
 					ssl_prim:getll(S)
 				end,
 		      f_address = fun get_remote_id/2,
-		      mf_tick = {?MODULE, tick},
-		      mf_getstat = {?MODULE,getstat}
+		      mf_tick = fun ?MODULE:tick/1,
+		      mf_getstat = fun ?MODULE:getstat/1
 		     },
 		    dist_util:handshake_other_started(HSData);
 		{false,IP} ->
@@ -204,6 +208,9 @@ setup(Node, Type, MyNode, LongOrShortNames,SetupTime) ->
 				   LongOrShortNames,
 				   SetupTime]).
 
+%% Suppress dialyzer warning, we do not really care about old ssl code
+%% as we intend to remove it.
+-spec(do_setup(_,_,_,_,_,_) -> no_return()).
 do_setup(Kernel, Node, Type, MyNode, LongOrShortNames,SetupTime) ->
     process_flag(priority, max),
     ?trace("~p~n",[{inet_ssl_dist,self(),setup,Node}]),
@@ -258,8 +265,8 @@ do_setup(Kernel, Node, Type, MyNode, LongOrShortNames,SetupTime) ->
 				   protocol = ssl,
 				   family = inet}
 			      end,
-			      mf_tick = {?MODULE, tick},
-			      mf_getstat = {?MODULE,getstat},
+			      mf_tick = fun ?MODULE:tick/1,
+			      mf_getstat = fun ?MODULE:getstat/1,
 			      request_type = Type
 			     },
 			    dist_util:handshake_we_started(HSData);
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index f4e6b59b6d..d3e426f254 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,9 +1,17 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
+  {"4.1.3", [{restart_application, ssl}]},
+  {"4.1.2", [{restart_application, ssl}]},
+  {"4.1.1", [{restart_application, ssl}]},
+  {"4.1", [{restart_application, ssl}]},
   {"4.0.1", [{restart_application, ssl}]}
  ], 
  [
+  {"4.1.3", [{restart_application, ssl}]},
+  {"4.1.2", [{restart_application, ssl}]},
+  {"4.1.1", [{restart_application, ssl}]},
+  {"4.1", [{restart_application, ssl}]},
   {"4.0.1", [{restart_application, ssl}]}
  ]}.
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index ef94750d02..7b1fda4cf9 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 1999-2010. All Rights Reserved.
+%% Copyright Ericsson AB 1999-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -49,10 +49,30 @@
 		 inet_ssl,          %% inet options for internal ssl socket 
 		 cb                 %% Callback info
 		}).
-
-%%--------------------------------------------------------------------
--spec start() -> ok.
--spec start(permanent | transient | temporary) -> ok.  
+-type option()       :: socketoption() | ssloption() | transportoption().
+-type socketoption() :: [{property(), term()}]. %% See gen_tcp and inet
+-type property()     :: atom().
+-type ssloption()    :: {verify, verify_type()} |
+			{verify_fun, {fun(), InitialUserState::term()}} |
+                        {fail_if_no_peer_cert, boolean()} | {depth, integer()} |
+                        {cert, Der::binary()} | {certfile, path()} | {key, Der::binary()} |
+                        {keyfile, path()} | {password, string()} | {cacerts, [Der::binary()]} |
+                        {cacertfile, path()} | {dh, Der::binary()} | {dhfile, path()} |
+                        {ciphers, ciphers()} | {ssl_imp, ssl_imp()} | {reuse_sessions, boolean()} |
+                        {reuse_session, fun()} | {hibernate_after, integer()|undefined}.
+
+-type verify_type()  :: verify_none | verify_peer.
+-type path()         :: string().
+-type ciphers()      :: [erl_cipher_suite()] |
+			string(). % (according to old API)
+-type ssl_imp()      :: new | old.
+
+-type transportoption() :: {CallbackModule::atom(), DataTag::atom(), ClosedTag::atom()}.
+
+
+%%--------------------------------------------------------------------
+-spec start() -> ok  | {error, reason()}.
+-spec start(permanent | transient | temporary) -> ok | {error, reason()}.
 %%
 %% Description: Utility function that starts the ssl, 
 %% crypto and public_key applications. Default type
@@ -77,9 +97,12 @@ stop() ->
     application:stop(ssl).
 
 %%--------------------------------------------------------------------
--spec connect(host() | port(), list()) -> {ok, #sslsocket{}}.
--spec connect(host() | port(), list() | port_num(), timeout() | list()) -> {ok, #sslsocket{}}.
--spec connect(host() | port(), port_num(), list(), timeout()) -> {ok, #sslsocket{}}.      
+-spec connect(host() | port(), [option()]) -> {ok, #sslsocket{}} |
+					      {error, reason()}.
+-spec connect(host() | port(), [option()] | port_num(), timeout() | list()) ->
+		     {ok, #sslsocket{}} | {error, reason()}.
+-spec connect(host() | port(), port_num(), list(), timeout()) ->
+		     {ok, #sslsocket{}} | {error, reason()}.
 
 %%
 %% Description: Connect to a ssl server.
@@ -126,7 +149,7 @@ connect(Host, Port, Options0, Timeout) ->
     end.
 
 %%--------------------------------------------------------------------
--spec listen(port_num(), list()) ->{ok, #sslsocket{}} | {error, reason()}.
+-spec listen(port_num(), [option()]) ->{ok, #sslsocket{}} | {error, reason()}.
 		    
 %%
 %% Description: Creates a ssl listen socket.
@@ -150,8 +173,10 @@ listen(Port, Options0) ->
     end.
 
 %%--------------------------------------------------------------------
--spec transport_accept(#sslsocket{}) -> {ok, #sslsocket{}}.
--spec transport_accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}}.
+-spec transport_accept(#sslsocket{}) -> {ok, #sslsocket{}} |
+					{error, reason()}.
+-spec transport_accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}} |
+						   {error, reason()}.
 %%
 %% Description: Performs transport accept on a ssl listen socket 
 %%--------------------------------------------------------------------
@@ -189,9 +214,10 @@ transport_accept(#sslsocket{} = ListenSocket, Timeout) ->
     ssl_broker:transport_accept(Pid, ListenSocket, Timeout).
 
 %%--------------------------------------------------------------------
--spec ssl_accept(#sslsocket{}) -> {ok, #sslsocket{}} | {error, reason()}.
--spec ssl_accept(#sslsocket{}, list() | timeout()) -> {ok, #sslsocket{}} | {error, reason()}.
--spec ssl_accept(port(), list(), timeout()) -> {ok, #sslsocket{}} | {error, reason()}.
+-spec ssl_accept(#sslsocket{}) -> ok | {error, reason()}.
+-spec ssl_accept(#sslsocket{} | port(), timeout()| [option()]) ->
+			ok | {ok, #sslsocket{}} | {error, reason()}.
+-spec ssl_accept(port(), [option()], timeout()) -> {ok, #sslsocket{}} | {error, reason()}.
 %%
 %% Description: Performs accept on a ssl listen socket. e.i. performs
 %%              ssl handshake. 
@@ -684,7 +710,8 @@ handle_options(Opts0, _Role) ->
       reuse_sessions = handle_option(reuse_sessions, Opts, true),
       secure_renegotiate = handle_option(secure_renegotiate, Opts, false),
       renegotiate_at = handle_option(renegotiate_at, Opts, ?DEFAULT_RENEGOTIATE_AT),
-      debug      = handle_option(debug, Opts, [])
+      debug      = handle_option(debug, Opts, []),
+      hibernate_after = handle_option(hibernate_after, Opts, undefined)
      },
 
     CbInfo  = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed, tcp_error}),    
@@ -693,7 +720,7 @@ handle_options(Opts0, _Role) ->
 		  depth, cert, certfile, key, keyfile,
 		  password, cacerts, cacertfile, dh, dhfile, ciphers,
 		  debug, reuse_session, reuse_sessions, ssl_imp,
-		  cb_info, renegotiate_at, secure_renegotiate],
+		  cb_info, renegotiate_at, secure_renegotiate, hibernate_after],
     
     SockOpts = lists:foldl(fun(Key, PropList) -> 
 				   proplists:delete(Key, PropList)
@@ -747,7 +774,7 @@ validate_option(depth, Value) when is_integer(Value),
 validate_option(cert, Value) when Value == undefined;
                                  is_binary(Value) ->
     Value;
-validate_option(certfile, Value) when is_list(Value) ->
+validate_option(certfile, Value) when Value == undefined; is_list(Value) ->
     Value;
 
 validate_option(key, undefined) ->
@@ -800,6 +827,10 @@ validate_option(renegotiate_at, Value) when is_integer(Value) ->
 
 validate_option(debug, Value) when is_list(Value); Value == true ->
     Value;
+validate_option(hibernate_after, undefined) ->
+    undefined;
+validate_option(hibernate_after, Value) when is_integer(Value), Value >= 0 ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {eoptions, {Opt, Value}}}).
     
@@ -890,7 +921,7 @@ cipher_suites(Version, [{_,_,_}| _] = Ciphers0) ->
     Ciphers = [ssl_cipher:suite(C) || C <- Ciphers0],
     cipher_suites(Version, Ciphers);
 cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    Supported = ssl_cipher:suites(Version),
+    Supported = ssl_cipher:suites(Version) ++ ssl_cipher:anonymous_suites(),
     case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported)] of
 	[] ->
 	    Supported;
diff --git a/lib/ssl/src/ssl_app.erl b/lib/ssl/src/ssl_app.erl
index 8d50fd7bdb..c9f81726b9 100644
--- a/lib/ssl/src/ssl_app.erl
+++ b/lib/ssl/src/ssl_app.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %% 
-%% Copyright Ericsson AB 1998-2009. All Rights Reserved.
+%% Copyright Ericsson AB 1998-2011. All Rights Reserved.
 %% 
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 5571fb01f6..8c0c2bfa5d 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -28,7 +28,6 @@
 -include("ssl_handshake.hrl").
 -include("ssl_alert.hrl").
 -include("ssl_internal.hrl").
--include("ssl_debug.hrl").
 -include_lib("public_key/include/public_key.hrl"). 
 
 -export([trusted_cert_and_path/2,
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 2a5a7f3394..3eceefa304 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -27,7 +27,9 @@
 
 -export([create/0, remove/1, add_trusted_certs/3, 
 	 remove_trusted_certs/2, lookup_trusted_cert/3, issuer_candidate/1,
-	 lookup_cached_certs/1, cache_pem_file/3]).
+	 lookup_cached_certs/1, cache_pem_file/4, uncache_pem_file/2, lookup/2]).
+
+-type time()      :: {non_neg_integer(), non_neg_integer(), non_neg_integer()}.
 
 %%====================================================================
 %% Internal application API
@@ -98,17 +100,35 @@ add_trusted_certs(Pid, File, [CertsDb, FileToRefDb, PidToFileDb]) ->
     insert(Pid, File, PidToFileDb),
     {ok, Ref}.
 %%--------------------------------------------------------------------
--spec cache_pem_file(pid(), string(), certdb_ref()) -> term().
+-spec cache_pem_file(pid(), string(), time(), certdb_ref()) -> term().
 %%
 %% Description: Cache file as binary in DB
 %%--------------------------------------------------------------------
-cache_pem_file(Pid, File, [CertsDb, _FileToRefDb, PidToFileDb]) ->
+cache_pem_file(Pid, File, Time, [CertsDb, _FileToRefDb, PidToFileDb]) ->
     {ok, PemBin} = file:read_file(File), 
     Content = public_key:pem_decode(PemBin),
-    insert({file, File}, Content, CertsDb),
+    insert({file, File}, {Time, Content}, CertsDb),
     insert(Pid, File, PidToFileDb),
     {ok, Content}.
 
+%--------------------------------------------------------------------
+-spec uncache_pem_file(string(), certdb_ref()) -> no_return().
+%%
+%% Description: If a cached file is no longer valid (changed on disk)
+%% we must terminate the connections using the old file content, and
+%% when those processes are finish the cache will be cleaned. It is
+%% a rare but possible case a new ssl client/server is started with
+%% a filename with the same name as previously started client/server
+%% but with different content.
+%% --------------------------------------------------------------------
+uncache_pem_file(File, [_CertsDb, _FileToRefDb, PidToFileDb]) ->
+    Pids = select(PidToFileDb, [{{'$1', File},[],['$$']}]),
+    lists:foreach(fun([Pid]) ->
+			  exit(Pid, shutdown)
+		  end, Pids).
+
+
+
 %%--------------------------------------------------------------------
 -spec remove_trusted_certs(pid(), certdb_ref()) -> term().
 				  
@@ -174,6 +194,22 @@ issuer_candidate(PrevCandidateKey) ->
     end.
 
 %%--------------------------------------------------------------------
+-spec lookup(term(), term()) -> term() | undefined.
+%%
+%% Description: Looks up an element in a certificat <Db>.
+%%--------------------------------------------------------------------
+lookup(Key, Db) ->
+    case ets:lookup(Db, Key) of
+	[] ->
+	    undefined;
+	Contents  ->
+	    Pick = fun({_, Data}) -> Data;
+		      ({_,_,Data}) -> Data
+		   end,
+	    [Pick(Data) || Data <- Contents]
+    end.
+
+%%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
 certificate_db_name() ->
@@ -191,16 +227,8 @@ ref_count(Key, Db,N) ->
 delete(Key, Db) ->
     _ = ets:delete(Db, Key).
 
-lookup(Key, Db) ->
-    case ets:lookup(Db, Key) of
-	[] ->
-	    undefined;
-	Contents  ->
-	    Pick = fun({_, Data}) -> Data;
-		      ({_,_,Data}) -> Data
-		   end,
-	    [Pick(Data) || Data <- Contents]
-    end.
+select(Db, MatchSpec)->
+    ets:select(Db, MatchSpec).
 
 remove_certs(Ref, CertsDb) ->
     ets:match_delete(CertsDb, {{Ref, '_', '_'}, '_'}).
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 8230149304..72f02a4362 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -29,12 +29,11 @@
 -include("ssl_record.hrl").
 -include("ssl_cipher.hrl").
 -include("ssl_alert.hrl").
--include("ssl_debug.hrl").
 -include_lib("public_key/include/public_key.hrl").
 
 -export([security_parameters/2, suite_definition/1,
 	 decipher/5, cipher/4, 
-	 suite/1, suites/1,
+	 suite/1, suites/1, anonymous_suites/0,
 	 openssl_suite/1, openssl_suite_name/1, filter/2]).
 
 -compile(inline).
@@ -75,20 +74,12 @@ cipher(?RC4, CipherState, Mac, Fragment) ->
                  S -> S
              end,
     GenStreamCipherList = [Fragment, Mac],
-
-    ?DBG_HEX(GenStreamCipherList),
-    ?DBG_HEX(State0),
     {State1, T} = crypto:rc4_encrypt_with_state(State0, GenStreamCipherList),
-    ?DBG_HEX(T),
     {T, CipherState#cipher_state{state = State1}};
 cipher(?DES, CipherState, Mac, Fragment) ->
     block_cipher(fun(Key, IV, T) ->
 			 crypto:des_cbc_encrypt(Key, IV, T)
 		 end, block_size(des_cbc), CipherState, Mac, Fragment);
-%% cipher(?DES40, CipherState, Mac, Fragment) ->
-%%     block_cipher(fun(Key, IV, T) ->
-%% 			 crypto:des_cbc_encrypt(Key, IV, T)
-%% 		 end, block_size(des_cbc), CipherState, Mac, Fragment);
 cipher(?'3DES', CipherState, Mac, Fragment) ->
     block_cipher(fun(<<K1:8/binary, K2:8/binary, K3:8/binary>>, IV, T) ->
 			 crypto:des3_cbc_encrypt(K1, K2, K3, IV, T)
@@ -109,11 +100,7 @@ block_cipher(Fun, BlockSz, #cipher_state{key=Key, iv=IV} = CS0,
     TotSz = byte_size(Mac) + erlang:iolist_size(Fragment) + 1,
     {PaddingLength, Padding} = get_padding(TotSz, BlockSz),
     L = [Fragment, Mac, PaddingLength, Padding],
-    ?DBG_HEX(Key),
-    ?DBG_HEX(IV),
-    ?DBG_HEX(L),
     T = Fun(Key, IV, L),
-    ?DBG_HEX(T),
     NextIV = next_iv(T, IV),
     {T, CS0#cipher_state{iv=NextIV}}.
 
@@ -127,26 +114,29 @@ block_cipher(Fun, BlockSz, #cipher_state{key=Key, iv=IV} = CS0,
 decipher(?NULL, _HashSz, CipherState, Fragment, _) ->
     {Fragment, <<>>, CipherState};
 decipher(?RC4, HashSz, CipherState, Fragment, _) ->
-    ?DBG_TERM(CipherState#cipher_state.key),
     State0 = case CipherState#cipher_state.state of
                  undefined -> crypto:rc4_set_key(CipherState#cipher_state.key);
                  S -> S
              end,
-    ?DBG_HEX(State0),
-    ?DBG_HEX(Fragment),
-    {State1, T} = crypto:rc4_encrypt_with_state(State0, Fragment),
-    ?DBG_HEX(T),
-    GSC = generic_stream_cipher_from_bin(T, HashSz),
-    #generic_stream_cipher{content=Content, mac=Mac} = GSC,
-    {Content, Mac, CipherState#cipher_state{state=State1}};
+    try crypto:rc4_encrypt_with_state(State0, Fragment) of
+	{State, Text} ->
+	    GSC = generic_stream_cipher_from_bin(Text, HashSz),
+	    #generic_stream_cipher{content = Content, mac = Mac} = GSC,
+	    {Content, Mac, CipherState#cipher_state{state = State}}
+    catch
+	_:_ ->
+	    %% This is a DECRYPTION_FAILED but
+	    %% "differentiating between bad_record_mac and decryption_failed
+	    %% alerts may permit certain attacks against CBC mode as used in
+	    %% TLS [CBCATT].  It is preferable to uniformly use the
+	    %% bad_record_mac alert to hide the specific type of the error."
+	    ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
+    end;
+
 decipher(?DES, HashSz, CipherState, Fragment, Version) ->
     block_decipher(fun(Key, IV, T) ->
 			   crypto:des_cbc_decrypt(Key, IV, T)
 		   end, CipherState, HashSz, Fragment, Version);
-%% decipher(?DES40, HashSz, CipherState, Fragment, Version) ->
-%%     block_decipher(fun(Key, IV, T) ->
-%% 			   crypto:des_cbc_decrypt(Key, IV, T)
-%% 		   end, CipherState, HashSz, Fragment, Version);
 decipher(?'3DES', HashSz, CipherState, Fragment, Version) ->
     block_decipher(fun(<<K1:8/binary, K2:8/binary, K3:8/binary>>, IV, T) ->
 			   crypto:des3_cbc_decrypt(K1, K2, K3, IV, T)
@@ -164,22 +154,27 @@ decipher(?AES, HashSz, CipherState, Fragment, Version) ->
 
 block_decipher(Fun, #cipher_state{key=Key, iv=IV} = CipherState0, 
 	       HashSz, Fragment, Version) ->
-    ?DBG_HEX(Key),
-    ?DBG_HEX(IV),
-    ?DBG_HEX(Fragment),
-    T = Fun(Key, IV, Fragment),
-    ?DBG_HEX(T),
-    GBC = generic_block_cipher_from_bin(T, HashSz),
-    case is_correct_padding(GBC, Version) of  
-	true ->
-	    Content = GBC#generic_block_cipher.content,
-	    Mac = GBC#generic_block_cipher.mac,
-	    CipherState1 = CipherState0#cipher_state{iv=next_iv(Fragment, IV)},
-	    {Content, Mac, CipherState1};
-	false ->
+    try Fun(Key, IV, Fragment) of
+	Text ->
+	    GBC = generic_block_cipher_from_bin(Text, HashSz),
+	    case is_correct_padding(GBC, Version) of
+		true ->
+		    Content = GBC#generic_block_cipher.content,
+		    Mac = GBC#generic_block_cipher.mac,
+		    CipherState1 = CipherState0#cipher_state{iv=next_iv(Fragment, IV)},
+		    {Content, Mac, CipherState1};
+		false ->
+		    ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
+	    end
+    catch
+	_:_ ->
+	    %% This is a DECRYPTION_FAILED but
+	    %% "differentiating between bad_record_mac and decryption_failed
+	    %% alerts may permit certain attacks against CBC mode as used in
+	    %% TLS [CBCATT].  It is preferable to uniformly use the
+	    %% bad_record_mac alert to hide the specific type of the error."
 	    ?ALERT_REC(?FATAL, ?BAD_RECORD_MAC)
     end.
-	    
 %%--------------------------------------------------------------------
 -spec suites(tls_version()) -> [cipher_suite()].
 %%
@@ -191,6 +186,19 @@ suites({3, N}) when N == 1; N == 2 ->
     ssl_tls1:suites().
 
 %%--------------------------------------------------------------------
+-spec anonymous_suites() -> [cipher_suite()].
+%%
+%% Description: Returns a list of the anonymous cipher suites, only supported
+%% if explicitly set by user. Intended only for testing.
+%%--------------------------------------------------------------------
+anonymous_suites() ->
+    [?TLS_DH_anon_WITH_RC4_128_MD5,
+     ?TLS_DH_anon_WITH_DES_CBC_SHA,
+     ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+     ?TLS_DH_anon_WITH_AES_128_CBC_SHA,
+     ?TLS_DH_anon_WITH_AES_256_CBC_SHA].
+
+%%--------------------------------------------------------------------
 -spec suite_definition(cipher_suite()) -> erl_cipher_suite().
 %%
 %% Description: Return erlang cipher suite definition.
@@ -235,7 +243,20 @@ suite_definition(?TLS_RSA_WITH_AES_256_CBC_SHA) ->
 suite_definition(?TLS_DHE_DSS_WITH_AES_256_CBC_SHA) ->
     {dhe_dss, aes_256_cbc, sha};
 suite_definition(?TLS_DHE_RSA_WITH_AES_256_CBC_SHA) ->
-    {dhe_rsa, aes_256_cbc, sha}.
+    {dhe_rsa, aes_256_cbc, sha};
+
+%%% DH-ANON deprecated by TLS spec and not available
+%%% by default, but good for testing purposes.
+suite_definition(?TLS_DH_anon_WITH_RC4_128_MD5) ->
+    {dh_anon, rc4_128, md5};
+suite_definition(?TLS_DH_anon_WITH_DES_CBC_SHA) ->
+    {dh_anon, des_cbc, sha};
+suite_definition(?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA) ->
+    {dh_anon, '3des_ede_cbc', sha};
+suite_definition(?TLS_DH_anon_WITH_AES_128_CBC_SHA) ->
+    {dh_anon, aes_128_cbc, sha};
+suite_definition(?TLS_DH_anon_WITH_AES_256_CBC_SHA) ->
+    {dh_anon, aes_256_cbc, sha}.
 
 %%--------------------------------------------------------------------
 -spec suite(erl_cipher_suite()) -> cipher_suite().
@@ -266,12 +287,12 @@ suite({dhe_rsa, des_cbc, sha}) ->
     ?TLS_DHE_RSA_WITH_DES_CBC_SHA;
 suite({dhe_rsa, '3des_ede_cbc', sha}) ->
     ?TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; 
-%% suite({dh_anon, rc4_128, md5}) ->
-%%     ?TLS_DH_anon_WITH_RC4_128_MD5;
-%% suite({dh_anon, des40_cbc, sha}) ->
-%%     ?TLS_DH_anon_WITH_DES_CBC_SHA;
-%% suite({dh_anon, '3des_ede_cbc', sha}) ->
-%%     ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
+suite({dh_anon, rc4_128, md5}) ->
+    ?TLS_DH_anon_WITH_RC4_128_MD5;
+suite({dh_anon, des_cbc, sha}) ->
+    ?TLS_DH_anon_WITH_DES_CBC_SHA;
+suite({dh_anon, '3des_ede_cbc', sha}) ->
+    ?TLS_DH_anon_WITH_3DES_EDE_CBC_SHA;
 
 %%% TSL V1.1 AES suites
 suite({rsa, aes_128_cbc, sha}) ->
@@ -280,16 +301,16 @@ suite({dhe_dss, aes_128_cbc, sha}) ->
     ?TLS_DHE_DSS_WITH_AES_128_CBC_SHA; 
 suite({dhe_rsa, aes_128_cbc, sha}) ->
     ?TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
-%% suite({dh_anon, aes_128_cbc, sha}) ->
-%%     ?TLS_DH_anon_WITH_AES_128_CBC_SHA;
+suite({dh_anon, aes_128_cbc, sha}) ->
+    ?TLS_DH_anon_WITH_AES_128_CBC_SHA;
 suite({rsa, aes_256_cbc, sha}) ->
     ?TLS_RSA_WITH_AES_256_CBC_SHA;
 suite({dhe_dss, aes_256_cbc, sha}) ->
     ?TLS_DHE_DSS_WITH_AES_256_CBC_SHA;
 suite({dhe_rsa, aes_256_cbc, sha}) ->
-    ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA.
-%% suite({dh_anon, aes_256_cbc, sha}) ->
-%%     ?TLS_DH_anon_WITH_AES_256_CBC_SHA.
+    ?TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
+suite({dh_anon, aes_256_cbc, sha}) ->
+    ?TLS_DH_anon_WITH_AES_256_CBC_SHA.
 
 %%--------------------------------------------------------------------
 -spec openssl_suite(openssl_cipher_suite()) -> cipher_suite().
@@ -390,8 +411,6 @@ bulk_cipher_algorithm(null) ->
 %%     ?IDEA;
 bulk_cipher_algorithm(rc4_128) ->
     ?RC4;
-%% bulk_cipher_algorithm(des40_cbc) ->
-%%     ?DES40;
 bulk_cipher_algorithm(des_cbc) ->
     ?DES;
 bulk_cipher_algorithm('3des_ede_cbc') ->
@@ -405,7 +424,6 @@ type(Cipher) when Cipher == null;
     ?STREAM;
 
 type(Cipher) when Cipher == idea_cbc;
-		  Cipher == des40_cbc;
 		  Cipher == des_cbc;
 		  Cipher == '3des_ede_cbc';
 		  Cipher == aes_128_cbc;
@@ -417,8 +435,6 @@ key_material(null) ->
 key_material(Cipher) when Cipher == idea_cbc;
  			  Cipher == rc4_128 ->
     16;
-%%key_material(des40_cbc) ->	
-%%   5;
 key_material(des_cbc) ->
     8;
 key_material('3des_ede_cbc') ->
@@ -433,8 +449,7 @@ expanded_key_material(null) ->
 expanded_key_material(Cipher) when Cipher == idea_cbc;
  				   Cipher == rc4_128 ->
     16;
-expanded_key_material(Cipher) when Cipher == des_cbc;
- 				   Cipher == des40_cbc ->
+expanded_key_material(Cipher) when Cipher == des_cbc ->
     8;
 expanded_key_material('3des_ede_cbc') ->
     24;
@@ -445,8 +460,6 @@ expanded_key_material(Cipher) when Cipher == aes_128_cbc;
 
 effective_key_bits(null) ->
     0;
-%%effective_key_bits(des40_cbc) -> 
-%%    40;
 effective_key_bits(des_cbc) ->
     56;
 effective_key_bits(Cipher) when Cipher == idea_cbc;
@@ -465,7 +478,6 @@ iv_size(Cipher) ->
     block_size(Cipher).
 
 block_size(Cipher) when Cipher == idea_cbc;
-			Cipher == des40_cbc;
 			Cipher == des_cbc;
 			Cipher == '3des_ede_cbc' -> 
     8;
@@ -580,5 +592,3 @@ filter_rsa_suites(Use, KeyUse, CipherSuits, RsaSuites) ->
 	false ->
 	    CipherSuits -- RsaSuites
     end.
-
-
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index bd1ba6978a..574e1e9468 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -29,7 +29,6 @@
 
 -behaviour(gen_fsm).
 
--include("ssl_debug.hrl").
 -include("ssl_handshake.hrl").
 -include("ssl_alert.hrl").
 -include("ssl_record.hrl").
@@ -71,7 +70,6 @@
 	  %% {{md5_hash, sha_hash}, {prev_md5, prev_sha}} (binary())
           tls_handshake_hashes, % see above 
           tls_cipher_texts,     % list() received but not deciphered yet
-          own_cert,             % binary()  
           session,              % #session{} from ssl_handshake.hrl
 	  session_cache,        % 
 	  session_cache_cb,     %
@@ -91,7 +89,8 @@
 	  log_alert,           % boolean() 
 	  renegotiation,        % {boolean(), From | internal | peer}
 	  recv_during_renegotiation,  %boolean() 
-	  send_queue           % queue()
+	  send_queue,           % queue()
+	  terminated = false   %
 	 }).
 
 -define(DEFAULT_DIFFIE_HELLMAN_PARAMS, 
@@ -290,9 +289,9 @@ start_link(Role, Host, Port, Socket, Options, User, CbInfo) ->
 %% gen_fsm callbacks
 %%====================================================================
 %%--------------------------------------------------------------------
--spec init(list()) -> {ok, state_name(), #state{}} | {stop, term()}.                   
+-spec init(list()) -> {ok, state_name(), #state{}, timeout()} | {stop, term()}.
 %% Possible return values not used now.
-%%			  | {ok, state_name(), #state{}, timeout()} |
+%%			  | {ok, state_name(), #state{}} |
 %%			  ignore  
 %% Description:Whenever a gen_fsm is started using gen_fsm:start/[3,4] or
 %% gen_fsm:start_link/3,4, this function is called by the new process to 
@@ -305,13 +304,14 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,
 
     try ssl_init(SSLOpts0, Role) of
 	{ok, Ref, CacheRef, OwnCert, Key, DHParams} ->	   
+	    Session = State0#state.session,
 	    State = State0#state{tls_handshake_hashes = Hashes0,
-				 own_cert = OwnCert,
+				 session = Session#session{own_certificate = OwnCert},
 				 cert_db_ref = Ref,
 				 session_cache = CacheRef,
 				 private_key = Key,
 				 diffie_hellman_params = DHParams},
-	    {ok, hello, State}
+	    {ok, hello, State, get_timeout(State)}
     catch   
 	throw:Error ->
 	    {stop, Error}
@@ -332,14 +332,13 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,
 %%--------------------------------------------------------------------
 hello(start, #state{host = Host, port = Port, role = client,
 		    ssl_options = SslOpts, 
+		    session = #session{own_certificate = Cert} = Session0,
 		    transport_cb = Transport, socket = Socket,
 		    connection_states = ConnectionStates,
-		    renegotiation = {Renegotiation, _}}
-      = State0) ->
-
+		    renegotiation = {Renegotiation, _}} = State0) ->
     Hello = ssl_handshake:client_hello(Host, Port, 
 				       ConnectionStates, 
-				       SslOpts, Renegotiation),
+				       SslOpts, Renegotiation, Cert),
 
     Version = Hello#client_hello.client_version,
     Hashes0 = ssl_handshake:init_hashes(),
@@ -348,13 +347,13 @@ hello(start, #state{host = Host, port = Port, role = client,
     Transport:send(Socket, BinMsg),
     State1 = State0#state{connection_states = CS2,
 			 negotiated_version = Version, %% Requested version
-			 session = 
-                         #session{session_id = Hello#client_hello.session_id,
-                                  is_resumable = false},
+			  session =
+			      Session0#session{session_id = Hello#client_hello.session_id,
+					       is_resumable = false},
 			  tls_handshake_hashes = Hashes1},
     {Record, State} = next_record(State1),
     next_state(hello, Record, State);
-    
+
 hello(start, #state{role = server} = State0) ->
     {Record, State} = next_record(State0),
     next_state(hello, Record, State);
@@ -371,10 +370,9 @@ hello(#server_hello{cipher_suite = CipherSuite,
 	     negotiated_version = ReqVersion,
 	     renegotiation = {Renegotiation, _},
 	     ssl_options = SslOptions} = State0) ->
-
     case ssl_handshake:hello(Hello, SslOptions, ConnectionStates0, Renegotiation) of
 	{Version, NewId, ConnectionStates} ->
-	    {KeyAlgorithm, _, _} = 
+	    {KeyAlgorithm, _, _} =
 		ssl_cipher:suite_definition(CipherSuite),
 	    
 	    PremasterSecret = make_premaster_secret(ReqVersion, KeyAlgorithm),
@@ -397,13 +395,11 @@ hello(#server_hello{cipher_suite = CipherSuite,
 
 hello(Hello = #client_hello{client_version = ClientVersion}, 
       State = #state{connection_states = ConnectionStates0,
-		     port = Port, session = Session0,
+		     port = Port, session = #session{own_certificate = Cert} = Session0,
 		     renegotiation = {Renegotiation, _},
 		     session_cache = Cache,		  
 		     session_cache_cb = CacheCb,
-		     ssl_options = SslOpts,
-		     own_cert = Cert}) ->
-    
+		     ssl_options = SslOpts}) ->
     case ssl_handshake:hello(Hello, SslOpts, {Port, Session0, Cache, CacheCb,
 				     ConnectionStates0, Cert}, Renegotiation) of
         {Version, {Type, Session}, ConnectionStates} ->       
@@ -416,6 +412,9 @@ hello(Hello = #client_hello{client_version = ClientVersion},
             {stop, normal, State}
     end;
 
+hello(timeout, State) ->
+    { next_state, hello, State, hibernate };
+
 hello(Msg, State) ->
     handle_unexpected_message(Msg, hello, State).
 %%--------------------------------------------------------------------
@@ -464,6 +463,9 @@ abbreviated(#finished{verify_data = Data} = Finished,
             {stop, normal, State} 
     end;
 
+abbreviated(timeout, State) ->
+    { next_state, abbreviated, State, hibernate };
+
 abbreviated(Msg, State) ->
     handle_unexpected_message(Msg, abbreviated, State).
 
@@ -512,7 +514,7 @@ certify(#certificate{} = Cert,
 certify(#server_key_exchange{} = KeyExchangeMsg, 
         #state{role = client, negotiated_version = Version,
 	       key_algorithm = Alg} = State0) 
-  when Alg == dhe_dss; Alg == dhe_rsa ->
+  when Alg == dhe_dss; Alg == dhe_rsa;  Alg == dh_anon ->
     case handle_server_key(KeyExchangeMsg, State0) of
 	#state{} = State1 ->
 	    {Record, State} = next_record(State1),
@@ -537,7 +539,7 @@ certify(#server_hello_done{},
 	       connection_states = ConnectionStates0,
 	       negotiated_version = Version,
 	       premaster_secret = undefined,
-	       role = client} = State0) ->    
+	       role = client} = State0) ->
     case ssl_handshake:master_secret(Version, Session, 
 				     ConnectionStates0, client) of
 	{MasterSecret, ConnectionStates1} -> 
@@ -586,6 +588,9 @@ certify(#client_key_exchange{exchange_keys = Keys},
 	    {stop, normal, State}
     end;
 
+certify(timeout, State) ->
+    { next_state, certify, State, hibernate };
+
 certify(Msg, State) ->
     handle_unexpected_message(Msg, certify, State).
 
@@ -613,25 +618,9 @@ certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPubl
 			    #state{negotiated_version = Version,
 				   diffie_hellman_params = #'DHParameter'{prime = P,
 									  base = G},
-				   diffie_hellman_keys = {_, ServerDhPrivateKey},
-				   role = Role,
-				   session = Session,
-				   connection_states = ConnectionStates0} = State0) ->
-
-    PMpint = crypto:mpint(P),
-    GMpint = crypto:mpint(G),	
-    PremasterSecret = crypto:dh_compute_key(mpint_binary(ClientPublicDhKey),
-					    ServerDhPrivateKey,
-					    [PMpint, GMpint]),
-
-    case ssl_handshake:master_secret(Version, PremasterSecret,
-				     ConnectionStates0, Role) of
-	{MasterSecret, ConnectionStates} ->
-	    State1 = State0#state{session = 
-				      Session#session{master_secret
-						      = MasterSecret},
-				  connection_states = ConnectionStates},
-
+				   diffie_hellman_keys = {_, ServerDhPrivateKey}} = State0) ->
+    case dh_master_secret(crypto:mpint(P), crypto:mpint(G), ClientPublicDhKey, ServerDhPrivateKey, State0) of
+	#state{} = State1 ->
 	    {Record, State} = next_record(State1),
 	    next_state(cipher, Record, State);
 	#alert{} = Alert ->
@@ -653,12 +642,10 @@ cipher(#certificate_verify{signature = Signature},
 	      public_key_info = PublicKeyInfo,
 	      negotiated_version = Version,
 	      session = #session{master_secret = MasterSecret},
-	      key_algorithm = Algorithm,
 	      tls_handshake_hashes = Hashes
 	     } = State0) -> 
     case ssl_handshake:certificate_verify(Signature, PublicKeyInfo,
-					  Version, MasterSecret, 
-					  Algorithm, Hashes) of
+					  Version, MasterSecret, Hashes) of
 	valid ->
 	    {Record, State} = next_record(State0),
 	    next_state(cipher, Record, State);
@@ -674,8 +661,7 @@ cipher(#finished{verify_data = Data} = Finished,
 	      role = Role,
 	      session = #session{master_secret = MasterSecret} 
 	      = Session0,
-	      tls_handshake_hashes = Hashes0} = State) ->    
-    
+	      tls_handshake_hashes = Hashes0} = State) ->
     case ssl_handshake:verify_connection(Version, Finished, 
 					 opposite_role(Role), 
                                          MasterSecret, Hashes0) of
@@ -687,6 +673,9 @@ cipher(#finished{verify_data = Data} = Finished,
             {stop, normal, State} 
     end;
 
+cipher(timeout, State) ->
+    { next_state, cipher, State, hibernate };
+
 cipher(Msg, State) ->
     handle_unexpected_message(Msg, cipher, State).
 
@@ -696,15 +685,15 @@ cipher(Msg, State) ->
 %%--------------------------------------------------------------------
 connection(#hello_request{}, #state{host = Host, port = Port,
 				    socket = Socket,
+				    session = #session{own_certificate = Cert},
 				    ssl_options = SslOpts,
 				    negotiated_version = Version,
 				    transport_cb = Transport,
 				    connection_states = ConnectionStates0,
 				    renegotiation = {Renegotiation, _},
 				    tls_handshake_hashes = Hashes0} = State0) ->
-   
     Hello = ssl_handshake:client_hello(Host, Port, ConnectionStates0,
-				       SslOpts, Renegotiation),
+				       SslOpts, Renegotiation, Cert),
   
     {BinMsg, ConnectionStates1, Hashes1} =
         encode_handshake(Hello, Version, ConnectionStates0, Hashes0),
@@ -716,6 +705,9 @@ connection(#hello_request{}, #state{host = Host, port = Port,
 connection(#client_hello{} = Hello, #state{role = server} = State) ->
     hello(Hello, State);
 
+connection(timeout, State) ->
+    {next_state, connection, State, hibernate};
+
 connection(Msg, State) ->
     handle_unexpected_message(Msg, connection, State).
 %%--------------------------------------------------------------------
@@ -728,7 +720,7 @@ connection(Msg, State) ->
 %% the event. Not currently used!
 %%--------------------------------------------------------------------
 handle_event(_Event, StateName, State) ->
-    {next_state, StateName, State}.
+    {next_state, StateName, State, get_timeout(State)}.
 
 %%--------------------------------------------------------------------
 -spec handle_sync_event(term(), from(), state_name(), #state{}) -> 
@@ -759,7 +751,8 @@ handle_sync_event({application_data, Data0}, From, connection,
 	    {Msgs, [], ConnectionStates} ->
 		Result = Transport:send(Socket, Msgs),
 		{reply, Result,
-		 connection, State#state{connection_states = ConnectionStates}};
+		 connection, State#state{connection_states = ConnectionStates},
+                 get_timeout(State)};
 	    {Msgs, RestData, ConnectionStates} ->
 		if 
 		    Msgs =/= [] ->
@@ -772,12 +765,14 @@ handle_sync_event({application_data, Data0}, From, connection,
 					renegotiation = {true, internal}})
 	end
     catch throw:Error ->
-	    {reply, Error, connection, State}
+	    {reply, Error, connection, State, get_timeout(State)}
     end;
 handle_sync_event({application_data, Data}, From, StateName, 
 		  #state{send_queue = Queue} = State) ->
     %% In renegotiation priorities handshake, send data when handshake is finished
-    {next_state, StateName, State#state{send_queue = queue:in({From, Data}, Queue)}};
+    {next_state, StateName,
+     State#state{send_queue = queue:in({From, Data}, Queue)},
+     get_timeout(State)};
 
 handle_sync_event(start, From, hello, State) ->
     hello(start, State#state{from = From});
@@ -791,12 +786,16 @@ handle_sync_event(start, From, hello, State) ->
 %% here to make sure it is the users problem and not owers if
 %% they upgrade a active socket. 
 handle_sync_event(start, _, connection, State) ->
-    {reply, connected, connection, State};
+    {reply, connected, connection, State, get_timeout(State)};
 handle_sync_event(start, From, StateName, State) ->
-    {next_state, StateName, State#state{from = From}};
+    {next_state, StateName, State#state{from = From}, get_timeout(State)};
 
-handle_sync_event(close, _, _StateName, State) ->
-    {stop, normal, ok, State};
+handle_sync_event(close, _, StateName, State) ->
+    %% Run terminate before returning
+    %% so that the reuseaddr inet-option will work
+    %% as intended.
+    (catch terminate(user_close, StateName, State)),
+    {stop, normal, ok, State#state{terminated = true}};
 
 handle_sync_event({shutdown, How0}, _, StateName,
 		  #state{transport_cb = Transport,
@@ -815,7 +814,7 @@ handle_sync_event({shutdown, How0}, _, StateName,
     
     case Transport:shutdown(Socket, How0) of
 	ok ->
-	    {reply, ok, StateName, State};
+	    {reply, ok, StateName, State, get_timeout(State)};
 	Error ->
 	    {stop, normal, Error, State}
     end;
@@ -826,30 +825,33 @@ handle_sync_event({recv, N}, From, connection = StateName, State0) ->
 %% Doing renegotiate wait with handling request until renegotiate is
 %% finished. Will be handled by next_state_connection/2.
 handle_sync_event({recv, N}, From, StateName, State) ->
-    {next_state, StateName, State#state{bytes_to_read = N, from = From,
-				       recv_during_renegotiation = true}};
+    {next_state, StateName,
+     State#state{bytes_to_read = N, from = From,
+                 recv_during_renegotiation = true},
+     get_timeout(State)};
 
 handle_sync_event({new_user, User}, _From, StateName, 
 		  State =#state{user_application = {OldMon, _}}) ->
     NewMon = erlang:monitor(process, User),
     erlang:demonitor(OldMon, [flush]),
-    {reply, ok, StateName, State#state{user_application = {NewMon,User}}};
+    {reply, ok, StateName, State#state{user_application = {NewMon,User}},
+     get_timeout(State)};
 
 handle_sync_event({get_opts, OptTags}, _From, StateName,
 		  #state{socket = Socket,
 			 socket_options = SockOpts} = State) ->
     OptsReply = get_socket_opts(Socket, OptTags, SockOpts, []),
-    {reply, OptsReply, StateName, State};
+    {reply, OptsReply, StateName, State, get_timeout(State)};
 
 handle_sync_event(sockname, _From, StateName,
 		  #state{socket = Socket} = State) ->
     SockNameReply = inet:sockname(Socket),
-    {reply, SockNameReply, StateName, State};
+    {reply, SockNameReply, StateName, State, get_timeout(State)};
 
 handle_sync_event(peername, _From, StateName,
 		  #state{socket = Socket} = State) ->
     PeerNameReply = inet:peername(Socket),
-    {reply, PeerNameReply, StateName, State};
+    {reply, PeerNameReply, StateName, State, get_timeout(State)};
 
 handle_sync_event({set_opts, Opts0}, _From, StateName, 
 		  #state{socket_options = Opts1, 
@@ -859,27 +861,27 @@ handle_sync_event({set_opts, Opts0}, _From, StateName,
     State1 = State0#state{socket_options = Opts},
     if 
 	Opts#socket_options.active =:= false ->
-	    {reply, ok, StateName, State1};
+	    {reply, ok, StateName, State1, get_timeout(State1)};
 	Buffer =:= <<>>, Opts1#socket_options.active =:= false ->
             %% Need data, set active once
 	    {Record, State2} = next_record_if_active(State1),
 	    case next_state(StateName, Record, State2) of
-		{next_state, StateName, State} ->
-		    {reply, ok, StateName, State};
+		{next_state, StateName, State, Timeout} ->
+		    {reply, ok, StateName, State, Timeout};
 		{stop, Reason, State} ->
 		    {stop, Reason, State}
 	    end;
 	Buffer =:= <<>> ->
             %% Active once already set 
-	    {reply, ok, StateName, State1};
+	    {reply, ok, StateName, State1, get_timeout(State1)};
 	true ->
 	    case application_data(<<>>, State1) of
 		Stop = {stop,_,_} ->
 		    Stop;
 		{Record, State2} ->
 		    case next_state(StateName, Record, State2) of
-			{next_state, StateName, State} ->
-			    {reply, ok, StateName, State};
+			{next_state, StateName, State, Timeout} ->
+			    {reply, ok, StateName, State, Timeout};
 			{stop, Reason, State} ->
 			    {stop, Reason, State}
 		    end
@@ -890,7 +892,7 @@ handle_sync_event(renegotiate, From, connection, State) ->
     renegotiate(State#state{renegotiation = {true, From}});
 
 handle_sync_event(renegotiate, _, StateName, State) ->
-    {reply, {error, already_renegotiating}, StateName, State};
+    {reply, {error, already_renegotiating}, StateName, State, get_timeout(State)};
 
 handle_sync_event(info, _, StateName, 
 		  #state{negotiated_version = Version,
@@ -898,19 +900,19 @@ handle_sync_event(info, _, StateName,
     
     AtomVersion = ssl_record:protocol_version(Version),
     {reply, {ok, {AtomVersion, ssl_cipher:suite_definition(Suite)}}, 
-     StateName, State};
+     StateName, State, get_timeout(State)};
 
 handle_sync_event(session_info, _, StateName, 
 		  #state{session = #session{session_id = Id,
 					    cipher_suite = Suite}} = State) ->
     {reply, [{session_id, Id}, 
 	     {cipher_suite, ssl_cipher:suite_definition(Suite)}], 
-     StateName, State};
+     StateName, State, get_timeout(State)};
 
 handle_sync_event(peer_certificate, _, StateName, 
 		  #state{session = #session{peer_certificate = Cert}} 
 		  = State) ->
-    {reply, {ok, Cert}, StateName, State}.
+    {reply, {ok, Cert}, StateName, State, get_timeout(State)}.
 
 %%--------------------------------------------------------------------
 -spec handle_info(msg(),state_name(), #state{}) -> 
@@ -974,7 +976,7 @@ handle_info({'DOWN', MonitorRef, _, _, _}, _,
 handle_info(Msg, StateName, State) ->
     Report = io_lib:format("SSL: Got unexpected info: ~p ~n", [Msg]),
     error_logger:info_report(Report),
-    {next_state, StateName, State}.
+    {next_state, StateName, State, get_timeout(State)}.
 
 %%--------------------------------------------------------------------
 -spec terminate(reason(), state_name(), #state{}) -> term().
@@ -984,24 +986,28 @@ handle_info(Msg, StateName, State) ->
 %% necessary cleaning up. When it returns, the gen_fsm terminates with
 %% Reason. The return value is ignored.
 %%--------------------------------------------------------------------
-terminate(_Reason, connection, #state{negotiated_version = Version,
+terminate(_, _, #state{terminated = true}) ->
+    %% Happens when user closes the connection using ssl:close/1
+    %% we want to guarantee that Transport:close has been called
+    %% when ssl:close/1 returns.
+    ok;
+terminate(Reason, connection, #state{negotiated_version = Version,
 				      connection_states = ConnectionStates,
 				      transport_cb = Transport,
 				      socket = Socket, send_queue = SendQueue,
 				      renegotiation = Renegotiate}) ->
     notify_senders(SendQueue),
     notify_renegotiater(Renegotiate),
-    {BinAlert, _} = encode_alert(?ALERT_REC(?WARNING,?CLOSE_NOTIFY),
-				 Version, ConnectionStates),
+    BinAlert = terminate_alert(Reason, Version, ConnectionStates),
     Transport:send(Socket, BinAlert),
-    workaround_transport_delivery_problems(Socket, Transport),
+    workaround_transport_delivery_problems(Socket, Transport, Reason),
     Transport:close(Socket);
-terminate(_Reason, _StateName, #state{transport_cb = Transport, 
+terminate(Reason, _StateName, #state{transport_cb = Transport,
 				      socket = Socket, send_queue = SendQueue,
 				      renegotiation = Renegotiate}) ->
     notify_senders(SendQueue),
     notify_renegotiater(Renegotiate),
-    workaround_transport_delivery_problems(Socket, Transport),
+    workaround_transport_delivery_problems(Socket, Transport, Reason),
     Transport:close(Socket).
 
 %%--------------------------------------------------------------------
@@ -1058,6 +1064,8 @@ init_certificates(#ssl_options{cacerts = CaCerts,
 	end,
     init_certificates(Cert, CertDbRef, CacheRef, CertFile, Role).
 
+init_certificates(undefined, CertDbRef, CacheRef, "", _) ->
+    {ok, CertDbRef, CacheRef, undefined};
 
 init_certificates(undefined, CertDbRef, CacheRef, CertFile, client) ->
     try 
@@ -1068,18 +1076,18 @@ init_certificates(undefined, CertDbRef, CacheRef, CertFile, client) ->
     end;
 
 init_certificates(undefined, CertDbRef, CacheRef, CertFile, server) ->
-     try 
+    try
 	[OwnCert] = ssl_certificate:file_to_certificats(CertFile),
 	{ok, CertDbRef, CacheRef, OwnCert}
-     catch
-	 Error:Reason ->
-	     handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,
-			       erlang:get_stacktrace())
-     end;
+    catch
+	Error:Reason ->
+	    handle_file_error(?LINE, Error, Reason, CertFile, ecertfile,
+			      erlang:get_stacktrace())
+    end;
 init_certificates(Cert, CertDbRef, CacheRef, _, _) ->
     {ok, CertDbRef, CacheRef, Cert}.
 
-init_private_key(undefined, "", _Password, client) -> 
+init_private_key(undefined, "", _Password, _Client) ->
     undefined;
 init_private_key(undefined, KeyFile, Password, _)  -> 
     try
@@ -1099,12 +1107,13 @@ init_private_key({rsa, PrivateKey}, _, _,_) ->
 init_private_key({dsa, PrivateKey},_,_,_) ->
     public_key:der_decode('DSAPrivateKey', PrivateKey).
 
+-spec(handle_file_error(_,_,_,_,_,_) -> no_return()).
 handle_file_error(Line, Error, {badmatch, Reason}, File, Throw, Stack) ->
     file_error(Line, Error, Reason, File, Throw, Stack);
 handle_file_error(Line, Error, Reason, File, Throw, Stack) ->
     file_error(Line, Error, Reason, File, Throw, Stack).
 
--spec(file_error/6 :: (_,_,_,_,_,_) -> no_return()).
+-spec(file_error(_,_,_,_,_,_) -> no_return()).
 file_error(Line, Error, Reason, File, Throw, Stack) ->
     Report = io_lib:format("SSL: ~p: ~p:~p ~s~n  ~p~n",
 			   [Line, Error, Reason, File, Stack]),
@@ -1164,7 +1173,7 @@ certify_client(#state{client_certificate_requested = true, role = client,
                       transport_cb = Transport,
                       negotiated_version = Version,
                       cert_db_ref = CertDbRef,
-                      own_cert = OwnCert,
+		      session = #session{own_certificate = OwnCert},
                       socket = Socket,
                       tls_handshake_hashes = Hashes0} = State) ->
     Certificate = ssl_handshake:certificate(OwnCert, CertDbRef, client),
@@ -1180,18 +1189,17 @@ verify_client_cert(#state{client_certificate_requested = true, role = client,
 			  connection_states = ConnectionStates0,
 			  transport_cb = Transport,
 			  negotiated_version = Version,
-			  own_cert = OwnCert,
 			  socket = Socket,
-			  key_algorithm = KeyAlg,
 			  private_key = PrivateKey,
-			  session = #session{master_secret = MasterSecret},
+			  session = #session{master_secret = MasterSecret,
+					     own_certificate = OwnCert},
 			  tls_handshake_hashes = Hashes0} = State) ->
+
     case ssl_handshake:client_certificate_verify(OwnCert, MasterSecret, 
-						 Version, KeyAlg, 
-						 PrivateKey, Hashes0) of
+						 Version, PrivateKey, Hashes0) of
         #certificate_verify{} = Verified ->
             {BinVerified, ConnectionStates1, Hashes1} = 
-                encode_handshake(Verified, KeyAlg, Version, 
+                encode_handshake(Verified, Version,
                                  ConnectionStates0, Hashes0),
             Transport:send(Socket, BinVerified),
             State#state{connection_states = ConnectionStates1,
@@ -1340,15 +1348,17 @@ server_hello_done(#state{transport_cb = Transport,
     Transport:send(Socket, BinHelloDone),
     State#state{connection_states = NewConnectionStates,
 		tls_handshake_hashes = NewHashes}.
-   
-certify_server(#state{transport_cb = Transport,
-                      socket = Socket,
-                      negotiated_version = Version,
-                      connection_states = ConnectionStates,
-                      tls_handshake_hashes = Hashes,
-                      cert_db_ref = CertDbRef,
-                      own_cert = OwnCert} = State) ->
 
+certify_server(#state{key_algorithm = dh_anon} = State) ->
+    State;
+
+certify_server(#state{transport_cb = Transport,
+		      socket = Socket,
+		      negotiated_version = Version,
+		      connection_states = ConnectionStates,
+		      tls_handshake_hashes = Hashes,
+		      cert_db_ref = CertDbRef,
+		      session = #session{own_certificate = OwnCert}} = State) ->
     case ssl_handshake:certificate(OwnCert, CertDbRef, server) of
 	CertMsg = #certificate{} ->
 	    {BinCertMsg, NewConnectionStates, NewHashes} =
@@ -1373,8 +1383,8 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 		    transport_cb = Transport
 		   } = State) 
   when Algo == dhe_dss;
-       Algo == dhe_rsa ->
-
+       Algo == dhe_rsa;
+       Algo == dh_anon ->
     Keys = crypto:dh_generate_key([crypto:mpint(P), crypto:mpint(G)]),
     ConnectionState = 
 	ssl_record:pending_connection_state(ConnectionStates0, read),
@@ -1392,11 +1402,6 @@ key_exchange(#state{role = server, key_algorithm = Algo,
 		diffie_hellman_keys = Keys,
                 tls_handshake_hashes = Hashes1};
 
-
-%% key_algorithm = dh_anon is not supported. Should be by default disabled
-%% if support is implemented and then we need a key_exchange clause for it
-%% here. 
-   
 key_exchange(#state{role = client, 
 		    connection_states = ConnectionStates0,
 		    key_algorithm = rsa,
@@ -1419,7 +1424,8 @@ key_exchange(#state{role = client,
 		    socket = Socket, transport_cb = Transport,
 		    tls_handshake_hashes = Hashes0} = State) 
   when Algorithm == dhe_dss;
-       Algorithm == dhe_rsa ->
+       Algorithm == dhe_rsa;
+       Algorithm == dh_anon ->
     Msg =  ssl_handshake:key_exchange(client, {dh, DhPubKey}),
     {BinMsg, ConnectionStates1, Hashes1} =
         encode_handshake(Msg, Version, ConnectionStates0, Hashes0),
@@ -1427,8 +1433,6 @@ key_exchange(#state{role = client,
     State#state{connection_states = ConnectionStates1,
                 tls_handshake_hashes = Hashes1}.
 
--spec(rsa_key_exchange/2 :: (_,_) -> no_return()).
-
 rsa_key_exchange(PremasterSecret, PublicKeyInfo = {Algorithm, _, _})  
   when Algorithm == ?rsaEncryption;
        Algorithm == ?md2WithRSAEncryption;
@@ -1497,23 +1501,30 @@ save_verify_data(client, #finished{verify_data = Data}, ConnectionStates, abbrev
 save_verify_data(server, #finished{verify_data = Data}, ConnectionStates, abbreviated) ->
     ssl_record:set_server_verify_data(current_write, Data, ConnectionStates).
 
+handle_server_key(#server_key_exchange{params =
+					   #server_dh_params{dh_p = P,
+							     dh_g = G,
+							     dh_y = ServerPublicDhKey},
+				       signed_params = <<>>},
+		  #state{key_algorithm = dh_anon} = State) ->
+    dh_master_secret(P, G, ServerPublicDhKey, undefined, State);
+
 handle_server_key(
   #server_key_exchange{params = 
 		       #server_dh_params{dh_p = P,
 					 dh_g = G,
 					 dh_y = ServerPublicDhKey}, 
 		       signed_params = Signed}, 
-  #state{session = Session, negotiated_version = Version, role = Role,
-	 public_key_info = PubKeyInfo,
+  #state{public_key_info = PubKeyInfo,
 	 key_algorithm = KeyAlgo,
-	 connection_states = ConnectionStates0} = State) ->
+	 connection_states = ConnectionStates} = State) ->
      
     PLen = size(P),
     GLen = size(G),
     YLen = size(ServerPublicDhKey),
 
     ConnectionState = 
-	ssl_record:pending_connection_state(ConnectionStates0, read),
+	ssl_record:pending_connection_state(ConnectionStates, read),
     SecParams = ConnectionState#connection_state.security_parameters,
     #security_parameters{client_random = ClientRandom,
 			 server_random = ServerRandom} = SecParams, 
@@ -1527,29 +1538,11 @@ handle_server_key(
     
     case verify_dh_params(Signed, Hash, PubKeyInfo) of
 	true ->
-	    PMpint = mpint_binary(P),
-	    GMpint = mpint_binary(G),	
-	    Keys = {_, ClientDhPrivateKey} = 
-		crypto:dh_generate_key([PMpint,GMpint]),
-	    PremasterSecret = 
-		crypto:dh_compute_key(mpint_binary(ServerPublicDhKey), 
-				      ClientDhPrivateKey, [PMpint, GMpint]),
-	    case ssl_handshake:master_secret(Version, PremasterSecret, 
-					     ConnectionStates0, Role) of
-		{MasterSecret, ConnectionStates} ->
-		    State#state{diffie_hellman_keys = Keys,
-				 session = 
-				 Session#session{master_secret 
-						 = MasterSecret},
-				 connection_states = ConnectionStates};
-		#alert{} = Alert ->
-		    Alert
-	    end;
+	    dh_master_secret(P, G, ServerPublicDhKey, undefined, State);
 	false ->
-	    ?ALERT_REC(?FATAL,?HANDSHAKE_FAILURE)
+	    ?ALERT_REC(?FATAL, ?DECRYPT_ERROR)
     end.
 
-
 verify_dh_params(Signed, Hashes, {?rsaEncryption, PubKey, _PubKeyParams}) ->
     case public_key:decrypt_public(Signed, PubKey, 
 				   [{rsa_pad, rsa_pkcs1_padding}]) of
@@ -1561,6 +1554,30 @@ verify_dh_params(Signed, Hashes, {?rsaEncryption, PubKey, _PubKeyParams}) ->
 verify_dh_params(Signed, Hash, {?'id-dsa', PublicKey, PublicKeyParams}) ->
     public_key:verify(Hash, none, Signed, {PublicKey, PublicKeyParams}). 
 
+dh_master_secret(Prime, Base, PublicDhKey, undefined, State) ->
+    PMpint = mpint_binary(Prime),
+    GMpint = mpint_binary(Base),
+    Keys = {_, PrivateDhKey} =
+	crypto:dh_generate_key([PMpint,GMpint]),
+    dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey, State#state{diffie_hellman_keys = Keys});
+
+dh_master_secret(PMpint, GMpint, PublicDhKey, PrivateDhKey,
+		 #state{session = Session,
+			negotiated_version = Version, role = Role,
+			connection_states = ConnectionStates0} = State) ->
+    PremasterSecret =
+	crypto:dh_compute_key(mpint_binary(PublicDhKey), PrivateDhKey,
+			      [PMpint, GMpint]),
+    case ssl_handshake:master_secret(Version, PremasterSecret,
+				     ConnectionStates0, Role) of
+	{MasterSecret, ConnectionStates} ->
+	    State#state{
+	      session =
+		  Session#session{master_secret = MasterSecret},
+	      connection_states = ConnectionStates};
+	#alert{} = Alert ->
+	    Alert
+    end.
 
 cipher_role(client, Data, Session, #state{connection_states = ConnectionStates0} = State) -> 
     ConnectionStates = ssl_record:set_server_verify_data(current_both, Data, ConnectionStates0),
@@ -1578,20 +1595,13 @@ cipher_role(server, Data, Session,  #state{connection_states = ConnectionStates0
 							     tls_handshake_hashes =
 							     Hashes})).
 encode_alert(#alert{} = Alert, Version, ConnectionStates) ->
-    ?DBG_TERM(Alert),
     ssl_record:encode_alert_record(Alert, Version, ConnectionStates).
 
 encode_change_cipher(#change_cipher_spec{}, Version, ConnectionStates) ->
-    ?DBG_TERM(#change_cipher_spec{}),
     ssl_record:encode_change_cipher_spec(Version, ConnectionStates).
 
-encode_handshake(HandshakeRec, Version, ConnectionStates, Hashes) ->
-    encode_handshake(HandshakeRec, null, Version, 
-		     ConnectionStates, Hashes).
-
-encode_handshake(HandshakeRec, SigAlg, Version, ConnectionStates0, Hashes0) ->
-    ?DBG_TERM(HandshakeRec),
-    Frag = ssl_handshake:encode_handshake(HandshakeRec, Version, SigAlg),
+encode_handshake(HandshakeRec, Version, ConnectionStates0, Hashes0) ->
+    Frag = ssl_handshake:encode_handshake(HandshakeRec, Version),
     Hashes1 = ssl_handshake:update_hashes(Hashes0, Frag),
     {E, ConnectionStates1} =
         ssl_record:encode_handshake(Frag, Version, ConnectionStates0),
@@ -1789,7 +1799,7 @@ handle_tls_handshake(Handle, StateName, #state{tls_packets = [Packet]} = State)
 handle_tls_handshake(Handle, StateName, #state{tls_packets = [Packet | Packets]} = State0) ->
     FsmReturn = {next_state, StateName, State0#state{tls_packets = Packets}},
     case Handle(Packet, FsmReturn) of
-	{next_state, NextStateName, State} ->
+	{next_state, NextStateName, State, _Timeout} ->
 	    handle_tls_handshake(Handle, NextStateName, State);
 	{stop, _,_} = Stop ->
 	    Stop
@@ -1800,11 +1810,11 @@ next_state(_, #alert{} = Alert, #state{negotiated_version = Version} = State) ->
     {stop, normal, State};
 
 next_state(Next, no_record, State) ->
-    {next_state, Next, State};
+    {next_state, Next, State, get_timeout(State)};
 
 next_state(Next, #ssl_tls{type = ?ALERT, fragment = EncAlerts}, State) ->
     Alerts = decode_alerts(EncAlerts),
-    handle_alerts(Alerts,  {next_state, Next, State});
+    handle_alerts(Alerts,  {next_state, Next, State, get_timeout(State)});
 
 next_state(StateName, #ssl_tls{type = ?HANDSHAKE, fragment = Data},
 	   State0 = #state{tls_handshake_buffer = Buf0, negotiated_version = Version}) ->
@@ -1848,7 +1858,6 @@ next_state(StateName, #ssl_tls{type = ?APPLICATION_DATA, fragment = Data}, State
 next_state(StateName, #ssl_tls{type = ?CHANGE_CIPHER_SPEC, fragment = <<1>>} = 
  	   _ChangeCipher, 
  	   #state{connection_states = ConnectionStates0} = State0) ->
-    ?DBG_TERM(_ChangeCipher),
     ConnectionStates1 =
  	ssl_record:activate_pending_connection_state(ConnectionStates0, read),
     {Record, State} = next_record(State0#state{connection_states = ConnectionStates1}),
@@ -1925,14 +1934,22 @@ next_state_connection(StateName, #state{send_queue = Queue0,
 	    next_state_is_connection(State)
     end.
 
+%% In next_state_is_connection/1: clear tls_handshake_hashes,
+%% premaster_secret and public_key_info (only needed during handshake)
+%% to reduce memory foot print of a connection.
 next_state_is_connection(State = 
 		      #state{recv_during_renegotiation = true, socket_options = 
 			     #socket_options{active = false}})  -> 
-    passive_receive(State#state{recv_during_renegotiation = false}, connection);
+    passive_receive(State#state{recv_during_renegotiation = false,
+				premaster_secret = undefined,
+				public_key_info = undefined,
+				tls_handshake_hashes = {<<>>, <<>>}}, connection);
 
 next_state_is_connection(State0) ->
     {Record, State} = next_record_if_active(State0),
-    next_state(connection, Record, State).
+    next_state(connection, Record, State#state{premaster_secret = undefined,
+					       public_key_info = undefined,
+					       tls_handshake_hashes = {<<>>, <<>>}}).
 
 register_session(_, _, _, #session{is_resumable = true} = Session) ->
     Session; %% Already registered
@@ -2048,7 +2065,7 @@ handle_alerts([], Result) ->
 handle_alerts(_, {stop, _, _} = Stop) ->
     %% If it is a fatal alert immediately close 
     Stop;
-handle_alerts([Alert | Alerts], {next_state, StateName, State}) ->
+handle_alerts([Alert | Alerts], {next_state, StateName, State, _Timeout}) ->
     handle_alerts(Alerts, handle_alert(Alert, StateName, State)).
 
 handle_alert(#alert{level = ?FATAL} = Alert, StateName,
@@ -2179,7 +2196,7 @@ renegotiate(#state{role = server,
 		   negotiated_version = Version,
 		   connection_states = ConnectionStates0} = State0) ->
     HelloRequest = ssl_handshake:hello_request(),
-    Frag = ssl_handshake:encode_handshake(HelloRequest, Version, null),
+    Frag = ssl_handshake:encode_handshake(HelloRequest, Version),
     Hs0 = ssl_handshake:init_hashes(),
     {BinMsg, ConnectionStates} = 
 	ssl_record:encode_handshake(Frag, Version, ConnectionStates0),
@@ -2199,10 +2216,23 @@ notify_renegotiater({true, From}) when not is_atom(From)  ->
 notify_renegotiater(_) ->
     ok.
 
-workaround_transport_delivery_problems(Socket, Transport) ->
+terminate_alert(Reason, Version, ConnectionStates) when Reason == normal; Reason == shutdown;
+							Reason == user_close ->
+    {BinAlert, _} = encode_alert(?ALERT_REC(?WARNING, ?CLOSE_NOTIFY),
+				 Version, ConnectionStates),
+    BinAlert;
+terminate_alert(_, Version, ConnectionStates) ->
+    {BinAlert, _} = encode_alert(?ALERT_REC(?FATAL, ?INTERNAL_ERROR),
+				 Version, ConnectionStates),
+    BinAlert.
+
+workaround_transport_delivery_problems(_,_, user_close) ->
+    ok;
+workaround_transport_delivery_problems(Socket, Transport, _) ->
     %% Standard trick to try to make sure all
     %% data sent to to tcp port is really sent
-    %% before tcp port is closed.
+    %% before tcp port is closed so that the peer will
+    %% get a correct error message.
     inet:setopts(Socket, [{active, false}]),
     Transport:shutdown(Socket, write),
     Transport:recv(Socket, 0).
@@ -2216,3 +2246,8 @@ linux_workaround_transport_delivery_problems(#alert{level = ?FATAL}, Socket) ->
     end;
 linux_workaround_transport_delivery_problems(_, _) ->
     ok.
+
+get_timeout(#state{ssl_options=#ssl_options{hibernate_after=undefined}}) ->
+    infinity;
+get_timeout(#state{ssl_options=#ssl_options{hibernate_after=HibernateAfter}}) ->
+    HibernateAfter.
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 5b1a510034..1f4c44d115 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -28,16 +28,15 @@
 -include("ssl_cipher.hrl").
 -include("ssl_alert.hrl").
 -include("ssl_internal.hrl").
--include("ssl_debug.hrl").
 -include_lib("public_key/include/public_key.hrl").
 
--export([master_secret/4, client_hello/5, server_hello/4, hello/4,
+-export([master_secret/4, client_hello/6, server_hello/4, hello/4,
 	 hello_request/0, certify/6, certificate/3,
-	 client_certificate_verify/6, certificate_verify/6,
+	 client_certificate_verify/5, certificate_verify/5,
 	 certificate_request/2, key_exchange/2, server_key_exchange_hash/2,
 	 finished/4, verify_connection/5, get_tls_handshake/2,
-	 decode_client_key/3, server_hello_done/0, sig_alg/1,
-	 encode_handshake/3, init_hashes/0, update_hashes/2,
+	 decode_client_key/3, server_hello_done/0,
+	 encode_handshake/2, init_hashes/0, update_hashes/2,
 	 decrypt_premaster_secret/2]).
 
 -type tls_handshake() :: #client_hello{} | #server_hello{} |
@@ -50,13 +49,13 @@
 %%====================================================================
 %%--------------------------------------------------------------------
 -spec client_hello(host(), port_num(), #connection_states{},
-		   #ssl_options{}, boolean()) -> #client_hello{}.
+		   #ssl_options{}, boolean(), der_cert()) -> #client_hello{}.
 %%
 %% Description: Creates a client hello message.
 %%--------------------------------------------------------------------
 client_hello(Host, Port, ConnectionStates, #ssl_options{versions = Versions,
 							ciphers = UserSuites} 
-	     = SslOpts, Renegotiation) ->
+	     = SslOpts, Renegotiation, OwnCert) ->
     
     Fun = fun(Version) ->
 		  ssl_record:protocol_version(Version)
@@ -66,7 +65,7 @@ client_hello(Host, Port, ConnectionStates, #ssl_options{versions = Versions,
     SecParams = Pending#connection_state.security_parameters,
     Ciphers = available_suites(UserSuites, Version),
 
-    Id = ssl_manager:client_session_id(Host, Port, SslOpts),
+    Id = ssl_manager:client_session_id(Host, Port, SslOpts, OwnCert),
 
     #client_hello{session_id = Id, 
 		  client_version = Version,
@@ -195,14 +194,12 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbRef,
 		{fun(OtpCert, ExtensionOrError, {SslState, UserState}) ->
 			 case ssl_certificate:validate_extension(OtpCert,
 								 ExtensionOrError,
-								SslState) of
-			    {valid, _} ->
-				apply_user_fun(Fun, OtpCert,
-					       ExtensionOrError, UserState,
-					       SslState);
-			    {fail, Reason} ->
-				apply_user_fun(Fun, OtpCert, Reason, UserState,
-					       SslState);
+								 SslState) of
+			     {valid, NewSslState} ->
+				 {valid, {NewSslState, UserState}};
+			     {fail, Reason} ->
+				 apply_user_fun(Fun, OtpCert, Reason, UserState,
+						SslState);
 			     {unknown, _} ->
 				 apply_user_fun(Fun, OtpCert,
 						ExtensionOrError, UserState, SslState)
@@ -237,7 +234,7 @@ certificate(OwnCert, CertDbRef, client) ->
 	    {error, _} -> 
 		%% If no suitable certificate is available, the client
 		%% SHOULD send a certificate message containing no
-		%% certificates. (chapter 7.4.6. rfc 4346) 
+		%% certificates. (chapter 7.4.6. RFC 4346)
 		[]	 
 	end,
     #certificate{asn1_certificates = Chain};
@@ -252,17 +249,17 @@ certificate(OwnCert, CertDbRef, server) ->
 
 %%--------------------------------------------------------------------
 -spec client_certificate_verify(undefined | der_cert(), binary(),
-				tls_version(), key_algo(), private_key(),
+				tls_version(), private_key(),
 				{{binary(), binary()},{binary(), binary()}}) ->  
     #certificate_verify{} | ignore | #alert{}.
 %%
 %% Description: Creates a certificate_verify message, called by the client.
 %%--------------------------------------------------------------------
-client_certificate_verify(undefined, _, _, _, _, _) ->
+client_certificate_verify(undefined, _, _, _, _) ->
     ignore;
-client_certificate_verify(_, _, _, _, undefined, _) ->
+client_certificate_verify(_, _, _, undefined, _) ->
     ignore;
-client_certificate_verify(OwnCert, MasterSecret, Version, Algorithm,
+client_certificate_verify(OwnCert, MasterSecret, Version,
 			  PrivateKey, {Hashes0, _}) ->
     case public_key:pkix_is_fixed_dh_cert(OwnCert) of
 	true ->
@@ -270,33 +267,30 @@ client_certificate_verify(OwnCert, MasterSecret, Version, Algorithm,
 	false ->	    
 	    Hashes = 
 		calc_certificate_verify(Version, MasterSecret,
-					Algorithm, Hashes0), 
+					alg_oid(PrivateKey), Hashes0),
 	    Signed = digitally_signed(Hashes, PrivateKey),
 	    #certificate_verify{signature = Signed}
     end.
 
 %%--------------------------------------------------------------------
 -spec certificate_verify(binary(), public_key_info(), tls_version(),
-			 binary(), key_algo(),
-			 {_, {binary(), binary()}}) -> valid | #alert{}.
+			 binary(), {_, {binary(), binary()}}) -> valid | #alert{}.
 %%
 %% Description: Checks that the certificate_verify message is valid.
 %%--------------------------------------------------------------------
-certificate_verify(Signature, {_, PublicKey, _}, Version, 
-		   MasterSecret, Algorithm, {_, Hashes0}) 
-  when Algorithm == rsa;
-       Algorithm == dhe_rsa ->
+certificate_verify(Signature, {?'rsaEncryption'= Algorithm, PublicKey, _}, Version,
+		   MasterSecret, {_, Hashes0}) ->
     Hashes = calc_certificate_verify(Version, MasterSecret,
 					   Algorithm, Hashes0),
-    case public_key:decrypt_public(Signature, PublicKey, 
+    case public_key:decrypt_public(Signature, PublicKey,
 				   [{rsa_pad, rsa_pkcs1_padding}]) of
 	Hashes ->
 	    valid;
 	_ ->
 	    ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE)
     end;
-certificate_verify(Signature, {_, PublicKey, PublicKeyParams}, Version, 
-		   MasterSecret, dhe_dss = Algorithm, {_, Hashes0}) ->
+certificate_verify(Signature, {?'id-dsa' = Algorithm, PublicKey, PublicKeyParams}, Version,
+		   MasterSecret, {_, Hashes0}) ->
     Hashes = calc_certificate_verify(Version, MasterSecret,
 				     Algorithm, Hashes0),
     case public_key:verify(Hashes, none, Signature, {PublicKey, PublicKeyParams}) of
@@ -355,15 +349,22 @@ key_exchange(server, {dh, {<<?UINT32(Len), PublicKey:Len/binary>>, _},
     YLen = byte_size(PublicKey),
     ServerDHParams = #server_dh_params{dh_p = PBin, 
 				       dh_g = GBin, dh_y = PublicKey},    
-    Hash = 
-	server_key_exchange_hash(KeyAlgo, <<ClientRandom/binary, 
-					    ServerRandom/binary, 
-					    ?UINT16(PLen), PBin/binary, 
-					    ?UINT16(GLen), GBin/binary,
-					    ?UINT16(YLen), PublicKey/binary>>),
-    Signed = digitally_signed(Hash, PrivateKey),
-    #server_key_exchange{params = ServerDHParams,
-			 signed_params = Signed}.
+
+    case KeyAlgo of
+	dh_anon ->
+	    #server_key_exchange{params = ServerDHParams,
+				 signed_params = <<>>};
+	_ ->
+	    Hash =
+		server_key_exchange_hash(KeyAlgo, <<ClientRandom/binary,
+						    ServerRandom/binary,
+						    ?UINT16(PLen), PBin/binary,
+						    ?UINT16(GLen), GBin/binary,
+						    ?UINT16(YLen), PublicKey/binary>>),
+	    Signed = digitally_signed(Hash, PrivateKey),
+	    #server_key_exchange{params = ServerDHParams,
+				 signed_params = Signed}
+    end.
 
 %%--------------------------------------------------------------------
 -spec master_secret(tls_version(), #session{} | binary(), #connection_states{},
@@ -424,13 +425,11 @@ finished(Version, Role, MasterSecret, {Hashes, _}) -> % use the current hashes
 verify_connection(Version, #finished{verify_data = Data}, 
 		  Role, MasterSecret, {_, {MD5, SHA}}) -> 
     %% use the previous hashes
-    ?DBG_HEX(crypto:md5_final(MD5)),
-    ?DBG_HEX(crypto:sha_final(SHA)),
     case calc_finished(Version, Role, MasterSecret, {MD5, SHA}) of
 	Data ->
 	    verified;
-	_E ->
- 	    ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE)
+	_ ->
+	    ?ALERT_REC(?FATAL, ?DECRYPT_ERROR)
     end.
 %%--------------------------------------------------------------------
 -spec server_hello_done() ->  #server_hello_done{}.
@@ -441,13 +440,12 @@ server_hello_done() ->
     #server_hello_done{}.
 
 %%--------------------------------------------------------------------
--spec encode_handshake(tls_handshake(), tls_version(), key_algo()) -> iolist().
+-spec encode_handshake(tls_handshake(), tls_version()) -> iolist().
 %%     
 %% Description: Encode a handshake packet to binary
 %%--------------------------------------------------------------------
-encode_handshake(Package, Version, KeyAlg) ->
-    SigAlg = sig_alg(KeyAlg),
-    {MsgType, Bin} = enc_hs(Package, Version, SigAlg),
+encode_handshake(Package, Version) ->
+    {MsgType, Bin} = enc_hs(Package, Version),
     Len = byte_size(Bin),
     [MsgType, ?uint24(Len), Bin].
 
@@ -504,11 +502,8 @@ update_hashes(Hashes, % special-case SSL2 client hello
 		   CipherSuites:CSLength/binary,
 		   ChallengeData:CDLength/binary>>);
 update_hashes({{MD50, SHA0}, _Prev}, Data) ->
-    ?DBG_HEX(Data),
     {MD51, SHA1} = {crypto:md5_update(MD50, Data),
 		    crypto:sha_update(SHA0, Data)},
-    ?DBG_HEX(crypto:md5_final(MD51)),
-    ?DBG_HEX(crypto:sha_final(SHA1)),
     {{MD51, SHA1}, {MD50, SHA0}}.
 
 %%--------------------------------------------------------------------
@@ -522,11 +517,11 @@ decrypt_premaster_secret(Secret, RSAPrivateKey) ->
 				   [{rsa_pad, rsa_pkcs1_padding}])
     catch
 	_:_ ->
-	    throw(?ALERT_REC(?FATAL, ?DECRYPTION_FAILED))
+	    throw(?ALERT_REC(?FATAL, ?DECRYPT_ERROR))
     end.
 
 %%--------------------------------------------------------------------
--spec server_key_exchange_hash(rsa | dhe_rsa| dhe_dss, binary()) -> binary().
+-spec server_key_exchange_hash(rsa | dhe_rsa| dhe_dss | dh_anon, binary()) -> binary().
 
 %%
 %% Description: Calculate server key exchange hash
@@ -541,21 +536,6 @@ server_key_exchange_hash(dhe_dss, Value) ->
     crypto:sha(Value).
 
 %%--------------------------------------------------------------------
--spec sig_alg(atom()) -> integer().
-
-%%
-%% Description: Translate atom representation to enum representation.
-%%--------------------------------------------------------------------
-sig_alg(dh_anon) ->
-    ?SIGNATURE_ANONYMOUS;
-sig_alg(Alg) when Alg == dhe_rsa; Alg == rsa ->
-    ?SIGNATURE_RSA;
-sig_alg(dhe_dss) ->
-    ?SIGNATURE_DSA;
-sig_alg(_) ->
-    ?NULL.
-
-%%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
 get_tls_handshake_aux(<<?BYTE(Type), ?UINT24(Length), 
@@ -589,7 +569,7 @@ select_session(Hello, Port, Session, Version,
 	       #ssl_options{ciphers = UserSuites} = SslOpts, Cache, CacheCb, Cert) ->
     SuggestedSessionId = Hello#client_hello.session_id,
     SessionId = ssl_manager:server_session_id(Port, SuggestedSessionId, 
-					      SslOpts),
+					      SslOpts, Cert),
     
     Suites = available_suites(Cert, UserSuites, Version), 
     case ssl_session:is_new(SuggestedSessionId, SessionId) of
@@ -794,8 +774,7 @@ master_secret(Version, MasterSecret, #security_parameters{
      ServerWriteKey, ClientIV, ServerIV} =
 	setup_keys(Version, MasterSecret, ServerRandom, 
 		   ClientRandom, HashSize, KML, EKML, IVS),
-    ?DBG_HEX(ClientWriteKey),
-    ?DBG_HEX(ClientIV),
+
     ConnStates1 = ssl_record:set_master_secret(MasterSecret, ConnectionStates),
     ConnStates2 =
 	ssl_record:set_mac_secret(ClientWriteMacSecret, ServerWriteMacSecret,
@@ -819,8 +798,6 @@ dec_hs(?CLIENT_HELLO, <<?BYTE(Major), ?BYTE(Minor),
 		       ?UINT16(CDLength), 
 		       CipherSuites:CSLength/binary, 
 		       ChallengeData:CDLength/binary>>) ->
-    ?DBG_HEX(CipherSuites),
-    ?DBG_HEX(CipherSuites),
     #client_hello{client_version = {Major, Minor},
 		  random = ssl_ssl2:client_random(ChallengeData, CDLength),
 		  session_id = 0,
@@ -876,6 +853,13 @@ dec_hs(?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>) ->
 dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(PLen), P:PLen/binary,
 			      ?UINT16(GLen), G:GLen/binary,
 			      ?UINT16(YLen), Y:YLen/binary,
+			       ?UINT16(0)>>) -> %% May happen if key_algorithm is dh_anon
+    #server_key_exchange{params = #server_dh_params{dh_p = P,dh_g = G,
+						    dh_y = Y},
+			 signed_params = <<>>};
+dec_hs(?SERVER_KEY_EXCHANGE, <<?UINT16(PLen), P:PLen/binary,
+			      ?UINT16(GLen), G:GLen/binary,
+			      ?UINT16(YLen), Y:YLen/binary,
 			      ?UINT16(Len), Sig:Len/binary>>) ->
     #server_key_exchange{params = #server_dh_params{dh_p = P,dh_g = G, 
 						    dh_y = Y},
@@ -958,14 +942,14 @@ certs_from_list(ACList) ->
                         <<?UINT24(CertLen), Cert/binary>>
 		    end || Cert <- ACList]).
 
-enc_hs(#hello_request{}, _Version, _) ->
+enc_hs(#hello_request{}, _Version) ->
     {?HELLO_REQUEST, <<>>};
 enc_hs(#client_hello{client_version = {Major, Minor},
 		     random = Random,
 		     session_id = SessionID,
 		     cipher_suites = CipherSuites,
 		     compression_methods = CompMethods, 
-		     renegotiation_info = RenegotiationInfo}, _Version, _) ->
+		     renegotiation_info = RenegotiationInfo}, _Version) ->
     SIDLength = byte_size(SessionID),
     BinCompMethods = list_to_binary(CompMethods),
     CmLength = byte_size(BinCompMethods),
@@ -983,20 +967,20 @@ enc_hs(#server_hello{server_version = {Major, Minor},
 		     session_id = Session_ID,
 		     cipher_suite = Cipher_suite,
 		     compression_method = Comp_method,
-		     renegotiation_info = RenegotiationInfo}, _Version, _) ->
+		     renegotiation_info = RenegotiationInfo}, _Version) ->
     SID_length = byte_size(Session_ID),
     Extensions  = hello_extensions(RenegotiationInfo),
     ExtensionsBin = enc_hello_extensions(Extensions),
     {?SERVER_HELLO, <<?BYTE(Major), ?BYTE(Minor), Random:32/binary,
 		     ?BYTE(SID_length), Session_ID/binary,
                      Cipher_suite/binary, ?BYTE(Comp_method), ExtensionsBin/binary>>};
-enc_hs(#certificate{asn1_certificates = ASN1CertList}, _Version, _) ->
+enc_hs(#certificate{asn1_certificates = ASN1CertList}, _Version) ->
     ASN1Certs = certs_from_list(ASN1CertList),
     ACLen = erlang:iolist_size(ASN1Certs),
     {?CERTIFICATE, <<?UINT24(ACLen), ASN1Certs:ACLen/binary>>};
 enc_hs(#server_key_exchange{params = #server_dh_params{
 			      dh_p = P, dh_g = G, dh_y = Y},
-	signed_params = SignedParams}, _Version, _) ->
+	signed_params = SignedParams}, _Version) ->
     PLen = byte_size(P),
     GLen = byte_size(G),
     YLen = byte_size(Y),
@@ -1008,21 +992,21 @@ enc_hs(#server_key_exchange{params = #server_dh_params{
     };
 enc_hs(#certificate_request{certificate_types = CertTypes,
 			    certificate_authorities = CertAuths}, 
-       _Version, _) ->
+       _Version) ->
     CertTypesLen = byte_size(CertTypes),
     CertAuthsLen = byte_size(CertAuths),
     {?CERTIFICATE_REQUEST,
        <<?BYTE(CertTypesLen), CertTypes/binary,
 	?UINT16(CertAuthsLen), CertAuths/binary>>
     };
-enc_hs(#server_hello_done{}, _Version, _) ->
+enc_hs(#server_hello_done{}, _Version) ->
     {?SERVER_HELLO_DONE, <<>>};
-enc_hs(#client_key_exchange{exchange_keys = ExchangeKeys}, Version, _) ->
+enc_hs(#client_key_exchange{exchange_keys = ExchangeKeys}, Version) ->
     {?CLIENT_KEY_EXCHANGE, enc_cke(ExchangeKeys, Version)};
-enc_hs(#certificate_verify{signature = BinSig}, _, _) ->
+enc_hs(#certificate_verify{signature = BinSig}, _) ->
     EncSig = enc_bin_sig(BinSig),
     {?CERTIFICATE_VERIFY, EncSig};
-enc_hs(#finished{verify_data = VerifyData}, _Version, _) ->
+enc_hs(#finished{verify_data = VerifyData}, _Version) ->
     {?FINISHED, VerifyData}.
 
 enc_cke(#encrypted_premaster_secret{premaster_secret = PKEPMS},{3, 0}) ->
@@ -1152,7 +1136,7 @@ calc_certificate_verify({3, N}, _, Algorithm, Hashes)
 key_exchange_alg(rsa) ->
     ?KEY_EXCHANGE_RSA;
 key_exchange_alg(Alg) when Alg == dhe_rsa; Alg == dhe_dss;
-			    Alg == dh_dss; Alg == dh_rsa  ->
+			    Alg == dh_dss; Alg == dh_rsa; Alg == dh_anon ->
     ?KEY_EXCHANGE_DIFFIE_HELLMAN;
 key_exchange_alg(_) ->
     ?NULL.
@@ -1166,3 +1150,8 @@ apply_user_fun(Fun, OtpCert, ExtensionOrError, UserState0, SslState) ->
 	{unknown, UserState} ->
 	    {unknown, {SslState, UserState}}
     end.
+
+alg_oid(#'RSAPrivateKey'{}) ->
+    ?'rsaEncryption';
+alg_oid(#'DSAPrivateKey'{}) ->
+    ?'id-dsa'.
diff --git a/lib/ssl/src/ssl_handshake.hrl b/lib/ssl/src/ssl_handshake.hrl
index 74fba3786c..fb0ebac7d1 100644
--- a/lib/ssl/src/ssl_handshake.hrl
+++ b/lib/ssl/src/ssl_handshake.hrl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -26,9 +26,16 @@
 -ifndef(ssl_handshake).
 -define(ssl_handshake, true).
 
+-include_lib("public_key/include/public_key.hrl").
+
+-type algo_oid()          :: ?'rsaEncryption' | ?'id-dsa'.
+-type public_key_params() :: #'Dss-Parms'{} | term().
+-type public_key_info()   :: {algo_oid(), #'RSAPublicKey'{} | integer() , public_key_params()}.
+
 -record(session, {
 	  session_id,
 	  peer_certificate,
+	  own_certificate,
 	  compression_method,
 	  cipher_suite,
 	  master_secret,
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index ddb05e70f6..c28daa271e 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2010. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2011. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -19,12 +19,29 @@
 
 %%
 
-
 -ifndef(ssl_internal).
 -define(ssl_internal, true).
 
 -include_lib("public_key/include/public_key.hrl"). 
 
+-type reason()            :: term().
+-type reply()             :: term().
+-type msg()               :: term().
+-type from()              :: term().
+-type host()		  :: string() | tuple().
+-type port_num()	  :: integer().
+-type session_id()        :: 0 | binary().
+-type tls_version()       :: {integer(), integer()}.
+-type tls_atom_version()  :: sslv3 | tlsv1.
+-type cache_ref()         :: term().
+-type certdb_ref()        :: term().
+-type key_algo()          :: null | rsa | dhe_rsa | dhe_dss | dh_anon.
+-type der_cert()          :: binary().
+-type private_key()       :: #'RSAPrivateKey'{} | #'DSAPrivateKey'{}.
+-type issuer()            :: tuple().
+-type serialnumber()      :: integer().
+-type cert_key()          :: {reference(), integer(), issuer()}.
+
 %% basic binary constructors
 -define(BOOLEAN(X),  X:8/unsigned-big-integer).
 -define(BYTE(X),     X:8/unsigned-big-integer).
@@ -81,7 +98,11 @@
 	  reuse_sessions, % boolean()
 	  renegotiate_at,
 	  secure_renegotiate,
-	  debug           %
+	  debug,
+	  hibernate_after % undefined if not hibernating,
+                          % or number of ms of inactivity
+			  % after which ssl_connection will
+                          % go into hibernation
 	  }).
 
 -record(socket_options,
@@ -93,28 +114,6 @@
 	  active = true
 	 }).
 
--type reason()            :: term().
--type reply()             :: term().
--type msg()               :: term().
--type from()              :: term().
--type host()		  :: string() | tuple().
--type port_num()	  :: integer().
--type session_id()        :: 0 | binary().
--type tls_version()       :: {integer(), integer()}.
--type tls_atom_version()  :: sslv3 | tlsv1.
--type cache_ref()         :: term(). 
--type certdb_ref()        :: term(). 
--type key_algo()          :: null | rsa | dhe_rsa | dhe_dss.
--type enum_algo()          :: integer().
--type public_key()        :: #'RSAPublicKey'{} | integer().
--type public_key_params() :: #'Dss-Parms'{} | term().
--type public_key_info()   :: {enum_algo(), public_key(), public_key_params()}.
--type der_cert()          :: binary().
--type private_key()       :: #'RSAPrivateKey'{} | #'DSAPrivateKey'{}.
--type issuer()            :: tuple().
--type serialnumber()      :: integer().
--type cert_key()          :: {reference(), integer(), issuer()}.
-
 -endif. % -ifdef(ssl_internal).
 
 
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 3b02d96562..f845b1ecc0 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -29,8 +29,8 @@
 %% Internal application API
 -export([start_link/1, 
 	 connection_init/2, cache_pem_file/1,
-	 lookup_trusted_cert/3, issuer_candidate/1, client_session_id/3, 
-	 server_session_id/3,
+	 lookup_trusted_cert/3, issuer_candidate/1, client_session_id/4,
+	 server_session_id/4,
 	 register_session/2, register_session/3, invalidate_session/2,
 	 invalidate_session/3]).
 
@@ -43,6 +43,7 @@
 
 -include("ssl_handshake.hrl").
 -include("ssl_internal.hrl").
+-include_lib("kernel/include/file.hrl").
 
 -record(state, {
 	  session_cache,
@@ -76,16 +77,17 @@ start_link(Opts) ->
 connection_init(Trustedcerts, Role) ->
     call({connection_init, Trustedcerts, Role}).
 %%--------------------------------------------------------------------
--spec cache_pem_file(string()) -> {ok, term()}.	
+-spec cache_pem_file(string()) -> {ok, term()} | {error, reason()}.
 %%		    
-%% Description: Cach a pem file and 
+%% Description: Cach a pem file and return its content.
 %%--------------------------------------------------------------------
-cache_pem_file(File) ->   
-    case ssl_certificate_db:lookup_cached_certs(File) of
-	[{_,Content}] ->
-	    {ok, Content};
-	[] ->
-	    call({cache_pem, File})
+cache_pem_file(File) ->
+    try file:read_file_info(File) of
+	{ok, #file_info{mtime = LastWrite}} ->
+	    cache_pem_file(File, LastWrite)
+    catch
+	_:Reason ->
+	    {error, Reason}
     end.
 %%--------------------------------------------------------------------
 -spec lookup_trusted_cert(reference(), serialnumber(), issuer()) -> 
@@ -106,20 +108,21 @@ lookup_trusted_cert(Ref, SerialNumber, Issuer) ->
 issuer_candidate(PrevCandidateKey) ->
     ssl_certificate_db:issuer_candidate(PrevCandidateKey).
 %%--------------------------------------------------------------------
--spec client_session_id(host(), port_num(), #ssl_options{}) -> session_id().
+-spec client_session_id(host(), port_num(), #ssl_options{},
+			der_cert() | undefined) -> session_id().
 %%
 %% Description: Select a session id for the client.
 %%--------------------------------------------------------------------
-client_session_id(Host, Port, SslOpts) ->
-    call({client_session_id, Host, Port, SslOpts}).
+client_session_id(Host, Port, SslOpts, OwnCert) ->
+    call({client_session_id, Host, Port, SslOpts, OwnCert}).
 
 %%--------------------------------------------------------------------
--spec server_session_id(host(), port_num(), #ssl_options{}) -> session_id().
+-spec server_session_id(host(), port_num(), #ssl_options{}, der_cert()) -> session_id().
 %%
 %% Description: Select a session id for the server.
 %%--------------------------------------------------------------------
-server_session_id(Port, SuggestedSessionId, SslOpts) ->
-    call({server_session_id, Port, SuggestedSessionId, SslOpts}).
+server_session_id(Port, SuggestedSessionId, SslOpts, OwnCert) ->
+    call({server_session_id, Port, SuggestedSessionId, SslOpts, OwnCert}).
 
 %%--------------------------------------------------------------------
 -spec register_session(port_num(), #session{}) -> ok.
@@ -201,28 +204,35 @@ handle_call({{connection_init, Trustedcerts, _Role}, Pid}, _From,
 	end,
     {reply, Result, State};
 
-handle_call({{client_session_id, Host, Port, SslOpts}, _}, _, 
+handle_call({{client_session_id, Host, Port, SslOpts, OwnCert}, _}, _,
 	    #state{session_cache = Cache,
 		  session_cache_cb = CacheCb} = State) ->
-    Id = ssl_session:id({Host, Port, SslOpts}, Cache, CacheCb),
+    Id = ssl_session:id({Host, Port, SslOpts}, Cache, CacheCb, OwnCert),
     {reply, Id, State};
 
-handle_call({{server_session_id, Port, SuggestedSessionId, SslOpts}, _},
+handle_call({{server_session_id, Port, SuggestedSessionId, SslOpts, OwnCert}, _},
 	    _, #state{session_cache_cb = CacheCb,
 		      session_cache = Cache,
 		      session_lifetime = LifeTime} = State) ->
     Id = ssl_session:id(Port, SuggestedSessionId, SslOpts,
-			Cache, CacheCb, LifeTime),
+			Cache, CacheCb, LifeTime, OwnCert),
     {reply, Id, State};
 
-handle_call({{cache_pem, File},Pid}, _, State = #state{certificate_db = Db}) ->
-    try ssl_certificate_db:cache_pem_file(Pid,File,Db) of
+handle_call({{cache_pem, File, LastWrite}, Pid}, _, 
+	    #state{certificate_db = Db} = State) ->
+    try ssl_certificate_db:cache_pem_file(Pid, File, LastWrite, Db) of
 	Result ->
 	    {reply, Result, State}
     catch 
 	_:Reason ->
 	    {reply, {error, Reason}, State}
-    end.
+    end;
+handle_call({{recache_pem, File, LastWrite}, Pid}, From,
+	    #state{certificate_db = Db} = State) ->
+    ssl_certificate_db:uncache_pem_file(File, Db),
+    cast({recache_pem, File, LastWrite, Pid, From}),
+    {noreply, State}.
+
 %%--------------------------------------------------------------------
 -spec  handle_cast(msg(), #state{}) -> {noreply, #state{}}.
 %% Possible return values not used now.  
@@ -259,7 +269,21 @@ handle_cast({invalidate_session, Port, #session{session_id = ID}},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
     CacheCb:delete(Cache, {Port, ID}),
-    {noreply, State}.
+    {noreply, State};
+
+handle_cast({recache_pem, File, LastWrite, Pid, From},
+	    #state{certificate_db = [_, FileToRefDb, _]} = State0) ->
+    case ssl_certificate_db:lookup(File, FileToRefDb) of
+	undefined ->
+	    {reply, Msg, State} = handle_call({{cache_pem, File, LastWrite}, Pid}, From, State0),
+	    gen_server:reply(From, Msg),
+	    {noreply, State};
+	_ -> %% Send message to self letting cleanup messages be handled
+	     %% first so that no reference to the old version of file
+             %% exists when we cache the new one.
+	    cast({recache_pem, File, LastWrite, Pid, From}),
+	    {noreply, State0}
+    end.
 
 %%--------------------------------------------------------------------
 -spec handle_info(msg(), #state{}) -> {noreply, #state{}}.
@@ -286,12 +310,14 @@ handle_info({'EXIT', _, _}, State) ->
 handle_info({'DOWN', _Ref, _Type, _Pid, ecacertfile}, State) ->
     {noreply, State};
 
+handle_info({'DOWN', _Ref, _Type, Pid, shutdown}, State) ->
+    handle_info({remove_trusted_certs, Pid}, State);
 handle_info({'DOWN', _Ref, _Type, Pid, _Reason}, State) ->
     erlang:send_after(?CERTIFICATE_CACHE_CLEANUP, self(), 
 		      {remove_trusted_certs, Pid}),
     {noreply, State};
 handle_info({remove_trusted_certs, Pid}, 
-	    State = #state{certificate_db = Db}) ->
+	    #state{certificate_db = Db} = State) ->
     ssl_certificate_db:remove_trusted_certs(Pid, Db),
     {noreply, State};
 
@@ -362,3 +388,16 @@ session_validation({{{Host, Port}, _}, Session}, LifeTime) ->
 session_validation({{Port, _}, Session}, LifeTime) ->
     validate_session(Port, Session, LifeTime),
     LifeTime.
+
+cache_pem_file(File, LastWrite) ->
+    case ssl_certificate_db:lookup_cached_certs(File) of
+	[{_, {Mtime, Content}}] ->
+	    case LastWrite of
+		Mtime ->
+		    {ok, Content};
+		_ ->
+		    call({recache_pem, File, LastWrite})
+	    end;
+	[] ->
+	    call({cache_pem, File, LastWrite})
+    end.
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index 803baeb09c..f1c0073965 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -30,7 +30,6 @@
 -include("ssl_alert.hrl").
 -include("ssl_handshake.hrl").
 -include("ssl_cipher.hrl").
--include("ssl_debug.hrl").
 
 %% Connection state handling
 -export([init_connection_states/1, 
@@ -649,9 +648,7 @@ cipher(Type, Version, Fragment, CS0) ->
 						      BCA}
 				}} = 
 	hash_and_bump_seqno(CS0, Type, Version, Length, Fragment),
-    ?DBG_HEX(Fragment),
     {Ciphered, CipherS1} = ssl_cipher:cipher(BCA, CipherS0, MacHash, Fragment),
-    ?DBG_HEX(Ciphered),
     CS2 = CS1#connection_state{cipher_state=CipherS1},
     {Ciphered, CS2}.
 
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index 25e7445180..dc4b7a711c 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -28,7 +28,7 @@
 -include("ssl_internal.hrl").
 
 %% Internal application API
--export([is_new/2, id/3, id/6, valid_session/2]).
+-export([is_new/2, id/4, id/7, valid_session/2]).
 
 -define(GEN_UNIQUE_ID_MAX_TRIES, 10).
 
@@ -48,13 +48,14 @@ is_new(_ClientSuggestion, _ServerDecision) ->
     true.
 
 %%--------------------------------------------------------------------
--spec id({host(), port_num(), #ssl_options{}}, cache_ref(), atom()) -> binary().
+-spec id({host(), port_num(), #ssl_options{}}, cache_ref(), atom(),
+	 undefined | binary()) -> binary().
 %%
 %% Description: Should be called by the client side to get an id 
 %%              for the client hello message.
 %%--------------------------------------------------------------------
-id(ClientInfo, Cache, CacheCb) ->
-    case select_session(ClientInfo, Cache, CacheCb) of
+id(ClientInfo, Cache, CacheCb, OwnCert) ->
+    case select_session(ClientInfo, Cache, CacheCb, OwnCert) of
 	no_session ->
 	    <<>>;
 	SessionId ->
@@ -63,19 +64,19 @@ id(ClientInfo, Cache, CacheCb) ->
 
 %%--------------------------------------------------------------------
 -spec id(port_num(), binary(), #ssl_options{}, cache_ref(), 
-	 atom(), seconds()) -> binary().
+	 atom(), seconds(), binary()) -> binary().
 %%
 %% Description: Should be called by the server side to get an id 
 %%              for the server hello message.
 %%--------------------------------------------------------------------
-id(Port, <<>>, _, Cache, CacheCb, _) ->
+id(Port, <<>>, _, Cache, CacheCb, _, _) ->
     new_id(Port, ?GEN_UNIQUE_ID_MAX_TRIES, Cache, CacheCb);
 
 id(Port, SuggestedSessionId, #ssl_options{reuse_sessions = ReuseEnabled,
 					  reuse_session = ReuseFun}, 
-   Cache, CacheCb, SecondLifeTime) ->
+   Cache, CacheCb, SecondLifeTime, OwnCert) ->
     case is_resumable(SuggestedSessionId, Port, ReuseEnabled, 
-		      ReuseFun, Cache, CacheCb, SecondLifeTime) of
+		      ReuseFun, Cache, CacheCb, SecondLifeTime, OwnCert) of
 	true ->
 	    SuggestedSessionId;
 	false ->
@@ -93,19 +94,20 @@ valid_session(#session{time_stamp = TimeStamp}, LifeTime) ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-select_session({HostIP, Port, SslOpts}, Cache, CacheCb) ->    
+select_session({HostIP, Port, SslOpts}, Cache, CacheCb, OwnCert) ->
     Sessions = CacheCb:select_session(Cache, {HostIP, Port}),
-    select_session(Sessions, SslOpts).
+    select_session(Sessions, SslOpts, OwnCert).
 
-select_session([], _) ->
+select_session([], _, _) ->
     no_session;
 
 select_session(Sessions, #ssl_options{ciphers = Ciphers,
-				      reuse_sessions = ReuseSession}) ->
+				      reuse_sessions = ReuseSession}, OwnCert) ->
     IsResumable = 
  	fun(Session) -> 
  		ReuseSession andalso (Session#session.is_resumable) andalso  
  		    lists:member(Session#session.cipher_suite, Ciphers)
+		    andalso (OwnCert == Session#session.own_certificate)
  	end,
     case [Id || [Id, Session] <- Sessions, IsResumable(Session)] of
  	[] ->
@@ -140,14 +142,16 @@ new_id(Port, Tries, Cache, CacheCb) ->
     end.
 
 is_resumable(SuggestedSessionId, Port, ReuseEnabled, ReuseFun, Cache, 
-	     CacheCb, SecondLifeTime) ->
+	     CacheCb, SecondLifeTime, OwnCert) ->
     case CacheCb:lookup(Cache, {Port, SuggestedSessionId}) of
 	#session{cipher_suite = CipherSuite,
+		 own_certificate = SessionOwnCert,
 		 compression_method = Compression,
 		 is_resumable = Is_resumable,
 		 peer_certificate = PeerCert} = Session ->
 	    ReuseEnabled 
 		andalso Is_resumable  
+		andalso (OwnCert == SessionOwnCert)
 		andalso valid_session(Session, SecondLifeTime) 
 		andalso ReuseFun(SuggestedSessionId, PeerCert, 
 				 Compression, CipherSuite);
diff --git a/lib/ssl/src/ssl_ssl3.erl b/lib/ssl/src/ssl_ssl3.erl
index 1add203fb0..f2926b2d2f 100644
--- a/lib/ssl/src/ssl_ssl3.erl
+++ b/lib/ssl/src/ssl_ssl3.erl
@@ -25,7 +25,6 @@
 -module(ssl_ssl3).
 
 -include("ssl_cipher.hrl").
--include("ssl_debug.hrl").
 -include("ssl_internal.hrl").
 -include("ssl_record.hrl"). 			% MD5 and SHA
 
@@ -41,9 +40,6 @@
 -spec master_secret(binary(), binary(), binary()) -> binary().
 
 master_secret(PremasterSecret, ClientRandom, ServerRandom) ->
-    ?DBG_HEX(PremasterSecret),
-    ?DBG_HEX(ClientRandom),
-    ?DBG_HEX(ServerRandom),
     %%  draft-ietf-tls-ssl-version3-00 - 6.2.2 
     %% key_block =
     %%   MD5(master_secret + SHA(`A' + master_secret +
@@ -55,9 +51,8 @@ master_secret(PremasterSecret, ClientRandom, ServerRandom) ->
     %%   MD5(master_secret + SHA(`CCC' + master_secret +
     %%                           ServerHello.random +
     %%                           ClientHello.random)) + [...];
-    B = generate_keyblock(PremasterSecret, ClientRandom, ServerRandom, 48),
-    ?DBG_HEX(B),
-    B.
+    Block = generate_keyblock(PremasterSecret, ClientRandom, ServerRandom, 48),
+    Block.
 
 -spec finished(client | server, binary(), {binary(), binary()}) -> binary().
 
@@ -79,10 +74,9 @@ finished(Role, MasterSecret, {MD5Hash, SHAHash}) ->
     SHA = handshake_hash(?SHA, MasterSecret, Sender, SHAHash),
     <<MD5/binary, SHA/binary>>.
 
--spec certificate_verify(key_algo(), binary(), {binary(), binary()}) -> binary().
+-spec certificate_verify(OID::tuple(), binary(), {binary(), binary()}) -> binary().
 
-certificate_verify(Algorithm, MasterSecret, {MD5Hash, SHAHash}) 
-  when Algorithm == rsa; Algorithm == dhe_rsa ->
+certificate_verify(?'rsaEncryption', MasterSecret, {MD5Hash, SHAHash}) ->
      %% md5_hash
      %%           MD5(master_secret + pad_2 +
      %%               MD5(handshake_messages + master_secret + pad_1));
@@ -94,7 +88,7 @@ certificate_verify(Algorithm, MasterSecret, {MD5Hash, SHAHash})
     SHA = handshake_hash(?SHA, MasterSecret, undefined, SHAHash),
     <<MD5/binary, SHA/binary>>;
 
-certificate_verify(dhe_dss, MasterSecret, {_, SHAHash}) ->
+certificate_verify(?'id-dsa', MasterSecret, {_, SHAHash}) ->
      %% sha_hash
      %%           SHA(master_secret + pad_2 +
      %%               SHA(handshake_messages + master_secret + pad_1));
@@ -108,17 +102,9 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, Length, Fragment) ->
     %%      hash(MAC_write_secret + pad_1 + seq_num +
     %%           SSLCompressed.type + SSLCompressed.length +
     %%           SSLCompressed.fragment));
-    case Method of
-        ?NULL -> ok;
-        _ ->
-	    ?DBG_HEX(Mac_write_secret),
-	    ?DBG_HEX(hash(Method, Fragment)),
-            ok
-    end,
     Mac = mac_hash(Method, Mac_write_secret, 
 		   [<<?UINT64(Seq_num), ?BYTE(Type), 
 		     ?UINT16(Length)>>, Fragment]),
-    ?DBG_HEX(Mac),
     Mac.
 
 -spec setup_keys(binary(), binary(), binary(),  
@@ -140,12 +126,6 @@ setup_keys(MasterSecret, ServerRandom, ClientRandom, HS, KML, _EKML, IVS) ->
     <<ClientWriteMacSecret:HS/binary, ServerWriteMacSecret:HS/binary,
      ClientWriteKey:KML/binary, ServerWriteKey:KML/binary,
      ClientIV:IVS/binary, ServerIV:IVS/binary>> = KeyBlock,
-    ?DBG_HEX(ClientWriteMacSecret),
-    ?DBG_HEX(ServerWriteMacSecret),
-    ?DBG_HEX(ClientWriteKey),
-    ?DBG_HEX(ServerWriteKey),
-    ?DBG_HEX(ClientIV),
-    ?DBG_HEX(ServerIV),
     {ClientWriteMacSecret, ServerWriteMacSecret, ClientWriteKey,
      ServerWriteKey, ClientIV, ServerIV}.
 
diff --git a/lib/ssl/src/ssl_tls1.erl b/lib/ssl/src/ssl_tls1.erl
index d1bc0730ba..5f9850c386 100644
--- a/lib/ssl/src/ssl_tls1.erl
+++ b/lib/ssl/src/ssl_tls1.erl
@@ -27,7 +27,6 @@
 -include("ssl_cipher.hrl").
 -include("ssl_internal.hrl").
 -include("ssl_record.hrl"). 			
--include("ssl_debug.hrl").
 
 -export([master_secret/3, finished/3, certificate_verify/2, mac_hash/7, 
 	 setup_keys/6, suites/0]).
@@ -60,15 +59,14 @@ finished(Role, MasterSecret, {MD5Hash, SHAHash}) ->
     SHA = hash_final(?SHA, SHAHash),
     prf(MasterSecret, finished_label(Role), [MD5, SHA], 12).
 
--spec certificate_verify(key_algo(), {binary(), binary()}) -> binary().
+-spec certificate_verify(OID::tuple(), {binary(), binary()}) -> binary().
 
-certificate_verify(Algorithm, {MD5Hash, SHAHash}) when Algorithm == rsa;
-						       Algorithm == dhe_rsa ->
+certificate_verify(?'rsaEncryption', {MD5Hash, SHAHash}) ->
     MD5 = hash_final(?MD5, MD5Hash),
     SHA = hash_final(?SHA, SHAHash),
     <<MD5/binary, SHA/binary>>;
 
-certificate_verify(dhe_dss, {_, SHAHash}) ->
+certificate_verify(?'id-dsa', {_, SHAHash}) ->
     hash_final(?SHA, SHAHash).
 
 -spec setup_keys(binary(), binary(), binary(), integer(), 
@@ -130,18 +128,10 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor},
     %% HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
     %%              TLSCompressed.version + TLSCompressed.length +
     %%              TLSCompressed.fragment));
-    case Method of
-        ?NULL -> ok;
-        _ ->
-	    ?DBG_HEX(Mac_write_secret),
-	    ?DBG_HEX(hash(Method, Fragment)),
-            ok
-    end,
     Mac = hmac_hash(Method, Mac_write_secret, 
 		    [<<?UINT64(Seq_num), ?BYTE(Type), 
 		      ?BYTE(Major), ?BYTE(Minor), ?UINT16(Length)>>, 
 		     Fragment]),
-    ?DBG_HEX(Mac),
     Mac.
 
 -spec suites() -> [cipher_suite()].