7 files changed, 190 insertions, 35 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index f078b87bce..e8cfbbe2e3 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -115,7 +115,7 @@ send_handshake_flight(#state{socket = Socket,
     {Encoded, ConnectionStates} =
 	encode_handshake_flight(lists:reverse(Flight), Version, 1400, Epoch, ConnectionStates0),
     send(Transport, Socket, Encoded),
-    start_flight(State0#state{connection_states = ConnectionStates});
+    {State0#state{connection_states = ConnectionStates}, []};
 
 send_handshake_flight(#state{socket = Socket,
 			     transport_cb = Transport,
@@ -129,7 +129,7 @@ send_handshake_flight(#state{socket = Socket,
     {EncChangeCipher, ConnectionStates} = encode_change_cipher(ChangeCipher, Version, Epoch, ConnectionStates1),
 
     send(Transport, Socket, [HsBefore, EncChangeCipher]),
-    start_flight(State0#state{connection_states = ConnectionStates});
+    {State0#state{connection_states = ConnectionStates}, []};
 
 send_handshake_flight(#state{socket = Socket,
 			     transport_cb = Transport,
@@ -145,7 +145,7 @@ send_handshake_flight(#state{socket = Socket,
     {HsAfter, ConnectionStates} =
 	encode_handshake_flight(lists:reverse(Flight1), Version, 1400, Epoch, ConnectionStates2),
     send(Transport, Socket, [HsBefore, EncChangeCipher, HsAfter]),
-    start_flight(State0#state{connection_states = ConnectionStates});
+    {State0#state{connection_states = ConnectionStates}, []};
 
 send_handshake_flight(#state{socket = Socket,
 			     transport_cb = Transport,
@@ -159,7 +159,7 @@ send_handshake_flight(#state{socket = Socket,
     {HsAfter, ConnectionStates} =
 	encode_handshake_flight(lists:reverse(Flight1), Version, 1400, Epoch, ConnectionStates1),
     send(Transport, Socket, [EncChangeCipher, HsAfter]),
-    start_flight(State0#state{connection_states = ConnectionStates}).
+    {State0#state{connection_states = ConnectionStates}, []}.
 
 queue_change_cipher(ChangeCipher, #state{flight_buffer = Flight,
 					 connection_states = ConnectionStates0} = State) -> 
@@ -235,12 +235,14 @@ init([Role, Host, Port, Socket, Options,  User, CbInfo]) ->
     end.
 
 callback_mode() ->
-    state_functions.
+    [state_functions, state_enter].
 
 %%--------------------------------------------------------------------
 %% State functions 
 %%--------------------------------------------------------------------
 
+init(enter, _, State) ->
+    {keep_state, State};     
 init({call, From}, {start, Timeout}, 
      #state{host = Host, port = Port, role = client,
 	    ssl_options = SslOpts,
@@ -282,6 +284,8 @@ init({call, _} = Type, Event, #state{role = server} = State) ->
 init(Type, Event, State) ->
     ssl_connection:init(Type, Event, State, ?MODULE).
  
+error(enter, _, State) ->
+    {keep_state, State};     
 error({call, From}, {start, _Timeout}, {Error, State}) ->
     {stop_and_reply, normal, {reply, From, {error, Error}}, State};
 error({call, From}, Msg, State) ->
@@ -295,6 +299,11 @@ error(_, _, _) ->
 	    #state{}) ->
 		   gen_statem:state_function_result().
 %%--------------------------------------------------------------------
+hello(enter, _, #state{role = server} = State) ->
+    {keep_state, State};     
+hello(enter, _, #state{role = client} = State0) ->
+    {State, Actions} = handle_flight_timer(State0),
+    {keep_state, State, Actions}; 
 hello(internal, #client_hello{cookie = <<>>,
 			      client_version = Version} = Hello, #state{role = server,
 									transport_cb = Transport,
@@ -302,7 +311,13 @@ hello(internal, #client_hello{cookie = <<>>,
                                                                         protocol_specific = #{current_cookie_secret := Secret}} = State0) ->
     {ok, {IP, Port}} = dtls_socket:peername(Transport, Socket),
     Cookie = dtls_handshake:cookie(Secret, IP, Port, Hello),
-    VerifyRequest = dtls_handshake:hello_verify_request(Cookie, Version),
+    %% FROM RFC 6347 regarding HelloVerifyRequest message:
+    %% The server_version field has the same syntax as in TLS.  However, in
+    %% order to avoid the requirement to do version negotiation in the
+    %% initial handshake, DTLS 1.2 server implementations SHOULD use DTLS
+    %% version 1.0 regardless of the version of TLS that is expected to be
+    %% negotiated.
+    VerifyRequest = dtls_handshake:hello_verify_request(Cookie, ?HELLO_VERIFY_REQUEST_VERSION),
     State1 = prepare_flight(State0#state{negotiated_version = Version}),
     {State2, Actions} = send_handshake(VerifyRequest, State1),
     {Record, State} = next_record(State2),
@@ -374,6 +389,9 @@ hello(state_timeout, Event, State) ->
 hello(Type, Event, State) ->
     ssl_connection:hello(Type, Event, State, ?MODULE).
 
+abbreviated(enter, _, State0) ->
+    {State, Actions} = handle_flight_timer(State0),
+    {keep_state, State, Actions}; 
 abbreviated(info, Event, State) ->
     handle_info(Event, abbreviated, State);
 abbreviated(internal = Type, 
@@ -391,6 +409,9 @@ abbreviated(state_timeout, Event, State) ->
 abbreviated(Type, Event, State) ->
     ssl_connection:abbreviated(Type, Event, State, ?MODULE).
 
+certify(enter, _, State0) ->
+    {State, Actions} = handle_flight_timer(State0),
+    {keep_state, State, Actions}; 
 certify(info, Event, State) ->
     handle_info(Event, certify, State);
 certify(internal = Type, #server_hello_done{} = Event, State) ->
@@ -400,6 +421,9 @@ certify(state_timeout, Event, State) ->
 certify(Type, Event, State) ->
     ssl_connection:certify(Type, Event, State, ?MODULE).
 
+cipher(enter, _, State0) ->
+    {State, Actions} = handle_flight_timer(State0),
+    {keep_state, State, Actions}; 
 cipher(info, Event, State) ->
     handle_info(Event, cipher, State);
 cipher(internal = Type, #change_cipher_spec{type = <<1>>} = Event,  
@@ -417,6 +441,8 @@ cipher(state_timeout, Event, State) ->
 cipher(Type, Event, State) ->
      ssl_connection:cipher(Type, Event, State, ?MODULE).
 
+connection(enter, _, State) ->
+    {keep_state, State};     
 connection(info, Event, State) ->
     handle_info(Event, connection, State);
 connection(internal, #hello_request{}, #state{host = Host, port = Port,
@@ -449,6 +475,9 @@ connection(internal, #client_hello{}, #state{role = server, allow_renegotiate =
 connection(Type, Event, State) ->
      ssl_connection:connection(Type, Event, State, ?MODULE).
 
+%%TODO does this make sense for DTLS ?
+downgrade(enter, _, State) ->
+    {keep_state, State};
 downgrade(Type, Event, State) ->
      ssl_connection:downgrade(Type, Event, State, ?MODULE).
 
@@ -695,7 +724,7 @@ next_record(#state{unprocessed_handshake_events = N} = State) when N > 0 ->
 next_record(#state{protocol_buffers =
 		       #protocol_buffers{dtls_cipher_texts = [#ssl_tls{epoch = Epoch} = CT | Rest]}
 		   = Buffers,
-		   connection_states = ConnectionStates} = State) ->
+		   connection_states = #{current_read := #{epoch := Epoch}} = ConnectionStates} = State) ->
     CurrentRead = dtls_record:get_connection_state_by_epoch(Epoch, ConnectionStates, read),
     case dtls_record:replay_detect(CT, CurrentRead) of
         false ->
@@ -706,6 +735,23 @@ next_record(#state{protocol_buffers =
                                         Buffers#protocol_buffers{dtls_cipher_texts = Rest},
                                     connection_states = ConnectionStates})
     end;
+next_record(#state{protocol_buffers =
+		       #protocol_buffers{dtls_cipher_texts = [#ssl_tls{epoch = Epoch} | Rest]}
+		   = Buffers,
+		   connection_states = #{current_read := #{epoch := CurrentEpoch}} = ConnectionStates} = State) 
+  when Epoch > CurrentEpoch ->
+    %% TODO Buffer later Epoch message, drop it for now
+    next_record(State#state{protocol_buffers =
+                                Buffers#protocol_buffers{dtls_cipher_texts = Rest},
+                            connection_states = ConnectionStates});
+next_record(#state{protocol_buffers =
+		       #protocol_buffers{dtls_cipher_texts = [ _ | Rest]}
+		   = Buffers,
+		   connection_states = ConnectionStates} = State) ->
+    %% Drop old epoch message
+    next_record(State#state{protocol_buffers =
+                                Buffers#protocol_buffers{dtls_cipher_texts = Rest},
+                            connection_states = ConnectionStates});
 next_record(#state{role = server,
 		   socket = {Listener, {Client, _}},
 		   transport_cb = gen_udp} = State) -> 
@@ -750,31 +796,62 @@ next_event(connection = StateName, no_record,
 	{#ssl_tls{epoch = Epoch,
 		  type = ?HANDSHAKE,
 		  version = _Version}, State1} = _Record when Epoch == CurrentEpoch-1 ->
-	    {State, MoreActions} = send_handshake_flight(State1, Epoch),
-	    {next_state, StateName, State, Actions ++ MoreActions};
+	    {State2, MoreActions} = send_handshake_flight(State1, CurrentEpoch),
+            {NextRecord, State} = next_record(State2),
+            next_event(StateName, NextRecord, State, Actions ++ MoreActions);
+        %% From FLIGHT perspective CHANGE_CIPHER_SPEC is treated as a handshake
+        {#ssl_tls{epoch = Epoch,
+		  type = ?CHANGE_CIPHER_SPEC,
+		  version = _Version}, State1} = _Record when Epoch == CurrentEpoch-1 ->
+	    {State2, MoreActions} = send_handshake_flight(State1, CurrentEpoch),
+	    {NextRecord, State} = next_record(State2),
+            next_event(StateName, NextRecord, State, Actions ++ MoreActions);
 	{#ssl_tls{epoch = _Epoch,
-		  version = _Version}, State} ->
+		  version = _Version}, State1} ->
 	    %% TODO maybe buffer later epoch
-	    {next_state, StateName, State, Actions};
+            {Record, State} = next_record(State1),
+            next_event(StateName, Record, State, Actions); 
 	{#alert{} = Alert, State} ->
 	    {next_state, StateName, State, [{next_event, internal, Alert} | Actions]}
     end;
+next_event(connection = StateName, Record,
+	   #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) ->
+    case Record of
+	#ssl_tls{epoch = CurrentEpoch} ->
+	    {next_state, StateName, State0, [{next_event, internal, {protocol_record, Record}} | Actions]};
+	#ssl_tls{epoch = Epoch,
+                 type = ?HANDSHAKE,
+                 version = _Version} when Epoch == CurrentEpoch-1 ->
+	    {State1, MoreActions} = send_handshake_flight(State0, CurrentEpoch),
+            {NextRecord, State} = next_record(State1),
+            next_event(StateName, NextRecord, State, Actions ++ MoreActions);
+        %% From FLIGHT perspective CHANGE_CIPHER_SPEC is treated as a handshake
+        #ssl_tls{epoch = Epoch,
+                 type = ?CHANGE_CIPHER_SPEC,
+                 version = _Version} when Epoch == CurrentEpoch-1 ->
+	    {State1, MoreActions} = send_handshake_flight(State0, CurrentEpoch),
+            {NextRecord, State} = next_record(State1),
+            next_event(StateName, NextRecord, State, Actions ++ MoreActions); 
+        _ -> 
+            next_event(StateName, no_record, State0, Actions) 
+    end;
 next_event(StateName, Record, 
-	   #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State, Actions) ->
+	   #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) ->
     case Record of
 	no_record ->
-	    {next_state, StateName, State, Actions};
+	    {next_state, StateName, State0, Actions};
 	#ssl_tls{epoch = CurrentEpoch,
 		  version = Version} = Record ->
 	    {next_state, StateName, 
-	     dtls_version(StateName, Version, State), 
+	     dtls_version(StateName, Version, State0), 
 	     [{next_event, internal, {protocol_record, Record}} | Actions]};
 	#ssl_tls{epoch = _Epoch,
 		 version = _Version} = _Record ->
 	    %% TODO maybe buffer later epoch
-	    {next_state, StateName, State, Actions};
+            {Record, State} = next_record(State0),
+            next_event(StateName, Record, State, Actions); 
 	#alert{} = Alert ->
-	    {next_state, StateName, State, [{next_event, internal, Alert} | Actions]}
+	    {next_state, StateName, State0, [{next_event, internal, Alert} | Actions]}
     end.
 
 decode_cipher_text(#state{protocol_buffers = #protocol_buffers{dtls_cipher_texts = [ CT | Rest]} = Buffers,
@@ -814,13 +891,13 @@ next_flight(Flight) ->
 	    change_cipher_spec => undefined,
 	    handshakes_after_change_cipher_spec => []}.
 	
-start_flight(#state{transport_cb = gen_udp,
-		    flight_state = {retransmit, Timeout}} = State) ->
+handle_flight_timer(#state{transport_cb = gen_udp,
+                          flight_state = {retransmit, Timeout}} = State) ->
     start_retransmision_timer(Timeout, State);
-start_flight(#state{transport_cb = gen_udp,
+handle_flight_timer(#state{transport_cb = gen_udp,
 		    flight_state = connection} = State) ->
     {State, []};
-start_flight(State) ->
+handle_flight_timer(State) ->
     %% No retransmision needed i.e DTLS over SCTP
     {State#state{flight_state = reliable}, []}.
 
diff --git a/lib/ssl/src/dtls_handshake.hrl b/lib/ssl/src/dtls_handshake.hrl
index 0a980c5f31..50e92027d2 100644
--- a/lib/ssl/src/dtls_handshake.hrl
+++ b/lib/ssl/src/dtls_handshake.hrl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2013-2016. All Rights Reserved.
+%% Copyright Ericsson AB 2013-2017. All Rights Reserved.
 %%
 %% Licensed under the Apache License, Version 2.0 (the "License");
 %% you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 -include("ssl_handshake.hrl"). %% Common TLS and DTLS records and Constantes
 
 -define(HELLO_VERIFY_REQUEST, 3).
+-define(HELLO_VERIFY_REQUEST_VERSION, {254, 255}).
 
 -record(client_hello, {
 	  client_version,
diff --git a/lib/ssl/src/dtls_socket.erl b/lib/ssl/src/dtls_socket.erl
index 2a746d97f0..fbbd479428 100644
--- a/lib/ssl/src/dtls_socket.erl
+++ b/lib/ssl/src/dtls_socket.erl
@@ -79,30 +79,31 @@ socket(Pid, Transport, Socket, ConnectionCb) ->
     #sslsocket{pid = Pid, 
 	       %% "The name "fd" is keept for backwards compatibility
 	       fd = {Transport, Socket, ConnectionCb}}.
-%% Vad göra med emulerade
-setopts(gen_udp, #sslsocket{pid = {Socket, _}}, Options) ->
-    {SockOpts, _} = tls_socket:split_options(Options),
-    inet:setopts(Socket, SockOpts);
-setopts(_, #sslsocket{pid = {ListenSocket, #config{transport_info = {Transport,_,_,_}}}}, Options) ->
-    {SockOpts, _} = tls_socket:split_options(Options),
-    Transport:setopts(ListenSocket, SockOpts);
+setopts(_, #sslsocket{pid = {udp, #config{udp_handler = {ListenPid, _}}}}, Options) ->
+    SplitOpts = tls_socket:split_options(Options),
+    dtls_udp_listener:set_sock_opts(ListenPid, SplitOpts);
 %%% Following clauses will not be called for emulated options, they are  handled in the connection process
 setopts(gen_udp, Socket, Options) ->
     inet:setopts(Socket, Options);
 setopts(Transport, Socket, Options) ->
     Transport:setopts(Socket, Options).
 
+getopts(_, #sslsocket{pid = {udp, #config{udp_handler = {ListenPid, _}}}}, Options) ->
+    SplitOpts = tls_socket:split_options(Options),
+    dtls_udp_listener:get_sock_opts(ListenPid, SplitOpts);
 getopts(gen_udp,  #sslsocket{pid = {Socket, #config{emulated = EmOpts}}}, Options) ->
     {SockOptNames, EmulatedOptNames} = tls_socket:split_options(Options),
     EmulatedOpts = get_emulated_opts(EmOpts, EmulatedOptNames),
     SocketOpts = tls_socket:get_socket_opts(Socket, SockOptNames, inet),
     {ok, EmulatedOpts ++ SocketOpts}; 
-getopts(Transport,  #sslsocket{pid = {ListenSocket, #config{emulated = EmOpts}}}, Options) ->
+getopts(_Transport,  #sslsocket{pid = {Socket, #config{emulated = EmOpts}}}, Options) ->
     {SockOptNames, EmulatedOptNames} = tls_socket:split_options(Options),
     EmulatedOpts = get_emulated_opts(EmOpts, EmulatedOptNames),
-    SocketOpts = tls_socket:get_socket_opts(ListenSocket, SockOptNames, Transport),
+    SocketOpts = tls_socket:get_socket_opts(Socket, SockOptNames, inet),
     {ok, EmulatedOpts ++ SocketOpts}; 
 %%% Following clauses will not be called for emulated options, they are  handled in the connection process
+getopts(gen_udp, {_,{{_, _},Socket}}, Options) ->
+    inet:getopts(Socket, Options);
 getopts(gen_udp, {_,Socket}, Options) ->
     inet:getopts(Socket, Options);
 getopts(Transport, Socket, Options) ->
diff --git a/lib/ssl/src/dtls_udp_listener.erl b/lib/ssl/src/dtls_udp_listener.erl
index f0ace2d887..c789a32087 100644
--- a/lib/ssl/src/dtls_udp_listener.erl
+++ b/lib/ssl/src/dtls_udp_listener.erl
@@ -23,9 +23,11 @@
 
 -behaviour(gen_server).
 
+-include("ssl_internal.hrl").
+
 %% API
 -export([start_link/4, active_once/3, accept/2, sockname/1, close/1,
-        get_all_opts/1]).
+        get_all_opts/1, get_sock_opts/2, set_sock_opts/2]).
 
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
@@ -61,8 +63,12 @@ sockname(UDPConnection) ->
     call(UDPConnection, sockname).
 close(UDPConnection) ->
     call(UDPConnection, close).
+get_sock_opts(UDPConnection, SplitSockOpts) ->
+    call(UDPConnection,  {get_sock_opts, SplitSockOpts}).
 get_all_opts(UDPConnection) ->
     call(UDPConnection, get_all_opts).
+set_sock_opts(UDPConnection, Opts) ->
+     call(UDPConnection, {set_sock_opts, Opts}).
 
 %%%===================================================================
 %%% gen_server callbacks
@@ -108,9 +114,21 @@ handle_call(close, _, #state{dtls_processes = Processes,
                           end, queue:to_list(Accepters)),
             {reply, ok,  State#state{close = true, accepters = queue:new()}}
     end;
+handle_call({get_sock_opts, {SocketOptNames, EmOptNames}}, _, #state{listner = Socket,
+                                                               emulated_options = EmOpts} = State) ->
+    case get_socket_opts(Socket, SocketOptNames) of
+        {ok, Opts} ->
+            {reply, {ok, emulated_opts_list(EmOpts, EmOptNames, []) ++ Opts}, State};
+        {error, Reason} ->
+            {reply,  {error, Reason}, State}
+    end;
 handle_call(get_all_opts, _, #state{dtls_options = DTLSOptions,
                                     emulated_options = EmOpts} = State) ->
-    {reply, {ok, EmOpts, DTLSOptions}, State}.
+    {reply, {ok, EmOpts, DTLSOptions}, State};
+handle_call({set_sock_opts, {SocketOpts, NewEmOpts}}, _, #state{listner = Socket, emulated_options = EmOpts0} = State) ->
+    set_socket_opts(Socket, SocketOpts),
+    EmOpts = do_set_emulated_opts(NewEmOpts, EmOpts0),
+    {reply, ok, State#state{emulated_options = EmOpts}}.
 
 handle_cast({active_once, Client, Pid}, State0) ->
     State = handle_active_once(Client, Pid, State0),
@@ -121,6 +139,18 @@ handle_info({udp, Socket, IP, InPortNo, _} = Msg, #state{listner = Socket} = Sta
     next_datagram(Socket),
     {noreply, State};
 
+%% UDP socket does not have a connection and should not receive an econnreset
+%% This does however happens on on some windows versions. Just ignoring it
+%% appears to make things work as expected! 
+handle_info({udp_error, Socket, econnreset = Error}, #state{listner = Socket} = State) ->
+    Report = io_lib:format("Ignore SSL UDP Listener: Socket error: ~p ~n", [Error]),
+    error_logger:info_report(Report),
+    {noreply, State};
+handle_info({udp_error, Socket, Error}, #state{listner = Socket} = State) ->
+    Report = io_lib:format("SSL UDP Listener shutdown: Socket error: ~p ~n", [Error]),
+    error_logger:info_report(Report),
+    {noreply, State#state{close=true}};
+
 handle_info({'DOWN', _, process, Pid, _}, #state{clients = Clients,
 						 dtls_processes = Processes0,
                                                  close = ListenClosed} = State) ->
@@ -247,3 +277,28 @@ call(Server, Msg) ->
         exit:{{shutdown, _},_} ->
             {error, closed}
     end.
+
+set_socket_opts(_, []) ->
+    ok;
+set_socket_opts(Socket, SocketOpts) ->
+    inet:setopts(Socket, SocketOpts).
+
+get_socket_opts(_, []) ->
+     {ok, []};
+get_socket_opts(Socket, SocketOpts) ->
+    inet:getopts(Socket, SocketOpts).
+
+do_set_emulated_opts([], Opts) ->
+    Opts;
+do_set_emulated_opts([{mode, Value} | Rest], Opts) ->
+    do_set_emulated_opts(Rest,  Opts#socket_options{mode = Value}); 
+do_set_emulated_opts([{active, Value} | Rest], Opts) ->
+    do_set_emulated_opts(Rest,  Opts#socket_options{active = Value}).
+
+emulated_opts_list(_,[], Acc) ->
+    Acc;
+emulated_opts_list( Opts, [mode | Rest], Acc) ->
+    emulated_opts_list(Opts, Rest, [{mode, Opts#socket_options.mode} | Acc]); 
+emulated_opts_list(Opts, [active | Rest], Acc) ->
+    emulated_opts_list(Opts, Rest, [{active, Opts#socket_options.active} | Acc]).
+
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 5421bdef99..75eb308ba5 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -427,6 +427,16 @@ eccs_filter_supported(Curves) ->
 %%--------------------------------------------------------------------
 getopts(#sslsocket{pid = Pid}, OptionTags) when is_pid(Pid), is_list(OptionTags) ->
     ssl_connection:get_opts(Pid, OptionTags);
+getopts(#sslsocket{pid = {udp, #config{transport_info = {Transport,_,_,_}}}} = ListenSocket, OptionTags) when is_list(OptionTags) ->
+    try dtls_socket:getopts(Transport, ListenSocket, OptionTags) of
+        {ok, _} = Result ->
+            Result;
+	{error, InetError} ->
+	    {error, {options, {socket_options, OptionTags, InetError}}}
+    catch
+	_:Error ->
+	    {error, {options, {socket_options, OptionTags, Error}}}
+    end;
 getopts(#sslsocket{pid = {_,  #config{transport_info = {Transport,_,_,_}}}} = ListenSocket,
 	OptionTags) when is_list(OptionTags) ->
     try tls_socket:getopts(Transport, ListenSocket, OptionTags) of
@@ -455,7 +465,7 @@ setopts(#sslsocket{pid = Pid}, Options0) when is_pid(Pid), is_list(Options0)  ->
 	_:_ ->
 	    {error, {options, {not_a_proplist, Options0}}}
     end;
-setopts(#sslsocket{pid = {{udp, _}, #config{transport_info = {Transport,_,_,_}}}} = ListenSocket, Options) when is_list(Options) ->
+setopts(#sslsocket{pid = {udp, #config{transport_info = {Transport,_,_,_}}}} = ListenSocket, Options) when is_list(Options) ->
     try dtls_socket:setopts(Transport, ListenSocket, Options) of
 	ok ->
 	    ok;
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 58db8449d6..3cf466e78f 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -2295,6 +2295,8 @@ is_acceptable_hash_sign({_, dsa} = Algos, dsa, _, srp_dss, SupportedHashSigns) -
     is_acceptable_hash_sign(Algos, SupportedHashSigns); 
 is_acceptable_hash_sign({_, ecdsa} = Algos, ecdsa, _, dhe_ecdsa, SupportedHashSigns) ->
     is_acceptable_hash_sign(Algos, SupportedHashSigns); 
+is_acceptable_hash_sign({_, ecdsa} = Algos, ecdsa, ecdsa, ecdh_ecdsa, SupportedHashSigns) ->
+    is_acceptable_hash_sign(Algos, SupportedHashSigns); 
 is_acceptable_hash_sign({_, ecdsa} = Algos, ecdsa, ecdsa, ecdhe_ecdsa, SupportedHashSigns) ->
     is_acceptable_hash_sign(Algos, SupportedHashSigns); 
 is_acceptable_hash_sign(_, _, _, KeyExAlgo, _) when 
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 96c3ab86e9..352874c77d 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -600,8 +600,12 @@ next_record(#state{protocol_buffers =
 next_record(#state{protocol_buffers = #protocol_buffers{tls_packets = [], tls_cipher_texts = []},
 		   socket = Socket,
 		   transport_cb = Transport} = State) ->
-    tls_socket:setopts(Transport, Socket, [{active,once}]),
-    {no_record, State};
+    case tls_socket:setopts(Transport, Socket, [{active,once}]) of
+	ok ->
+	    {no_record, State};
+	_ ->
+	    {socket_closed, State}
+    end;
 next_record(State) ->
     {no_record, State}.
 
@@ -626,10 +630,15 @@ passive_receive(State0 = #state{user_data_buffer = Buffer}, StateName) ->
 next_event(StateName, Record, State) ->
     next_event(StateName, Record, State, []).
 
+next_event(StateName, socket_closed, State, _) ->
+    ssl_connection:handle_normal_shutdown(?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), StateName, State),
+    {stop, {shutdown, transport_closed}, State};
 next_event(connection = StateName, no_record, State0, Actions) ->
     case next_record_if_active(State0) of
 	{no_record, State} ->
 	    ssl_connection:hibernate_after(StateName, State, Actions);
+	{socket_closed, State} ->
+	    next_event(StateName, socket_closed, State, Actions);
 	{#ssl_tls{} = Record, State} ->
 	    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};
 	{#alert{} = Alert, State} ->