11 files changed, 282 insertions, 141 deletions

diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 070a90d481..f607c86ae3 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -39,7 +39,7 @@
 -export([start_fsm/8, start_link/7, init/1]).
 
 %% State transition handling	 
--export([next_record/1, next_event/3]).
+-export([next_record/1, next_event/3, next_event/4]).
 
 %% Handshake handling
 -export([renegotiate/2, 
@@ -53,7 +53,7 @@
 %% Data handling
 
 -export([encode_data/3, passive_receive/2,  next_record_if_active/1, handle_common_event/4,
-	 send/3]).
+	 send/3, socket/5]).
 
 %% gen_statem state functions
 -export([init/3, error/3, downgrade/3, %% Initiation and take down states
@@ -77,20 +77,6 @@ start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = false},_, Tracker}
     catch
 	error:{badmatch, {error, _} = Error} ->
 	    Error
-    end;
-
-start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = true},_, Tracker} = Opts,
-	  User, {CbModule, _,_, _} = CbInfo, 
-	  Timeout) -> 
-    try 
-	{ok, Pid} = dtls_connection_sup:start_child_dist([Role, Host, Port, Socket, 
-							  Opts, User, CbInfo]), 
-	{ok, SslSocket} = ssl_connection:socket_control(?MODULE, Socket, Pid, CbModule, Tracker),
-	ok = ssl_connection:handshake(SslSocket, Timeout),
-	{ok, SslSocket} 
-    catch
-	error:{badmatch, {error, _} = Error} ->
-	    Error
     end.
 
 send_handshake(Handshake, #state{connection_states = ConnectionStates} = States) ->
@@ -201,6 +187,7 @@ reinit_handshake_data(#state{protocol_buffers = Buffers} = State) ->
     State#state{premaster_secret = undefined,
 		public_key_info = undefined,
 		tls_handshake_history = ssl_handshake:init_handshake_history(),
+                flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT},
 		protocol_buffers =
 		    Buffers#protocol_buffers{
 		      dtls_handshake_next_seq = 0,
@@ -213,6 +200,9 @@ select_sni_extension(#client_hello{extensions = HelloExtensions}) ->
 select_sni_extension(_) ->
     undefined.
 
+socket(Pid,  Transport, Socket, Connection, _) ->
+    dtls_socket:socket(Pid, Transport, Socket, Connection).
+
 %%====================================================================
 %% tls_connection_sup API
 %%====================================================================
@@ -243,7 +233,7 @@ callback_mode() ->
     state_functions.
 
 %%--------------------------------------------------------------------
-%% State functionsconnection/2
+%% State functions 
 %%--------------------------------------------------------------------
 
 init({call, From}, {start, Timeout}, 
@@ -262,17 +252,19 @@ init({call, From}, {start, Timeout},
     Version = Hello#client_hello.client_version,
     HelloVersion = dtls_record:lowest_protocol_version(SslOpts#ssl_options.versions),
     State1 = prepare_flight(State0#state{negotiated_version = Version}),
-    State2 = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}),  
+    {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}),  
     State3 = State2#state{negotiated_version = Version, %% Requested version
 			  session =
 			      Session0#session{session_id = Hello#client_hello.session_id},
 			  start_or_recv_from = From,
-			  timer = Timer},
+			  timer = Timer,
+                          flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}
+                         },
     {Record, State} = next_record(State3),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 init({call, _} = Type, Event, #state{role = server, transport_cb = gen_udp} = State) ->
     ssl_connection:init(Type, Event, 
-			State#state{flight_state = {waiting, undefined, ?INITIAL_RETRANSMIT_TIMEOUT}},
+			State#state{flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}},
 			?MODULE);
 init({call, _} = Type, Event, #state{role = server} = State) ->
     %% I.E. DTLS over sctp
@@ -302,9 +294,9 @@ hello(internal, #client_hello{cookie = <<>>,
     Cookie = dtls_handshake:cookie(<<"secret">>, IP, Port, Hello),
     VerifyRequest = dtls_handshake:hello_verify_request(Cookie, Version),
     State1 = prepare_flight(State0#state{negotiated_version = Version}),
-    State2 = send_handshake(VerifyRequest, State1),
+    {State2, Actions} = send_handshake(VerifyRequest, State1),
     {Record, State} = next_record(State2),
-    next_event(hello, Record, State#state{tls_handshake_history = ssl_handshake:init_handshake_history()});
+    next_event(hello, Record, State#state{tls_handshake_history = ssl_handshake:init_handshake_history()}, Actions);
 hello(internal, #client_hello{cookie = Cookie} = Hello, #state{role = server,
 							       transport_cb = Transport,
 							       socket = Socket} = State0) ->
@@ -333,13 +325,13 @@ hello(internal, #hello_verify_request{cookie = Cookie}, #state{role = client,
 					Cache, CacheCb, Renegotiation, OwnCert),
     Version = Hello#client_hello.client_version,
     HelloVersion = dtls_record:lowest_protocol_version(SslOpts#ssl_options.versions),
-    State2 = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}), 
+    {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}), 
     State3 = State2#state{negotiated_version = Version, %% Requested version
 			  session =
 			      Session0#session{session_id = 
 						   Hello#client_hello.session_id}},
     {Record, State} = next_record(State3),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 hello(internal, #server_hello{} = Hello,
       #state{connection_states = ConnectionStates0,
 	     negotiated_version = ReqVersion,
@@ -356,13 +348,13 @@ hello(internal, #server_hello{} = Hello,
 hello(internal, {handshake, {#client_hello{cookie = <<>>} = Handshake, _}}, State) ->
     %% Initial hello should not be in handshake history
     {next_state, hello, State, [{next_event, internal, Handshake}]};
-
 hello(internal, {handshake, {#hello_verify_request{} = Handshake, _}}, State) ->
     %% hello_verify should not be in handshake history
     {next_state, hello, State, [{next_event, internal, Handshake}]};
-
 hello(info, Event, State) ->
     handle_info(Event, hello, State);
+hello(state_timeout, Event, State) ->
+    handle_state_timeout(Event, hello, State);
 hello(Type, Event, State) ->
     ssl_connection:hello(Type, Event, State, ?MODULE).
 
@@ -375,7 +367,11 @@ abbreviated(internal = Type,
     ConnectionStates = dtls_record:next_epoch(ConnectionStates1, read),
     ssl_connection:abbreviated(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE);
 abbreviated(internal = Type, #finished{} = Event, #state{connection_states = ConnectionStates} = State) ->
-    ssl_connection:cipher(Type, Event, prepare_flight(State#state{connection_states = ConnectionStates}), ?MODULE);
+    ssl_connection:abbreviated(Type, Event, 
+                               prepare_flight(State#state{connection_states = ConnectionStates,
+                                                          flight_state = connection}), ?MODULE);
+abbreviated(state_timeout, Event, State) ->
+    handle_state_timeout(Event, abbreviated, State);
 abbreviated(Type, Event, State) ->
     ssl_connection:abbreviated(Type, Event, State, ?MODULE).
 
@@ -383,6 +379,8 @@ certify(info, Event, State) ->
     handle_info(Event, certify, State);
 certify(internal = Type, #server_hello_done{} = Event, State) ->
     ssl_connection:certify(Type, Event, prepare_flight(State), ?MODULE);
+certify(state_timeout, Event, State) ->
+    handle_state_timeout(Event, certify, State);
 certify(Type, Event, State) ->
     ssl_connection:certify(Type, Event, State, ?MODULE).
 
@@ -395,7 +393,11 @@ cipher(internal = Type, #change_cipher_spec{type = <<1>>} = Event,
     ssl_connection:cipher(Type, Event, State#state{connection_states = ConnectionStates}, ?MODULE);
 cipher(internal = Type, #finished{} = Event, #state{connection_states = ConnectionStates} = State) ->
     ssl_connection:cipher(Type, Event, 
-			  prepare_flight(State#state{connection_states = ConnectionStates}), ?MODULE);
+			  prepare_flight(State#state{connection_states = ConnectionStates,
+                                                     flight_state = connection}), 
+                          ?MODULE);
+cipher(state_timeout, Event, State) ->
+    handle_state_timeout(Event, cipher, State);
 cipher(Type, Event, State) ->
      ssl_connection:cipher(Type, Event, State, ?MODULE).
 
@@ -409,12 +411,12 @@ connection(internal, #hello_request{}, #state{host = Host, port = Port,
 				    renegotiation = {Renegotiation, _}} = State0) ->
     Hello = dtls_handshake:client_hello(Host, Port, ConnectionStates0, SslOpts,
 					Cache, CacheCb, Renegotiation, Cert),
-    State1 = send_handshake(Hello, State0),
+    {State1, Actions} = send_handshake(Hello, State0),
     {Record, State} =
 	next_record(
 	  State1#state{session = Session0#session{session_id
 						  = Hello#client_hello.session_id}}),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 connection(internal, #client_hello{} = Hello, #state{role = server, allow_renegotiate = true} = State) ->
     %% Mitigate Computational DoS attack
     %% http://www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
@@ -434,7 +436,6 @@ connection(Type, Event, State) ->
 downgrade(Type, Event, State) ->
      ssl_connection:downgrade(Type, Event, State, ?MODULE).
 
-
 %%--------------------------------------------------------------------
 %% Description: This function is called by a gen_fsm when it receives any
 %% other message than a synchronous or asynchronous event
@@ -442,16 +443,6 @@ downgrade(Type, Event, State) ->
 %%--------------------------------------------------------------------
 
 %% raw data from socket, unpack records
-handle_info({_,flight_retransmission_timeout}, connection, _) ->
-    {next_state, keep_state_and_data};
-handle_info({Ref, flight_retransmission_timeout}, StateName, 
-	    #state{flight_state = {waiting, Ref, NextTimeout}} = State0) ->
-    State1 = send_handshake_flight(State0#state{flight_state = {retransmit_timer, NextTimeout}}, 
-				   retransmit_epoch(StateName, State0)),
-    {Record, State} = next_record(State1),
-    next_event(StateName, Record, State);
-handle_info({_, flight_retransmission_timeout}, _, _) ->
-    {next_state, keep_state_and_data};
 handle_info({Protocol, _, _, _, Data}, StateName,
             #state{data_tag = Protocol} = State0) ->
     case next_dtls_record(Data, State0) of
@@ -489,7 +480,6 @@ handle_call(Event, From, StateName, State) ->
 handle_common_event(internal, #alert{} = Alert, StateName, 
 		    #state{negotiated_version = Version} = State) ->
     ssl_connection:handle_own_alert(Alert, Version, StateName, State);
-
 %%% DTLS record protocol level handshake messages 
 handle_common_event(internal, #ssl_tls{type = ?HANDSHAKE,
 				       fragment = Data}, 
@@ -498,19 +488,14 @@ handle_common_event(internal, #ssl_tls{type = ?HANDSHAKE,
 			   negotiated_version = Version} = State0) ->
     try
 	case dtls_handshake:get_dtls_handshake(Version, Data, Buffers0) of
-	    {more_data, Buffers} ->
+	    {[], Buffers} ->
 		{Record, State} = next_record(State0#state{protocol_buffers = Buffers}),
 		next_event(StateName, Record, State);
 	    {Packets, Buffers} ->
 		State = State0#state{protocol_buffers = Buffers},
 		Events = dtls_handshake_events(Packets),
-		case StateName of
-		    connection ->
-			ssl_connection:hibernate_after(StateName, State, Events);
-		    _ ->
-			{next_state, StateName, 
-			 State#state{unprocessed_handshake_events = unprocessed_events(Events)}, Events}
-		end
+                {next_state, StateName, 
+                 State#state{unprocessed_handshake_events = unprocessed_events(Events)}, Events}
 	end
     catch throw:#alert{} = Alert ->
 	    ssl_connection:handle_own_alert(Alert, Version, StateName, State0)
@@ -534,6 +519,13 @@ handle_common_event(internal, #ssl_tls{type = ?ALERT, fragment = EncAlerts}, Sta
 handle_common_event(internal, #ssl_tls{type = _Unknown}, StateName, State) ->
     {next_state, StateName, State}.
 
+handle_state_timeout(flight_retransmission_timeout, StateName, 
+                    #state{flight_state = {retransmit, NextTimeout}} = State0) ->
+    {State1, Actions} = send_handshake_flight(State0#state{flight_state = {retransmit, NextTimeout}}, 
+                                              retransmit_epoch(StateName, State0)),
+    {Record, State} = next_record(State1),
+    next_event(StateName, Record, State, Actions).
+
 send(Transport, {_, {{_,_}, _} = Socket}, Data) ->
     send(Transport, Socket, Data);
 send(Transport, Socket, Data) ->
@@ -645,7 +637,8 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions, _}, User,
 	   allow_renegotiate = SSLOptions#ssl_options.client_renegotiation,
 	   start_or_recv_from = undefined,
 	   protocol_cb = ?MODULE,
-	   flight_buffer = new_flight()
+	   flight_buffer = new_flight(),
+           flight_state = {retransmit, ?INITIAL_RETRANSMIT_TIMEOUT}
 	  }.
 
 next_dtls_record(Data, #state{protocol_buffers = #protocol_buffers{
@@ -714,14 +707,14 @@ next_event(connection = StateName, no_record,
 	   #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) ->
     case next_record_if_active(State0) of
 	{no_record, State} ->
-	    ssl_connection:hibernate_after(StateName, State, Actions);
+            ssl_connection:hibernate_after(StateName, State, Actions);
 	{#ssl_tls{epoch = CurrentEpoch} = Record, State} ->
 	    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};
 	{#ssl_tls{epoch = Epoch,
 		  type = ?HANDSHAKE,
 		  version = _Version}, State1} = _Record when Epoch == CurrentEpoch-1 ->
-	    State = send_handshake_flight(State1, Epoch),
-	    {next_state, StateName, State, Actions};
+	    {State, MoreActions} = send_handshake_flight(State1, Epoch),
+	    {next_state, StateName, State, Actions ++ MoreActions};
 	{#ssl_tls{epoch = _Epoch,
 		  version = _Version}, State} ->
 	    %% TODO maybe buffer later epoch
@@ -772,17 +765,20 @@ next_flight(Flight) ->
     Flight#{handshakes => [],
 	    change_cipher_spec => undefined,
 	    handshakes_after_change_cipher_spec => []}.
-
 	
 start_flight(#state{transport_cb = gen_udp,
-		    flight_state = {retransmit_timer, Timeout}} = State) ->
-    Ref = erlang:make_ref(),
-    _ = erlang:send_after(Timeout, self(), {Ref, flight_retransmission_timeout}),    
-    State#state{flight_state = {waiting, Ref, new_timeout(Timeout)}};
-
+		    flight_state = {retransmit, Timeout}} = State) ->
+    start_retransmision_timer(Timeout, State);
+start_flight(#state{transport_cb = gen_udp,
+		    flight_state = connection} = State) ->
+    {State, []};
 start_flight(State) ->
     %% No retransmision needed i.e DTLS over SCTP
-    State#state{flight_state = reliable}.
+    {State#state{flight_state = reliable}, []}.
+
+start_retransmision_timer(Timeout, State) ->
+    {State#state{flight_state = {retransmit, new_timeout(Timeout)}}, 
+     [{state_timeout, Timeout, flight_retransmission_timeout}]}.
 
 new_timeout(N) when N =< 30 -> 
     N * 2;
@@ -806,13 +802,13 @@ renegotiate(#state{role = server,
 		   connection_states = CS0} = State0, Actions) ->
     HelloRequest = ssl_handshake:hello_request(),
     CS = CS0#{write_msg_seq => 0},
-    State1 = send_handshake(HelloRequest, 
-			    State0#state{connection_states =
-					     CS}),
+    {State1, MoreActions} = send_handshake(HelloRequest, 
+                                           State0#state{connection_states =
+                                                        CS}),
     Hs0 = ssl_handshake:init_handshake_history(),
     {Record, State} = next_record(State1#state{tls_handshake_history = Hs0,
 					       protocol_buffers = #protocol_buffers{}}),
-    next_event(hello, Record, State, Actions).
+    next_event(hello, Record, State, Actions ++ MoreActions).
 
 handle_alerts([], Result) ->
     Result;
@@ -823,15 +819,11 @@ handle_alerts([Alert | Alerts], {next_state, StateName, State}) ->
 handle_alerts([Alert | Alerts], {next_state, StateName, State, _Actions}) ->
      handle_alerts(Alerts, ssl_connection:handle_alert(Alert, StateName, State)).
 
-retransmit_epoch(StateName, #state{connection_states = ConnectionStates}) ->
+retransmit_epoch(_StateName, #state{connection_states = ConnectionStates}) ->
     #{epoch := Epoch} = 
 	ssl_record:current_connection_state(ConnectionStates, write),
-    case StateName of
-	connection ->
-	    Epoch-1;
-	_ ->
-	    Epoch
-    end.	
+    Epoch.
+
 	    
 update_handshake_history(#hello_verify_request{}, _, Hist) ->
     Hist;
@@ -846,3 +838,4 @@ unprocessed_events(Events) ->
     %% handshake events left to process before we should
     %% process more TLS-records received on the socket. 
     erlang:length(Events)-1.
+
diff --git a/lib/ssl/src/dtls_handshake.erl b/lib/ssl/src/dtls_handshake.erl
index af3708ddb7..fd1f9698fe 100644
--- a/lib/ssl/src/dtls_handshake.erl
+++ b/lib/ssl/src/dtls_handshake.erl
@@ -136,9 +136,11 @@ handshake_bin([Type, Length, Data], Seq) ->
     
 %%--------------------------------------------------------------------
 -spec get_dtls_handshake(dtls_record:dtls_version(), binary(), #protocol_buffers{}) ->
-     {[{dtls_handshake(), binary()}], #protocol_buffers{}} | {more_data, #protocol_buffers{}}.
+                                {[dtls_handshake()], #protocol_buffers{}}.                
 %%
-%% Description: ...
+%% Description:  Given buffered and new data from dtls_record, collects
+%% and returns it as a list of handshake messages, also returns 
+%% possible leftover data in the new "protocol_buffers".
 %%--------------------------------------------------------------------
 get_dtls_handshake(Version, Fragment, ProtocolBuffers) ->
     handle_fragments(Version, Fragment, ProtocolBuffers, []).
@@ -288,8 +290,6 @@ do_handle_fragments(_, [], Buffers, Acc) ->
     {lists:reverse(Acc), Buffers};
 do_handle_fragments(Version, [Fragment | Fragments], Buffers0, Acc) ->
     case reassemble(Version, Fragment, Buffers0) of
-	{more_data, _} = More when Acc == []->
-	    More;
 	{more_data, Buffers} when Fragments == [] ->
 	    {lists:reverse(Acc), Buffers};
 	{more_data, Buffers} ->
diff --git a/lib/ssl/src/dtls_socket.erl b/lib/ssl/src/dtls_socket.erl
index 570b3ae83a..ac1a7b37c6 100644
--- a/lib/ssl/src/dtls_socket.erl
+++ b/lib/ssl/src/dtls_socket.erl
@@ -71,11 +71,14 @@ connect(Address, Port, #config{transport_info = {Transport, _, _, _} = CbInfo,
 close(gen_udp, {_Client, _Socket}) ->
     ok.
 
+socket(Pid, gen_udp = Transport, {{_, _}, Socket}, ConnectionCb) ->
+    #sslsocket{pid = Pid, 
+	       %% "The name "fd" is keept for backwards compatibility
+	       fd = {Transport, Socket, ConnectionCb}};
 socket(Pid, Transport, Socket, ConnectionCb) ->
     #sslsocket{pid = Pid, 
 	       %% "The name "fd" is keept for backwards compatibility
-	       fd = {Transport, Socket, ConnectionCb}}.	
-
+	       fd = {Transport, Socket, ConnectionCb}}.
 %% Vad göra med emulerade
 setopts(gen_udp, #sslsocket{pid = {Socket, _}}, Options) ->
     {SockOpts, _} = tls_socket:split_options(Options),
@@ -108,11 +111,15 @@ getstat(gen_udp, {_,Socket}, Options) ->
 	inet:getstat(Socket, Options);
 getstat(Transport, Socket, Options) ->
 	Transport:getstat(Socket, Options).
+peername(udp, _) ->
+    {error, enotconn};
 peername(gen_udp, {_, {Client, _Socket}}) ->
     {ok, Client};
 peername(Transport, Socket) ->
     Transport:peername(Socket).
-sockname(gen_udp, {_,Socket}) ->
+sockname(gen_udp, {_, {_,Socket}}) ->
+    inet:sockname(Socket);
+sockname(gen_udp, Socket) ->
     inet:sockname(Socket);
 sockname(Transport, Socket) ->
     Transport:sockname(Socket).
diff --git a/lib/ssl/src/dtls_udp_listener.erl b/lib/ssl/src/dtls_udp_listener.erl
index b7f115582e..ab3d0783bd 100644
--- a/lib/ssl/src/dtls_udp_listener.erl
+++ b/lib/ssl/src/dtls_udp_listener.erl
@@ -24,7 +24,8 @@
 -behaviour(gen_server).
 
 %% API
--export([start_link/4, active_once/3, accept/2, sockname/1]).
+-export([start_link/4, active_once/3, accept/2, sockname/1, close/1,
+        get_all_opts/1]).
 
 %% gen_server callbacks
 -export([init/1, handle_call/3, handle_cast/2, handle_info/2,
@@ -39,7 +40,8 @@
 	 clients = set_new(),
 	 dtls_processes = kv_new(),
 	 accepters  = queue:new(),
-	 first
+	 first,
+         close
 	}).
 
 %%%===================================================================
@@ -53,10 +55,14 @@ active_once(UDPConnection, Client, Pid) ->
     gen_server:cast(UDPConnection, {active_once, Client, Pid}).
 
 accept(UDPConnection, Accepter) ->
-    gen_server:call(UDPConnection, {accept, Accepter}, infinity).
+    call(UDPConnection, {accept, Accepter}).
 
 sockname(UDPConnection) ->
-    gen_server:call(UDPConnection, sockname, infinity).
+    call(UDPConnection, sockname).
+close(UDPConnection) ->
+    call(UDPConnection, close).
+get_all_opts(UDPConnection) ->
+    call(UDPConnection, get_all_opts).
 
 %%%===================================================================
 %%% gen_server callbacks
@@ -69,10 +75,13 @@ init([Port, EmOpts, InetOptions, DTLSOptions]) ->
 		    first = true,
 		    dtls_options = DTLSOptions,
 		    emulated_options = EmOpts,
-		    listner = Socket}}
+		    listner = Socket,
+                    close = false}}
     catch _:_ ->
 	    {error, closed}
     end.
+handle_call({accept, _}, _, #state{close = true} = State) ->
+    {reply, {error, closed}, State};
 
 handle_call({accept, Accepter}, From, #state{first = true,
 					     accepters = Accepters,
@@ -87,7 +96,21 @@ handle_call({accept, Accepter}, From, #state{accepters = Accepters} = State0) ->
     {noreply, State};
 handle_call(sockname, _, #state{listner = Socket} = State) ->
     Reply = inet:sockname(Socket),
-    {reply, Reply, State}.
+    {reply, Reply, State};
+handle_call(close, _, #state{dtls_processes = Processes,
+                             accepters = Accepters} = State) ->
+    case kv_empty(Processes) of
+        true ->
+            {stop, normal, ok, State#state{close=true}};
+        false -> 
+            lists:foreach(fun({_, From}) ->
+                                  gen_server:reply(From, {error, closed})
+                          end, queue:to_list(Accepters)),
+            {reply, ok,  State#state{close = true, accepters = queue:new()}}
+    end;
+handle_call(get_all_opts, _, #state{dtls_options = DTLSOptions,
+                                    emulated_options = EmOpts} = State) ->
+    {reply, {ok, EmOpts, DTLSOptions}, State}.
 
 handle_cast({active_once, Client, Pid}, State0) ->
     State = handle_active_once(Client, Pid, State0),
@@ -99,11 +122,17 @@ handle_info({udp, Socket, IP, InPortNo, _} = Msg, #state{listner = Socket} = Sta
     {noreply, State};
 
 handle_info({'DOWN', _, process, Pid, _}, #state{clients = Clients,
-						 dtls_processes = Processes0} = State) ->
+						 dtls_processes = Processes0,
+                                                 close = ListenClosed} = State) ->
     Client = kv_get(Pid, Processes0),
     Processes = kv_delete(Pid, Processes0),
-    {noreply, State#state{clients = set_delete(Client, Clients),
-			  dtls_processes = Processes}}.
+    case ListenClosed andalso kv_empty(Processes) of
+        true ->
+            {stop, normal, State};
+        false ->
+            {noreply, State#state{clients = set_delete(Client, Clients),
+                                  dtls_processes = Processes}}
+    end.
 
 terminate(_Reason, _State) ->
     ok.
@@ -182,6 +211,7 @@ setup_new_connection(User, From, Client, Msg, #state{dtls_processes = Processes,
 	    gen_server:reply(From, {error, Reason}),
 	    State
     end.
+
 kv_update(Key, Value, Store) ->
     gb_trees:update(Key, Value, Store).
 kv_lookup(Key, Store) ->
@@ -194,6 +224,8 @@ kv_delete(Key, Store) ->
     gb_trees:delete(Key, Store).
 kv_new() ->
     gb_trees:empty().
+kv_empty(Store) ->
+    gb_trees:is_empty(Store).
 
 set_new() ->
     gb_sets:empty().
@@ -203,3 +235,15 @@ set_delete(Item, Set) ->
     gb_sets:delete(Item, Set).
 set_is_member(Item, Set) ->
     gb_sets:is_member(Item, Set).
+
+call(Server, Msg) ->
+    try
+        gen_server:call(Server, Msg, infinity)
+    catch
+	exit:{noproc, _} ->
+	    {error, closed};
+        exit:{normal, _} ->
+            {error, closed};
+        exit:{{shutdown, _},_} ->
+            {error, closed}
+    end.
diff --git a/lib/ssl/src/dtls_v1.erl b/lib/ssl/src/dtls_v1.erl
index ffd3e4b833..dd0d35d404 100644
--- a/lib/ssl/src/dtls_v1.erl
+++ b/lib/ssl/src/dtls_v1.erl
@@ -21,12 +21,21 @@
 
 -include("ssl_cipher.hrl").
 
--export([suites/1, mac_hash/7, ecc_curves/1, corresponding_tls_version/1, corresponding_dtls_version/1]).
+-export([suites/1, all_suites/1, mac_hash/7, ecc_curves/1, 
+         corresponding_tls_version/1, corresponding_dtls_version/1]).
 
 -spec suites(Minor:: 253|255) -> [ssl_cipher:cipher_suite()].
 
 suites(Minor) ->
-   tls_v1:suites(corresponding_minor_tls_version(Minor)).
+    lists:filter(fun(Cipher) -> 
+                         is_acceptable_cipher(ssl_cipher:suite_definition(Cipher)) 
+                 end,
+                 tls_v1:suites(corresponding_minor_tls_version(Minor))).
+all_suites(Version) ->
+    lists:filter(fun(Cipher) -> 
+                         is_acceptable_cipher(ssl_cipher:suite_definition(Cipher)) 
+                 end,
+                 ssl_cipher:all_suites(corresponding_tls_version(Version))).
 
 mac_hash(Version, MacAlg, MacSecret, SeqNo, Type, Length, Fragment) ->
     tls_v1:mac_hash(MacAlg, MacSecret, SeqNo, Type, Version,
@@ -50,3 +59,5 @@ corresponding_minor_dtls_version(2) ->
     255;
 corresponding_minor_dtls_version(3) ->
     253.
+is_acceptable_cipher(Suite) ->
+    not ssl_cipher:is_stream_ciphersuite(Suite).
diff --git a/lib/ssl/src/ssl.app.src b/lib/ssl/src/ssl.app.src
index 148989174d..064dcd6892 100644
--- a/lib/ssl/src/ssl.app.src
+++ b/lib/ssl/src/ssl.app.src
@@ -63,7 +63,7 @@
     {applications, [crypto, public_key, kernel, stdlib]},
     {env, []},
     {mod, {ssl_app, []}},
-    {runtime_dependencies, ["stdlib-3.1","public_key-1.2","kernel-3.0",
+    {runtime_dependencies, ["stdlib-3.2","public_key-1.2","kernel-3.0",
 			    "erts-7.0","crypto-3.3", "inets-5.10.7"]}]}.
 
 
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 4a5a7e25ea..ed04c7e67b 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -187,16 +187,24 @@ ssl_accept(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
 
 ssl_accept(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     ssl_accept(Socket, Timeout);
-ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts0, Timeout) when
+ssl_accept(#sslsocket{fd = {_, _, _, Tracker}} = Socket, SslOpts, Timeout) when
       (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     try
-	{ok, EmOpts, InheritedSslOpts} = tls_socket:get_all_opts(Tracker),
-	SslOpts = handle_options(SslOpts0, InheritedSslOpts),
+	{ok, EmOpts, _} = tls_socket:get_all_opts(Tracker),
 	ssl_connection:handshake(Socket, {SslOpts, 
 					  tls_socket:emulated_socket_options(EmOpts, #socket_options{})}, Timeout)
     catch
 	Error = {error, _Reason} -> Error
     end;
+ssl_accept(#sslsocket{pid = Pid, fd = {_, _, _}} = Socket, SslOpts, Timeout) when
+      (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
+    try
+        {ok, EmOpts, _} = dtls_udp_listener:get_all_opts(Pid),
+	ssl_connection:handshake(Socket, {SslOpts,  
+                                          tls_socket:emulated_socket_options(EmOpts, #socket_options{})}, Timeout)
+    catch
+	Error = {error, _Reason} -> Error
+    end;
 ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
 					     (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
     {Transport,_,_,_} =
@@ -215,7 +223,6 @@ ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
     catch
 	Error = {error, _Reason} -> Error
     end.
-
 %%--------------------------------------------------------------------
 -spec  close(#sslsocket{}) -> term().
 %%
@@ -223,6 +230,8 @@ ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket),
 %%--------------------------------------------------------------------
 close(#sslsocket{pid = Pid}) when is_pid(Pid) ->
     ssl_connection:close(Pid, {close, ?DEFAULT_TIMEOUT});
+close(#sslsocket{pid = {udp, #config{udp_handler = {Pid, _}}}}) ->
+   dtls_udp_listener:close(Pid);
 close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_, _, _}}}}) ->
     Transport:close(ListenSocket).
 
@@ -251,6 +260,8 @@ send(#sslsocket{pid = Pid}, Data) when is_pid(Pid) ->
     ssl_connection:send(Pid, Data);
 send(#sslsocket{pid = {_, #config{transport_info={gen_udp, _, _, _}}}}, _) ->
     {error,enotconn}; %% Emulate connection behaviour
+send(#sslsocket{pid = {udp,_}}, _) ->
+    {error,enotconn};
 send(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport, _, _, _}}}}, Data) ->
     Transport:send(ListenSocket, Data). %% {error,enotconn}
 
@@ -265,6 +276,8 @@ recv(Socket, Length) ->
 recv(#sslsocket{pid = Pid}, Length, Timeout) when is_pid(Pid),
 						  (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     ssl_connection:recv(Pid, Length, Timeout);
+recv(#sslsocket{pid = {udp,_}}, _, _) ->
+    {error,enotconn};
 recv(#sslsocket{pid = {Listen,
 		       #config{transport_info = {Transport, _, _, _}}}}, _,_) when is_port(Listen)->
     Transport:recv(Listen, 0). %% {error,enotconn}
@@ -277,10 +290,14 @@ recv(#sslsocket{pid = {Listen,
 %%--------------------------------------------------------------------
 controlling_process(#sslsocket{pid = Pid}, NewOwner) when is_pid(Pid), is_pid(NewOwner) ->
     ssl_connection:new_user(Pid, NewOwner);
+controlling_process(#sslsocket{pid = {udp, _}},
+		    NewOwner) when is_pid(NewOwner) ->
+    ok; %% Meaningless but let it be allowed to conform with TLS 
 controlling_process(#sslsocket{pid = {Listen,
 				      #config{transport_info = {Transport, _, _, _}}}},
 		    NewOwner) when is_port(Listen),
 				   is_pid(NewOwner) ->
+     %% Meaningless but let it be allowed to conform with normal sockets  
     Transport:controlling_process(Listen, NewOwner).
 
 
@@ -297,7 +314,9 @@ connection_information(#sslsocket{pid = Pid}) when is_pid(Pid) ->
             Error
     end;
 connection_information(#sslsocket{pid = {Listen, _}}) when is_port(Listen) -> 
-    {error, enotconn}.
+    {error, enotconn};
+connection_information(#sslsocket{pid = {udp,_}}) ->
+    {error,enotconn}. 
 
 %%--------------------------------------------------------------------
 -spec connection_information(#sslsocket{}, [atom()]) -> {ok, list()} | {error, reason()}.
@@ -333,10 +352,18 @@ connection_info(#sslsocket{} = SSLSocket) ->
 %%
 %% Description: same as inet:peername/1.
 %%--------------------------------------------------------------------
+peername(#sslsocket{pid = Pid, fd = {Transport, Socket, _}}) when is_pid(Pid)->
+    dtls_socket:peername(Transport, Socket);
 peername(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid)->
     tls_socket:peername(Transport, Socket);
+peername(#sslsocket{pid = {udp = Transport, #config{udp_handler = {_Pid, _}}}}) ->
+    dtls_socket:peername(Transport, undefined);
+peername(#sslsocket{pid = Pid, fd = {gen_udp= Transport, Socket, _, _}}) when is_pid(Pid) ->
+    dtls_socket:peername(Transport, Socket);
 peername(#sslsocket{pid = {ListenSocket,  #config{transport_info = {Transport,_,_,_}}}}) ->
-    tls_socket:peername(Transport, ListenSocket). %% Will return {error, enotconn}
+    tls_socket:peername(Transport, ListenSocket); %% Will return {error, enotconn}
+peername(#sslsocket{pid = {udp,_}}) ->
+    {error,enotconn}.
 
 %%--------------------------------------------------------------------
 -spec peercert(#sslsocket{}) ->{ok, DerCert::binary()} | {error, reason()}.
@@ -350,6 +377,8 @@ peercert(#sslsocket{pid = Pid}) when is_pid(Pid) ->
         Result ->
 	    Result
     end;
+peercert(#sslsocket{pid = {udp, _}}) ->
+    {error, enotconn};
 peercert(#sslsocket{pid = {Listen, _}}) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -506,6 +535,8 @@ getstat(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}, Options) when is_
 shutdown(#sslsocket{pid = {Listen, #config{transport_info = {Transport,_, _, _}}}},
 	 How) when is_port(Listen) ->
     Transport:shutdown(Listen, How);
+shutdown(#sslsocket{pid = {udp,_}},_) ->
+    {error, enotconn};
 shutdown(#sslsocket{pid = Pid}, How) ->
     ssl_connection:shutdown(Pid, How).
 
@@ -518,7 +549,7 @@ sockname(#sslsocket{pid = {Listen,  #config{transport_info = {Transport, _, _, _
     tls_socket:sockname(Transport, Listen);
 sockname(#sslsocket{pid = {udp, #config{udp_handler = {Pid, _}}}}) ->
     dtls_udp_listener:sockname(Pid);
-sockname(#sslsocket{pid = Pid, fd = {gen_udp= Transport, Socket, _, _}}) when is_pid(Pid) ->
+sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _}}) when is_pid(Pid) ->
     dtls_socket:sockname(Transport, Socket);
 sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid) ->
     tls_socket:sockname(Transport, Socket).
@@ -531,6 +562,8 @@ sockname(#sslsocket{pid = Pid, fd = {Transport, Socket, _, _}}) when is_pid(Pid)
 %%--------------------------------------------------------------------
 session_info(#sslsocket{pid = Pid}) when is_pid(Pid) ->
     ssl_connection:session_info(Pid);
+session_info(#sslsocket{pid = {udp,_}}) ->
+    {error, enotconn};
 session_info(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -555,6 +588,8 @@ versions() ->
 %%--------------------------------------------------------------------
 renegotiate(#sslsocket{pid = Pid}) when is_pid(Pid) ->
     ssl_connection:renegotiation(Pid);
+renegotiate(#sslsocket{pid = {udp,_}}) ->
+    {error, enotconn};
 renegotiate(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -568,6 +603,8 @@ renegotiate(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
 prf(#sslsocket{pid = Pid},
     Secret, Label, Seed, WantedLength) when is_pid(Pid) ->
     ssl_connection:prf(Pid, Secret, Label, Seed, WantedLength);
+prf(#sslsocket{pid = {udp,_}}, _,_,_,_) ->
+    {error, enotconn};
 prf(#sslsocket{pid = {Listen,_}}, _,_,_,_) when is_port(Listen) ->
     {error, enotconn}.
 
@@ -696,7 +733,7 @@ handle_options(Opts0, Role) ->
 		       [RecordCb:protocol_version(Vsn) || Vsn <- Vsns]
 	       end,
 
-    Protocol = proplists:get_value(protocol, Opts, tls),
+    Protocol = handle_option(protocol, Opts, tls),
 
     SSLOptions = #ssl_options{
 		    versions   = Versions,
@@ -755,7 +792,7 @@ handle_options(Opts0, Role) ->
 		    honor_ecc_order = handle_option(honor_ecc_order, Opts,
 						       default_option_role(server, false, Role),
 						       server, Role),
-		    protocol = Protocol, 
+		    protocol = Protocol,
 		    padding_check =  proplists:get_value(padding_check, Opts, true),
 		    beast_mitigation = handle_option(beast_mitigation, Opts, one_n_minus_one),
 		    fallback = handle_option(fallback, Opts,
@@ -1032,6 +1069,10 @@ validate_option(v2_hello_compatible, Value) when is_boolean(Value)  ->
     Value;
 validate_option(max_handshake_size, Value) when is_integer(Value)  andalso Value =< ?MAX_UNIT24 ->
     Value;
+validate_option(protocol, Value = tls) ->
+    Value;
+validate_option(protocol, Value = dtls) ->
+    Value;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
@@ -1069,17 +1110,37 @@ validate_binary_list(Opt, List) ->
            (Bin) ->
             throw({error, {options, {Opt, {invalid_protocol, Bin}}}})
         end, List).
-
 validate_versions([], Versions) ->
     Versions;
 validate_versions([Version | Rest], Versions) when Version == 'tlsv1.2';
                                                    Version == 'tlsv1.1';
                                                    Version == tlsv1;
                                                    Version == sslv3 ->
-    validate_versions(Rest, Versions);
+    tls_validate_versions(Rest, Versions);                                      
+validate_versions([Version | Rest], Versions) when Version == 'dtlsv1';
+                                                   Version == 'dtlsv2'->
+    dtls_validate_versions(Rest, Versions);
 validate_versions([Ver| _], Versions) ->
     throw({error, {options, {Ver, {versions, Versions}}}}).
 
+tls_validate_versions([], Versions) ->
+    Versions;
+tls_validate_versions([Version | Rest], Versions) when Version == 'tlsv1.2';
+                                                   Version == 'tlsv1.1';
+                                                   Version == tlsv1;
+                                                   Version == sslv3 ->
+    tls_validate_versions(Rest, Versions);                  
+tls_validate_versions([Ver| _], Versions) ->
+    throw({error, {options, {Ver, {versions, Versions}}}}).
+
+dtls_validate_versions([], Versions) ->
+    Versions;
+dtls_validate_versions([Version | Rest], Versions) when  Version == 'dtlsv1';
+                                                         Version == 'dtlsv2'->
+    dtls_validate_versions(Rest, Versions);
+dtls_validate_versions([Ver| _], Versions) ->
+    throw({error, {options, {Ver, {versions, Versions}}}}).
+
 validate_inet_option(mode, Value)
   when Value =/= list, Value =/= binary ->
     throw({error, {options, {mode,Value}}});
@@ -1151,18 +1212,18 @@ handle_cipher_option(Value, Version)  when is_list(Value) ->
 binary_cipher_suites(Version, []) -> 
     %% Defaults to all supported suites that does
     %% not require explicit configuration
-    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
+    ssl_cipher:filter_suites(ssl_cipher:suites(tls_version(Version)));
 binary_cipher_suites(Version, [Tuple|_] = Ciphers0) when is_tuple(Tuple) ->
     Ciphers = [ssl_cipher:suite(C) || C <- Ciphers0],
     binary_cipher_suites(Version, Ciphers);
 
 binary_cipher_suites(Version, [Cipher0 | _] = Ciphers0) when is_binary(Cipher0) ->
-    All = ssl_cipher:all_suites(Version),
+    All = ssl_cipher:all_suites(tls_version(Version)),
     case [Cipher || Cipher <- Ciphers0, lists:member(Cipher, All)] of
 	[] ->
 	    %% Defaults to all supported suites that does
 	    %% not require explicit configuration
-	    ssl_cipher:filter_suites(ssl_cipher:suites(Version));
+	    ssl_cipher:filter_suites(ssl_cipher:suites(tls_version(Version)));
 	Ciphers ->
 	    Ciphers
     end;
@@ -1175,7 +1236,8 @@ binary_cipher_suites(Version, Ciphers0)  ->
     Ciphers = [ssl_cipher:openssl_suite(C) || C <- string:tokens(Ciphers0, ":")],
     binary_cipher_suites(Version, Ciphers).
 
-handle_eccs_option(Value, {_Major, Minor}) when is_list(Value) ->
+handle_eccs_option(Value, Version) when is_list(Value) ->
+    {_Major, Minor} = tls_version(Version),
     try tls_v1:ecc_curves(Minor, Value) of
         Curves -> #elliptic_curves{elliptic_curve_list = Curves}
     catch
@@ -1348,7 +1410,10 @@ new_ssl_options([{signature_algs, Value} | Rest], #ssl_options{} = Opts, RecordC
 					 handle_hashsigns_option(Value, 
 								 tls_version(RecordCB:highest_protocol_version()))}, 
 		    RecordCB);
-
+new_ssl_options([{protocol, dtls = Value} | Rest], #ssl_options{} = Opts, dtls_record = RecordCB) -> 
+    new_ssl_options(Rest, Opts#ssl_options{protocol = Value}, RecordCB);
+new_ssl_options([{protocol, tls = Value} | Rest], #ssl_options{} = Opts, tls_record = RecordCB) -> 
+    new_ssl_options(Rest, Opts#ssl_options{protocol = Value}, RecordCB);
 new_ssl_options([{Key, Value} | _Rest], #ssl_options{}, _) -> 
     throw({error, {options, {Key, Value}}}).
 
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 32fec03b8e..8e6860e9dc 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -40,7 +40,8 @@
 	 ec_keyed_suites/0, anonymous_suites/1, psk_suites/1, srp_suites/0,
 	 rc4_suites/1, des_suites/1, openssl_suite/1, openssl_suite_name/1, filter/2, filter_suites/1,
 	 hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2, is_fallback/1,
-	 random_bytes/1, calc_aad/3, calc_mac_hash/4]).
+	 random_bytes/1, calc_aad/3, calc_mac_hash/4,
+         is_stream_ciphersuite/1]).
 
 -export_type([cipher_suite/0,
 	      erl_cipher_suite/0, openssl_cipher_suite/0,
@@ -310,18 +311,21 @@ aead_decipher(Type, #cipher_state{key = Key, iv = IV} = CipherState,
 %%--------------------------------------------------------------------
 suites({3, 0}) ->
     ssl_v3:suites();
-suites({3, N}) ->
-    tls_v1:suites(N);
-suites(Version) ->
-    suites(dtls_v1:corresponding_tls_version(Version)).
+suites({3, Minor}) ->
+    tls_v1:suites(Minor);
+suites({_, Minor}) ->
+    dtls_v1:suites(Minor).
 
-all_suites(Version) ->
+all_suites({3, _} = Version) ->
     suites(Version)
 	++ anonymous_suites(Version)
 	++ psk_suites(Version)
 	++ srp_suites()
         ++ rc4_suites(Version)
-        ++ des_suites(Version).
+        ++ des_suites(Version);
+all_suites(Version) ->
+    dtls_v1:all_suites(Version).
+
 %%--------------------------------------------------------------------
 -spec anonymous_suites(ssl_record:ssl_version() | integer()) -> [cipher_suite()].
 %%
@@ -1541,6 +1545,10 @@ calc_mac_hash(Type, Version,
 	     MacSecret, SeqNo, Type,
 	     Length, PlainFragment).
 
+is_stream_ciphersuite({_, rc4_128, _, _}) ->
+    true;
+is_stream_ciphersuite(_) ->
+    false.
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 4fbac4cad3..5244db31af 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -148,19 +148,19 @@ socket_control(Connection, Socket, Pid, Transport) ->
 %%--------------------------------------------------------------------	    
 socket_control(Connection, Socket, Pid, Transport, udp_listner) ->
     %% dtls listner process must have the socket control
-    {ok, dtls_socket:socket(Pid, Transport, Socket, Connection)};
+    {ok, Connection:socket(Pid, Transport, Socket, Connection, undefined)};
 
 socket_control(tls_connection = Connection, Socket, Pid, Transport, ListenTracker) ->
     case Transport:controlling_process(Socket, Pid) of
 	ok ->
-	    {ok, tls_socket:socket(Pid, Transport, Socket, Connection, ListenTracker)};
+	    {ok, Connection:socket(Pid, Transport, Socket, Connection, ListenTracker)};
 	{error, Reason}	->
 	    {error, Reason}
     end;
 socket_control(dtls_connection = Connection, {_, Socket}, Pid, Transport, ListenTracker) ->
     case Transport:controlling_process(Socket, Pid) of
 	ok ->
-	    {ok, tls_socket:socket(Pid, Transport, Socket, Connection, ListenTracker)};
+	    {ok, Connection:socket(Pid, Transport, Socket, Connection, ListenTracker)};
 	{error, Reason}	->
 	    {error, Reason}
     end.
@@ -363,11 +363,13 @@ init({call, From}, {start, Timeout}, State0, Connection) ->
 							  timer = Timer}),
     Connection:next_event(hello, Record, State);
 init({call, From}, {start, {Opts, EmOpts}, Timeout}, 
-     #state{role = Role} = State0, Connection) ->
+     #state{role = Role, ssl_options = OrigSSLOptions,
+            socket_options = SockOpts} = State0, Connection) ->
     try 
-	State = ssl_config(Opts, Role, State0),
+        SslOpts = ssl:handle_options(Opts, OrigSSLOptions),
+	State = ssl_config(SslOpts, Role, State0),
 	init({call, From}, {start, Timeout}, 
-	     State#state{ssl_options = Opts, socket_options = EmOpts}, Connection)
+	     State#state{ssl_options = SslOpts, socket_options = new_emulated(EmOpts, SockOpts)}, Connection)
     catch throw:Error ->
 	    {stop_and_reply, normal, {reply, From, {error, Error}}}
     end;
@@ -432,11 +434,11 @@ abbreviated(internal, #finished{verify_data = Data} = Finished,
         verified ->
 	    ConnectionStates1 =
 		ssl_record:set_server_verify_data(current_read, Data, ConnectionStates0),
-	    State1 =
+	    {State1, Actions} =
 		finalize_handshake(State0#state{connection_states = ConnectionStates1},
 				   abbreviated, Connection),
 	    {Record, State} = prepare_connection(State1#state{expecting_finished = false}, Connection),
-	    Connection:next_event(connection, Record, State);
+	    Connection:next_event(connection, Record, State, Actions);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, abbreviated, State0)
     end;
@@ -856,6 +858,7 @@ handle_common_event(internal, #change_cipher_spec{type = <<1>>}, StateName,
 				StateName, State);
 handle_common_event(_Type, Msg, StateName, #state{negotiated_version = Version} = State, 
 		    _) ->
+    ct:pal("Unexpected msg ~p", [Msg]),
     Alert =  ?ALERT_REC(?FATAL,?UNEXPECTED_MESSAGE),
     handle_own_alert(Alert, Version, {StateName, Msg}, State).
 
@@ -1236,13 +1239,13 @@ new_server_hello(#server_hello{cipher_suite = CipherSuite,
 		       negotiated_version = Version} = State0, Connection) ->
     try server_certify_and_key_exchange(State0, Connection) of
         #state{} = State1 ->
-            State2 = server_hello_done(State1, Connection),
+            {State2, Actions} = server_hello_done(State1, Connection),
 	    Session =
 		Session0#session{session_id = SessionId,
 				 cipher_suite = CipherSuite,
 				 compression_method = Compression},
 	    {Record, State} = Connection:next_record(State2#state{session = Session}),
-	    Connection:next_event(certify, Record, State)
+	    Connection:next_event(certify, Record, State, Actions)
     catch
         #alert{} = Alert ->
 	    handle_own_alert(Alert, Version, hello, State0)
@@ -1257,10 +1260,10 @@ resumed_server_hello(#state{session = Session,
 	{_, ConnectionStates1} ->
 	    State1 = State0#state{connection_states = ConnectionStates1,
 				  session = Session},
-	    State2 =
+	    {State2, Actions} =
 		finalize_handshake(State1, abbreviated, Connection),
 	    {Record, State} = Connection:next_record(State2),
-	    Connection:next_event(abbreviated, Record, State);
+	    Connection:next_event(abbreviated, Record, State, Actions);
 	#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, hello, State0)
     end.
@@ -1343,12 +1346,12 @@ client_certify_and_key_exchange(#state{negotiated_version = Version} =
 				State0, Connection) ->
     try do_client_certify_and_key_exchange(State0, Connection) of
         State1 = #state{} ->
-	    State2 = finalize_handshake(State1, certify, Connection),
+	    {State2, Actions} = finalize_handshake(State1, certify, Connection),
             State3 = State2#state{
 		       %% Reinitialize
 		       client_certificate_requested = false},
 	    {Record, State} = Connection:next_record(State3),
-	    Connection:next_event(cipher, Record, State)
+	    Connection:next_event(cipher, Record, State, Actions)
     catch
         throw:#alert{} = Alert ->
 	    handle_own_alert(Alert, Version, certify, State0)
@@ -1870,11 +1873,11 @@ cipher_role(server, Data, Session,  #state{connection_states = ConnectionStates0
 	    Connection) ->
     ConnectionStates1 = ssl_record:set_client_verify_data(current_read, Data, 
 							  ConnectionStates0),
-    State1 =
+    {State1, Actions} =
 	finalize_handshake(State0#state{connection_states = ConnectionStates1,
 					session = Session}, cipher, Connection),
     {Record, State} = prepare_connection(State1, Connection),
-    Connection:next_event(connection, Record, State).
+    Connection:next_event(connection, Record, State, Actions).
 
 is_anonymous(Algo) when Algo == dh_anon;
 			Algo == ecdh_anon;
@@ -2305,7 +2308,7 @@ format_reply(_, _,#socket_options{active = false, mode = Mode, packet = Packet,
     {ok, do_format_reply(Mode, Packet, Header, Data)};
 format_reply(Transport, Socket, #socket_options{active = _, mode = Mode, packet = Packet,
 						header = Header}, Data, Tracker, Connection) ->
-    {ssl, tls_socket:socket(self(), Transport, Socket, Connection, Tracker), 
+    {ssl, Connection:socket(self(), Transport, Socket, Connection, Tracker), 
      do_format_reply(Mode, Packet, Header, Data)}.
 
 deliver_packet_error(Transport, Socket, SO= #socket_options{active = Active}, Data, Pid, From, Tracker, Connection) ->
@@ -2314,7 +2317,7 @@ deliver_packet_error(Transport, Socket, SO= #socket_options{active = Active}, Da
 format_packet_error(_, _,#socket_options{active = false, mode = Mode}, Data, _, _) ->
     {error, {invalid_packet, do_format_reply(Mode, raw, 0, Data)}};
 format_packet_error(Transport, Socket, #socket_options{active = _, mode = Mode}, Data, Tracker, Connection) ->
-    {ssl_error, tls_socket:socket(self(), Transport, Socket, Connection, Tracker), 
+    {ssl_error, Connection:socket(self(), Transport, Socket, Connection, Tracker), 
      {invalid_packet, do_format_reply(Mode, raw, 0, Data)}}.
 
 do_format_reply(binary, _, N, Data) when N > 0 ->  % Header mode
@@ -2369,11 +2372,11 @@ alert_user(Transport, Tracker, Socket, Active, Pid, From, Alert, Role, Connectio
     case ssl_alert:reason_code(Alert, Role) of
 	closed ->
 	    send_or_reply(Active, Pid, From,
-			  {ssl_closed, tls_socket:socket(self(), 
+			  {ssl_closed, Connection:socket(self(), 
 							 Transport, Socket, Connection, Tracker)});
 	ReasonCode ->
 	    send_or_reply(Active, Pid, From,
-			  {ssl_error, tls_socket:socket(self(), 
+			  {ssl_error, Connection:socket(self(), 
 							Transport, Socket, Connection, Tracker), ReasonCode})
     end.
 
@@ -2472,3 +2475,8 @@ update_ssl_options_from_sni(OrigSSLOptions, SNIHostname) ->
         _ ->
             ssl:handle_options(SSLOption, OrigSSLOptions)
     end.
+
+new_emulated([], EmOpts) ->
+    EmOpts;
+new_emulated(NewEmOpts, _) ->
+    NewEmOpts.
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index c34af9f82c..c10ec3a2d6 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -76,7 +76,7 @@
 -define(ALL_SUPPORTED_VERSIONS, ['tlsv1.2', 'tlsv1.1', tlsv1]).
 -define(MIN_SUPPORTED_VERSIONS, ['tlsv1.1', tlsv1]).
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
--define(MIN_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
+-define(MIN_DATAGRAM_SUPPORTED_VERSIONS, [dtlsv1]).
 
 -define('24H_in_msec', 86400000).
 -define('24H_in_sec', 86400).
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 77606911be..c6e530e164 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -48,7 +48,7 @@
 -export([encode_data/3, encode_alert/3]).
 
 %% State transition handling	 
--export([next_record/1, next_event/3]).
+-export([next_record/1, next_event/3, next_event/4]).
 
 %% Handshake handling
 -export([renegotiate/2, send_handshake/2, 
@@ -59,7 +59,8 @@
 -export([send_alert/2, close/5]).
 
 %% Data handling
--export([passive_receive/2, next_record_if_active/1, handle_common_event/4, send/3]).
+-export([passive_receive/2, next_record_if_active/1, handle_common_event/4, send/3,
+        socket/5]).
 
 %% gen_statem state functions
 -export([init/3, error/3, downgrade/3, %% Initiation and take down states
@@ -117,7 +118,7 @@ send_handshake_flight(#state{socket = Socket,
 			     transport_cb = Transport,
 			     flight_buffer = Flight} = State0) ->
     send(Transport, Socket, Flight),
-    State0#state{flight_buffer = []}.
+    {State0#state{flight_buffer = []}, []}.
 
 queue_change_cipher(Msg, #state{negotiated_version = Version,
 				  flight_buffer = Flight0,
@@ -191,6 +192,10 @@ init([Role, Host, Port, Socket, Options,  User, CbInfo]) ->
 callback_mode() ->
     state_functions.
 
+socket(Pid,  Transport, Socket, Connection, Tracker) ->
+    tls_socket:socket(Pid, Transport, Socket, Connection, Tracker).
+
+
 %%--------------------------------------------------------------------
 %% State functions
 %%--------------------------------------------------------------------
@@ -340,12 +345,12 @@ connection(internal, #hello_request{},
 		  renegotiation = {Renegotiation, _}} = State0) ->
     Hello = tls_handshake:client_hello(Host, Port, ConnectionStates0, SslOpts,
 				       Cache, CacheCb, Renegotiation, Cert),
-    State1 = send_handshake(Hello, State0),
+    {State1, Actions} = send_handshake(Hello, State0),
     {Record, State} =
 	next_record(
 	  State1#state{session = Session0#session{session_id
 						  = Hello#client_hello.session_id}}),
-    next_event(hello, Record, State);
+    next_event(hello, Record, State, Actions);
 connection(internal, #client_hello{} = Hello, 
 	   #state{role = server, allow_renegotiate = true} = State0) ->
     %% Mitigate Computational DoS attack