Diffstat (limited to 'lib/ssl/test')
-rw-r--r--lib/ssl/test/Makefile2
-rw-r--r--lib/ssl/test/erl_make_certs.erl8
-rw-r--r--lib/ssl/test/make_certs.erl2
-rw-r--r--lib/ssl/test/ssl_alpn_handshake_SUITE.erl414
-rw-r--r--lib/ssl/test/ssl_handshake_SUITE.erl59
-rw-r--r--lib/ssl/test/ssl_npn_handshake_SUITE.erl8
-rw-r--r--lib/ssl/test/ssl_sni_SUITE.erl168
-rw-r--r--lib/ssl/test/ssl_test_lib.erl19
-rw-r--r--lib/ssl/test/ssl_to_openssl_SUITE.erl453
9 files changed, 1113 insertions, 20 deletions
diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 09cc5981e7..886cc7726b 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -36,6 +36,7 @@ VSN=$(GS_VSN)
MODULES = \
ssl_test_lib \
+ ssl_alpn_handshake_SUITE \
ssl_basic_SUITE \
ssl_bench_SUITE \
ssl_cipher_SUITE \
@@ -52,6 +53,7 @@ MODULES = \
ssl_to_openssl_SUITE \
ssl_ECC_SUITE \
ssl_upgrade_SUITE\
+ ssl_sni_SUITE \
make_certs\
erl_make_certs
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index b534c0130e..12ad1e5402 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -114,7 +114,7 @@ verify_signature(DerEncodedCert, DerKey, _KeyParams) ->
#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y} ->
public_key:pkix_verify(DerEncodedCert, {Y, #'Dss-Parms'{p=P, q=Q, g=G}});
#'ECPrivateKey'{version = _Version, privateKey = _PrivKey,
- parameters = Params, publicKey = {0, PubKey}} ->
+ parameters = Params, publicKey = PubKey} ->
public_key:pkix_verify(DerEncodedCert, {#'ECPoint'{point = PubKey}, Params})
end.
@@ -292,7 +292,7 @@ publickey(#'DSAPrivateKey'{p=P, q=Q, g=G, y=Y}) ->
publickey(#'ECPrivateKey'{version = _Version,
privateKey = _PrivKey,
parameters = Params,
- publicKey = {0, PubKey}}) ->
+ publicKey = PubKey}) ->
Algo = #'PublicKeyAlgorithm'{algorithm= ?'id-ecPublicKey', parameters=Params},
#'OTPSubjectPublicKeyInfo'{algorithm = Algo,
subjectPublicKey = #'ECPoint'{point = PubKey}}.
@@ -401,9 +401,9 @@ gen_ec2(CurveId) ->
{PubKey, PrivKey} = crypto:generate_key(ecdh, CurveId),
#'ECPrivateKey'{version = 1,
- privateKey = binary_to_list(PrivKey),
+ privateKey = PrivKey,
parameters = {namedCurve, pubkey_cert_records:namedCurves(CurveId)},
- publicKey = {0, PubKey}}.
+ publicKey = PubKey}.
%% See fips_186-3.pdf
dsa_search(T, P0, Q, Iter) when Iter > 0 ->
diff --git a/lib/ssl/test/make_certs.erl b/lib/ssl/test/make_certs.erl
index 77631f62d3..4a193d48fe 100644
--- a/lib/ssl/test/make_certs.erl
+++ b/lib/ssl/test/make_certs.erl
@@ -81,7 +81,7 @@ all(DataDir, PrivDir, C = #config{}) ->
create_rnd(DataDir, PrivDir), % For all requests
rootCA(PrivDir, "erlangCA", C),
intermediateCA(PrivDir, "otpCA", "erlangCA", C),
- endusers(PrivDir, "otpCA", ["client", "server", "revoked"], C),
+ endusers(PrivDir, "otpCA", ["client", "server", "revoked", "a.server", "b.server"], C),
endusers(PrivDir, "erlangCA", ["localhost"], C),
%% Create keycert files
SDir = filename:join([PrivDir, "server"]),
diff --git a/lib/ssl/test/ssl_alpn_handshake_SUITE.erl b/lib/ssl/test/ssl_alpn_handshake_SUITE.erl
new file mode 100644
index 0000000000..ccd70fa605
--- /dev/null
+++ b/lib/ssl/test/ssl_alpn_handshake_SUITE.erl
@@ -0,0 +1,414 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+-module(ssl_alpn_handshake_SUITE).
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+-include_lib("common_test/include/ct.hrl").
+
+-define(SLEEP, 500).
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+
+suite() -> [{ct_hooks,[ts_install_cth]}].
+
+all() ->
+ [{group, 'tlsv1.2'},
+ {group, 'tlsv1.1'},
+ {group, 'tlsv1'},
+ {group, 'sslv3'}].
+
+groups() ->
+ [
+ {'tlsv1.2', [], alpn_tests()},
+ {'tlsv1.1', [], alpn_tests()},
+ {'tlsv1', [], alpn_tests()},
+ {'sslv3', [], alpn_not_supported()}
+ ].
+
+alpn_tests() ->
+ [empty_protocols_are_not_allowed,
+ protocols_must_be_a_binary_list,
+ empty_client,
+ empty_server,
+ empty_client_empty_server,
+ no_matching_protocol,
+ client_alpn_and_server_alpn,
+ client_alpn_and_server_no_support,
+ client_no_support_and_server_alpn,
+ client_alpn_npn_and_server_alpn,
+ client_alpn_npn_and_server_alpn_npn,
+ client_alpn_and_server_alpn_npn,
+ client_renegotiate,
+ session_reused
+ ].
+
+alpn_not_supported() ->
+ [alpn_not_supported_client,
+ alpn_not_supported_server
+ ].
+
+init_per_suite(Config) ->
+ catch crypto:stop(),
+ try crypto:start() of
+ ok ->
+ ssl:start(),
+ Result =
+ (catch make_certs:all(?config(data_dir, Config),
+ ?config(priv_dir, Config))),
+ ct:log("Make certs ~p~n", [Result]),
+ ssl_test_lib:cert_options(Config)
+ catch _:_ ->
+ {skip, "Crypto did not start"}
+ end.
+
+end_per_suite(_Config) ->
+ ssl:stop(),
+ application:unload(ssl),
+ application:stop(crypto).
+
+
+init_per_group(GroupName, Config) ->
+ case ssl_test_lib:is_tls_version(GroupName) of
+ true ->
+ case ssl_test_lib:sufficient_crypto_support(GroupName) of
+ true ->
+ ssl_test_lib:init_tls_version(GroupName),
+ Config;
+ false ->
+ {skip, "Missing crypto support"}
+ end;
+ _ ->
+ ssl:start(),
+ Config
+ end.
+
+end_per_group(_GroupName, Config) ->
+ Config.
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+
+empty_protocols_are_not_allowed(Config) when is_list(Config) ->
+ {error, {options, {alpn_preferred_protocols, {invalid_protocol, <<>>}}}}
+ = (catch ssl:listen(9443,
+ [{alpn_preferred_protocols, [<<"foo/1">>, <<"">>]}])),
+ {error, {options, {alpn_advertised_protocols, {invalid_protocol, <<>>}}}}
+ = (catch ssl:connect({127,0,0,1}, 9443,
+ [{alpn_advertised_protocols, [<<"foo/1">>, <<"">>]}])).
+
+%--------------------------------------------------------------------------------
+
+protocols_must_be_a_binary_list(Config) when is_list(Config) ->
+ Option1 = {alpn_preferred_protocols, hello},
+ {error, {options, Option1}} = (catch ssl:listen(9443, [Option1])),
+ Option2 = {alpn_preferred_protocols, [<<"foo/1">>, hello]},
+ {error, {options, {alpn_preferred_protocols, {invalid_protocol, hello}}}}
+ = (catch ssl:listen(9443, [Option2])),
+ Option3 = {alpn_advertised_protocols, hello},
+ {error, {options, Option3}} = (catch ssl:connect({127,0,0,1}, 9443, [Option3])),
+ Option4 = {alpn_advertised_protocols, [<<"foo/1">>, hello]},
+ {error, {options, {alpn_advertised_protocols, {invalid_protocol, hello}}}}
+ = (catch ssl:connect({127,0,0,1}, 9443, [Option4])).
+
+%--------------------------------------------------------------------------------
+
+empty_client(Config) when is_list(Config) ->
+ run_failing_handshake(Config,
+ [{alpn_advertised_protocols, []}],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"spdy/3">>, <<"http/2">>]}],
+ {connect_failed,{tls_alert,"no application protocol"}}).
+
+%--------------------------------------------------------------------------------
+
+empty_server(Config) when is_list(Config) ->
+ run_failing_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]}],
+ [{alpn_preferred_protocols, []}],
+ {connect_failed,{tls_alert,"no application protocol"}}).
+
+%--------------------------------------------------------------------------------
+
+empty_client_empty_server(Config) when is_list(Config) ->
+ run_failing_handshake(Config,
+ [{alpn_advertised_protocols, []}],
+ [{alpn_preferred_protocols, []}],
+ {connect_failed,{tls_alert,"no application protocol"}}).
+
+%--------------------------------------------------------------------------------
+
+no_matching_protocol(Config) when is_list(Config) ->
+ run_failing_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]}],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"spdy/3">>, <<"http/2">>]}],
+ {connect_failed,{tls_alert,"no application protocol"}}).
+
+%--------------------------------------------------------------------------------
+
+client_alpn_and_server_alpn(Config) when is_list(Config) ->
+ run_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]}],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]}],
+ {ok, <<"http/1.1">>}).
+
+%--------------------------------------------------------------------------------
+
+client_alpn_and_server_no_support(Config) when is_list(Config) ->
+ run_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]}],
+ [],
+ {error, protocol_not_negotiated}).
+
+%--------------------------------------------------------------------------------
+
+client_no_support_and_server_alpn(Config) when is_list(Config) ->
+ run_handshake(Config,
+ [],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]}],
+ {error, protocol_not_negotiated}).
+
+%--------------------------------------------------------------------------------
+
+client_alpn_npn_and_server_alpn(Config) when is_list(Config) ->
+ run_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]},
+ {client_preferred_next_protocols, {client, [<<"spdy/2">>], <<"spdy/3">>}}],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]}],
+ {ok, <<"http/1.1">>}).
+
+%--------------------------------------------------------------------------------
+
+client_alpn_npn_and_server_alpn_npn(Config) when is_list(Config) ->
+ run_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]},
+ {client_preferred_next_protocols, {client, [<<"spdy/2">>], <<"spdy/3">>}}],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]},
+ {next_protocols_advertised, [<<"spdy/2">>, <<"http/1.0">>]}],
+ {ok, <<"http/1.1">>}).
+
+%--------------------------------------------------------------------------------
+
+client_alpn_and_server_alpn_npn(Config) when is_list(Config) ->
+ run_handshake(Config,
+ [{alpn_advertised_protocols, [<<"http/1.0">>, <<"http/1.1">>]}],
+ [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]},
+ {next_protocols_advertised, [<<"spdy/2">>, <<"http/1.0">>]}],
+ {ok, <<"http/1.1">>}).
+
+%--------------------------------------------------------------------------------
+
+client_renegotiate(Config) when is_list(Config) ->
+ Data = "hello world",
+
+ ClientOpts0 = ?config(client_opts, Config),
+ ClientOpts = [{alpn_advertised_protocols, [<<"http/1.0">>]}] ++ ClientOpts0,
+ ServerOpts0 = ?config(server_opts, Config),
+ ServerOpts = [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]}] ++ ServerOpts0,
+ ExpectedProtocol = {ok, <<"http/1.0">>},
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, ssl_receive_and_assert_alpn, [ExpectedProtocol, Data]}},
+ {options, ServerOpts}]),
+
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, assert_alpn_and_renegotiate_and_send_data, [ExpectedProtocol, Data]}},
+ {options, ClientOpts}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok).
+
+%--------------------------------------------------------------------------------
+
+session_reused(Config) when is_list(Config)->
+ ClientOpts0 = ?config(client_opts, Config),
+ ClientOpts = [{alpn_advertised_protocols, [<<"http/1.0">>]}] ++ ClientOpts0,
+ ServerOpts0 = ?config(server_opts, Config),
+ ServerOpts = [{alpn_preferred_protocols, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]}] ++ ServerOpts0,
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib, session_info_result, []}},
+ {options, ServerOpts}]),
+
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {ssl_test_lib, no_result_msg, []}},
+ {options, ClientOpts}]),
+
+ SessionInfo =
+ receive
+ {Server, Info} ->
+ Info
+ end,
+
+ Server ! {listen, {mfa, {ssl_test_lib, no_result, []}}},
+
+ %% Make sure session is registered
+ ct:sleep(?SLEEP),
+
+ Client1 =
+ ssl_test_lib:start_client([{node, ClientNode},
+ {port, Port}, {host, Hostname},
+ {mfa, {ssl_test_lib, session_info_result, []}},
+ {from, self()}, {options, ClientOpts}]),
+
+ receive
+ {Client1, SessionInfo} ->
+ ok;
+ {Client1, Other} ->
+ ct:fail(Other)
+ end,
+
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client),
+ ssl_test_lib:close(Client1).
+
+%--------------------------------------------------------------------------------
+
+alpn_not_supported_client(Config) when is_list(Config) ->
+ ClientOpts0 = ?config(client_opts, Config),
+ PrefProtocols = {client_preferred_next_protocols,
+ {client, [<<"http/1.0">>], <<"http/1.1">>}},
+ ClientOpts = [PrefProtocols] ++ ClientOpts0,
+ {ClientNode, _ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Client = ssl_test_lib:start_client_error([{node, ClientNode},
+ {port, 8888}, {host, Hostname},
+ {from, self()}, {options, ClientOpts}]),
+
+ ssl_test_lib:check_result(Client, {error,
+ {options,
+ {not_supported_in_sslv3, PrefProtocols}}}).
+
+%--------------------------------------------------------------------------------
+
+alpn_not_supported_server(Config) when is_list(Config)->
+ ServerOpts0 = ?config(server_opts, Config),
+ AdvProtocols = {next_protocols_advertised, [<<"spdy/2">>, <<"http/1.1">>, <<"http/1.0">>]},
+ ServerOpts = [AdvProtocols] ++ ServerOpts0,
+
+ {error, {options, {not_supported_in_sslv3, AdvProtocols}}} = ssl:listen(0, ServerOpts).
+
+%%--------------------------------------------------------------------
+%% Internal functions ------------------------------------------------
+%%--------------------------------------------------------------------
+
+run_failing_handshake(Config, ClientExtraOpts, ServerExtraOpts, ExpectedResult) ->
+ ClientOpts = ClientExtraOpts ++ ?config(client_opts, Config),
+ ServerOpts = ServerExtraOpts ++ ?config(server_opts, Config),
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, placeholder, []}},
+ {options, ServerOpts}]),
+
+ Port = ssl_test_lib:inet_port(Server),
+ ExpectedResult
+ = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, placeholder, []}},
+ {options, ClientOpts}]).
+
+run_handshake(Config, ClientExtraOpts, ServerExtraOpts, ExpectedProtocol) ->
+ Data = "hello world",
+
+ ClientOpts0 = ?config(client_opts, Config),
+ ClientOpts = ClientExtraOpts ++ ClientOpts0,
+ ServerOpts0 = ?config(server_opts, Config),
+ ServerOpts = ServerExtraOpts ++ ServerOpts0,
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, ssl_receive_and_assert_alpn, [ExpectedProtocol, Data]}},
+ {options, ServerOpts}]),
+
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, ssl_send_and_assert_alpn, [ExpectedProtocol, Data]}},
+ {options, ClientOpts}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok).
+
+assert_alpn(Socket, Protocol) ->
+ ct:log("Negotiated Protocol ~p, Expecting: ~p ~n",
+ [ssl:negotiated_protocol(Socket), Protocol]),
+ Protocol = ssl:negotiated_protocol(Socket).
+
+assert_alpn_and_renegotiate_and_send_data(Socket, Protocol, Data) ->
+ assert_alpn(Socket, Protocol),
+ ct:log("Renegotiating ~n", []),
+ ok = ssl:renegotiate(Socket),
+ ssl:send(Socket, Data),
+ assert_alpn(Socket, Protocol),
+ ok.
+
+ssl_send_and_assert_alpn(Socket, Protocol, Data) ->
+ assert_alpn(Socket, Protocol),
+ ssl_send(Socket, Data).
+
+ssl_receive_and_assert_alpn(Socket, Protocol, Data) ->
+ assert_alpn(Socket, Protocol),
+ ssl_receive(Socket, Data).
+
+ssl_send(Socket, Data) ->
+ ct:log("Connection info: ~p~n",
+ [ssl:connection_info(Socket)]),
+ ssl:send(Socket, Data).
+
+ssl_receive(Socket, Data) ->
+ ssl_receive(Socket, Data, []).
+
+ssl_receive(Socket, Data, Buffer) ->
+ ct:log("Connection info: ~p~n",
+ [ssl:connection_info(Socket)]),
+ receive
+ {ssl, Socket, MoreData} ->
+ ct:log("Received ~p~n",[MoreData]),
+ NewBuffer = Buffer ++ MoreData,
+ case NewBuffer of
+ Data ->
+ ssl:send(Socket, "Got it"),
+ ok;
+ _ ->
+ ssl_receive(Socket, Data, NewBuffer)
+ end;
+ Other ->
+ ct:fail({unexpected_message, Other})
+ after 4000 ->
+ ct:fail({did_not_get, Data})
+ end.
+
+connection_info_result(Socket) ->
+ ssl:connection_info(Socket).
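Review bot: The two sslv3 cases, alpn_not_supported_client and alpn_not_supported_server, pass only the NPN options `client_preferred_next_protocols` and `next_protocols_advertised`, so nothing in the 'sslv3' group exercises an ALPN option. Whatever ssl is meant to do with `alpn_advertised_protocols` or `alpn_preferred_protocols` when the version is sslv3 is therefore not covered by this suite. I would add one case per side that passes e.g. `{alpn_advertised_protocols, [<<"http/1.0">>]}` and asserts the intended result, or rename the existing two so it is clear they cover NPN. Separately, run_failing_handshake names `{?MODULE, placeholder, []}` although no placeholder function is defined in the file; presumably it is never invoked because the handshake fails first, which deserves a one-line comment.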
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 8dca733526..d4433393a1 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -1,7 +1,7 @@
%%
%% %CopyrightBegin%
%%
-%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
%%
%% The contents of this file are subject to the Erlang Public License,
%% Version 1.1, (the "License"); you may not use this file except in
@@ -40,7 +40,47 @@ all() -> [decode_hello_handshake,
encode_single_hello_sni_extension_correctly,
decode_single_hello_sni_extension_correctly,
decode_empty_server_sni_correctly,
- select_proper_tls_1_2_rsa_default_hashsign].
+ select_proper_tls_1_2_rsa_default_hashsign,
+ ignore_hassign_extension_pre_tls_1_2].
+
+%%--------------------------------------------------------------------
+init_per_suite(Config) ->
+ Config.
+end_per_suite(Config) ->
+ Config.
+
+init_per_group(_GroupName, Config) ->
+ Config.
+
+end_per_group(_,Config) ->
+ Config.
+
+init_per_testcase(ignore_hassign_extension_pre_tls_1_2, Config0) ->
+ catch crypto:stop(),
+ try crypto:start() of
+ ok ->
+ case is_supported(sha512) of
+ true ->
+ ssl:start(),
+ %% make rsa certs using oppenssl
+ Result =
+ (catch make_certs:all(?config(data_dir, Config0),
+ ?config(priv_dir, Config0))),
+ ct:log("Make certs ~p~n", [Result]),
+ ssl_test_lib:cert_options(Config0);
+ false ->
+ {skip, "Crypto did not support sha512"}
+ end
+ catch _:_ ->
+ {skip, "Crypto did not start"}
+ end;
+init_per_testcase(_, Config0) ->
+ Config0.
+
+end_per_testcase(ignore_hassign_extension_pre_tls_1_2, _) ->
+ crypto:stop();
+end_per_testcase(_TestCase, Config) ->
+ Config.
%%--------------------------------------------------------------------
%% Test Cases --------------------------------------------------------
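Review bot: The teardown clause for ignore_hassign_extension_pre_tls_1_2 stops only crypto, while the matching init_per_testcase clause also called `ssl:start()`. That leaves the ssl application running with crypto stopped for the remaining cases in this suite and for whatever runs after it. The clause should mirror the setup, e.g. `ssl:stop(), crypto:stop();`, which is also what end_per_suite in the new ssl_alpn_handshake_SUITE does before stopping crypto.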
@@ -121,3 +161,18 @@ select_proper_tls_1_2_rsa_default_hashsign(_Config) ->
{md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,2}),
{md5sha, rsa} = ssl_handshake:select_hashsign_algs(undefined, ?rsaEncryption, {3,0}).
+
+ignore_hassign_extension_pre_tls_1_2(Config) ->
+ Opts = ?config(server_opts, Config),
+ CertFile = proplists:get_value(certfile, Opts),
+ [{_, Cert, _}] = ssl_test_lib:pem_to_der(CertFile),
+ HashSigns = #hash_sign_algos{hash_sign_algos = [{sha512, rsa}, {sha, dsa}]},
+ {sha512, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, {3,3}),
+ %%% Ignore
+ {md5sha, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, {3,2}),
+ {md5sha, rsa} = ssl_handshake:select_hashsign(HashSigns, Cert, {3,0}).
+
+is_supported(Hash) ->
+ Algos = crypto:supports(),
+ Hashs = proplists:get_value(hashs, Algos),
+ lists:member(Hash, Hashs).
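Review bot: The `%%% Ignore` comment above the last two assertions in ignore_hassign_extension_pre_tls_1_2 does not say what is ignored or why. The assertions show select_hashsign returning `{md5sha, rsa}` for versions {3,2} and {3,0} although the client's hash_sign_algos offered `{sha512, rsa}`, so a comment such as `%% Before TLS 1.2 the offered hash_sign_algos are ignored and the default for the certificate's key type is used` would state the intent. The case name also spells "hassign" where the function under test is select_hashsign; renaming it (here and in all/0 and the init/end_per_testcase clauses) would make it easier to find.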
diff --git a/lib/ssl/test/ssl_npn_handshake_SUITE.erl b/lib/ssl/test/ssl_npn_handshake_SUITE.erl
index 30c0a67a36..326f907e66 100644
--- a/lib/ssl/test/ssl_npn_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_npn_handshake_SUITE.erl
@@ -172,7 +172,7 @@ no_client_negotiate_but_server_supports_npn(Config) when is_list(Config) ->
run_npn_handshake(Config,
[],
[{next_protocols_advertised, [<<"spdy/1">>, <<"http/1.1">>, <<"http/1.0">>]}],
- {error, next_protocol_not_negotiated}).
+ {error, protocol_not_negotiated}).
%--------------------------------------------------------------------------------
@@ -180,7 +180,7 @@ client_negotiate_server_does_not_support(Config) when is_list(Config) ->
run_npn_handshake(Config,
[{client_preferred_next_protocols, {client, [<<"spdy/2">>], <<"http/1.1">>}}],
[],
- {error, next_protocol_not_negotiated}).
+ {error, protocol_not_negotiated}).
%--------------------------------------------------------------------------------
renegotiate_from_client_after_npn_handshake(Config) when is_list(Config) ->
@@ -311,8 +311,8 @@ run_npn_handshake(Config, ClientExtraOpts, ServerExtraOpts, ExpectedProtocol) ->
assert_npn(Socket, Protocol) ->
ct:log("Negotiated Protocol ~p, Expecting: ~p ~n",
- [ssl:negotiated_next_protocol(Socket), Protocol]),
- Protocol = ssl:negotiated_next_protocol(Socket).
+ [ssl:negotiated_protocol(Socket), Protocol]),
+ Protocol = ssl:negotiated_protocol(Socket).
assert_npn_and_renegotiate_and_send_data(Socket, Protocol, Data) ->
assert_npn(Socket, Protocol),
diff --git a/lib/ssl/test/ssl_sni_SUITE.erl b/lib/ssl/test/ssl_sni_SUITE.erl
new file mode 100644
index 0000000000..46cd644e4d
--- /dev/null
+++ b/lib/ssl/test/ssl_sni_SUITE.erl
@@ -0,0 +1,168 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(ssl_sni_SUITE).
+
+-compile(export_all).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("public_key/include/public_key.hrl").
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+suite() -> [{ct_hooks,[ts_install_cth]}].
+
+all() -> [no_sni_header, sni_match, sni_no_match] ++ [no_sni_header_fun, sni_match_fun, sni_no_match_fun].
+
+init_per_suite(Config0) ->
+ catch crypto:stop(),
+ try crypto:start() of
+ ok ->
+ ssl:start(),
+ Result =
+ (catch make_certs:all(?config(data_dir, Config0),
+ ?config(priv_dir, Config0))),
+ ct:log("Make certs ~p~n", [Result]),
+ ssl_test_lib:cert_options(Config0)
+ catch _:_ ->
+ {skip, "Crypto did not start"}
+ end.
+
+end_per_suite(_) ->
+ ssl:stop(),
+ application:stop(crypto).
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+no_sni_header(Config) ->
+ run_handshake(Config, undefined, undefined, "server").
+
+no_sni_header_fun(Config) ->
+ run_sni_fun_handshake(Config, undefined, undefined, "server").
+
+sni_match(Config) ->
+ run_handshake(Config, "a.server", "a.server", "a.server").
+
+sni_match_fun(Config) ->
+ run_sni_fun_handshake(Config, "a.server", "a.server", "a.server").
+
+sni_no_match(Config) ->
+ run_handshake(Config, "c.server", undefined, "server").
+
+sni_no_match_fun(Config) ->
+ run_sni_fun_handshake(Config, "c.server", undefined, "server").
+
+
+%%--------------------------------------------------------------------
+%% Internal Functions ------------------------------------------------
+%%--------------------------------------------------------------------
+
+
+ssl_recv(SSLSocket, Expect) ->
+ ssl_recv(SSLSocket, "", Expect).
+
+ssl_recv(SSLSocket, CurrentData, ExpectedData) ->
+ receive
+ {ssl, SSLSocket, Data} ->
+ NeweData = CurrentData ++ Data,
+ case NeweData of
+ ExpectedData ->
+ ok;
+ _ ->
+ ssl_recv(SSLSocket, NeweData, ExpectedData)
+ end;
+ Other ->
+ ct:fail({unexpected_message, Other})
+ after 4000 ->
+ ct:fail({timeout, CurrentData, ExpectedData})
+ end.
+
+
+
+send_and_hostname(SSLSocket) ->
+ ssl:send(SSLSocket, "OK"),
+ {ok, [{sni_hostname, Hostname}]} = ssl:connection_information(SSLSocket, [sni_hostname]),
+ Hostname.
+
+rdnPart([[#'AttributeTypeAndValue'{type=Type, value=Value} | _] | _], Type) -> Value;
+rdnPart([_ | Tail], Type) -> rdnPart(Tail, Type);
+rdnPart([], _) -> unknown.
+
+rdn_to_string({utf8String, Binary}) ->
+ erlang:binary_to_list(Binary);
+rdn_to_string({printableString, String}) ->
+ String.
+
+recv_and_certificate(SSLSocket) ->
+ ssl_recv(SSLSocket, "OK"),
+ {ok, PeerCert} = ssl:peercert(SSLSocket),
+ #'OTPCertificate'{tbsCertificate = #'OTPTBSCertificate'{subject = {rdnSequence, Subject}}} = public_key:pkix_decode_cert(PeerCert, otp),
+ ct:log("Subject of certificate received from server: ~p", [Subject]),
+ rdn_to_string(rdnPart(Subject, ?'id-at-commonName')).
+
+run_sni_fun_handshake(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
+ ct:log("Start running handshake for sni_fun, Config: ~p, SNIHostname: ~p, ExpectedSNIHostname: ~p, ExpectedCN: ~p", [Config, SNIHostname, ExpectedSNIHostname, ExpectedCN]),
+ [{sni_hosts, ServerSNIConf}] = ?config(sni_server_opts, Config),
+ SNIFun = fun(Domain) -> proplists:get_value(Domain, ServerSNIConf, undefined) end,
+ ServerOptions = ?config(server_opts, Config) ++ [{sni_fun, SNIFun}],
+ ClientOptions =
+ case SNIHostname of
+ undefined ->
+ ?config(client_opts, Config);
+ _ ->
+ [{server_name_indication, SNIHostname}] ++ ?config(client_opts, Config)
+ end,
+ ct:log("Options: ~p", [[ServerOptions, ClientOptions]]),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()}, {mfa, {?MODULE, send_and_hostname, []}},
+ {options, ServerOptions}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname}, {from, self()},
+ {mfa, {?MODULE, recv_and_certificate, []}},
+ {options, ClientOptions}]),
+ ssl_test_lib:check_result(Server, ExpectedSNIHostname, Client, ExpectedCN).
+
+
+run_handshake(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
+ ct:log("Start running handshake, Config: ~p, SNIHostname: ~p, ExpectedSNIHostname: ~p, ExpectedCN: ~p", [Config, SNIHostname, ExpectedSNIHostname, ExpectedCN]),
+ ServerOptions = ?config(sni_server_opts, Config) ++ ?config(server_opts, Config),
+ ClientOptions =
+ case SNIHostname of
+ undefined ->
+ ?config(client_opts, Config);
+ _ ->
+ [{server_name_indication, SNIHostname}] ++ ?config(client_opts, Config)
+ end,
+ ct:log("Options: ~p", [[ServerOptions, ClientOptions]]),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()}, {mfa, {?MODULE, send_and_hostname, []}},
+ {options, ServerOptions}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname}, {from, self()},
+ {mfa, {?MODULE, recv_and_certificate, []}},
+ {options, ClientOptions}]),
+ ssl_test_lib:check_result(Server, ExpectedSNIHostname, Client, ExpectedCN).
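Review bot: No case in all/0 requests "b.server", although this commit generates a certificate for it and lists it in sni_hosts. With only "a.server" exercised, a server that answered every configured name with the first sni_hosts entry would still pass sni_match and sni_no_match. Adding `sni_match_b(Config) -> run_handshake(Config, "b.server", "b.server", "b.server").` plus the corresponding run_sni_fun_handshake case would check that the certificate is selected per requested name rather than per "any known name".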
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 7d0546210c..8b98e6f16b 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -354,6 +354,11 @@ cert_options(Config) ->
BadKeyFile = filename:join([?config(priv_dir, Config),
"badkey.pem"]),
PskSharedSecret = <<1,2,3,4,5,6,7,8,9,10,11,12,13,14,15>>,
+
+ SNIServerACertFile = filename:join([?config(priv_dir, Config), "a.server", "cert.pem"]),
+ SNIServerAKeyFile = filename:join([?config(priv_dir, Config), "a.server", "key.pem"]),
+ SNIServerBCertFile = filename:join([?config(priv_dir, Config), "b.server", "cert.pem"]),
+ SNIServerBKeyFile = filename:join([?config(priv_dir, Config), "b.server", "key.pem"]),
[{client_opts, [{ssl_imp, new},{reuseaddr, true}]},
{client_verification_opts, [{cacertfile, ClientCaCertFile},
{certfile, ClientCertFile},
@@ -414,7 +419,17 @@ cert_options(Config) ->
{server_bad_cert, [{ssl_imp, new},{cacertfile, ServerCaCertFile},
{certfile, BadCertFile}, {keyfile, ServerKeyFile}]},
{server_bad_key, [{ssl_imp, new},{cacertfile, ServerCaCertFile},
- {certfile, ServerCertFile}, {keyfile, BadKeyFile}]}
+ {certfile, ServerCertFile}, {keyfile, BadKeyFile}]},
+ {sni_server_opts, [{sni_hosts, [
+ {"a.server", [
+ {certfile, SNIServerACertFile},
+ {keyfile, SNIServerAKeyFile}
+ ]},
+ {"b.server", [
+ {certfile, SNIServerBCertFile},
+ {keyfile, SNIServerBKeyFile}
+ ]}
+ ]}]}
| Config].
@@ -1090,6 +1105,8 @@ cipher_restriction(Config0) ->
check_sane_openssl_version(Version) ->
case {Version, os:cmd("openssl version")} of
+ {_, "OpenSSL 1.0.2" ++ _} ->
+ true;
{_, "OpenSSL 1.0.1" ++ _} ->
true;
{'tlsv1.2', "OpenSSL 1.0" ++ _} ->
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 942c446ec4..0413415e49 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -50,9 +50,9 @@ all() ->
groups() ->
[{basic, [], basic_tests()},
- {'tlsv1.2', [], all_versions_tests() ++ npn_tests()},
- {'tlsv1.1', [], all_versions_tests() ++ npn_tests()},
- {'tlsv1', [], all_versions_tests()++ npn_tests()},
+ {'tlsv1.2', [], all_versions_tests() ++ alpn_tests() ++ npn_tests() ++ sni_server_tests()},
+ {'tlsv1.1', [], all_versions_tests() ++ alpn_tests() ++ npn_tests() ++ sni_server_tests()},
+ {'tlsv1', [], all_versions_tests()++ alpn_tests() ++ npn_tests() ++ sni_server_tests()},
{'sslv3', [], all_versions_tests()}].
basic_tests() ->
@@ -79,6 +79,18 @@ all_versions_tests() ->
expired_session,
ssl2_erlang_server_openssl_client].
+alpn_tests() ->
+ [erlang_client_alpn_openssl_server_alpn,
+ erlang_server_alpn_openssl_client_alpn,
+ erlang_client_alpn_openssl_server,
+ erlang_client_openssl_server_alpn,
+ erlang_server_alpn_openssl_client,
+ erlang_server_openssl_client_alpn,
+ erlang_client_alpn_openssl_server_alpn_renegotiate,
+ erlang_server_alpn_openssl_client_alpn_renegotiate,
+ erlang_client_alpn_npn_openssl_server_alpn_npn,
+ erlang_server_alpn_npn_openssl_client_alpn_npn].
+
npn_tests() ->
[erlang_client_openssl_server_npn,
erlang_server_openssl_client_npn,
@@ -89,6 +101,14 @@ npn_tests() ->
erlang_client_openssl_server_npn_only_client,
erlang_client_openssl_server_npn_only_server].
+sni_server_tests() ->
+ [erlang_server_openssl_client_sni_match,
+ erlang_server_openssl_client_sni_match_fun,
+ erlang_server_openssl_client_sni_no_match,
+ erlang_server_openssl_client_sni_no_match_fun,
+ erlang_server_openssl_client_sni_no_header,
+ erlang_server_openssl_client_sni_no_header_fun].
+
init_per_suite(Config0) ->
Dog = ct:timetrap(?LONG_TIMEOUT *2),
@@ -161,6 +181,36 @@ special_init(ssl2_erlang_server_openssl_client, Config) ->
check_sane_openssl_sslv2(Config);
special_init(TestCase, Config)
+ when TestCase == erlang_client_alpn_openssl_server_alpn;
+ TestCase == erlang_server_alpn_openssl_client_alpn;
+ TestCase == erlang_client_alpn_openssl_server;
+ TestCase == erlang_client_openssl_server_alpn;
+ TestCase == erlang_server_alpn_openssl_client;
+ TestCase == erlang_server_openssl_client_alpn ->
+ check_openssl_alpn_support(Config);
+
+special_init(TestCase, Config)
+ when TestCase == erlang_client_alpn_openssl_server_alpn_renegotiate;
+ TestCase == erlang_server_alpn_openssl_client_alpn_renegotiate ->
+ {ok, Version} = application:get_env(ssl, protocol_version),
+ case check_sane_openssl_renegotaite(Config, Version) of
+ {skip, _} = Skip ->
+ Skip;
+ _ ->
+ check_openssl_alpn_support(Config)
+ end;
+
+special_init(TestCase, Config)
+ when TestCase == erlang_client_alpn_npn_openssl_server_alpn_npn;
+ TestCase == erlang_server_alpn_npn_openssl_client_alpn_npn ->
+ case check_openssl_alpn_support(Config) of
+ {skip, _} = Skip ->
+ Skip;
+ _ ->
+ check_openssl_npn_support(Config)
+ end;
+
+special_init(TestCase, Config)
when TestCase == erlang_client_openssl_server_npn;
TestCase == erlang_server_openssl_client_npn;
TestCase == erlang_server_openssl_client_npn_only_server;
@@ -179,6 +229,16 @@ special_init(TestCase, Config)
_ ->
check_openssl_npn_support(Config)
end;
+
+special_init(TestCase, Config)
+ when TestCase == erlang_server_openssl_client_sni_match;
+ TestCase == erlang_server_openssl_client_sni_no_match;
+ TestCase == erlang_server_openssl_client_sni_no_header;
+ TestCase == erlang_server_openssl_client_sni_match_fun;
+ TestCase == erlang_server_openssl_client_sni_no_match_fun;
+ TestCase == erlang_server_openssl_client_sni_no_header_fun ->
+ check_openssl_sni_support(Config);
+
special_init(_, Config) ->
Config.
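Review bot: The guard list in the new SNI clause of `special_init/2` repeats the six names already returned by `sni_server_tests()`, so a case later added to that list but not to this guard falls through to `special_init(_, Config)` and runs without the OpenSSL capability check. Since every SNI case gets the same treatment, the clause could be driven by the list itself, for example by testing `lists:member(TestCase, sni_server_tests())` in the final clause before returning `Config`. The ALPN clauses added in the previous hunk duplicate `alpn_tests()` in the same way, though they need three different treatments. `special_init/2` begins outside this hunk.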
@@ -924,6 +984,128 @@ ssl2_erlang_server_openssl_client(Config) when is_list(Config) ->
process_flag(trap_exit, false).
%%--------------------------------------------------------------------
+
+erlang_client_alpn_openssl_server_alpn(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_client_and_openssl_server_for_alpn_negotiation(Config, Data, fun(Client, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+
+ ssl_test_lib:check_result(Client, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------
+
+erlang_server_alpn_openssl_client_alpn(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_server_and_openssl_client_for_alpn_negotiation(Config, Data, fun(Client, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+
+ ssl_test_lib:check_result(Client, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------------
+
+erlang_client_alpn_openssl_server(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_client_and_openssl_server_with_opts(Config,
+ [{alpn_advertised_protocols, [<<"spdy/2">>]}],
+ "",
+ Data, fun(Server, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+ ssl_test_lib:check_result(Server, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------------
+
+erlang_client_openssl_server_alpn(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_client_and_openssl_server_with_opts(Config,
+ [],
+ "-alpn spdy/2",
+ Data, fun(Server, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+ ssl_test_lib:check_result(Server, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------------
+
+erlang_server_alpn_openssl_client(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_server_and_openssl_client_with_opts(Config,
+ [{alpn_advertised_protocols, [<<"spdy/2">>]}],
+ "",
+ Data, fun(Server, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+ ssl_test_lib:check_result(Server, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------------
+
+erlang_server_openssl_client_alpn(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_server_and_openssl_client_with_opts(Config,
+ [],
+ "-alpn spdy/2",
+ Data, fun(Server, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+ ssl_test_lib:check_result(Server, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------
+
+erlang_client_alpn_openssl_server_alpn_renegotiate(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_client_and_openssl_server_for_alpn_negotiation(Config, Data, fun(Client, OpensslPort) ->
+ true = port_command(OpensslPort, ?OPENSSL_RENEGOTIATE),
+ ct:sleep(?SLEEP),
+ true = port_command(OpensslPort, Data),
+
+ ssl_test_lib:check_result(Client, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------
+
+erlang_server_alpn_openssl_client_alpn_renegotiate(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_server_and_openssl_client_for_alpn_negotiation(Config, Data, fun(Client, OpensslPort) ->
+ true = port_command(OpensslPort, ?OPENSSL_RENEGOTIATE),
+ ct:sleep(?SLEEP),
+ true = port_command(OpensslPort, Data),
+
+ ssl_test_lib:check_result(Client, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------
+
+erlang_client_alpn_npn_openssl_server_alpn_npn(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_client_and_openssl_server_for_alpn_npn_negotiation(Config, Data, fun(Client, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+
+ ssl_test_lib:check_result(Client, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------
+
+erlang_server_alpn_npn_openssl_client_alpn_npn(Config) when is_list(Config) ->
+ Data = "From openssl to erlang",
+ start_erlang_server_and_openssl_client_for_alpn_npn_negotiation(Config, Data, fun(Client, OpensslPort) ->
+ true = port_command(OpensslPort, Data),
+
+ ssl_test_lib:check_result(Client, ok)
+ end),
+ ok.
+
+%%--------------------------------------------------------------------
erlang_client_openssl_server_npn() ->
[{doc,"Test erlang client with openssl server doing npn negotiation"}].
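Review bot: The four one-sided cases (`erlang_client_alpn_openssl_server`, `erlang_client_openssl_server_alpn`, `erlang_server_alpn_openssl_client`, `erlang_server_openssl_client_alpn`) only assert that data passes; nothing in these lines checks that no application protocol was selected when just one peer offers ALPN. The `..._with_opts` helpers they call are defined outside this hunk, so this is inferred from the callbacks alone. If the helpers do not already check it, asserting that `ssl:negotiated_protocol/1` returns an error rather than `{ok, _}` would make these real negative tests. The new cases also lack the `[{doc, "..."}]` companion functions that the NPN cases below them have, and the callback argument is named `Server` in the two `erlang_client_*` cases where it is a client handle.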
@@ -1016,6 +1198,25 @@ erlang_server_openssl_client_npn_only_client(Config) when is_list(Config) ->
ssl_test_lib:check_result(Server, ok)
end),
ok.
+%--------------------------------------------------------------------------
+erlang_server_openssl_client_sni_no_header(Config) when is_list(Config) ->
+ erlang_server_openssl_client_sni_test(Config, undefined, undefined, "server").
+
+erlang_server_openssl_client_sni_no_header_fun(Config) when is_list(Config) ->
+ erlang_server_openssl_client_sni_test_sni_fun(Config, undefined, undefined, "server").
+
+erlang_server_openssl_client_sni_match(Config) when is_list(Config) ->
+ erlang_server_openssl_client_sni_test(Config, "a.server", "a.server", "a.server").
+
+erlang_server_openssl_client_sni_match_fun(Config) when is_list(Config) ->
+ erlang_server_openssl_client_sni_test_sni_fun(Config, "a.server", "a.server", "a.server").
+
+erlang_server_openssl_client_sni_no_match(Config) when is_list(Config) ->
+ erlang_server_openssl_client_sni_test(Config, "c.server", undefined, "server").
+
+erlang_server_openssl_client_sni_no_match_fun(Config) when is_list(Config) ->
+ erlang_server_openssl_client_sni_test_sni_fun(Config, "c.server", undefined, "server").
+
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
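Review bot: The three positional arguments after `Config` in these six cases are hard to read at the call site, so a comment above the block would help, e.g. `%% Args: name sent with -servername | sni_hostname the server must report | CN the client must see`. The `no_match` cases send `"c.server"` but expect `undefined` and the `"server"` certificate; stating that this fallback to the default certificate is the intended behaviour would stop it reading like a mistake. The separator on the first added line uses a single `%` where the rest of the file uses `%%`.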
@@ -1042,6 +1243,89 @@ run_suites(Ciphers, Version, Config, Type) ->
ct:fail(cipher_suite_failed_see_test_case_log)
end.
+client_read_check([], _NewData) -> ok;
+client_read_check([Hd | T], NewData) ->
+ case binary:match(NewData, list_to_binary(Hd)) of
+ nomatch ->
+ nomatch;
+ _ ->
+ client_read_check(T, NewData)
+ end.
+client_read_bulk(Port, DataExpected, DataReceived) ->
+ receive
+ {Port, {data, TheData}} ->
+ Data = list_to_binary(TheData),
+ NewData = <<DataReceived/binary, Data/binary>>,
+ ct:log("New Data: ~p", [NewData]),
+ case client_read_check(DataExpected, NewData) of
+ ok ->
+ ok;
+ _ ->
+ client_read_bulk(Port, DataExpected, NewData)
+ end;
+ _ ->
+ ct:fail("unexpected_message")
+ after 4000 ->
+ ct:fail("timeout")
+ end.
+client_read_bulk(Port, DataExpected) ->
+ client_read_bulk(Port, DataExpected, <<"">>).
+
+send_and_hostname(SSLSocket) ->
+ ssl:send(SSLSocket, "OK"),
+ {ok, [{sni_hostname, Hostname}]} = ssl:connection_information(SSLSocket, [sni_hostname]),
+ Hostname.
+
+erlang_server_openssl_client_sni_test(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
+ ct:log("Start running handshake, Config: ~p, SNIHostname: ~p, ExpectedSNIHostname: ~p, ExpectedCN: ~p", [Config, SNIHostname, ExpectedSNIHostname, ExpectedCN]),
+ ServerOptions = ?config(sni_server_opts, Config) ++ ?config(server_opts, Config),
+ {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()}, {mfa, {?MODULE, send_and_hostname, []}},
+ {options, ServerOptions}]),
+ Port = ssl_test_lib:inet_port(Server),
+ ClientCommand = case SNIHostname of
+ undefined ->
+ "openssl s_client -connect " ++ Hostname ++ ":" ++ integer_to_list(Port);
+ _ ->
+ "openssl s_client -connect " ++ Hostname ++ ":" ++ integer_to_list(Port) ++ " -servername " ++ SNIHostname
+ end,
+ ct:log("Options: ~p", [[ServerOptions, ClientCommand]]),
+ ClientPort = open_port({spawn, ClientCommand}, [stderr_to_stdout]),
+ ssl_test_lib:check_result(Server, ExpectedSNIHostname),
+ ExpectedClientOutput = ["OK", "/CN=" ++ ExpectedCN ++ "/"],
+ ok = client_read_bulk(ClientPort, ExpectedClientOutput),
+ ssl_test_lib:close_port(ClientPort),
+ ssl_test_lib:close(Server),
+ ok.
+
+
+erlang_server_openssl_client_sni_test_sni_fun(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
+ ct:log("Start running handshake for sni_fun, Config: ~p, SNIHostname: ~p, ExpectedSNIHostname: ~p, ExpectedCN: ~p", [Config, SNIHostname, ExpectedSNIHostname, ExpectedCN]),
+ [{sni_hosts, ServerSNIConf}] = ?config(sni_server_opts, Config),
+ SNIFun = fun(Domain) -> proplists:get_value(Domain, ServerSNIConf, undefined) end,
+ ServerOptions = ?config(server_opts, Config) ++ [{sni_fun, SNIFun}],
+ {_, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()}, {mfa, {?MODULE, send_and_hostname, []}},
+ {options, ServerOptions}]),
+ Port = ssl_test_lib:inet_port(Server),
+ ClientCommand = case SNIHostname of
+ undefined ->
+ "openssl s_client -connect " ++ Hostname ++ ":" ++ integer_to_list(Port);
+ _ ->
+ "openssl s_client -connect " ++ Hostname ++ ":" ++ integer_to_list(Port) ++ " -servername " ++ SNIHostname
+ end,
+ ct:log("Options: ~p", [[ServerOptions, ClientCommand]]),
+ ClientPort = open_port({spawn, ClientCommand}, [stderr_to_stdout]),
+ ssl_test_lib:check_result(Server, ExpectedSNIHostname),
+ ExpectedClientOutput = ["OK", "/CN=" ++ ExpectedCN ++ "/"],
+ ok = client_read_bulk(ClientPort, ExpectedClientOutput),
+ ssl_test_lib:close_port(ClientPort),
+ ssl_test_lib:close(Server),
+ ok.
+
+
cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
process_flag(trap_exit, true),
ct:log("Testing CipherSuite ~p~n", [CipherSuite]),
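Review bot: `erlang_server_openssl_client_sni_test/4` and `erlang_server_openssl_client_sni_test_sni_fun/4` are identical apart from how `ServerOptions` is built, and neither releases `ClientPort` or `Server` when `check_result` or `client_read_bulk` fails, because the failure aborts the function before the two close calls. A shared helper with the closes in an `after` section fixes both; the sketch below leaves the logging and command construction as they are. Separately, the catch-all `_ ->` clause in `client_read_bulk/3` fails the test on any unrelated message in the mailbox, and its 4000 ms timeout restarts on every chunk, so the total wait is unbounded while output keeps trickling in.

```erlang
erlang_server_openssl_client_sni_test(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
    ServerOptions = ?config(sni_server_opts, Config) ++ ?config(server_opts, Config),
    sni_handshake(Config, ServerOptions, SNIHostname, ExpectedSNIHostname, ExpectedCN).

erlang_server_openssl_client_sni_test_sni_fun(Config, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
    [{sni_hosts, ServerSNIConf}] = ?config(sni_server_opts, Config),
    SNIFun = fun(Domain) -> proplists:get_value(Domain, ServerSNIConf, undefined) end,
    ServerOptions = ?config(server_opts, Config) ++ [{sni_fun, SNIFun}],
    sni_handshake(Config, ServerOptions, SNIHostname, ExpectedSNIHostname, ExpectedCN).

sni_handshake(Config, ServerOptions, SNIHostname, ExpectedSNIHostname, ExpectedCN) ->
    %% … unchanged: ct:log, run_where, start_server, inet_port, ClientCommand …
    ClientPort = open_port({spawn, ClientCommand}, [stderr_to_stdout]),
    try
        ssl_test_lib:check_result(Server, ExpectedSNIHostname),
        ok = client_read_bulk(ClientPort, ["OK", "/CN=" ++ ExpectedCN ++ "/"])
    after
        %% Always release the openssl port and the server, even on failure.
        ssl_test_lib:close_port(ClientPort),
        ssl_test_lib:close(Server)
    end.
```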
@@ -1139,6 +1423,142 @@ start_erlang_client_and_openssl_server_with_opts(Config, ErlangClientOpts, Opens
ssl_test_lib:close(Client),
process_flag(trap_exit, false).
+start_erlang_client_and_openssl_server_for_alpn_negotiation(Config, Data, Callback) ->
+ process_flag(trap_exit, true),
+ ServerOpts = ?config(server_opts, Config),
+ ClientOpts0 = ?config(client_opts, Config),
+ ClientOpts = [{alpn_advertised_protocols, [<<"spdy/2">>]} | ClientOpts0],
+
+ {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),
+
+ Data = "From openssl to erlang",
+
+ Port = ssl_test_lib:inet_port(node()),
+ CertFile = proplists:get_value(certfile, ServerOpts),
+ KeyFile = proplists:get_value(keyfile, ServerOpts),
+ Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
+
+ Cmd = "openssl s_server -msg -alpn http/1.1,spdy/2 -accept " ++ integer_to_list(Port) ++ ssl_test_lib:version_flag(Version) ++
+ " -cert " ++ CertFile ++ " -key " ++ KeyFile,
+
+ ct:log("openssl cmd: ~p~n", [Cmd]),
+
+ OpensslPort = open_port({spawn, Cmd}, [stderr_to_stdout]),
+
+ ssl_test_lib:wait_for_openssl_server(),
+
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE,
+ erlang_ssl_receive_and_assert_negotiated_protocol, [<<"spdy/2">>, Data]}},
+ {options, ClientOpts}]),
+
+ Callback(Client, OpensslPort),
+
+ %% Clean close down! Server needs to be closed first !!
+ ssl_test_lib:close_port(OpensslPort),
+
+ ssl_test_lib:close(Client),
+ process_flag(trap_exit, false).
+
+start_erlang_server_and_openssl_client_for_alpn_negotiation(Config, Data, Callback) ->
+ process_flag(trap_exit, true),
+ ServerOpts0 = ?config(server_opts, Config),
+ ServerOpts = [{alpn_preferred_protocols, [<<"spdy/2">>]} | ServerOpts0],
+
+ {_, ServerNode, _} = ssl_test_lib:run_where(Config),
+
+
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, erlang_ssl_receive_and_assert_negotiated_protocol, [<<"spdy/2">>, Data]}},
+ {options, ServerOpts}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
+ Cmd = "openssl s_client -alpn http/1.0,spdy/2 -msg -port " ++ integer_to_list(Port) ++ ssl_test_lib:version_flag(Version) ++
+ " -host localhost",
+
+ ct:log("openssl cmd: ~p~n", [Cmd]),
+
+ OpenSslPort = open_port({spawn, Cmd}, [stderr_to_stdout]),
+
+ Callback(Server, OpenSslPort),
+
+ ssl_test_lib:close(Server),
+
+ ssl_test_lib:close_port(OpenSslPort),
+ process_flag(trap_exit, false).
+
+start_erlang_client_and_openssl_server_for_alpn_npn_negotiation(Config, Data, Callback) ->
+ process_flag(trap_exit, true),
+ ServerOpts = ?config(server_opts, Config),
+ ClientOpts0 = ?config(client_opts, Config),
+ ClientOpts = [{alpn_advertised_protocols, [<<"spdy/2">>]},
+ {client_preferred_next_protocols, {client, [<<"spdy/3">>, <<"http/1.1">>]}} | ClientOpts0],
+
+ {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),
+
+ Data = "From openssl to erlang",
+
+ Port = ssl_test_lib:inet_port(node()),
+ CertFile = proplists:get_value(certfile, ServerOpts),
+ KeyFile = proplists:get_value(keyfile, ServerOpts),
+ Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
+
+ Cmd = "openssl s_server -msg -alpn http/1.1,spdy/2 -nextprotoneg spdy/3 -accept " ++ integer_to_list(Port) ++ ssl_test_lib:version_flag(Version) ++
+ " -cert " ++ CertFile ++ " -key " ++ KeyFile,
+
+ ct:log("openssl cmd: ~p~n", [Cmd]),
+
+ OpensslPort = open_port({spawn, Cmd}, [stderr_to_stdout]),
+
+ ssl_test_lib:wait_for_openssl_server(),
+
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE,
+ erlang_ssl_receive_and_assert_negotiated_protocol, [<<"spdy/2">>, Data]}},
+ {options, ClientOpts}]),
+
+ Callback(Client, OpensslPort),
+
+ %% Clean close down! Server needs to be closed first !!
+ ssl_test_lib:close_port(OpensslPort),
+
+ ssl_test_lib:close(Client),
+ process_flag(trap_exit, false).
+
+start_erlang_server_and_openssl_client_for_alpn_npn_negotiation(Config, Data, Callback) ->
+ process_flag(trap_exit, true),
+ ServerOpts0 = ?config(server_opts, Config),
+ ServerOpts = [{alpn_preferred_protocols, [<<"spdy/2">>]},
+ {next_protocols_advertised, [<<"spdy/3">>, <<"http/1.1">>]} | ServerOpts0],
+
+ {_, ServerNode, _} = ssl_test_lib:run_where(Config),
+
+
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, erlang_ssl_receive_and_assert_negotiated_protocol, [<<"spdy/2">>, Data]}},
+ {options, ServerOpts}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
+ Cmd = "openssl s_client -alpn http/1.1,spdy/2 -nextprotoneg spdy/3 -msg -port " ++ integer_to_list(Port) ++ ssl_test_lib:version_flag(Version) ++
+ " -host localhost",
+
+ ct:log("openssl cmd: ~p~n", [Cmd]),
+
+ OpenSslPort = open_port({spawn, Cmd}, [stderr_to_stdout]),
+
+ Callback(Server, OpenSslPort),
+
+ ssl_test_lib:close(Server),
+
+ ssl_test_lib:close_port(OpenSslPort),
+ process_flag(trap_exit, false).
+
start_erlang_client_and_openssl_server_for_npn_negotiation(Config, Data, Callback) ->
process_flag(trap_exit, true),
ServerOpts = ?config(server_opts, Config),
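Review bot: `Data = "From openssl to erlang",` in `start_erlang_client_and_openssl_server_for_alpn_negotiation/3`, and again in `start_erlang_client_and_openssl_server_for_alpn_npn_negotiation/3`, is a match against the already-bound `Data` parameter rather than an assignment, so a caller passing any other payload gets a `badmatch` inside the helper. Dropping the line in both functions leaves the parameter as the only source of the payload. The two server-side helpers in this hunk also point `s_client` at `-host localhost` and discard the hostname from `ssl_test_lib:run_where/1`, unlike the SNI helpers earlier in the diff. If that is deliberate, a short comment would say so.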
@@ -1167,7 +1587,7 @@ start_erlang_client_and_openssl_server_for_npn_negotiation(Config, Data, Callbac
{host, Hostname},
{from, self()},
{mfa, {?MODULE,
- erlang_ssl_receive_and_assert_npn, [<<"spdy/2">>, Data]}},
+ erlang_ssl_receive_and_assert_negotiated_protocol, [<<"spdy/2">>, Data]}},
{options, ClientOpts}]),
Callback(Client, OpensslPort),
@@ -1188,7 +1608,7 @@ start_erlang_server_and_openssl_client_for_npn_negotiation(Config, Data, Callbac
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
- {mfa, {?MODULE, erlang_ssl_receive_and_assert_npn, [<<"spdy/2">>, Data]}},
+ {mfa, {?MODULE, erlang_ssl_receive_and_assert_negotiated_protocol, [<<"spdy/2">>, Data]}},
{options, ServerOpts}]),
Port = ssl_test_lib:inet_port(Server),
Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
@@ -1236,10 +1656,10 @@ start_erlang_server_and_openssl_client_with_opts(Config, ErlangServerOpts, OpenS
process_flag(trap_exit, false).
-erlang_ssl_receive_and_assert_npn(Socket, Protocol, Data) ->
- {ok, Protocol} = ssl:negotiated_next_protocol(Socket),
+erlang_ssl_receive_and_assert_negotiated_protocol(Socket, Protocol, Data) ->
+ {ok, Protocol} = ssl:negotiated_protocol(Socket),
erlang_ssl_receive(Socket, Data),
- {ok, Protocol} = ssl:negotiated_next_protocol(Socket),
+ {ok, Protocol} = ssl:negotiated_protocol(Socket),
ok.
erlang_ssl_receive(Socket, Data) ->
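Review bot: After this rename the NPN and ALPN helpers share one assertion, `{ok, Protocol} = ssl:negotiated_protocol(Socket)`, which as far as I can tell reports the selected protocol whether ALPN or NPN chose it. The existing NPN cases therefore no longer show on their own that NPN was the mechanism used; only the combined ALPN+NPN cases separate the two, by offering different protocol names. A comment on the function would make that limit explicit, e.g. `%% Asserts the negotiated protocol value only; does not tell ALPN from NPN.`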
@@ -1287,6 +1707,14 @@ server_sent_garbage(Socket) ->
end.
+check_openssl_sni_support(Config) ->
+ HelpText = os:cmd("openssl s_client --help"),
+ case string:str(HelpText, "-servername") of
+ 0 ->
+ {skip, "Current openssl doesn't support SNI"};
+ _ ->
+ Config
+ end.
check_openssl_npn_support(Config) ->
HelpText = os:cmd("openssl s_client --help"),
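Review bot: `check_openssl_sni_support/1` is a third copy of the probe already used by `check_openssl_npn_support/1`, and the next hunk adds a fourth in `check_openssl_alpn_support/1`; they differ only in the search string and the skip message. One helper called as `check_openssl_flag_support(Config, "-servername", "Current openssl doesn't support SNI")` would keep them consistent. The ALPN copy searches for `"alpn"` without the leading dash, so it matches any occurrence of that substring in the help text rather than the option itself. If `openssl` is missing from the PATH, `os:cmd/1` returns the shell's error text and the case is skipped with a message blaming SNI support, which can mislead whoever reads the skip report.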
@@ -1297,6 +1725,15 @@ check_openssl_npn_support(Config) ->
Config
end.
+check_openssl_alpn_support(Config) ->
+ HelpText = os:cmd("openssl s_client --help"),
+ case string:str(HelpText, "alpn") of
+ 0 ->
+ {skip, "Openssl not compiled with alpn support"};
+ _ ->
+ Config
+ end.
+
check_sane_openssl_renegotaite(Config, Version) when Version == 'tlsv1.1';
Version == 'tlsv1.2' ->
case os:cmd("openssl version") of