7 files changed, 477 insertions, 100 deletions
diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 3639c2b2da..09cc5981e7 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -1,7 +1,7 @@
 #
 # %CopyrightBegin%
 #
-# Copyright Ericsson AB 1999-2013. All Rights Reserved.
+# Copyright Ericsson AB 1999-2015. All Rights Reserved.
 #
 # The contents of this file are subject to the Erlang Public License,
 # Version 1.1, (the "License"); you may not use this file except in
@@ -47,9 +47,11 @@ MODULES = \
 	ssl_npn_handshake_SUITE \
 	ssl_packet_SUITE \
 	ssl_payload_SUITE \
+	ssl_pem_cache_SUITE \
 	ssl_session_cache_SUITE	\
 	ssl_to_openssl_SUITE \
 	ssl_ECC_SUITE \
+	ssl_upgrade_SUITE\
 	make_certs\
 	erl_make_certs
 
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index dc9e8934e6..77ef8088b4 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2007-2014. All Rights Reserved.
+%% Copyright Ericsson AB 2007-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -65,7 +65,7 @@ groups() ->
      {'tlsv1.2', [], all_versions_groups()},
      {'tlsv1.1', [], all_versions_groups()},
      {'tlsv1', [], all_versions_groups() ++ rizzo_tests()},
-     {'sslv3', [], all_versions_groups() ++ rizzo_tests()},
+     {'sslv3', [], all_versions_groups() ++ rizzo_tests() ++ [ciphersuite_vs_version]},
      {api,[], api_tests()},
      {session, [], session_tests()},
      {renegotiate, [], renegotiate_tests()},
@@ -90,7 +90,8 @@ basic_tests() ->
      version_option,
      connect_twice,
      connect_dist,
-     clear_pem_cache
+     clear_pem_cache,
+     defaults
     ].
 
 options_tests() ->
@@ -116,7 +117,6 @@ options_tests() ->
      tcp_reuseaddr,
      honor_server_cipher_order,
      honor_client_cipher_order,
-     ciphersuite_vs_version,
      unordered_protocol_versions_server,
      unordered_protocol_versions_client
 ].
@@ -177,6 +177,9 @@ cipher_tests() ->
      srp_cipher_suites,
      srp_anon_cipher_suites,
      srp_dsa_cipher_suites,
+     rc4_rsa_cipher_suites,
+     rc4_ecdh_rsa_cipher_suites,
+     rc4_ecdsa_cipher_suites,
      default_reject_anonymous].
 
 cipher_tests_ec() ->
@@ -256,11 +259,6 @@ init_per_testcase(Case, Config) when Case ==  unordered_protocol_versions_client
 	_ ->
 	    {skip, "TLS 1.2 need but not supported on this platform"}
     end;
-init_per_testcase(no_authority_key_identifier, Config) ->
-    %% Clear cach so that root cert will not
-    %% be found.
-    ssl:clear_pem_cache(),
-    Config;
 
 init_per_testcase(protocol_versions, Config)  ->
     ssl:stop(),
@@ -343,7 +341,7 @@ alerts(Config) when is_list(Config) ->
 		  end, Alerts).
 %%--------------------------------------------------------------------
 new_options_in_accept() ->
-    [{doc,"Test that you can set ssl options in ssl_accept/3 and not tcp upgrade"}].
+    [{doc,"Test that you can set ssl options in ssl_accept/3 and not only in tcp upgrade"}].
 new_options_in_accept(Config) when is_list(Config) -> 
     ClientOpts = ?config(client_opts, Config),
     ServerOpts0 = ?config(server_dsa_opts, Config),
@@ -361,7 +359,9 @@ new_options_in_accept(Config) when is_list(Config) ->
 					{host, Hostname},
 					{from, self()}, 
 					{mfa, {?MODULE, connection_info_result, []}},
-					{options, [{versions, [sslv3]} | ClientOpts]}]),
+					{options, [{versions, [sslv3]},
+						   {ciphers,[{rsa,rc4_128,sha}
+							    ]} | ClientOpts]}]),
     
     ct:log("Testcase ~p, Client ~p  Server ~p ~n",
 		       [self(), Client, Server]),
@@ -391,7 +391,7 @@ connection_info(Config) when is_list(Config) ->
 			   {from, self()}, 
 			   {mfa, {?MODULE, connection_info_result, []}},
 			   {options, 
-			    [{ciphers,[{rsa,rc4_128,sha,no_export}]} | 
+			    [{ciphers,[{rsa,des_cbc,sha,no_export}]} | 
 			     ClientOpts]}]),
     
     ct:log("Testcase ~p, Client ~p  Server ~p ~n",
@@ -400,7 +400,7 @@ connection_info(Config) when is_list(Config) ->
     Version = 
 	tls_record:protocol_version(tls_record:highest_protocol_version([])),
     
-    ServerMsg = ClientMsg = {ok, {Version, {rsa,rc4_128,sha}}},
+    ServerMsg = ClientMsg = {ok, {Version, {rsa, des_cbc, sha}}},
 			   
     ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg),
     
@@ -1779,6 +1779,32 @@ srp_dsa_cipher_suites(Config) when is_list(Config) ->
     Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
     Ciphers = ssl_test_lib:srp_dss_suites(),
     run_suites(Ciphers, Version, Config, srp_dsa).
+%%-------------------------------------------------------------------
+rc4_rsa_cipher_suites()->
+    [{doc, "Test the RC4 ciphersuites"}].
+rc4_rsa_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
+    Version = tls_record:protocol_version(NVersion),
+    Ciphers = ssl_test_lib:rc4_suites(NVersion),
+    run_suites(Ciphers, Version, Config, rc4_rsa).
+%-------------------------------------------------------------------
+rc4_ecdh_rsa_cipher_suites()->
+    [{doc, "Test the RC4 ciphersuites"}].
+rc4_ecdh_rsa_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
+    Version = tls_record:protocol_version(NVersion),
+    Ciphers = ssl_test_lib:rc4_suites(NVersion),
+    run_suites(Ciphers, Version, Config, rc4_ecdh_rsa).
+
+%%-------------------------------------------------------------------
+rc4_ecdsa_cipher_suites()->
+    [{doc, "Test the RC4 ciphersuites"}].
+rc4_ecdsa_cipher_suites(Config) when is_list(Config) ->
+    NVersion = tls_record:highest_protocol_version([]),
+    Version = tls_record:protocol_version(NVersion),
+    Ciphers = ssl_test_lib:rc4_suites(NVersion),
+    run_suites(Ciphers, Version, Config, rc4_ecdsa).
+
 %%--------------------------------------------------------------------
 default_reject_anonymous()->
     [{doc,"Test that by default anonymous cipher suites are rejected "}].
@@ -2507,6 +2533,16 @@ no_reuses_session_server_restart_new_cert_file(Config) when is_list(Config) ->
     ssl_test_lib:close(Client1).
 
 %%--------------------------------------------------------------------
+defaults(Config) when is_list(Config)->
+    [_, 
+     {supported, Supported},
+     {available, Available}]
+	= ssl:versions(),
+    true = lists:member(sslv3, Available),
+    false = lists:member(sslv3, Supported),
+    false = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites()),
+    true = lists:member({rsa,rc4_128,sha}, ssl:cipher_suites(all)).
+%%--------------------------------------------------------------------
 reuseaddr() ->
     [{doc,"Test reuseaddr option"}].
 
@@ -2631,6 +2667,8 @@ honor_cipher_order(Config, Honor, ServerCiphers, ClientCiphers, Expected) ->
     ssl_test_lib:close(Client).
 
 %%--------------------------------------------------------------------
+ciphersuite_vs_version()  ->
+    [{doc,"Test a SSLv3 client can not negotiate a TLSv* cipher suite."}].
 ciphersuite_vs_version(Config) when is_list(Config) ->
     
     {_ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
@@ -3694,8 +3732,20 @@ run_suites(Ciphers, Version, Config, Type) ->
 		 ?config(server_ecdsa_opts, Config)};
 	    ecdh_rsa ->
 		{?config(client_opts, Config),
-		 ?config(server_ecdh_rsa_opts, Config)}
-	    end,
+		 ?config(server_ecdh_rsa_opts, Config)};
+	    rc4_rsa ->
+		{?config(client_opts, Config),
+		 [{ciphers, Ciphers} |
+		  ?config(server_opts, Config)]};
+	    rc4_ecdh_rsa ->
+		{?config(client_opts, Config),
+		 [{ciphers, Ciphers} |
+		  ?config(server_ecdh_rsa_opts, Config)]};
+	    rc4_ecdsa ->
+		{?config(client_opts, Config),
+		 [{ciphers, Ciphers} |
+		  ?config(server_ecdsa_opts, Config)]}
+	end,
 
     Result =  lists:map(fun(Cipher) ->
 				cipher(Cipher, Version, Config, ClientOpts, ServerOpts) end,
@@ -3716,6 +3766,7 @@ erlang_cipher_suite(Suite) ->
 cipher(CipherSuite, Version, Config, ClientOpts, ServerOpts) ->
     %% process_flag(trap_exit, true),
     ct:log("Testing CipherSuite ~p~n", [CipherSuite]),
+    ct:log("Server Opts ~p~n", [ServerOpts]),
     {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
 
     ErlangCipherSuite = erlang_cipher_suite(CipherSuite),
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index b7864ba6e7..dab7a941db 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -443,7 +443,7 @@ verify_fun_always_run_client(Config) when is_list(Config) ->
 			    {unknown, UserState};
 		       (_, valid, [ChainLen]) ->
 			    {valid, [ChainLen + 1]};
-		       (_, valid_peer, [2]) ->
+		       (_, valid_peer, [1]) ->
 			    {fail, "verify_fun_was_always_run"};
 		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
@@ -482,7 +482,7 @@ verify_fun_always_run_server(Config) when is_list(Config) ->
 			    {unknown, UserState};
 		       (_, valid, [ChainLen]) ->
 			    {valid, [ChainLen + 1]};
-		       (_, valid_peer, [2]) ->
+		       (_, valid_peer, [1]) ->
 			    {fail, "verify_fun_was_always_run"};
 		       (_, valid_peer, UserState) ->
 			    {valid, UserState}
diff --git a/lib/ssl/test/ssl_cipher_SUITE.erl b/lib/ssl/test/ssl_cipher_SUITE.erl
index f2dc1b52c1..3433f9a445 100644
--- a/lib/ssl/test/ssl_cipher_SUITE.erl
+++ b/lib/ssl/test/ssl_cipher_SUITE.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2013. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -38,7 +38,7 @@
 suite() -> [{ct_hooks,[ts_install_cth]}].
 
 all() ->
-    [aes_decipher_good, aes_decipher_good_tls11, aes_decipher_fail, aes_decipher_fail_tls11].
+    [aes_decipher_good, aes_decipher_fail, padding_test].
 
 groups() ->
     [].
@@ -73,93 +73,122 @@ end_per_testcase(_TestCase, Config) ->
 %% Test Cases --------------------------------------------------------
 %%--------------------------------------------------------------------
 aes_decipher_good() ->
-    [{doc,"Decipher a known cryptotext."}].
+    [{doc,"Decipher a known cryptotext using a correct key"}].
 
 aes_decipher_good(Config) when is_list(Config) ->
     HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Content = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56, "HELLO\n">>,
-    Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
-    Version = {3,0},
-    {Content, Mac, _} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version),
-    Version1 = {3,1},
-    {Content, Mac, _} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version1),
-    ok.
+    CipherState = correct_cipher_state(),
+    decipher_check_good(HashSz, CipherState, {3,0}),
+    decipher_check_good(HashSz, CipherState, {3,1}),
+    decipher_check_good(HashSz, CipherState, {3,2}),
+    decipher_check_good(HashSz, CipherState, {3,3}).
 
 %%--------------------------------------------------------------------
-
-aes_decipher_good_tls11() ->
-    [{doc,"Decipher a known TLS 1.1 cryptotext."}].
-
-%% the fragment is actuall a TLS 1.1 record, with
-%% Version = TLS 1.1, we get the correct NextIV in #cipher_state
-aes_decipher_good_tls11(Config) when is_list(Config) ->
-    HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Content = <<"HELLO\n">>,
-    NextIV = <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
-    Mac = <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>,
-    Version = {3,2},
-    {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version),
-    Version1 = {3,2},
-    {Content, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version1),
-    ok.
-
-%%--------------------------------------------------------------------
-
 aes_decipher_fail() ->
-    [{doc,"Decipher a known cryptotext."}].
+    [{doc,"Decipher a known cryptotext using a incorrect key"}].
 
-%% same as above, last byte of key replaced
 aes_decipher_fail(Config) when is_list(Config) ->
     HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Version = {3,0},
-    {Content, Mac, _} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version),
-    32 = byte_size(Content),
-    32 = byte_size(Mac),
-    Version1 = {3,1},
-    {Content1, Mac1, _} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version1),
-    32 = byte_size(Content1),
-    32 = byte_size(Mac1),
-    ok.
+    CipherState = incorrect_cipher_state(),
+    decipher_check_fail(HashSz, CipherState, {3,0}),
+    decipher_check_fail(HashSz, CipherState, {3,1}),
+    decipher_check_fail(HashSz, CipherState, {3,2}),
+    decipher_check_fail(HashSz, CipherState, {3,3}).
 
 %%--------------------------------------------------------------------
-
-aes_decipher_fail_tls11() ->
-    [{doc,"Decipher a known TLS 1.1 cryptotext."}].
-
-%% same as above, last byte of key replaced
-%% stricter padding checks in TLS 1.1 mean we get an alert instead
-aes_decipher_fail_tls11(Config) when is_list(Config) ->
-    HashSz = 32,
-    CipherState = #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
-				key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>},
-    Fragment = <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
-		 190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
-		 198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
-		 108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>,
-    Version = {3,2},
-    #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} =
-	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version),
-    Version1 = {3,3},
-    #alert{level = ?FATAL, description = ?BAD_RECORD_MAC} =
-	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, Fragment, Version1),
-    ok.
-
+padding_test(Config) when is_list(Config)  ->
+    HashSz = 16,
+    CipherState = correct_cipher_state(),
+    pad_test(HashSz, CipherState, {3,0}),
+    pad_test(HashSz, CipherState, {3,1}),
+    pad_test(HashSz, CipherState, {3,2}),
+    pad_test(HashSz, CipherState, {3,3}).
+
+%%--------------------------------------------------------------------    
+% Internal functions  --------------------------------------------------------
 %%--------------------------------------------------------------------
+decipher_check_good(HashSz, CipherState, Version) ->
+    {Content, NextIV, Mac} = content_nextiv_mac(Version),
+    {Content, Mac, _} = 
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, aes_fragment(Version), Version, true).
+
+decipher_check_fail(HashSz, CipherState, Version) ->
+    {Content, NextIV, Mac} = content_nextiv_mac(Version),
+    true = {Content, Mac, #cipher_state{iv = NextIV}} =/= 
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, aes_fragment(Version), Version, true).
+
+pad_test(HashSz, CipherState, {3,0} = Version) ->
+    %% 3.0 does not have padding test
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
+    {Content, Mac, #cipher_state{iv = NextIV}} = 
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, true),    
+    {Content, Mac, #cipher_state{iv = NextIV}} = 
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,0}), {3,0}, false);
+pad_test(HashSz, CipherState, {3,1} = Version) ->
+    %% 3.1 should have padding test, but may be disabled
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
+    BadCont = badpad_content(Content),
+    {Content, Mac, #cipher_state{iv = NextIV}} = 
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,1}) , {3,1}, false),
+    {BadCont, Mac, #cipher_state{iv = NextIV}} = 
+	ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, badpad_aes_fragment({3,1}), {3,1}, true);
+pad_test(HashSz, CipherState, Version) ->
+    %% 3.2 and 3.3 must have padding test
+    {Content, NextIV, Mac} = badpad_content_nextiv_mac(Version),
+    BadCont = badpad_content(Content),
+    {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState, 
+									      badpad_aes_fragment(Version), Version, false),
+    {BadCont, Mac, #cipher_state{iv = NextIV}} = ssl_cipher:decipher(?AES_CBC, HashSz, CipherState,  
+								     badpad_aes_fragment(Version), Version, true).
+    
+aes_fragment({3,N}) when N == 0; N == 1->
+    <<197,9,6,109,242,87,80,154,85,250,110,81,119,95,65,185,53,206,216,153,246,169,
+      119,177,178,238,248,174,253,220,242,81,33,0,177,251,91,44,247,53,183,198,165,
+      63,20,194,159,107>>;
+	
+aes_fragment(_) ->
+    <<220,193,179,139,171,33,143,245,202,47,123,251,13,232,114,8,
+      190,162,74,31,186,227,119,155,94,74,119,79,169,193,240,160,
+      198,181,81,19,98,162,213,228,74,224,253,168,156,59,195,122,
+      108,101,107,242,20,15,169,150,163,107,101,94,93,104,241,165>>.
+
+badpad_aes_fragment({3,N})  when N == 0; N == 1 ->
+    <<186,139,125,10,118,21,26,248,120,108,193,104,87,118,145,79,225,55,228,10,105,
+      30,190,37,1,88,139,243,210,99,65,41>>;
+badpad_aes_fragment(_) ->
+    <<137,31,14,77,228,80,76,103,183,125,55,250,68,190,123,131,117,23,229,180,207,
+      94,121,137,117,157,109,99,113,61,190,138,131,229,201,120,142,179,172,48,77,
+      234,19,240,33,38,91,93>>.
+
+content_nextiv_mac({3,N})  when N == 0; N == 1 ->
+    {<<"HELLO\n">>,
+     <<72,196,247,97,62,213,222,109,210,204,217,186,172,184, 197,148>>,
+     <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>};
+content_nextiv_mac(_) ->
+    {<<"HELLO\n">>,
+     <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>,
+     <<71,136,212,107,223,200,70,232,127,116,148,205,232,35,158,113,237,174,15,217,192,168,35,8,6,107,107,233,25,174,90,111>>}.
+
+badpad_content_nextiv_mac({3,N})  when N == 0; N == 1 ->
+    {<<"HELLO\n">>,
+     <<225,55,228,10,105,30,190,37,1,88,139,243,210,99,65,41>>,
+      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
+    };
+badpad_content_nextiv_mac(_) ->
+    {<<"HELLO\n">>,
+     <<133,211,45,189,179,229,56,86,11,178,239,159,14,160,253,140>>,
+      <<183,139,16,132,10,209,67,86,168,100,61,217,145,57,36,56>>
+    }.
+
+badpad_content(Content) ->
+    %% BadContent will fail mac test 
+    <<16#F0, Content/binary>>.
+  
+correct_cipher_state() ->
+    #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
+		  key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,148>>}.
+
+incorrect_cipher_state() ->
+    #cipher_state{iv = <<59,201,85,117,188,206,224,136,5,109,46,70,104,79,4,9>>,
+		  key = <<72,196,247,97,62,213,222,109,210,204,217,186,172,184,197,254>>}.
+    
diff --git a/lib/ssl/test/ssl_pem_cache_SUITE.erl b/lib/ssl/test/ssl_pem_cache_SUITE.erl
new file mode 100644
index 0000000000..843079e2fe
--- /dev/null
+++ b/lib/ssl/test/ssl_pem_cache_SUITE.erl
@@ -0,0 +1,127 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2015-2015. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.2
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+
+%%
+
+-module(ssl_pem_cache_SUITE).
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("kernel/include/file.hrl").
+
+-define(CLEANUP_INTERVAL, 5000).
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+all() ->
+    [pem_cleanup].
+
+groups() ->
+    [].
+
+init_per_suite(Config0) ->
+    catch crypto:stop(),
+    try crypto:start() of
+	ok ->
+	    ssl:start(),
+	    %% make rsa certs using oppenssl
+	    Result =
+		(catch make_certs:all(?config(data_dir, Config0),
+				      ?config(priv_dir, Config0))),
+	    ct:log("Make certs  ~p~n", [Result]),
+
+	    Config1 = ssl_test_lib:make_dsa_cert(Config0),
+	    ssl_test_lib:cert_options(Config1)
+    catch _:_ ->
+	    {skip, "Crypto did not start"}
+    end.
+
+end_per_suite(_Config) ->
+    application:stop(crypto).
+
+init_per_group(_GroupName, Config) ->
+    Config.
+
+end_per_group(_GroupName, Config) ->
+    Config.
+
+init_per_testcase(pem_cleanup, Config) ->
+    ssl:stop(),
+    application:load(ssl),
+    application:set_env(ssl, ssl_pem_cache_clean, ?CLEANUP_INTERVAL),
+    ssl:start(),
+    Config.
+
+end_per_testcase(_TestCase, Config) ->
+    %%ssl:stop(),
+    Config.
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+pem_cleanup() ->
+    [{doc, "Test pem cache invalidate mechanism"}].
+pem_cleanup(Config)when is_list(Config) ->
+    process_flag(trap_exit, true),
+    ClientOpts = ?config(client_opts, Config),
+    ServerOpts = ?config(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server =
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+				   {from, self()},
+				   {mfa, {ssl_test_lib, no_result, []}},
+				   {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client =
+	ssl_test_lib:start_client([{node, ClientNode},
+		      {port, Port}, {host, Hostname},
+				   {mfa, {ssl_test_lib, no_result, []}},
+				   {from, self()}, {options, ClientOpts}]),
+
+    Size = ssl_pkix_db:db_size(get_pem_cache()),
+    Certfile = proplists:get_value(certfile, ServerOpts),
+    {ok, FileInfo} = file:read_file_info(Certfile),
+    Time = later(), 
+    ok = file:write_file_info(Certfile, FileInfo#file_info{mtime = Time}),
+    ct:sleep(2 * ?CLEANUP_INTERVAL),
+    Size1 = ssl_pkix_db:db_size(get_pem_cache()),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    false = Size == Size1.
+       
+get_pem_cache() ->
+    {status, _, _, StatusInfo} = sys:get_status(whereis(ssl_manager)),
+    [_, _,_, _, Prop] = StatusInfo,
+    State = ssl_test_lib:state(Prop),
+    case element(5, State) of
+	[_CertDb, _FileRefDb, PemChace] ->
+	    PemChace;
+	_ ->
+	    undefined
+    end.
+
+later()->
+    DateTime = calendar:now_to_local_time(os:timestamp()), 
+    Gregorian = calendar:datetime_to_gregorian_seconds(DateTime),
+    calendar:gregorian_seconds_to_datetime(Gregorian + (2 * ?CLEANUP_INTERVAL)).
+	
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index d2e6e41482..d6fbb73249 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2008-2014. All Rights Reserved.
+%% Copyright Ericsson AB 2008-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -187,6 +187,7 @@ run_client(Opts) ->
     Transport =  proplists:get_value(transport, Opts, ssl),
     Options = proplists:get_value(options, Opts),
     ct:log("~p:~p~n~p:connect(~p, ~p)@~p~n", [?MODULE,?LINE, Transport, Host, Port, Node]),
+    ct:log("SSLOpts: ~p", [Options]),
     case rpc:call(Node, Transport, connect, [Host, Port, Options]) of
 	{ok, Socket} ->
 	    Pid ! {connected, Socket},
@@ -918,6 +919,10 @@ srp_dss_suites() ->
 	 {srp_dss, aes_256_cbc, sha}],
     ssl_cipher:filter_suites(Suites).
 
+rc4_suites(Version) ->
+    Suites = ssl_cipher:rc4_suites(Version),
+    ssl_cipher:filter_suites(Suites).
+
 pem_to_der(File) ->
     {ok, PemBin} = file:read_file(File),
     public_key:pem_decode(PemBin).
@@ -1125,7 +1130,8 @@ filter_suites(Ciphers0) ->
     Supported0 = ssl_cipher:suites(Version)
 	++ ssl_cipher:anonymous_suites(Version)
 	++ ssl_cipher:psk_suites(Version)
-	++ ssl_cipher:srp_suites(),
+	++ ssl_cipher:srp_suites() 
+	++ ssl_cipher:rc4_suites(Version),
     Supported1 = ssl_cipher:filter_suites(Supported0),
     Supported2 = [ssl:suite_definition(S) || S <- Supported1],
     [Cipher || Cipher <- Ciphers0, lists:member(Cipher, Supported2)].
diff --git a/lib/ssl/test/ssl_upgrade_SUITE.erl b/lib/ssl/test/ssl_upgrade_SUITE.erl
new file mode 100644
index 0000000000..6a6a1b4a7a
--- /dev/null
+++ b/lib/ssl/test/ssl_upgrade_SUITE.erl
@@ -0,0 +1,162 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2014-2015. All Rights Reserved.
+%%
+%% The contents of this file are subject to the Erlang Public License,
+%% Version 1.1, (the "License"); you may not use this file except in
+%% compliance with the License. You should have received a copy of the
+%% Erlang Public License along with this software. If not, it can be
+%% retrieved online at http://www.erlang.org/.2
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and limitations
+%% under the License.
+%%
+%% %CopyrightEnd%
+%%
+-module(ssl_upgrade_SUITE).
+
+%% Note: This directive should only be used in test suites.
+-compile(export_all).
+
+-include_lib("common_test/include/ct.hrl").
+
+-record(state, {
+	  config,
+	  server,
+	  client,
+	  soft
+	 }).
+
+all() -> 
+    [
+     minor_upgrade,
+     major_upgrade
+    ].
+
+init_per_suite(Config0) ->
+    catch crypto:stop(),
+    try crypto:start() of
+	ok ->
+	    case ct_release_test:init(Config0) of
+		{skip, Reason} ->
+		    {skip, Reason};
+		Config ->
+		    Result =
+			(catch make_certs:all(?config(data_dir, Config),
+					      ?config(priv_dir, Config))),
+		    ct:log("Make certs  ~p~n", [Result]),
+		    ssl_test_lib:cert_options(Config)
+	    end
+    catch _:_ ->
+	    {skip, "Crypto did not start"}
+    end.
+
+end_per_suite(Config) ->
+    ct_release_test:cleanup(Config),
+    crypto:stop().
+
+init_per_testcase(_TestCase, Config) ->
+    Config.
+end_per_testcase(_TestCase, Config) ->
+    Config.
+
+major_upgrade(Config) when is_list(Config) ->
+    ct_release_test:upgrade(ssl, major,{?MODULE, #state{config = Config}}, Config).
+
+minor_upgrade(Config) when is_list(Config) ->
+    ct_release_test:upgrade(ssl, minor,{?MODULE, #state{config = Config}}, Config).
+
+upgrade_init(CTData, #state{config = Config} = State) -> 
+    {ok, {_, _, Up, _Down}} = ct_release_test:get_appup(CTData, ssl),
+    ct:pal("Up: ~p", [Up]),
+    Soft = is_soft(Up), %% It is symmetrical, if upgrade is soft so is downgrade  
+    case Soft of 
+	true ->
+	    {Server, Client} = soft_start_connection(Config),
+	    State#state{server = Server, client = Client,
+			soft = Soft};
+	false ->
+	    State#state{soft = Soft}
+    end.
+
+upgrade_upgraded(_, #state{soft = false, config = Config} = State) -> 
+    {Server, Client} = restart_start_connection(Config),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    State;
+
+upgrade_upgraded(_, #state{server = Server0, client = Client0,
+			   config = Config, soft = true} = State) -> 
+    Server0 ! changed_version,
+    Client0 ! changed_version,
+    ssl_test_lib:check_result(Server0, ok, Client0, ok),
+    ssl_test_lib:close(Server0),
+    ssl_test_lib:close(Client0),
+    {Server, Client} = soft_start_connection(Config),
+    State#state{server = Server, client = Client}.
+
+upgrade_downgraded(_, #state{soft = false, config = Config} = State) -> 
+    {Server, Client} = restart_start_connection(Config),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    State;
+
+upgrade_downgraded(_, #state{server = Server, client = Client, soft = true} = State) -> 
+    Server ! changed_version,
+    Client ! changed_version,
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    State.
+
+use_connection(Socket) ->
+    ssl_test_lib:send_recv_result_active(Socket),
+    receive 
+	changed_version ->
+	    ssl_test_lib:send_recv_result_active(Socket)
+    end.
+
+soft_start_connection(Config) ->
+    ClientOpts = ?config(client_verification_opts, Config),
+    ServerOpts = ?config(server_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+					{from, self()}, 
+					{mfa, {?MODULE, use_connection, []}},
+					{options, ServerOpts}]),
+    
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()}, 
+					{mfa, {?MODULE, use_connection, []}},
+					{options, ClientOpts}]),
+    {Server, Client}.
+
+restart_start_connection(Config) ->
+    ClientOpts = ?config(client_verification_opts, Config),
+    ServerOpts = ?config(server_verification_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+					{from, self()}, 
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()}, 
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ClientOpts}]),
+    {Server, Client}.
+
+is_soft([{restart_application, ssl}]) ->	       
+    false;
+is_soft(_) ->	
+    true.
+