10 files changed, 35 insertions, 33 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index c9b02d44ec..47100c0d81 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -94,7 +94,7 @@
       {log_alert, boolean()} | {server_name_indication, hostname() | disable}
     </c></p>
 
-    <p><c>transportoption() = {cb_info, {CallbackModule::atom(), DataTag::atom(), ClosedTag::atom(), ErrTag:atom()}}
+    <p><c>transportoption() = {cb_info, {CallbackModule :: atom(), DataTag :: atom(), ClosedTag :: atom(), ErrTag:atom()}}
 	- defaults to {gen_tcp, tcp, tcp_closed, tcp_error}. Can be used to customize
 	the transport layer. The callback module must implement a reliable transport
 	protocol and behave as gen_tcp and in addition have functions corresponding to
@@ -303,20 +303,20 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
       </taglist>
       </item>
 
-      <tag>{crl_check, boolean() | peer | best_effort )</tag>
+      <tag>{crl_check, boolean() | peer | best_effort }</tag>
       <item>
 	Perform CRL (Certificate Revocation List) verification
 	<seealso marker="public_key:public_key#pkix_crl_validate-3">
-	public_key:pkix_crls_validate/3</seealso>, during the
+	(public_key:pkix_crls_validate/3)</seealso> on all the certificates during the path validation
 	<seealso
-	marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_validation/3  </seealso>
-	invokation on all the certificates in the peer certificate chain. Defaults to
-	false.
-
+	    marker="public_key:public_key#pkix_path_validation-3">(public_key:pkix_path_validation/3)
+	</seealso>
+	of the certificate chain. Defaults to false.
+	
 	<p><c>peer</c> - check is only performed on
 	the peer certificate.</p>
 
-	<p><c>best_effort</c> - if certificate revokation status can not be determined
+	<p><c>best_effort</c> - if certificate revocation status can not be determined
 	it will be accepted as valid.</p>
 
 	<p>The CA certificates specified for the connection will be used to 
@@ -326,7 +326,7 @@ fun(OtpCert :: #'OTPCertificate'{}, Event :: {bad_cert, Reason :: atom() | {revo
 	<seealso marker="ssl:ssl_crl_cache_api">ssl_crl_cache_api(3)</seealso>.</p>
       </item>
 
-      <tag>{crl_cache, {Module::atom, {DbHandle::internal | term(), Args::list()}}</tag>
+      <tag>{crl_cache, {Module :: atom(), {DbHandle :: internal | term(), Args :: list()}}}</tag>
       <item>
 	<p>Module defaults to ssl_crl_cache with <c> DbHandle </c> internal and an
 	empty argument list. The following arguments may be specified for the internal cache.</p>
diff --git a/lib/ssl/doc/src/ssl_crl_cache.xml b/lib/ssl/doc/src/ssl_crl_cache.xml
index 1ed76d3e2a..b291c7b633 100644
--- a/lib/ssl/doc/src/ssl_crl_cache.xml
+++ b/lib/ssl/doc/src/ssl_crl_cache.xml
@@ -29,7 +29,7 @@
     <p>
       Implements an internal CRL (Certificate Revocation List) cache.
       In addition to implementing the <seealso
-      marker="ssl_cache_crl_api"> ssl_cache_crl_api</seealso>
+      marker="ssl_cache_crl_api"> ssl_cache_crl_api</seealso> behaviour
       the following functions are available.
     </p>
   </description>
diff --git a/lib/ssl/doc/src/ssl_crl_cache_api.xml b/lib/ssl/doc/src/ssl_crl_cache_api.xml
index 24365c9f59..3f518496be 100644
--- a/lib/ssl/doc/src/ssl_crl_cache_api.xml
+++ b/lib/ssl/doc/src/ssl_crl_cache_api.xml
@@ -27,13 +27,15 @@
   <modulesummary>API for a SSL/TLS CRL (Certificate Revocation List) cache.</modulesummary>
   <description>
     <p>
-      When SSL/TLS performs certificate path validation according to 
-      <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url> it should
-      also perform CRL validation checks. To enable the CRL checks the application
-      needs access to CRLs. A database of CRLs can be set up in many different ways.
-      This module provides an API to integrate an arbitrary CRL cache with the erlang
-      ssl application. It is also used by the application itself to provide a simple
-      default implementation of a CRL cache. 
+      When SSL/TLS performs certificate path validation according to
+      <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280 </url>
+      it should also perform CRL validation checks. To enable the CRL
+      checks the application needs access to CRLs. A database of CRLs
+      can be set up in many different ways. This module provides the
+      behavior of the API needed to integrate an arbitrary CRL cache
+      with the erlang ssl application. It is also used by the
+      application itself to provide a simple default implementation of
+      a CRL cache.
     </p>
   </description>
   
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 508983ddac..f177a8610d 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -1,7 +1,7 @@
 %%
 %% %CopyrightBegin%
 %%
-%% Copyright Ericsson AB 2013-2014. All Rights Reserved.
+%% Copyright Ericsson AB 2013-2015. All Rights Reserved.
 %%
 %% The contents of this file are subject to the Erlang Public License,
 %% Version 1.1, (the "License"); you may not use this file except in
@@ -146,7 +146,7 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,  User, CbInfo]) ->
     Handshake = ssl_handshake:init_handshake_history(),
     TimeStamp = calendar:datetime_to_gregorian_seconds({date(), time()}),
     try ssl_config:init(SSLOpts0, Role) of
-	{ok, Ref, CertDbHandle, FileRefHandle, CacheHandle, OwnCert, Key, DHParams} ->
+	{ok, Ref, CertDbHandle, FileRefHandle, CacheHandle,  CRLDbInfo, OwnCert, Key, DHParams} ->
 	    Session = State0#state.session,
 	    State = State0#state{
 		      tls_handshake_history = Handshake,
@@ -155,6 +155,7 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,  User, CbInfo]) ->
 		      file_ref_db = FileRefHandle,
 		      cert_db_ref = Ref,
 		      cert_db = CertDbHandle,
+		      crl_db = CRLDbInfo,
 		      session_cache = CacheHandle,
 		      private_key = Key,
 		      diffie_hellman_params = DHParams},
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 764bd82de0..34e4a8b447 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -84,7 +84,7 @@ trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef, PartialChainHandler) -
     end.
 
 %%--------------------------------------------------------------------
--spec certificate_chain(undefined | binary(), db_handle(), certdb_ref()) ->
+-spec certificate_chain(undefined | binary() | #'OTPCertificate'{} , db_handle(), certdb_ref()) ->
 			  {error, no_cert} | {ok, #'OTPCertificate'{} | undefined, [der_cert()]}.
 %%
 %% Description: Return the certificate chain to send to peer.
diff --git a/lib/ssl/src/ssl_crl.erl b/lib/ssl/src/ssl_crl.erl
index b8761f0601..1a08d3c80a 100644
--- a/lib/ssl/src/ssl_crl.erl
+++ b/lib/ssl/src/ssl_crl.erl
@@ -73,8 +73,6 @@ verify_crl_issuer(CRL, ErlCertCandidate, Issuer, NotIssuer) ->
 		true ->
 		    throw({ok, ErlCertCandidate});
 		false ->
-		    NotIssuer;
-		_ ->
 		    NotIssuer
 	    end;
 	_ ->
diff --git a/lib/ssl/src/ssl_crl_cache.erl b/lib/ssl/src/ssl_crl_cache.erl
index b2bdb19979..b9d6a61c3b 100644
--- a/lib/ssl/src/ssl_crl_cache.erl
+++ b/lib/ssl/src/ssl_crl_cache.erl
@@ -34,7 +34,7 @@
 %% Cache callback API
 %%====================================================================
 
-lookup(#'DistributionPoint'{distributionPoint={fullName, Names}}, 
+lookup(#'DistributionPoint'{distributionPoint = {fullName, Names}},
        CRLDbInfo) ->
     get_crls(Names, CRLDbInfo);
 lookup(_,_) ->
@@ -48,8 +48,8 @@ select(Issuer, {{_Cache, Mapping},_}) ->
 	    CRLs
     end.
 
-fresh_crl(DistributionPoint, CRL) ->
-    case get_crls(DistributionPoint, undefined) of
+fresh_crl(#'DistributionPoint'{distributionPoint = {fullName, Names}}, CRL) ->
+    case get_crls(Names, undefined) of
 	not_available ->
 	    CRL;
 	[NewCRL] ->
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 6cab8eb7a1..5c5f386c6f 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1998,12 +1998,12 @@ crl_check(OtpCert, Check, CertDbHandle, CertDbRef, {Callback, CRLDbHandle}, _) -
 	    case dps_and_crls(OtpCert, Callback, CRLDbHandle, same_issuer) of
 		[] ->
 		    valid; %% No relevant CRL existed
-		Dps ->
-		    crl_check_same_issuer(OtpCert, Check, Dps, Options)		
+		DpsAndCRls ->
+		    crl_check_same_issuer(OtpCert, Check, DpsAndCRls, Options)		
 	    end;
-	Dps ->  %% This DP list may be empty if relevant CRLs existed 
+	DpsAndCRLs ->  %% This DP list may be empty if relevant CRLs existed 
 	    %% but could not be retrived, will result in {bad_cert, revocation_status_undetermined}
-	    case public_key:pkix_crls_validate(OtpCert, Dps, Options) of
+	    case public_key:pkix_crls_validate(OtpCert, DpsAndCRLs, Options) of
 		{bad_cert, revocation_status_undetermined} ->
 		    crl_check_same_issuer(OtpCert, Check, dps_and_crls(OtpCert, Callback, 
 								       CRLDbHandle, same_issuer), Options);
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 9c4b2a8bad..396013825e 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -101,8 +101,10 @@ start_link_dist(Opts) ->
     gen_server:start_link({local, DistMangerName}, ?MODULE, [DistMangerName, Opts], []).
 
 %%--------------------------------------------------------------------
--spec connection_init(binary()| {der, list()}, client | server, {Cb :: atom(), Handle:: term()}) ->
-			     {ok, certdb_ref(), db_handle(), db_handle(), db_handle(), db_handle()}.
+-spec connection_init(binary()| {der, list()}, client | server, 
+		      {Cb :: atom(), Handle:: term()}) ->
+			     {ok, certdb_ref(), db_handle(), db_handle(), 
+			      db_handle(), db_handle(), CRLInfo::term()}.
 %%			     
 %% Description: Do necessary initializations for a new connection.
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index b0b6d5a8e3..548ec4aebe 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -82,8 +82,7 @@ client_hello(Host, Port, ConnectionStates,
 	    boolean()) ->
 		   {tls_record:tls_version(), session_id(), #connection_states{}, binary() | undefined}|
 		   {tls_record:tls_version(), {resumed | new, #session{}}, #connection_states{},
-		    [binary()] | undefined,
-		    [ssl_handshake:oid()] | undefined, [ssl_handshake:oid()] | undefined} |
+		   #hello_extensions{}} |
 		   #alert{}.
 %%
 %% Description: Handles a recieved hello message