7 files changed, 184 insertions, 22 deletions

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 6c01954010..7e751a215d 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -30,7 +30,39 @@
   </header>
   <p>This document describes the changes made to the SSL application.</p>
   
-  <section><title>SSL 5.1</title>
+  <section><title>SSL 5.1.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    ssl:recv/3 could "loose" data when the timeout occurs. If
+	    the timout in ssl:connect or ssl:ssl_accept expired the
+	    ssl connection process was not terminated as it should,
+	    this due to gen_fsm:send_all_state_event timout is a
+	    client side time out. These timouts are now handled by
+	    the gen_fsm-procss instead.</p>
+          <p>
+	    Own Id: OTP-10569</p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Better termination handling that avoids hanging.</p>
+          <p>
+	    Own Id: OTP-10574</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 5.1</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
       <list>
diff --git a/lib/ssl/src/Makefile b/lib/ssl/src/Makefile
index c5c5bf593a..6be8a1456e 100644
--- a/lib/ssl/src/Makefile
+++ b/lib/ssl/src/Makefile
@@ -130,3 +130,23 @@ release_spec: opt
 
 release_docs_spec:
 
+# ----------------------------------------------------
+# Dependencies
+# ----------------------------------------------------
+$(EBIN)/inet_tls_dist.$(EMULATOR): ../../kernel/include/net_address.hrl  ../../kernel/include/dist.hrl  ../../kernel/include/dist_util.hrl
+$(EBIN)/ssl.$(EMULATOR): ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl ssl_handshake.hrl ../../public_key/include/public_key.hrl
+$(EBIN)/ssl_alert.$(EMULATOR): ssl_alert.hrl ssl_record.hrl  
+$(EBIN)/ssl_certificate.$(EMULATOR): ssl_internal.hrl ssl_alert.hrl ssl_handshake.hrl ../../public_key/include/public_key.hrl
+$(EBIN)/ssl_certificate_db.$(EMULATOR): ssl_internal.hrl ../../public_key/include/public_key.hrl ../../kernel/include/file.hrl
+$(EBIN)/ssl_cipher.$(EMULATOR): ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl ssl_handshake.hrl ssl_alert.hrl ../../public_key/include/public_key.hrl
+$(EBIN)/ssl_connection.$(EMULATOR): ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl ssl_handshake.hrl ssl_alert.hrl ../../public_key/include/public_key.hrl
+$(EBIN)/ssl_handshake.$(EMULATOR): ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl ssl_handshake.hrl ssl_alert.hrl ../../public_key/include/public_key.hrl
+$(EBIN)/ssl_manager.$(EMULATOR): ssl_internal.hrl ssl_handshake.hrl ../../kernel/include/file.hrl
+$(EBIN)/ssl_record.$(EMULATOR):  ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl ssl_handshake.hrl ssl_alert.hrl
+$(EBIN)/ssl_session.$(EMULATOR):  ssl_internal.hrl ssl_handshake.hrl
+$(EBIN)/ssl_session_cache.$(EMULATOR):  ssl_internal.hrl ssl_handshake.hrl
+$(EBIN)/ssl_session_cache_api.$(EMULATOR):  ssl_internal.hrl ssl_handshake.hrl
+$(EBIN)/ssl_ssl3.$(EMULATOR): ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl
+$(EBIN)/ssl_tls1.$(EMULATOR): ssl_internal.hrl ssl_record.hrl ssl_cipher.hrl
+
+
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index 0cf4f2ce33..13689ce7d8 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -24,8 +24,6 @@
 -module(ssl_manager).
 -behaviour(gen_server).
 
--include("ssl_internal.hrl").
-
 %% Internal application API
 -export([start_link/1, start_link_dist/1,
 	 connection_init/2, cache_pem_file/2,
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index 2ad422fc03..a24b2d9444 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -72,15 +72,12 @@ valid_session(#session{time_stamp = TimeStamp}, LifeTime) ->
 
 server_id(Port, <<>>, _SslOpts, _Cert, _, _) ->
     {ssl_manager:new_session_id(Port), undefined};
-server_id(Port, SuggestedId,
-	  #ssl_options{reuse_sessions = ReuseEnabled,
-		       reuse_session = ReuseFun},
-	  Cert, Cache, CacheCb) ->
+server_id(Port, SuggestedId, Options, Cert, Cache, CacheCb) ->
     LifeTime = case application:get_env(ssl, session_lifetime) of
 		   {ok, Time} when is_integer(Time) -> Time;
 		   _ -> ?'24H_in_sec'
 	       end,
-    case is_resumable(SuggestedId, Port, ReuseEnabled,ReuseFun,
+    case is_resumable(SuggestedId, Port, Options,
 		      Cache, CacheCb, LifeTime, Cert)
     of
 	{true, Resumed} ->
@@ -112,9 +109,9 @@ select_session(Sessions, #ssl_options{ciphers = Ciphers}, OwnCert) ->
 	[[Id, _]|_] -> Id
     end.
 
-is_resumable(_, _, false, _, _, _, _, _) ->
+is_resumable(_, _, #ssl_options{reuse_sessions = false}, _, _, _, _) ->
     {false, undefined};
-is_resumable(SuggestedSessionId, Port, true, ReuseFun, Cache,
+is_resumable(SuggestedSessionId, Port, #ssl_options{reuse_session = ReuseFun} = Options, Cache,
 	     CacheCb, SecondLifeTime, OwnCert) ->
     case CacheCb:lookup(Cache, {Port, SuggestedSessionId}) of
 	#session{cipher_suite = CipherSuite,
@@ -125,6 +122,7 @@ is_resumable(SuggestedSessionId, Port, true, ReuseFun, Cache,
 	    case resumable(IsResumable)
 		andalso (OwnCert == SessionOwnCert)
 		andalso valid_session(Session, SecondLifeTime)
+		andalso reusable_options(Options, Session)
 		andalso ReuseFun(SuggestedSessionId, PeerCert,
 				 Compression, CipherSuite)
 	    of
@@ -139,3 +137,9 @@ resumable(new) ->
     false;
 resumable(IsResumable) ->
     IsResumable.
+
+reusable_options(#ssl_options{fail_if_no_peer_cert = true,
+			   verify = verify_peer}, Session) ->
+    (Session#session.peer_certificate =/= undefined);
+reusable_options(_,_) ->
+    true.
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index 254aa6d2f9..d6bdd05d01 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -137,10 +137,10 @@ decode_key(PemBin, Pw) ->
 
 encode_key(Key = #'RSAPrivateKey'{}) ->
     {ok, Der} = 'OTP-PUB-KEY':encode('RSAPrivateKey', Key),
-    {'RSAPrivateKey', list_to_binary(Der), not_encrypted};   
+    {'RSAPrivateKey', Der, not_encrypted};
 encode_key(Key = #'DSAPrivateKey'{}) ->
     {ok, Der} = 'OTP-PUB-KEY':encode('DSAPrivateKey', Key),
-    {'DSAPrivateKey', list_to_binary(Der), not_encrypted}.
+    {'DSAPrivateKey', Der, not_encrypted}.
 
 make_tbs(SubjectKey, Opts) ->    
     Version = list_to_atom("v"++integer_to_list(proplists:get_value(version, Opts, 3))),
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index a202aca943..4c3548a703 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -248,6 +248,7 @@ api_tests() ->
     [connection_info,
      peername,
      peercert,
+     peercert_with_client_cert,
      sockname,
      versions,
      controlling_process,
@@ -274,6 +275,7 @@ certificate_verify_tests() ->
      server_verify_client_once_passive,
      server_verify_client_once_active,
      server_verify_client_once_active_once,
+     new_server_wants_peer_cert,
      client_verify_none_passive,
      client_verify_none_active,
      client_verify_none_active_once,
@@ -788,6 +790,43 @@ peercert(Config) when is_list(Config) ->
 
 peercert_result(Socket) ->
     ssl:peercert(Socket).
+%%--------------------------------------------------------------------
+
+peercert_with_client_cert(doc) ->
+    [""];
+peercert_with_client_cert(suite) ->
+    [];
+peercert_with_client_cert(Config) when is_list(Config) ->
+    ClientOpts = ?config(client_dsa_opts, Config),
+    ServerOpts = ?config(server_dsa_verify_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ClientNode}, {port, 0},
+					{from, self()},
+			   {mfa, {?MODULE, peercert_result, []}},
+			   {options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ServerNode}, {port, Port},
+					{host, Hostname},
+			   {from, self()},
+			   {mfa, {?MODULE, peercert_result, []}},
+			   {options, ClientOpts}]),
+
+    ServerCertFile = proplists:get_value(certfile, ServerOpts),
+    [{'Certificate', ServerBinCert, _}]= ssl_test_lib:pem_to_der(ServerCertFile),
+     ClientCertFile = proplists:get_value(certfile, ClientOpts),
+    [{'Certificate', ClientBinCert, _}]= ssl_test_lib:pem_to_der(ClientCertFile),
+
+    ServerMsg = {ok, ClientBinCert},
+    ClientMsg = {ok, ServerBinCert},
+
+    test_server:format("Testcase ~p, Client ~p  Server ~p ~n",
+		       [self(), Client, Server]),
+
+    ssl_test_lib:check_result(Server, ServerMsg, Client, ClientMsg),
+
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
 
 %%--------------------------------------------------------------------
 sockname(doc) -> 
@@ -3610,9 +3649,14 @@ no_reuses_session_server_restart_new_cert(Config) when is_list(Config) ->
 
     %% Make sure session is registered
     test_server:sleep(?SLEEP),
+    Monitor = erlang:monitor(process, Server),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client0),
-
+    receive
+	{'DOWN', Monitor, _, _, _} ->
+	    ok
+    end,
+    
     Server1 =
 	ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
 				   {from, self()},
@@ -3719,10 +3763,14 @@ reuseaddr(Config) when is_list(Config) ->
 				   {from, self()},
 				   {mfa, {ssl_test_lib, no_result, []}},
 				   {options, [{active, false} | ClientOpts]}]),
-    test_server:sleep(?SLEEP),
+    Monitor = erlang:monitor(process, Server),
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client),
-
+    receive
+	{'DOWN', Monitor, _, _, _} ->
+	    ok
+    end,
+    
     Server1 =
 	ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
 				   {from, self()},
@@ -4041,6 +4089,67 @@ client_server_opts({KeyAlgo,_,_}, Config) when KeyAlgo == dss orelse KeyAlgo ==
     {?config(client_dsa_opts, Config),
      ?config(server_dsa_opts, Config)}.
 
+
+%%--------------------------------------------------------------------
+
+new_server_wants_peer_cert(doc) ->
+    ["Test that server configured to do client certification does"
+     " not reuse session without a client certificate."];
+new_server_wants_peer_cert(suite) ->
+    [];
+new_server_wants_peer_cert(Config) when is_list(Config) ->
+    ServerOpts = ?config(server_opts, Config),
+    VServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+		  | ?config(server_verification_opts, Config)],
+    ClientOpts = ?config(client_verification_opts, Config),
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server =
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+				   {from, self()},
+				   {mfa, {?MODULE, peercert_result, []}},
+				   {options,  [ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client =
+	ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+				   {host, Hostname},
+				   {from, self()},
+				   {mfa, {ssl_test_lib, no_result, []}},
+				   {options, ClientOpts}]),
+
+    Monitor = erlang:monitor(process, Server),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client),
+    receive
+	{'DOWN', Monitor, _, _, _} ->
+	    ok
+    end,
+    
+    Server1 = ssl_test_lib:start_server([{node, ServerNode}, {port, Port},
+					 {from, self()},
+					 {mfa, {?MODULE, peercert_result, []}},
+					 {options,  VServerOpts}]), 
+    Client1 =
+	ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+				   {host, Hostname},
+				   {from, self()},
+				   {mfa, {ssl_test_lib, no_result, []}},
+				   {options, [ClientOpts]}]),
+
+    CertFile = proplists:get_value(certfile, ClientOpts),
+    [{'Certificate', BinCert, _}]= ssl_test_lib:pem_to_der(CertFile),
+
+    ServerMsg = {error, no_peercert},
+    Sever1Msg = {ok, BinCert},
+   
+    ssl_test_lib:check_result(Server, ServerMsg, Server1, Sever1Msg),
+
+    ssl_test_lib:close(Server1),
+    ssl_test_lib:close(Client),
+    ssl_test_lib:close(Client1).
+
+
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 98ef050b14..f4e19b3f87 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -1080,14 +1080,13 @@ ssl2_erlang_server_openssl_client(Config) when is_list(Config) ->
     
     OpenSslPort =  open_port({spawn, Cmd}, [stderr_to_stdout]), 
     port_command(OpenSslPort, Data),
-    
+    receive
+	{'EXIT', OpenSslPort, _} ->
+	    ok
+
+    end,
     ssl_test_lib:check_result(Server, {error,"protocol version"}),
-    
-    %% Clean close down!   Server needs to be closed first !!
-    ssl_test_lib:close(Server),
-    close_port(OpenSslPort),
-    process_flag(trap_exit, false),
-    ok.
+    process_flag(trap_exit, false).
 
 %%--------------------------------------------------------------------
 erlang_client_openssl_server_npn(doc) ->