7 files changed, 115 insertions, 31 deletions
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index bf87644116..aaf03d1cd8 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -221,7 +221,7 @@
       <url href="http://www.ietf.org/rfc/rfc5746.txt">RFC 5746</url>. 
       By default <c>secure_renegotiate</c> is set to <c>false</c>, 
       that is, secure renegotiation is used if possible,
-      but it fallback to unsecure renegotiation if the peer
+      but it falls back to insecure renegotiation if the peer
       does not support 
       <url href="http://www.ietf.org/rfc/rfc5746.txt">RFC 5746</url>.</p>
       </item>
@@ -307,7 +307,7 @@ atom()}} |
 	<tag><c>unknown_ca</c></tag>
 	<item><p>No trusted CA was found in the trusted store. The trusted CA is
 	normally a so called ROOT CA, which is a self-signed certificate. Trust can
-	be claimed for an intermediat CA (trusted anchor does not have to be
+	be claimed for an intermediate CA (trusted anchor does not have to be
 	self-signed according to X-509) by using option <c>partial_chain</c>.</p>
 	</item>
 
@@ -352,7 +352,7 @@ marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_valid
 	  <tag><c>{http, timeout()}</c></tag>
 	  <item><p>
 	    Enables fetching of CRLs specified as http URIs in<seealso 
-	    marker="public_key:public_key_records"> X509 cerificate extensions.</seealso>
+	    marker="public_key:public_key_records"> X509 certificate extensions.</seealso>
 	    Requires the OTP inets application.</p>
 	  </item>	    
 	</taglist>    
@@ -611,14 +611,14 @@ fun(srp, Username :: string(), UserState :: term()) ->
 
       <tag><c>{sni_hosts, [{hostname(), ssloptions()}]}</c></tag>
       <item><p>If the server receives a SNI (Server Name Indication) from the client
-      matching a host listed in the <c>sni_hosts</c> option, the speicific options for
+      matching a host listed in the <c>sni_hosts</c> option, the specific options for
       that host will override previously specified options.
 
       The option <c>sni_fun</c>, and <c>sni_hosts</c> are mutually exclusive.</p></item>
 
       <tag><c>{sni_fun, SNIfun::fun()}</c></tag>
       <item><p>If the server receives a SNI (Server Name Indication) from the client,
-      the given function will be called to retrive <c>ssloptions()</c> for indicated server.
+      the given function will be called to retrieve <c>ssloptions()</c> for the indicated server.
       These options will be merged into predefined <c>ssloptions()</c>.
 
       The function should be defined as:
@@ -632,7 +632,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
       of resources of such an operation is higher for the server than the
       client. This can act as a vector for denial of service attacks. The SSL
       application already takes measures to counter-act such attempts,
-      but client-initiated renegotiation can be stricly disabled by setting
+      but client-initiated renegotiation can be strictly disabled by setting
       this option to <c>false</c>. The default value is <c>true</c>.
       Note that disabling renegotiation can result in long-lived connections
       becoming unusable due to limits on the number of messages the underlying
@@ -748,10 +748,10 @@ fun(srp, Username :: string(), UserState :: term()) ->
 	  <v>How =  timeout() | {NewController::pid(), timeout()} </v>
 	  <v>Reason = term()</v>
       </type>
-      <desc><p>Closes or downgrades an SSL connection, in the later case the transport
-      connection will be handed over to the <c>NewController</c> process after reciving
-      the TLS close alert from the peer. The retuned transport socket will have
-      the following options set [{active, false}, {packet, 0}, {mode, binary}].</p>
+      <desc><p>Closes or downgrades an SSL connection. In the latter case the transport
+      connection will be handed over to the <c>NewController</c> process after receiving
+      the TLS close alert from the peer. The returned transport socket will have
+      the following options set: <c>[{active, false}, {packet, 0}, {mode, binary}]</c></p>
       </desc>
     </func>
 
@@ -818,7 +818,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
         <v>Reason = term()</v>
       </type>
       <desc><p>Returns the connection information you requested. The connection information you can request contains protocol, cipher_suite, and sni_hostname.
-      <c>{ok, Info}</c> will be returned if it executes sucessfully. The Info is a proplists containing the information you requested.
+      <c>{ok, Info}</c> will be returned if it executes successfully. <c>Info</c> is a proplist containing the information you requested.
       Otherwise, <c>{error, Reason}</c> will be returned.</p>
       </desc>
     </func>
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 4658e76ab1..e9dc5764a3 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -56,15 +56,15 @@
 %% errors. Returns {RootCert, Path, VerifyErrors}
 %%--------------------------------------------------------------------
 trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef, PartialChainHandler) ->
-    Path = [Cert | _] = lists:reverse(CertChain),
-    OtpCert = public_key:pkix_decode_cert(Cert, otp),
+    Path = [BinCert | _] = lists:reverse(CertChain),
+    OtpCert = public_key:pkix_decode_cert(BinCert, otp),
     SignedAndIssuerID =
 	case public_key:pkix_is_self_signed(OtpCert) of
 	    true ->
 		{ok, IssuerId} = public_key:pkix_issuer_id(OtpCert, self),
 		{self, IssuerId};
 	    false ->
-		other_issuer(OtpCert, CertDbHandle)
+		other_issuer(OtpCert, BinCert, CertDbHandle)
 	end,
     
     case SignedAndIssuerID of
@@ -187,7 +187,7 @@ public_key_type(?'id-ecPublicKey') ->
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
-certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->
+certificate_chain(OtpCert, BinCert, CertDbHandle, CertsDbRef, Chain) ->
     IssuerAndSelfSigned = 
 	case public_key:pkix_is_self_signed(OtpCert) of
 	    true ->
@@ -200,7 +200,7 @@ certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->
 	{_, true = SelfSigned} ->
 	    certificate_chain(CertDbHandle, CertsDbRef, Chain, ignore, ignore, SelfSigned);
 	{{error, issuer_not_found}, SelfSigned} ->
-	    case find_issuer(OtpCert, CertDbHandle) of
+	    case find_issuer(OtpCert, BinCert, CertDbHandle) of
 		{ok, {SerialNr, Issuer}} ->
 		    certificate_chain(CertDbHandle, CertsDbRef, Chain,
 				      SerialNr, Issuer, SelfSigned);
@@ -232,12 +232,12 @@ certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned
 	    {ok, undefined, lists:reverse(Chain)}		      
     end.
 
-find_issuer(OtpCert, CertDbHandle) ->
+find_issuer(OtpCert, BinCert, CertDbHandle) ->
     IsIssuerFun =
 	fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) ->
 		case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
 		    true ->
-			case verify_cert_signer(OtpCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of
+			case verify_cert_signer(BinCert, ErlCertCandidate#'OTPCertificate'.tbsCertificate) of
 			    true ->
 				throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
 			    false ->
@@ -265,9 +265,9 @@ is_valid_extkey_usage(KeyUse, server) ->
     %% Server wants to verify client
     is_valid_key_usage(KeyUse, ?'id-kp-clientAuth').
 
-verify_cert_signer(OtpCert, SignerTBSCert) -> 
+verify_cert_signer(BinCert, SignerTBSCert) ->
     PublicKey = public_key(SignerTBSCert#'OTPTBSCertificate'.subjectPublicKeyInfo),
-    public_key:pkix_verify(public_key:pkix_encode('OTPCertificate', OtpCert, otp),  PublicKey).
+    public_key:pkix_verify(BinCert, PublicKey).
 
 public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorithm = ?'id-ecPublicKey',
 									parameters = Params},
@@ -281,12 +281,12 @@ public_key(#'OTPSubjectPublicKeyInfo'{algorithm = #'PublicKeyAlgorithm'{algorith
 				      subjectPublicKey = Key}) ->
     {Key, Params}.
 
-other_issuer(OtpCert, CertDbHandle) ->
+other_issuer(OtpCert, BinCert, CertDbHandle) ->
     case public_key:pkix_issuer_id(OtpCert, other) of
 	{ok, IssuerId} ->
 	    {other, IssuerId};
 	{error, issuer_not_found} ->
-	    case find_issuer(OtpCert, CertDbHandle) of
+	    case find_issuer(OtpCert, BinCert, CertDbHandle) of
 		{ok, IssuerId} ->
 		    {other, IssuerId};
 		Other ->
diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index 75cfecdf5e..ce6b8fb84f 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -311,9 +311,19 @@ set_pending_cipher_state(#connection_states{pending_read = Read,
 %%
 %% Description: Encodes a handshake message to send on the ssl-socket.
 %%--------------------------------------------------------------------
-encode_handshake(Frag, Version, ConnectionStates) ->
-    encode_plain_text(?HANDSHAKE, Version, Frag, ConnectionStates).
-
+encode_handshake(Frag, Version, 
+		 #connection_states{current_write = 
+					#connection_state{
+					   security_parameters =
+					       #security_parameters{bulk_cipher_algorithm = BCA}}} = 
+		     ConnectionStates) ->
+    case iolist_size(Frag) of
+	N  when N > ?MAX_PLAIN_TEXT_LENGTH ->
+	    Data = split_bin(iolist_to_binary(Frag), ?MAX_PLAIN_TEXT_LENGTH, Version, BCA),
+	    encode_iolist(?HANDSHAKE, Data, Version, ConnectionStates);
+	_  ->
+	    encode_plain_text(?HANDSHAKE, Version, Frag, ConnectionStates)
+    end.
 %%--------------------------------------------------------------------
 -spec encode_alert_record(#alert{}, ssl_version(), #connection_states{}) ->
 				 {iolist(), #connection_states{}}.
diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 999df320a3..89a62c3a4b 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -81,7 +81,7 @@ HRL_FILES_NEEDED_IN_TEST = \
 
 TARGET_FILES = $(MODULES:%=$(EBIN)/%.$(EMULATOR))
 
-INCLUDES = -I. -I$(ERL_TOP)/lib/test_server/include/
+INCLUDES = -I.
 
 DATADIRS = ssl_basic_SUITE_data
 
@@ -100,8 +100,7 @@ RELSYSDIR = $(RELEASE_PATH)/ssl_test
 # The path to the test_server ebin dir is needed when 
 # running the target "targets".
 # ----------------------------------------------------
-ERL_COMPILE_FLAGS += -pa ../../../internal_tools/test_server/ebin \
-	             $(INCLUDES) 
+ERL_COMPILE_FLAGS += $(INCLUDES)
 
 # ----------------------------------------------------
 # Targets
diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl
index 8e909a5b74..f5cada9021 100644
--- a/lib/ssl/test/erl_make_certs.erl
+++ b/lib/ssl/test/erl_make_certs.erl
@@ -334,7 +334,9 @@ make_key(dsa, _Opts) ->
     gen_dsa2(128, 20);  %% Bytes i.e. {1024, 160}
 make_key(ec, _Opts) ->
     %% (OBS: for testing only)
-    gen_ec2(secp256k1).
+    CurveOid = hd(tls_v1:ecc_curves(0)),
+    NamedCurve = pubkey_cert_records:namedCurves(CurveOid),
+    gen_ec2(NamedCurve).
     
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %% RSA key generation  (OBS: for testing only)
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index 5940a86a7f..968ef30791 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -75,7 +75,8 @@ error_handling_tests()->
      unknown_server_ca_accept_verify_none,
      unknown_server_ca_accept_verify_peer,
      unknown_server_ca_accept_backwardscompatibility,
-     no_authority_key_identifier].
+     no_authority_key_identifier,
+     no_authority_key_identifier_and_nonstandard_encoding].
 
 init_per_suite(Config0) ->
     catch crypto:stop(),
@@ -850,6 +851,68 @@ delete_authority_key_extension([Head | Rest], Acc) ->
 
 %%--------------------------------------------------------------------
 
+no_authority_key_identifier_and_nonstandard_encoding() ->
+    [{doc, "Test cert with nonstandard encoding that does not have"
+      " authorityKeyIdentifier extension but are present in trusted certs db."}].
+
+no_authority_key_identifier_and_nonstandard_encoding(Config) when is_list(Config) ->
+    ClientOpts = ?config(client_verification_opts, Config),
+    ServerOpts = ?config(server_verification_opts, Config),
+    PrivDir = ?config(priv_dir, Config),
+
+    KeyFile = filename:join(PrivDir, "otpCA/private/key.pem"),
+    [KeyEntry] = ssl_test_lib:pem_to_der(KeyFile),
+    Key = ssl_test_lib:public_key(public_key:pem_entry_decode(KeyEntry)),
+
+    CertFile = proplists:get_value(certfile, ServerOpts),
+    NewCertFile = filename:join(PrivDir, "server/new_cert.pem"),
+    [{'Certificate', DerCert, _}] = ssl_test_lib:pem_to_der(CertFile),
+    ServerCert = public_key:pkix_decode_cert(DerCert, plain),
+    ServerTbsCert = ServerCert#'Certificate'.tbsCertificate,
+    Extensions0 =  ServerTbsCert#'TBSCertificate'.extensions,
+    %% need to remove authorityKeyIdentifier extension to cause DB lookup by signature
+    Extensions = delete_authority_key_extension(Extensions0, []),
+    NewExtensions = replace_key_usage_extension(Extensions, []),
+    NewServerTbsCert = ServerTbsCert#'TBSCertificate'{extensions = NewExtensions},
+
+    ct:log("Extensions ~p~n, NewExtensions: ~p~n", [Extensions, NewExtensions]),
+
+    TbsDer = public_key:pkix_encode('TBSCertificate', NewServerTbsCert, plain),
+    Sig = public_key:sign(TbsDer, md5, Key),
+    NewServerCert = ServerCert#'Certificate'{tbsCertificate = NewServerTbsCert, signature = Sig},
+    NewDerCert = public_key:pkix_encode('Certificate', NewServerCert, plain),
+    ssl_test_lib:der_to_pem(NewCertFile, [{'Certificate', NewDerCert, not_encrypted}]),
+    NewServerOpts = [{certfile, NewCertFile} | proplists:delete(certfile, ServerOpts)],
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib,
+					       send_recv_result_active, []}},
+					{options, [{active, true} | NewServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib,
+					       send_recv_result_active, []}},
+					{options, [{verify, verify_peer} | ClientOpts]}]),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+replace_key_usage_extension([], Acc) ->
+    lists:reverse(Acc);
+replace_key_usage_extension([#'Extension'{extnID = ?'id-ce-keyUsage'} = E | Rest], Acc) ->
+    %% A nonstandard DER encoding of [digitalSignature, keyEncipherment]
+    Val = <<3, 2, 0, 16#A0>>,
+    replace_key_usage_extension(Rest, [E#'Extension'{extnValue = Val} | Acc]);
+replace_key_usage_extension([Head | Rest], Acc) ->
+    replace_key_usage_extension(Rest, [Head | Acc]).
+
+%%--------------------------------------------------------------------
+
 invalid_signature_server() ->
     [{doc,"Test client with invalid signature"}].
 
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index fc0c0e64d1..2686dfc1a1 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -818,7 +818,17 @@ rsa_suites(CounterPart) ->
 		    (_) ->
 			 false
 		 end,
-		 ssl:cipher_suites()).
+                 common_ciphers(CounterPart)).
+
+common_ciphers(crypto) ->
+    ssl:cipher_suites();
+common_ciphers(openssl) ->
+    OpenSslSuites =
+        string:tokens(string:strip(os:cmd("openssl ciphers"), right, $\n), ":"),
+    [ssl:suite_definition(S)
+     || S <- ssl_cipher:suites(tls_record:highest_protocol_version([])),
+        lists:member(ssl_cipher:openssl_suite_name(S), OpenSslSuites)
+    ].
 
 rsa_non_signed_suites() ->
     lists:filter(fun({rsa, _, _}) ->