6 files changed, 93 insertions, 48 deletions

diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index 11728128c4..057906bcb3 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,6 +1,9 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
+  {<<"7\\.2">>, [{load_module, tls_connection, soft_purge, soft_purge, []},
+		 {load_module, ssl_tls_dist_proxy, soft_purge, soft_purge, []}
+		]},
   {<<"7\\..*">>, [{restart_application, ssl}]},
   {<<"6\\..*">>, [{restart_application, ssl}]},
   {<<"5\\..*">>, [{restart_application, ssl}]},
@@ -8,6 +11,9 @@
   {<<"3\\..*">>, [{restart_application, ssl}]}
  ], 
  [
+  {<<"7\\.2">>, [{load_module, tls_connection, soft_purge, soft_purge, []},
+		 {load_module, ssl_tls_dist_proxy, soft_purge, soft_purge, []}
+		]},
   {<<"7\\..*">>, [{restart_application, ssl}]},
   {<<"6\\..*">>, [{restart_application, ssl}]},
   {<<"5\\..*">>, [{restart_application, ssl}]},
diff --git a/lib/ssl/src/ssl_tls_dist_proxy.erl b/lib/ssl/src/ssl_tls_dist_proxy.erl
index 3edd352891..080817d204 100644
--- a/lib/ssl/src/ssl_tls_dist_proxy.erl
+++ b/lib/ssl/src/ssl_tls_dist_proxy.erl
@@ -196,6 +196,7 @@ accept_loop(Proxy, world = Type, Listen, Extra) ->
     case gen_tcp:accept(Listen) of
 	{ok, Socket} ->
 	    Opts = get_ssl_options(server),
+	    wait_for_code_server(),
 	    case ssl:ssl_accept(Socket, Opts) of
 		{ok, SslSocket} ->
 		    PairHandler =
@@ -217,6 +218,35 @@ accept_loop(Proxy, world = Type, Listen, Extra) ->
     end,
     accept_loop(Proxy, Type, Listen, Extra).
 
+wait_for_code_server() ->
+    %% This is an ugly hack.  Upgrading a socket to TLS requires the
+    %% crypto module to be loaded.  Loading the crypto module triggers
+    %% its on_load function, which calls code:priv_dir/1 to find the
+    %% directory where its NIF library is.  However, distribution is
+    %% started earlier than the code server, so the code server is not
+    %% necessarily started yet, and code:priv_dir/1 might fail because
+    %% of that, if we receive an incoming connection on the
+    %% distribution port early enough.
+    %%
+    %% If the on_load function of a module fails, the module is
+    %% unloaded, and the function call that triggered loading it fails
+    %% with 'undef', which is rather confusing.
+    %%
+    %% Thus, the ssl_tls_dist_proxy process will terminate, and be
+    %% restarted by ssl_dist_sup.  However, it won't have any memory
+    %% of being asked by net_kernel to listen for incoming
+    %% connections.  Hence, the node will believe that it's open for
+    %% distribution, but it actually isn't.
+    %%
+    %% So let's avoid that by waiting for the code server to start.
+    case whereis(code_server) of
+	undefined ->
+	    timer:sleep(10),
+	    wait_for_code_server();
+	Pid when is_pid(Pid) ->
+	    ok
+    end.
+
 try_connect(Port) ->
     case gen_tcp:connect({127,0,0,1}, Port, [{active, false}, {packet,?PPRE}, nodelay()]) of
 	R = {ok, _S} ->
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index b2b85eaf8d..c3f0206d25 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -764,6 +764,8 @@ handle_tls_handshake(Handle, StateName,
     case Handle(Packet, FsmReturn) of
 	{next_state, NextStateName, State, _Timeout} ->
 	    handle_tls_handshake(Handle, NextStateName, State);
+	{next_state, NextStateName, State} ->
+	    handle_tls_handshake(Handle, NextStateName, State);
 	{stop, _,_} = Stop ->
 	    Stop
     end;
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index 9a76d603b1..77c29668b5 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -1158,23 +1158,27 @@ cipher_restriction(Config0) ->
     end.
 
 check_sane_openssl_version(Version) ->
-    case {Version, os:cmd("openssl version")} of
-	{_, "OpenSSL 1.0.2" ++ _} ->
-	    true;
-	{_, "OpenSSL 1.0.1" ++ _} ->
-	    true;
-	{'tlsv1.2', "OpenSSL 1.0" ++ _} ->
-	    false;
-	{'tlsv1.1', "OpenSSL 1.0" ++ _} ->
-	    false;
-	{'tlsv1.2', "OpenSSL 0" ++ _} ->
-	    false;
-	{'tlsv1.1', "OpenSSL 0" ++ _} ->
-	    false;
-	{_, _} ->
-	    true
+    case supports_ssl_tls_version(Version) of 
+	true ->
+	    case {Version, os:cmd("openssl version")} of
+		{_, "OpenSSL 1.0.2" ++ _} ->
+		    true;
+		{_, "OpenSSL 1.0.1" ++ _} ->
+		    true;
+		{'tlsv1.2', "OpenSSL 1.0" ++ _} ->
+		    false;
+		{'tlsv1.1', "OpenSSL 1.0" ++ _} ->
+		    false;
+		{'tlsv1.2', "OpenSSL 0" ++ _} ->
+		    false;
+		{'tlsv1.1', "OpenSSL 0" ++ _} ->
+		    false;
+		{_, _} ->
+		    true
+	    end;
+	false ->
+	    false
     end.
-
 enough_openssl_crl_support("OpenSSL 0." ++ _) -> false;
 enough_openssl_crl_support(_) -> true.
 
@@ -1198,7 +1202,9 @@ version_flag('tlsv1.1') ->
 version_flag('tlsv1.2') ->
     "-tls1_2";
 version_flag(sslv3) ->
-    "-ssl3".
+    "-ssl3";
+version_flag(sslv2) ->
+    "-ssl2".
 
 filter_suites(Ciphers0) ->
     Version = tls_record:highest_protocol_version([]),
@@ -1249,3 +1255,25 @@ portable_open_port(Exe, Args) ->
     ct:pal("open_port({spawn_executable, ~p}, [{args, ~p}, stderr_to_stdout]).", [AbsPath, Args]),
     open_port({spawn_executable, AbsPath}, 
 	      [{args, Args}, stderr_to_stdout]). 
+
+supports_ssl_tls_version(Version) ->
+    VersionFlag = version_flag(Version),
+    Exe = "openssl",
+    Args = ["s_client", VersionFlag],
+    Port = ssl_test_lib:portable_open_port(Exe, Args),
+    do_supports_ssl_tls_version(Port).
+
+do_supports_ssl_tls_version(Port) ->
+    receive 
+	{Port, {data, "unknown option"  ++ _}} -> 
+	    false;
+	{Port, {data, Data}} ->
+	    case lists:member("error", string:tokens(Data, ":")) of
+		true ->
+		    false;
+		false ->
+		    do_supports_ssl_tls_version(Port)
+	    end
+    after 500 ->
+	    true
+    end.
diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl
index 13523730b0..ecf6c4d6b8 100644
--- a/lib/ssl/test/ssl_to_openssl_SUITE.erl
+++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl
@@ -175,7 +175,12 @@ special_init(TestCase, Config)
     check_sane_openssl_renegotaite(Config, Version);
 
 special_init(ssl2_erlang_server_openssl_client, Config) ->
-    check_sane_openssl_sslv2(Config);
+    case ssl_test_lib:supports_ssl_tls_version(sslv2) of
+	true ->
+	     Config;
+	false ->
+	     {skip, "sslv2 not supported by openssl"}
+    end;
 
 special_init(TestCase, Config)
     when TestCase == erlang_client_alpn_openssl_server_alpn;
@@ -1440,7 +1445,7 @@ start_erlang_client_and_openssl_server_for_alpn_negotiation(Config, Data, Callba
 
     Exe = "openssl",
     Args = ["s_server", "-msg", "-alpn", "http/1.1,spdy/2", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version),
-	    "-cert", CertFile, "-key" ++ KeyFile],
+	    "-cert", CertFile, "-key", KeyFile],
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),  
     ssl_test_lib:wait_for_openssl_server(Port),
 
@@ -1475,7 +1480,7 @@ start_erlang_server_and_openssl_client_for_alpn_negotiation(Config, Data, Callba
     Version = tls_record:protocol_version(tls_record:highest_protocol_version([])),
 
     Exe = "openssl",
-    Args = ["s_client", "-alpn", "http/1.0,spdy/2" "-msg" "-port", 
+    Args = ["s_client", "-alpn", "http/1.0,spdy/2", "-msg", "-port", 
 	    integer_to_list(Port), ssl_test_lib:version_flag(Version),
 	    "-host", "localhost"],
 
@@ -1507,7 +1512,7 @@ start_erlang_client_and_openssl_server_for_alpn_npn_negotiation(Config, Data, Ca
     Exe = "openssl",
     Args = ["s_server", "-msg", "-alpn", "http/1.1,spdy/2", "-nextprotoneg", 
 	    "spdy/3", "-accept", integer_to_list(Port), ssl_test_lib:version_flag(Version),
-	    "-cert" ++ CertFile  ++ "-key" ++ KeyFile],
+	    "-cert", CertFile, "-key",  KeyFile],
 
     OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),  
 
@@ -1756,32 +1761,6 @@ check_sane_openssl_renegotaite(Config) ->
 	    Config
     end.
 
-check_sane_openssl_sslv2(Config) ->
-    Exe = "openssl",
-    Args = ["s_client", "-ssl2"],
-    Port = ssl_test_lib:portable_open_port(Exe, Args),
-    case supports_sslv2(Port) of
-	true ->
-	    Config;
-	false ->
-	    {skip, "sslv2 not supported by openssl"}
-    end.
-
-supports_sslv2(Port) ->
-    receive 
-	{Port, {data, "unknown option -ssl2" ++ _}} -> 
-	    false;
-	{Port, {data, Data}} ->
-	    case lists:member("error", string:tokens(Data, ":")) of
-		true ->
-		    false;
-		false ->
-		    supports_sslv2(Port)
-	    end
-    after 500 ->
-	    true
-    end.
-
 workaround_openssl_s_clinent() ->
     %% http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683159
     %% https://bugs.archlinux.org/task/33919
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index aa1af21990..9f79a7fb34 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 7.2
+SSL_VSN = 7.2.1