19 files changed, 988 insertions, 617 deletions

diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml
index 874c5dd11d..0449e83177 100644
--- a/lib/ssl/doc/src/notes.xml
+++ b/lib/ssl/doc/src/notes.xml
@@ -27,6 +27,130 @@
   </header>
   <p>This document describes the changes made to the SSL application.</p>
 
+<section><title>SSL 9.2.3.3</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Correct handshake handling, might cause strange symptoms
+	    such as ASN.1 certificate decoding issues.</p>
+          <p>
+	    Own Id: OTP-15879 Aux Id: ERL-968 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 9.2.3.2</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Returned "alert error string" is now same as logged alert
+	    string</p>
+          <p>
+	    Own Id: OTP-15844</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 9.2.3.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Correct solution for retaining tcp flow control OTP-15802
+	    (ERL-934) as to not break ssl:recv as reported in
+	    (ERL-938)</p>
+          <p>
+	    Own Id: OTP-15823 Aux Id: ERL-934, ERL-938 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 9.2.3</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Missing check of size of user_data_buffer made internal
+	    socket behave as an active socket instead of active N.
+	    This could cause memory problems.</p>
+          <p>
+	    Own Id: OTP-15802 Aux Id: ERL-934 </p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Back port of bug fix ERL-893 from OTP-22 and document
+	    enhancements that will solve dialyzer warnings for users
+	    of the ssl application.</p>
+          <p>
+	    This change also affects public_key, eldap (and inet
+	    doc).</p>
+          <p>
+	    Own Id: OTP-15785 Aux Id: ERL-929, ERL-893, PR-2215 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 9.2.2</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    With the default BEAST Mitigation strategy for TLS 1.0 an
+	    empty TLS fragment could be sent after a one-byte
+	    fragment. This glitch has been fixed.</p>
+          <p>
+	    Own Id: OTP-15054 Aux Id: ERIERL-346 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>SSL 9.2.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    The timeout for a passive receive was sometimes not
+	    cancelled and later caused a server crash. This bug has
+	    now been corrected.</p>
+          <p>
+	    Own Id: OTP-14701 Aux Id: ERL-883, ERL-884 </p>
+        </item>
+        <item>
+          <p>
+	    Add tag for passive message (active N) in cb_info to
+	    retain transport transparency.</p>
+          <p>
+	    Own Id: OTP-15679 Aux Id: ERL-861 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>SSL 9.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/ssl/doc/src/ssl.xml b/lib/ssl/doc/src/ssl.xml
index 90a9181ede..c448d345de 100644
--- a/lib/ssl/doc/src/ssl.xml
+++ b/lib/ssl/doc/src/ssl.xml
@@ -101,16 +101,21 @@
     <datatype>
       <name name="transport_option"/>
       <desc>
-	<p>Defaults to <c>{gen_tcp, tcp, tcp_closed, tcp_error}</c>
-	for TLS and <c>{gen_udp, udp, udp_closed, udp_error}</c> for
-	DTLS. Can be used to customize the transport layer. The tag
-	values should be the values used by the underlying transport
-	in its active mode messages. For TLS the callback module must implement a
-	reliable transport protocol, behave as <c>gen_tcp</c>, and have functions
-	corresponding to <c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
-	<c>inet:peername/1</c>, <c>inet:sockname/1</c>, and <c>inet:port/1</c>.
-	The callback <c>gen_tcp</c> is treated specially and calls <c>inet</c>
-	directly. For DTLS this feature must be considered exprimental.
+	<p>Defaults to <c>{gen_tcp, tcp, tcp_closed, tcp_error,
+	tcp_passive}</c> for TLS (for backward compatibility a four
+	tuple will be converted to a five tuple with the last element
+	"second_element"_passive) and <c>{gen_udp, udp, udp_closed,
+	udp_error}</c> for DTLS (might also be changed to five tuple in
+	the future). Can be used to customize the transport layer. The
+	tag values should be the values used by the underlying
+	transport in its active mode messages. For TLS the callback
+	module must implement a reliable transport protocol, behave as
+	<c>gen_tcp</c>, and have functions corresponding to
+	<c>inet:setopts/2</c>, <c>inet:getopts/2</c>,
+	<c>inet:peername/1</c>, <c>inet:sockname/1</c>, and
+	<c>inet:port/1</c>.  The callback <c>gen_tcp</c> is treated
+	specially and calls <c>inet</c> directly. For DTLS this
+	feature must be considered exprimental.
 	</p>
       </desc>
     </datatype>
@@ -123,7 +128,7 @@
       <name name="hostname"/>
      </datatype>
 
-       <datatype>
+     <datatype>
       <name name="ip_address"/>
      </datatype>
 
@@ -131,19 +136,19 @@
        <name name="protocol_version"/>
      </datatype>
 
-       <datatype>
+     <datatype>
        <name name="tls_version"/>
      </datatype>
-     
+
      <datatype>
        <name name="dtls_version"/>
      </datatype>
-     
+
      <datatype>
        <name name="legacy_version"/>
      </datatype>
-     
-       <datatype>
+
+     <datatype>
        <name name="prf_random"/>
      </datatype>
      
@@ -204,10 +209,6 @@
      </datatype>
 
      <datatype>
-      <name name="eccs"/>
-     </datatype>
-
-     <datatype>
       <name name="named_curve"/>
      </datatype>
 
@@ -239,6 +240,10 @@
       <name name="tls_alert"/>
      </datatype>
 
+     <datatype>
+      <name name="reason"/>
+     </datatype>
+
     <datatype_title>TLS/DTLS OPTION DESCRIPTIONS - COMMON for SERVER and CLIENT</datatype_title>
     
     <datatype>
@@ -327,14 +332,7 @@
 	matters.</p>
       </desc>
     </datatype>
-    
-    <datatype>
-      <name name="eccs"/>
-      <desc><p> Allows to specify the order of preference for named curves
-      and to restrict their usage when using a cipher suite supporting them.</p>
-      </desc>
-    </datatype>
-    
+
     <datatype>
       <name name="secure_renegotiation"/>
       <desc><p>Specifies if to reject renegotiation attempt that does
@@ -1066,13 +1064,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
   <funcs>
 
     <func>
-      <name since="OTP 20.3">append_cipher_suites(Deferred, Suites) -> ciphers() </name>
+      <name name="append_cipher_suites" arity="2" since="OTP 20.3"/>
       <fsummary></fsummary>
-      <type>
-        <v>Deferred = <seealso marker="#type-ciphers">ciphers()</seealso> |
-	<seealso marker="#type-cipher_filters">cipher_filters()</seealso></v>
-	<v>Suites  =  <seealso marker="#type-ciphers">ciphers()</seealso></v>
-      </type>
       <desc><p>Make <c>Deferred</c> suites become the least preferred
       suites, that is put them at the end of the cipher suite list
       <c>Suites</c> after removing them from <c>Suites</c> if
@@ -1083,25 +1076,18 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="OTP R14B">cipher_suites() -></name>
-      <name since="OTP R14B">cipher_suites(Type) -> [old_cipher_suite()]</name>
+      <name name="cipher_suites" arity="0" since="OTP R14B"/>
+      <name name="cipher_suites" arity="1" since="OTP R14B"/>
       <fsummary>Returns a list of supported cipher suites.</fsummary>
-      <type>
-        <v>Type = erlang | openssl | all</v>
-      </type>
       <desc>
 	<p>Deprecated in OTP 21, use <seealso marker="#cipher_suites-2">cipher_suites/2</seealso> instead.</p>
       </desc>
     </func>
     
    <func>
-      <name since="OTP 20.3">cipher_suites(Supported, Version) ->  ciphers()</name>
+      <name name="cipher_suites" arity="2" since="OTP 20.3"/>
       <fsummary>Returns a list of all default or
       all supported cipher suites.</fsummary>
-      <type>
-        <v> Supported = default | all | anonymous </v>
-	<v> Version = <seealso marker="#type-protocol_version">protocol_version() </seealso></v>
-      </type>
       <desc><p>Returns all default or all supported (except anonymous),
       or all anonymous cipher suites for a
       TLS version</p>
@@ -1109,16 +1095,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 19.2">eccs() -></name>
-      <name since="OTP 19.2">eccs(Version) -> NamedCurves</name>
+      <name name="eccs" arity="0" since="OTP 19.2"/>
+      <name name="eccs" arity="1" since="OTP 19.2"/>
       <fsummary>Returns a list of supported ECCs.</fsummary>
-
-      <type>
-	<v> Version = <seealso marker="#type-protocol_version">protocol_version() </seealso></v>
-	<v> NamedCurves = <seealso marker="#type-named_curve">[named_curve()] </seealso></v>
-	
-      </type>
-      
       <desc><p>Returns a list of supported ECCs. <c>eccs()</c>
       is equivalent to calling <c>eccs(Protocol)</c> with all
       supported protocols and then deduplicating the output.</p>
@@ -1126,9 +1105,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="OTP 17.5">clear_pem_cache() -> ok </name>
+      <name name="clear_pem_cache" arity="0" since="OTP 17.5"/>
       <fsummary> Clears the pem cache</fsummary>
-
       <desc><p>PEM files, used by ssl API-functions, are cached. The
       cache is regularly checked to see if any cache entries should be
       invalidated, however this function provides a way to
@@ -1138,19 +1116,10 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
    
     <func>
-      <name since="OTP R14B">connect(Socket, Options) -> </name>
-      <name since="">connect(Socket, Options, Timeout) -> {ok, SslSocket} | {ok, SslSocket, Ext}
-	| {error, Reason}</name>
+      <name name="connect" arity="2" since="OTP R14B"/>
+      <name name="connect" arity="3" clause_i="1" since=""/>
       <fsummary>Upgrades a <c>gen_tcp</c>, or
 	equivalent, connected socket to an TLS socket.</fsummary>
-      <type>
-	<v>Socket = <seealso marker="#type-socket"> socket() </seealso></v>
-	<v>Options = <seealso marker="#type-tls_client_option"> [tls_client_option()] </seealso></v>
-	<v>Timeout = timeout()</v>
-	<v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	<v>Ext = <seealso marker="#type-protocol_extensions">protocol_extensions()</seealso></v>
-	<v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc><p>Upgrades a <c>gen_tcp</c>, or equivalent,
 	  connected socket to an TLS socket, that is, performs the
 	  client-side TLS handshake.</p>
@@ -1182,18 +1151,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="">connect(Host, Port, Options) -></name>
-      <name since="">connect(Host, Port, Options, Timeout) ->
-	  {ok, SslSocket}| {ok, SslSocket, Ext} | {error, Reason}</name>
+      <name since="" name="connect" arity="3" clause_i="2"/>
+      <name since="" name="connect" arity="4"/>
       <fsummary>Opens an TLS/DTLS connection to <c>Host</c>, <c>Port</c>.</fsummary>
-      <type>
-	  <v>Host =<seealso marker="#type-host"> host() </seealso> </v>
-	  <v>Port = <seealso marker="kernel:inet#type-port_number">inet:port_number()</seealso></v>
-	  <v>Options = <seealso marker="#type-tls_client_option"> [tls_client_option()]</seealso></v>
-	  <v>Timeout = timeout()</v>
-	  <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	  <v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc><p>Opens an TLS/DTLS connection to <c>Host</c>, <c>Port</c>.</p>
       
       <p> When the option <c>verify</c> is set to <c>verify_peer</c> the check 
@@ -1230,24 +1190,15 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="">close(SslSocket) -> ok | {error, Reason}</name>
+      <name since="" name="close" arity="1" />
       <fsummary>Closes an TLS/DTLS connection.</fsummary>
-      <type>
-	  <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	  <v>Reason = term()</v>
-      </type>
       <desc><p>Closes an TLS/DTLS connection.</p>
       </desc>
     </func>
 
     <func>
-      <name since="OTP 18.1">close(SslSocket, How) -> ok | {ok, port()} | {error, Reason}</name>
+      <name since="OTP 18.1" name="close" arity="2"/>
       <fsummary>Closes an TLS connection.</fsummary>
-      <type>
-	  <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	  <v>How =  timeout() | {NewController::pid(), timeout()} </v>
-	  <v>Reason = term()</v>
-      </type>
       <desc><p>Closes or downgrades an TLS connection. In the latter case the transport
       connection will be handed over to the <c>NewController</c> process after receiving
       the TLS close alert from the peer. The returned transport socket will have
@@ -1256,15 +1207,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">controlling_process(SslSocket, NewOwner) ->
-	ok | {error, Reason}</name>
+      <name since="" name="controlling_process" arity="2" />
 	<fsummary>Assigns a new controlling process to the
 	TLS/DTLS socket.</fsummary>
-	<type>
-	  <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	  <v>NewOwner = pid()</v>
-	  <v>Reason = term()</v>
-	</type>
 	<desc><p>Assigns a new controlling process to the SSL socket. A
 	controlling process is the owner of an SSL socket, and receives
 	all messages from the socket.</p>
@@ -1272,17 +1217,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 18.0">connection_information(SslSocket) ->
-        {ok, Result} |  {error, Reason} </name>
+      <name since="OTP 18.0" name="connection_information" arity="1"/>
       <fsummary>Returns all the connection information.
       </fsummary>
-      <type>
-	<v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Item = protocol | selected_cipher_suite | sni_hostname | ecc | session_id | atom()</v>
-	<d>Meaningful atoms, not specified above, are the ssl option names.</d>
-	<v>Result = [{Item::atom(), Value::term()}]</v>
-        <v>Reason = term()</v>
-      </type>
       <desc><p>Returns the most relevant information about the connection, ssl options that
       are undefined will be filtered out. Note that values that affect the security of the
       connection will only be returned if explicitly requested by connection_information/2.</p>
@@ -1293,34 +1230,23 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 18.0">connection_information(SslSocket, Items) ->
-        {ok, Result} |  {error, Reason} </name>
+      <name since="OTP 18.0" name="connection_information" arity="2"/>
       <fsummary>Returns the requested connection information.
       </fsummary>
-      <type>
-	<v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	<v>Items = [Item]</v>
-	<v>Item = protocol | cipher_suite | sni_hostname | ecc | session_id | client_random 
-          | server_random  | master_secret | atom()</v>
-	<d>Note that client_random, server_random  and master_secret are values
-        that affect the security of connection. Meaningful atoms, not specified above, are the ssl option names.</d>
-	<v>Result = [{Item::atom(), Value::term()}]</v>
-        <v>Reason = term()</v>
-      </type>
       <desc><p>Returns the requested information items about the connection,
       if they are defined.</p>
+      <p>Note that client_random, server_random  and master_secret are values
+      that affect the security of connection. Meaningful atoms, not specified
+      above, are the ssl option names.</p>
+
       <note><p>If only undefined options are requested the
       resulting list can be empty.</p></note>
       </desc>
     </func>
 
       <func>
-      <name since="OTP 20.3">filter_cipher_suites(Suites, Filters) -> ciphers()</name>
+      <name since="OTP 20.3" name="filter_cipher_suites" arity="2" />
       <fsummary></fsummary>
-      <type>
-	<v> Suites =  <seealso marker="#type-ciphers"> ciphers() </seealso></v>
-        <v> Filters =  <seealso marker="#type-cipher_filters"> cipher_filters() </seealso></v>
-      </type>
       <desc><p>Removes cipher suites if any of the filter functions
       returns false for any part of the cipher suite. This function
       also calls default filter functions to make sure the cipher
@@ -1330,24 +1256,16 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">format_error(Reason) -> string()</name>
+      <name since="" name="format_error" arity="1" />
       <fsummary>Returns an error string.</fsummary>
-      <type>
-        <v>Reason = term()</v>
-      </type>
       <desc>
         <p>Presents the error returned by an SSL function as a printable string.</p>
       </desc>
     </func>
    
     <func>
-      <name since="">getopts(SslSocket, OptionNames) ->
-	{ok, [socketoption()]} | {error, Reason}</name>
+      <name since="" name="getopts" arity="2" />
       <fsummary>Gets the values of the specified options.</fsummary>
-      <type>
-	<v>Socket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	<v>OptionNames = [atom()]</v>
-      </type>
       <desc>
 	<p>Gets the values of the specified socket options.
 	</p>
@@ -1355,16 +1273,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 19.0">getstat(SslSocket) ->
-        {ok, OptionValues} | {error, inet:posix()}</name>
-      <name since="OTP 19.0">getstat(SslSocket, OptionNames) ->
-        {ok, OptionValues} | {error, inet:posix()}</name>
+      <name since="OTP 19.0" name="getstat" arity="1" />
+      <name since="OTP 19.0" name="getstat" arity="2" />
       <fsummary>Get one or more statistic options for a socket</fsummary>
-      <type>
-    <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-    <v>OptionNames = [atom()]</v>
-        <v>OptionValues = [{inet:stat_option(), integer()}]</v>
-      </type>
       <desc>
         <p>Gets one or more statistic options for the underlying TCP socket.</p>
         <p>See inet:getstat/2 for statistic options description.</p>
@@ -1372,14 +1283,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 21.0">handshake(HsSocket) -> </name>
-      <name since="OTP 21.0">handshake(HsSocket, Timeout) -> {ok, SslSocket}  | {error, Reason}</name>
+      <name since="OTP 21.0" name="handshake" arity="1" />
+      <name since="OTP 21.0" name="handshake" arity="2" clause_i="1" />
       <fsummary>Performs server-side SSL/TLS handshake.</fsummary>
-      <type>
-        <v>HsSocket = SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Timeout = timeout()</v>
-        <v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc>
         <p>Performs the SSL/TLS/DTLS server-side handshake.</p>
 	<p>Returns a new TLS/DTLS socket if the handshake is successful.</p>
@@ -1392,17 +1298,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 21.0">handshake(Socket, Options) -> </name>
-      <name since="OTP 21.0">handshake(Socket, Options, Timeout) -> {ok, SslSocket} | {ok, SslSocket, Ext} | {error, Reason}</name>
+      <name since="OTP 21.0" name="handshake" arity="2" clause_i="2" />
+      <name since="OTP 21.0" name="handshake" arity="3" />
       <fsummary>Performs server-side SSL/TLS/DTLS handshake.</fsummary>
-      <type>
-        <v>Socket = socket() |  <seealso marker="#type-sslsocket"> socket() </seealso> </v>
-	<v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso> </v>
-	<v>Ext =  <seealso marker="#type-protocol_extensions">protocol_extensions()</seealso></v>
-	<v>Options = <seealso marker="#type-tls_server_option"> [server_option()] </seealso>  </v>
-        <v>Timeout = timeout()</v>
-        <v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc>
         <p>If <c>Socket</c> is a ordinary <c>socket()</c>: upgrades a <c>gen_tcp</c>,
 	or equivalent, socket to an SSL socket, that is, performs
@@ -1438,52 +1336,33 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 21.0">handshake_cancel(SslSocket) -> ok </name>
+      <name since="OTP 21.0" name="handshake_cancel" arity="1" />
       <fsummary>Cancel handshake with a fatal alert</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-      </type>
       <desc>
         <p>Cancel the handshake with a fatal <c>USER_CANCELED</c> alert.</p>
       </desc>
     </func>
 
     <func>
-      <name since="OTP 21.0">handshake_continue(HsSocket, Options) -> {ok, SslSocket} | {error, Reason}</name>
-      <name since="OTP 21.0">handshake_continue(HsSocket, Options, Timeout) -> {ok, SslSocket} | {error, Reason}</name>
+      <name since="OTP 21.0" name="handshake_continue" arity="2" />
+      <name since="OTP 21.0" name="handshake_continue" arity="3" />
       <fsummary>Continue the SSL/TLS handshake.</fsummary>
-      <type>
-	<v>HsSocket = SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	<v>Options = <seealso marker="#type-tls_option"> tls_option() </seealso> </v>
-	<v>Timeout = timeout()</v>
-	<v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc>
         <p>Continue the SSL/TLS handshake possiby with new, additional or changed options.</p>
       </desc>
     </func>
     
     <func>
-      <name since="">listen(Port, Options) ->
-	{ok, ListenSocket} | {error, Reason}</name>
+      <name since="" name="listen" arity="2" />
       <fsummary>Creates an SSL listen socket.</fsummary>
-      <type>
-	<v>Port = <seealso marker="kernel:inet#type-port_number">inet:port_number()</seealso></v>
-	<v>Options = <seealso marker="#type-tls_server_option"> [server_option()] </seealso></v>
-	<v>ListenSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-      </type>
       <desc>
 	<p>Creates an SSL listen socket.</p>
       </desc>
     </func>
 
     <func>
-      <name since="OTP 18.0">negotiated_protocol(SslSocket) -> {ok, Protocol} | {error, protocol_not_negotiated}</name>
+      <name since="OTP 18.0" name="negotiated_protocol" arity="1" />
       <fsummary>Returns the protocol negotiated through ALPN or NPN extensions.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Protocol = binary()</v>
-      </type>
       <desc>
         <p>
           Returns the protocol negotiated through ALPN or NPN extensions.
@@ -1492,12 +1371,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">peercert(SslSocket) -> {ok, Cert} | {error, Reason}</name>
+      <name since="" name="peercert" arity="1" />
       <fsummary>Returns the peer certificate.</fsummary>
-     <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Cert = binary()</v>
-      </type>
       <desc>
         <p>The peer certificate is returned as a DER-encoded binary.
 	  The certificate can be decoded with
@@ -1507,27 +1382,16 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="">peername(SslSocket) -> {ok, {Address, Port}} |
-	{error, Reason}</name>
+      <name since="" name="peername" arity="1" />
       <fsummary>Returns the peer address and port.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Address = ipaddress()</v>
-	<v>Port = <seealso marker="kernel:inet#type-port_number">inet:port_number()</seealso></v>
-      </type>
       <desc>
         <p>Returns the address and port number of the peer.</p>
       </desc>
     </func>
     
       <func>
-      <name since="OTP 20.3">prepend_cipher_suites(Preferred, Suites) -> ciphers()</name>
+      <name since="OTP 20.3" name="prepend_cipher_suites" arity="2" />
       <fsummary></fsummary>
-      <type>
-	<v>Preferred = <seealso marker="#type-ciphers">ciphers()</seealso> |
-	<seealso marker="#type-cipher_filters">cipher_filters()</seealso></v>
-	<v>Suites  =  <seealso marker="#type-ciphers">ciphers()</seealso></v>
-      </type>
       <desc><p>Make <c>Preferred</c> suites become the most preferred
       suites that is put them at the head of the cipher suite list
       <c>Suites</c> after removing them from <c>Suites</c> if
@@ -1538,15 +1402,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP R15B01">prf(Socket, Secret, Label, Seed, WantedLength) -> {ok, binary()} | {error, reason()}</name>
+      <name since="OTP R15B01" name="prf" arity="5" />
       <fsummary>Uses a session Pseudo-Random Function to generate key material.</fsummary>
-      <type>
-	<v>Socket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	<v>Secret = binary() | master_secret</v>
-	<v>Label = binary()</v>
-	<v>Seed = [binary() | <seealso marker="#type-prf_random"> prf_random()</seealso>]</v>
-	<v>WantedLength = non_neg_integer()</v>
-      </type>
       <desc>
         <p>Uses the Pseudo-Random Function (PRF) of a TLS session to generate
 	  extra key material. It either takes user-generated values for
@@ -1558,16 +1415,14 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">recv(SslSocket, Length) -> </name>
-      <name since="">recv(SslSocket, Length, Timeout) -> {ok, Data} | {error,
-	Reason}</name>
+      <name since="" name="recv" arity="2" />
+      <name since="" name="recv" arity="3" />
       <fsummary>Receives data on a socket.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Length = integer()</v>
-        <v>Timeout = timeout()</v>
-        <v>Data = [char()] | binary()</v>
-      </type>
+      <type_desc variable="HttpPacket">See the description of
+        <c>HttpPacket</c> in
+        <seealso marker="erts:erlang#decode_packet/3"><c>erlang:decode_packet/3</c></seealso>
+	in ERTS.
+      </type_desc>
       <desc>
         <p>Receives a packet from a socket in passive
           mode. A closed socket is indicated by return value
@@ -1585,11 +1440,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="OTP R14B">renegotiate(SslSocket) -> ok | {error, Reason}</name>
+      <name since="OTP R14B" name="renegotiate" arity="1" />
       <fsummary>Initiates a new handshake.</fsummary>
-      <type>
-	<v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-      </type>
       <desc><p>Initiates a new handshake. A notable return value is
       <c>{error, renegotiation_rejected}</c> indicating that the peer
       refused to go through with the renegotiation, but the connection
@@ -1598,40 +1450,27 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">send(SslSocket, Data) -> ok | {error, Reason}</name>
+      <name since="" name="send" arity="2" />
       <fsummary>Writes data to a socket.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Data = iodata()</v>
-      </type>
       <desc>
-        <p>Writes <c>Data</c> to <c>Socket</c>.</p>
+        <p>Writes <c>Data</c> to <c>SslSocket</c>.</p>
         <p>A notable return value is <c>{error, closed}</c> indicating that
           the socket is closed.</p>
       </desc>
     </func>
 
     <func>
-      <name since="">setopts(SslSocket, Options) -> ok | {error, Reason}</name>
+      <name since="" name="setopts" arity="2" />
       <fsummary>Sets socket options.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Options = <seealso marker="#type-socket_option"> [socket_option()] </seealso></v>
-      </type>
       <desc>
         <p>Sets options according to <c>Options</c> for socket
-          <c>Socket</c>.</p>
+          <c>SslSocket</c>.</p>
       </desc>
     </func>
 
     <func>
-      <name since="OTP R14B">shutdown(SslSocket, How) -> ok | {error, Reason}</name>
+      <name since="OTP R14B" name="shutdown" arity="2" />
       <fsummary>Immediately closes a socket.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>How = read | write | read_write</v>
-        <v>Reason = reason()</v>
-      </type>
       <desc>
         <p>Immediately closes a socket in one or two directions.</p>
         <p><c>How == write</c> means closing the socket for writing,
@@ -1643,14 +1482,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">ssl_accept(SslSocket) -> </name>
-      <name since="">ssl_accept(SslSocket, Timeout) -> ok | {error, Reason}</name>
+      <name since="" name="ssl_accept" arity="1" />
+      <name since="" name="ssl_accept" arity="2" />
       <fsummary>Performs server-side SSL/TLS handshake.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Timeout = timeout()</v>
-        <v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc>
 	<p>Deprecated in OTP 21, use <seealso marker="#handshake-1">handshake/[1,2]</seealso> instead.</p>
 	<note><p>handshake/[1,2] always returns a new socket.</p></note>
@@ -1658,15 +1492,8 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="">ssl_accept(Socket, Options) -> </name>
-      <name since="OTP R14B">ssl_accept(Socket, Options, Timeout) -> {ok, Socket} | ok | {error, Reason}</name>
+      <name since="OTP R14B" name="ssl_accept" arity="3" />
       <fsummary>Performs server-side SSL/TLS/DTLS handshake.</fsummary>
-      <type>
-        <v>Socket = socket() |  <seealso marker="#type-sslsocket"> sslsocket() </seealso> </v>
-	<v>Options =  <seealso marker="#type-tls_server_option"> [server_option()] </seealso> </v>
-        <v>Timeout = timeout()</v>
-        <v>Reason = closed | timeout | <seealso marker="#type-error_alert"> error_alert() </seealso></v>
-      </type>
       <desc>
 	<p>Deprecated in OTP 21, use  <seealso marker="#handshake-3">handshake/[2,3]</seealso> instead.</p>
 	<note><p>handshake/[2,3] always returns a new socket.</p></note>
@@ -1674,27 +1501,18 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="">sockname(SslSocket) -> {ok, {Address, Port}} |
-	{error, Reason}</name>
+      <name since="" name="sockname" arity="1" />
       <fsummary>Returns the local address and port.</fsummary>
-      <type>
-        <v>SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-	<v>Address = <seealso marker="#type-ip_address">ip_address()</seealso></v>
-	<v>Port = <seealso marker="kernel:inet#type-port_number">inet:port_number()</seealso></v>
-      </type>
       <desc>
         <p>Returns the local address and port number of socket
-          <c>Socket</c>.</p>
+          <c>SslSocket</c>.</p>
       </desc>
     </func>
     
     <func>
-      <name since="OTP R14B">start() -> </name>
+      <name since="OTP R14B" name="start" arity="0" />
       <name since="OTP R14B">start(Type) -> ok | {error, Reason}</name>
       <fsummary>Starts the SSL application.</fsummary>
-      <type>
-        <v>Type = permanent | transient | temporary</v>
-      </type>
       <desc>
         <p>Starts the SSL application. Default type
           is <c>temporary</c>.</p>
@@ -1702,7 +1520,7 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP R14B">stop() -> ok </name>
+      <name since="OTP R14B" name="stop" arity="0" />
       <fsummary>Stops the SSL application.</fsummary>
       <desc>
         <p>Stops the SSL application.</p>
@@ -1710,28 +1528,18 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
 
     <func>
-      <name since="OTP 21.0">suite_to_str(CipherSuite) -> String</name>
+      <name since="OTP 21.0" name="suite_to_str" arity="1" clause_i="1" />
       <fsummary>Returns the string representation of a cipher suite.</fsummary>
-      <type>
-        <v>CipherSuite =  <seealso marker="#type-erl_cipher_suite"> erl_cipher_suite() </seealso></v>
-	<v>String = string()</v>
-      </type>
       <desc>
         <p>Returns the string representation of a cipher suite.</p>
       </desc>
     </func>
 
     <func>
-      <name since="">transport_accept(ListenSocket) -></name>
-      <name since="">transport_accept(ListenSocket, Timeout) ->
-	{ok, SslSocket} | {error, Reason}</name>
+      <name since="" name="transport_accept" arity="1" />
+      <name since="" name="transport_accept" arity="2" />
       <fsummary>Accepts an incoming connection and
 	prepares for <c>ssl_accept</c>.</fsummary>
-      <type>
-        <v>ListenSocket = SslSocket =  <seealso marker="#type-sslsocket"> sslsocket() </seealso></v>
-        <v>Timeout = timeout()</v>
-        <v>Reason = reason()</v>
-      </type>
       <desc>
         <p>Accepts an incoming connection request on a listen socket.
 	<c>ListenSocket</c> must be a socket returned from
@@ -1757,13 +1565,9 @@ fun(srp, Username :: string(), UserState :: term()) ->
     </func>
     
     <func>
-      <name since="OTP R14B">versions() -> [versions_info()]</name>
+      <name since="OTP R14B" name="versions" arity="0" />
       <fsummary>Returns version information relevant for the
 	SSL application.</fsummary>
-      <type>
-	<v>versions_info() = {app_vsn, string()} | {supported | available, [ssl_tls_protocol()]} |
-	{supported_dtls | available_dtls, [dtls_protocol()]}	</v>
-      </type>
       <desc>
 	<p>Returns version information relevant for the SSL
 	application.</p>
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl
index 2c6b71c97a..721689da8b 100644
--- a/lib/ssl/src/dtls_connection.erl
+++ b/lib/ssl/src/dtls_connection.erl
@@ -50,7 +50,7 @@
 -export([encode_alert/3, send_alert/2, send_alert_in_connection/2, close/5, protocol_name/0]).
 
 %% Data handling
--export([next_record/1, socket/4, setopts/3, getopts/3]).
+-export([socket/4, setopts/3, getopts/3]).
 
 %% gen_statem state functions
 -export([init/3, error/3, downgrade/3, %% Initiation and take down states
@@ -434,12 +434,12 @@ init({call, From}, {start, Timeout},
     HelloVersion = dtls_record:hello_version(Version, SslOpts#ssl_options.versions),
     State1 = prepare_flight(State0#state{connection_env = CEnv#connection_env{negotiated_version = Version}}),
     {State2, Actions} = send_handshake(Hello, State1#state{connection_env = CEnv#connection_env{negotiated_version = HelloVersion}}),  
-    State3 = State2#state{connection_env = CEnv#connection_env{negotiated_version = Version}, %% RequestedVersion
+    State = State2#state{connection_env = CEnv#connection_env{negotiated_version = Version}, %% RequestedVersion
 			  session =
 			      Session0#session{session_id = Hello#client_hello.session_id},
 			  start_or_recv_from = From},
-    {Record, State} = next_record(State3),
-    next_event(hello, Record, State, [{{timeout, handshake}, Timeout, close} | Actions]);
+
+    next_event(hello, no_record, State, [{{timeout, handshake}, Timeout, close} | Actions]);
 init({call, _} = Type, Event, #state{static_env = #static_env{role = server},
                                      protocol_specific = PS} = State) ->
     Result = gen_handshake(?FUNCTION_NAME, Type, Event, 
@@ -497,9 +497,8 @@ hello(internal, #client_hello{cookie = <<>>,
     %% negotiated.
     VerifyRequest = dtls_handshake:hello_verify_request(Cookie, ?HELLO_VERIFY_REQUEST_VERSION),
     State1 = prepare_flight(State0#state{connection_env = CEnv#connection_env{negotiated_version = Version}}),
-    {State2, Actions} = send_handshake(VerifyRequest, State1),
-    {Record, State} = next_record(State2),
-    next_event(?FUNCTION_NAME, Record, 
+    {State, Actions} = send_handshake(VerifyRequest, State1),
+    next_event(?FUNCTION_NAME, no_record, 
                State#state{handshake_env = HsEnv#handshake_env{
                                              tls_handshake_history = 
                                                  ssl_handshake:init_handshake_history()}}, 
@@ -701,12 +700,10 @@ connection(internal, #hello_request{}, #state{static_env = #static_env{host = Ho
     HelloVersion = dtls_record:hello_version(Version, SslOpts#ssl_options.versions),
     State1 = prepare_flight(State0),
     {State2, Actions} = send_handshake(Hello, State1#state{connection_env = CEnv#connection_env{negotiated_version = HelloVersion}}),
-    {Record, State} =
-	next_record(
-	  State2#state{protocol_specific = PS#{flight_state => initial_flight_state(DataTag)},
-                       session = Session0#session{session_id
-                                                  = Hello#client_hello.session_id}}),
-    next_event(hello, Record, State, Actions);
+    State = State2#state{protocol_specific = PS#{flight_state => initial_flight_state(DataTag)},
+                         session = Session0#session{session_id
+                                                    = Hello#client_hello.session_id}},
+    next_event(hello, no_record, State, Actions);
 connection(internal, #client_hello{} = Hello, #state{static_env = #static_env{role = server},
                                                      handshake_env = #handshake_env{allow_renegotiate = true} = HsEnv} = State) ->
     %% Mitigate Computational DoS attack
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index fb6b7ba8e8..00a7f0a53a 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -82,20 +82,25 @@
               protocol_extensions/0,
               session_id/0,
               error_alert/0,
-              srp_param_type/0]).
+              tls_alert/0,
+              srp_param_type/0,
+              named_curve/0]).
 
 %% -------------------------------------------------------------------------------------------------------
--type socket()                   :: gen_tcp:socket().
--type socket_option()            :: gen_tcp:connect_option() | gen_tcp:listen_option() | gen_udp:option().
--type sslsocket()                :: any().
--type tls_option()               :: tls_client_option() | tls_server_option().
--type tls_client_option()        :: client_option() | common_option() | socket_option() |  transport_option().
--type tls_server_option()        :: server_option() | common_option() | socket_option() | transport_option().
+
+-type socket()                   :: gen_tcp:socket(). % exported
+-type socket_option()            :: gen_tcp:connect_option() | gen_tcp:listen_option() | gen_udp:option(). % exported
+-type sslsocket()                :: any(). % exported
+-type tls_option()               :: tls_client_option() | tls_server_option(). % exported
+-type tls_client_option()        :: client_option() | common_option() | socket_option() |  transport_option(). % exported
+-type tls_server_option()        :: server_option() | common_option() | socket_option() | transport_option(). % exported
 -type active_msgs()              :: {ssl, sslsocket(), Data::binary() | list()} | {ssl_closed, sslsocket()} |
-                                    {ssl_error, sslsocket(), Reason::term()} | {ssl_passive, sslsocket()}.
+                                    {ssl_error, sslsocket(), Reason::any()} | {ssl_passive, sslsocket()}. % exported
 -type transport_option()         :: {cb_info, {CallbackModule::atom(), DataTag::atom(),
-				       ClosedTag::atom(), ErrTag::atom()}}.
--type host()                     :: hostname() | ip_address().
+                                               ClosedTag::atom(), ErrTag::atom()}} |  
+                                    {cb_info, {CallbackModule::atom(), DataTag::atom(),
+                                               ClosedTag::atom(), ErrTag::atom(), PassiveTag::atom()}}.
+-type host()                     :: hostname() | ip_address(). % exported
 -type hostname()                 :: string().
 -type ip_address()               :: inet:ip_address().
 -type session_id()               :: binary().
@@ -109,14 +114,14 @@
                                     aes_128_gcm |
                                     aes_256_gcm |
                                     chacha20_poly1305 |
-                                    legacy_cipher().
+                                    legacy_cipher(). % exported
 -type legacy_cipher()            ::  rc4_128 |
                                      des_cbc |
                                      '3des_ede_cbc'.
 
 -type hash()                     :: sha |
                                     sha2() |
-                                    legacy_hash().
+                                    legacy_hash(). % exported
 
 -type sha2()                    ::  sha224 |
                                     sha256 |
@@ -125,14 +130,15 @@
 
 -type legacy_hash()             :: md5.
 
--type sign_algo()               :: rsa | dsa | ecdsa.
+-type sign_algo()               :: rsa | dsa | ecdsa. % exported
+
 -type kex_algo()                :: rsa |
                                    dhe_rsa | dhe_dss |
                                    ecdhe_ecdsa | ecdh_ecdsa | ecdh_rsa |
                                    srp_rsa| srp_dss |
                                    psk | dhe_psk | rsa_psk |
-                                   dh_anon | ecdh_anon | srp_anon |
-                                   any. %% TLS 1.3
+                                   dh_anon | ecdh_anon | srp_anon.
+
 -type erl_cipher_suite()       :: #{key_exchange := kex_algo(),
                                     cipher := cipher(),
                                     mac    := hash() | aead,
@@ -170,7 +176,7 @@
                                  sect163r2 |
                                  secp160k1 |
                                  secp160r1 |
-                                 secp160r2.
+                                 secp160r2. % exported
 
 -type srp_param_type()        :: srp_1024 |
                                  srp_1536 |
@@ -178,9 +184,9 @@
                                  srp_3072 |
                                  srp_4096 |
                                  srp_6144 |
-                                 srp_8192.
+                                 srp_8192. % exported
 
--type error_alert()           :: {tls_alert, {tls_alert(), Description::string()}}.
+-type error_alert()           :: {tls_alert, {tls_alert(), Description::string()}}. % exported
 
 -type tls_alert()             :: close_notify | 
                                  unexpected_message | 
@@ -210,7 +216,8 @@
                                  bad_certificate_status_response |
                                  bad_certificate_hash_value |
                                  unknown_psk_identity |
-                                 no_application_protocol.
+                                 no_application_protocol. % exported
+
 %% -------------------------------------------------------------------------------------------------------
 -type common_option()        :: {protocol, protocol()} |
                                 {handshake, handshake_completion()} |
@@ -220,7 +227,6 @@
                                 {keyfile, key_pem()} |
                                 {password, key_password()} |
                                 {ciphers, cipher_suites()} |
-                                {eccs, eccs()} |
                                 {secure_renegotiate, secure_renegotiation()} |
                                 {depth, allowed_cert_chain_length()} |
                                 {verify_fun, custom_verify()} |
@@ -245,16 +251,15 @@
                                      #{algorithm := rsa | dss | ecdsa, 
                                        engine := crypto:engine_ref(), 
                                        key_id := crypto:key_id(), 
-                                       password => crypto:password()}.
+                                       password => crypto:password()}. % exported
 -type key_pem()                   :: file:filename().
 -type key_password()              :: string().
 -type cipher_suites()             :: ciphers().    
 -type ciphers()                   :: [erl_cipher_suite()] |
-                                     string(). % (according to old API)
+                                     string(). % (according to old API) exported
 -type cipher_filters()            :: list({key_exchange | cipher | mac | prf,
-                                        algo_filter()}).
+                                        algo_filter()}). % exported
 -type algo_filter()               :: fun((kex_algo()|cipher()|hash()|aead|default_prf) -> true | false).
--type eccs()                      :: [named_curve()].  
 -type secure_renegotiation()      :: boolean(). 
 -type allowed_cert_chain_length() :: integer().
 -type custom_verify()             ::  {Verifyfun :: fun(), InitialUserState :: term()}.
@@ -309,7 +314,6 @@
 -type ssl_imp()                  :: new | old.
 
 %% -------------------------------------------------------------------------------------------------------
-
 -type server_option()        :: {cacerts, server_cacerts()} |
                                 {cacertfile, server_cafile()} |
                                 {dh, dh_der()} |
@@ -347,7 +351,7 @@
 -type honor_ecc_order()          :: boolean().
 -type client_renegotiation()     :: boolean().
 %% -------------------------------------------------------------------------------------------------------
--type prf_random() :: client_random | server_random.
+-type prf_random() :: client_random | server_random. % exported
 -type protocol_extensions()  :: #{renegotiation_info => binary(),
                                   signature_algs => signature_algs(),
                                   alpn =>  app_level_protocol(),
@@ -355,7 +359,7 @@
                                   next_protocol => app_level_protocol(),
                                   ec_point_formats  => [0..2],
                                   elliptic_curves => [public_key:oid()],
-                                  sni => hostname()}.
+                                  sni => hostname()}. % exported
 %% -------------------------------------------------------------------------------------------------------
 
 %%%--------------------------------------------------------------------
@@ -391,18 +395,33 @@ stop() ->
 %%
 %% Description: Connect to an ssl server.
 %%--------------------------------------------------------------------
--spec connect(host() | port(), [client_option()]) -> {ok, #sslsocket{}} |
-					      {error, reason()}.
+-spec connect(TCPSocket, TLSOptions) ->
+                     {ok, sslsocket()} |
+                     {error, reason()} |
+                     {option_not_a_key_value_tuple, any()} when
+      TCPSocket :: socket(),
+      TLSOptions :: [tls_client_option()].
+
 connect(Socket, SslOptions) when is_port(Socket) ->
     connect(Socket, SslOptions, infinity).
 
--spec connect(host() | port(), [client_option()] | inet:port_number(),
-	      timeout() | list()) ->
-		     {ok, #sslsocket{}} | {error, reason()}.
+-spec connect(TCPSocket, TLSOptions, Timeout) ->
+                     {ok, sslsocket()} | {error, reason()} when
+      TCPSocket :: socket(),
+      TLSOptions :: [tls_client_option()],
+      Timeout :: timeout();
+             (Host, Port, TLSOptions) ->
+                     {ok, sslsocket()} |
+                     {ok, sslsocket(),Ext :: protocol_extensions()} |
+                     {error, reason()} |
+                     {option_not_a_key_value_tuple, any()} when
+      Host :: host(),
+      Port :: inet:port_number(),
+      TLSOptions :: [tls_client_option()].
 connect(Socket, SslOptions0, Timeout) when is_port(Socket),
-					    (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
-    {Transport,_,_,_} = proplists:get_value(cb_info, SslOptions0,
-					      {gen_tcp, tcp, tcp_closed, tcp_error}),
+                                           (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
+    CbInfo = handle_option(cb_info, SslOptions0, default_cb_info(tls)),
+    Transport = element(1, CbInfo),
     EmulatedOptions = tls_socket:emulated_options(),
     {ok, SocketValues} = tls_socket:getopts(Transport, Socket, EmulatedOptions),
     try handle_options(SslOptions0 ++ SocketValues, client) of
@@ -415,8 +434,16 @@ connect(Socket, SslOptions0, Timeout) when is_port(Socket),
 connect(Host, Port, Options) ->
     connect(Host, Port, Options, infinity).
 
--spec connect(host() | port(), inet:port_number(), [client_option()], timeout()) ->
-		     {ok, #sslsocket{}} | {error, reason()}.
+-spec connect(Host, Port, TLSOptions, Timeout) ->
+                     {ok, sslsocket()} |
+                     {ok, sslsocket(),Ext :: protocol_extensions()} |
+                     {error, reason()} |
+                     {option_not_a_key_value_tuple, any()} when
+      Host :: host(),
+      Port :: inet:port_number(),
+      TLSOptions :: [tls_client_option()],
+      Timeout :: timeout().
+
 connect(Host, Port, Options, Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
     try
 	{ok, Config} = handle_options(Options, client, Host),
@@ -432,7 +459,10 @@ connect(Host, Port, Options, Timeout) when (is_integer(Timeout) andalso Timeout
     end.
 
 %%--------------------------------------------------------------------
--spec listen(inet:port_number(), [tls_server_option()]) ->{ok, #sslsocket{}} | {error, reason()}.
+-spec listen(Port, Options) -> {ok, ListenSocket} | {error, reason()} when
+      Port::inet:port_number(),
+      Options::[tls_server_option()],
+      ListenSocket :: sslsocket().
 
 %%
 %% Description: Creates an ssl listen socket.
@@ -451,13 +481,20 @@ listen(Port, Options0) ->
 %%
 %% Description: Performs transport accept on an ssl listen socket
 %%--------------------------------------------------------------------
--spec transport_accept(#sslsocket{}) -> {ok, #sslsocket{}} |
-					{error, reason()}.
+-spec transport_accept(ListenSocket) -> {ok, SslSocket} |
+					{error, reason()} when
+      ListenSocket :: sslsocket(),
+      SslSocket :: sslsocket().
+
 transport_accept(ListenSocket) ->
     transport_accept(ListenSocket, infinity).
 
--spec transport_accept(#sslsocket{}, timeout()) -> {ok, #sslsocket{}} |
-						   {error, reason()}.
+-spec transport_accept(ListenSocket, Timeout) -> {ok, SslSocket} |
+					{error, reason()} when
+      ListenSocket :: sslsocket(),
+      Timeout :: timeout(),
+      SslSocket :: sslsocket().
+
 transport_accept(#sslsocket{pid = {ListenSocket,
 				   #config{connection_cb = ConnectionCb} = Config}}, Timeout) 
   when (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
@@ -473,12 +510,22 @@ transport_accept(#sslsocket{pid = {ListenSocket,
 %% Description: Performs accept on an ssl listen socket. e.i. performs
 %%              ssl handshake.
 %%--------------------------------------------------------------------
--spec ssl_accept(#sslsocket{}) -> ok | {error, timeout | closed | {options, any()}| error_alert()}.
+-spec ssl_accept(SslSocket) ->
+                        ok |
+                        {error, Reason} when
+      SslSocket :: sslsocket(),
+      Reason :: closed | timeout | error_alert().
+
 ssl_accept(ListenSocket) ->
     ssl_accept(ListenSocket, [], infinity).
 
--spec ssl_accept(#sslsocket{} | port(), timeout()| [tls_server_option()]) ->
-			ok | {ok, #sslsocket{}} | {error, timeout | closed | {options, any()}| error_alert()}.
+-spec ssl_accept(Socket, TimeoutOrOptions) ->
+			ok |
+                        {ok, sslsocket()} | {error, Reason} when
+      Socket :: sslsocket() | socket(),
+      TimeoutOrOptions :: timeout() | [tls_server_option()],
+      Reason :: timeout | closed | {options, any()} | error_alert().
+
 ssl_accept(Socket, Timeout)  when  (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
     ssl_accept(Socket, [], Timeout);
 ssl_accept(ListenSocket, SslOptions) when is_port(ListenSocket) ->
@@ -486,8 +533,13 @@ ssl_accept(ListenSocket, SslOptions) when is_port(ListenSocket) ->
 ssl_accept(Socket, Timeout) ->
     ssl_accept(Socket, [], Timeout).
 
--spec ssl_accept(#sslsocket{} | port(), [tls_server_option()], timeout()) ->
-			ok | {ok, #sslsocket{}} | {error, timeout | closed | {options, any()}| error_alert()}.
+-spec ssl_accept(Socket, Options, Timeout) ->
+			ok | {ok, sslsocket()} | {error, Reason} when
+      Socket :: sslsocket() | socket(),
+      Options :: [tls_server_option()],
+      Timeout :: timeout(),
+      Reason :: timeout | closed | {options, any()} | error_alert().
+
 ssl_accept(Socket, SslOptions, Timeout) when is_port(Socket) ->
     handshake(Socket, SslOptions, Timeout);
 ssl_accept(Socket, SslOptions, Timeout) ->
@@ -504,12 +556,29 @@ ssl_accept(Socket, SslOptions, Timeout) ->
 %%--------------------------------------------------------------------
 
 %% Performs the SSL/TLS/DTLS server-side handshake.
--spec handshake(#sslsocket{}) -> {ok, #sslsocket{}} | {error, timeout | closed | {options, any()} | error_alert()}.
+
+-spec handshake(HsSocket) -> {ok, SslSocket} | {ok, SslSocket, Ext} | {error, Reason} when
+      HsSocket :: sslsocket(),
+      SslSocket :: sslsocket(),
+      Ext :: protocol_extensions(),
+      Reason :: closed | timeout | error_alert().
+
 handshake(ListenSocket) ->
     handshake(ListenSocket, infinity).
 
--spec handshake(#sslsocket{} | port(), timeout()| [tls_server_option()]) ->
-                       {ok, #sslsocket{}} | {error, timeout | closed | {options, any()} | error_alert()}.
+-spec handshake(HsSocket, Timeout) -> {ok, SslSocket} | {ok, SslSocket, Ext} | {error, Reason} when
+      HsSocket :: sslsocket(),
+      Timeout :: timeout(),
+      SslSocket :: sslsocket(),
+      Ext :: protocol_extensions(),
+      Reason :: closed | timeout | error_alert();
+               (Socket, Options) -> {ok, SslSocket} | {ok, SslSocket, Ext} | {error, Reason} when
+      Socket :: socket() | sslsocket(),
+      SslSocket :: sslsocket(),
+      Options :: [server_option()],
+      Ext :: protocol_extensions(),
+      Reason :: closed | timeout | error_alert().
+
 handshake(#sslsocket{} = Socket, Timeout) when  (is_integer(Timeout) andalso Timeout >= 0) or 
                                                 (Timeout == infinity) ->
     ssl_connection:handshake(Socket, Timeout);
@@ -517,8 +586,17 @@ handshake(#sslsocket{} = Socket, Timeout) when  (is_integer(Timeout) andalso Tim
 handshake(ListenSocket, SslOptions)  when is_port(ListenSocket) ->
     handshake(ListenSocket, SslOptions, infinity).
 
--spec handshake(#sslsocket{} | port(), [tls_server_option()], timeout()) ->
-			{ok, #sslsocket{}} | {error, timeout | closed | {options, any()} | error_alert()}.
+-spec handshake(Socket, Options, Timeout) ->
+                       {ok, SslSocket} |
+                       {ok, SslSocket, Ext} |
+                       {error, Reason} when
+      Socket :: socket() | sslsocket(),
+      SslSocket :: sslsocket(),
+      Options :: [server_option()],
+      Timeout :: timeout(),
+      Ext :: protocol_extensions(),
+      Reason :: closed | timeout | {options, any()} | error_alert().
+
 handshake(#sslsocket{} = Socket, [], Timeout) when (is_integer(Timeout) andalso Timeout >= 0) or 
                                                     (Timeout == infinity)->
     handshake(Socket, Timeout);
@@ -542,8 +620,8 @@ handshake(#sslsocket{pid = [Pid|_], fd = {_, _, _}} = Socket, SslOpts, Timeout)
     end;
 handshake(Socket, SslOptions, Timeout) when is_port(Socket),
                                             (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
-    {Transport,_,_,_} =
-	proplists:get_value(cb_info, SslOptions, {gen_tcp, tcp, tcp_closed, tcp_error}),
+    CbInfo = handle_option(cb_info, SslOptions, default_cb_info(tls)),
+    Transport = element(1, CbInfo),
     EmulatedOptions = tls_socket:emulated_options(),
     {ok, SocketValues} = tls_socket:getopts(Transport, Socket, EmulatedOptions),
     ConnetionCb = connection_cb(SslOptions),
@@ -561,8 +639,12 @@ handshake(Socket, SslOptions, Timeout) when is_port(Socket),
 
 
 %%--------------------------------------------------------------------
--spec handshake_continue(#sslsocket{}, [tls_client_option() | tls_server_option()]) -> 
-                                {ok, #sslsocket{}} | {error, reason()}.
+-spec handshake_continue(HsSocket, Options) ->
+                                {ok, SslSocket} | {error, Reason} when
+      HsSocket :: sslsocket(),
+      Options :: [tls_client_option() | tls_server_option()],
+      SslSocket :: sslsocket(),
+      Reason :: closed | timeout | error_alert().
 %%
 %%
 %% Description: Continues the handshke possible with newly supplied options.
@@ -570,8 +652,13 @@ handshake(Socket, SslOptions, Timeout) when is_port(Socket),
 handshake_continue(Socket, SSLOptions) ->
     handshake_continue(Socket, SSLOptions, infinity).
 %%--------------------------------------------------------------------
--spec handshake_continue(#sslsocket{}, [tls_client_option() | tls_server_option()], timeout()) -> 
-                                {ok, #sslsocket{}} | {error, reason()}.
+-spec handshake_continue(HsSocket, Options, Timeout) ->
+                                {ok, SslSocket} | {error, Reason} when
+      HsSocket :: sslsocket(),
+      Options :: [tls_client_option() | tls_server_option()],
+      Timeout :: timeout(),
+      SslSocket :: sslsocket(),
+      Reason :: closed | timeout | error_alert().
 %%
 %%
 %% Description: Continues the handshke possible with newly supplied options.
@@ -579,7 +666,7 @@ handshake_continue(Socket, SSLOptions) ->
 handshake_continue(Socket, SSLOptions, Timeout) ->
     ssl_connection:handshake_continue(Socket, SSLOptions, Timeout).
 %%--------------------------------------------------------------------
--spec  handshake_cancel(#sslsocket{}) -> term().
+-spec  handshake_cancel(#sslsocket{}) -> any().
 %%
 %% Description: Cancels the handshakes sending a close alert.
 %%--------------------------------------------------------------------
@@ -587,7 +674,9 @@ handshake_cancel(Socket) ->
     ssl_connection:handshake_cancel(Socket).
 
 %%--------------------------------------------------------------------
--spec  close(#sslsocket{}) -> term().
+-spec  close(SslSocket) -> ok | {error, Reason} when
+      SslSocket :: sslsocket(),
+      Reason :: any().
 %%
 %% Description: Close an ssl connection
 %%--------------------------------------------------------------------
@@ -595,11 +684,14 @@ close(#sslsocket{pid = [Pid|_]}) when is_pid(Pid) ->
     ssl_connection:close(Pid, {close, ?DEFAULT_TIMEOUT});
 close(#sslsocket{pid = {dtls, #config{dtls_handler = {Pid, _}}}}) ->
    dtls_packet_demux:close(Pid);
-close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_, _, _}}}}) ->
+close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_,_,_,_}}}}) ->
     Transport:close(ListenSocket).
 
 %%--------------------------------------------------------------------
--spec  close(#sslsocket{}, timeout() | {pid(), integer()}) -> term().
+-spec  close(SslSocket, How) -> ok | {ok, port()} | {error,Reason} when
+      SslSocket :: sslsocket(),
+      How :: timeout() | {NewController::pid(), timeout()},
+      Reason :: any().
 %%
 %% Description: Close an ssl connection
 %%--------------------------------------------------------------------
@@ -611,11 +703,13 @@ close(#sslsocket{pid = [TLSPid|_]},
 close(#sslsocket{pid = [TLSPid|_]}, Timeout) when is_pid(TLSPid),
 					      (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity) ->
     ssl_connection:close(TLSPid, {close, Timeout});
-close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_, _, _}}}}, _) ->
+close(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport,_,_,_,_}}}}, _) ->
     Transport:close(ListenSocket).
 
 %%--------------------------------------------------------------------
--spec send(#sslsocket{}, iodata()) -> ok | {error, reason()}.
+-spec send(SslSocket, Data) -> ok | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Data :: iodata().
 %%
 %% Description: Sends data over the ssl connection
 %%--------------------------------------------------------------------
@@ -627,29 +721,45 @@ send(#sslsocket{pid = {_, #config{transport_info={_, udp, _, _}}}}, _) ->
     {error,enotconn}; %% Emulate connection behaviour
 send(#sslsocket{pid = {dtls,_}}, _) ->
     {error,enotconn};  %% Emulate connection behaviour
-send(#sslsocket{pid = {ListenSocket, #config{transport_info={Transport, _, _, _}}}}, Data) ->
+send(#sslsocket{pid = {ListenSocket, #config{transport_info = Info}}}, Data) ->
+    Transport = element(1, Info),
     Transport:send(ListenSocket, Data). %% {error,enotconn}
 
 %%--------------------------------------------------------------------
 %%
 %% Description: Receives data when active = false
 %%--------------------------------------------------------------------
--spec recv(#sslsocket{}, integer()) -> {ok, binary()| list()} | {error, reason()}.
+-spec recv(SslSocket, Length) -> {ok, Data} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Length :: integer(),
+      Data :: binary() | list() | HttpPacket,
+      HttpPacket :: any().
+
 recv(Socket, Length) ->
     recv(Socket, Length, infinity).
 
--spec recv(#sslsocket{}, integer(), timeout()) -> {ok, binary()| list()} | {error, reason()}.
+-spec recv(SslSocket, Length, Timeout) -> {ok, Data} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Length :: integer(),
+      Data :: binary() | list() | HttpPacket,
+      Timeout :: timeout(),
+      HttpPacket :: any().
+
 recv(#sslsocket{pid = [Pid|_]}, Length, Timeout) when is_pid(Pid),
 						  (is_integer(Timeout) andalso Timeout >= 0) or (Timeout == infinity)->
     ssl_connection:recv(Pid, Length, Timeout);
 recv(#sslsocket{pid = {dtls,_}}, _, _) ->
     {error,enotconn};
 recv(#sslsocket{pid = {Listen,
-		       #config{transport_info = {Transport, _, _, _}}}}, _,_) when is_port(Listen)->
+		       #config{transport_info = Info}}},_,_) when is_port(Listen)->
+    Transport = element(1, Info),
     Transport:recv(Listen, 0). %% {error,enotconn}
 
 %%--------------------------------------------------------------------
--spec controlling_process(#sslsocket{}, pid()) -> ok | {error, reason()}.
+-spec controlling_process(SslSocket, NewOwner) -> ok | {error, Reason} when
+      SslSocket :: sslsocket(),
+      NewOwner :: pid(),
+      Reason :: any().
 %%
 %% Description: Changes process that receives the messages when active = true
 %% or once.
@@ -660,7 +770,7 @@ controlling_process(#sslsocket{pid = {dtls, _}},
 		    NewOwner) when is_pid(NewOwner) ->
     ok; %% Meaningless but let it be allowed to conform with TLS 
 controlling_process(#sslsocket{pid = {Listen,
-				      #config{transport_info = {Transport, _, _, _}}}},
+				      #config{transport_info = {Transport,_,_,_,_}}}},
 		    NewOwner) when is_port(Listen),
 				   is_pid(NewOwner) ->
      %% Meaningless but let it be allowed to conform with normal sockets  
@@ -668,7 +778,11 @@ controlling_process(#sslsocket{pid = {Listen,
 
 
 %%--------------------------------------------------------------------
--spec connection_information(#sslsocket{}) -> {ok, list()} | {error, reason()}.
+-spec connection_information(SslSocket) -> {ok, Result} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Result :: [{OptionName, OptionValue}],
+      OptionName :: atom(),
+      OptionValue :: any().
 %%
 %% Description: Return SSL information for the connection
 %%--------------------------------------------------------------------
@@ -685,7 +799,12 @@ connection_information(#sslsocket{pid = {dtls,_}}) ->
     {error,enotconn}. 
 
 %%--------------------------------------------------------------------
--spec connection_information(#sslsocket{}, [atom()]) -> {ok, list()} | {error, reason()}.
+-spec connection_information(SslSocket, Items) -> {ok, Result} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Items :: [OptionName],
+      Result :: [{OptionName, OptionValue}],
+      OptionName :: atom(),
+      OptionValue :: any().
 %%
 %% Description: Return SSL information for the connection
 %%--------------------------------------------------------------------
@@ -699,23 +818,29 @@ connection_information(#sslsocket{pid = [Pid|_]}, Items) when is_pid(Pid) ->
     end.
 
 %%--------------------------------------------------------------------
--spec peername(#sslsocket{}) -> {ok, {inet:ip_address(), inet:port_number()}} | {error, reason()}.
+-spec peername(SslSocket) -> {ok, {Address, Port}} |
+                             {error, reason()} when
+      SslSocket :: sslsocket(),
+      Address :: inet:ip_address(),
+      Port :: inet:port_number().
 %%
 %% Description: same as inet:peername/1.
 %%--------------------------------------------------------------------
-peername(#sslsocket{pid = [Pid|_], fd = {Transport, Socket, _}}) when is_pid(Pid)->
+peername(#sslsocket{pid = [Pid|_], fd = {Transport, Socket,_}}) when is_pid(Pid)->
     dtls_socket:peername(Transport, Socket);
-peername(#sslsocket{pid = [Pid|_], fd = {Transport, Socket, _, _}}) when is_pid(Pid)->
+peername(#sslsocket{pid = [Pid|_], fd = {Transport, Socket,_,_}}) when is_pid(Pid)->
     tls_socket:peername(Transport, Socket);
-peername(#sslsocket{pid = {dtls, #config{dtls_handler = {_Pid, _}}}}) ->
+peername(#sslsocket{pid = {dtls, #config{dtls_handler = {_Pid,_}}}}) ->
     dtls_socket:peername(dtls, undefined);
-peername(#sslsocket{pid = {ListenSocket,  #config{transport_info = {Transport,_,_,_}}}}) ->
+peername(#sslsocket{pid = {ListenSocket,  #config{transport_info = {Transport,_,_,_,_}}}}) ->
     tls_socket:peername(Transport, ListenSocket); %% Will return {error, enotconn}
 peername(#sslsocket{pid = {dtls,_}}) ->
     {error,enotconn}.
 
 %%--------------------------------------------------------------------
--spec peercert(#sslsocket{}) ->{ok, DerCert::binary()} | {error, reason()}.
+-spec peercert(SslSocket) -> {ok, Cert} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Cert :: binary().
 %%
 %% Description: Returns the peercert.
 %%--------------------------------------------------------------------
@@ -732,7 +857,10 @@ peercert(#sslsocket{pid = {Listen, _}}) when is_port(Listen) ->
     {error, enotconn}.
 
 %%--------------------------------------------------------------------
--spec negotiated_protocol(#sslsocket{}) -> {ok, binary()} | {error, reason()}.
+-spec negotiated_protocol(SslSocket) -> {ok, Protocol} | {error, Reason} when
+      SslSocket :: sslsocket(),
+      Protocol :: binary(),
+      Reason :: protocol_not_negotiated.
 %%
 %% Description: Returns the protocol that has been negotiated. If no
 %% protocol has been negotiated will return {error, protocol_not_negotiated}
@@ -746,8 +874,9 @@ negotiated_protocol(#sslsocket{pid = [Pid|_]}) when is_pid(Pid) ->
 cipher_suites() ->
     cipher_suites(erlang).
 %%--------------------------------------------------------------------
--spec cipher_suites(erlang | openssl | all) -> 
-                           [old_cipher_suite() | string()].
+-spec cipher_suites(Type) -> [old_cipher_suite() | string()] when
+      Type :: erlang | openssl | all.
+
 %% Description: Returns all supported cipher suites.
 %%--------------------------------------------------------------------
 cipher_suites(erlang) ->
@@ -761,9 +890,10 @@ cipher_suites(all) ->
     [ssl_cipher_format:erl_suite_definition(Suite) || Suite <- available_suites(all)].
 
 %%--------------------------------------------------------------------
--spec cipher_suites(default | all | anonymous, ssl_record:ssl_version() |
-                    tls_record:tls_atom_version() |  dtls_record:dtls_atom_version()) -> 
-                           [erl_cipher_suite()].
+-spec cipher_suites(Supported, Version) -> ciphers() when
+      Supported :: default | all | anonymous,
+      Version :: protocol_version().
+
 %% Description: Returns all default and all supported cipher suites for a
 %% TLS/DTLS version
 %%--------------------------------------------------------------------
@@ -779,9 +909,11 @@ cipher_suites(Base, Version) ->
     [ssl_cipher_format:suite_definition(Suite) || Suite <- supported_suites(Base, Version)].
 
 %%--------------------------------------------------------------------
--spec filter_cipher_suites([erl_cipher_suite()], 
-                           [{key_exchange | cipher | mac | prf, fun()}] | []) -> 
-                                  [erl_cipher_suite()].
+-spec filter_cipher_suites(Suites, Filters) -> Ciphers when
+      Suites :: ciphers(),
+      Filters :: cipher_filters(),
+      Ciphers :: ciphers().
+
 %% Description: Removes cipher suites if any of the filter functions returns false
 %% for any part of the cipher suite. This function also calls default filter functions
 %% to make sure the cipher suite are supported by crypto.
@@ -798,10 +930,10 @@ filter_cipher_suites(Suites, Filters0) ->
                 prf_filters => add_filter(proplists:get_value(prf, Filters0), PrfF)},
     ssl_cipher:filter_suites(Suites, Filters).
 %%--------------------------------------------------------------------
--spec prepend_cipher_suites([erl_cipher_suite()] | 
-                            [{key_exchange | cipher | mac | prf, fun()}],
-                            [erl_cipher_suite()]) -> 
-                                   [erl_cipher_suite()].
+-spec prepend_cipher_suites(Preferred, Suites) -> ciphers() when
+      Preferred :: ciphers() | cipher_filters(),
+      Suites :: ciphers().
+
 %% Description: Make <Preferred> suites become the most prefered
 %%      suites that is put them at the head of the cipher suite list
 %%      and remove them from <Suites> if present. <Preferred> may be a
@@ -816,10 +948,10 @@ prepend_cipher_suites(Filters, Suites) ->
     Preferred = filter_cipher_suites(Suites, Filters), 
     Preferred ++ (Suites -- Preferred).
 %%--------------------------------------------------------------------
--spec append_cipher_suites(Deferred :: [erl_cipher_suite()] | 
-                                       [{key_exchange | cipher | mac | prf, fun()}],
-                           [erl_cipher_suite()]) -> 
-                                  [erl_cipher_suite()].
+-spec append_cipher_suites(Deferred, Suites) -> ciphers() when
+      Deferred :: ciphers() | cipher_filters(),
+      Suites :: ciphers().
+
 %% Description: Make <Deferred> suites suites become the 
 %% least prefered suites that is put them at the end of the cipher suite list
 %% and removed them from <Suites> if present.
@@ -833,7 +965,9 @@ append_cipher_suites(Filters, Suites) ->
     (Suites -- Deferred) ++  Deferred.
 
 %%--------------------------------------------------------------------
--spec eccs() -> tls_v1:curves().
+-spec eccs() -> NamedCurves when
+      NamedCurves :: [named_curve()].
+
 %% Description: returns all supported curves across all versions
 %%--------------------------------------------------------------------
 eccs() ->
@@ -841,27 +975,24 @@ eccs() ->
     eccs_filter_supported(Curves).
 
 %%--------------------------------------------------------------------
--spec eccs(tls_record:tls_atom_version() |
-           ssl_record:ssl_version() | dtls_record:dtls_atom_version()) ->
-                  tls_v1:curves().
+-spec eccs(Version) -> NamedCurves when
+      Version :: protocol_version(),
+      NamedCurves :: [named_curve()].
+
 %% Description: returns the curves supported for a given version of
 %% ssl/tls.
 %%--------------------------------------------------------------------
-eccs({3,0}) ->
+eccs(sslv3) ->
     [];
-eccs({3,_}) ->
-    Curves = tls_v1:ecc_curves(all),
-    eccs_filter_supported(Curves);
-eccs({254,_} = Version) ->
-    eccs(dtls_v1:corresponding_tls_version(Version));
+eccs('dtlsv1') ->
+    eccs('tlsv1.1');
+eccs('dtlsv1.2') ->
+    eccs('tlsv1.2');
 eccs(Version) when Version == 'tlsv1.2';
                    Version == 'tlsv1.1';
-                   Version == tlsv1;
-                   Version == sslv3 ->
-    eccs(tls_record:protocol_version(Version));
-eccs(Version) when Version == 'dtlsv1.2';
-                   Version == 'dtlsv1'->
-    eccs(dtls_v1:corresponding_tls_version(dtls_record:protocol_version(Version))).
+                   Version == tlsv1 ->
+    Curves = tls_v1:ecc_curves(all),
+    eccs_filter_supported(Curves).
 
 eccs_filter_supported(Curves) ->
     CryptoCurves = crypto:ec_curves(),
@@ -869,8 +1000,10 @@ eccs_filter_supported(Curves) ->
                  Curves).
 
 %%--------------------------------------------------------------------
--spec getopts(#sslsocket{}, [gen_tcp:option_name()]) ->
-		     {ok, [gen_tcp:option()]} | {error, reason()}.
+-spec getopts(SslSocket, OptionNames) ->
+		     {ok, [gen_tcp:option()]} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      OptionNames :: [gen_tcp:option_name()].
 %%
 %% Description: Gets options
 %%--------------------------------------------------------------------
@@ -886,7 +1019,7 @@ getopts(#sslsocket{pid = {dtls, #config{transport_info = {Transport,_,_,_}}}} =
 	_:Error ->
 	    {error, {options, {socket_options, OptionTags, Error}}}
     end;
-getopts(#sslsocket{pid = {_,  #config{transport_info = {Transport,_,_,_}}}} = ListenSocket,
+getopts(#sslsocket{pid = {_,  #config{transport_info = {Transport,_,_,_,_}}}} = ListenSocket,
 	OptionTags) when is_list(OptionTags) ->
     try tls_socket:getopts(Transport, ListenSocket, OptionTags) of
 	{ok, _} = Result ->
@@ -901,7 +1034,9 @@ getopts(#sslsocket{}, OptionTags) ->
     {error, {options, {socket_options, OptionTags}}}.
 
 %%--------------------------------------------------------------------
--spec setopts(#sslsocket{},  [gen_tcp:option()]) -> ok | {error, reason()}.
+-spec setopts(SslSocket, Options) -> ok | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Options :: [gen_tcp:option()].
 %%
 %% Description: Sets options
 %%--------------------------------------------------------------------
@@ -943,7 +1078,7 @@ setopts(#sslsocket{pid = {dtls, #config{transport_info = {Transport,_,_,_}}}} =
 	_:Error ->
 	    {error, {options, {socket_options, Options, Error}}}
     end;
-setopts(#sslsocket{pid = {_, #config{transport_info = {Transport,_,_,_}}}} = ListenSocket, Options) when is_list(Options) ->
+setopts(#sslsocket{pid = {_, #config{transport_info = {Transport,_,_,_,_}}}} = ListenSocket, Options) when is_list(Options) ->
     try tls_socket:setopts(Transport, ListenSocket, Options) of
 	ok ->
 	    ok;
@@ -957,9 +1092,9 @@ setopts(#sslsocket{}, Options) ->
     {error, {options,{not_a_proplist, Options}}}.
 
 %%---------------------------------------------------------------
--spec getstat(Socket) ->
-	{ok, OptionValues} | {error, inet:posix()} when
-      Socket :: #sslsocket{},
+-spec getstat(SslSocket) ->
+                     {ok, OptionValues} | {error, inet:posix()} when
+      SslSocket :: sslsocket(),
       OptionValues :: [{inet:stat_option(), integer()}].
 %%
 %% Description: Get all statistic options for a socket.
@@ -968,9 +1103,9 @@ getstat(Socket) ->
 	getstat(Socket, inet:stats()).
 
 %%---------------------------------------------------------------
--spec getstat(Socket, Options) ->
-	{ok, OptionValues} | {error, inet:posix()} when
-      Socket :: #sslsocket{},
+-spec getstat(SslSocket, Options) ->
+                     {ok, OptionValues} | {error, inet:posix()} when
+      SslSocket :: sslsocket(),
       Options :: [inet:stat_option()],
       OptionValues :: [{inet:stat_option(), integer()}].
 %%
@@ -983,12 +1118,15 @@ getstat(#sslsocket{pid = [Pid|_], fd = {Transport, Socket, _, _}}, Options) when
     tls_socket:getstat(Transport, Socket, Options).
 
 %%---------------------------------------------------------------
--spec shutdown(#sslsocket{}, read | write | read_write) ->  ok | {error, reason()}.
+-spec shutdown(SslSocket, How) ->  ok | {error, reason()} when
+      SslSocket :: sslsocket(),
+      How :: read | write | read_write.
 %%
 %% Description: Same as gen_tcp:shutdown/2
 %%--------------------------------------------------------------------
-shutdown(#sslsocket{pid = {Listen, #config{transport_info = {Transport,_, _, _}}}},
+shutdown(#sslsocket{pid = {Listen, #config{transport_info = Info}}},
 	 How) when is_port(Listen) ->
+    Transport = element(1, Info),
     Transport:shutdown(Listen, How);
 shutdown(#sslsocket{pid = {dtls,_}},_) ->
     {error, enotconn};
@@ -996,24 +1134,28 @@ shutdown(#sslsocket{pid = [Pid|_]}, How) when is_pid(Pid) ->
     ssl_connection:shutdown(Pid, How).
 
 %%--------------------------------------------------------------------
--spec sockname(#sslsocket{}) -> {ok, {inet:ip_address(), inet:port_number()}} | {error, reason()}.
+-spec sockname(SslSocket) ->
+                      {ok, {Address, Port}} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Address :: inet:ip_address(),
+      Port :: inet:port_number().
 %%
 %% Description: Same as inet:sockname/1
 %%--------------------------------------------------------------------
-sockname(#sslsocket{pid = {Listen,  #config{transport_info = {Transport, _, _, _}}}}) when is_port(Listen) ->
+sockname(#sslsocket{pid = {Listen,  #config{transport_info = {Transport,_,_,_,_}}}}) when is_port(Listen) ->
     tls_socket:sockname(Transport, Listen);
 sockname(#sslsocket{pid = {dtls, #config{dtls_handler = {Pid, _}}}}) ->
     dtls_packet_demux:sockname(Pid);
-sockname(#sslsocket{pid = [Pid|_], fd = {Transport, Socket, _}}) when is_pid(Pid) ->
+sockname(#sslsocket{pid = [Pid|_], fd = {Transport, Socket,_}}) when is_pid(Pid) ->
     dtls_socket:sockname(Transport, Socket);
-sockname(#sslsocket{pid = [Pid| _], fd = {Transport, Socket, _, _}}) when is_pid(Pid) ->
+sockname(#sslsocket{pid = [Pid| _], fd = {Transport, Socket,_,_}}) when is_pid(Pid) ->
     tls_socket:sockname(Transport, Socket).
 
 %%---------------------------------------------------------------
--spec versions() -> [{ssl_app, string()} | {supported, [tls_record:tls_atom_version()]} |
-                     {supported_dtls, [dtls_record:dtls_atom_version()]} |
-		     {available, [tls_record:tls_atom_version()]} |
-                     {available_dtls, [dtls_record:dtls_atom_version()]}].
+-spec versions() -> [VersionInfo] when
+      VersionInfo :: {ssl_app, string()} |
+                     {supported | available, [tls_version()]} |
+                     {supported_dtls | available_dtls, [dtls_version()]}.
 %%
 %% Description: Returns a list of relevant versions.
 %%--------------------------------------------------------------------
@@ -1031,7 +1173,8 @@ versions() ->
 
 
 %%---------------------------------------------------------------
--spec renegotiate(#sslsocket{}) -> ok | {error, reason()}.
+-spec renegotiate(SslSocket) -> ok | {error, reason()} when
+      SslSocket :: sslsocket().
 %%
 %% Description: Initiates a renegotiation.
 %%--------------------------------------------------------------------
@@ -1051,9 +1194,13 @@ renegotiate(#sslsocket{pid = {Listen,_}}) when is_port(Listen) ->
     {error, enotconn}.
 
 %%--------------------------------------------------------------------
--spec prf(#sslsocket{}, binary() | 'master_secret', binary(),
-	  [binary() | prf_random()], non_neg_integer()) ->
-		 {ok, binary()} | {error, reason()}.
+-spec prf(SslSocket, Secret, Label, Seed, WantedLength) ->
+                 {ok, binary()} | {error, reason()} when
+      SslSocket :: sslsocket(),
+      Secret :: binary() | 'master_secret',
+      Label::binary(),
+      Seed :: [binary() | prf_random()],
+      WantedLength :: non_neg_integer().
 %%
 %% Description: use a ssl sessions TLS PRF to generate key material
 %%--------------------------------------------------------------------
@@ -1074,7 +1221,8 @@ clear_pem_cache() ->
     ssl_pem_cache:clear().
 
 %%---------------------------------------------------------------
--spec format_error({error, term()}) -> list().
+-spec format_error({error, Reason}) -> string() when
+      Reason :: any().
 %%
 %% Description: Creates error string.
 %%--------------------------------------------------------------------
@@ -1114,7 +1262,14 @@ tls_version({254, _} = Version) ->
 
 
 %%--------------------------------------------------------------------
--spec suite_to_str(erl_cipher_suite()) -> string().
+-spec suite_to_str(CipherSuite) -> string() when
+      CipherSuite :: erl_cipher_suite();
+                  (CipherSuite) -> string() when
+      %% For internal use!
+      CipherSuite :: #{key_exchange := null,
+                       cipher := null,
+                       mac := null,
+                       prf := null}.
 %%
 %% Description: Return the string representation of a cipher suite.
 %%--------------------------------------------------------------------
@@ -1140,7 +1295,7 @@ supported_suites(all, Version) ->
 supported_suites(anonymous, Version) -> 
     ssl_cipher:anonymous_suites(Version).
 
-do_listen(Port, #config{transport_info = {Transport, _, _, _}} = Config, tls_connection) ->
+do_listen(Port, #config{transport_info = {Transport, _, _, _,_}} = Config, tls_connection) ->
     tls_socket:listen(Transport, Port, Config);
 
 do_listen(Port,  Config, dtls_connection) ->
@@ -1288,7 +1443,7 @@ handle_options(Opts0, Role, Host) ->
                     customize_hostname_check = handle_option(customize_hostname_check, Opts, [])
 		   },
 
-    CbInfo  = proplists:get_value(cb_info, Opts, default_cb_info(Protocol)),
+    CbInfo  = handle_option(cb_info, Opts, default_cb_info(Protocol)),
     SslOptions = [protocol, versions, verify, verify_fun, partial_chain,
 		  fail_if_no_peer_cert, verify_client_once,
 		  depth, cert, certfile, key, keyfile,
@@ -1330,6 +1485,10 @@ handle_option(sni_fun, Opts, Default) ->
         _ ->
             throw({error, {conflict_options, [sni_fun, sni_hosts]}})
     end;
+handle_option(cb_info, Opts, Default) ->
+    CbInfo = proplists:get_value(cb_info, Opts, Default),
+    true = validate_option(cb_info, CbInfo),
+    handle_cb_info(CbInfo, Default);
 handle_option(OptionName, Opts, Default) ->
     validate_option(OptionName,
 		    proplists:get_value(OptionName, Opts, Default)).
@@ -1551,9 +1710,29 @@ validate_option(handshake, full = Value) ->
     Value;
 validate_option(customize_hostname_check, Value) when is_list(Value) ->
     Value;
+validate_option(cb_info, {V1, V2, V3, V4}) when is_atom(V1),
+                                                is_atom(V2),
+                                                is_atom(V3),
+                                                is_atom(V4)
+                                                ->
+    true;
+validate_option(cb_info, {V1, V2, V3, V4, V5}) when is_atom(V1),
+                                                    is_atom(V2),
+                                                    is_atom(V3),
+                                                    is_atom(V4),
+                                                    is_atom(V5)
+                                                ->
+    true;
+validate_option(cb_info, _) ->
+    false;
 validate_option(Opt, Value) ->
     throw({error, {options, {Opt, Value}}}).
 
+handle_cb_info({V1, V2, V3, V4}, {_,_,_,_,_}) ->
+    {V1,V2,V3,V4, list_to_atom(atom_to_list(V2) ++ "passive")};
+handle_cb_info(CbInfo, _) ->
+    CbInfo.
+
 handle_hashsigns_option(Value, Version) when is_list(Value) 
                                              andalso Version >= {3, 3} ->
     case tls_v1:signature_algs(Version, Value) of
@@ -1964,7 +2143,7 @@ default_option_role(_,_,_) ->
     undefined.
 
 default_cb_info(tls) ->
-    {gen_tcp, tcp, tcp_closed, tcp_error};
+    {gen_tcp, tcp, tcp_closed, tcp_error, tcp_passive};
 default_cb_info(dtls) ->
     {gen_udp, udp, udp_closed, udp_error}.
 
diff --git a/lib/ssl/src/ssl_alert.erl b/lib/ssl/src/ssl_alert.erl
index 2a20d13cd5..81167b5ba3 100644
--- a/lib/ssl/src/ssl_alert.erl
+++ b/lib/ssl/src/ssl_alert.erl
@@ -32,7 +32,11 @@
 -include("ssl_record.hrl").
 -include("ssl_internal.hrl").
 
--export([decode/1, own_alert_txt/1, alert_txt/1, reason_code/2]).
+-export([decode/1, 
+         own_alert_txt/1, 
+         alert_txt/1,
+         alert_txt/4, 
+         reason_code/4]).
 
 %%====================================================================
 %% Internal application API
@@ -48,20 +52,29 @@ decode(Bin) ->
     decode(Bin, [], 0).
 
 %%--------------------------------------------------------------------
-%% -spec reason_code(#alert{}, client | server) ->
-%%                          {tls_alert, unicode:chardata()} | closed.
-%-spec reason_code(#alert{}, client | server) -> closed | {essl, string()}.
+-spec reason_code(#alert{}, client | server, ProtocolName::string(), StateName::atom()) ->
+                         {tls_alert, {atom(), unicode:chardata()}} | closed.
 %%
 %% Description: Returns the error reason that will be returned to the
 %% user.
 %%--------------------------------------------------------------------
 
-reason_code(#alert{description = ?CLOSE_NOTIFY}, _) ->
+reason_code(#alert{description = ?CLOSE_NOTIFY}, _, _, _) ->
     closed;
-reason_code(#alert{description = Description, role = Role} = Alert, Role) ->
-    {tls_alert, {description_atom(Description), own_alert_txt(Alert)}};
-reason_code(#alert{description = Description} = Alert, Role) ->
-    {tls_alert, {description_atom(Description), alert_txt(Alert#alert{role = Role})}}.
+reason_code(#alert{description = Description, role = Role} = Alert, Role, ProtocolName, StateName) ->
+    Txt = lists:flatten(alert_txt(ProtocolName, Role, StateName, own_alert_txt(Alert))),
+    {tls_alert, {description_atom(Description), Txt}};
+reason_code(#alert{description = Description} = Alert, Role, ProtocolName, StateName) ->
+    Txt = lists:flatten(alert_txt(ProtocolName, Role, StateName, alert_txt(Alert))),
+    {tls_alert, {description_atom(Description), Txt}}.
+
+%%--------------------------------------------------------------------
+-spec alert_txt(string(), server | client, StateNam::atom(), string()) -> string().
+%%
+%% Description: Generates alert text for log or string part of error return.
+%%--------------------------------------------------------------------
+alert_txt(ProtocolName, Role, StateName, Txt) ->
+    io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]).
 
 %%--------------------------------------------------------------------
 -spec own_alert_txt(#alert{}) -> string().
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index ad81288f64..a5f29c058a 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -114,7 +114,7 @@ handshake(Connection, Port, Socket, Opts, User, CbInfo, Timeout) ->
 
 %%--------------------------------------------------------------------
 -spec handshake(#sslsocket{}, timeout()) ->  {ok, #sslsocket{}} |
-                                                 {ok,  #sslsocket{}, map()}| {error, reason()}.
+                                             {ok,  #sslsocket{}, map()}| {error, reason()}.
 %%
 %% Description: Starts ssl handshake. 
 %%--------------------------------------------------------------------
@@ -129,8 +129,8 @@ handshake(#sslsocket{pid = [Pid|_]} = Socket, Timeout) ->
     end.
 
 %%--------------------------------------------------------------------
--spec handshake(#sslsocket{}, {#ssl_options{},#socket_options{}},
-		timeout()) ->   {ok, #sslsocket{}} | {error, reason()}.
+-spec handshake(#sslsocket{}, {#ssl_options{},#socket_options{}}, timeout()) ->
+                       {ok, #sslsocket{}} | {ok, #sslsocket{}, map()} | {error, reason()}.
 %%
 %% Description: Starts ssl handshake with some new options 
 %%--------------------------------------------------------------------
@@ -327,32 +327,33 @@ prf(ConnectionPid, Secret, Label, Seed, WantedLength) ->
 %%====================================================================
 %% Alert and close handling
 %%====================================================================
-handle_own_alert(Alert, _, StateName,
+handle_own_alert(Alert0, _, StateName,
 		 #state{static_env = #static_env{role = Role,
                                                  protocol_cb = Connection},
                         ssl_options = SslOpts} = State) ->
     try %% Try to tell the other side
-        send_alert(Alert, StateName, State)
+        send_alert(Alert0, StateName, State)
     catch _:_ ->  %% Can crash if we are in a uninitialized state
 	    ignore
     end,
     try %% Try to tell the local user
-	log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), StateName, Alert#alert{role = Role}),
+        Alert = Alert0#alert{role = Role},
+	log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), StateName, Alert),
 	handle_normal_shutdown(Alert,StateName, State)
     catch _:_ ->
 	    ok
     end,
     {stop, {shutdown, own_alert}, State}.
 
-handle_normal_shutdown(Alert, _, #state{static_env = #static_env{role = Role,
-                                                                 socket = Socket,
-                                                                 transport_cb = Transport,
-                                                                 protocol_cb = Connection,
-                                                                 tracker = Tracker},
-                                        handshake_env = #handshake_env{renegotiation = {false, first}},
-					start_or_recv_from = StartFrom} = State) ->
+handle_normal_shutdown(Alert, StateName, #state{static_env = #static_env{role = Role,
+                                                                         socket = Socket,
+                                                                         transport_cb = Transport,
+                                                                         protocol_cb = Connection,
+                                                                         tracker = Tracker},
+                                                handshake_env = #handshake_env{renegotiation = {false, first}},
+                                                start_or_recv_from = StartFrom} = State) ->
     Pids = Connection:pids(State),
-    alert_user(Pids, Transport, Tracker,Socket, StartFrom, Alert, Role, Connection);
+    alert_user(Pids, Transport, Tracker,Socket, StartFrom, Alert, Role, StateName, Connection);
 
 handle_normal_shutdown(Alert, StateName, #state{static_env = #static_env{role = Role,
                                                                          socket = Socket,
@@ -363,9 +364,9 @@ handle_normal_shutdown(Alert, StateName, #state{static_env = #static_env{role =
                                                 socket_options = Opts,
 						start_or_recv_from = RecvFrom} = State) ->
     Pids = Connection:pids(State),
-    alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, RecvFrom, Alert, Role, Connection).
+    alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, RecvFrom, Alert, Role, StateName, Connection).
 
-handle_alert(#alert{level = ?FATAL} = Alert, StateName,
+handle_alert(#alert{level = ?FATAL} = Alert0, StateName,
 	     #state{static_env = #static_env{role = Role,
                                              socket = Socket,
                                              host = Host,
@@ -379,10 +380,11 @@ handle_alert(#alert{level = ?FATAL} = Alert, StateName,
                     session = Session, 
 		    socket_options = Opts} = State) ->
     invalidate_session(Role, Host, Port, Session),
+    Alert = Alert0#alert{role = opposite_role(Role)},
     log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), 
-              StateName, Alert#alert{role = opposite_role(Role)}),
+              StateName, Alert),
     Pids = Connection:pids(State),
-    alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, From, Alert, Role, Connection),
+    alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, From, Alert, Role, StateName, Connection),
     {stop, {shutdown, normal}, State};
 
 handle_alert(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert, 
@@ -392,13 +394,14 @@ handle_alert(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert,
 	    StateName, State) -> 
     handle_normal_shutdown(Alert, StateName, State),
     {stop,{shutdown, peer_close}, State};
-handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName, 
+handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert0, StateName, 
 	     #state{static_env = #static_env{role = Role,
                                              protocol_cb = Connection},
                     handshake_env = #handshake_env{renegotiation = {true, internal}},
                     ssl_options = SslOpts} = State) ->
+    Alert = Alert0#alert{role = opposite_role(Role)},
     log_alert(SslOpts#ssl_options.log_alert, Role, 
-              Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
+              Connection:protocol_name(), StateName, Alert),
     handle_normal_shutdown(Alert, StateName, State),
     {stop,{shutdown, peer_close}, State};
 
@@ -442,8 +445,7 @@ handle_alert(#alert{level = ?WARNING} = Alert, StateName,
 passive_receive(State0 = #state{user_data_buffer = {_,BufferSize,_}}, StateName, Connection, StartTimerAction) ->
     case BufferSize of
 	0 ->
-	    {Record, State} = Connection:next_record(State0),
-	    Connection:next_event(StateName, Record, State, StartTimerAction);
+	    Connection:next_event(StateName, no_record, State0, StartTimerAction);
 	_ ->
 	    case read_application_data(<<>>, State0) of
                 {stop, _, _} = ShutdownError ->
@@ -1188,10 +1190,8 @@ cipher(internal, #finished{verify_data = Data} = Finished,
 cipher(internal, #next_protocol{selected_protocol = SelectedProtocol},
        #state{static_env = #static_env{role = server},
               handshake_env = #handshake_env{expecting_finished = true,
-                                             expecting_next_protocol_negotiation = true} = HsEnv} = State0, Connection) ->
-    {Record, State} = 
-	Connection:next_record(State0),
-    Connection:next_event(?FUNCTION_NAME, Record, 
+                                             expecting_next_protocol_negotiation = true} = HsEnv} = State, Connection) ->
+    Connection:next_event(?FUNCTION_NAME, no_record, 
 			  State#state{handshake_env = HsEnv#handshake_env{negotiated_protocol = SelectedProtocol,
                                                                           expecting_next_protocol_negotiation = false}});
 cipher(internal, #change_cipher_spec{type = <<1>>},  #state{handshake_env = HsEnv, connection_states = ConnectionStates0} =
@@ -1442,7 +1442,7 @@ handle_info({ErrorTag, Socket, econnaborted}, StateName,
 		  } = State)  when StateName =/= connection ->
     Pids = Connection:pids(State),
     alert_user(Pids, Transport, Tracker,Socket, 
-	       StartFrom, ?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), Role, Connection),
+	       StartFrom, ?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), Role, StateName, Connection),
     {stop, {shutdown, normal}, State};
 
 handle_info({ErrorTag, Socket, Reason}, StateName, #state{static_env = #static_env{socket = Socket,
@@ -2861,22 +2861,22 @@ send_user(Pid, Msg) ->
     Pid ! Msg,
     ok.
 
-alert_user(Pids, Transport, Tracker, Socket, connection, Opts, Pid, From, Alert, Role, Connection) ->
-    alert_user(Pids, Transport, Tracker, Socket, Opts#socket_options.active, Pid, From, Alert, Role, Connection);
-alert_user(Pids, Transport, Tracker, Socket,_, _, _, From, Alert, Role, Connection) ->
-    alert_user(Pids, Transport, Tracker, Socket, From, Alert, Role, Connection).
+alert_user(Pids, Transport, Tracker, Socket, connection, Opts, Pid, From, Alert, Role, StateName, Connection) ->
+    alert_user(Pids, Transport, Tracker, Socket, Opts#socket_options.active, Pid, From, Alert, Role, StateName, Connection);
+alert_user(Pids, Transport, Tracker, Socket,_, _, _, From, Alert, Role, StateName, Connection) ->
+    alert_user(Pids, Transport, Tracker, Socket, From, Alert, Role, StateName, Connection).
 
-alert_user(Pids, Transport, Tracker, Socket, From, Alert, Role, Connection) ->
-    alert_user(Pids, Transport, Tracker, Socket, false, no_pid, From, Alert, Role, Connection).
+alert_user(Pids, Transport, Tracker, Socket, From, Alert, Role, StateName, Connection) ->
+    alert_user(Pids, Transport, Tracker, Socket, false, no_pid, From, Alert, Role, StateName, Connection).
 
-alert_user(_, _, _, _, false = Active, Pid, From,  Alert, Role, _) when From =/= undefined ->
+alert_user(_, _, _, _, false = Active, Pid, From,  Alert, Role, StateName, Connection) when From =/= undefined ->
     %% If there is an outstanding ssl_accept | recv
     %% From will be defined and send_or_reply will
     %% send the appropriate error message.
-    ReasonCode = ssl_alert:reason_code(Alert, Role),
+    ReasonCode = ssl_alert:reason_code(Alert, Role, Connection:protocol_name(), StateName),
     send_or_reply(Active, Pid, From, {error, ReasonCode});
-alert_user(Pids, Transport, Tracker, Socket, Active, Pid, From, Alert, Role, Connection) ->
-    case ssl_alert:reason_code(Alert, Role) of
+alert_user(Pids, Transport, Tracker, Socket, Active, Pid, From, Alert, Role, StateName, Connection) ->
+    case ssl_alert:reason_code(Alert, Role, Connection:protocol_name(), StateName) of
 	closed ->
 	    send_or_reply(Active, Pid, From,
 			  {ssl_closed, Connection:socket(Pids, Transport, Socket, Tracker)});
@@ -2887,10 +2887,10 @@ alert_user(Pids, Transport, Tracker, Socket, Active, Pid, From, Alert, Role, Con
 
 log_alert(true, Role, ProtocolName, StateName, #alert{role = Role} = Alert) ->
     Txt = ssl_alert:own_alert_txt(Alert),
-    error_logger:info_report(io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]));
+    error_logger:info_report(ssl_alert:alert_txt(ProtocolName, Role, StateName, Txt));
 log_alert(true, Role, ProtocolName, StateName, Alert) ->
     Txt = ssl_alert:alert_txt(Alert),
-    error_logger:info_report(io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]));
+    error_logger:info_report(ssl_alert:alert_txt(ProtocolName, Role, StateName, Txt));
 log_alert(false, _, _, _, _) ->
     ok.
 
diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl
index 9efd65b2d2..c90fe926b7 100644
--- a/lib/ssl/src/ssl_connection.hrl
+++ b/lib/ssl/src/ssl_connection.hrl
@@ -40,6 +40,7 @@
                      data_tag              :: atom(),   % ex tcp.
                      close_tag             :: atom(),   % ex tcp_closed
                      error_tag             :: atom(),   % ex tcp_error
+                     passive_tag           :: atom(),   % ex tcp_passive
                      host                  :: string() | inet:ip_address(),
                      port                  :: integer(),
                      socket                :: port() | tuple(), %% TODO: dtls socket
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 9ba62b3a12..dea78a876f 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -92,8 +92,8 @@ hello_request() ->
     #hello_request{}.
 
 %%--------------------------------------------------------------------
--spec server_hello(#session{}, ssl_record:ssl_version(), ssl_record:connection_states(),
-		   #hello_extensions{}) -> #server_hello{}.
+%%-spec server_hello(binary(), ssl_record:ssl_version(), ssl_record:connection_states(),
+%%		   Extension::map()) -> #server_hello{}.
 %%
 %% Description: Creates a server hello message.
 %%--------------------------------------------------------------------
@@ -357,7 +357,7 @@ certify(#certificate{asn1_certificates = ASN1Certs}, CertDbHandle, CertDbRef,
                                              CertDbHandle, CertDbRef)
 	end
     catch
-	error:{badmatch,{asn1, Asn1Reason}} ->
+	error:{badmatch,{error, {asn1, Asn1Reason}}} ->
 	    %% ASN-1 decode of certificate somehow failed
             ?ALERT_REC(?FATAL, ?CERTIFICATE_UNKNOWN, {failed_to_decode_certificate, Asn1Reason});
         error:OtherReason ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 57c72aa122..ddd7a8eb7b 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -27,12 +27,12 @@
 
 -define(SECRET_PRINTOUT, "***").
 
--type reason()            :: term().
--type reply()             :: term().
--type msg()               :: term().
--type from()              :: term().
+-type reason()            :: any().
+-type reply()             :: any().
+-type msg()               :: any().
+-type from()              :: any().
 -type certdb_ref()        :: reference().
--type db_handle()         :: term().
+-type db_handle()         :: any().
 -type der_cert()          :: binary().
 -type issuer()            :: tuple().
 -type serialnumber()      :: integer().
@@ -82,25 +82,26 @@
 -define('24H_in_sec', 86400).
 
 -record(ssl_options, {
-	  protocol    :: tls | dtls,
-	  versions    :: [ssl_record:ssl_version()], %% ssl_record:atom_version() in API
-	  verify      :: verify_none | verify_peer,
+	  protocol    :: tls | dtls | 'undefined',
+	  versions    :: [ssl_record:ssl_version()] | 'undefined', %% ssl_record:atom_version() in API
+	  verify      :: verify_none | verify_peer | 'undefined',
 	  verify_fun,  %%:: fun(CertVerifyErrors::term()) -> boolean(),
-	  partial_chain       :: fun(),
-	  fail_if_no_peer_cert ::  boolean(),
-	  verify_client_once   ::  boolean(),
+	  partial_chain       :: fun() | 'undefined',
+	  fail_if_no_peer_cert ::  boolean() | 'undefined',
+	  verify_client_once   ::  boolean() | 'undefined',
 	  %% fun(Extensions, State, Verify, AccError) ->  {Extensions, State, AccError}
 	  validate_extensions_fun, 
-	  depth                :: integer(),
-	  certfile             :: binary(),
+	  depth                :: integer() | 'undefined',
+	  certfile             :: binary() | 'undefined',
 	  cert                 :: public_key:der_encoded() | secret_printout() | 'undefined',
-	  keyfile              :: binary(),
-	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', 
-                                   public_key:der_encoded()} | key_map() | secret_printout() | 'undefined',
+	  keyfile              :: binary() | 'undefined',
+	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo' | 'undefined',
+                                   public_key:der_encoded()} | map()  %%map() -> ssl:key() how to handle dialyzer?
+                                | secret_printout() | 'undefined',
 	  password	       :: string() | secret_printout() | 'undefined',
 	  cacerts              :: [public_key:der_encoded()] | secret_printout() | 'undefined',
-	  cacertfile           :: binary(),
-	  dh                   :: public_key:der_encoded() | secret_printout(),
+	  cacertfile           :: binary() | 'undefined',
+	  dh                   :: public_key:der_encoded() | secret_printout() | 'undefined',
 	  dhfile               :: binary() | secret_printout() | 'undefined',
 	  user_lookup_fun,  % server option, fun to lookup the user
 	  psk_identity         :: binary() | secret_printout() | 'undefined',
@@ -112,23 +113,23 @@
 	  reuse_session        :: fun() | binary() | undefined, %% Server side is a fun()
 	  %% If false sessions will never be reused, if true they
 	  %% will be reused if possible.
-	  reuse_sessions       :: boolean() | save,  %% Only client side can use value save
+	  reuse_sessions       :: boolean() | save | 'undefined',  %% Only client side can use value save
 	  renegotiate_at,
 	  secure_renegotiate,
 	  client_renegotiation,
 	  %% undefined if not hibernating, or number of ms of
 	  %% inactivity after which ssl_connection will go into
 	  %% hibernation
-	  hibernate_after      :: timeout(),          
+	  hibernate_after      :: timeout() | 'undefined',
 	  %% This option should only be set to true by inet_tls_dist
 	  erl_dist = false     :: boolean(),
-          alpn_advertised_protocols = undefined :: [binary()] | undefined ,
+          alpn_advertised_protocols = undefined :: [binary()] | undefined,
           alpn_preferred_protocols = undefined  :: [binary()] | undefined,
 	  next_protocols_advertised = undefined :: [binary()] | undefined,
 	  next_protocol_selector = undefined,  %% fun([binary()]) -> binary())
 	  log_alert             :: boolean(),
 	  server_name_indication = undefined,
-	  sni_hosts  :: [{inet:hostname(), [tuple()]}],
+	  sni_hosts  :: [{inet:hostname(), [tuple()]}] | 'undefined',
 	  sni_fun :: function() | undefined,
 	  %% Should the server prefer its own cipher order over the one provided by
 	  %% the client?
@@ -138,7 +139,7 @@
 	  %%mitigation entirely?
 	  beast_mitigation = one_n_minus_one :: one_n_minus_one | zero_n | disabled,
 	  fallback = false           :: boolean(),
-	  crl_check                  :: boolean() | peer | best_effort, 
+	  crl_check                  :: boolean() | peer | best_effort | 'undefined',
 	  crl_cache,
 	  signature_algs,
 	  eccs,
@@ -178,9 +179,12 @@
                                   password => crypto:password()
                                  }.
 -type state_name()           :: hello | abbreviated | certify | cipher | connection.
--type gen_fsm_state_return() :: {next_state, state_name(), term()} |
-				{next_state, state_name(), term(), timeout()} |
-				{stop, term(), term()}.
+
+-type gen_fsm_state_return() :: {next_state, state_name(), any()} |
+				{next_state, state_name(), any(), timeout()} |
+				{stop, any(), any()}.
+-type ssl_options()          :: #ssl_options{}.
+
 -endif. % -ifdef(ssl_internal).
 
 
diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl
index 3229004c9d..ae05a1f873 100644
--- a/lib/ssl/src/tls_connection.erl
+++ b/lib/ssl/src/tls_connection.erl
@@ -60,7 +60,7 @@
          close/5, protocol_name/0]).
 
 %% Data handling
--export([next_record/1, socket/4, setopts/3, getopts/3]).
+-export([socket/4, setopts/3, getopts/3]).
 
 %% gen_statem state functions
 -export([init/3, error/3, downgrade/3, %% Initiation and take down states
@@ -79,7 +79,7 @@
 %% Setup
 %%====================================================================
 start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = false},_, Tracker} = Opts,
-	  User, {CbModule, _,_, _} = CbInfo, 
+	  User, {CbModule, _,_, _, _} = CbInfo, 
 	  Timeout) -> 
     try 
         {ok, Sender} = tls_sender:start(),
@@ -93,7 +93,7 @@ start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = false},_, Tracker}
     end;
 
 start_fsm(Role, Host, Port, Socket, {#ssl_options{erl_dist = true},_, Tracker} = Opts,
-	  User, {CbModule, _,_, _} = CbInfo, 
+	  User, {CbModule, _,_, _, _} = CbInfo, 
 	  Timeout) -> 
     try 
         {ok, Sender} = tls_sender:start([{spawn_opt, ?DIST_CNTRL_SPAWN_OPTS}]),
@@ -142,32 +142,60 @@ pids(#state{protocol_specific = #{sender := Sender}}) ->
 %%====================================================================
 %% State transition handling
 %%====================================================================
-next_record(#state{handshake_env = 
+next_record(_, #state{handshake_env = 
                        #handshake_env{unprocessed_handshake_events = N} = HsEnv} 
             = State) when N > 0 ->
     {no_record, State#state{handshake_env = 
                                 HsEnv#handshake_env{unprocessed_handshake_events = N-1}}};
-next_record(#state{protocol_buffers =
-                       #protocol_buffers{tls_cipher_texts = [_|_] = CipherTexts},
-                   connection_states = ConnectionStates,
-                   ssl_options = #ssl_options{padding_check = Check}} = State) ->
+next_record(_, #state{protocol_buffers =
+                          #protocol_buffers{tls_cipher_texts = [_|_] = CipherTexts},
+                      connection_states = ConnectionStates,
+                      ssl_options = #ssl_options{padding_check = Check}} = State) ->
     next_record(State, CipherTexts, ConnectionStates, Check);
-next_record(#state{protocol_buffers = #protocol_buffers{tls_cipher_texts = []},
-                   protocol_specific = #{active_n_toggle := true, active_n := N} = ProtocolSpec,
-                   static_env = #static_env{socket = Socket,
-                                            close_tag = CloseTag,
-                                            transport_cb = Transport}  
-                  } = State) ->
-    case tls_socket:setopts(Transport, Socket, [{active, N}]) of
- 	ok ->
-             {no_record, State#state{protocol_specific = ProtocolSpec#{active_n_toggle => false}}}; 
- 	_ ->
-             self() ! {CloseTag, Socket},
-             {no_record, State}
-     end;
-next_record(State) ->
+next_record(connection, #state{protocol_buffers = #protocol_buffers{tls_cipher_texts = []},
+                               protocol_specific = #{active_n_toggle := true}
+                              } = State) ->
+    %% If ssl application user is not reading data wait to activate socket
+    flow_ctrl(State); 
+  
+next_record(_, #state{protocol_buffers = #protocol_buffers{tls_cipher_texts = []},
+                      protocol_specific = #{active_n_toggle := true}
+                     } = State) ->
+    activate_socket(State);
+next_record(_, State) ->
     {no_record, State}.
 
+
+flow_ctrl(#state{user_data_buffer = {_,Size,_},
+                 socket_options = #socket_options{active = false},
+                 bytes_to_read = undefined} = State)  when Size =/= 0 ->
+    {no_record, State};
+flow_ctrl(#state{user_data_buffer = {_,Size,_},
+                 socket_options = #socket_options{active = false},
+                 bytes_to_read = 0} = State)  when Size =/= 0 ->
+    {no_record, State};
+flow_ctrl(#state{user_data_buffer = {_,Size,_}, 
+                 socket_options = #socket_options{active = false},
+                 bytes_to_read = BytesToRead} = State) when (Size >= BytesToRead) andalso
+                                                            (BytesToRead > 0) ->
+    {no_record, State};
+flow_ctrl(State) ->
+    activate_socket(State).
+
+
+activate_socket(#state{protocol_specific = #{active_n_toggle := true, active_n := N} = ProtocolSpec,
+                       static_env = #static_env{socket = Socket,
+                                                close_tag = CloseTag,
+                                                transport_cb = Transport}  
+                      } = State) ->                                                                                                            
+    case tls_socket:setopts(Transport, Socket, [{active, N}]) of
+        ok ->
+            {no_record, State#state{protocol_specific = ProtocolSpec#{active_n_toggle => false}}}; 
+        _ ->
+            self() ! {CloseTag, Socket},
+            {no_record, State}
+    end.
+
 %% Decipher next record and concatenate consecutive ?APPLICATION_DATA records into one
 %%
 next_record(State, CipherTexts, ConnectionStates, Check) ->
@@ -198,32 +226,39 @@ next_record_done(#state{protocol_buffers = Buffers} = State, CipherTexts, Connec
      State#state{protocol_buffers = Buffers#protocol_buffers{tls_cipher_texts = CipherTexts},
                  connection_states = ConnectionStates}}.
 
-
 next_event(StateName, Record, State) ->
     next_event(StateName, Record, State, []).
 %%
 next_event(StateName, no_record, State0, Actions) ->
-    case next_record(State0) of
+    case next_record(StateName, State0) of
  	{no_record, State} ->
             {next_state, StateName, State, Actions};
- 	{#ssl_tls{} = Record, State} ->
- 	    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};
-	#alert{} = Alert ->
-	    {next_state, StateName, State0, [{next_event, internal, Alert} | Actions]}
+        {Record, State} ->
+            next_event(StateName, Record, State, Actions)
     end;
-next_event(StateName, Record, State, Actions) ->
-    case Record of
-	no_record ->
-	    {next_state, StateName, State, Actions};
-	#ssl_tls{} = Record ->
-	    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};
-	#alert{} = Alert ->
-	    {next_state, StateName, State, [{next_event, internal, Alert} | Actions]}
-    end.
+next_event(StateName,  #ssl_tls{} = Record, State, Actions) ->
+    {next_state, StateName, State, [{next_event, internal, {protocol_record, Record}} | Actions]};
+next_event(StateName,  #alert{} = Alert, State, Actions) ->
+    {next_state, StateName, State, [{next_event, internal, Alert} | Actions]}.
 
 
 %%% TLS record protocol level application data messages 
-
+handle_protocol_record(#ssl_tls{type = ?APPLICATION_DATA, fragment = Data}, StateName, 
+                       #state{start_or_recv_from = From,
+                              socket_options = #socket_options{active = false}} = State0) when From =/= undefined ->
+    case ssl_connection:read_application_data(Data, State0) of
+       {stop, _, _} = Stop->
+            Stop;
+       {Record, #state{start_or_recv_from = Caller} = State1} ->
+            TimerAction = case Caller of
+                              undefined -> %% Passive recv complete cancel timer
+                                  [{{timeout, recv}, infinity, timeout}];
+                              _ ->
+                                  []
+                          end,
+            {next_state, StateName, State, Actions} = next_event(StateName, Record, State1, TimerAction), 
+            ssl_connection:hibernate_after(StateName, State, Actions)
+    end;
 handle_protocol_record(#ssl_tls{type = ?APPLICATION_DATA, fragment = Data}, StateName, State0) ->
     case ssl_connection:read_application_data(Data, State0) of
 	{stop, _, _} = Stop->
@@ -255,8 +290,7 @@ handle_protocol_record(#ssl_tls{type = ?HANDSHAKE, fragment = Data},
                     _ ->
                         HsEnv = State#state.handshake_env,
                         {next_state, StateName, 
-                         State#state{protocol_buffers = Buffers,
-                                     handshake_env = 
+                         State#state{handshake_env = 
                                          HsEnv#handshake_env{unprocessed_handshake_events 
                                                              = unprocessed_events(Events)}}, Events}
                 end
@@ -745,7 +779,7 @@ downgrade(Type, Event, State) ->
 callback_mode() ->
     state_functions.
 
-terminate({shutdown, sender_died, Reason}, _StateName,
+terminate({shutdown, {sender_died, Reason}}, _StateName,
           #state{static_env = #static_env{socket = Socket, 
                                           transport_cb = Transport}} 
           = State) ->
@@ -765,7 +799,7 @@ code_change(_OldVsn, StateName, State, _) ->
 %%% Internal functions
 %%--------------------------------------------------------------------
 initial_state(Role, Sender, Host, Port, Socket, {SSLOptions, SocketOptions, Tracker}, User,
-	      {CbModule, DataTag, CloseTag, ErrorTag}) ->
+	      {CbModule, DataTag, CloseTag, ErrorTag, PassiveTag}) ->
     #ssl_options{beast_mitigation = BeastMitigation,
                  erl_dist = IsErlDist} = SSLOptions,
     ConnectionStates = tls_record:init_connection_states(Role, BeastMitigation),
@@ -790,6 +824,7 @@ initial_state(Role, Sender, Host, Port, Socket, {SSLOptions, SocketOptions, Trac
                      data_tag = DataTag,
                      close_tag = CloseTag,
                      error_tag = ErrorTag,
+                     passive_tag = PassiveTag,
                      host = Host,
                      port = Port,
                      socket = Socket,
@@ -853,7 +888,7 @@ next_tls_record(Data, StateName,
     case tls_record:get_tls_records(Data, Versions, Buf0) of
 	{Records, Buf1} ->
 	    CT1 = CT0 ++ Records,
-	    next_record(State0#state{protocol_buffers =
+	    next_record(StateName, State0#state{protocol_buffers =
 					 Buffers#protocol_buffers{tls_record_buffer = Buf1,
 								  tls_cipher_texts = CT1}});
 	#alert{} = Alert ->
@@ -879,8 +914,9 @@ handle_info({Protocol, _, Data}, StateName,
 	    ssl_connection:handle_normal_shutdown(Alert, StateName, State0), 
 	    {stop, {shutdown, own_alert}, State0}
     end;
-handle_info({tcp_passive, Socket},  StateName, 
-            #state{static_env = #static_env{socket = Socket},
+handle_info({PassiveTag, Socket},  StateName, 
+            #state{static_env = #static_env{socket = Socket,
+                                            passive_tag = PassiveTag},
                    protocol_specific = PS
                   } = State) ->
     next_event(StateName, no_record, 
@@ -922,7 +958,7 @@ handle_info({CloseTag, Socket}, StateName,
     end;
 handle_info({'EXIT', Sender, Reason}, _,
             #state{protocol_specific = #{sender := Sender}} = State) ->
-    {stop, {shutdown, sender_died, Reason}, State};
+    {stop, {shutdown, {sender_died, Reason}}, State};
 handle_info(Msg, StateName, State) ->
     ssl_connection:StateName(info, Msg, State, ?MODULE).
 
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 0f0de5936a..c2b0d8e039 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -157,7 +157,7 @@ encode_handshake(Package, Version) ->
 %%--------------------------------------------------------------------
 -spec get_tls_handshake(tls_record:tls_version(), binary(), binary() | iolist(), 
                         #ssl_options{}) ->
-     {[tls_handshake()], binary()}.
+     {[{tls_handshake(), binary()}], binary()}.
 %%
 %% Description: Given buffered and new data from ssl_record, collects
 %% and returns it as a list of handshake messages, also returns leftover
diff --git a/lib/ssl/src/tls_record.erl b/lib/ssl/src/tls_record.erl
index b456197398..38022030ee 100644
--- a/lib/ssl/src/tls_record.erl
+++ b/lib/ssl/src/tls_record.erl
@@ -577,16 +577,18 @@ encode_fragments(_Type, _Version, _Data, CS, _CompS, _CipherS, _Seq, _CipherFrag
 
 %% 1/n-1 splitting countermeasure Rizzo/Duong-Beast, RC4 chiphers are
 %% not vulnerable to this attack.
-split_iovec([<<FirstByte:8, Rest/binary>>|Data], Version, BCA, one_n_minus_one)
+split_iovec(Data, Version, BCA, one_n_minus_one)
   when (BCA =/= ?RC4) andalso ({3, 1} == Version orelse
                                {3, 0} == Version) ->
-    [[FirstByte]|split_iovec([Rest|Data])];
+    {Part, RestData} = split_iovec(Data, 1, []),
+    [Part|split_iovec(RestData)];
 %% 0/n splitting countermeasure for clients that are incompatible with 1/n-1
 %% splitting.
 split_iovec(Data, Version, BCA, zero_n)
   when (BCA =/= ?RC4) andalso ({3, 1} == Version orelse
                                {3, 0} == Version) ->
-    [<<>>|split_iovec(Data)];
+    {Part, RestData} = split_iovec(Data, 0, []),
+    [Part|split_iovec(RestData)];
 split_iovec(Data, _Version, _BCA, _BeatMitigation) ->
     split_iovec(Data).
 
@@ -596,16 +598,16 @@ split_iovec(Data) ->
     {Part,Rest} = split_iovec(Data, ?MAX_PLAIN_TEXT_LENGTH, []),
     [Part|split_iovec(Rest)].
 %%
-split_iovec([Bin|Data], SplitSize, Acc) ->
+split_iovec([Bin|Data] = Bin_Data, SplitSize, Acc) ->
     BinSize = byte_size(Bin),
     if
+        BinSize =< SplitSize ->
+            split_iovec(Data, SplitSize - BinSize, [Bin|Acc]);
+        SplitSize == 0 ->
+            {lists:reverse(Acc), Bin_Data};
         SplitSize < BinSize ->
             {Last, Rest} = erlang:split_binary(Bin, SplitSize),
-            {lists:reverse(Acc, [Last]), [Rest|Data]};
-        BinSize < SplitSize ->
-            split_iovec(Data, SplitSize - BinSize, [Bin|Acc]);
-        true -> % Perfect match
-            {lists:reverse(Acc, [Bin]), Data}
+            {lists:reverse(Acc, [Last]), [Rest|Data]}
     end;
 split_iovec([], _SplitSize, Acc) ->
     {lists:reverse(Acc),[]}.
diff --git a/lib/ssl/src/tls_socket.erl b/lib/ssl/src/tls_socket.erl
index c3c41d3e12..6c32e6fa04 100644
--- a/lib/ssl/src/tls_socket.erl
+++ b/lib/ssl/src/tls_socket.erl
@@ -46,7 +46,7 @@
 send(Transport, Socket, Data) ->
     Transport:send(Socket, Data).
 
-listen(Transport, Port, #config{transport_info = {Transport, _, _, _}, 
+listen(Transport, Port, #config{transport_info = {Transport, _, _, _, _}, 
 				inet_user = Options, 
 				ssl = SslOpts, emulated = EmOpts} = Config) ->
     case Transport:listen(Port, Options ++ internal_inet_values()) of
@@ -59,7 +59,7 @@ listen(Transport, Port, #config{transport_info = {Transport, _, _, _},
 	    Err
     end.
 
-accept(ListenSocket, #config{transport_info = {Transport,_,_,_} = CbInfo,
+accept(ListenSocket, #config{transport_info = {Transport,_,_,_,_} = CbInfo,
 			     connection_cb = ConnectionCb,
 			     ssl = SslOpts,
 			     emulated = Tracker}, Timeout) -> 
@@ -80,7 +80,7 @@ accept(ListenSocket, #config{transport_info = {Transport,_,_,_} = CbInfo,
 	    {error, Reason}
     end.
 
-upgrade(Socket, #config{transport_info = {Transport,_,_,_}= CbInfo,
+upgrade(Socket, #config{transport_info = {Transport,_,_,_,_}= CbInfo,
 			ssl = SslOptions,
 			emulated = EmOpts, connection_cb = ConnectionCb}, Timeout) ->
     ok = setopts(Transport, Socket, tls_socket:internal_inet_values()),
@@ -98,7 +98,7 @@ connect(Address, Port,
 	#config{transport_info = CbInfo, inet_user = UserOpts, ssl = SslOpts,
 		emulated = EmOpts, inet_ssl = SocketOpts, connection_cb = ConnetionCb},
 	Timeout) ->
-    {Transport, _, _, _} = CbInfo,
+    {Transport, _, _, _, _} = CbInfo,
     try Transport:connect(Address, Port,  SocketOpts, Timeout) of
 	{ok, Socket} ->
 	    ssl_connection:connect(ConnetionCb, Address, Port, Socket, 
@@ -125,7 +125,7 @@ setopts(gen_tcp, Socket = #sslsocket{pid = {ListenSocket, #config{emulated = Tra
     ok = set_emulated_opts(Tracker, EmulatedOpts),
     check_active_n(EmulatedOpts, Socket),
     inet:setopts(ListenSocket, SockOpts);
-setopts(_, Socket = #sslsocket{pid = {ListenSocket, #config{transport_info = {Transport,_,_,_},
+setopts(_, Socket = #sslsocket{pid = {ListenSocket, #config{transport_info = {Transport,_,_,_,_},
 						  emulated = Tracker}}}, Options) ->
     {SockOpts, EmulatedOpts} = split_options(Options),
     ok = set_emulated_opts(Tracker, EmulatedOpts),
diff --git a/lib/ssl/test/ssl_ECC_SUITE.erl b/lib/ssl/test/ssl_ECC_SUITE.erl
index ca8d0ec70c..c64358960c 100644
--- a/lib/ssl/test/ssl_ECC_SUITE.erl
+++ b/lib/ssl/test/ssl_ECC_SUITE.erl
@@ -212,7 +212,7 @@ client_ecdsa_server_ecdsa_with_raw_key(Config)  when is_list(Config) ->
 
 ecc_default_order(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -227,7 +227,7 @@ ecc_default_order(Config) ->
 
 ecc_default_order_custom_curves(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -242,7 +242,7 @@ ecc_default_order_custom_curves(Config) ->
 
 ecc_client_order(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -257,7 +257,7 @@ ecc_client_order(Config) ->
 
 ecc_client_order_custom_curves(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                         {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa,
@@ -282,7 +282,7 @@ ecc_unknown_curve(Config) ->
 
 client_ecdh_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default},
                                                        {client_chain, Default}], 
                                                         ecdh_rsa, ecdhe_ecdsa, Config),
@@ -296,7 +296,7 @@ client_ecdh_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
 
 client_ecdh_rsa_server_ecdhe_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                         ecdh_rsa, ecdhe_rsa, Config),
@@ -311,7 +311,7 @@ client_ecdh_rsa_server_ecdhe_rsa_server_custom(Config) ->
 
 client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                         ecdhe_rsa, ecdhe_ecdsa, Config),
@@ -325,7 +325,7 @@ client_ecdhe_rsa_server_ecdhe_ecdsa_server_custom(Config) ->
 
 client_ecdhe_rsa_server_ecdhe_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}], 
                                                         ecdhe_rsa, ecdhe_rsa, Config),
@@ -339,7 +339,7 @@ client_ecdhe_rsa_server_ecdhe_rsa_server_custom(Config) ->
      end.
 client_ecdhe_rsa_server_ecdh_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     Ext = x509_test:extensions([{key_usage, [keyEncipherment]}]),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, [[], [], [{extensions, Ext}]]},
                                                          {client_chain, Default}], 
@@ -357,7 +357,7 @@ client_ecdhe_rsa_server_ecdh_rsa_server_custom(Config) ->
 
 client_ecdhe_ecdsa_server_ecdhe_ecdsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                        {client_chain, Default}], 
                                                         ecdhe_ecdsa, ecdhe_ecdsa, Config),
@@ -371,7 +371,7 @@ client_ecdhe_ecdsa_server_ecdhe_ecdsa_server_custom(Config) ->
 
 client_ecdhe_ecdsa_server_ecdhe_rsa_server_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_rsa, Config),
@@ -385,7 +385,7 @@ client_ecdhe_ecdsa_server_ecdhe_rsa_server_custom(Config) ->
 
 client_ecdhe_ecdsa_server_ecdhe_ecdsa_client_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                        {client_chain, Default}],
                                                         ecdhe_ecdsa, ecdhe_ecdsa, Config),
@@ -399,7 +399,7 @@ client_ecdhe_ecdsa_server_ecdhe_ecdsa_client_custom(Config) ->
 
 client_ecdhe_rsa_server_ecdhe_ecdsa_client_custom(Config) ->
     Default = ssl_test_lib:default_cert_chain_conf(),
-    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(0))),
+    DefaultCurve = pubkey_cert_records:namedCurves(hd(tls_v1:ecc_curves(1))),
     {COpts0, SOpts0} = ssl_test_lib:make_ec_cert_chains([{server_chain, Default}, 
                                                          {client_chain, Default}],
                                                          ecdhe_rsa, ecdhe_ecdsa, Config),
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index e86d2eaf9e..4452adaea7 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -575,11 +575,10 @@ alerts(Config) when is_list(Config) ->
     Alerts = [?ALERT_REC(?WARNING, ?CLOSE_NOTIFY) | 
 	      [?ALERT_REC(?FATAL, Desc) || Desc <- Descriptions]],
     lists:foreach(fun(Alert) ->
-			case ssl_alert:alert_txt(Alert) of
-			    Txt when is_list(Txt) ->
-				ok;
-			    Other ->
-				ct:fail({unexpected, Other})
+                          try ssl_alert:alert_txt(Alert)
+                          catch
+			    C:E:T ->
+                                  ct:fail({unexpected, {C, E, T}})
 			end 
 		  end, Alerts).
 %%--------------------------------------------------------------------
@@ -1859,14 +1858,12 @@ eccs() ->
 
 eccs(Config) when is_list(Config) ->
     [_|_] = All = ssl:eccs(),
-    [] = SSL3 = ssl:eccs({3,0}),
-    [_|_] = Tls = ssl:eccs({3,1}),
-    [_|_] = Tls1 = ssl:eccs({3,2}),
-    [_|_] = Tls2 = ssl:eccs({3,3}),
     [] = SSL3 = ssl:eccs(sslv3),
     [_|_] = Tls = ssl:eccs(tlsv1),
     [_|_] = Tls1 = ssl:eccs('tlsv1.1'),
     [_|_] = Tls2 = ssl:eccs('tlsv1.2'),
+    [_|_] = Tls1 = ssl:eccs('dtlsv1'),
+    [_|_] = Tls2 = ssl:eccs('dtlsv1.2'),
     %% ordering is currently unverified by the test
     true = lists:sort(All) =:= lists:usort(SSL3 ++ Tls ++ Tls1 ++ Tls2),
     ok.
@@ -3849,7 +3846,7 @@ listen_socket(Config) ->
     {error, enotconn} = ssl:peername(ListenSocket),
     {error, enotconn} = ssl:peercert(ListenSocket),
     {error, enotconn} = ssl:renegotiate(ListenSocket),
-    {error, enotconn} = ssl:prf(ListenSocket, 'master_secret', <<"Label">>, client_random, 256),
+    {error, enotconn} = ssl:prf(ListenSocket, 'master_secret', <<"Label">>, [client_random], 256),
     {error, enotconn} = ssl:shutdown(ListenSocket, read_write),
 
     ok = ssl:close(ListenSocket).
@@ -4063,7 +4060,7 @@ tls_tcp_error_propagation_in_active_mode(Config) when is_list(Config) ->
     [_, _,_, _, Prop] = StatusInfo,
     State = ssl_test_lib:state(Prop),
     StaticEnv = element(2, State),
-    Socket = element(10, StaticEnv),
+    Socket = element(11, StaticEnv),
     %% Fake tcp error
     Pid ! {tcp_error, Socket, etimedout},
 
diff --git a/lib/ssl/test/ssl_certificate_verify_SUITE.erl b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
index c0a5367a57..653a8d58bd 100644
--- a/lib/ssl/test/ssl_certificate_verify_SUITE.erl
+++ b/lib/ssl/test/ssl_certificate_verify_SUITE.erl
@@ -89,7 +89,8 @@ tests() ->
      critical_extension_verify_server,
      critical_extension_verify_none,
      customize_hostname_check,
-     incomplete_chain
+     incomplete_chain,
+     long_chain
     ].
 
 error_handling_tests()->
@@ -447,7 +448,7 @@ server_require_peer_cert_partial_chain_fun_fail(Config) when is_list(Config) ->
     [{_,_,_}, {_, IntermidiateCA, _} | _] = public_key:pem_decode(ServerCAs),
 
     PartialChain =  fun(_CertChain) ->
-                            ture = false %% crash on purpose
+                            true = false %% crash on purpose
 		    end,
 
     Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, 0},
@@ -1156,6 +1157,44 @@ incomplete_chain(Config) when is_list(Config) ->
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
 
+long_chain() ->
+    [{doc,"Test option verify_peer"}].
+long_chain(Config) when is_list(Config) ->      
+    #{server_config := ServerConf,
+      client_config := ClientConf} = public_key:pkix_test_data(#{server_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(1)}],
+                                                                                  intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}], 
+                                                                                                    [{key, ssl_test_lib:hardcode_rsa_key(3)}],
+                                                                                                    [{key, ssl_test_lib:hardcode_rsa_key(4)}]],
+                                                                                  peer => [{key, ssl_test_lib:hardcode_rsa_key(5)}]},
+                                                                 client_chain => #{root => [{key, ssl_test_lib:hardcode_rsa_key(3)}], 
+                                                                                  intermediates => [[{key, ssl_test_lib:hardcode_rsa_key(2)}]],
+                                                                                  peer => [{key, ssl_test_lib:hardcode_rsa_key(1)}]}}), 
+    [ServerRoot| _] = ServerCas = proplists:get_value(cacerts, ServerConf),
+    ClientCas = proplists:get_value(cacerts, ClientConf),
+    
+    Active = proplists:get_value(active, Config),
+    ReceiveFunction =  proplists:get_value(receive_function, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+                                        {mfa, {ssl_test_lib, ReceiveFunction, []}},
+                                        {options, [{active, Active}, {verify, verify_peer},
+                                                   {cacerts, [ServerRoot]} |  
+                                                   proplists:delete(cacerts, ServerConf)]}]),
+    Port  = ssl_test_lib:inet_port(Server),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+                                        {from, self()},
+                                        {mfa, {ssl_test_lib, ReceiveFunction, []}},
+                                        {options, [{active, Active}, 
+                                                   {verify, verify_peer},
+                                                   {depth, 5},
+                                                   {cacerts,  ServerCas ++ ClientCas} | 
+                                                   proplists:delete(cacerts, ClientConf)]}]),
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
 
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
diff --git a/lib/ssl/test/ssl_payload_SUITE.erl b/lib/ssl/test/ssl_payload_SUITE.erl
index 27b9c258a0..2d0ffd03d7 100644
--- a/lib/ssl/test/ssl_payload_SUITE.erl
+++ b/lib/ssl/test/ssl_payload_SUITE.erl
@@ -48,21 +48,27 @@ groups() ->
 
 payload_tests() ->
     [server_echos_passive_small,
+     server_echos_passive_chunk_small,
      server_echos_active_once_small,
      server_echos_active_small,
      client_echos_passive_small,
+     client_echos_passive_chunk_small,
      client_echos_active_once_small,
      client_echos_active_small,
      server_echos_passive_big,
+     server_echos_passive_chunk_big,
      server_echos_active_once_big,
      server_echos_active_big,
      client_echos_passive_big,
+     client_echos_passive_chunk_big,
      client_echos_active_once_big,
      client_echos_active_big,
      server_echos_passive_huge,
+     server_echos_passive_chunk_huge,
      server_echos_active_once_huge,
      server_echos_active_huge,
      client_echos_passive_huge,
+     client_echos_passive_chunk_huge,
      client_echos_active_once_huge,
      client_echos_active_huge,
      client_active_once_server_close].
@@ -109,9 +115,11 @@ end_per_group(GroupName, Config) ->
 
 init_per_testcase(TestCase, Config)
   when TestCase == server_echos_passive_huge;
+       TestCase == server_echos_passive_chunk_huge;
        TestCase == server_echos_active_once_huge;
        TestCase == server_echos_active_huge;
        TestCase == client_echos_passive_huge;
+       TestCase == client_echos_passive_chunk_huge;
        TestCase == client_echos_active_once_huge;
        TestCase == client_echos_active_huge ->
     case erlang:system_info(system_architecture) of
@@ -124,9 +132,11 @@ init_per_testcase(TestCase, Config)
 
 init_per_testcase(TestCase, Config)
   when TestCase == server_echos_passive_big;
+       TestCase == server_echos_passive_chunk_big;
        TestCase == server_echos_active_once_big;
        TestCase == server_echos_active_big;
        TestCase == client_echos_passive_big;
+       TestCase == client_echos_passive_chunk_big;
        TestCase == client_echos_active_once_big;
        TestCase == client_echos_active_big ->
     ct:timetrap({seconds, 60}),
@@ -157,6 +167,22 @@ server_echos_passive_small(Config) when is_list(Config) ->
 
 %%--------------------------------------------------------------------
 
+server_echos_passive_chunk_small() ->
+    [{doc, "Client sends 1000 bytes in passive mode to server, that receives them in chunks, "
+     "sends them back, and closes."}].
+
+server_echos_passive_chunk_small(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    %%
+    Data = binary:copy(<<"1234567890">>, 100),
+    server_echos_passive_chunk(
+      Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
+
+
+%%--------------------------------------------------------------------
+
 server_echos_active_once_small() ->
     [{doc, "Client sends 1000 bytes in active once mode to server, that receives "
      " them, sends them back, and closes."}].
@@ -200,6 +226,21 @@ client_echos_passive_small(Config) when is_list(Config) ->
       Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
 
 %%--------------------------------------------------------------------
+client_echos_passive_chunk__small() ->
+    [{doc, "Server sends 1000 bytes in passive mode to client, that receives them in chunks, "
+      "sends them back, and closes."}].
+
+client_echos_passive_chunk_small(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    %%
+    Data = binary:copy(<<"1234567890">>, 100),
+    client_echos_passive_chunk(
+      Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
+
+
+%%--------------------------------------------------------------------
 client_echos_active_once_small() ->
     ["Server sends 1000 bytes in active once mode to client, that receives "
      "them, sends them back, and closes."].
@@ -241,6 +282,19 @@ server_echos_passive_big(Config) when is_list(Config) ->
     Data = binary:copy(<<"1234567890">>, 5000),
     server_echos_passive(
       Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
+%%--------------------------------------------------------------------
+server_echos_passive_chunk_big() ->
+    [{doc, "Client sends 50000 bytes to server in passive mode, that receives them, "
+     "sends them back, and closes."}].
+
+server_echos_passive_chunk_big(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    %%
+    Data = binary:copy(<<"1234567890">>, 5000),
+    server_echos_passive_chunk(
+      Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
 
 %%--------------------------------------------------------------------
 
@@ -286,6 +340,22 @@ client_echos_passive_big(Config) when is_list(Config) ->
     client_echos_passive(
       Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
 
+
+%%--------------------------------------------------------------------
+client_echos_passive_chunk_big() ->
+    [{doc, "Server sends 50000 bytes to client in passive mode, that receives them, "
+     "sends them back, and closes."}].
+
+client_echos_passive_chunk_big(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    %%
+    Data = binary:copy(<<"1234567890">>, 5000),
+    client_echos_passive_chunk(
+      Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
+
+
 %%--------------------------------------------------------------------
 client_echos_active_once_big() ->
     [{doc, "Server sends 50000 bytes to client in active once mode, that receives"
@@ -329,6 +399,20 @@ server_echos_passive_huge(Config) when is_list(Config) ->
       Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
 
 %%--------------------------------------------------------------------
+server_echos_passive_chunk_huge() ->
+    [{doc, "Client sends 500000 bytes to server in passive mode, that receives "
+      " them, sends them back, and closes."}].
+
+server_echos_passive_chunk_huge(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    %%
+    Data = binary:copy(<<"1234567890">>, 50000),
+    server_echos_passive_chunk(
+      Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
+
+%%--------------------------------------------------------------------
 server_echos_active_once_huge() ->
     [{doc, "Client sends 500000 bytes to server in active once mode, that receives "
       "them, sends them back, and closes."}].
@@ -369,7 +453,19 @@ client_echos_passive_huge(Config) when is_list(Config) ->
     Data = binary:copy(<<"1234567890">>, 50000),
     client_echos_passive(
       Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
+%%--------------------------------------------------------------------
+client_echos_passive_chunk_huge() ->
+    [{doc, "Server sends 500000 bytes to client in passive mode, that receives "
+     "them, sends them back, and closes."}].
 
+client_echos_passive_chunk_huge(Config) when is_list(Config) -> 
+    ClientOpts = ssl_test_lib:ssl_options(client_opts, Config),
+    ServerOpts = ssl_test_lib:ssl_options(server_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    %%
+    Data = binary:copy(<<"1234567890">>, 50000),
+    client_echos_passive_chunk(
+      Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname).
 %%--------------------------------------------------------------------
 client_echos_active_once_huge() ->
     [{doc, "Server sends 500000 bytes to client in active once mode, that receives "
@@ -442,6 +538,28 @@ server_echos_passive(
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
 
+server_echos_passive_chunk(
+  Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname) ->
+    Length = byte_size(Data),
+    Server =
+        ssl_test_lib:start_server(
+          [{node, ServerNode}, {port, 0},
+           {from, self()},
+           {mfa, {?MODULE, echoer_chunk, [Length]}},
+           {options, [{active, false}, {mode, binary} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client =
+        ssl_test_lib:start_client(
+          [{node, ClientNode}, {port, Port},
+           {host, Hostname},
+           {from, self()},
+           {mfa, {?MODULE, sender, [Data]}},
+           {options, [{active, false}, {mode, binary} | ClientOpts]}]),
+    %%
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    %%
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
 
 server_echos_active_once(
   Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname) ->
@@ -513,6 +631,31 @@ client_echos_passive(
     ssl_test_lib:close(Server),
     ssl_test_lib:close(Client).
 
+
+client_echos_passive_chunk(
+  Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname) ->
+    Length = byte_size(Data),
+    Server =
+        ssl_test_lib:start_server(
+          [{node, ServerNode}, {port, 0},
+           {from, self()},
+           {mfa, {?MODULE, sender, [Data]}},
+           {options, [{active, false}, {mode, binary} | ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+    Client =
+        ssl_test_lib:start_client(
+          [{node, ClientNode}, {port, Port},
+           {host, Hostname},
+           {from, self()},
+           {mfa, {?MODULE, echoer_chunk, [Length]}},
+           {options, [{active, false}, {mode, binary} | ClientOpts]}]),
+    %%
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    %%
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
+
+
 client_echos_active_once(
   Data, ClientOpts, ServerOpts, ClientNode, ServerNode, Hostname) ->
     Length = byte_size(Data),
@@ -615,6 +758,10 @@ echoer(Socket, Size) ->
     ct:log("Echoer recv: ~p~n", [ssl:getopts(Socket, [active])]),
     echo_recv(Socket, Size * 100).
 
+echoer_chunk(Socket, Size) ->
+    ct:log("Echoer recv: ~p~n", [ssl:getopts(Socket, [active])]),
+    echo_recv_chunk(Socket, Size, Size * 100).
+
 echoer_active_once(Socket, Size) ->
     ct:log("Echoer active once: ~p~n", [ssl:getopts(Socket, [active])]),
     echo_active_once(Socket, Size * 100).
@@ -632,6 +779,16 @@ echo_recv(Socket, Size) ->
     ok = ssl:send(Socket, Data),
     echo_recv(Socket, Size - byte_size(Data)).
 
+
+%% Receive Size bytes
+echo_recv_chunk(_Socket, _, 0) ->
+    ok;
+echo_recv_chunk(Socket, ChunkSize, Size) ->
+    {ok, Data} = ssl:recv(Socket, ChunkSize),
+    ok = ssl:send(Socket, Data),
+    echo_recv_chunk(Socket, ChunkSize, Size - ChunkSize).
+
+
 %% Receive Size bytes
 echo_active_once(_Socket, 0) ->
     ok;
diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl
index c6a4a45dce..bfed7d6fda 100644
--- a/lib/ssl/test/ssl_test_lib.erl
+++ b/lib/ssl/test/ssl_test_lib.erl
@@ -440,14 +440,17 @@ check_result(Pid, Msg) ->
     end.
 check_server_alert(Pid, Alert) ->
     receive
-	{Pid, {error, {tls_alert, {Alert, _}}}} ->
+	{Pid, {error, {tls_alert, {Alert, STxt}}}} ->
+            check_server_txt(STxt),
             ok
     end.
 check_server_alert(Server, Client, Alert) ->
     receive
-	{Server, {error, {tls_alert, {Alert, _}}}} ->
+	{Server, {error, {tls_alert, {Alert, STxt}}}} ->
+            check_server_txt(STxt),
 	    receive
-		{Client, {error, {tls_alert, {Alert, _}}}} ->
+		{Client, {error, {tls_alert, {Alert, CTxt}}}} ->
+                    check_client_txt(CTxt),
 		    ok;
 		{Client, {error, closed}} ->
 		    ok
@@ -455,20 +458,35 @@ check_server_alert(Server, Client, Alert) ->
     end.
 check_client_alert(Pid, Alert) ->
     receive
-	{Pid, {error, {tls_alert, {Alert, _}}}} ->
+	{Pid, {error, {tls_alert, {Alert, CTxt}}}} ->
+            check_client_txt(CTxt),
             ok
     end.
 check_client_alert(Server, Client, Alert) ->
     receive
-	{Client, {error, {tls_alert, {Alert, _}}}} ->
+	{Client, {error, {tls_alert, {Alert, CTxt}}}} ->
+            check_client_txt(CTxt),
 	    receive
-		{Server, {error, {tls_alert, {Alert, _}}}} ->
+		{Server, {error, {tls_alert, {Alert, STxt}}}} ->
+                      check_server_txt(STxt),
 		    ok;
 		{Server, {error, closed}} ->
 		    ok
 	    end
     end.
+check_server_txt("TLS server" ++ _) ->
+    ok;
+check_server_txt("DTLS server" ++ _) ->
+    ok;
+check_server_txt(Txt) ->
+    ct:fail({expected_server, {got, Txt}}).
 
+check_client_txt("TLS client" ++ _) ->
+    ok;
+check_client_txt("DTLS client" ++ _) ->
+    ok;
+check_client_txt(Txt) ->
+    ct:fail({expected_server, {got, Txt}}).
 
 wait_for_result(Server, ServerMsg, Client, ClientMsg) -> 
     receive 
@@ -1850,6 +1868,14 @@ check_sane_openssl_version(Version) ->
 	    case {Version, os:cmd("openssl version")} of
                 {'sslv3', "OpenSSL 1.0.2" ++ _} ->
                     false;
+                {'dtlsv1', "OpenSSL 0" ++ _} ->
+		    false;
+		{'dtlsv1.2', "OpenSSL 0" ++ _} ->
+		    false;
+                {'dtlsv1.2', "OpenSSL 1.0.2" ++ _} ->
+		    false;
+		{'dtlsv1',  "OpenSSL 1.0.0" ++ _} ->
+		    false;
                 {'dtlsv1', _} ->
 		    not is_fips(openssl);
 		{'dtlsv1.2', _} ->
@@ -1862,18 +1888,10 @@ check_sane_openssl_version(Version) ->
 		    false;
 		{'tlsv1.1', "OpenSSL 1.0.0" ++ _} ->
 		    false;
-                {'dtlsv1.2', "OpenSSL 1.0.2" ++ _} ->
-		    false;
-		{'dtlsv1',  "OpenSSL 1.0.0" ++ _} ->
-		    false;
 		{'tlsv1.2', "OpenSSL 0" ++ _} ->
 		    false;
 		{'tlsv1.1', "OpenSSL 0" ++ _} ->
 		    false;
-                {'dtlsv1', "OpenSSL 0" ++ _} ->
-		    false;
-		{'dtlsv1.2', "OpenSSL 0" ++ _} ->
-		    false;
 		{_, _} ->
 		    true
 	    end;
diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk
index 0d9f907d5c..453735710b 100644
--- a/lib/ssl/vsn.mk
+++ b/lib/ssl/vsn.mk
@@ -1 +1 @@
-SSL_VSN = 9.2
+SSL_VSN = 9.2.3.3