From 1b06210c16465bcb995b0a54ba1b24ef1de3c5a4 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Tue, 25 Aug 2015 18:19:38 +0200
Subject: ssl: Improve shutdown logic

Add possibility to downgrade an SSL/TLS connection to a tcp connection,
and give back the socket control to a user process.

Add application setting to be able to change fatal alert shutdown
timeout, also shorten the  default timeout. The fatal alert timeout is
the number of milliseconds between sending of a fatal alert and
closing the connection. Waiting a little while improves the
peers chances to properly receiving the alert so it may
shutdown gracefully.
---
 lib/ssl/doc/src/ssl_app.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'lib/ssl/doc/src/ssl_app.xml')

diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 2b6dc7e8be..51ce0cedf1 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -87,6 +87,17 @@
 	    marker="ssl#clear_pem_cache-0">ssl:clear_pem_cache/0</seealso>
 	
       </item>
+      <tag><c><![CDATA[alert_timeout = integer() <optional>]]></c></tag>
+      <item>
+	<p>
+	  Number of milliseconds between sending of a fatal alert and
+	  closing the connection. Waiting a little while improves the
+	  peers chances to properly receiving the alert so it may
+	  shutdown gracefully. Defaults to 5000 milliseconds.   
+	</p>
+      </item>
+
+      
     </taglist>
   </section>
 
-- 
cgit v1.2.3


From 42b8a29dbae1d626f32bc16dd81a129caf741138 Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 16 Nov 2015 21:58:36 +0100
Subject: ssl: Add upper limit for session cache

If upper limit is reached invalidate the current cache entries, e.i the session
lifetime is the max time a session will be keept, but it may be invalidated
earlier if the max limit for the table is reached. This will keep the ssl
manager process well behaved, not exhusting memeory. Invalidating the entries
will incrementally empty the cache to make room for fresh sessions entries.
---
 lib/ssl/doc/src/ssl_app.xml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'lib/ssl/doc/src/ssl_app.xml')

diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 51ce0cedf1..257175a33f 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -66,7 +66,7 @@
       to <c>ssl:connect/[2,3]</c> and <c>ssl:listen/2</c>.</p></item>
 
       <tag><c><![CDATA[session_lifetime = integer() <optional>]]></c></tag>
-      <item><p>Lifetime of the session data in seconds.</p></item>
+      <item><p>Maximum lifetime of the session data in seconds.</p></item>
 
       <tag><c><![CDATA[session_cb = atom() <optional>]]></c></tag>
       <item><p>Name of the session cache callback module that implements
@@ -77,6 +77,13 @@
 
       <item><p>List of extra user-defined arguments to the <c>init</c> function
       in the session cache callback module. Defaults to <c>[]</c>.</p></item>
+
+      <tag><c><![CDATA[session_cache_client_max = integer() <optional>]]></c></tag>
+      <tag><c><![CDATA[session_cache_server_max = integer() <optional>]]></c></tag>
+      <item><p>Limits the growth of the clients/servers session cache,
+      if the maximum number of sessions is reached, the current cache entries will
+      be invalidated regardless of their remaining lifetime. Defaults to 1000.
+      </p></item>
       
       <tag><c><![CDATA[ssl_pem_cache_clean = integer() <optional>]]></c></tag>
       <item>
-- 
cgit v1.2.3


From 55569124ac815eedc21c234c447e346b97f3c8fe Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 7 Dec 2015 10:31:35 +0100
Subject: ssl: Fix documentation mistakes

---
 lib/ssl/doc/src/ssl_app.xml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'lib/ssl/doc/src/ssl_app.xml')

diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 257175a33f..24b0f5300e 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -58,7 +58,7 @@
     <p><c>erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"</c></p>
 
     <taglist>
-      <tag><c><![CDATA[protocol_version =  <seealso marker="kernel:error_logger">ssl:protocol()</seealso> <optional>]]></c>.</tag>
+      <tag><c> protocol_version = <seealso marker="ssl#type-protocol">ssl:protocol()</seealso> <![CDATA[<optional>]]></c></tag>
       <item><p>Protocol supported by started clients and
       servers. If this option is not set, it defaults to all
       protocols currently supported by the SSL application.
@@ -71,7 +71,7 @@
       <tag><c><![CDATA[session_cb = atom() <optional>]]></c></tag>
       <item><p>Name of the session cache callback module that implements
       the <c>ssl_session_cache_api</c> behavior. Defaults to
-      <c>ssl_session_cache.erl</c>.</p></item>
+      <c>ssl_session_cache</c>.</p></item>
 
       <tag><c><![CDATA[session_cb_init_args = proplist:proplist() <optional>]]></c></tag>
 
@@ -110,7 +110,10 @@
 
   <section>
     <title>ERROR LOGGER AND EVENT HANDLERS</title>
-    <p>The SSL application uses the default <seealso marker="kernel:error_logger">OTP error logger</seealso> to log unexpected errors and TLS alerts. The logging of TLS alerts may be turned off with the <c>log_alert</c> option. </p>
+    <p>The SSL application uses the default <seealso
+    marker="kernel:error_logger">OTP error logger</seealso> to log
+    unexpected errors and TLS alerts. The logging of TLS alerts may be
+    turned off with the <c>log_alert</c> option. </p>
   </section>
 
   <section>
-- 
cgit v1.2.3


From 8edbf8309fe6f095d43cc4bbc3eceaa81823c7f4 Mon Sep 17 00:00:00 2001
From: Lars Thorsen <lars.thorsen@ericsson.com>
Date: Thu, 10 Dec 2015 07:17:20 +0100
Subject: [ssl] Correct the documentation so it follows the DTD

---
 lib/ssl/doc/src/ssl_app.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'lib/ssl/doc/src/ssl_app.xml')

diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 24b0f5300e..1e3a1101ed 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -58,7 +58,7 @@
     <p><c>erl -ssl protocol_version "['tlsv1.2', 'tlsv1.1']"</c></p>
 
     <taglist>
-      <tag><c> protocol_version = <seealso marker="ssl#type-protocol">ssl:protocol()</seealso> <![CDATA[<optional>]]></c></tag>
+      <tag><c>protocol_version = </c><seealso marker="ssl#type-protocol">ssl:protocol()</seealso><c><![CDATA[<optional>]]></c></tag>
       <item><p>Protocol supported by started clients and
       servers. If this option is not set, it defaults to all
       protocols currently supported by the SSL application.
@@ -78,8 +78,8 @@
       <item><p>List of extra user-defined arguments to the <c>init</c> function
       in the session cache callback module. Defaults to <c>[]</c>.</p></item>
 
-      <tag><c><![CDATA[session_cache_client_max = integer() <optional>]]></c></tag>
-      <tag><c><![CDATA[session_cache_server_max = integer() <optional>]]></c></tag>
+      <tag><c><![CDATA[session_cache_client_max = integer() <optional>]]></c><br/>
+      <c><![CDATA[session_cache_server_max = integer() <optional>]]></c></tag>
       <item><p>Limits the growth of the clients/servers session cache,
       if the maximum number of sessions is reached, the current cache entries will
       be invalidated regardless of their remaining lifetime. Defaults to 1000.
-- 
cgit v1.2.3


From b1a1b4e8dc1929d438964017cec71869e8e24337 Mon Sep 17 00:00:00 2001
From: Lars Thorsen <lars.thorsen@ericsson.com>
Date: Thu, 10 Dec 2015 09:40:34 +0100
Subject: [ssl] Moved description details to man(6) page

---
 lib/ssl/doc/src/ssl_app.xml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

(limited to 'lib/ssl/doc/src/ssl_app.xml')

diff --git a/lib/ssl/doc/src/ssl_app.xml b/lib/ssl/doc/src/ssl_app.xml
index 1e3a1101ed..6c82e32a74 100644
--- a/lib/ssl/doc/src/ssl_app.xml
+++ b/lib/ssl/doc/src/ssl_app.xml
@@ -33,7 +33,33 @@
   <appsummary>The ssl application provides secure communication over
   sockets.</appsummary>
 
-  <description></description>
+  <description>
+    <p>
+      The ssl application is an implementation of the SSL/TLS protocol in Erlang.
+    </p>
+    <list type="bulleted">
+      <item>Supported SSL/TLS-versions are SSL-3.0, TLS-1.0,
+      TLS-1.1, and TLS-1.2.</item>
+      <item>For security reasons SSL-2.0 is not supported.</item>
+      <item>For security reasons SSL-3.0 is no longer supported by default,
+      but can be configured.</item>
+      <item>Ephemeral Diffie-Hellman cipher suites are supported,
+      but not Diffie Hellman Certificates cipher suites.</item>
+      <item>Elliptic Curve cipher suites are supported if the Crypto 
+      application supports it and named curves are used.
+      </item>
+      <item>Export cipher suites are not supported as the
+      U.S. lifted its export restrictions in early 2000.</item>
+      <item>IDEA cipher suites are not supported as they have
+      become deprecated by the latest TLS specification so it is not 
+      motivated to implement them.</item>
+      <item>CRL validation is supported.</item>
+      <item>Policy certificate extensions are not supported.</item>
+      <item>'Server Name Indication' extension client side
+      (RFC 6066, Section 3) is supported.</item>
+    </list>
+   </description>
+
   <section>
     <title>DEPENDENCIES</title>
     <p>The SSL application uses the <c>public_key</c> and
-- 
cgit v1.2.3