diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index c16c076afd8a..5437ead9e46a 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -94,8 +94,9 @@
 	 connection_information/1, 
          connection_information/2]).
 %% Misc
--export([handle_options/2,
-         handle_options/3,
+-export([handle_options/3,
+         update_options/3,
+         option_rules/0,
          tls_version/1, 
          suite_to_str/1,
          suite_to_openssl_str/1,
@@ -640,7 +641,7 @@ listen(_Port, []) ->
     {error, nooptions};
 listen(Port, Options0) ->
     try
-	{ok, Config} = handle_options(Options0, server),
+	{ok, Config} = handle_options(Options0, server, undefined),
         do_listen(Port, Config, Config#config.connection_cb)
     catch
 	Error = {error, _} ->
@@ -1513,36 +1514,31 @@ do_listen(Port, #config{transport_info = {Transport, _, _, _,_}} = Config, tls_g
 do_listen(Port,  Config, dtls_gen_connection) ->
     dtls_socket:listen(Port, Config).
 	
--spec handle_options([any()], client | server) -> {ok, #config{}};
-                    ([any()], ssl_options()) -> ssl_options().
-
-handle_options(Opts, Role) ->
-    handle_options(undefined, undefined, Opts, Role, undefined).   
+%% Handle ssl options at handshake, handshake_continue
+-spec update_options([any()], client | server, map()) -> map().
+update_options(Opts, Role, InheritedSslOpts) when is_map(InheritedSslOpts) ->
+    {SslOpts, _} = split_options(Opts, option_rules()),
+    process_options(SslOpts, InheritedSslOpts, #{role => Role, rules => option_rules()}).
 
-handle_options(Opts, Role, InheritedSslOpts) ->
-    handle_options(undefined, undefined, Opts, Role, InheritedSslOpts).   
+-spec handle_options([any()], client | server, undefined|host()) -> {ok, #config{}}.
+handle_options(Opts, Role, Host) ->
+    handle_options(undefined, undefined, Opts, Role, Host).
 
-%% Handle ssl options at handshake, handshake_continue
-handle_options(_, _, Opts0, Role, InheritedSslOpts) when is_map(InheritedSslOpts) ->
-    {SslOpts, _} = expand_options(Opts0, ?RULES),
-    process_options(SslOpts, InheritedSslOpts, #{role => Role,
-                                                 rules => ?RULES});
 %% Handle all options in listen, connect and handshake
 handle_options(Transport, Socket, Opts0, Role, Host) ->
-    {SslOpts0, SockOpts0} = expand_options(Opts0, ?RULES),
-    
+    {SslOpts0, SockOpts0} = split_options(Opts0, option_rules()),
+
     %% Ensure all options are evaluated at startup
-    SslOpts1 = add_missing_options(SslOpts0, ?RULES),
-    SslOpts2 = #{protocol := Protocol}
-        = process_options(SslOpts1,
-                          #{},
-                          #{role => Role,
-                            host => Host,
-                            rules => ?RULES}),
-    
+    SslOpts1 = add_missing_options(SslOpts0, option_rules()),
+
+    Env = #{role => Role, host => Host, rules => option_rules()},
+    SslOpts2 = process_options(SslOpts1, #{}, Env),
+
     maybe_client_warn_no_verify(SslOpts2, Role),
     SslOpts = maps:without([warn_verify_none], SslOpts2),
+
     %% Handle special options
+    #{protocol := Protocol} = SslOpts2,
     {Sock, Emulated} = emulated_options(Transport, Socket, Protocol, SockOpts0),
     ConnetionCb = connection_cb(Protocol),
     CbInfo = handle_option_cb_info(Opts0, Protocol),
@@ -1557,6 +1553,110 @@ handle_options(Transport, Socket, Opts0, Role, Host) ->
            }}.
 
 
+%% This map stores all supported options with default values and
+%% list of dependencies:
+%%   #{<option> => {<default_value>, [<option>]},
+%%     ...}
+option_rules() ->
+    #{
+      alpn_advertised_protocols  => {undefined, [versions]},
+      alpn_preferred_protocols   => {undefined, [versions]},
+      anti_replay                => {undefined, [versions, session_tickets]},
+      beast_mitigation           => {one_n_minus_one, [versions]},
+      cacertfile                 => {undefined, [versions,
+                                                 verify_fun,
+                                                 cacerts]},
+      cacerts                    => {undefined, [versions]},
+      cert                       => {undefined, [versions]},
+      certs_keys                 => {undefined, [versions]},
+      certfile                   => {<<>>,      [versions]},
+      certificate_authorities    => {false,     [versions]},
+      ciphers                    => {[],        [versions]},
+      client_renegotiation       => {undefined, [versions]},
+      cookie                     => {true,      [versions]},
+      crl_cache                  => {{ssl_crl_cache, {internal, []}}, [versions]},
+      crl_check                  => {false,     [versions]},
+      customize_hostname_check   => {[],        [versions]},
+      depth                      => {10,         [versions]},
+      dh                         => {undefined, [versions]},
+      dhfile                     => {undefined, [versions]},
+      early_data                 => {undefined, [versions,
+                                                 session_tickets,
+                                                 use_ticket]},
+      eccs                       => {undefined, [versions]},
+      erl_dist                   => {false,     [versions]},
+      fail_if_no_peer_cert       => {false,     [versions]},
+      fallback                   => {false,     [versions]},
+      handshake                  => {full,      [versions]},
+      hibernate_after            => {infinity,  [versions]},
+      honor_cipher_order         => {false,     [versions]},
+      honor_ecc_order            => {undefined, [versions]},
+      keep_secrets               => {false,     [versions]},
+      key                        => {undefined, [versions]},
+      keyfile                    => {undefined, [versions,
+                                                 certfile]},
+      key_update_at              => {?KEY_USAGE_LIMIT_AES_GCM, [versions]},
+      log_level                  => {notice,    [versions]},
+      max_handshake_size         => {?DEFAULT_MAX_HANDSHAKE_SIZE, [versions]},
+      middlebox_comp_mode        => {true, [versions]},
+      max_fragment_length        => {undefined, [versions]},
+      next_protocol_selector     => {undefined, [versions]},
+      next_protocols_advertised  => {undefined, [versions]},
+      %% If enable OCSP stapling
+      ocsp_stapling              => {false, [versions]},
+      %% Optional arg, if give suggestion of OCSP responders
+      ocsp_responder_certs       => {[], [versions,
+                                          ocsp_stapling]},
+      %% Optional arg, if add nonce extension in request
+      ocsp_nonce                 => {true, [versions,
+                                            ocsp_stapling]},
+      padding_check              => {true,      [versions]},
+      partial_chain              => {fun(_) -> unknown_ca end, [versions]},
+      password                   => {"",        [versions]},
+      protocol                   => {tls,       []},
+      psk_identity               => {undefined, [versions]},
+      receiver_spawn_opts        => {[],        [versions]},
+      renegotiate_at             => {?DEFAULT_RENEGOTIATE_AT, [versions]},
+      reuse_session              => {undefined, [versions]},
+      reuse_sessions             => {true,      [versions]},
+      secure_renegotiate         => {true,      [versions]},
+      sender_spawn_opts          => {[],        [versions]},
+      server_name_indication     => {undefined, [versions]},
+      session_tickets            => {disabled,     [versions]},
+      signature_algs             => {undefined, [versions]},
+      signature_algs_cert        => {undefined, [versions]},
+      sni_fun                    => {undefined, [versions,
+                                                 sni_hosts]},
+      sni_hosts                  => {[],        [versions]},
+      srp_identity               => {undefined, [versions]},
+      supported_groups           => {undefined, [versions]},
+      use_ticket                 => {undefined, [versions]},
+      user_lookup_fun            => {undefined, [versions]},
+      verify                     => {verify_none, [versions,
+                                                   fail_if_no_peer_cert,
+                                                   partial_chain]},
+      verify_fun                 =>
+          {
+           {fun(_, {bad_cert, _}, UserState) ->
+                    {valid, UserState};
+               (_, {extension, #'Extension'{critical = true}}, UserState) ->
+                    %% This extension is marked as critical, so
+                    %% certificate verification should fail if we don't
+                    %% understand the extension.  However, this is
+                    %% `verify_none', so let's accept it anyway.
+                    {valid, UserState};
+               (_, {extension, _}, UserState) ->
+                    {unknown, UserState};
+               (_, valid, UserState) ->
+                    {valid, UserState};
+               (_, valid_peer, UserState) ->
+                    {valid, UserState}
+            end, []},
+           [versions, verify]},
+      versions                   => {[], [protocol]}
+     }.
+
+
 %% process_options(SSLOptions, OptionsMap, Env) where
 %% SSLOptions is the following tuple:
 %%   {InOptions, SkippedOptions, Counter}
@@ -1570,23 +1670,29 @@ handle_options(Transport, Socket, Opts0, Role, Host) ->
 %% after each successful pass.
 %% If the value of the counter is unchanged at the end of a pass,
 %% the processing stops due to faulty input data.
-process_options({[], [], _}, OptionsMap, _Env) ->
-    OptionsMap;
-process_options({[], [_|_] = Skipped, Counter}, OptionsMap, Env)
-  when length(Skipped) < Counter ->
-    %% Continue handling options if current pass was successful
-    process_options({Skipped, [], length(Skipped)}, OptionsMap, Env);
-process_options({[], [_|_], _Counter}, _OptionsMap, _Env) ->
-    throw({error, faulty_configuration});
-process_options({[{K0,V} = E|T], S, Counter}, OptionsMap0, Env) ->
+
+process_options(Opts, Map, Env) ->
+    process_options(Opts, [], length(Opts), Map, Env).
+
+process_options([{K0,V} = E|T], S, Counter, OptionsMap0, Env) ->
     K = maybe_map_key_internal(K0),
     case check_dependencies(K, OptionsMap0, Env) of
         true ->
             OptionsMap = handle_option(K, V, OptionsMap0, Env),
-            process_options({T, S, Counter}, OptionsMap, Env);
+            process_options(T, S, Counter, OptionsMap, Env);
         false ->
             %% Skip option for next pass
-            process_options({T, [E|S], Counter}, OptionsMap0, Env)
+            process_options(T, [E|S], Counter, OptionsMap0, Env)
+    end;
+process_options([], [], _, OptionsMap, _Env) ->
+    OptionsMap;
+process_options([], Skipped, Counter, OptionsMap, Env) ->
+    case length(Skipped) < Counter of
+        true ->
+            %% Continue handling options if current pass was successful
+            process_options(Skipped, [], length(Skipped), OptionsMap, Env);
+        false ->
+            throw({error, faulty_configuration})
     end.
 
 handle_option(anti_replay = Option, unbound, OptionsMap, #{rules := Rules}) ->
@@ -1975,28 +2081,19 @@ dependecies_already_defined(L, OptionsMap) ->
     lists:all(Fun, L).
 
 
-expand_options(Opts0, Rules) ->
+split_options(Opts0, Rules) ->
     Opts1 = proplists:expand([{binary, [{mode, binary}]},
-                      {list, [{mode, list}]}], Opts0),
+                              {list, [{mode, list}]}], Opts0),
     Opts2 = handle_option_format(Opts1, []),
-
     %% Remove deprecated ssl_imp option
     Opts = proplists:delete(ssl_imp, Opts2),
-    AllOpts = maps:keys(Rules),
-    SockOpts = lists:foldl(fun(Key, PropList) -> proplists:delete(Key, PropList) end,
-                           Opts,
-                           AllOpts ++
-                               [ssl_imp,                          %% TODO: remove ssl_imp
-                                cb_info,
-                                client_preferred_next_protocols,  %% next_protocol_selector
-                                log_alert]),                      %% obsoleted by log_level
-    
-    SslOpts0 = Opts -- SockOpts,
-    SslOpts = {SslOpts0, [], length(SslOpts0)},
-    {SslOpts, SockOpts}.
 
+    DeleteSSLOpts = fun(Key, PropList) -> proplists:delete(Key, PropList) end,
+    AllOpts = [cb_info, client_preferred_next_protocols] ++ maps:keys(Rules),
+    SockOpts = lists:foldl(DeleteSSLOpts, Opts, AllOpts),
+    {Opts -- SockOpts, SockOpts}.
 
-add_missing_options({L0, S, _C}, Rules) ->
+add_missing_options(L0, Rules) ->
     Fun = fun(K0, Acc) ->
                   K = maybe_map_key_external(K0),
                   case proplists:is_defined(K, Acc) of
@@ -2008,8 +2105,7 @@ add_missing_options({L0, S, _C}, Rules) ->
                   end
           end,
     AllOpts = maps:keys(Rules),
-    L = lists:foldl(Fun, L0, AllOpts),
-    {L, S, length(L)}.
+    lists:foldl(Fun, L0, AllOpts).
 
 default_value(Key, Rules) ->
     {Default, _} = maps:get(Key, Rules, {undefined, []}),
@@ -2450,7 +2546,7 @@ validate_option(verify_fun, {Fun, _} = Value, _) when is_function(Fun) ->
 validate_option(versions, Versions, _)  ->
     validate_versions(Versions, Versions);
 validate_option(Opt, undefined = Value, _) ->
-    AllOpts = maps:keys(?RULES),
+    AllOpts = maps:keys(option_rules()),
     case lists:member(Opt, AllOpts) of
         true ->
             Value;
diff --git a/lib/ssl/src/ssl_gen_statem.erl b/lib/ssl/src/ssl_gen_statem.erl
index 0b4d032f780a..82fed511b5fe 100644
--- a/lib/ssl/src/ssl_gen_statem.erl
+++ b/lib/ssl/src/ssl_gen_statem.erl
@@ -546,7 +546,7 @@ initial_hello({call, From}, {start, {Opts, EmOpts}, Timeout},
             ssl_options = OrigSSLOptions,
             socket_options = SockOpts} = State0) ->
     try
-        SslOpts = ssl:handle_options(Opts, Role, OrigSSLOptions),
+        SslOpts = ssl:update_options(Opts, Role, OrigSSLOptions),
 	State = ssl_config(SslOpts, Role, State0),
 	initial_hello({call, From}, {start, Timeout},
 	     State#state{ssl_options = SslOpts,
@@ -1325,7 +1325,7 @@ update_ssl_options_from_sni(#{sni_fun := SNIFun,
         _ ->
             VersionsOpt = proplists:get_value(versions, SSLOptions, []),
             FallBackOptions = filter_for_versions(VersionsOpt, OrigSSLOptions),
-            ssl:handle_options(SSLOptions, server, FallBackOptions)
+            ssl:update_options(SSLOptions, server, FallBackOptions)
     end.
 
 filter_for_versions([], OrigSSLOptions) ->
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 93d7c2456e52..11b3cd199a9f 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -117,109 +117,6 @@
 
 -define(DEFAULT_MAX_EARLY_DATA_SIZE, 16384).
 
-%% This map stores all supported options with default values and
-%% list of dependencies:
-%%   #{<option> => {<default_value>, [<option>]},
-%%     ...}
--define(RULES,
-        #{
-          alpn_advertised_protocols  => {undefined, [versions]},
-          alpn_preferred_protocols   => {undefined, [versions]},
-          anti_replay                => {undefined, [versions, session_tickets]},
-          beast_mitigation           => {one_n_minus_one, [versions]},
-          cacertfile                 => {undefined, [versions,
-                                                     verify_fun,
-                                                     cacerts]},
-          cacerts                    => {undefined, [versions]},
-          cert                       => {undefined, [versions]},
-          certs_keys                 => {undefined, [versions]},
-          certfile                   => {<<>>,      [versions]},
-          certificate_authorities    => {false,     [versions]},
-          ciphers                    => {[],        [versions]},
-          client_renegotiation       => {undefined, [versions]},
-          cookie                     => {true,      [versions]},
-          crl_cache                  => {{ssl_crl_cache, {internal, []}}, [versions]},
-          crl_check                  => {false,     [versions]},
-          customize_hostname_check   => {[],        [versions]},
-          depth                      => {10,         [versions]},
-          dh                         => {undefined, [versions]},
-          dhfile                     => {undefined, [versions]},
-          early_data                 => {undefined, [versions,
-                                                     session_tickets,
-                                                     use_ticket]},
-          eccs                       => {undefined, [versions]},
-          erl_dist                   => {false,     [versions]},
-          fail_if_no_peer_cert       => {false,     [versions]},
-          fallback                   => {false,     [versions]},
-          handshake                  => {full,      [versions]},
-          hibernate_after            => {infinity,  [versions]},
-          honor_cipher_order         => {false,     [versions]},
-          honor_ecc_order            => {undefined, [versions]},
-          keep_secrets               => {false,     [versions]},
-          key                        => {undefined, [versions]},
-          keyfile                    => {undefined, [versions,
-                                                     certfile]},
-          key_update_at              => {?KEY_USAGE_LIMIT_AES_GCM, [versions]},
-          log_level                  => {notice,    [versions]},
-          max_handshake_size         => {?DEFAULT_MAX_HANDSHAKE_SIZE, [versions]},
-          middlebox_comp_mode        => {true, [versions]},
-          max_fragment_length        => {undefined, [versions]},
-          next_protocol_selector     => {undefined, [versions]},
-          next_protocols_advertised  => {undefined, [versions]},
-          %% If enable OCSP stapling
-          ocsp_stapling              => {false, [versions]},
-          %% Optional arg, if give suggestion of OCSP responders
-          ocsp_responder_certs       => {[], [versions,
-                                              ocsp_stapling]},
-          %% Optional arg, if add nonce extension in request
-          ocsp_nonce                 => {true, [versions,
-                                                ocsp_stapling]},
-          padding_check              => {true,      [versions]},
-          partial_chain              => {fun(_) -> unknown_ca end, [versions]},
-          password                   => {"",        [versions]},
-          protocol                   => {tls,       []},
-          psk_identity               => {undefined, [versions]},
-          receiver_spawn_opts        => {[],        [versions]},
-          renegotiate_at             => {?DEFAULT_RENEGOTIATE_AT, [versions]},
-          reuse_session              => {undefined, [versions]},
-          reuse_sessions             => {true,      [versions]},
-          secure_renegotiate         => {true,      [versions]},
-          sender_spawn_opts          => {[],        [versions]},
-          server_name_indication     => {undefined, [versions]},
-          session_tickets            => {disabled,     [versions]},
-          signature_algs             => {undefined, [versions]},
-          signature_algs_cert        => {undefined, [versions]},
-          sni_fun                    => {undefined, [versions,
-                                                     sni_hosts]},
-          sni_hosts                  => {[],        [versions]},
-          srp_identity               => {undefined, [versions]},
-          supported_groups           => {undefined, [versions]},
-          use_ticket                 => {undefined, [versions]},
-          user_lookup_fun            => {undefined, [versions]},
-          verify                     => {verify_none, [versions,
-                                                       fail_if_no_peer_cert,
-                                                       partial_chain]},
-          verify_fun                 =>
-              {
-               {fun(_, {bad_cert, _}, UserState) ->
-                        {valid, UserState};
-                   (_, {extension, #'Extension'{critical = true}}, UserState) ->
-                        %% This extension is marked as critical, so
-                        %% certificate verification should fail if we don't
-                        %% understand the extension.  However, this is
-                        %% `verify_none', so let's accept it anyway.
-                        {valid, UserState};
-                   (_, {extension, _}, UserState) ->
-                        {unknown, UserState};
-                   (_, valid, UserState) ->
-                        {valid, UserState};
-                   (_, valid_peer, UserState) ->
-                        {valid, UserState}
-                end, []},
-               [versions, verify]},
-          versions                   => {[], [protocol]}
-         }).
-
 -define('TLS-1_3_ONLY_OPTIONS', [anti_replay, cookie, early_data, key_update_at, middlebox_comp_mode, session_tickets, supported_groups, use_ticket]).
 -define('FROM_TLS-1_2_ONLY_OPTIONS', [signature_algs, signature_algs_cert]).
 -define('PRE_TLS-1_3_ONLY_OPTIONS', [client_renegotiation, secure_renegotiate]).
diff --git a/lib/ssl/src/tls_connection_1_3.erl b/lib/ssl/src/tls_connection_1_3.erl
index 90eb9f2474bf..50a5ed8ad839 100644
--- a/lib/ssl/src/tls_connection_1_3.erl
+++ b/lib/ssl/src/tls_connection_1_3.erl
@@ -240,7 +240,7 @@ user_hello({call, From}, {handshake_continue, NewOptions, Timeout},
            #state{static_env = #static_env{role = client = Role},
                   handshake_env = HSEnv,
                   ssl_options = Options0} = State0) ->
-    Options = ssl:handle_options(NewOptions, Role, Options0),
+    Options = ssl:update_options(NewOptions, Role, Options0),
     State = ssl_gen_statem:ssl_config(Options, Role, State0),
     {next_state, wait_sh, State#state{start_or_recv_from = From,
                                       handshake_env = HSEnv#handshake_env{continue_status = continue}},
@@ -249,7 +249,7 @@ user_hello({call, From}, {handshake_continue, NewOptions, Timeout},
            #state{static_env = #static_env{role = server = Role},
                   handshake_env = #handshake_env{continue_status = {pause, ClientVersions}} = HSEnv,
                   ssl_options = Options0} = State0) ->
-    Options = #{versions := Versions} = ssl:handle_options(NewOptions, Role, Options0),
+    Options = #{versions := Versions} = ssl:update_options(NewOptions, Role, Options0),
     State = ssl_gen_statem:ssl_config(Options, Role, State0),
     case ssl_handshake:select_supported_version(ClientVersions, Versions) of
         {3,4} ->
diff --git a/lib/ssl/src/tls_dtls_connection.erl b/lib/ssl/src/tls_dtls_connection.erl
index 5f27d944c77e..096975276bf9 100644
--- a/lib/ssl/src/tls_dtls_connection.erl
+++ b/lib/ssl/src/tls_dtls_connection.erl
@@ -171,7 +171,7 @@ user_hello({call, From}, {handshake_continue, NewOptions, Timeout},
            #state{static_env = #static_env{role = Role},
                   handshake_env = HSEnv,
                   ssl_options = Options0} = State0) ->
-    Options = ssl:handle_options(NewOptions, Role, Options0),
+    Options = ssl:update_options(NewOptions, Role, Options0),
     State = ssl_gen_statem:ssl_config(Options, Role, State0),
     {next_state, hello, State#state{start_or_recv_from = From,
                                     handshake_env = HSEnv#handshake_env{continue_status = continue}
diff --git a/lib/ssl/test/ssl_api_SUITE.erl b/lib/ssl/test/ssl_api_SUITE.erl
index dac6a30bee15..5d0686559bc6 100644
--- a/lib/ssl/test/ssl_api_SUITE.erl
+++ b/lib/ssl/test/ssl_api_SUITE.erl
@@ -25,6 +25,7 @@
 
 -include_lib("common_test/include/ct.hrl").
 -include_lib("ssl/src/ssl_api.hrl").
+-include_lib("ssl/src/ssl_internal.hrl").
 -include_lib("public_key/include/public_key.hrl").
 
 %% Common test
@@ -133,6 +134,7 @@
          options_not_proplist/1,
          invalid_options/0,
          invalid_options/1,
+         options_whitebox/0, options_whitebox/1,
          cb_info/0,
          cb_info/1,
          log_alert/0,
@@ -231,7 +233,7 @@ all() ->
      {group, 'tlsv1'},
      {group, 'dtlsv1.2'},
      {group, 'dtlsv1'}
-    ].
+    ] ++ simple_api_tests().
 
 groups() ->
     [
@@ -247,13 +249,9 @@ groups() ->
      {'tlsv1.2', [],  gen_api_tests() ++ since_1_2() ++ handshake_paus_tests() ++ pre_1_3()},
      {'tlsv1.1', [],  gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3()},
      {'tlsv1', [],  gen_api_tests() ++ handshake_paus_tests() ++ pre_1_3() ++ beast_mitigation_test()},
-     {'dtlsv1.2', [], (gen_api_tests() --
-                           [invalid_keyfile, invalid_certfile, invalid_cacertfile,
-                            invalid_options, new_options_in_handshake])  ++
+     {'dtlsv1.2', [], gen_api_tests() ++
           handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3()},
-     {'dtlsv1', [],  (gen_api_tests() --
-                          [invalid_keyfile, invalid_certfile, invalid_cacertfile,
-                           invalid_options, new_options_in_handshake]) ++
+     {'dtlsv1', [],  gen_api_tests() ++
           handshake_paus_tests() -- [handshake_continue_tls13_client] ++ pre_1_3()}
     ].
 
@@ -271,6 +269,18 @@ pre_1_3() ->
      prf
     ].
 
+simple_api_tests() ->
+    [
+     invalid_keyfile,
+     invalid_certfile,
+     invalid_cacertfile,
+     invalid_options,
+     new_options_in_handshake,
+     options_not_proplist,
+     options_whitebox
+    ].
+
+
 gen_api_tests() ->
     [
      peercert,
@@ -305,13 +315,7 @@ gen_api_tests() ->
      honor_client_cipher_order,
      ipv6,
      der_input,
-     new_options_in_handshake,
      max_handshake_size,
-     invalid_certfile,
-     invalid_cacertfile,
-     invalid_keyfile,
-     options_not_proplist,
-     invalid_options,
      cb_info,
      log_alert,
      getstat,
@@ -2166,6 +2170,804 @@ invalid_options(Config) when is_list(Config) ->
      end || {TestOpt, ErrorMsg} <- TestOpts2],
     ok.
 
+options_whitebox() ->
+    [{doc,"Whitebox tests of option handling"}].
+
+
+-define(T(EXP, Test),
+        fun() ->
+                try Test of
+                    {ok, #config{ssl=EXP}} -> ok;
+                    Other -> error({unexpected, Other})
+                catch
+                    throw:{error, {options, EXP}} -> ok;
+                    throw:{error, EXP} -> ok; %% FIXME
+                    error:EXP -> ok;  %% FIXME
+                    C:Other:ST -> error({unexpected, C, Other,ST})
+                end
+        end()).
+
+options_whitebox(Config) when is_list(Config) ->
+    Cert = proplists:get_value(cert, ssl_test_lib:ssl_options(server_rsa_der_opts, Config)),
+    true = is_binary(Cert),
+    ?T(#{}, ssl:handle_options([], client, "dummy.host.org")),
+
+    begin %% protocol
+        ?T(#{protocol := tls},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{protocol := tls},
+           ssl:handle_options([{protocol, tls}], client, "dummy.host.org")),
+        ?T(#{protocol := dtls},
+           ssl:handle_options([{protocol, dtls}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({protocol, foo},
+           ssl:handle_options([{protocol, 'foo'}], client, "dummy.host.org"))
+    end,
+
+    begin %% version
+        ?T(#{versions := [{3,4},{3,3}]},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{versions := [{3,4},{3,3},{3,2},{3,1}]},
+           ssl:handle_options([{versions, ['tlsv1','tlsv1.1','tlsv1.2','tlsv1.3']}],
+                              client, "dummy.host.org")),
+        ?T(#{versions := [{3,4}]},
+           ssl:handle_options([{versions, ['tlsv1.3']}], client, "dummy.host.org")),
+
+        ?T(#{versions := [{254,253},{254,255}]},
+           ssl:handle_options([{protocol, dtls}, {versions, ['dtlsv1', 'dtlsv1.2']}],
+                              client, "dummy.host.org")),
+        ?T(#{versions := [{254,253}]},
+           ssl:handle_options([{protocol, dtls}, {versions, ['dtlsv1.2']}],
+                              client, "dummy.host.org")),
+
+
+        %% Errors
+        %% ?T(#{versions := [{3,4},{3,3}]},  %% FIXME Hangs :-/
+        %%    ssl:handle_options([{versions, []}], client, "dummy.host.org")),
+        %% ?T(#{versions := [{3,4},{3,3}]},  %% FIXME Hangs :-/
+        %%    ssl:handle_options([{protocol, dtls}, {versions, []}], client, "dummy.host.org")),
+
+        ?T({'tlsv1.4',{versions, ['tlsv1.4']}},
+           ssl:handle_options([{versions, ['tlsv1.4']}], client, "dummy.host.org")),
+        ?T(function_clause,  %% FIXME
+           ssl:handle_options([{versions, ['dtlsv1', 'dtlsv1.2']}], client, "dummy.host.org")),
+
+        ?T(function_clause,  %% FIXME
+           ssl:handle_options([{protocol, dtls}, {versions, ['tlsv1','tlsv1.1','tlsv1.2','tlsv1.3']}],
+                              client, "dummy.host.org")),
+        ?T({'dtlsv1.3',{versions, ['dtlsv1.3']}},
+           ssl:handle_options([{protocol, dtls}, {versions, ['dtlsv1.3']}],
+                              client, "dummy.host.org")),
+        ?T({options,missing_version,{'tlsv1.2',_}},
+           ssl:handle_options([{versions, ['tlsv1.1','tlsv1.3']}],
+                              client, "dummy.host.org"))
+    end,
+
+    begin %% alpn & next_protocols 
+        Http = <<"HTTP/2">>,
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := undefined,
+             next_protocol_selector := undefined, next_protocols_advertised := undefined},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := undefined,
+             next_protocol_selector := undefined, next_protocols_advertised := undefined},
+           ssl:handle_options([], server, "dummy.host.org")),
+
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := [Http],
+             next_protocol_selector := undefined, next_protocols_advertised := undefined},
+           ssl:handle_options([{alpn_preferred_protocols, [Http]}], server, "dummy.host.org")),
+        ?T(#{alpn_advertised_protocols := [Http], alpn_preferred_protocols := undefined,
+             next_protocol_selector := undefined, next_protocols_advertised := undefined},
+           ssl:handle_options([{alpn_advertised_protocols, [Http]}], client, "dummy.host.org")),
+
+        %% Note names have been swapped in client/server variants
+
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := undefined,
+             next_protocol_selector := undefined, next_protocols_advertised := [Http]},
+           ssl:handle_options([{next_protocols_advertised, [Http]}], server, "dummy.host.org")),
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := undefined,
+             next_protocol_selector := _, next_protocols_advertised := undefined},
+           ssl:handle_options([{client_preferred_next_protocols, {server,[Http], Http}}],
+                              client, "dummy.host.org")),
+
+        %% Breaking specs should be errors?
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := undefined},
+           ssl:handle_options([{alpn_preferred_protocols, undefined}], server, "dummy.host.org")),
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := undefined},
+           ssl:handle_options([{alpn_advertised_protocols, undefined}], client, "dummy.host.org")),
+
+        %% Should be Errors  setting client/server options on server/client
+        ?T(#{alpn_advertised_protocols := undefined, alpn_preferred_protocols := [Http]},
+           ssl:handle_options([{alpn_preferred_protocols, [Http]}], client, "dummy.host.org")),
+        ?T(#{alpn_advertised_protocols := [Http], alpn_preferred_protocols := undefined},
+           ssl:handle_options([{alpn_advertised_protocols, [Http]}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({alpn_preferred_protocols, {invalid_protocol, <<>>}},
+           ssl:handle_options([{alpn_preferred_protocols, [Http, <<>>]}], server, "dummy.host.org")),
+        ?T({alpn_advertised_protocols, Http},
+           ssl:handle_options([{alpn_advertised_protocols, Http}], client, "dummy.host.org"))
+    end,
+
+    begin %% anti_replay
+        ?T(#{anti_replay := undefined},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{anti_replay := {_,_,_}},
+           ssl:handle_options([{anti_replay, '10k'}, {session_tickets, stateless}],
+                              server, "dummy.host.org")),
+        ?T(#{anti_replay := {_,_,_}},
+           ssl:handle_options([{anti_replay, {42,4711,21}}, {session_tickets, stateless}],
+                              server, "dummy.host.org")),
+
+
+        %% Errors
+        ?T({options, role, {session_tickets, {stateless, _}}},
+           ssl:handle_options([{anti_replay, '10k'}, {session_tickets, stateless}],
+                              client, "dummy.host.org")),
+        ?T({options, dependency, {anti_replay, {session_tickets, _}}},
+           ssl:handle_options([{anti_replay, '10k'}],
+                              server, "dummy.host.org")),
+
+        ?T({anti_replay, '1k'},
+           ssl:handle_options([{anti_replay, '1k'}, {session_tickets, stateless}],
+                              server, "dummy.host.org")),
+        ?T({anti_replay, _},
+           ssl:handle_options([{anti_replay, {1,1,1,1}}, {session_tickets, stateless}],
+                              server, "dummy.host.org"))
+    end,
+
+    begin %% Beast mitigation
+        ?T(#{beast_mitigation := one_n_minus_one},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{beast_mitigation := disabled},
+           ssl:handle_options([{beast_mitigation, disabled}, {versions, [tlsv1]}], client, "dummy.host.org")),
+        ?T(#{beast_mitigation := zero_n},
+           ssl:handle_options([{beast_mitigation, zero_n}, {versions, [tlsv1]}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({beast_mitigation, enabled},
+           ssl:handle_options([{beast_mitigation, enabled}, {versions, [tlsv1]}], client, "dummy.host.org")),
+        ?T({options, dependency, {beast_mitigation, {versions, _}}}, %% ok?
+           ssl:handle_options([{beast_mitigation, disabled}], client, "dummy.host.org"))
+    end,
+
+    begin %% cacert[s]file
+        ?T(#{cacerts := undefined, cacertfile := <<>>},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{cacerts := undefined, cacertfile := <<"/tmp/foo">>},
+           ssl:handle_options([{cacertfile, <<"/tmp/foo">>}], client, "dummy.host.org")),
+        ?T(#{cacerts := [Cert], cacertfile := <<>>},
+           ssl:handle_options([{cacerts, [Cert]}, {verify, verify_peer}], client, "dummy.host.org")),
+        ?T(#{cacerts := [#cert{}], cacertfile := <<>>},
+           ssl:handle_options([{cacerts, [#cert{der=Cert, otp=dummy}]}], client, "dummy.host.org")),
+        ?T(#{cacerts := [Cert], cacertfile := <<"/tmp/foo">>},
+           ssl:handle_options([{cacerts, [Cert]}, {cacertfile, "/tmp/foo"}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({cacertfile, []},
+           ssl:handle_options([{verify, verify_peer}], server, "dummy.host.org")),
+        ?T({cacerts, Cert},
+           ssl:handle_options([{cacerts, Cert}], client, "dummy.host.org")),
+        ?T({cacertfile, cert},
+           ssl:handle_options([{cacertfile, cert}], client, "dummy.host.org"))
+    end,
+
+    begin %% cert[file] cert_keys keys password
+        {ok, #config{ssl = DefMap}} = ssl:handle_options([], client, "dummy.host.org"),
+        false = maps:is_key(certs_keys, DefMap),  %% ??
+
+        ?T(#{cert := undefined, certfile := <<>>, key := undefined, keyfile := <<>>, password := ""},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{cert := [Cert], certfile := <<>>, key := undefined, keyfile := <<>>, password := ""},
+           ssl:handle_options([{cert,Cert}], client, "dummy.host.org")),
+        ?T(#{cert := [Cert], certfile := <<>>, key := undefined, keyfile := <<>>},
+           ssl:handle_options([{cert,[Cert]}], client, "dummy.host.org")),
+        ?T(#{cert := undefined, certfile := <<"/tmp/foo">>, key := undefined, keyfile := <<"/tmp/foo">>},
+           ssl:handle_options([{certfile, <<"/tmp/foo">>}], client, "dummy.host.org")),
+
+        ?T(#{cert := undefined, certfile := <<>>, certs_keys := undefined, key := undefined, keyfile := <<>>},
+           ssl:handle_options([{certs_keys, undefined}], client, "dummy.host.org")),
+        ?T(#{cert := undefined, certfile := <<>>, certs_keys := [#{}], key := undefined, keyfile := <<>>},
+           ssl:handle_options([{certs_keys, [#{}]}], client, "dummy.host.org")),
+
+        ?T(#{cert := undefined, certfile := <<>>, key := {rsa, <<>>}, keyfile := <<>>},
+           ssl:handle_options([{key, {rsa, <<>>}}], client, "dummy.host.org")),
+        ?T(#{cert := undefined, certfile := <<>>, key := #{}, keyfile := <<>>},
+           ssl:handle_options([{key, #{algorithm => foo}}], client, "dummy.host.org")),
+
+        ?T(#{key := undefined, keyfile := <<>>, password := "foobar"},
+           ssl:handle_options([{password, "foobar"}], client, "dummy.host.org")),
+        ?T(#{key := undefined, keyfile := <<>>, password := <<"foobar">>},
+           ssl:handle_options([{password, <<"foobar">>}], client, "dummy.host.org")),
+        Pwd = fun() -> "foobar" end,
+        ?T(#{key := undefined, keyfile := <<>>, password := Pwd},
+           ssl:handle_options([{password, Pwd}], client, "dummy.host.org")),
+
+        ?T(#{cert := undefined, certfile := <<"/tmp/foo">>, key := undefined, keyfile := <<"/tmp/baz">>},
+           ssl:handle_options([{certfile, <<"/tmp/foo">>}, {keyfile, "/tmp/baz"}], client, "dummy.host.org")),
+
+        ?T(#{cert := [Cert], certfile := <<"/tmp/foo">>, certs_keys := [#{}],
+             key := undefined, keyfile := <<"/tmp/foo">>},
+           ssl:handle_options([{cert, Cert}, {certfile, "/tmp/foo"}, {certs_keys, [#{}]}],
+                              client, "dummy.host.org")),
+
+        %% Errors
+        ?T({cert, #{}},
+           ssl:handle_options([{cert, #{}}], client, "dummy.host.org")),
+        ?T({certfile, cert},
+           ssl:handle_options([{certfile, cert}], client, "dummy.host.org")),
+        ?T({certs_keys, #{}},
+           ssl:handle_options([{certs_keys, #{}}], client, "dummy.host.org")),
+        ?T({keyfile, #{}},
+           ssl:handle_options([{keyfile, #{}}], client, "dummy.host.org")),
+        ?T({key, <<>>},
+           ssl:handle_options([{key, <<>>}], client, "dummy.host.org")),
+        ?T({password, _},
+           ssl:handle_options([{password, fun(Arg) -> Arg end}], client, "dummy.host.org"))
+    end,
+
+    begin %% certificate_authorities
+        ?T(#{certificate_authorities := false},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{certificate_authorities := true},
+           ssl:handle_options([{certificate_authorities, true}], client, "dummy.host.org")),
+
+        ?T(#{certificate_authorities := undefined},  %% FIXME bug
+           ssl:handle_options([{certificate_authorities, undefined}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({certificate_authorities, []},
+           ssl:handle_options([{certificate_authorities,  []}], client, "dummy.host.org")),
+        ?T({option, client_only, certificate_authorities},
+           ssl:handle_options([{certificate_authorities, true}], server, "dummy.host.org")),
+        ?T({options, dependency, {certificate_authorities, {versions, _}}},
+           ssl:handle_options([{certificate_authorities, true}, {versions, ['tlsv1.2']}],
+                              client, "dummy.host.org"))
+    end,
+
+    begin %% ciphers
+        CipherSuite = ssl_test_lib:ecdh_dh_anonymous_suites({3,3}),
+        ?T(#{ciphers := [_|_]},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{ciphers := [_|_]},
+           ssl:handle_options([{ciphers, CipherSuite}], client, "dummy.host.org")),
+        ?T(#{ciphers := [_|_]},
+           ssl:handle_options([{ciphers, "RC4-SHA:RC4-MD5"}], client, "dummy.host.org")),
+        ?T(#{ciphers := [_|_]},
+           ssl:handle_options([{ciphers, ["RC4-SHA", "RC4-MD5"]}], client, "dummy.host.org"))
+        %% FIXME extend this
+    end,
+
+    begin %% client_renegotiation
+        ?T(#{client_renegotiation := true},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{client_renegotiation := false},
+           ssl:handle_options([{client_renegotiation, false}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({client_renegotiation, []},
+           ssl:handle_options([{client_renegotiation,  []}], server, "dummy.host.org")),
+        ?T({option, server_only, client_renegotiation},
+           ssl:handle_options([{client_renegotiation, true}], client, "dummy.host.org")),
+        ?T({options, dependency, {client_renegotiation, {versions, _}}},
+           ssl:handle_options([{client_renegotiation, true}, {versions, ['tlsv1.3']}],
+                              server, "dummy.host.org"))
+    end,
+
+    begin %% cookie
+        ?T(#{cookie := true},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{cookie := false},
+           ssl:handle_options([{cookie, false}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({cookie, []},
+           ssl:handle_options([{cookie,  []}], server, "dummy.host.org")),
+        ?T({option, server_only, cookie},
+           ssl:handle_options([{cookie, true}], client, "dummy.host.org")),
+        ?T({options, dependency, {cookie, {versions, _}}},
+           ssl:handle_options([{cookie, true}, {versions, ['tlsv1.2']}],
+                              server, "dummy.host.org"))
+    end,
+
+    begin %% crl options
+        ?T(#{crl_cache := {ssl_crl_cache, _}, crl_check := false},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{crl_cache := {ssl_crl_cache, _}, crl_check := true},
+           ssl:handle_options([{crl_check, true}], server, "dummy.host.org")),
+        ?T(#{crl_cache := {ssl_crl_hash_dir, {_,_}}, crl_check := true},
+           ssl:handle_options([{crl_check, true},
+                               {crl_cache, {ssl_crl_hash_dir, {internal, [{dir, "/tmp"}]}}}],
+                              server, "dummy.host.org")),
+        ?T(#{crl_cache := {ssl_crl_cache, {_,_}}, crl_check := true},
+           ssl:handle_options([{crl_check, true},
+                               {crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}],
+                              server, "dummy.host.org")),
+        %% Errors
+        ?T({crl_check, foo},
+           ssl:handle_options([{crl_check, foo}], server, "dummy.host.org")),
+        ?T({crl_cache, {a,b,c}},
+           ssl:handle_options([{crl_cache, {a,b,c}}], server, "dummy.host.org"))
+    end,
+
+    begin %% hostname_check
+        ?T(#{customize_hostname_check := []},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{customize_hostname_check := [{match_fun, _}]},
+           ssl:handle_options([{customize_hostname_check, [{match_fun, fun() -> ok end}]}],
+                              client, "dummy.host.org")),
+        %% Error
+        ?T({customize_hostname_check, _},
+           ssl:handle_options([{customize_hostname_check, {match_fun, pb_fun}}], client, "dummy.host.org"))
+    end,
+
+    begin %% depth
+        ?T(#{depth := 10},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{depth := 5},
+           ssl:handle_options([{depth, 5}], client, "dummy.host.org")),
+        %% Error
+        ?T({depth, not_an_int},
+           ssl:handle_options([{depth, not_an_int}], client, "dummy.host.org"))
+    end,
+
+    begin %% dh dhfile
+        ?T(#{dh := undefined, dhfile := undefined},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{dh := <<>>, dhfile := undefined},
+           ssl:handle_options([{dh, <<>>}], client, "dummy.host.org")),
+        ?T(#{dh := undefined, dhfile := <<"/tmp/foo">>},
+           ssl:handle_options([{dhfile, <<"/tmp/foo">>}], client, "dummy.host.org")),
+        ?T(#{dh := <<>>, dhfile := <<"/tmp/foo">>},
+           ssl:handle_options([{dh, <<>>}, {dhfile, <<"/tmp/foo">>}], client, "dummy.host.org")),
+        %% Error
+        ?T({dh, not_a_bin},
+           ssl:handle_options([{dh, not_a_bin}], client, "dummy.host.org")),
+        ?T({dhfile, not_a_filename},
+           ssl:handle_options([{dhfile, not_a_filename}], client, "dummy.host.org"))
+    end,
+
+    begin %% early_data, session_tickets and use_ticket
+        ?T(#{early_data := undefined, session_tickets := disabled},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{early_data := undefined, session_tickets := disabled},
+           ssl:handle_options([], server, "dummy.host.org")),
+
+        ?T(#{early_data := <<>>, session_tickets := auto},
+           ssl:handle_options([{early_data, <<>>}, {session_tickets, auto}], client, "dummy.host.org")),
+        ?T(#{early_data := <<>>, session_tickets := manual, use_ticket := []},
+           ssl:handle_options([{early_data, <<>>}, {session_tickets, manual}, {use_ticket, []}],
+                              client, "dummy.host.org")),
+
+        ?T(#{early_data := enabled},
+           ssl:handle_options([{early_data, enabled}, {session_tickets, stateless}], server, "dummy.host.org")),
+
+        %% FIXME should be ok
+        ?T({options, dependency, {early_data, _}},
+           ssl:handle_options([{early_data, disabled}], server, "dummy.host.org")),
+        ?T({options, dependency, {early_data, _}},
+           ssl:handle_options([{early_data, disabled}], client, "dummy.host.org")),
+        ?T(#{use_ticket := []},  %% client option only
+           ssl:handle_options([{use_ticket, []}], server, "dummy.host.org")),
+        ?T(#{use_ticket := []},  %% requires session_tickets manual
+           ssl:handle_options([{use_ticket, []}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({options, role, {session_tickets, {foo, _}}},
+           ssl:handle_options([{session_tickets, foo}], server, "dummy.host.org")),
+        ?T({options, role, {session_tickets, {manual, _}}},
+           ssl:handle_options([{session_tickets, manual}], server, "dummy.host.org")),
+        ?T({options, role, {session_tickets, {stateful, _}}},
+           ssl:handle_options([{session_tickets, stateful}], client, "dummy.host.org")),
+        ?T({options, dependency, {session_tickets, {versions, _}}},
+           ssl:handle_options([{session_tickets, stateful}, {versions, ['tlsv1.2']}], server, "dummy.host.org")),
+
+        ?T({use_ticket, foo},
+           ssl:handle_options([{use_ticket, foo}, {session_tickets, manual}], client, "dummy.host.org")),
+
+        ?T({options, dependency, {early_data, {session_tickets, _}}},
+           ssl:handle_options([{early_data, <<>>}], client, "dummy.host.org")),
+        ?T({options, type, {early_data, {enabled, _}}},
+           ssl:handle_options([{early_data, enabled}, {session_tickets, auto}], client, "dummy.host.org")),
+        ?T({options, dependency, {early_data, use_ticket}},
+           ssl:handle_options([{early_data, enabled}, {session_tickets, manual}], client, "dummy.host.org")),
+
+        ?T({options, dependency, {early_data, {session_tickets, _}}},
+           ssl:handle_options([{early_data, enabled}], server, "dummy.host.org")),
+        ?T({options, role, {early_data, {<<>>, {server, _}}}},
+           ssl:handle_options([{early_data, <<>>}, {session_tickets, stateless}], server, "dummy.host.org"))
+    end,
+
+    begin %% eccs
+        ?T(#{eccs := {elliptic_curves, [_|_]}},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{eccs := {elliptic_curves, [_|_]}},
+           ssl:handle_options([{eccs, [sect571r1, sect571k1]}], client, "dummy.host.org")),
+
+        %% Should be errors?
+        ?T(#{eccs := {elliptic_curves, []}},   %% FIXME Is this ok?
+           ssl:handle_options([{eccs, []}], client, "dummy.host.org")),
+        ?T(#{eccs := {elliptic_curves, []}},   %% FIXME Is this ok, unreachable error case?
+           ssl:handle_options([{eccs, [foo]}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T(function_clause,
+           ssl:handle_options([{eccs, not_a_list}], client, "dummy.host.org"))
+    end,
+
+    begin %% erl_dist
+        ?T(#{erl_dist := false},
+             ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{erl_dist := true},
+             ssl:handle_options([{erl_dist, true}], client, "dummy.host.org"))
+    end,
+
+    begin %% fail_if_no_peer_cert, verify, verify_fun, partial_chain
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_none, verify_fun := {_, []}, partial_chain := _},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_none, verify_fun := {_, []}, partial_chain := _},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := true, verify := verify_peer, verify_fun := undefined, partial_chain := _},
+           ssl:handle_options([{fail_if_no_peer_cert, true}, {verify, verify_peer}, {cacerts, [Cert]}],
+                              server, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_none, verify_fun := {_, []}, partial_chain := _},
+           ssl:handle_options([{verify, verify_none}], client, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_peer, verify_fun := undefined, partial_chain := _},
+           ssl:handle_options([{verify, verify_peer}, {cacerts, [Cert]}], server, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_none, verify_fun := {_, []}, partial_chain := _},
+           ssl:handle_options([{partial_chain, fun() -> ok end}], client, "dummy.host.org")),
+
+        F = fun(_) -> ok end,
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_none, verify_fun := {_, F}, partial_chain := _},
+           ssl:handle_options([{verify_fun, F}], client, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_none, verify_fun := {F, foo}, partial_chain := _},
+           ssl:handle_options([{verify_fun, {F, foo}}], client, "dummy.host.org")),
+        ?T(#{fail_if_no_peer_cert := false, verify := verify_peer, verify_fun := {F, foo}, partial_chain := _},
+           ssl:handle_options([{verify_fun, {F, foo}}, {verify, verify_peer}, {cacerts, [Cert]}],
+                               server, "dummy.host.org")),
+
+        %% Should fail
+        ?T(#{fail_if_no_peer_cert := true}, %% server option according to specs/docs
+           ssl:handle_options([{fail_if_no_peer_cert, true}, {verify, verify_peer}, {cacerts, [Cert]}],
+                              client, "dummy.host.org")),
+        ?T(#{partial_chain := undefined},   %% Can it be undefined?
+           ssl:handle_options([{partial_chain, undefined}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({options, incompatible, {verify, verify_none}, {fail_if_no_peer_cert, true}},
+           ssl:handle_options([{fail_if_no_peer_cert, true}], client, "dummy.host.org")),
+        ?T({verify, verify},
+           ssl:handle_options([{verify, verify}], client, "dummy.host.org")),
+        ?T({cacertfile, []},
+           ssl:handle_options([{verify, verify_peer}], server, "dummy.host.org")),
+        ?T({partial_chain, not_a_fun},
+           ssl:handle_options([{partial_chain, not_a_fun}], client, "dummy.host.org")),
+        ?T({verify_fun, not_a_fun},
+           ssl:handle_options([{verify_fun, not_a_fun}], client, "dummy.host.org"))
+    end,
+
+    begin %% fallback
+        ?T(#{fallback := false},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{fallback := true},
+           ssl:handle_options([{fallback, true}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({option, client_only, fallback},
+           ssl:handle_options([{fallback, true}], server, "dummy.host.org")),
+        ?T({fallback, []},
+           ssl:handle_options([{fallback, []}], client, "dummy.host.org"))
+    end,
+
+    begin %% handshake
+        ?T(#{handshake := full, max_handshake_size := 262144},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{handshake := hello, max_handshake_size := 123800},
+           ssl:handle_options([{handshake, hello}, {max_handshake_size, 123800}], client, "dummy.host.org")),
+
+        ?T(#{handshake := hello, max_handshake_size := -1},  %% Hmm FIXME
+           ssl:handle_options([{handshake, hello}, {max_handshake_size, -1}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({handshake, []},
+           ssl:handle_options([{handshake, []}], server, "dummy.host.org")),
+        ?T({max_handshake_size, 8388608},
+           ssl:handle_options([{max_handshake_size, 8388608}], server, "dummy.host.org"))
+    end,
+
+    begin % hibernate_after, spawn_opts
+        ?T(#{hibernate_after := infinity, receiver_spawn_opts := [], sender_spawn_opts := []},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{hibernate_after := 10000, receiver_spawn_opts := [foo], sender_spawn_opts := [bar]},
+           ssl:handle_options([{hibernate_after, 10000},
+                               {receiver_spawn_opts, [foo]},
+                               {sender_spawn_opts, [bar]}],
+                              client, "dummy.host.org")),
+        %% Errors
+        ?T({hibernate_after, -1},
+           ssl:handle_options([{hibernate_after, -1}], server, "dummy.host.org")),
+        ?T({receiver_spawn_opts, not_a_list},
+           ssl:handle_options([{receiver_spawn_opts, not_a_list}], server, "dummy.host.org")),
+        ?T({sender_spawn_opts, not_a_list},
+           ssl:handle_options([{sender_spawn_opts, not_a_list}], server, "dummy.host.org"))
+    end,
+
+    begin %% honor_cipher_order & honor_ecc_order
+        ?T(#{honor_cipher_order := false, honor_ecc_order := false},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{honor_cipher_order := true, honor_ecc_order := true},
+           ssl:handle_options([{honor_cipher_order, true}, {honor_ecc_order, true}],
+                              server, "dummy.host.org")),
+        %% Errors
+        ?T({option, server_only, honor_cipher_order},  %% FIXME looks different
+           ssl:handle_options([{honor_cipher_order, true}], client, "dummy.host.org")),
+        ?T({option, server_only, honor_ecc_order},
+           ssl:handle_options([{honor_ecc_order, true}], client, "dummy.host.org")),
+        ?T({honor_ecc_order, foo},
+           ssl:handle_options([{honor_ecc_order, foo}], server, "dummy.host.org"))
+    end,
+
+    begin %% debug  log_level keep_secrets
+        ?T(#{log_level := notice, keep_secrets := false},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{log_level := debug, keep_secrets := true},
+           ssl:handle_options([{log_level, debug}, {keep_secrets, true}], server, "dummy.host.org")),
+        %% Errors
+        ?T({log_level, foo},
+           ssl:handle_options([{log_level, foo}], server, "dummy.host.org")),
+        ?T({keep_secrets, foo},
+           ssl:handle_options([{keep_secrets, foo}], server, "dummy.host.org"))
+    end,
+
+    begin %% key_update_at   renegotiate_at  secure_renegotiate
+        ?T(#{key_update_at := ?KEY_USAGE_LIMIT_AES_GCM, renegotiate_at := 268435456, secure_renegotiate := true},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{key_update_at := 123456, renegotiate_at := 64000, secure_renegotiate := false},
+           ssl:handle_options([{key_update_at, 123456}, {renegotiate_at, 64000}, {secure_renegotiate, false}],
+                              server, "dummy.host.org")),
+
+        ?T(#{renegotiate_at := -1},  %% FIXME?  Also renegotiate_at is undocumented
+           ssl:handle_options([{renegotiate_at, -1}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({options, dependency, {key_update_at, {versions, _}}},
+           ssl:handle_options([{key_update_at, 123456}, {versions, ['tlsv1.2']}], server, "dummy.host.org")),
+        ?T({options, dependency, {secure_renegotiate, {versions, _}}},
+           ssl:handle_options([{secure_renegotiate, true}, {versions, ['tlsv1.3']}], server, "dummy.host.org")),
+
+        ?T({key_update_at, -1},
+           ssl:handle_options([{key_update_at, -1}], server, "dummy.host.org")),
+        ?T({renegotiate_at, not_a_int},
+           ssl:handle_options([{renegotiate_at, not_a_int}], server, "dummy.host.org"))
+    end,
+
+    begin %% middlebox_comp_mode
+        ?T(#{middlebox_comp_mode := true},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{middlebox_comp_mode := false},
+           ssl:handle_options([{middlebox_comp_mode, false}], client, "dummy.host.org")),
+
+        %% Should fail ?
+        ?T(#{middlebox_comp_mode := false},  %% tlsv1.3 option FIXME
+           ssl:handle_options([{middlebox_comp_mode, false}, {versions, ['tlsv1.2']}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({middlebox_comp_mode, foo},
+           ssl:handle_options([{middlebox_comp_mode, foo}], server, "dummy.host.org"))
+    end,
+
+    begin %% max_fragment_length
+        ?T(#{max_fragment_length := undefined},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{max_fragment_length := 2048},
+           ssl:handle_options([{max_fragment_length, 2048}], client, "dummy.host.org")),
+
+        %% Should fail?
+        ?T(#{max_fragment_length := 2048},  %% client option
+           ssl:handle_options([{max_fragment_length, 2048}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({max_fragment_length,2000},
+           ssl:handle_options([{max_fragment_length, 2000}], client, "dummy.host.org"))
+    end,
+
+    begin %% oscp
+        ?T(#{ocsp_stapling := false, ocsp_nonce := true, ocsp_responder_certs := []},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{ocsp_stapling := true},
+           ssl:handle_options([{ocsp_stapling, true}], client, "dummy.host.org")),
+        ?T(#{ocsp_stapling := true, ocsp_nonce := false, ocsp_responder_certs := [_,_]},
+           ssl:handle_options([{ocsp_stapling, true}, {ocsp_nonce, false}, {ocsp_responder_certs, [Cert,Cert]}],
+                              client, "dummy.host.org")),
+        %% Should error, or turn on stapling?
+        ?T(#{ocsp_stapling := false, ocsp_nonce := false},
+           ssl:handle_options([{ocsp_nonce, false}], client, "dummy.host.org")),
+        ?T(#{ocsp_stapling := false, ocsp_responder_certs := [_]},
+           ssl:handle_options([{ocsp_responder_certs, [Cert]}], server, "dummy.host.org")),
+        ?T(#{ocsp_stapling := true, ocsp_responder_certs := []},
+           ssl:handle_options([{ocsp_stapling, true}, {ocsp_responder_certs, ['NOT A BINARY']}],
+                              client, "dummy.host.org")),
+        %% Errors
+        ?T({ocsp_stapling, foo},
+           ssl:handle_options([{ocsp_stapling, 'foo'}], client, "dummy.host.org")),
+        ?T({ocsp_nonce, foo},
+           ssl:handle_options([{ocsp_nonce, 'foo'}], client, "dummy.host.org")),
+        ?T({ocsp_responder_certs, foo},
+           ssl:handle_options([{ocsp_responder_certs, 'foo'}], client, "dummy.host.org"))
+    end,
+
+    begin
+        ?T(#{padding_check := true},
+           ssl:handle_options([], server, "dummy.host.org")),
+        ?T(#{padding_check := false},
+           ssl:handle_options([{padding_check, false}, {versions, [tlsv1]}], server, "dummy.host.org")),
+        %% Errors
+        ?T({padding_check, foo},
+           ssl:handle_options([{padding_check, foo}, {versions, [tlsv1]}], server, "dummy.host.org")),
+        ?T({options, dependency, {padding_check, {versions, _}}},
+           ssl:handle_options([{padding_check, false}], server, "dummy.host.org"))
+    end,
+
+    begin %% psk_identity  srp_identity and user_lookup_fun
+        ?T(#{psk_identity := undefined, srp_identity := undefined, user_lookup_fun := undefined},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{psk_identity := <<"foobar">>, srp_identity := undefined, user_lookup_fun := undefined},
+           ssl:handle_options([{psk_identity, "foobar"}], server, "dummy.host.org")),
+        ?T(#{psk_identity := undefined, srp_identity := {<<"user">>, <<"pwd">>}, user_lookup_fun := undefined},
+           ssl:handle_options([{srp_identity, {"user", "pwd"}}], client, "dummy.host.org")),
+        ?T(#{psk_identity := undefined, srp_identity := undefined, user_lookup_fun := {_, args}},
+           ssl:handle_options([{user_lookup_fun, {fun(_,_,_) -> ok end, args}}], client, "dummy.host.org")),
+
+        %% Should fail client option only
+        ?T(#{psk_identity := undefined, srp_identity := {<<"user">>, <<"pwd">>}, user_lookup_fun := undefined},
+           ssl:handle_options([{srp_identity, {"user", "pwd"}}], server, "dummy.host.org")),
+
+        %% Errors
+        ?T({srp_identity, {_,_}},  %% FIXME doesn't like binary strings
+           ssl:handle_options([{srp_identity, {<<"user">>, <<"pwd">>}}], client, "dummy.host.org")),
+        ?T({psk_identity, _},  %% FIXME doesn't like binary strings
+           ssl:handle_options([{psk_identity, <<"user">>}], client, "dummy.host.org")),
+        ?T({srp_identity, _},
+           ssl:handle_options([{srp_identity, "user"}], client, "dummy.host.org")),
+        ?T({user_lookup_fun, _},
+           ssl:handle_options([{user_lookup_fun, {fun(_,_) -> ok end, args}}],
+                              client, "dummy.host.org")),
+
+        ?T({options, dependency, {psk_identity, _}},
+           ssl:handle_options([{psk_identity, "foobar"},{versions, ['tlsv1.3']}],
+                              server, "dummy.host.org")),
+        ?T({options, dependency, {srp_identity, _}},
+           ssl:handle_options([{srp_identity, {"user", "pwd"}},{versions, ['tlsv1.3']}],
+                              client, "dummy.host.org")),
+        ?T({options, dependency, {user_lookup_fun, _}},
+           ssl:handle_options([{user_lookup_fun, {fun(_,_) -> ok end, args}}, {versions, ['tlsv1.3']}],
+                              client, "dummy.host.org"))
+    end,
+
+    begin % reuse_session[s]
+        ?T(#{reuse_session := undefined, reuse_sessions := true},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{reuse_session := _fun, reuse_sessions := true},
+           ssl:handle_options([], server, "dummy.host.org")),
+
+        ?T(#{reuse_session := <<>>, reuse_sessions := save},
+           ssl:handle_options([{reuse_session, <<>>}, {reuse_sessions, save}], client, "dummy.host.org")),
+        ?T(#{reuse_session := {<<>>, <<>>}, reuse_sessions := false},
+           ssl:handle_options([{reuse_session, {<<>>, <<>>}}, {reuse_sessions, false}], client, "dummy.host.org")),
+
+        RS_F = fun() -> ok end,
+        ?T(#{reuse_session := RS_F, reuse_sessions := false},
+           ssl:handle_options([{reuse_session, RS_F}, {reuse_sessions, false}],
+                              server, "dummy.host.org")),
+
+        %% Should be errors
+        ?T(#{reuse_sessions := save},   %% FIXME client only save
+           ssl:handle_options([{reuse_sessions, save}], server, "dummy.host.org")),
+        ?T(#{reuse_session := <<>>},    %% FIXME binary not allowed on server
+           ssl:handle_options([{reuse_session, <<>>}], server, "dummy.host.org")),
+        ?T(#{reuse_session := RS_F, reuse_sessions := false},  %% Fun as server option
+           ssl:handle_options([{reuse_session, RS_F}, {reuse_sessions, false}],
+                              client, "dummy.host.org")),
+
+        %% Errors
+        ?T({options, dependency, {reuse_session, _}},
+           ssl:handle_options([{reuse_session, RS_F}, {versions, ['tlsv1.3']}],
+                              server, "dummy.host.org")),
+        ?T({options, dependency, {reuse_sessions, _}},
+           ssl:handle_options([{reuse_sessions, true}, {versions, ['tlsv1.3']}],
+                              server, "dummy.host.org")),
+        ?T({reuse_sessions, foo},
+           ssl:handle_options([{reuse_sessions, foo}], server, "dummy.host.org")),
+        ?T({reuse_session, foo},
+           ssl:handle_options([{reuse_session, foo}], server, "dummy.host.org"))
+    end,
+
+    begin %% server_name_indication
+        ?T(#{server_name_indication := "dummy.host.org", sni_fun := undefined, sni_hosts := []},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{server_name_indication := disable, sni_fun := undefined, sni_hosts := []},
+           ssl:handle_options([{server_name_indication, disable}], client, "dummy.host.org")),
+        ?T(#{server_name_indication := "dummy.org", sni_fun := undefined, sni_hosts := []},
+           ssl:handle_options([{server_name_indication, "dummy.org"}], client, "dummy.host.org")),
+
+        ?T(#{sni_fun := undefined, sni_hosts := [{[],[]}]},
+           ssl:handle_options([{sni_hosts, [{"", []}]}], server, "dummy.host.org")),
+        SNI_F = fun() -> sni end,
+        ?T(#{sni_fun := SNI_F, sni_hosts := []},
+           ssl:handle_options([{sni_fun, SNI_F}], server, "dummy.host.org")),
+
+        %% Should be error
+        ?T(#{server_name_indication := "dummy.org", sni_fun := undefined, sni_hosts := []},
+           ssl:handle_options([{server_name_indication, "dummy.org"}], server, "dummy.host.org")),
+        ?T(#{sni_fun := undefined, sni_hosts := [{[],[]}]},
+           ssl:handle_options([{sni_hosts, [{"", []}]}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T({server_name_indication, foo},
+           ssl:handle_options([{server_name_indication, foo}], client, "dummy.host.org")),
+        ?T({sni_hosts, foo},
+           ssl:handle_options([{sni_hosts, foo}], server, "dummy.host.org")),
+        ?T({sni_fun, foo},
+           ssl:handle_options([{sni_fun, foo}], server, "dummy.host.org")),
+
+        ?T({conflict_options, _},
+           ssl:handle_options([{sni_fun, SNI_F}, {sni_hosts, [{"", []}]}], server, "dummy.host.org"))
+    end,
+
+    begin %% signature_algs[_cert]
+        ?T(#{signature_algs := [_|_], signature_algs_cert := undefined},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{signature_algs := [rsa_pss_rsae_sha512,{sha512,rsa}], signature_algs_cert := undefined},
+           ssl:handle_options([{signature_algs, [rsa_pss_rsae_sha512,{sha512,rsa}]}], client, "dummy.host.org")),
+        ?T(#{signature_algs := [_|_], signature_algs_cert := [eddsa_ed25519, rsa_pss_rsae_sha512]},
+           ssl:handle_options([{signature_algs_cert, [eddsa_ed25519, rsa_pss_rsae_sha512]}],
+                              client, "dummy.host.org")),
+
+        ?T(#{signature_algs := undefined, signature_algs_cert := undefined},
+           ssl:handle_options([{signature_algs_cert, [eddsa_ed25519, rsa_pss_rsae_sha512]},
+                               {versions, ['tlsv1.1']}],
+                              client, "dummy.host.org")),
+        %% Should fail FIXME
+        ?T(#{signature_algs := undefined},
+           ssl:handle_options([{signature_algs, not_a_list}], client, "dummy.host.org")),
+
+        ?T(#{signature_algs_cert := undefined},
+           ssl:handle_options([{signature_algs_cert, not_a_list}], client, "dummy.host.org")),
+
+        %% Errors
+        ?T(function_clause,
+           ssl:handle_options([{signature_algs, [foobar]}], client, "dummy.host.org")),
+        ?T({options,no_supported_signature_schemes, {signature_algs,[]}},
+           ssl:handle_options([{signature_algs, []}], client, "dummy.host.org")),
+        ?T({options,no_supported_signature_schemes, {signature_algs_cert,[]}},
+           ssl:handle_options([{signature_algs_cert, []}],
+                              client, "dummy.host.org"))
+    end,
+
+    begin %% supported_groups
+        %% FIXME group() type doesn't cover the values below
+        %% Also why is there a record for supported_groups?
+        ?T(#{supported_groups := {supported_groups, [x25519,x448,secp256r1,secp384r1]}},
+           ssl:handle_options([], client, "dummy.host.org")),
+        ?T(#{supported_groups := {supported_groups, [secp521r1, ffdhe2048]}},
+           ssl:handle_options([{supported_groups, [secp521r1, ffdhe2048]}], client, "dummy.host.org")),
+
+        ?T(#{supported_groups := {supported_groups, []}},  %% FIXME is this allowed?
+           ssl:handle_options([{supported_groups, []}], client, "dummy.host.org")),
+        ?T(#{supported_groups := {supported_groups, []}},  %% FIXME is this allowed?
+           ssl:handle_options([{supported_groups, [foo]}], client, "dummy.host.org")),
+
+
+        %% ERRORs
+        ?T({{'tlvs1.2'},{versions,[{'tlvs1.2'}]}},
+           ssl:handle_options([{supported_groups, []}, {versions, [{'tlvs1.2'}]}], client, "dummy.host.org")),
+        ?T(function_clause,
+           ssl:handle_options([{supported_groups, not_a_list}], client, "dummy.host.org"))
+    end,
+    ok.
+
+
+
 %%-------------------------------------------------------------------
 
 default_reject_anonymous()->
diff --git a/lib/ssl/test/ssl_handshake_SUITE.erl b/lib/ssl/test/ssl_handshake_SUITE.erl
index 1bde66a80b53..20e5619f1388 100644
--- a/lib/ssl/test/ssl_handshake_SUITE.erl
+++ b/lib/ssl/test/ssl_handshake_SUITE.erl
@@ -283,4 +283,4 @@ is_supported(Hash) ->
 
 default_options_map() ->
     Fun = fun (_Key, {Default, _}) -> Default end,
-    maps:map(Fun, ?RULES).
+    maps:map(Fun, ssl:option_rules()).
diff --git a/lib/ssl/test/ssl_npn_hello_SUITE.erl b/lib/ssl/test/ssl_npn_hello_SUITE.erl
index ee8825a7248e..d3e2883acfd1 100644
--- a/lib/ssl/test/ssl_npn_hello_SUITE.erl
+++ b/lib/ssl/test/ssl_npn_hello_SUITE.erl
@@ -172,4 +172,4 @@ create_connection_states() ->
 
 default_options_map() ->
     Fun = fun (_Key, {Default, _}) -> Default end,
-    maps:map(Fun, ?RULES).
+    maps:map(Fun, ssl:option_rules()).