diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e8dd859..8415592 100755
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer):
sessionCache=None, settings=None, checker=None,
reqCAs = None,
tacks=None, activationFlags=0,
- nextProtos=None, anon=False):
+ nextProtos=None, anon=False,
+ tlsIntolerant=None):
"""Perform a handshake in the role of server.
This function performs an SSL or TLS handshake. Depending on
@@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer):
clients through the Next-Protocol Negotiation Extension,
if they support it.
+ @type tlsIntolerant: (int, int) or None
+ @param tlsIntolerant: If tlsIntolerant is not None, the server will
+ simulate TLS version intolerance by returning a fatal handshake_failure
+ alert to all TLS versions tlsIntolerant or higher.
+
@raise socket.error: If a socket error occurs.
@raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
without a preceding alert.
@@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer):
certChain, privateKey, reqCert, sessionCache, settings,
checker, reqCAs,
tacks=tacks, activationFlags=activationFlags,
- nextProtos=nextProtos, anon=anon):
+ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
pass
@@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer):
sessionCache=None, settings=None, checker=None,
reqCAs=None,
tacks=None, activationFlags=0,
- nextProtos=None, anon=False
+ nextProtos=None, anon=False,
+ tlsIntolerant=None
):
"""Start a server handshake operation on the TLS connection.
@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer):
sessionCache=sessionCache, settings=settings,
reqCAs=reqCAs,
tacks=tacks, activationFlags=activationFlags,
- nextProtos=nextProtos, anon=anon)
+ nextProtos=nextProtos, anon=anon,
+ tlsIntolerant=tlsIntolerant)
for result in self._handshakeWrapperAsync(handshaker, checker):
yield result
@@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer):
certChain, privateKey, reqCert, sessionCache,
settings, reqCAs,
tacks, activationFlags,
- nextProtos, anon):
+ nextProtos, anon,
+ tlsIntolerant):
self._handshakeStart(client=False)
@@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer):
# Handle ClientHello and resumption
for result in self._serverGetClientHello(settings, certChain,\
verifierDB, sessionCache,
- anon):
+ anon, tlsIntolerant):
if result in (0,1): yield result
elif result == None:
self._handshakeDone(resumed=True)
@@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
def _serverGetClientHello(self, settings, certChain, verifierDB,
- sessionCache, anon):
+ sessionCache, anon, tlsIntolerant):
#Initialize acceptable cipher suites
cipherSuites = []
if verifierDB:
@@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer):
"Too old version: %s" % str(clientHello.client_version)):
yield result
+ #If simulating TLS intolerance, reject certain TLS versions.
+ elif (tlsIntolerant is not None and
+ clientHello.client_version >= tlsIntolerant):
+ for result in self._sendError(\
+ AlertDescription.handshake_failure):
+ yield result
+
#If client's version is too high, propose my highest version
elif clientHello.client_version > settings.maxVersion:
self.version = settings.maxVersion