| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
| index e7c6834..0e78753 100644 |
| --- a/third_party/tlslite/tlslite/tlsconnection.py |
| +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| @@ -968,7 +968,8 @@ class TLSConnection(TLSRecordLayer): |
| sessionCache=None, settings=None, checker=None, |
| reqCAs = None, |
| tacks=None, activationFlags=0, |
| - nextProtos=None, anon=False): |
| + nextProtos=None, anon=False, |
| + tlsIntolerant=None): |
| """Perform a handshake in the role of server. |
| |
| This function performs an SSL or TLS handshake. Depending on |
| @@ -1037,6 +1038,11 @@ class TLSConnection(TLSRecordLayer): |
| clients through the Next-Protocol Negotiation Extension, |
| if they support it. |
| |
| + @type tlsIntolerant: (int, int) or None |
| + @param tlsIntolerant: If tlsIntolerant is not None, the server will |
| + simulate TLS version intolerance by returning a fatal handshake_failure |
| + alert to all TLS versions tlsIntolerant or higher. |
| + |
| @raise socket.error: If a socket error occurs. |
| @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
| without a preceding alert. |
| @@ -1048,7 +1054,7 @@ class TLSConnection(TLSRecordLayer): |
| certChain, privateKey, reqCert, sessionCache, settings, |
| checker, reqCAs, |
| tacks=tacks, activationFlags=activationFlags, |
| - nextProtos=nextProtos, anon=anon): |
| + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): |
| pass |
| |
| |
| @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer): |
| sessionCache=None, settings=None, checker=None, |
| reqCAs=None, |
| tacks=None, activationFlags=0, |
| - nextProtos=None, anon=False |
| + nextProtos=None, anon=False, |
| + tlsIntolerant=None |
| ): |
| """Start a server handshake operation on the TLS connection. |
| |
| @@ -1076,7 +1083,8 @@ class TLSConnection(TLSRecordLayer): |
| sessionCache=sessionCache, settings=settings, |
| reqCAs=reqCAs, |
| tacks=tacks, activationFlags=activationFlags, |
| - nextProtos=nextProtos, anon=anon) |
| + nextProtos=nextProtos, anon=anon, |
| + tlsIntolerant=tlsIntolerant) |
| for result in self._handshakeWrapperAsync(handshaker, checker): |
| yield result |
| |
| @@ -1085,7 +1093,8 @@ class TLSConnection(TLSRecordLayer): |
| certChain, privateKey, reqCert, sessionCache, |
| settings, reqCAs, |
| tacks, activationFlags, |
| - nextProtos, anon): |
| + nextProtos, anon, |
| + tlsIntolerant): |
| |
| self._handshakeStart(client=False) |
| |
| @@ -1117,7 +1126,7 @@ class TLSConnection(TLSRecordLayer): |
| # Handle ClientHello and resumption |
| for result in self._serverGetClientHello(settings, certChain,\ |
| verifierDB, sessionCache, |
| - anon): |
| + anon, tlsIntolerant): |
| if result in (0,1): yield result |
| elif result == None: |
| self._handshakeDone(resumed=True) |
| @@ -1214,7 +1223,7 @@ class TLSConnection(TLSRecordLayer): |
| |
| |
| def _serverGetClientHello(self, settings, certChain, verifierDB, |
| - sessionCache, anon): |
| + sessionCache, anon, tlsIntolerant): |
| #Initialize acceptable cipher suites |
| cipherSuites = [] |
| if verifierDB: |
| @@ -1249,6 +1258,13 @@ class TLSConnection(TLSRecordLayer): |
| "Too old version: %s" % str(clientHello.client_version)): |
| yield result |
| |
| + #If simulating TLS intolerance, reject certain TLS versions. |
| + elif (tlsIntolerant is not None and |
| + clientHello.client_version >= tlsIntolerant): |
| + for result in self._sendError(\ |
| + AlertDescription.handshake_failure): |
| + yield result |
| + |
| #If client's version is too high, propose my highest version |
| elif clientHello.client_version > settings.maxVersion: |
| self.version = settings.maxVersion |
