Remove third_party/tlslite and SpawnedTestServer::TYPE_HTTPS

SpawnedTestServer::TYPE_HTTPS is now unused and completely migrated
to EmbeddedTestServer. That, in turn, means tlslite is also unused
because SpawnedTestServer::TYPE_WSS uses the built-in Python ssl module.

(SpawnedTestServer is now just TYPE_HTTP, only used by policy_testserver,
and the WebSockets modes because we lack an embedded WebSockets test
server.)

Bug: 492672, 1250903
Change-Id: If221c09671c09495bc5d7b086d0751b639515763
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3286767
Commit-Queue: David Benjamin <davidben@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Lei Zhang <thestig@chromium.org>
Reviewed-by: Dirk Pranke <dpranke@google.com>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Colin Blundell <blundell@chromium.org>
Reviewed-by: Sami Kyöstilä <skyostil@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#944238}
diff --git a/build/util/lib/common/chrome_test_server_spawner.py b/build/util/lib/common/chrome_test_server_spawner.py
index 61ab9fa..b9d7222 100644
--- a/build/util/lib/common/chrome_test_server_spawner.py
+++ b/build/util/lib/common/chrome_test_server_spawner.py
@@ -38,10 +38,9 @@
 
 
 # Path that are needed to import necessary modules when launching a testserver.
-os.environ['PYTHONPATH'] = os.environ.get('PYTHONPATH', '') + (':%s:%s:%s'
-    % (os.path.join(_DIR_SOURCE_ROOT, 'third_party'),
-       os.path.join(_DIR_SOURCE_ROOT, 'third_party', 'tlslite'),
-       os.path.join(_DIR_SOURCE_ROOT, 'net', 'tools', 'testserver')))
+os.environ['PYTHONPATH'] = os.environ.get('PYTHONPATH', '') + (
+    ':%s:%s' % (os.path.join(_DIR_SOURCE_ROOT, 'third_party'),
+                os.path.join(_DIR_SOURCE_ROOT, 'net', 'tools', 'testserver')))
 
 
 def _GetServerTypeCommandLine(server_type):
diff --git a/chrome/credential_provider/test/BUILD.gn b/chrome/credential_provider/test/BUILD.gn
index ec588ce..0ed87ec 100644
--- a/chrome/credential_provider/test/BUILD.gn
+++ b/chrome/credential_provider/test/BUILD.gn
@@ -69,6 +69,5 @@
   data = [
     "//net/tools/testserver/",
     "//third_party/pywebsocket3/src/mod_pywebsocket/",
-    "//third_party/tlslite/",
   ]
 }
diff --git a/chrome/test/BUILD.gn b/chrome/test/BUILD.gn
index 7ac3a1d..b5d8638 100644
--- a/chrome/test/BUILD.gn
+++ b/chrome/test/BUILD.gn
@@ -1418,7 +1418,6 @@
       "//third_party/polymer/v1_0/components-chromium/iron-test-helpers/mock-interactions.js",
       "//third_party/pywebsocket3/src/mod_pywebsocket/",
       "//third_party/simplejson/",
-      "//third_party/tlslite/",
       "//ui/webui/resources/",
     ]
     data += js2gtest_js_libraries
@@ -5204,7 +5203,6 @@
     "//google_apis/test/data/",
     "//net/tools/testserver/",
     "//third_party/pywebsocket3/src/mod_pywebsocket/",
-    "//third_party/tlslite/",
     "//tools/metrics/histograms/enums.xml",
   ]
 
@@ -8399,7 +8397,6 @@
       "//third_party/mocha/mocha.js",
       "//third_party/polymer/v1_0/components-chromium/iron-test-helpers/mock-interactions.js",
       "//third_party/pywebsocket3/src/mod_pywebsocket/",
-      "//third_party/tlslite/",
       "//tools/metrics/histograms/enums.xml",
       "//ui/webui/resources/html/test_loader.html",
       "//ui/webui/resources/js/",
@@ -9090,7 +9087,6 @@
       "//chrome/test/data/banners/",
       "//net/tools/testserver/",
       "//third_party/pywebsocket3/src/mod_pywebsocket/",
-      "//third_party/tlslite/",
     ]
 
     # TODO(phajdan.jr): Only temporary, to make transition easier.
diff --git a/components/policy/test_support/bootstrap_deps b/components/policy/test_support/bootstrap_deps
index c9dacaa..09d9245 100644
--- a/components/policy/test_support/bootstrap_deps
+++ b/components/policy/test_support/bootstrap_deps
@@ -7,8 +7,6 @@
         "https://src.chromium.org/chrome/trunk/src/components/policy/test_support",
     "src/net/tools/testserver":
         "https://src.chromium.org/chrome/trunk/src/net/tools/testserver",
-    "src/third_party/tlslite/tlslite":
-        "https://src.chromium.org/chrome/trunk/src/third_party/tlslite/tlslite",
     "src/third_party/protobuf/python/google":
         "https://src.chromium.org/chrome/trunk/src/third_party/protobuf/python/google",
     "src/tools/telemetry":
diff --git a/content/test/BUILD.gn b/content/test/BUILD.gn
index aa30679..82a89fe 100644
--- a/content/test/BUILD.gn
+++ b/content/test/BUILD.gn
@@ -1558,7 +1558,6 @@
       "//ppapi/tests/test_page.css",
       "//ppapi/tests/test_url_loader_data/",
       "//third_party/pywebsocket3/src/mod_pywebsocket/",
-      "//third_party/tlslite/",
     ]
   }
 
diff --git a/extensions/BUILD.gn b/extensions/BUILD.gn
index b15b5cca..367ad32 100644
--- a/extensions/BUILD.gn
+++ b/extensions/BUILD.gn
@@ -277,7 +277,6 @@
     "//extensions/test/data/",
     "//net/tools/testserver/",
     "//third_party/pywebsocket3/src/mod_pywebsocket/",
-    "//third_party/tlslite/",
     "$root_out_dir/extensions_shell_and_test.pak",
   ]
 
diff --git a/headless/BUILD.gn b/headless/BUILD.gn
index fb0093ed..deb4224 100644
--- a/headless/BUILD.gn
+++ b/headless/BUILD.gn
@@ -767,7 +767,6 @@
     "//net/tools/testserver/",
     "//third_party/blink/web_tests/http/tests/inspector-protocol/",
     "//third_party/pywebsocket3/",
-    "//third_party/tlslite/",
   ]
 
   if (is_fuchsia) {
diff --git a/net/BUILD.gn b/net/BUILD.gn
index 59354b6..035c14b9 100644
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -4569,18 +4569,11 @@
   ]
 
   if (is_linux || is_chromeos || is_mac || is_win || is_fuchsia) {
-    deps += [
-      "//third_party/pywebsocket3/",
-      "//third_party/tlslite/",
-    ]
-    data_deps += [
-      "//third_party/pywebsocket3/",
-      "//third_party/tlslite/",
-    ]
+    deps += [ "//third_party/pywebsocket3/" ]
+    data_deps += [ "//third_party/pywebsocket3/" ]
     data += [
       "tools/testserver/",
       "//third_party/pywebsocket3/src/mod_pywebsocket/",
-      "//third_party/tlslite/",
     ]
   }
 
diff --git a/net/test/spawned_test_server/base_test_server.cc b/net/test/spawned_test_server/base_test_server.cc
index 04fcd16..c1bfd46f 100644
--- a/net/test/spawned_test_server/base_test_server.cc
+++ b/net/test/spawned_test_server/base_test_server.cc
@@ -148,8 +148,6 @@
   switch (type_) {
     case TYPE_HTTP:
       return "http";
-    case TYPE_HTTPS:
-      return "https";
     case TYPE_WS:
       return "ws";
     case TYPE_WSS:
@@ -435,10 +433,6 @@
     }
   }
 
-  if (type_ == TYPE_HTTPS) {
-    arguments->SetKey("https", base::Value());
-  }
-
   return GenerateAdditionalArguments(arguments);
 }
 
diff --git a/net/test/spawned_test_server/base_test_server.h b/net/test/spawned_test_server/base_test_server.h
index f9db4c9..0ddb207 100644
--- a/net/test/spawned_test_server/base_test_server.h
+++ b/net/test/spawned_test_server/base_test_server.h
@@ -40,7 +40,6 @@
   enum Type {
     TYPE_BASIC_AUTH_PROXY,
     TYPE_HTTP,
-    TYPE_HTTPS,
     TYPE_WS,
     TYPE_WSS,
     TYPE_PROXY,
@@ -167,10 +166,7 @@
       const std::vector<StringPair>& text_to_replace,
       std::string* replacement_path);
 
-  static bool UsingSSL(Type type) {
-    return type == BaseTestServer::TYPE_HTTPS ||
-           type == BaseTestServer::TYPE_WSS;
-  }
+  static bool UsingSSL(Type type) { return type == BaseTestServer::TYPE_WSS; }
 
   // Enable HTTP basic authentication. Currently this only works for TYPE_WS and
   // TYPE_WSS.
diff --git a/net/test/spawned_test_server/local_test_server.cc b/net/test/spawned_test_server/local_test_server.cc
index cb87253b..6c039ee 100644
--- a/net/test/spawned_test_server/local_test_server.cc
+++ b/net/test/spawned_test_server/local_test_server.cc
@@ -174,7 +174,6 @@
   third_party_dir = third_party_dir.AppendASCII("third_party");
 
   std::vector<base::FilePath> ret = {
-      third_party_dir.AppendASCII("tlslite"),
       third_party_dir.AppendASCII("pywebsocket3").AppendASCII("src"),
   };
 
@@ -219,9 +218,6 @@
   switch (type()) {
     case TYPE_HTTP:  // The default type is HTTP, no argument required.
       break;
-    case TYPE_HTTPS:
-      command_line->AppendArg("--https");
-      break;
     case TYPE_WS:
     case TYPE_WSS:
       command_line->AppendArg("--websocket");
diff --git a/net/test/spawned_test_server/remote_test_server.cc b/net/test/spawned_test_server/remote_test_server.cc
index 9891783..597a752 100644
--- a/net/test/spawned_test_server/remote_test_server.cc
+++ b/net/test/spawned_test_server/remote_test_server.cc
@@ -37,7 +37,6 @@
 std::string GetServerTypeString(BaseTestServer::Type type) {
   switch (type) {
     case BaseTestServer::TYPE_HTTP:
-    case BaseTestServer::TYPE_HTTPS:
       return "http";
     case BaseTestServer::TYPE_WS:
     case BaseTestServer::TYPE_WSS:
diff --git a/net/tools/testserver/run_testserver.cc b/net/tools/testserver/run_testserver.cc
index c3ea0e3d..3bfabcf 100644
--- a/net/tools/testserver/run_testserver.cc
+++ b/net/tools/testserver/run_testserver.cc
@@ -52,14 +52,13 @@
   }
 
   // If populated, EmbeddedTestServer is used instead of the SpawnedTestServer.
-  absl::optional<net::test_server::EmbeddedTestServer::Type>
-      embedded_test_server_type;
+  absl::optional<net::EmbeddedTestServer::Type> embedded_test_server_type;
 
   net::SpawnedTestServer::Type server_type;
   if (command_line->HasSwitch("http")) {
-    embedded_test_server_type = net::test_server::EmbeddedTestServer::TYPE_HTTP;
+    embedded_test_server_type = net::EmbeddedTestServer::TYPE_HTTP;
   } else if (command_line->HasSwitch("https")) {
-    server_type = net::SpawnedTestServer::TYPE_HTTPS;
+    embedded_test_server_type = net::EmbeddedTestServer::TYPE_HTTPS;
   } else if (command_line->HasSwitch("ws")) {
     server_type = net::SpawnedTestServer::TYPE_WS;
   } else if (command_line->HasSwitch("wss")) {
@@ -68,17 +67,19 @@
     // If no scheme switch is specified, select http or https scheme.
     // TODO(toyoshim): Remove this estimation.
     if (command_line->HasSwitch("ssl-cert")) {
-      server_type = net::SpawnedTestServer::TYPE_HTTPS;
+      embedded_test_server_type = net::EmbeddedTestServer::TYPE_HTTPS;
     } else {
-      embedded_test_server_type =
-          net::test_server::EmbeddedTestServer::TYPE_HTTP;
+      embedded_test_server_type = net::EmbeddedTestServer::TYPE_HTTP;
     }
   }
 
   net::SpawnedTestServer::SSLOptions ssl_options;
+  net::EmbeddedTestServer::ServerCertificate server_certificate;
   if (command_line->HasSwitch("ssl-cert")) {
-    if (!net::SpawnedTestServer::UsingSSL(server_type) ||
-        embedded_test_server_type.has_value()) {
+    if ((embedded_test_server_type.has_value() &&
+         *embedded_test_server_type != net::EmbeddedTestServer::TYPE_HTTPS) ||
+        (!embedded_test_server_type.has_value() &&
+         !net::SpawnedTestServer::UsingSSL(server_type))) {
       printf("Error: --ssl-cert is specified on non-secure scheme\n");
       PrintUsage();
       return -1;
@@ -87,12 +88,15 @@
     if (cert_option == "ok") {
       ssl_options.server_certificate =
           net::SpawnedTestServer::SSLOptions::CERT_OK;
+      server_certificate = net::EmbeddedTestServer::CERT_OK;
     } else if (cert_option == "mismatched-name") {
       ssl_options.server_certificate =
           net::SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME;
+      server_certificate = net::EmbeddedTestServer::CERT_MISMATCHED_NAME;
     } else if (cert_option == "expired") {
       ssl_options.server_certificate =
           net::SpawnedTestServer::SSLOptions::CERT_EXPIRED;
+      server_certificate = net::EmbeddedTestServer::CERT_EXPIRED;
     } else {
       printf("Error: --ssl-cert has invalid value %s\n", cert_option.c_str());
       PrintUsage();
@@ -118,8 +122,11 @@
 
   // Use EmbeddedTestServer, if it supports the provided configuration.
   if (embedded_test_server_type.has_value()) {
-    net::test_server::EmbeddedTestServer embedded_test_server(
-        *embedded_test_server_type);
+    net::EmbeddedTestServer embedded_test_server(*embedded_test_server_type);
+    if (*embedded_test_server_type == net::EmbeddedTestServer::TYPE_HTTPS) {
+      embedded_test_server.SetSSLConfig(server_certificate);
+    }
+
     embedded_test_server.AddDefaultHandlers(doc_root);
     if (!embedded_test_server.Start()) {
       printf("Error: failed to start embedded test server. Exiting.\n");
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 594c0f3d..ef1b78c 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -10,8 +10,6 @@
 By default, it listens on an ephemeral port and sends the port number back to
 the originating process over a pipe. The originating process can specify an
 explicit port if necessary.
-It can use https if you specify the flag --https=CERT where CERT is the path
-to a pem file containing the certificate and private key that should be used.
 """
 
 from __future__ import print_function
@@ -33,16 +31,12 @@
 # unconditionally (since they contain modifications from anything that might be
 # obtained from e.g. PyPi).
 sys.path.insert(0, os.path.join(ROOT_DIR, 'third_party', 'pywebsocket3', 'src'))
-sys.path.insert(0, os.path.join(ROOT_DIR, 'third_party', 'tlslite'))
 
 import mod_pywebsocket.standalone
 from mod_pywebsocket.standalone import WebSocketServer
 # import manually
 mod_pywebsocket.standalone.ssl = ssl
 
-import tlslite
-import tlslite.api
-
 import testserver_base
 
 SERVER_HTTP = 0
@@ -93,64 +87,6 @@
   pass
 
 
-class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
-                  testserver_base.ClientRestrictingServerMixIn,
-                  testserver_base.BrokenPipeHandlerMixIn,
-                  testserver_base.StoppableHTTPServer):
-  """This is a specialization of StoppableHTTPServer that add https support and
-  client verification."""
-
-  def __init__(self, server_address, request_hander_class, pem_cert_and_key,
-               ssl_client_auth, ssl_client_cas):
-    self.cert_chain = tlslite.api.X509CertChain()
-    self.cert_chain.parsePemList(pem_cert_and_key)
-    # Force using only python implementation - otherwise behavior is different
-    # depending on whether m2crypto Python module is present (error is thrown
-    # when it is). m2crypto uses a C (based on OpenSSL) implementation under
-    # the hood.
-    self.private_key = tlslite.api.parsePEMKey(pem_cert_and_key,
-                                               private=True,
-                                               implementations=['python'])
-    self.ssl_client_auth = ssl_client_auth
-    self.ssl_client_cas = []
-
-    if ssl_client_auth:
-      for ca_file in ssl_client_cas:
-        s = open(ca_file).read()
-        x509 = tlslite.api.X509()
-        x509.parse(s)
-        self.ssl_client_cas.append(x509.subject)
-
-    self.ssl_handshake_settings = tlslite.api.HandshakeSettings()
-    # Enable SSLv3 for testing purposes.
-    self.ssl_handshake_settings.minVersion = (3, 0)
-
-    self.session_cache = tlslite.api.SessionCache()
-    testserver_base.StoppableHTTPServer.__init__(self,
-                                                 server_address,
-                                                 request_hander_class)
-
-  def handshake(self, tlsConnection):
-    """Creates the SSL connection."""
-
-    try:
-      self.tlsConnection = tlsConnection
-      tlsConnection.handshakeServer(certChain=self.cert_chain,
-                                    privateKey=self.private_key,
-                                    sessionCache=self.session_cache,
-                                    reqCert=self.ssl_client_auth,
-                                    settings=self.ssl_handshake_settings,
-                                    reqCAs=self.ssl_client_cas)
-      tlsConnection.ignoreAbruptClose = True
-      return True
-    except tlslite.api.TLSAbruptCloseError:
-      # Ignore abrupt close.
-      return True
-    except tlslite.api.TLSError as error:
-      print("Handshake failure:", str(error))
-      return False
-
-
 class TestPageHandler(testserver_base.BasePageHandler):
   def __init__(self, request, client_address, socket_server):
     connect_handlers = [self.DefaultConnectResponseHandler]
@@ -372,30 +308,9 @@
       dns_sans = [host]
 
     if self.options.server_type == SERVER_HTTP:
-      if self.options.https:
-        if not self.options.cert_and_key_file:
-          raise testserver_base.OptionError('server cert file not specified')
-        if not os.path.isfile(self.options.cert_and_key_file):
-          raise testserver_base.OptionError(
-              'specified server cert file not found: ' +
-              self.options.cert_and_key_file + ' exiting...')
-        pem_cert_and_key = open(self.options.cert_and_key_file, 'r').read()
-
-        for ca_cert in self.options.ssl_client_ca:
-          if not os.path.isfile(ca_cert):
-            raise testserver_base.OptionError(
-                'specified trusted client CA file not found: ' + ca_cert +
-                ' exiting...')
-
-        server = HTTPSServer((host, port), TestPageHandler, pem_cert_and_key,
-                             self.options.ssl_client_auth,
-                             self.options.ssl_client_ca)
-        print('HTTPS server started on https://%s:%d...' %
-              (host, server.server_port))
-      else:
-        server = HTTPServer((host, port), TestPageHandler)
-        print('HTTP server started on http://%s:%d...' %
-              (host, server.server_port))
+      server = HTTPServer((host, port), TestPageHandler)
+      print('HTTP server started on http://%s:%d...' %
+            (host, server.server_port))
 
       server.data_dir = self.__make_data_dir()
       server.file_root_url = self.options.file_root_url
@@ -468,9 +383,6 @@
                                   const=SERVER_WEBSOCKET, default=SERVER_HTTP,
                                   dest='server_type',
                                   help='start up a WebSocket server.')
-    self.option_parser.add_option('--https', action='store_true',
-                                  dest='https', help='Specify that https '
-                                  'should be used.')
     self.option_parser.add_option('--cert-and-key-file',
                                   dest='cert_and_key_file', help='specify the '
                                   'path to the file containing the certificate '
diff --git a/net/tools/testserver/testserver.pydeps b/net/tools/testserver/testserver.pydeps
index 013a778c..a4deed6 100644
--- a/net/tools/testserver/testserver.pydeps
+++ b/net/tools/testserver/testserver.pydeps
@@ -1,5 +1,5 @@
 # Generated by running:
-#   build/print_python_deps.py --root net/tools/testserver --output net/tools/testserver/testserver.pydeps --allowlist third_party/tlslite/tlslite/utils net/tools/testserver/testserver.py
+#   build/print_python_deps.py --root net/tools/testserver --output net/tools/testserver/testserver.pydeps net/tools/testserver/testserver.py
 ../../../third_party/pywebsocket3/src/mod_pywebsocket/__init__.py
 ../../../third_party/pywebsocket3/src/mod_pywebsocket/_stream_exceptions.py
 ../../../third_party/pywebsocket3/src/mod_pywebsocket/common.py
@@ -17,62 +17,5 @@
 ../../../third_party/pywebsocket3/src/mod_pywebsocket/stream.py
 ../../../third_party/pywebsocket3/src/mod_pywebsocket/util.py
 ../../../third_party/pywebsocket3/src/mod_pywebsocket/websocket_server.py
-../../../third_party/tlslite/tlslite/__init__.py
-../../../third_party/tlslite/tlslite/api.py
-../../../third_party/tlslite/tlslite/basedb.py
-../../../third_party/tlslite/tlslite/checker.py
-../../../third_party/tlslite/tlslite/constants.py
-../../../third_party/tlslite/tlslite/errors.py
-../../../third_party/tlslite/tlslite/handshakesettings.py
-../../../third_party/tlslite/tlslite/integration/__init__.py
-../../../third_party/tlslite/tlslite/integration/asyncstatemachine.py
-../../../third_party/tlslite/tlslite/integration/clienthelper.py
-../../../third_party/tlslite/tlslite/integration/httptlsconnection.py
-../../../third_party/tlslite/tlslite/integration/imap4_tls.py
-../../../third_party/tlslite/tlslite/integration/pop3_tls.py
-../../../third_party/tlslite/tlslite/integration/smtp_tls.py
-../../../third_party/tlslite/tlslite/integration/tlsasyncdispatchermixin.py
-../../../third_party/tlslite/tlslite/integration/tlssocketservermixin.py
-../../../third_party/tlslite/tlslite/integration/xmlrpcserver.py
-../../../third_party/tlslite/tlslite/integration/xmlrpctransport.py
-../../../third_party/tlslite/tlslite/mathtls.py
-../../../third_party/tlslite/tlslite/messages.py
-../../../third_party/tlslite/tlslite/session.py
-../../../third_party/tlslite/tlslite/sessioncache.py
-../../../third_party/tlslite/tlslite/tlsconnection.py
-../../../third_party/tlslite/tlslite/tlsrecordlayer.py
-../../../third_party/tlslite/tlslite/utils/__init__.py
-../../../third_party/tlslite/tlslite/utils/aes.py
-../../../third_party/tlslite/tlslite/utils/aesgcm.py
-../../../third_party/tlslite/tlslite/utils/asn1parser.py
-../../../third_party/tlslite/tlslite/utils/cipherfactory.py
-../../../third_party/tlslite/tlslite/utils/codec.py
-../../../third_party/tlslite/tlslite/utils/compat.py
-../../../third_party/tlslite/tlslite/utils/cryptomath.py
-../../../third_party/tlslite/tlslite/utils/datefuncs.py
-../../../third_party/tlslite/tlslite/utils/keyfactory.py
-../../../third_party/tlslite/tlslite/utils/openssl_aes.py
-../../../third_party/tlslite/tlslite/utils/openssl_rc4.py
-../../../third_party/tlslite/tlslite/utils/openssl_rsakey.py
-../../../third_party/tlslite/tlslite/utils/openssl_tripledes.py
-../../../third_party/tlslite/tlslite/utils/p256.py
-../../../third_party/tlslite/tlslite/utils/pem.py
-../../../third_party/tlslite/tlslite/utils/pycrypto_aes.py
-../../../third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py
-../../../third_party/tlslite/tlslite/utils/pycrypto_rc4.py
-../../../third_party/tlslite/tlslite/utils/pycrypto_rsakey.py
-../../../third_party/tlslite/tlslite/utils/pycrypto_tripledes.py
-../../../third_party/tlslite/tlslite/utils/python_aes.py
-../../../third_party/tlslite/tlslite/utils/python_aesgcm.py
-../../../third_party/tlslite/tlslite/utils/python_rc4.py
-../../../third_party/tlslite/tlslite/utils/python_rsakey.py
-../../../third_party/tlslite/tlslite/utils/rc4.py
-../../../third_party/tlslite/tlslite/utils/rijndael.py
-../../../third_party/tlslite/tlslite/utils/rsakey.py
-../../../third_party/tlslite/tlslite/utils/tackwrapper.py
-../../../third_party/tlslite/tlslite/utils/tripledes.py
-../../../third_party/tlslite/tlslite/verifierdb.py
-../../../third_party/tlslite/tlslite/x509.py
-../../../third_party/tlslite/tlslite/x509certchain.py
 testserver.py
 testserver_base.py
diff --git a/net/tools/testserver/testserver_base.py b/net/tools/testserver/testserver_base.py
index 25cb7af..319afd4e 100644
--- a/net/tools/testserver/testserver_base.py
+++ b/net/tools/testserver/testserver_base.py
@@ -14,8 +14,6 @@
 import sys
 import warnings
 
-import tlslite.errors
-
 # Ignore deprecation warnings, they make our output more cluttered.
 warnings.filterwarnings("ignore", category=DeprecationWarning)
 
@@ -73,9 +71,6 @@
 
   def handle_error(self, request, client_address):
     value = sys.exc_info()[1]
-    if isinstance(value, tlslite.errors.TLSClosedConnectionError):
-      print("testserver.py: Closed connection")
-      return
     if isinstance(value, socket.error):
       err = value.args[0]
       if sys.platform in ('win32', 'cygwin'):
diff --git a/services/network/BUILD.gn b/services/network/BUILD.gn
index a0c95bb..bf42c74 100644
--- a/services/network/BUILD.gn
+++ b/services/network/BUILD.gn
@@ -406,7 +406,6 @@
       "//net/tools/testserver/",
       "//services/test/data",
       "//third_party/pywebsocket3/src/mod_pywebsocket/",
-      "//third_party/tlslite/",
     ]
   }
 
diff --git a/third_party/tlslite/BUILD.gn b/third_party/tlslite/BUILD.gn
deleted file mode 100644
index 0b13774..0000000
--- a/third_party/tlslite/BUILD.gn
+++ /dev/null
@@ -1,10 +0,0 @@
-# Copyright 2015 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# Tlslite is a Python program. Depend on this to get the data deps necessary
-# to run tlslite in the test environment.
-group("tlslite") {
-  # For now, depend on the entire directory.
-  data = [ "//third_party/tlslite/" ]
-}
diff --git a/third_party/tlslite/DIR_METADATA b/third_party/tlslite/DIR_METADATA
deleted file mode 100644
index ca543b8..0000000
--- a/third_party/tlslite/DIR_METADATA
+++ /dev/null
@@ -1,4 +0,0 @@
-monorail: {
-  component: "Internals>Network>SSL"
-}
-team_email: "trusty-transport@chromium.org"
diff --git a/third_party/tlslite/LICENSE b/third_party/tlslite/LICENSE
deleted file mode 100644
index 7e71620..0000000
--- a/third_party/tlslite/LICENSE
+++ /dev/null
@@ -1,67 +0,0 @@
-
-TLS Lite includes code from different sources. All code is either dedicated to
-the public domain by its authors, or available under a BSD-style license. In
-particular:
-
-- 
-
-Code written by Trevor Perrin, Kees Bos, Sam Rushing, Dimitris Moraitis,
-Marcelo Fernandez, Martin von Loewis, Dave Baggett, and Yngve Pettersen is 
-available under the following terms:
-
-This is free and unencumbered software released into the public domain.
-
-Anyone is free to copy, modify, publish, use, compile, sell, or distribute
-this software, either in source code form or as a compiled binary, for any
-purpose, commercial or non-commercial, and by any means.
-
-In jurisdictions that recognize copyright laws, the author or authors of this
-software dedicate any and all copyright interest in the software to the public
-domain. We make this dedication for the benefit of the public at large and to
-the detriment of our heirs and successors. We intend this dedication to be an
-overt act of relinquishment in perpetuity of all present and future rights to
-this software under copyright law.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
-ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
--
-
-Code written by Bram Cohen (rijndael.py) was dedicated to the public domain by
-its author. See rijndael.py for details.
-
--
-
-Code written by Google is available under the following terms:
-
-Copyright (c) 2008, The Chromium Authors 
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
- * Neither the name of the Google Inc. nor the names of its contributors may
-   be used to endorse or promote products derived from this software without
-   specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/third_party/tlslite/MANIFEST.in b/third_party/tlslite/MANIFEST.in
deleted file mode 100644
index 340da6966..0000000
--- a/third_party/tlslite/MANIFEST.in
+++ /dev/null
@@ -1,6 +0,0 @@
-recursive-include tests *
-recursive-include docs *
-include LICENSE
-include README
-include Makefile
-include MANIFEST.in
\ No newline at end of file
diff --git a/third_party/tlslite/Makefile b/third_party/tlslite/Makefile
deleted file mode 100644
index 871125e6a..0000000
--- a/third_party/tlslite/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Hubert Kario - test and test-dev
-#
-.PHONY : default
-default:
-	@echo To install tlslite run \"./setup.py install\" or \"make install\"
-
-.PHONY: install
-install:
-	./setup.py install
-
-.PHONY : clean
-clean:
-	rm -rf tlslite/*.pyc
-	rm -rf tlslite/utils/*.pyc
-	rm -rf tlslite/integration/*.pyc	
-	rm -rf dist
-	rm -rf docs
-	rm -rf build
-	rm -f MANIFEST
-
-docs:
-	epydoc --html -v --introspect-only -o docs tlslite
-
-dist: docs
-	./setup.py sdist
-
-test:
-	cd tests/ && python ./tlstest.py server localhost:4433 . & sleep 1
-	cd tests/ && python ./tlstest.py client localhost:4433 .
-
-test-dev:
-	cd tests/ && PYTHONPATH=.. python ./tlstest.py server localhost:4433 . & sleep 1
-	cd tests/ && PYTHONPATH=.. python ./tlstest.py client localhost:4433 .
diff --git a/third_party/tlslite/OWNERS b/third_party/tlslite/OWNERS
deleted file mode 100644
index 42d0d3b..0000000
--- a/third_party/tlslite/OWNERS
+++ /dev/null
@@ -1,3 +0,0 @@
-agl@chromium.org
-davidben@chromium.org
-rsleevi@chromium.org
diff --git a/third_party/tlslite/PKG-INFO b/third_party/tlslite/PKG-INFO
deleted file mode 100644
index 0b6bbd1..0000000
--- a/third_party/tlslite/PKG-INFO
+++ /dev/null
@@ -1,10 +0,0 @@
-Metadata-Version: 1.0
-Name: tlslite
-Version: 0.4.8
-Summary: tlslite implements SSL and TLS.
-Home-page: http://trevp.net/tlslite/
-Author: Trevor Perrin
-Author-email: tlslite@trevp.net
-License: public domain and BSD
-Description: UNKNOWN
-Platform: UNKNOWN
diff --git a/third_party/tlslite/README b/third_party/tlslite/README
deleted file mode 100644
index 97c57e17..0000000
--- a/third_party/tlslite/README
+++ /dev/null
@@ -1,663 +0,0 @@
-
-tlslite version 0.4.8                                            Nov 12 2014
-Trevor Perrin <tlslite at trevp.net>
-http://trevp.net/tlslite/
-============================================================================
-
-
-Table of Contents
-==================
-1  Introduction
-2  License/Acknowledgements
-3  Installation
-4  Getting Started with the Command-Line Tools
-5  Getting Started with the Library
-6  Using TLS Lite with httplib
-7  Using TLS Lite with poplib or imaplib
-8  Using TLS Lite with smtplib
-9 Using TLS Lite with SocketServer
-10 Using TLS Lite with asyncore
-11 SECURITY CONSIDERATIONS
-12 History
-
-
-1 Introduction 
-=============== 
-TLS Lite is an open source python library that implements SSL and TLS. TLS
-Lite supports RSA and SRP ciphersuites. TLS Lite is pure python, however it
-can use other libraries for faster crypto operations. TLS Lite integrates with
-several stdlib neworking libraries.
-
-API documentation is available in the 'docs' directory.
-
-If you have questions or feedback, feel free to contact me.  For discussing
-improvements to tlslite, also see 'tlslite-dev@googlegroups.com'.
-
-
-2 Licenses/Acknowledgements
-============================
-TLS Lite is written (mostly) by Trevor Perrin. It includes code from Bram
-Cohen, Google, Kees Bos, Sam Rushing, Dimitris Moraitis, Marcelo Fernandez,
-Martin von Loewis, Dave Baggett, and Yngve N. Pettersen (ported by Paul 
-Sokolovsky).
-
-All code in TLS Lite has either been dedicated to the public domain by its
-authors, or placed under a BSD-style license. See the LICENSE file for
-details.
-
-Thanks to Edward Loper for Epydoc, which generated the API docs.
-
-3 Installation
-===============
-Requirements:
-  Python 2.6 or higher is required. Python 3 is supported.
-
-Options:
-  - If you have the M2Crypto interface to OpenSSL, this will be used for fast
-    RSA operations and fast ciphers.
-
-  - If you have pycrypto this will be used for fast RSA operations and fast
-    ciphers.
-
-  - If you have the GMPY interface to GMP, this will be used for fast RSA and
-    SRP operations.
-
-  - These modules don't need to be present at installation - you can install
-    them any time.
-
-Run 'python setup.py install'
-
-Test the Installation:
-  - From the distribution's ./tests subdirectory, run:
-      ./tlstest.py server localhost:4443 .
-  - While the test server is waiting, run:
-      ./tlstest.py client localhost:4443 .
-
-  If both say "Test succeeded" at the end, you're ready to go.
-
-
-4 Getting Started with the Command-Line Tools
-==============================================
-tlslite installs two command-line scripts: 'tlsdb.py' and 'tls.py'.
-
-'tls.py' lets you run test clients and servers. It can be used for testing
-other TLS implementations, or as example code. Note that 'tls.py server' runs
-an HTTPS server which will serve files rooted at the current directory by
-default, so be careful.
-
-'tlsdb.py' lets you manage SRP verifier databases. These databases are used by
-a TLS server when authenticating clients with SRP.
-
-X.509
-------
-To run an X.509 server, go to the ./tests directory and do:
-
-  tls.py server -k serverX509Key.pem -c serverX509Cert.pem localhost:4443
-
-Try connecting to the server with a web browser, or with:
-
-  tls.py client localhost:4443
-
-X.509 with TACK
-----------------
-To run an X.509 server using a TACK, install TACKpy, then run the same server
-command as above with added arguments:
-
- ... -t TACK1.pem localhost:4443
-
-SRP
-----
-To run an SRP server, try something like:
-
-  tlsdb.py createsrp verifierDB
-  tlsdb.py add verifierDB alice abra123cadabra 1024
-  tlsdb.py add verifierDB bob swordfish 2048
-
-  tls.py server -v verifierDB localhost:4443
-
-Then try connecting to the server with:
-
-  tls.py client localhost:4443 alice abra123cadabra
-
-HTTPS
-------
-To run an HTTPS server with less typing, run ./tests/httpsserver.sh.
-
-To run an HTTPS client, run ./tests/httpsclient.py.
-
-
-5 Getting Started with the Library
-===================================
-Whether you're writing a client or server, there are six steps:
-
-1) Create a socket and connect it to the other party.
-2) Construct a TLSConnection instance with the socket.
-3) Call a handshake function on TLSConnection to perform the TLS handshake.
-4) Check the results to make sure you're talking to the right party.
-5) Use the TLSConnection to exchange data.
-6) Call close() on the TLSConnection when you're done.
-
-TLS Lite also integrates with several stdlib python libraries. See the
-sections following this one for details.
-
-5 Step 1 - create a socket
----------------------------
-Below demonstrates a socket connection to Amazon's secure site.
-
-  from socket import *
-  sock = socket(AF_INET, SOCK_STREAM)
-  sock.connect( ("www.amazon.com", 443) )
-
-5 Step 2 - construct a TLSConnection
--------------------------------------
-You can import tlslite objects individually, such as:
-  from tlslite import TLSConnection
-
-Or import the most useful objects through:
-  from tlslite.api import *
-
-Then do:
-  connection = TLSConnection(sock)
-
-5 Step 3 - call a handshake function (client)
-----------------------------------------------
-If you're a client, there's two different handshake functions you can call,
-depending on how you want to authenticate:
-
-  connection.handshakeClientCert()
-  connection.handshakeClientCert(certChain, privateKey)
-
-  connection.handshakeClientSRP("alice", "abra123cadabra")
-
-The ClientCert function without arguments is used when connecting to a site
-like Amazon, which doesn't require client authentication, but which will
-authenticate itself using an X.509 certificate chain.
-
-The ClientCert function can also be used to do client authentication with an
-X.509 certificate chain and corresponding private key. To use X.509 chains,
-you'll need some way of creating these, such as OpenSSL (see
-http://www.openssl.org/docs/HOWTO/ for details).
-
-Below is an example of loading an X.509 chain and private key:
-  
-  from tlslite import X509, X509CertChain, parsePEMKey
-  s = open("./test/clientX509Cert.pem").read()
-  x509 = X509()
-  x509.parse(s)
-  certChain = X509CertChain([x509])
-  s = open("./test/clientX509Key.pem").read()
-  privateKey = parsePEMKey(s, private=True)
-
-The SRP function does mutual authentication with a username and password - see
-RFC 5054 for details.
-
-If you want more control over the handshake, you can pass in a
-HandshakeSettings instance. For example, if you're performing SRP, but you
-only want to use SRP parameters of at least 2048 bits, and you only want to
-use the AES-256 cipher, and you only want to allow TLS (version 3.1), not SSL
-(version 3.0), you can do:
-
-  settings = HandshakeSettings()
-  settings.minKeySize = 2048
-  settings.cipherNames = ["aes256"]
-  settings.minVersion = (3,1)
-  settings.useExperimentalTACKExtension = True  # Needed for TACK support
-
-  connection.handshakeClientSRP("alice", "abra123cadabra", settings=settings)
-
-If you want to check the server's certificate using TACK, you should set the
-"useExperiementalTACKExtension" value in HandshakeSettings. (Eventually, TACK
-support will be enabled by default, but for now it is an experimental feature
-which relies on a temporary TLS Extension number, and should not be used for
-production software.) This will cause the client to request the server to send
-you a TACK (and/or any TACK Break Signatures):
-
-Finally, every TLSConnection has a session object. You can try to resume a
-previous session by passing in the session object from the old session. If the
-server remembers this old session and supports resumption, the handshake will
-finish more quickly. Otherwise, the full handshake will be done. For example:
-
-  connection.handshakeClientSRP("alice", "abra123cadabra")
-  .
-  .
-  oldSession = connection.session
-  connection2.handshakeClientSRP("alice", "abra123cadabra", session=
-  oldSession)
-
-5 Step 3 - call a handshake function (server)
-----------------------------------------------
-If you're a server, there's only one handshake function, but you can pass it
-several different parameters, depending on which types of authentication
-you're willing to perform.
-
-To perform SRP authentication, you have to pass in a database of password
-verifiers.  The VerifierDB class manages an in-memory or on-disk verifier
-database.
-
-  verifierDB = VerifierDB("./test/verifierDB")
-  verifierDB.open()
-  connection.handshakeServer(verifierDB=verifierDB)
-
-To perform authentication with a certificate and private key, the server must
-load these as described in the previous section, then pass them in.  If the
-server sets the reqCert boolean to True, a certificate chain will be requested
-from the client.
-
-  connection.handshakeServer(certChain=certChain, privateKey=privateKey,
-                             reqCert=True)
-
-You can pass in a verifier database and/or a certificate chain+private key.
-The client will use one or both to authenticate the server.
-
-You can also pass in a HandshakeSettings object, as described in the last
-section, for finer control over handshaking details.
-
-If you are passing in a certificate chain+private key, you may additionally
-provide a TACK to assist the client in authenticating your certificate chain.
-This requires the TACKpy library. Load a TACKpy.TACK object, then do:
-
-  settings = HandshakeSettings()
-  settings.useExperimentalTACKExtension = True  # Needed for TACK support
-
-  connection.handshakeServer(certChain=certChain, privateKey=privateKey,
-                             tack=tack, settings=settings)
-
-Finally, the server can maintain a SessionCache, which will allow clients to
-use session resumption:
-
-  sessionCache = SessionCache()
-  connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
-
-It should be noted that the session cache, and the verifier databases, are all
-thread-safe.
-
-5 Step 4 - check the results
------------------------------
-If the handshake completes without raising an exception, authentication
-results will be stored in the connection's session object.  The following
-variables will be populated if applicable, or else set to None:
-
-  connection.session.srpUsername       # string
-  connection.session.clientCertChain   # X509CertChain
-  connection.session.serverCertChain   # X509CertChain
-  connection.session.tackExt           # TACKpy.TACK_Extension
-
-X.509 chain objects return the end-entity fingerprint via getFingerprint(),
-and ignore the other certificates.
-
-TACK objects return the (validated) TACK ID via getTACKID().
-
-To save yourself the trouble of inspecting certificates after the handshake,
-you can pass a Checker object into the handshake function. The checker will be
-called if the handshake completes successfully. If the other party isn't
-approved by the checker, a subclass of TLSAuthenticationError will be raised.
-
-If the handshake fails for any reason, including a Checker error, an exception
-will be raised and the socket will be closed. If the socket timed out or was
-unexpectedly closed, a socket.error or TLSAbruptCloseError will be raised.
-
-Otherwise, either a TLSLocalAlert or TLSRemoteAlert will be raised, depending
-on whether the local or remote implementation signalled the error. The
-exception object has a 'description' member which identifies the error based
-on the codes in RFC 2246. A TLSLocalAlert also has a 'message' string that may
-have more details.
-
-Example of handling a remote alert:
-
-  try:
-      [...]
-  except TLSRemoteAlert as alert:
-      if alert.description == AlertDescription.unknown_psk_identity:
-          print "Unknown user."
-  [...]
-
-Below are some common alerts and their probable causes, and whether they are
-signalled by the client or server.
-
-Client handshake_failure:
- - SRP parameters are not recognized by client
- - Server's TACK was unrelated to its certificate chain
-
-Client insufficient_security:
- - SRP parameters are too small
-
-Client protocol_version:
- - Client doesn't support the server's protocol version
-
-Server protocol_version:
- - Server doesn't support the client's protocol version
-
-Server bad_record_mac:
- - bad SRP username or password
-
-Server unknown_psk_identity
- - bad SRP username (bad_record_mac could be used for the same thing)
-
-Server handshake_failure:
- - no matching cipher suites
-
-5 Step 5 - exchange data
--------------------------
-Now that you have a connection, you can call read() and write() as if it were
-a socket.SSL object. You can also call send(), sendall(), recv(), and
-makefile() as if it were a socket. These calls may raise TLSLocalAlert,
-TLSRemoteAlert, socket.error, or TLSAbruptCloseError, just like the handshake
-functions.
-
-Once the TLS connection is closed by the other side, calls to read() or recv()
-will return an empty string. If the socket is closed by the other side without
-first closing the TLS connection, calls to read() or recv() will return a
-TLSAbruptCloseError, and calls to write() or send() will return a
-socket.error.
-
-5 Step 6 - close the connection
---------------------------------
-When you're finished sending data, you should call close() to close the
-connection and socket. When the connection is closed properly, the session
-object can be used for session resumption.
-
-If an exception is raised the connection will be automatically closed; you
-don't need to call close(). Furthermore, you will probably not be able to
-re-use the socket, the connection object, or the session object, and you
-shouldn't even try.
-
-By default, calling close() will close the underlying socket. If you set the
-connection's closeSocket flag to False, the socket will remain open after
-close. (NOTE: some TLS implementations will not respond properly to the
-close_notify alert that close() generates, so the connection will hang if
-closeSocket is set to True.)
-
-
-6 Using TLS Lite with httplib
-==============================
-TLS Lite comes with an HTTPTLSConnection class that extends httplib to work
-over SSL/TLS connections.  Depending on how you construct it, it will do
-different types of authentication.
-
-  #No authentication whatsoever
-  h = HTTPTLSConnection("www.amazon.com", 443)
-  h.request("GET", "")
-  r = h.getresponse()
-  [...]
-
-  #Authenticate server based on its TACK ID
-  h = HTTPTLSConnection("localhost", 4443,
-          tackID="B3ARS.EQ61B.F34EL.9KKLN.3WEW5", hardTack=False)
-  [...]
-
-  #Mutually authenticate with SRP
-  h = HTTPTLSConnection("localhost", 443,
-          username="alice", password="abra123cadabra")
-  [...]
-
-
-7 Using TLS Lite with poplib or imaplib
-========================================
-TLS Lite comes with POP3_TLS and IMAP4_TLS classes that extend poplib and
-imaplib to work over SSL/TLS connections.  These classes can be constructed
-with the same parameters as HTTPTLSConnection (see previous section), and 
-behave similarly.
-
-  #To connect to a POP3 server over SSL and display its fingerprint:
-  from tlslite.api import *
-  p = POP3_TLS("---------.net", port=995)
-  print p.sock.session.serverCertChain.getFingerprint()
-  [...]
-
-  #To connect to an IMAP server once you know its fingerprint:
-  from tlslite.api import *
-  i = IMAP4_TLS("cyrus.andrew.cmu.edu",
-          x509Fingerprint="00c14371227b3b677ddb9c4901e6f2aee18d3e45")
-  [...]  
-  
-
-8 Using TLS Lite with smtplib
-==============================
-TLS Lite comes with an SMTP_TLS class that extends smtplib to work
-over SSL/TLS connections.  This class accepts the same parameters as
-HTTPTLSConnection (see previous section), and behaves similarly.  Depending 
-on how you call starttls(), it will do different types of authentication.
-
-  #To connect to an SMTP server once you know its fingerprint:
-  from tlslite.api import *
-  s = SMTP_TLS("----------.net", port=587)
-  s.ehlo()
-  s.starttls(x509Fingerprint="7e39be84a2e3a7ad071752e3001d931bf82c32dc")
-  [...]
-
-
-9 Using TLS Lite with SocketServer
-====================================
-You can use TLS Lite to implement servers using Python's SocketServer
-framework.  TLS Lite comes with a TLSSocketServerMixIn class.  You can combine
-this with a TCPServer such as HTTPServer.  To combine them, define a new class
-that inherits from both of them (with the mix-in first). Then implement the
-handshake() method, doing some sort of server handshake on the connection
-argument.  If the handshake method returns True, the RequestHandler will be
-triggered.  See the tests/httpsserver.py example.
-
-
-10 Using TLS Lite with asyncore
-================================
-TLS Lite can be used with subclasses of asyncore.dispatcher.  See the comments
-in TLSAsyncDispatcherMixIn.py for details.  This is still experimental, and
-may not work with all asyncore.dispatcher subclasses.
-
-
-11 Security Considerations
-===========================
-TLS Lite is beta-quality code. It hasn't received much security analysis. Use
-at your own risk.
-
-TLS Lite does NOT verify certificates by default.
-
-TLS Lite's pure-python ciphers are probably vulnerable to timing attacks.
-
-TLS Lite is probably vulnerable to the "Lucky 13" timing attack if AES or 3DES
-are used, or the weak cipher RC4 otherwise.  This unhappy situation will remain
-until TLS Lite implements authenticated-encryption ciphersuites (like GCM), or
-RFC 7366.
-
-
-12 History
-===========
-0.4.8 - 11/12/2014
- - Added more acknowledgements and security considerations
-0.4.7 - 11/12/2014
- - Added TLS 1.2 support (Yngve Pettersen and Paul Sokolovsky)
- - Don't offer SSLv3 by default (e.g. POODLE)
- - Fixed bug with PyCrypto_RSA integration
- - Fixed harmless bug that added non-prime into sieves list
- - Added "make test" and "make test-dev" targets (Hubert Kario)
-0.4.5 - 3/20/2013
- - **API CHANGE**: TLSClosedConnectionError instead of ValueError when writing
-   to a closed connection.  This inherits from socket.error, so should 
-   interact better with SocketServer (see http://bugs.python.org/issue14574)
-   and other things expecting a socket.error in this situation.
- - Added support for RC4-MD5 ciphersuite (if enabled in settings)
-   - This is allegedly necessary to connect to some Internet servers.
- - Added TLSConnection.unread() function 
- - Switched to New-style classes (inherit from 'object')
- - Minor cleanups
-0.4.4 - 2/25/2013
- - Added Python 3 support (Martin von Loewis)
- - Added NPN client support (Marcelo Fernandez)
- - Switched to RC4 as preferred cipher
-   - faster in Python, avoids "Lucky 13" timing attacks
- - Fixed bug when specifying ciphers for anon ciphersuites
- - Made RSA hashAndVerify() tolerant of sigs w/o encoded NULL AlgorithmParam
-   - (this function is not used for TLS currently, and this tolerance may
-      not even be necessary)
-0.4.3 - 9/27/2012
- - Minor bugfix (0.4.2 doesn't load tackpy)
-0.4.2 - 9/25/2012
- - Updated TACK (compatible with tackpy 0.9.9)
-0.4.1 - 5/22/2012
- - Fixed RSA padding bugs (w/help from John Randolph)
- - Updated TACK (compatible with tackpy 0.9.7)
- - Added SNI
- - Added NPN server support (Sam Rushing/Google)
- - Added AnonDH (Dimitris Moraitis)
- - Added X509CertChain.parsePemList
- - Improved XML-RPC (Kees Bos)
-
-0.4.0 - 2/11/2012
- - Fixed pycrypto support
- - Fixed python 2.6 problems
- 
-0.3.9.x - 2/7/2012
-
-Much code cleanup, in particular decomposing the handshake functions so they
-are readable. The main new feature is support for TACK, an experimental
-authentication method that provides a new way to pin server certificates (See
-https://github.com/moxie0/Convergence/wiki/TACK ).
-
-Also:
-
- - Security Fixes
-   - Sends SCSV ciphersuite as per RFC 5746, to signal non-renegotiated
-     Client Hello.  Does not support renegotiation (never has).
-   - Change from e=3 to e=65537 for generated RSA keys, not strictly 
-     necessary but mitigates risk of sloppy verifier.
-   - 1/(n-1) countermeasure for BEAST.
-
- - Behavior changes:
-   - Split cmdline into tls.py and tlstest.py, improved options.
-   - Formalized LICENSE.
-   - Defaults to closing socket after sending close_notify, fixes hanging.
-     problem that would occur sometime when waiting for other party's    
-     close_notify.
-   - Update SRP to RFC 5054 compliance.
-   - Removed client handshake "callbacks", no longer support the SRP 
-     re-handshake idiom within a single handshake function.
-
- - Bugfixes
-   - Added hashlib support, removes Deprecation Warning due to sha and md5.
-   - Handled GeneratorExit exceptions that are a new Python feature, and
-     interfere with the async code if not handled.
- 
- - Removed:
-   - Shared keys (it was based on an ancient I-D, not TLS-PSK).
-   - cryptlib support, it wasn't used much, we have enough other options.
-   - cryptoIDs (TACK is better).
-   - win32prng extension module, as os.urandom is now available.
-   - Twisted integration (unused?, slowed down loading).
-   - Jython code (ancient, didn't work).
-   - Compat support for python versions < 2.7.
-
- - Additions
-   - Support for TACK via TACKpy.
-   - Support for CertificateRequest.certificate_authorities ("reqCAs")
-   - Added TLSConnection.shutdown() to better mimic socket.
-   - Enabled Session resumption for XMLRPCTransport.
-
-0.3.8 - 2/21/2005
- - Added support for poplib, imaplib, and smtplib
- - Added python 2.4 windows installer
- - Fixed occassional timing problems with test suite
-0.3.7 - 10/05/2004
- - Added support for Python 2.2
- - Cleaned up compatibility code, and docs, a bit
-0.3.6 - 9/28/2004
- - Fixed script installation on UNIX
- - Give better error message on old Python versions
-0.3.5 - 9/16/2004
- - TLS 1.1 support
- - os.urandom() support
- - Fixed win32prng on some systems
-0.3.4 - 9/12/2004
- - Updated for TLS/SRP draft 8
- - Bugfix: was setting _versioncheck on SRP 1st hello, causing problems
-   with GnuTLS (which was offering TLS 1.1)
- - Removed _versioncheck checking, since it could cause interop problems
- - Minor bugfix: when cryptlib_py and and cryptoIDlib present, cryptlib
-   was complaining about being initialized twice
-0.3.3 - 6/10/2004
- - Updated for TLS/SRP draft 7
- - Updated test cryptoID cert chains for cryptoIDlib 0.3.1
-0.3.2 - 5/21/2004
- - fixed bug when handling multiple handshake messages per record (e.g. IIS)
-0.3.1 - 4/21/2004
- - added xmlrpclib integration
- - fixed hanging bug in Twisted integration
- - fixed win32prng to work on a wider range of win32 sytems
- - fixed import problem with cryptoIDlib
- - fixed port allocation problem when test scripts are run on some UNIXes
- - made tolerant of buggy IE sending wrong version in premaster secret
-0.3.0 - 3/20/2004
- - added API docs thanks to epydoc
- - added X.509 path validation via cryptlib
- - much cleaning/tweaking/re-factoring/minor fixes
-0.2.7 - 3/12/2004
- - changed Twisted error handling to use connectionLost()
- - added ignoreAbruptClose
-0.2.6 - 3/11/2004
- - added Twisted errorHandler
- - added TLSAbruptCloseError
- - added 'integration' subdirectory
-0.2.5 - 3/10/2004
- - improved asynchronous support a bit
- - added first-draft of Twisted support
-0.2.4 - 3/5/2004
- - cleaned up asyncore support
- - added proof-of-concept for Twisted
-0.2.3 - 3/4/2004
- - added pycrypto RSA support
- - added asyncore support
-0.2.2 - 3/1/2004
- - added GMPY support
- - added pycrypto support
- - added support for PEM-encoded private keys, in pure python
-0.2.1 - 2/23/2004
- - improved PRNG use (cryptlib, or /dev/random, or CryptoAPI)
- - added RSA blinding, to avoid timing attacks
- - don't install local copy of M2Crypto, too problematic
-0.2.0 - 2/19/2004
- - changed VerifierDB to take per-user parameters
- - renamed tls_lite -> tlslite
-0.1.9 - 2/16/2004
- - added post-handshake 'Checker'
- - made compatible with Python 2.2
- - made more forgiving of abrupt closure, since everyone does it:
-   if the socket is closed while sending/recv'ing close_notify,
-   just ignore it.
-0.1.8 - 2/12/2004
- - TLSConnections now emulate sockets, including makefile()
- - HTTPTLSConnection and TLSMixIn simplified as a result
-0.1.7 - 2/11/2004
- - fixed httplib.HTTPTLSConnection with multiple requests
- - fixed SocketServer to handle close_notify
- - changed handshakeClientNoAuth() to ignore CertificateRequests
- - changed handshakeClient() to ignore non-resumable session arguments
-0.1.6 - 2/10/2004
- - fixed httplib support
-0.1.5 - 2/09/2004
- - added support for httplib and SocketServer
- - added support for SSLv3
- - added support for 3DES
- - cleaned up read()/write() behavior
- - improved HMAC speed
-0.1.4 - 2/06/2004
- - fixed dumb bug in tls.py
-0.1.3 - 2/05/2004
- - change read() to only return requested number of bytes
- - added support for shared-key and in-memory databases
- - added support for PEM-encoded X.509 certificates
- - added support for SSLv2 ClientHello
- - fixed shutdown/re-handshaking behavior
- - cleaned up handling of missing_srp_username
- - renamed readString()/writeString() -> read()/write()
- - added documentation
-0.1.2 - 2/04/2004
- - added clienttest/servertest functions
- - improved OpenSSL cipher wrappers speed
- - fixed server when it has a key, but client selects plain SRP
- - fixed server to postpone errors until it has read client's messages
- - fixed ServerHello to only include extension data if necessary
-0.1.1 - 2/02/2004
- - fixed close_notify behavior
- - fixed handling of empty application data packets
- - fixed socket reads to not consume extra bytes
- - added testing functions to tls.py
-0.1.0 - 2/01/2004
- - first release
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
deleted file mode 100644
index 1cd7d32..0000000
--- a/third_party/tlslite/README.chromium
+++ /dev/null
@@ -1,67 +0,0 @@
-Name: tlslite
-URL: http://trevp.net/tlslite/
-Version: 0.4.8
-CPEPrefix: cpe:/a:tlslite_project:tlslite:0.4.8::~~~python~~
-Security Critical: No
-License: Public domain and BSD
-
-Description: Python TLS implementation for use with test server.
-
-Source: https://pypi.python.org/packages/source/t/tlslite/tlslite-0.4.8.tar.gz
-MD5: 36c13858ea63f262c4e4291c2f9ae38f
-SHA-512: bdb42d005b7444667badc6febd38f5b74878c09218b418844c255920f0e6272f
-         55f62b4ea21953953935f73e02657fce9874b44f73499267cf713ddbcd3d6a44
-
-Local Modifications:
-- Drop docs/ directory.
-- patches/tls_intolerant.patch: allow TLSLite to simulate a TLS-intolerant server.
-- patches/channel_id.patch: add basic ChannelID support. (Signatures are not
-  checked.)
-- patches/signed_certificate_timestamps.patch: add support for sending Signed
-  Certificate Timestamps over a TLS extension.
-- patches/fallback_scsv.patch: add support for TLS_FALLBACK_SCSV. See
-  https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01
-- patches/status_request.patch: add support for sending stapled OCSP responses.
-- patches/ssl3_padding.patch: SSL3 requires minimal padding in CBC mode.
-- patches/fix_test_file.patch: Fix #! line in random test file to appease our
-  presubmit checks.
-- patches/dhe_rsa.patch: Implement DHE_RSA-based cipher suites on the server.
-- patches/req_cert_types.patch: Add a reqCertTypes parameter to populate the
-  certificate_types field of CertificateRequest. Also fixes type errors.
-- patches/ignore_write_failure.patch: Don't invalidate sessions on write
-  failures.
-- patches/intolerance_options.patch: Add an option to further control
-  simulated TLS version intolerance.
-- patches/save_client_hello.patch: Save the parsed ClientHello on TLSConnection
-  so tests can query it.
-- patches/certificate_request.patch: Fix client auth for TLS 1.2.
-- patches/aes_gcm.patch: Implement AES-GCM and never select TLS 1.2 ciphers
-  unless >= TLS 1.2 is negotiated.
-- patches/alert_after_handshake.patch: Add an option to send a fatal alert
-  immediately after the handshake completes.
-- patches/ecdhe_rsa.patch: Implement ECDHE_RSA-based ciper suites on the server.
-- patches/extended_master_secret.patch: Add server support for extended
-  master secret.
-- patches/token_binding_negotiation.patch: Add server support for token
-  binding negotiation TLS extension (draft-ietf-tokbind-negotiation-02).
-- patches/disable_channel_id.patch: Add flag to HandshakeSettings to allow
-  for disabling channel id.
-- patches/exported_keying_material.patch: Add method to Session to get
-  exported keying material (RFC 5705) for use in e.g. Token Binding.
-- patches/token_binding_resumption.patch: Fix token binding negotiation
-  extension to work on session resumption.
-- patches/extension_number_update.patch: Update TLS extension numbers.
-- patches/save_randoms.patch: Save client and server randoms when resuming
-  sessions.
-- patches/alpn.path: Implement Application-Layer Protocol Negotiation Extension.
-- patches/token_binding_version.patch: Update the Token Binding version number.
-- patches/renegotiation_indication.patch: Implement the renegotiation
-  indication extension (RFC 5746) without supporting renegotiation.
-- patches/tls13_intolerance.patch: Extend the intolerance simulation to TLS 1.3.
-- patches/simulate_tls13_downgrade.patch: Add an option to simulate the TLS 1.3
-  downgrade signal.
-- patches/thread_safe_python_rsa_key.patch: Make Python_RSAKey thread safe,
-  inspired by tlslite-ng implementation.
-- patches/signature_algorithms.patch: Add basic signature algorithms
-  negotiation.
-- patches/python3.patch: Fix with Python 3.
diff --git a/third_party/tlslite/patches/aes_gcm.patch b/third_party/tlslite/patches/aes_gcm.patch
deleted file mode 100644
index 9d4768dd..0000000
--- a/third_party/tlslite/patches/aes_gcm.patch
+++ /dev/null
@@ -1,770 +0,0 @@
-diff --git a/third_party/tlslite/tests/tlstest.py b/third_party/tlslite/tests/tlstest.py
-index fa1b13f..7985d23 100755
---- a/third_party/tlslite/tests/tlstest.py
-+++ b/third_party/tlslite/tests/tlstest.py
-@@ -318,9 +318,11 @@ def clientTestCmd(argv):
- 
-     print("Test 23 - throughput test")
-     for implementation in implementations:
--        for cipher in ["aes128", "aes256", "3des", "rc4"]:
-+        for cipher in ["aes128gcm", "aes128", "aes256", "3des", "rc4"]:
-             if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
-                 continue
-+            if cipher == "aes128gcm" and implementation not in ("pycrypto", "python"):
-+                continue
- 
-             print("Test 23:", end=' ')
-             connection = connect()
-@@ -678,9 +680,11 @@ def serverTestCmd(argv):
- 
-     print("Test 23 - throughput test")
-     for implementation in implementations:
--        for cipher in ["aes128", "aes256", "3des", "rc4"]:
-+        for cipher in ["aes128gcm", "aes128", "aes256", "3des", "rc4"]:
-             if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
-                 continue
-+            if cipher == "aes128gcm" and implementation not in ("pycrypto", "python"):
-+                continue
- 
-             print("Test 23:", end=' ')
-             connection = connect()
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 7ee70be..e5b88af 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -175,6 +175,9 @@ class CipherSuite:
-     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
-     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
- 
-+    TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
-+    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
-+
-     tripleDESSuites = []
-     tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-     tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-@@ -199,6 +202,10 @@ class CipherSuite:
-     aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-     aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
- 
-+    aes128GcmSuites = []
-+    aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-+    aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-+
-     rc4Suites = []
-     rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
-     rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5)
-@@ -225,25 +232,35 @@ class CipherSuite:
-     sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-     sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-     sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-+    sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-+    sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-+
-+    aeadSuites = aes128GcmSuites
- 
- 
-     md5Suites = []
-     md5Suites.append(TLS_RSA_WITH_RC4_128_MD5)
- 
-     @staticmethod
--    def _filterSuites(suites, settings):
-+    def _filterSuites(suites, settings, version=None):
-+        if version is None:
-+            version = settings.maxVersion
-         macNames = settings.macNames
-         cipherNames = settings.cipherNames
-         keyExchangeNames = settings.keyExchangeNames
-         macSuites = []
-         if "sha" in macNames:
-             macSuites += CipherSuite.shaSuites
--        if "sha256" in macNames:
-+        if "sha256" in macNames and version >= (3,3):
-             macSuites += CipherSuite.sha256Suites
-         if "md5" in macNames:
-             macSuites += CipherSuite.md5Suites
-+        if "aead" in macNames and version >= (3,3):
-+            macSuites += CipherSuite.aeadSuites
- 
-         cipherSuites = []
-+        if "aes128gcm" in cipherNames and version >= (3,3):
-+            cipherSuites += CipherSuite.aes128GcmSuites
-         if "aes128" in cipherNames:
-             cipherSuites += CipherSuite.aes128Suites
-         if "aes256" in cipherNames:
-@@ -274,8 +291,8 @@ class CipherSuite:
-     srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-     
-     @staticmethod
--    def getSrpSuites(settings):
--        return CipherSuite._filterSuites(CipherSuite.srpSuites, settings)
-+    def getSrpSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.srpSuites, settings, version)
- 
-     srpCertSuites = []
-     srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
-@@ -283,16 +300,17 @@ class CipherSuite:
-     srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-     
-     @staticmethod
--    def getSrpCertSuites(settings):
--        return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings)
-+    def getSrpCertSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings, version)
- 
-     srpAllSuites = srpSuites + srpCertSuites
- 
-     @staticmethod
--    def getSrpAllSuites(settings):
--        return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings)
-+    def getSrpAllSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings, version)
- 
-     certSuites = []
-+    certSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-     certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-     certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-     certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
-@@ -302,10 +320,11 @@ class CipherSuite:
-     certSuites.append(TLS_RSA_WITH_RC4_128_MD5)
-     
-     @staticmethod
--    def getCertSuites(settings):
--        return CipherSuite._filterSuites(CipherSuite.certSuites, settings)
-+    def getCertSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.certSuites, settings, version)
- 
-     dheCertSuites = []
-+    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-     dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-     dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-     dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-@@ -313,8 +332,8 @@ class CipherSuite:
-     dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
- 
-     @staticmethod
--    def getDheCertSuites(settings):
--        return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings)
-+    def getDheCertSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, version)
- 
-     certAllSuites = srpCertSuites + certSuites + dheCertSuites
- 
-@@ -323,8 +342,8 @@ class CipherSuite:
-     anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-     
-     @staticmethod
--    def getAnonSuites(settings):
--        return CipherSuite._filterSuites(CipherSuite.anonSuites, settings)
-+    def getAnonSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, version)
- 
-     dhAllSuites = dheCertSuites + anonSuites
- 
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index 2e9e06d..2f11aaa 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -11,11 +11,9 @@ from .constants import CertificateType
- from .utils import cryptomath
- from .utils import cipherfactory
- 
--# RC4 is preferred as faster in Python, works in SSL3, and immune to CBC
--# issues such as timing attacks
--CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"]
--MAC_NAMES = ["sha", "sha256"] # Don't allow "md5" by default.
--ALL_MAC_NAMES = ["sha", "sha256", "md5"]
-+CIPHER_NAMES = ["aes128gcm", "rc4", "aes256", "aes128", "3des"]
-+MAC_NAMES = ["sha", "sha256", "aead"] # Don't allow "md5" by default.
-+ALL_MAC_NAMES = MAC_NAMES + ["md5"]
- KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
- CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
- CERTIFICATE_TYPES = ["x509"]
-@@ -42,7 +40,7 @@ class HandshakeSettings(object):
-     The default is 8193.
- 
-     @type cipherNames: list
--    @ivar cipherNames: The allowed ciphers, in order of preference.
-+    @ivar cipherNames: The allowed ciphers.
- 
-     The allowed values in this list are 'aes256', 'aes128', '3des', and
-     'rc4'.  If these settings are used with a client handshake, they
-@@ -68,8 +66,7 @@ class HandshakeSettings(object):
- 
- 
-     @type certificateTypes: list
--    @ivar certificateTypes: The allowed certificate types, in order of
--    preference.
-+    @ivar certificateTypes: The allowed certificate types.
- 
-     The only allowed certificate type is 'x509'.  This list is only used with a
-     client handshake.  The client will advertise to the server which certificate
-@@ -197,10 +194,6 @@ class HandshakeSettings(object):
-         if not other.maxVersion in ((3,0), (3,1), (3,2), (3,3)):
-             raise ValueError("maxVersion set incorrectly")
- 
--        if other.maxVersion < (3,3):
--            # No sha256 pre TLS 1.2
--            other.macNames = [e for e in self.macNames if e != "sha256"]
--
-         return other
- 
-     def _getCertificateTypes(self):
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 3d97e97..0e13a78 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1385,21 +1385,6 @@ class TLSConnection(TLSRecordLayer):
- 
-     def _serverGetClientHello(self, settings, certChain, verifierDB,
-                                 sessionCache, anon, fallbackSCSV):
--        #Initialize acceptable cipher suites
--        cipherSuites = []
--        if verifierDB:
--            if certChain:
--                cipherSuites += \
--                    CipherSuite.getSrpCertSuites(settings)
--            cipherSuites += CipherSuite.getSrpSuites(settings)
--        elif certChain:
--            cipherSuites += CipherSuite.getDheCertSuites(settings)
--            cipherSuites += CipherSuite.getCertSuites(settings)
--        elif anon:
--            cipherSuites += CipherSuite.getAnonSuites(settings)
--        else:
--            assert(False)
--
-         #Tentatively set version to most-desirable version, so if an error
-         #occurs parsing the ClientHello, this is what we'll use for the
-         #error alert
-@@ -1451,7 +1436,22 @@ class TLSConnection(TLSRecordLayer):
- 
-         else:
-             #Set the version to the client's version
--            self.version = clientHello.client_version  
-+            self.version = clientHello.client_version
-+
-+        #Initialize acceptable cipher suites
-+        cipherSuites = []
-+        if verifierDB:
-+            if certChain:
-+                cipherSuites += \
-+                    CipherSuite.getSrpCertSuites(settings, self.version)
-+            cipherSuites += CipherSuite.getSrpSuites(settings, self.version)
-+        elif certChain:
-+            cipherSuites += CipherSuite.getDheCertSuites(settings, self.version)
-+            cipherSuites += CipherSuite.getCertSuites(settings, self.version)
-+        elif anon:
-+            cipherSuites += CipherSuite.getAnonSuites(settings, self.version)
-+        else:
-+            assert(False)
- 
-         #If resumption was requested and we have a session cache...
-         if clientHello.session_id and sessionCache:
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index a09499d..c3bcd8c 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -11,7 +11,8 @@ from __future__ import generators
- 
- from .utils.compat import *
- from .utils.cryptomath import *
--from .utils.cipherfactory import createAES, createRC4, createTripleDES
-+from .utils.cipherfactory import createAESGCM, createAES, createRC4, \
-+     createTripleDES
- from .utils.codec import *
- from .errors import *
- from .messages import *
-@@ -592,10 +593,30 @@ class TLSRecordLayer(object):
-             if self.fault == Fault.badMAC:
-                 macBytes[0] = (macBytes[0]+1) % 256
- 
--        #Encrypt for Block or Stream Cipher
-+        #Encrypt for non-NULL cipher.
-         if self._writeState.encContext:
-+            #Seal (for AEAD)
-+            if self._writeState.encContext.isAEAD:
-+                #Assemble the authenticated data.
-+                seqNumBytes = self._writeState.getSeqNumBytes()
-+                authData = seqNumBytes + bytearray([contentType,
-+                                                    self.version[0],
-+                                                    self.version[1],
-+                                                    len(b)//256,
-+                                                    len(b)%256])
-+
-+                #The nonce is always the fixed nonce and the sequence number.
-+                nonce = self._writeState.fixedNonce + seqNumBytes
-+                assert len(nonce) == self._writeState.encContext.nonceLength
-+
-+                b = self._writeState.encContext.seal(nonce, b, authData)
-+
-+                #The only AEAD supported, AES-GCM, has an explicit variable
-+                #nonce.
-+                b = seqNumBytes + b
-+
-             #Add padding and encrypt (for Block Cipher):
--            if self._writeState.encContext.isBlockCipher:
-+            elif self._writeState.encContext.isBlockCipher:
- 
-                 #Add TLS 1.1 fixed block
-                 if self.version >= (3,2):
-@@ -967,6 +988,43 @@ class TLSRecordLayer(object):
- 
-     def _decryptRecord(self, recordType, b):
-         if self._readState.encContext:
-+            #Open if it's an AEAD.
-+            if self._readState.encContext.isAEAD:
-+                #The only AEAD supported, AES-GCM, has an explicit variable
-+                #nonce.
-+                explicitNonceLength = 8
-+                if explicitNonceLength > len(b):
-+                    #Publicly invalid.
-+                    for result in self._sendError(
-+                            AlertDescription.bad_record_mac,
-+                            "MAC failure (or padding failure)"):
-+                        yield result
-+                nonce = self._readState.fixedNonce + b[:explicitNonceLength]
-+                b = b[8:]
-+
-+                if self._readState.encContext.tagLength > len(b):
-+                    #Publicly invalid.
-+                    for result in self._sendError(
-+                            AlertDescription.bad_record_mac,
-+                            "MAC failure (or padding failure)"):
-+                        yield result
-+
-+                #Assemble the authenticated data.
-+                seqnumBytes = self._readState.getSeqNumBytes()
-+                plaintextLen = len(b) - self._readState.encContext.tagLength
-+                authData = seqnumBytes + bytearray([recordType, self.version[0],
-+                                                    self.version[1],
-+                                                    plaintextLen//256,
-+                                                    plaintextLen%256])
-+
-+                b = self._readState.encContext.open(nonce, b, authData)
-+                if b is None:
-+                    for result in self._sendError(
-+                            AlertDescription.bad_record_mac,
-+                            "MAC failure (or padding failure)"):
-+                        yield result
-+                yield b
-+                return
- 
-             #Decrypt if it's a block cipher
-             if self._readState.encContext.isBlockCipher:
-@@ -1064,7 +1122,11 @@ class TLSRecordLayer(object):
- 
-     def _calcPendingStates(self, cipherSuite, masterSecret,
-             clientRandom, serverRandom, implementations):
--        if cipherSuite in CipherSuite.aes128Suites:
-+        if cipherSuite in CipherSuite.aes128GcmSuites:
-+            keyLength = 16
-+            ivLength = 4
-+            createCipherFunc = createAESGCM
-+        elif cipherSuite in CipherSuite.aes128Suites:
-             keyLength = 16
-             ivLength = 16
-             createCipherFunc = createAES
-@@ -1083,7 +1145,10 @@ class TLSRecordLayer(object):
-         else:
-             raise AssertionError()
-             
--        if cipherSuite in CipherSuite.shaSuites:
-+        if cipherSuite in CipherSuite.aeadSuites:
-+            macLength = 0
-+            digestmod = None
-+        elif cipherSuite in CipherSuite.shaSuites:
-             macLength = 20
-             digestmod = hashlib.sha1        
-         elif cipherSuite in CipherSuite.sha256Suites:
-@@ -1092,8 +1157,12 @@ class TLSRecordLayer(object):
-         elif cipherSuite in CipherSuite.md5Suites:
-             macLength = 16
-             digestmod = hashlib.md5
-+        else:
-+            raise AssertionError()
- 
--        if self.version == (3,0):
-+        if not digestmod:
-+            createMACFunc = None
-+        elif self.version == (3,0):
-             createMACFunc = createMAC_SSL
-         elif self.version in ((3,1), (3,2), (3,3)):
-             createMACFunc = createHMAC
-@@ -1128,16 +1197,28 @@ class TLSRecordLayer(object):
-         serverKeyBlock = p.getFixBytes(keyLength)
-         clientIVBlock  = p.getFixBytes(ivLength)
-         serverIVBlock  = p.getFixBytes(ivLength)
--        clientPendingState.macContext = createMACFunc(
--            compatHMAC(clientMACBlock), digestmod=digestmod)
--        serverPendingState.macContext = createMACFunc(
--            compatHMAC(serverMACBlock), digestmod=digestmod)
--        clientPendingState.encContext = createCipherFunc(clientKeyBlock,
--                                                         clientIVBlock,
--                                                         implementations)
--        serverPendingState.encContext = createCipherFunc(serverKeyBlock,
--                                                         serverIVBlock,
--                                                         implementations)
-+        if digestmod:
-+            # Legacy cipher.
-+            clientPendingState.macContext = createMACFunc(
-+                compatHMAC(clientMACBlock), digestmod=digestmod)
-+            serverPendingState.macContext = createMACFunc(
-+                compatHMAC(serverMACBlock), digestmod=digestmod)
-+            clientPendingState.encContext = createCipherFunc(clientKeyBlock,
-+                                                             clientIVBlock,
-+                                                             implementations)
-+            serverPendingState.encContext = createCipherFunc(serverKeyBlock,
-+                                                             serverIVBlock,
-+                                                             implementations)
-+        else:
-+            # AEAD.
-+            clientPendingState.macContext = None
-+            serverPendingState.macContext = None
-+            clientPendingState.encContext = createCipherFunc(clientKeyBlock,
-+                                                             implementations)
-+            serverPendingState.encContext = createCipherFunc(serverKeyBlock,
-+                                                             implementations)
-+            clientPendingState.fixedNonce = clientIVBlock
-+            serverPendingState.fixedNonce = serverIVBlock
- 
-         #Assign new connection states to pending states
-         if self._client:
-diff --git a/third_party/tlslite/tlslite/utils/aes.py b/third_party/tlslite/tlslite/utils/aes.py
-index 95afaa3..5a038fb 100644
---- a/third_party/tlslite/tlslite/utils/aes.py
-+++ b/third_party/tlslite/tlslite/utils/aes.py
-@@ -12,6 +12,7 @@ class AES(object):
-         if len(IV) != 16:
-             raise AssertionError()
-         self.isBlockCipher = True
-+        self.isAEAD = False
-         self.block_size = 16
-         self.implementation = implementation
-         if len(key)==16:
-@@ -31,4 +32,4 @@ class AES(object):
-     #CBC-Mode decryption, returns plaintext
-     #WARNING: *MAY* modify the input as well
-     def decrypt(self, ciphertext):
--        assert(len(ciphertext) % 16 == 0)
-\ No newline at end of file
-+        assert(len(ciphertext) % 16 == 0)
-diff --git a/third_party/tlslite/tlslite/utils/aesgcm.py b/third_party/tlslite/tlslite/utils/aesgcm.py
-new file mode 100644
-index 0000000..7319c26
---- /dev/null
-+++ b/third_party/tlslite/tlslite/utils/aesgcm.py
-@@ -0,0 +1,193 @@
-+# Author: Google
-+# See the LICENSE file for legal information regarding use of this file.
-+
-+# GCM derived from Go's implementation in crypto/cipher.
-+#
-+# https://golang.org/src/crypto/cipher/gcm.go
-+
-+# GCM works over elements of the field GF(2^128), each of which is a 128-bit
-+# polynomial. Throughout this implementation, polynomials are represented as
-+# Python integers with the low-order terms at the most significant bits. So a
-+# 128-bit polynomial is an integer from 0 to 2^128-1 with the most significant
-+# bit representing the x^0 term and the least significant bit representing the
-+# x^127 term. This bit reversal also applies to polynomials used as indices in a
-+# look-up table.
-+
-+from .cryptomath import bytesToNumber, numberToByteArray
-+
-+class AESGCM(object):
-+    """
-+    AES-GCM implementation. Note: this implementation does not attempt
-+    to be side-channel resistant. It's also rather slow.
-+    """
-+
-+    def __init__(self, key, implementation, rawAesEncrypt):
-+        self.isBlockCipher = False
-+        self.isAEAD = True
-+        self.nonceLength = 12
-+        self.tagLength = 16
-+        self.implementation = implementation
-+        if len(key) == 16:
-+            self.name = "aes128gcm"
-+        elif len(key) == 32:
-+            self.name = "aes256gcm"
-+        else:
-+            raise AssertionError()
-+
-+        self._rawAesEncrypt = rawAesEncrypt
-+
-+        # The GCM key is AES(0).
-+        h = bytesToNumber(self._rawAesEncrypt(bytearray(16)))
-+
-+        # Pre-compute all 4-bit multiples of h. Note that bits are reversed
-+        # because our polynomial representation places low-order terms at the
-+        # most significant bit. Thus x^0 * h = h is at index 0b1000 = 8 and
-+        # x^1 * h is at index 0b0100 = 4.
-+        self._productTable = [0] * 16
-+        self._productTable[_reverseBits(1)] = h
-+        for i in range(2, 16, 2):
-+            self._productTable[_reverseBits(i)] = \
-+                _gcmShift(self._productTable[_reverseBits(i/2)])
-+            self._productTable[_reverseBits(i+1)] = \
-+                _gcmAdd(self._productTable[_reverseBits(i)], h)
-+
-+    def _rawAesCtrEncrypt(self, counter, inp):
-+        """
-+        Encrypts (or decrypts) plaintext with AES-CTR. counter is modified.
-+        """
-+        out = bytearray(len(inp))
-+        for i in range(0, len(out), 16):
-+            mask = self._rawAesEncrypt(counter)
-+            for j in range(i, min(len(out), i + 16)):
-+                out[j] = inp[j] ^ mask[j-i]
-+            _inc32(counter)
-+        return out
-+
-+    def _auth(self, ciphertext, ad, tagMask):
-+        y = 0
-+        y = self._update(y, ad)
-+        y = self._update(y, ciphertext)
-+        y ^= (len(ad) << (3 + 64)) | (len(ciphertext) << 3)
-+        y = self._mul(y)
-+        y ^= bytesToNumber(tagMask)
-+        return numberToByteArray(y, 16)
-+
-+    def _update(self, y, data):
-+        for i in range(0, len(data) // 16):
-+            y ^= bytesToNumber(data[16*i:16*i+16])
-+            y = self._mul(y)
-+        extra = len(data) % 16
-+        if extra != 0:
-+            block = bytearray(16)
-+            block[:extra] = data[-extra:]
-+            y ^= bytesToNumber(block)
-+            y = self._mul(y)
-+        return y
-+
-+    def _mul(self, y):
-+        """ Returns y*H, where H is the GCM key. """
-+        ret = 0
-+        # Multiply H by y 4 bits at a time, starting with the highest power
-+        # terms.
-+        for i in range(0, 128, 4):
-+            # Multiply by x^4. The reduction for the top four terms is
-+            # precomputed.
-+            retHigh = ret & 0xf
-+            ret >>= 4
-+            ret ^= (_gcmReductionTable[retHigh] << (128-16))
-+
-+            # Add in y' * H where y' are the next four terms of y, shifted down
-+            # to the x^0..x^4. This is one of the pre-computed multiples of
-+            # H. The multiplication by x^4 shifts them back into place.
-+            ret ^= self._productTable[y & 0xf]
-+            y >>= 4
-+        assert y == 0
-+        return ret
-+
-+    def seal(self, nonce, plaintext, data):
-+        """
-+        Encrypts and authenticates plaintext using nonce and data. Returns the
-+        ciphertext, consisting of the encrypted plaintext and tag concatenated.
-+        """
-+
-+        if len(nonce) != 12:
-+            raise ValueError("Bad nonce length")
-+
-+        # The initial counter value is the nonce, followed by a 32-bit counter
-+        # that starts at 1. It's used to compute the tag mask.
-+        counter = bytearray(16)
-+        counter[:12] = nonce
-+        counter[-1] = 1
-+        tagMask = self._rawAesEncrypt(counter)
-+
-+        # The counter starts at 2 for the actual encryption.
-+        counter[-1] = 2
-+        ciphertext = self._rawAesCtrEncrypt(counter, plaintext)
-+
-+        tag = self._auth(ciphertext, data, tagMask)
-+
-+        return ciphertext + tag
-+
-+    def open(self, nonce, ciphertext, data):
-+        """
-+        Decrypts and authenticates ciphertext using nonce and data. If the
-+        tag is valid, the plaintext is returned. If the tag is invalid,
-+        returns None.
-+        """
-+
-+        if len(nonce) != 12:
-+            raise ValueError("Bad nonce length")
-+        if len(ciphertext) < 16:
-+            return None
-+
-+        tag = ciphertext[-16:]
-+        ciphertext = ciphertext[:-16]
-+
-+        # The initial counter value is the nonce, followed by a 32-bit counter
-+        # that starts at 1. It's used to compute the tag mask.
-+        counter = bytearray(16)
-+        counter[:12] = nonce
-+        counter[-1] = 1
-+        tagMask = self._rawAesEncrypt(counter)
-+
-+        if tag != self._auth(ciphertext, data, tagMask):
-+            return None
-+
-+        # The counter starts at 2 for the actual decryption.
-+        counter[-1] = 2
-+        return self._rawAesCtrEncrypt(counter, ciphertext)
-+
-+def _reverseBits(i):
-+    assert i < 16
-+    i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
-+    i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
-+    return i
-+
-+def _gcmAdd(x, y):
-+    return x ^ y
-+
-+def _gcmShift(x):
-+    # Multiplying by x is a right shift, due to bit order.
-+    highTermSet = x & 1
-+    x >>= 1
-+    if highTermSet:
-+        # The x^127 term was shifted up to x^128, so subtract a 1+x+x^2+x^7
-+        # term. This is 0b11100001 or 0xe1 when represented as an 8-bit
-+        # polynomial.
-+        x ^= 0xe1 << (128-8)
-+    return x
-+
-+def _inc32(counter):
-+    for i in range(len(counter)-1, len(counter)-5, -1):
-+        counter[i] = (counter[i] + 1) % 256
-+        if counter[i] != 0:
-+            break
-+    return counter
-+
-+# _gcmReductionTable[i] is i * (1+x+x^2+x^7) for all 4-bit polynomials i. The
-+# result is stored as a 16-bit polynomial. This is used in the reduction step to
-+# multiply elements of GF(2^128) by x^4.
-+_gcmReductionTable = [
-+    0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
-+    0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
-+]
-diff --git a/third_party/tlslite/tlslite/utils/cipherfactory.py b/third_party/tlslite/tlslite/utils/cipherfactory.py
-index 20e20f1..d525644 100644
---- a/third_party/tlslite/tlslite/utils/cipherfactory.py
-+++ b/third_party/tlslite/tlslite/utils/cipherfactory.py
-@@ -6,6 +6,7 @@
- import os
- 
- from tlslite.utils import python_aes
-+from tlslite.utils import python_aesgcm
- from tlslite.utils import python_rc4
- 
- from tlslite.utils import cryptomath
-@@ -20,6 +21,7 @@ if cryptomath.m2cryptoLoaded:
- 
- if cryptomath.pycryptoLoaded:
-     from tlslite.utils import pycrypto_aes
-+    from tlslite.utils import pycrypto_aesgcm
-     from tlslite.utils import pycrypto_rc4
-     from tlslite.utils import pycrypto_tripledes
-     tripleDESPresent = True
-@@ -52,6 +54,25 @@ def createAES(key, IV, implList=None):
-             return python_aes.new(key, 2, IV)
-     raise NotImplementedError()
- 
-+def createAESGCM(key, implList=None):
-+    """Create a new AESGCM object.
-+
-+    @type key: bytearray
-+    @param key: A 16 or 32 byte byte array.
-+
-+    @rtype: L{tlslite.utils.AESGCM}
-+    @return: An AESGCM object.
-+    """
-+    if implList == None:
-+        implList = ["pycrypto", "python"]
-+
-+    for impl in implList:
-+        if impl == "pycrypto" and cryptomath.pycryptoLoaded:
-+            return pycrypto_aesgcm.new(key)
-+        if impl == "python":
-+            return python_aesgcm.new(key)
-+    raise NotImplementedError()
-+
- def createRC4(key, IV, implList=None):
-     """Create a new RC4 object.
- 
-@@ -99,4 +120,4 @@ def createTripleDES(key, IV, implList=None):
-             return openssl_tripledes.new(key, 2, IV)
-         elif impl == "pycrypto" and cryptomath.pycryptoLoaded:
-             return pycrypto_tripledes.new(key, 2, IV)
--    raise NotImplementedError()
-\ No newline at end of file
-+    raise NotImplementedError()
-diff --git a/third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py b/third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py
-new file mode 100644
-index 0000000..ee187ee
---- /dev/null
-+++ b/third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py
-@@ -0,0 +1,16 @@
-+# Author: Google
-+# See the LICENSE file for legal information regarding use of this file.
-+
-+"""PyCrypto AES-GCM implementation."""
-+
-+from .cryptomath import *
-+from .aesgcm import AESGCM
-+
-+if pycryptoLoaded:
-+    import Crypto.Cipher.AES
-+
-+    def new(key):
-+        cipher = Crypto.Cipher.AES.new(bytes(key))
-+        def encrypt(plaintext):
-+            return bytearray(cipher.encrypt(bytes(plaintext)))
-+        return AESGCM(key, "pycrypto", encrypt)
-diff --git a/third_party/tlslite/tlslite/utils/python_aesgcm.py b/third_party/tlslite/tlslite/utils/python_aesgcm.py
-new file mode 100644
-index 0000000..80a5fd5
---- /dev/null
-+++ b/third_party/tlslite/tlslite/utils/python_aesgcm.py
-@@ -0,0 +1,10 @@
-+# Author: Google
-+# See the LICENSE file for legal information regarding use of this file.
-+
-+"""Pure-Python AES-GCM implementation."""
-+
-+from .aesgcm import AESGCM
-+from .rijndael import rijndael
-+
-+def new(key):
-+    return AESGCM(key, "python", rijndael(key, 16).encrypt)
-diff --git a/third_party/tlslite/tlslite/utils/rc4.py b/third_party/tlslite/tlslite/utils/rc4.py
-index 809026a..3853f5b 100644
---- a/third_party/tlslite/tlslite/utils/rc4.py
-+++ b/third_party/tlslite/tlslite/utils/rc4.py
-@@ -9,6 +9,7 @@ class RC4(object):
-         if len(keyBytes) < 16 or len(keyBytes) > 256:
-             raise ValueError()
-         self.isBlockCipher = False
-+        self.isAEAD = False
-         self.name = "rc4"
-         self.implementation = implementation
- 
-@@ -16,4 +17,4 @@ class RC4(object):
-         raise NotImplementedError()
- 
-     def decrypt(self, ciphertext):
--        raise NotImplementedError()
-\ No newline at end of file
-+        raise NotImplementedError()
-diff --git a/third_party/tlslite/tlslite/utils/tripledes.py b/third_party/tlslite/tlslite/utils/tripledes.py
-index 0b4d075..ddcdcad 100644
---- a/third_party/tlslite/tlslite/utils/tripledes.py
-+++ b/third_party/tlslite/tlslite/utils/tripledes.py
-@@ -12,6 +12,7 @@ class TripleDES(object):
-         if len(IV) != 8:
-             raise ValueError()
-         self.isBlockCipher = True
-+        self.isAEAD = False
-         self.block_size = 8
-         self.implementation = implementation
-         self.name = "3des"
diff --git a/third_party/tlslite/patches/alert_after_handshake.patch b/third_party/tlslite/patches/alert_after_handshake.patch
deleted file mode 100644
index c0650b1..0000000
--- a/third_party/tlslite/patches/alert_after_handshake.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index 2f11aaa..e752834 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -107,6 +107,10 @@ class HandshakeSettings(object):
-     
-     @type useExperimentalTackExtension: bool
-     @ivar useExperimentalTackExtension: Whether to enabled TACK support.
-+
-+    @type alertAfterHandshake: bool
-+    @ivar alertAfterHandshake: If true, the server will send a fatal
-+    alert immediately after the handshake completes.
-     
-     Note that TACK support is not standardized by IETF and uses a temporary
-     TLS Extension number, so should NOT be used in production software.
-@@ -124,6 +128,7 @@ class HandshakeSettings(object):
-         self.tlsIntolerant = None
-         self.tlsIntoleranceType = 'alert'
-         self.useExperimentalTackExtension = False
-+        self.alertAfterHandshake = False
- 
-     # Validates the min/max fields, and certificateTypes
-     # Filters out unsupported cipherNames and cipherImplementations
-@@ -140,6 +145,7 @@ class HandshakeSettings(object):
-         other.maxVersion = self.maxVersion
-         other.tlsIntolerant = self.tlsIntolerant
-         other.tlsIntoleranceType = self.tlsIntoleranceType
-+        other.alertAfterHandshake = self.alertAfterHandshake
- 
-         if not cipherfactory.tripleDESPresent:
-             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 0e13a78..eb850e9 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1221,6 +1221,10 @@ class TLSConnection(TLSRecordLayer):
-             ocspResponse=ocspResponse)
-         for result in self._handshakeWrapperAsync(handshaker, checker):
-             yield result
-+        if settings and settings.alertAfterHandshake:
-+            for result in self._sendError(AlertDescription.internal_error,
-+                                          "Spurious alert"):
-+                yield result
- 
- 
-     def _handshakeServerAsyncHelper(self, verifierDB,
diff --git a/third_party/tlslite/patches/alpn.patch b/third_party/tlslite/patches/alpn.patch
deleted file mode 100644
index 33d47d6..0000000
--- a/third_party/tlslite/patches/alpn.patch
+++ /dev/null
@@ -1,331 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 715def9..e9743e4 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -54,6 +54,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     status_request = 5  # RFC 6066 / 4366
-     srp = 12            # RFC 5054  
-     cert_type = 9       # RFC 6091
-+    alpn = 16           # RFC 7301
-     signed_cert_timestamps = 18  # RFC 6962
-     extended_master_secret = 23  # RFC 7627
-     token_binding = 24           # draft-ietf-tokbind-negotiation
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index d7be5b3..69fc6f4 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -128,6 +128,12 @@ class HandshakeSettings(object):
-     
-     Note that TACK support is not standardized by IETF and uses a temporary
-     TLS Extension number, so should NOT be used in production software.
-+
-+    @type alpnProtos: list of strings.
-+    @param alpnProtos: A list of supported upper layer protocols to use in the
-+    Application-Layer Protocol Negotiation Extension (RFC 7301).  For the
-+    client, the order does not matter.  For the server, the list is in
-+    decreasing order of preference.
-     """
-     def __init__(self):
-         self.minKeySize = 1023
-@@ -146,6 +152,7 @@ class HandshakeSettings(object):
-         self.enableChannelID = True
-         self.enableExtendedMasterSecret = True
-         self.supportedTokenBindingParams = []
-+        self.alpnProtos = None
- 
-     # Validates the min/max fields, and certificateTypes
-     # Filters out unsupported cipherNames and cipherImplementations
-@@ -166,6 +173,7 @@ class HandshakeSettings(object):
-         other.enableChannelID = self.enableChannelID
-         other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
-         other.supportedTokenBindingParams = self.supportedTokenBindingParams
-+        other.alpnProtos = self.alpnProtos;
- 
-         if not cipherfactory.tripleDESPresent:
-             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 5762ac6..1ce9320 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -18,6 +18,27 @@ from .x509 import X509
- from .x509certchain import X509CertChain
- from .utils.tackwrapper import *
- 
-+def parse_next_protos(b):
-+    protos = []
-+    while True:
-+        if len(b) == 0:
-+            break
-+        l = b[0]
-+        b = b[1:]
-+        if len(b) < l:
-+            raise BadNextProtos(len(b))
-+        protos.append(b[:l])
-+        b = b[l:]
-+    return protos
-+
-+def next_protos_encoded(protocol_list):
-+    b = bytearray()
-+    for e in protocol_list:
-+        if len(e) > 255 or len(e) == 0:
-+            raise BadNextProtos(len(e))
-+        b += bytearray( [len(e)] ) + bytearray(e)
-+    return b
-+
- class RecordHeader3(object):
-     def __init__(self):
-         self.type = 0
-@@ -111,6 +132,7 @@ class ClientHello(HandshakeMsg):
-         self.compression_methods = []   # a list of 8-bit values
-         self.srp_username = None        # a string
-         self.tack = False
-+        self.alpn_protos_advertised = None
-         self.supports_npn = False
-         self.server_name = bytearray(0)
-         self.channel_id = False
-@@ -121,7 +143,8 @@ class ClientHello(HandshakeMsg):
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srpUsername=None,
--               tack=False, supports_npn=False, serverName=None):
-+               tack=False, alpn_protos_advertised=None,
-+               supports_npn=False, serverName=None):
-         self.client_version = version
-         self.random = random
-         self.session_id = session_id
-@@ -131,6 +154,7 @@ class ClientHello(HandshakeMsg):
-         if srpUsername:
-             self.srp_username = bytearray(srpUsername, "utf-8")
-         self.tack = tack
-+        self.alpn_protos_advertised = alpn_protos_advertised
-         self.supports_npn = supports_npn
-         if serverName:
-             self.server_name = bytearray(serverName, "utf-8")
-@@ -171,6 +195,11 @@ class ClientHello(HandshakeMsg):
-                         self.certificate_types = p.getVarList(1, 1)
-                     elif extType == ExtensionType.tack:
-                         self.tack = True
-+                    elif extType == ExtensionType.alpn:
-+                        structLength = p.get(2)
-+                        if structLength + 2 != extLength:
-+                            raise SyntaxError()
-+                        self.alpn_protos_advertised = parse_next_protos(p.getFixBytes(structLength))
-                     elif extType == ExtensionType.supports_npn:
-                         self.supports_npn = True
-                     elif extType == ExtensionType.server_name:
-@@ -243,6 +272,12 @@ class ClientHello(HandshakeMsg):
-             w2.add(ExtensionType.srp, 2)
-             w2.add(len(self.srp_username)+1, 2)
-             w2.addVarSeq(self.srp_username, 1, 1)
-+        if self.alpn_protos_advertised is not None:
-+            encoded_alpn_protos_advertised = next_protos_encoded(self.alpn_protos_advertised)
-+            w2.add(ExtensionType.alpn, 2)
-+            w2.add(len(encoded_alpn_protos_advertised) + 2, 2)
-+            w2.add(len(encoded_alpn_protos_advertised), 2)
-+            w2.addFixSeq(encoded_alpn_protos_advertised, 1)
-         if self.supports_npn:
-             w2.add(ExtensionType.supports_npn, 2)
-             w2.add(0, 2)
-@@ -267,6 +302,13 @@ class BadNextProtos(Exception):
-     def __str__(self):
-         return 'Cannot encode a list of next protocols because it contains an element with invalid length %d. Element lengths must be 0 < x < 256' % self.length
- 
-+class InvalidALPNResponse(Exception):
-+    def __init__(self, l):
-+        self.length = l
-+
-+    def __str__(self):
-+        return 'ALPN server response protocol list has invalid length %d.  It must be of length one.' % self.length
-+
- class ServerHello(HandshakeMsg):
-     def __init__(self):
-         HandshakeMsg.__init__(self, HandshakeType.server_hello)
-@@ -277,6 +319,7 @@ class ServerHello(HandshakeMsg):
-         self.certificate_type = CertificateType.x509
-         self.compression_method = 0
-         self.tackExt = None
-+        self.alpn_proto_selected = None
-         self.next_protos_advertised = None
-         self.next_protos = None
-         self.channel_id = False
-@@ -286,7 +329,8 @@ class ServerHello(HandshakeMsg):
-         self.status_request = False
- 
-     def create(self, version, random, session_id, cipher_suite,
--               certificate_type, tackExt, next_protos_advertised):
-+               certificate_type, tackExt, alpn_proto_selected,
-+               next_protos_advertised):
-         self.server_version = version
-         self.random = random
-         self.session_id = session_id
-@@ -294,6 +338,7 @@ class ServerHello(HandshakeMsg):
-         self.certificate_type = certificate_type
-         self.compression_method = 0
-         self.tackExt = tackExt
-+        self.alpn_proto_selected = alpn_proto_selected
-         self.next_protos_advertised = next_protos_advertised
-         return self
- 
-@@ -316,35 +361,22 @@ class ServerHello(HandshakeMsg):
-                     self.certificate_type = p.get(1)
-                 elif extType == ExtensionType.tack and tackpyLoaded:
-                     self.tackExt = TackExtension(p.getFixBytes(extLength))
-+                elif extType == ExtensionType.alpn:
-+                    structLength = p.get(2)
-+                    if structLength + 2 != extLength:
-+                        raise SyntaxError()
-+                    alpn_protos = parse_next_protos(p.getFixBytes(structLength))
-+                    if len(alpn_protos) != 1:
-+                        raise InvalidALPNResponse(len(alpn_protos));
-+                    self.alpn_proto_selected = alpn_protos[0]
-                 elif extType == ExtensionType.supports_npn:
--                    self.next_protos = self.__parse_next_protos(p.getFixBytes(extLength))
-+                    self.next_protos = parse_next_protos(p.getFixBytes(extLength))
-                 else:
-                     p.getFixBytes(extLength)
-                 soFar += 4 + extLength
-         p.stopLengthCheck()
-         return self
- 
--    def __parse_next_protos(self, b):
--        protos = []
--        while True:
--            if len(b) == 0:
--                break
--            l = b[0]
--            b = b[1:]
--            if len(b) < l:
--                raise BadNextProtos(len(b))
--            protos.append(b[:l])
--            b = b[l:]
--        return protos
--
--    def __next_protos_encoded(self):
--        b = bytearray()
--        for e in self.next_protos_advertised:
--            if len(e) > 255 or len(e) == 0:
--                raise BadNextProtos(len(e))
--            b += bytearray( [len(e)] ) + bytearray(e)
--        return b
--
-     def write(self):
-         w = Writer()
-         w.add(self.server_version[0], 1)
-@@ -365,8 +397,15 @@ class ServerHello(HandshakeMsg):
-             w2.add(ExtensionType.tack, 2)
-             w2.add(len(b), 2)
-             w2.bytes += b
-+        if self.alpn_proto_selected is not None:
-+            alpn_protos_single_element_list = [self.alpn_proto_selected]
-+            encoded_alpn_protos_advertised = next_protos_encoded(alpn_protos_single_element_list)
-+            w2.add(ExtensionType.alpn, 2)
-+            w2.add(len(encoded_alpn_protos_advertised) + 2, 2)
-+            w2.add(len(encoded_alpn_protos_advertised), 2)
-+            w2.addFixSeq(encoded_alpn_protos_advertised, 1)
-         if self.next_protos_advertised is not None:
--            encoded_next_protos_advertised = self.__next_protos_encoded()
-+            encoded_next_protos_advertised = next_protos_encoded(self.next_protos_advertised)
-             w2.add(ExtensionType.supports_npn, 2)
-             w2.add(len(encoded_next_protos_advertised), 2)
-             w2.addFixSeq(encoded_next_protos_advertised, 1)
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 41aab85..de5d580 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -495,6 +495,10 @@ class TLSConnection(TLSRecordLayer):
-             settings = HandshakeSettings()
-         settings = settings._filter()
- 
-+        if settings.alpnProtos is not None:
-+            if len(settings.alpnProtos) == 0:
-+                raise ValueError("Caller passed no alpnProtos")
-+
-         if clientCertChain:
-             if not isinstance(clientCertChain, X509CertChain):
-                 raise ValueError("Unrecognized certificate type")
-@@ -651,7 +655,8 @@ class TLSConnection(TLSRecordLayer):
-                                    session.sessionID, cipherSuites,
-                                    certificateTypes, 
-                                    session.srpUsername,
--                                   reqTack, nextProtos is not None,
-+                                   reqTack, settings.alpnProtos,
-+                                   nextProtos is not None,
-                                    session.serverName)
- 
-         #Or send ClientHello (without)
-@@ -661,7 +666,8 @@ class TLSConnection(TLSRecordLayer):
-                                bytearray(0), cipherSuites,
-                                certificateTypes, 
-                                srpUsername,
--                               reqTack, nextProtos is not None, 
-+                               reqTack, settings.alpnProtos,
-+                               nextProtos is not None,
-                                serverName)
-         for result in self._sendMsg(clientHello):
-             yield result
-@@ -714,6 +720,16 @@ class TLSConnection(TLSRecordLayer):
-                     AlertDescription.illegal_parameter,
-                     "Server responded with unrequested Tack Extension"):
-                     yield result
-+        if serverHello.alpn_proto_selected and not clientHello.alpn_protos_advertised:
-+            for result in self._sendError(\
-+                AlertDescription.illegal_parameter,
-+                "Server responded with unrequested ALPN Extension"):
-+                yield result
-+        if serverHello.alpn_proto_selected and serverHello.next_protos:
-+            for result in self._sendError(\
-+                AlertDescription.illegal_parameter,
-+                "Server responded with both ALPN and NPN extension"):
-+                yield result
-         if serverHello.next_protos and not clientHello.supports_npn:
-             for result in self._sendError(\
-                 AlertDescription.illegal_parameter,
-@@ -1315,6 +1331,15 @@ class TLSConnection(TLSRecordLayer):
-         else:
-             sessionID = bytearray(0)
-         
-+        alpn_proto_selected = None
-+        if (clientHello.alpn_protos_advertised is not None
-+                and settings.alpnProtos is not None):
-+            for proto in settings.alpnProtos:
-+                if proto in clientHello.alpn_protos_advertised:
-+                    alpn_proto_selected = proto
-+                    nextProtos = None
-+                    break;
-+
-         if not clientHello.supports_npn:
-             nextProtos = None
- 
-@@ -1330,6 +1355,7 @@ class TLSConnection(TLSRecordLayer):
-         serverHello = ServerHello()
-         serverHello.create(self.version, getRandomBytes(32), sessionID, \
-                             cipherSuite, CertificateType.x509, tackExt,
-+                            alpn_proto_selected,
-                             nextProtos)
-         serverHello.channel_id = \
-             clientHello.channel_id and settings.enableChannelID
-@@ -1500,6 +1526,14 @@ class TLSConnection(TLSRecordLayer):
-         else:
-             assert(False)
- 
-+        alpn_proto_selected = None
-+        if (clientHello.alpn_protos_advertised is not None
-+                and settings.alpnProtos is not None):
-+            for proto in settings.alpnProtos:
-+                if proto in clientHello.alpn_protos_advertised:
-+                    alpn_proto_selected = proto
-+                    break;
-+
-         #If resumption was requested and we have a session cache...
-         if clientHello.session_id and sessionCache:
-             session = None
-@@ -1540,7 +1574,8 @@ class TLSConnection(TLSRecordLayer):
-                 serverHello = ServerHello()
-                 serverHello.create(self.version, getRandomBytes(32),
-                                    session.sessionID, session.cipherSuite,
--                                   CertificateType.x509, None, None)
-+                                   CertificateType.x509, None,
-+                                   alpn_proto_selected, None)
-                 serverHello.extended_master_secret = \
-                     clientHello.extended_master_secret and \
-                     settings.enableExtendedMasterSecret
diff --git a/third_party/tlslite/patches/certificate_request.patch b/third_party/tlslite/patches/certificate_request.patch
deleted file mode 100644
index cdfa72b..0000000
--- a/third_party/tlslite/patches/certificate_request.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index e1be195..f2e2cfc 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -460,7 +460,7 @@ class CertificateRequest(HandshakeMsg):
-         self.version = version
-         self.supported_signature_algs = []
- 
--    def create(self, certificate_types, certificate_authorities, sig_algs=()):
-+    def create(self, certificate_types, certificate_authorities, sig_algs):
-         self.certificate_types = certificate_types
-         self.certificate_authorities = certificate_authorities
-         self.supported_signature_algs = sig_algs
-@@ -470,7 +470,8 @@ class CertificateRequest(HandshakeMsg):
-         p.startLengthCheck(3)
-         self.certificate_types = p.getVarList(1, 1)
-         if self.version >= (3,3):
--            self.supported_signature_algs = p.getVarList(2, 2)
-+            self.supported_signature_algs = \
-+                [(b >> 8, b & 0xff) for b in p.getVarList(2, 2)]
-         ca_list_length = p.get(2)
-         index = 0
-         self.certificate_authorities = []
-@@ -485,7 +486,10 @@ class CertificateRequest(HandshakeMsg):
-         w = Writer()
-         w.addVarSeq(self.certificate_types, 1, 1)
-         if self.version >= (3,3):
--            w.addVarSeq(self.supported_signature_algs, 2, 2)
-+            w.add(2 * len(self.supported_signature_algs), 2)
-+            for (hash, signature) in self.supported_signature_algs:
-+                w.add(hash, 1)
-+                w.add(signature, 1)
-         caLength = 0
-         #determine length
-         for ca_dn in self.certificate_authorities:
-@@ -646,22 +650,30 @@ class ClientKeyExchange(HandshakeMsg):
-         return self.postWrite(w)
- 
- class CertificateVerify(HandshakeMsg):
--    def __init__(self):
-+    def __init__(self, version):
-         HandshakeMsg.__init__(self, HandshakeType.certificate_verify)
-+        self.version = version
-+        self.signature_algorithm = None
-         self.signature = bytearray(0)
- 
--    def create(self, signature):
-+    def create(self, signature_algorithm, signature):
-+        self.signature_algorithm = signature_algorithm
-         self.signature = signature
-         return self
- 
-     def parse(self, p):
-         p.startLengthCheck(3)
-+        if self.version >= (3,3):
-+            self.signature_algorithm = (p.get(1), p.get(1))
-         self.signature = p.getVarBytes(2)
-         p.stopLengthCheck()
-         return self
- 
-     def write(self):
-         w = Writer()
-+        if self.version >= (3,3):
-+            w.add(self.signature_algorithm[0], 1)
-+            w.add(self.signature_algorithm[1], 1)
-         w.addVarSeq(self.signature, 1, 2)
-         return self.postWrite(w)
- 
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index cb743fe..3d97e97 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -956,6 +956,7 @@ class TLSConnection(TLSRecordLayer):
-         #If client authentication was requested and we have a
-         #private key, send CertificateVerify
-         if certificateRequest and privateKey:
-+            signatureAlgorithm = None
-             if self.version == (3,0):
-                 masterSecret = calcMasterSecret(self.version,
-                                          premasterSecret,
-@@ -966,12 +967,15 @@ class TLSConnection(TLSRecordLayer):
-                 verifyBytes = self._handshake_md5.digest() + \
-                                 self._handshake_sha.digest()
-             elif self.version == (3,3):
--                verifyBytes = self._handshake_sha256.digest()
-+                # TODO: Signature algorithm negotiation not supported.
-+                signatureAlgorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
-+                verifyBytes = self._handshake_sha.digest()
-+                verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
-             if self.fault == Fault.badVerifyMessage:
-                 verifyBytes[0] = ((verifyBytes[0]+1) % 256)
-             signedBytes = privateKey.sign(verifyBytes)
--            certificateVerify = CertificateVerify()
--            certificateVerify.create(signedBytes)
-+            certificateVerify = CertificateVerify(self.version)
-+            certificateVerify.create(signatureAlgorithm, signedBytes)
-             for result in self._sendMsg(certificateVerify):
-                 yield result
-         yield (premasterSecret, serverCertChain, clientCertChain, tackExt)
-@@ -1640,8 +1644,11 @@ class TLSConnection(TLSRecordLayer):
-             #Apple's Secure Transport library rejects empty certificate_types,
-             #so default to rsa_sign.
-             reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
-+            #Only SHA-1 + RSA is supported.
-+            sigAlgs = [(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
-             msgs.append(CertificateRequest(self.version).create(reqCertTypes,
--                                                                reqCAs))
-+                                                                reqCAs,
-+                                                                sigAlgs))
-         msgs.append(ServerHelloDone())
-         for result in self._sendMsgs(msgs):
-             yield result
-@@ -1713,7 +1720,8 @@ class TLSConnection(TLSRecordLayer):
-                 verifyBytes = self._handshake_md5.digest() + \
-                                 self._handshake_sha.digest()
-             elif self.version == (3,3):
--                verifyBytes = self._handshake_sha256.digest()
-+                verifyBytes = self._handshake_sha.digest()
-+                verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
-             for result in self._getMsg(ContentType.handshake,
-                                       HandshakeType.certificate_verify):
-                 if result in (0,1): yield result
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index eda11e6..a09499d 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -804,7 +804,7 @@ class TLSRecordLayer(object):
-                 elif subType == HandshakeType.certificate_request:
-                     yield CertificateRequest(self.version).parse(p)
-                 elif subType == HandshakeType.certificate_verify:
--                    yield CertificateVerify().parse(p)
-+                    yield CertificateVerify(self.version).parse(p)
-                 elif subType == HandshakeType.server_key_exchange:
-                     yield ServerKeyExchange(constructorType,
-                                             self.version).parse(p)
diff --git a/third_party/tlslite/patches/channel_id.patch b/third_party/tlslite/patches/channel_id.patch
deleted file mode 100644
index 1ba9287..0000000
--- a/third_party/tlslite/patches/channel_id.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 4165de0..6429c66 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -32,6 +32,7 @@ class HandshakeType:
-     client_key_exchange = 16
-     finished = 20
-     next_protocol = 67
-+    encrypted_extensions = 203
- 
- class ContentType:
-     change_cipher_spec = 20
-@@ -46,6 +47,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     cert_type = 9       # RFC 6091
-     tack = 0xF300
-     supports_npn = 13172
-+    channel_id = 30032
-     
- class NameType:
-     host_name = 0
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 2b3e518..4fa9d96 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -113,6 +113,7 @@ class ClientHello(HandshakeMsg):
-         self.tack = False
-         self.supports_npn = False
-         self.server_name = bytearray(0)
-+        self.channel_id = False
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srpUsername=None,
-@@ -180,6 +181,8 @@ class ClientHello(HandshakeMsg):
-                             if name_type == NameType.host_name:
-                                 self.server_name = hostNameBytes
-                                 break
-+                    elif extType == ExtensionType.channel_id:
-+                        self.channel_id = True
-                     else:
-                         _ = p.getFixBytes(extLength)
-                     index2 = p.index
-@@ -244,6 +247,7 @@ class ServerHello(HandshakeMsg):
-         self.tackExt = None
-         self.next_protos_advertised = None
-         self.next_protos = None
-+        self.channel_id = False
- 
-     def create(self, version, random, session_id, cipher_suite,
-                certificate_type, tackExt, next_protos_advertised):
-@@ -330,6 +334,9 @@ class ServerHello(HandshakeMsg):
-             w2.add(ExtensionType.supports_npn, 2)
-             w2.add(len(encoded_next_protos_advertised), 2)
-             w2.addFixSeq(encoded_next_protos_advertised, 1)
-+        if self.channel_id:
-+            w2.add(ExtensionType.channel_id, 2)
-+            w2.add(0, 2)
-         if len(w2.bytes):
-             w.add(len(w2.bytes), 2)
-             w.bytes += w2.bytes        
-@@ -665,6 +672,28 @@ class Finished(HandshakeMsg):
-         w.addFixSeq(self.verify_data, 1)
-         return self.postWrite(w)
- 
-+class EncryptedExtensions(HandshakeMsg):
-+    def __init__(self):
-+        self.channel_id_key = None
-+        self.channel_id_proof = None
-+
-+    def parse(self, p):
-+        p.startLengthCheck(3)
-+        soFar = 0
-+        while soFar != p.lengthCheck:
-+            extType = p.get(2)
-+            extLength = p.get(2)
-+            if extType == ExtensionType.channel_id:
-+                if extLength != 32*4:
-+                    raise SyntaxError()
-+                self.channel_id_key = p.getFixBytes(64)
-+                self.channel_id_proof = p.getFixBytes(64)
-+            else:
-+                p.getFixBytes(extLength)
-+            soFar += 4 + extLength
-+        p.stopLengthCheck()
-+        return self
-+
- class ApplicationData(object):
-     def __init__(self):
-         self.contentType = ContentType.application_data
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 0e78753..b0400f8 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1158,6 +1158,7 @@ class TLSConnection(TLSRecordLayer):
-         serverHello.create(self.version, getRandomBytes(32), sessionID, \
-                             cipherSuite, CertificateType.x509, tackExt,
-                             nextProtos)
-+        serverHello.channel_id = clientHello.channel_id
- 
-         # Perform the SRP key exchange
-         clientCertChain = None
-@@ -1194,7 +1195,7 @@ class TLSConnection(TLSRecordLayer):
-         for result in self._serverFinished(premasterSecret, 
-                                 clientHello.random, serverHello.random,
-                                 cipherSuite, settings.cipherImplementations,
--                                nextProtos):
-+                                nextProtos, clientHello.channel_id):
-                 if result in (0,1): yield result
-                 else: break
-         masterSecret = result
-@@ -1614,7 +1615,8 @@ class TLSConnection(TLSRecordLayer):
- 
- 
-     def _serverFinished(self,  premasterSecret, clientRandom, serverRandom,
--                        cipherSuite, cipherImplementations, nextProtos):
-+                        cipherSuite, cipherImplementations, nextProtos,
-+                        doingChannelID):
-         masterSecret = calcMasterSecret(self.version, premasterSecret,
-                                       clientRandom, serverRandom)
-         
-@@ -1625,7 +1627,8 @@ class TLSConnection(TLSRecordLayer):
- 
-         #Exchange ChangeCipherSpec and Finished messages
-         for result in self._getFinished(masterSecret, 
--                        expect_next_protocol=nextProtos is not None):
-+                        expect_next_protocol=nextProtos is not None,
-+                        expect_channel_id=doingChannelID):
-             yield result
- 
-         for result in self._sendFinished(masterSecret):
-@@ -1662,7 +1665,8 @@ class TLSConnection(TLSRecordLayer):
-         for result in self._sendMsg(finished):
-             yield result
- 
--    def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None):
-+    def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None,
-+                     expect_channel_id=False):
-         #Get and check ChangeCipherSpec
-         for result in self._getMsg(ContentType.change_cipher_spec):
-             if result in (0,1):
-@@ -1695,6 +1699,20 @@ class TLSConnection(TLSRecordLayer):
-         if nextProto:
-             self.next_proto = nextProto
- 
-+        #Server Finish - Are we waiting for a EncryptedExtensions?
-+        if expect_channel_id:
-+            for result in self._getMsg(ContentType.handshake, HandshakeType.encrypted_extensions):
-+                if result in (0,1):
-+                    yield result
-+            if result is None:
-+                for result in self._sendError(AlertDescription.unexpected_message,
-+                                             "Didn't get EncryptedExtensions message"):
-+                    yield result
-+            encrypted_extensions = result
-+            self.channel_id = result.channel_id_key
-+        else:
-+            self.channel_id = None
-+
-         #Calculate verification data
-         verifyData = self._calcFinished(masterSecret, False)
- 
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index 5fe7410..f18fcf5 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -806,6 +806,8 @@ class TLSRecordLayer(object):
-                     yield Finished(self.version).parse(p)
-                 elif subType == HandshakeType.next_protocol:
-                     yield NextProtocol().parse(p)
-+                elif subType == HandshakeType.encrypted_extensions:
-+                    yield EncryptedExtensions().parse(p)
-                 else:
-                     raise AssertionError()
- 
diff --git a/third_party/tlslite/patches/dhe_rsa.patch b/third_party/tlslite/patches/dhe_rsa.patch
deleted file mode 100644
index 5bb12f0..0000000
--- a/third_party/tlslite/patches/dhe_rsa.patch
+++ /dev/null
@@ -1,561 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 1a1ace9..d2d50c5 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -54,6 +54,20 @@ class ExtensionType:    # RFC 6066 / 4366
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
-+
-+class HashAlgorithm:
-+    none = 0
-+    md5 = 1
-+    sha1 = 2
-+    sha224 = 3
-+    sha256 = 4
-+    sha384 = 5
-+
-+class SignatureAlgorithm:
-+    anonymous = 0
-+    rsa = 1
-+    dsa = 2
-+    ecdsa = 3
-     
- class NameType:
-     host_name = 0
-@@ -144,30 +158,42 @@ class CipherSuite:
-     
-     TLS_RSA_WITH_RC4_128_MD5 = 0x0004
- 
-+    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
-+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
-+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
-+
-     TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034
-     TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
- 
-     TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C
-     TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D
- 
-+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
-+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
-+
-     tripleDESSuites = []
-     tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-     tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-     tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-+    tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
- 
-     aes128Suites = []
-     aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
-     aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
-     aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
-+    aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
-     aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-     aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-+    aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
- 
-     aes256Suites = []
-     aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
-     aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
-     aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
-     aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-+    aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-     aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-+    aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
- 
-     rc4Suites = []
-     rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
-@@ -184,12 +210,18 @@ class CipherSuite:
-     shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
-     shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
-     shaSuites.append(TLS_RSA_WITH_RC4_128_SHA)
-+    shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
-+    shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
-+    shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-     shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-     shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-     
-     sha256Suites = []
-     sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-     sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-+    sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-+    sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-+
- 
-     md5Suites = []
-     md5Suites.append(TLS_RSA_WITH_RC4_128_MD5)
-@@ -198,6 +230,7 @@ class CipherSuite:
-     def _filterSuites(suites, settings):
-         macNames = settings.macNames
-         cipherNames = settings.cipherNames
-+        keyExchangeNames = settings.keyExchangeNames
-         macSuites = []
-         if "sha" in macNames:
-             macSuites += CipherSuite.shaSuites
-@@ -216,7 +249,20 @@ class CipherSuite:
-         if "rc4" in cipherNames:
-             cipherSuites += CipherSuite.rc4Suites
- 
--        return [s for s in suites if s in macSuites and s in cipherSuites]
-+        keyExchangeSuites = []
-+        if "rsa" in keyExchangeNames:
-+            keyExchangeSuites += CipherSuite.certSuites
-+        if "dhe_rsa" in keyExchangeNames:
-+            keyExchangeSuites += CipherSuite.dheCertSuites
-+        if "srp_sha" in keyExchangeNames:
-+            keyExchangeSuites += CipherSuite.srpSuites
-+        if "srp_sha_rsa" in keyExchangeNames:
-+            keyExchangeSuites += CipherSuite.srpCertSuites
-+        if "dh_anon" in keyExchangeNames:
-+            keyExchangeSuites += CipherSuite.anonSuites
-+
-+        return [s for s in suites if s in macSuites and
-+                s in cipherSuites and s in keyExchangeSuites]
- 
-     srpSuites = []
-     srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
-@@ -250,12 +296,24 @@ class CipherSuite:
-     certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-     certSuites.append(TLS_RSA_WITH_RC4_128_SHA)
-     certSuites.append(TLS_RSA_WITH_RC4_128_MD5)
--    certAllSuites = srpCertSuites + certSuites
-     
-     @staticmethod
-     def getCertSuites(settings):
-         return CipherSuite._filterSuites(CipherSuite.certSuites, settings)
- 
-+    dheCertSuites = []
-+    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-+    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-+    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-+    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
-+    dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
-+
-+    @staticmethod
-+    def getDheCertSuites(settings):
-+        return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings)
-+
-+    certAllSuites = srpCertSuites + certSuites + dheCertSuites
-+
-     anonSuites = []
-     anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-     anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-@@ -264,6 +322,8 @@ class CipherSuite:
-     def getAnonSuites(settings):
-         return CipherSuite._filterSuites(CipherSuite.anonSuites, settings)
- 
-+    dhAllSuites = dheCertSuites + anonSuites
-+
-     @staticmethod
-     def canonicalCipherName(ciphersuite):
-         "Return the canonical name of the cipher whose number is provided."
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index ee37c30..7998e2e 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -14,7 +14,9 @@ from .utils import cipherfactory
- # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC
- # issues such as timing attacks
- CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"]
--MAC_NAMES = ["sha", "sha256"] # "md5" is allowed
-+MAC_NAMES = ["sha", "sha256"] # Don't allow "md5" by default.
-+ALL_MAC_NAMES = ["sha", "sha256", "md5"]
-+KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
- CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
- CERTIFICATE_TYPES = ["x509"]
- 
-@@ -101,6 +103,7 @@ class HandshakeSettings(object):
-         self.maxKeySize = 8193
-         self.cipherNames = CIPHER_NAMES
-         self.macNames = MAC_NAMES
-+        self.keyExchangeNames = KEY_EXCHANGE_NAMES
-         self.cipherImplementations = CIPHER_IMPLEMENTATIONS
-         self.certificateTypes = CERTIFICATE_TYPES
-         self.minVersion = (3,1)
-@@ -115,6 +118,7 @@ class HandshakeSettings(object):
-         other.maxKeySize = self.maxKeySize
-         other.cipherNames = self.cipherNames
-         other.macNames = self.macNames
-+        other.keyExchangeNames = self.keyExchangeNames
-         other.cipherImplementations = self.cipherImplementations
-         other.certificateTypes = self.certificateTypes
-         other.minVersion = self.minVersion
-@@ -147,6 +151,12 @@ class HandshakeSettings(object):
-         for s in other.cipherNames:
-             if s not in CIPHER_NAMES:
-                 raise ValueError("Unknown cipher name: '%s'" % s)
-+        for s in other.macNames:
-+            if s not in ALL_MAC_NAMES:
-+                raise ValueError("Unknown MAC name: '%s'" % s)
-+        for s in other.keyExchangeNames:
-+            if s not in KEY_EXCHANGE_NAMES:
-+                raise ValueError("Unknown key exchange name: '%s'" % s)
-         for s in other.cipherImplementations:
-             if s not in CIPHER_IMPLEMENTATIONS:
-                 raise ValueError("Unknown cipher implementation: '%s'" % s)
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 9a8e5f6..8b77ee6 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -500,9 +500,10 @@ class CertificateRequest(HandshakeMsg):
-         return self.postWrite(w)
- 
- class ServerKeyExchange(HandshakeMsg):
--    def __init__(self, cipherSuite):
-+    def __init__(self, cipherSuite, version):
-         HandshakeMsg.__init__(self, HandshakeType.server_key_exchange)
-         self.cipherSuite = cipherSuite
-+        self.version = version
-         self.srp_N = 0
-         self.srp_g = 0
-         self.srp_s = bytearray(0)
-@@ -542,31 +543,38 @@ class ServerKeyExchange(HandshakeMsg):
-         p.stopLengthCheck()
-         return self
- 
--    def write(self):
-+    def write_params(self):
-         w = Writer()
-         if self.cipherSuite in CipherSuite.srpAllSuites:
-             w.addVarSeq(numberToByteArray(self.srp_N), 1, 2)
-             w.addVarSeq(numberToByteArray(self.srp_g), 1, 2)
-             w.addVarSeq(self.srp_s, 1, 1)
-             w.addVarSeq(numberToByteArray(self.srp_B), 1, 2)
--            if self.cipherSuite in CipherSuite.srpCertSuites:
--                w.addVarSeq(self.signature, 1, 2)
--        elif self.cipherSuite in CipherSuite.anonSuites:
-+        elif self.cipherSuite in CipherSuite.dhAllSuites:
-             w.addVarSeq(numberToByteArray(self.dh_p), 1, 2)
-             w.addVarSeq(numberToByteArray(self.dh_g), 1, 2)
-             w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2)
--            if self.cipherSuite in []: # TODO support for signed_params
--                w.addVarSeq(self.signature, 1, 2)
-+        else:
-+            assert(False)
-+        return w.bytes
-+
-+    def write(self):
-+        w = Writer()
-+        w.bytes += self.write_params()
-+        if self.cipherSuite in CipherSuite.certAllSuites:
-+            if self.version >= (3,3):
-+                # TODO: Signature algorithm negotiation not supported.
-+                w.add(HashAlgorithm.sha1, 1)
-+                w.add(SignatureAlgorithm.rsa, 1)
-+            w.addVarSeq(self.signature, 1, 2)
-         return self.postWrite(w)
- 
-     def hash(self, clientRandom, serverRandom):
--        oldCipherSuite = self.cipherSuite
--        self.cipherSuite = None
--        try:
--            bytes = clientRandom + serverRandom + self.write()[4:]
--            return MD5(bytes) + SHA1(bytes)
--        finally:
--            self.cipherSuite = oldCipherSuite
-+        bytes = clientRandom + serverRandom + self.write_params()
-+        if self.version >= (3,3):
-+            # TODO: Signature algorithm negotiation not supported.
-+            return SHA1(bytes)
-+        return MD5(bytes) + SHA1(bytes)
- 
- class ServerHelloDone(HandshakeMsg):
-     def __init__(self):
-@@ -616,7 +624,7 @@ class ClientKeyExchange(HandshakeMsg):
-                     p.getFixBytes(len(p.bytes)-p.index)
-             else:
-                 raise AssertionError()
--        elif self.cipherSuite in CipherSuite.anonSuites:
-+        elif self.cipherSuite in CipherSuite.dhAllSuites:
-             self.dh_Yc = bytesToNumber(p.getVarBytes(2))            
-         else:
-             raise AssertionError()
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 5d508ed..f6d13d4 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -23,7 +23,109 @@ from .messages import *
- from .mathtls import *
- from .handshakesettings import HandshakeSettings
- from .utils.tackwrapper import *
-+from .utils.rsakey import RSAKey
- 
-+class KeyExchange(object):
-+    def __init__(self, cipherSuite, clientHello, serverHello, privateKey):
-+        """
-+        Initializes the KeyExchange. privateKey is the signing private key.
-+        """
-+        self.cipherSuite = cipherSuite
-+        self.clientHello = clientHello
-+        self.serverHello = serverHello
-+        self.privateKey = privateKey
-+
-+    def makeServerKeyExchange():
-+        """
-+        Returns a ServerKeyExchange object for the server's initial leg in the
-+        handshake. If the key exchange method does not send ServerKeyExchange
-+        (e.g. RSA), it returns None.
-+        """
-+        raise NotImplementedError()
-+
-+    def processClientKeyExchange(clientKeyExchange):
-+        """
-+        Processes the client's ClientKeyExchange message and returns the
-+        premaster secret. Raises TLSLocalAlert on error.
-+        """
-+        raise NotImplementedError()
-+
-+class RSAKeyExchange(KeyExchange):
-+    def makeServerKeyExchange(self):
-+        return None
-+
-+    def processClientKeyExchange(self, clientKeyExchange):
-+        premasterSecret = self.privateKey.decrypt(\
-+            clientKeyExchange.encryptedPreMasterSecret)
-+
-+        # On decryption failure randomize premaster secret to avoid
-+        # Bleichenbacher's "million message" attack
-+        randomPreMasterSecret = getRandomBytes(48)
-+        if not premasterSecret:
-+            premasterSecret = randomPreMasterSecret
-+        elif len(premasterSecret)!=48:
-+            premasterSecret = randomPreMasterSecret
-+        else:
-+            versionCheck = (premasterSecret[0], premasterSecret[1])
-+            if versionCheck != self.clientHello.client_version:
-+                #Tolerate buggy IE clients
-+                if versionCheck != self.serverHello.server_version:
-+                    premasterSecret = randomPreMasterSecret
-+        return premasterSecret
-+
-+def _hexStringToNumber(s):
-+    s = s.replace(" ", "").replace("\n", "")
-+    if len(s) % 2 != 0:
-+        raise ValueError("Length is not even")
-+    return bytesToNumber(bytearray.fromhex(s))
-+
-+class DHE_RSAKeyExchange(KeyExchange):
-+    # 2048-bit MODP Group (RFC 3526, Section 3)
-+    dh_p = _hexStringToNumber("""
-+FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
-+29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
-+EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
-+E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
-+EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
-+C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
-+83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
-+670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
-+E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
-+DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
-+15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""")
-+    dh_g = 2
-+
-+    # RFC 3526, Section 8.
-+    strength = 160
-+
-+    def makeServerKeyExchange(self):
-+        # Per RFC 3526, Section 1, the exponent should have double the entropy
-+        # of the strength of the curve.
-+        self.dh_Xs = bytesToNumber(getRandomBytes(self.strength * 2 / 8))
-+        dh_Ys = powMod(self.dh_g, self.dh_Xs, self.dh_p)
-+
-+        version = self.serverHello.server_version
-+        serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
-+        serverKeyExchange.createDH(self.dh_p, self.dh_g, dh_Ys)
-+        hashBytes = serverKeyExchange.hash(self.clientHello.random,
-+                                           self.serverHello.random)
-+        if version >= (3,3):
-+            # TODO: Signature algorithm negotiation not supported.
-+            hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes)
-+        serverKeyExchange.signature = self.privateKey.sign(hashBytes)
-+        return serverKeyExchange
-+
-+    def processClientKeyExchange(self, clientKeyExchange):
-+        dh_Yc = clientKeyExchange.dh_Yc
-+
-+        # First half of RFC 2631, Section 2.1.5. Validate the client's public
-+        # key.
-+        if not 2 <= dh_Yc <= self.dh_p - 1:
-+            raise TLSLocalAlert(AlertDescription.illegal_parameter,
-+                                "Invalid dh_Yc value")
-+
-+        S = powMod(dh_Yc, self.dh_Xs, self.dh_p)
-+        return numberToByteArray(S)
- 
- class TLSConnection(TLSRecordLayer):
-     """
-@@ -500,6 +602,8 @@ class TLSConnection(TLSRecordLayer):
-         if srpParams:
-             cipherSuites += CipherSuite.getSrpAllSuites(settings)
-         elif certParams:
-+            # TODO: Client DHE_RSA not supported.
-+            # cipherSuites += CipherSuite.getDheCertSuites(settings)
-             cipherSuites += CipherSuite.getCertSuites(settings)
-         elif anonParams:
-             cipherSuites += CipherSuite.getAnonSuites(settings)
-@@ -1207,10 +1311,23 @@ class TLSConnection(TLSRecordLayer):
-                 else: break
-             premasterSecret = result
- 
--        # Perform the RSA key exchange
--        elif cipherSuite in CipherSuite.certSuites:
-+        # Perform the RSA or DHE_RSA key exchange
-+        elif (cipherSuite in CipherSuite.certSuites or
-+              cipherSuite in CipherSuite.dheCertSuites):
-+            if cipherSuite in CipherSuite.certSuites:
-+                keyExchange = RSAKeyExchange(cipherSuite,
-+                                             clientHello,
-+                                             serverHello,
-+                                             privateKey)
-+            elif cipherSuite in CipherSuite.dheCertSuites:
-+                keyExchange = DHE_RSAKeyExchange(cipherSuite,
-+                                                 clientHello,
-+                                                 serverHello,
-+                                                 privateKey)
-+            else:
-+                assert(False)
-             for result in self._serverCertKeyExchange(clientHello, serverHello, 
--                                        certChain, privateKey,
-+                                        certChain, keyExchange,
-                                         reqCert, reqCAs, cipherSuite,
-                                         settings, ocspResponse):
-                 if result in (0,1): yield result
-@@ -1270,6 +1387,7 @@ class TLSConnection(TLSRecordLayer):
-                     CipherSuite.getSrpCertSuites(settings)
-             cipherSuites += CipherSuite.getSrpSuites(settings)
-         elif certChain:
-+            cipherSuites += CipherSuite.getDheCertSuites(settings)
-             cipherSuites += CipherSuite.getCertSuites(settings)
-         elif anon:
-             cipherSuites += CipherSuite.getAnonSuites(settings)
-@@ -1440,7 +1558,7 @@ class TLSConnection(TLSRecordLayer):
-         B = (powMod(g, b, N) + (k*v)) % N
- 
-         #Create ServerKeyExchange, signing it if necessary
--        serverKeyExchange = ServerKeyExchange(cipherSuite)
-+        serverKeyExchange = ServerKeyExchange(cipherSuite, self.version)
-         serverKeyExchange.createSRP(N, g, s, B)
-         if cipherSuite in CipherSuite.srpCertSuites:
-             hashBytes = serverKeyExchange.hash(clientHello.random,
-@@ -1488,11 +1606,11 @@ class TLSConnection(TLSRecordLayer):
- 
- 
-     def _serverCertKeyExchange(self, clientHello, serverHello, 
--                                serverCertChain, privateKey,
-+                                serverCertChain, keyExchange,
-                                 reqCert, reqCAs, cipherSuite,
-                                 settings, ocspResponse):
--        #Send ServerHello, Certificate[, CertificateRequest],
--        #ServerHelloDone
-+        #Send ServerHello, Certificate[, ServerKeyExchange]
-+        #[, CertificateRequest], ServerHelloDone
-         msgs = []
- 
-         # If we verify a client cert chain, return it
-@@ -1502,6 +1620,9 @@ class TLSConnection(TLSRecordLayer):
-         msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
-         if serverHello.status_request:
-             msgs.append(CertificateStatus().create(ocspResponse))
-+        serverKeyExchange = keyExchange.makeServerKeyExchange()
-+        if serverKeyExchange is not None:
-+            msgs.append(serverKeyExchange)
-         if reqCert and reqCAs:
-             msgs.append(CertificateRequest().create(\
-                 [ClientCertificateType.rsa_sign], reqCAs))
-@@ -1560,21 +1681,13 @@ class TLSConnection(TLSRecordLayer):
-             else: break
-         clientKeyExchange = result
- 
--        #Decrypt ClientKeyExchange
--        premasterSecret = privateKey.decrypt(\
--            clientKeyExchange.encryptedPreMasterSecret)
--
--        # On decryption failure randomize premaster secret to avoid
--        # Bleichenbacher's "million message" attack
--        randomPreMasterSecret = getRandomBytes(48)
--        versionCheck = (premasterSecret[0], premasterSecret[1])
--        if not premasterSecret:
--            premasterSecret = randomPreMasterSecret
--        elif len(premasterSecret)!=48:
--            premasterSecret = randomPreMasterSecret
--        elif versionCheck != clientHello.client_version:
--            if versionCheck != self.version: #Tolerate buggy IE clients
--                premasterSecret = randomPreMasterSecret
-+        #Process ClientKeyExchange
-+        try:
-+            premasterSecret = \
-+                keyExchange.processClientKeyExchange(clientKeyExchange)
-+        except alert as TLSLocalAlert:
-+            for result in self._sendError(alert.description, alert.message):
-+                yield result
- 
-         #Get and check CertificateVerify, if relevant
-         if clientCertChain:
-@@ -1622,7 +1735,7 @@ class TLSConnection(TLSRecordLayer):
-         dh_Ys = powMod(dh_g, dh_Xs, dh_p)
- 
-         #Create ServerKeyExchange
--        serverKeyExchange = ServerKeyExchange(cipherSuite)
-+        serverKeyExchange = ServerKeyExchange(cipherSuite, self.version)
-         serverKeyExchange.createDH(dh_p, dh_g, dh_Ys)
-         
-         #Send ServerHello[, Certificate], ServerKeyExchange,
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index 01ff3e9..6ef3895 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -796,7 +796,8 @@ class TLSRecordLayer(object):
-                 elif subType == HandshakeType.certificate_verify:
-                     yield CertificateVerify().parse(p)
-                 elif subType == HandshakeType.server_key_exchange:
--                    yield ServerKeyExchange(constructorType).parse(p)
-+                    yield ServerKeyExchange(constructorType,
-+                                            self.version).parse(p)
-                 elif subType == HandshakeType.server_hello_done:
-                     yield ServerHelloDone().parse(p)
-                 elif subType == HandshakeType.client_key_exchange:
-diff --git a/third_party/tlslite/tlslite/utils/rsakey.py b/third_party/tlslite/tlslite/utils/rsakey.py
-index 3f2100e..fb022cc 100644
---- a/third_party/tlslite/tlslite/utils/rsakey.py
-+++ b/third_party/tlslite/tlslite/utils/rsakey.py
-@@ -60,7 +60,7 @@ class RSAKey(object):
-         @return: A PKCS1-SHA1 signature on the passed-in data.
-         """
-         hashBytes = SHA1(bytearray(bytes))
--        prefixedHashBytes = self._addPKCS1SHA1Prefix(hashBytes)
-+        prefixedHashBytes = self.addPKCS1SHA1Prefix(hashBytes)
-         sigBytes = self.sign(prefixedHashBytes)
-         return sigBytes
- 
-@@ -81,8 +81,8 @@ class RSAKey(object):
-         hashBytes = SHA1(bytearray(bytes))
-         
-         # Try it with/without the embedded NULL
--        prefixedHashBytes1 = self._addPKCS1SHA1Prefix(hashBytes, False)
--        prefixedHashBytes2 = self._addPKCS1SHA1Prefix(hashBytes, True)
-+        prefixedHashBytes1 = self.addPKCS1SHA1Prefix(hashBytes, False)
-+        prefixedHashBytes2 = self.addPKCS1SHA1Prefix(hashBytes, True)
-         result1 = self.verify(sigBytes, prefixedHashBytes1)
-         result2 = self.verify(sigBytes, prefixedHashBytes2)
-         return (result1 or result2)
-@@ -221,7 +221,8 @@ class RSAKey(object):
-     # Helper Functions for RSA Keys
-     # **************************************************************************
- 
--    def _addPKCS1SHA1Prefix(self, bytes, withNULL=True):
-+    @staticmethod
-+    def addPKCS1SHA1Prefix(bytes, withNULL=True):
-         # There is a long history of confusion over whether the SHA1 
-         # algorithmIdentifier should be encoded with a NULL parameter or 
-         # with the parameter omitted.  While the original intention was 
-@@ -229,8 +230,7 @@ class RSAKey(object):
-         # specifies the NULL should be included, and this behavior is also
-         # mandated in recent versions of PKCS #1, and is what tlslite has
-         # always implemented.  Anyways, verification code should probably 
--        # accept both.  However, nothing uses this code yet, so this is 
--        # all fairly moot.
-+        # accept both.
-         if not withNULL:
-             prefixBytes = bytearray(\
-             [0x30,0x1f,0x30,0x07,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x04,0x14])            
diff --git a/third_party/tlslite/patches/disable_channel_id.patch b/third_party/tlslite/patches/disable_channel_id.patch
deleted file mode 100644
index 339cdd9..0000000
--- a/third_party/tlslite/patches/disable_channel_id.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index 8f25f62..d7be5b3 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -112,6 +112,9 @@ class HandshakeSettings(object):
-     @ivar alertAfterHandshake: If true, the server will send a fatal
-     alert immediately after the handshake completes.
- 
-+    @type enableChannelID: bool
-+    @ivar enableChannelID: If true, the server supports channel ID.
-+
-     @type enableExtendedMasterSecret: bool
-     @ivar enableExtendedMasterSecret: If true, the server supports the extended
-     master secret TLS extension and will negotiated it with supporting clients.
-@@ -140,6 +143,7 @@ class HandshakeSettings(object):
-         self.tlsIntoleranceType = 'alert'
-         self.useExperimentalTackExtension = False
-         self.alertAfterHandshake = False
-+        self.enableChannelID = True
-         self.enableExtendedMasterSecret = True
-         self.supportedTokenBindingParams = []
- 
-@@ -159,6 +163,7 @@ class HandshakeSettings(object):
-         other.tlsIntolerant = self.tlsIntolerant
-         other.tlsIntoleranceType = self.tlsIntoleranceType
-         other.alertAfterHandshake = self.alertAfterHandshake
-+        other.enableChannelID = self.enableChannelID
-         other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
-         other.supportedTokenBindingParams = self.supportedTokenBindingParams
- 
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 06404fe..7363a30 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1326,7 +1326,8 @@ class TLSConnection(TLSRecordLayer):
-         serverHello.create(self.version, getRandomBytes(32), sessionID, \
-                             cipherSuite, CertificateType.x509, tackExt,
-                             nextProtos)
--        serverHello.channel_id = clientHello.channel_id
-+        serverHello.channel_id = \
-+            clientHello.channel_id and settings.enableChannelID
-         serverHello.extended_master_secret = \
-             clientHello.extended_master_secret and \
-             settings.enableExtendedMasterSecret
-@@ -1391,7 +1392,7 @@ class TLSConnection(TLSRecordLayer):
-         for result in self._serverFinished(premasterSecret, 
-                                 clientHello.random, serverHello.random,
-                                 cipherSuite, settings.cipherImplementations,
--                                nextProtos, clientHello.channel_id,
-+                                nextProtos, serverHello.channel_id,
-                                 serverHello.extended_master_secret):
-                 if result in (0,1): yield result
-                 else: break
diff --git a/third_party/tlslite/patches/ecdhe_rsa.patch b/third_party/tlslite/patches/ecdhe_rsa.patch
deleted file mode 100644
index 054a07a0..0000000
--- a/third_party/tlslite/patches/ecdhe_rsa.patch
+++ /dev/null
@@ -1,428 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index e5b88af..6d78a20 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -76,6 +76,14 @@ class SignatureAlgorithm:
- class NameType:
-     host_name = 0
- 
-+class ECCurveType:
-+    explicit_prime = 1
-+    explicit_char2 = 2
-+    named_curve = 3
-+
-+class NamedCurve:
-+    secp256r1 = 23
-+
- class AlertLevel:
-     warning = 1
-     fatal = 2
-@@ -178,11 +186,19 @@ class CipherSuite:
-     TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
-     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
- 
-+    TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011
-+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012
-+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013
-+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014
-+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027
-+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f
-+
-     tripleDESSuites = []
-     tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-     tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-     tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-     tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
-+    tripleDESSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
- 
-     aes128Suites = []
-     aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
-@@ -192,6 +208,8 @@ class CipherSuite:
-     aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-     aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-     aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-+    aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-+    aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
- 
-     aes256Suites = []
-     aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
-@@ -201,14 +219,17 @@ class CipherSuite:
-     aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-     aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-     aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-+    aes256Suites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
- 
-     aes128GcmSuites = []
-     aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-     aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-+    aes128GcmSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
- 
-     rc4Suites = []
-     rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
-     rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5)
-+    rc4Suites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
-     
-     shaSuites = []
-     shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-@@ -226,6 +247,10 @@ class CipherSuite:
-     shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-     shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-     shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-+    shaSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
-+    shaSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
-+    shaSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-+    shaSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-     
-     sha256Suites = []
-     sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-@@ -234,6 +259,9 @@ class CipherSuite:
-     sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-     sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-     sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-+    sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
-+    sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
-+
- 
-     aeadSuites = aes128GcmSuites
- 
-@@ -275,6 +303,8 @@ class CipherSuite:
-             keyExchangeSuites += CipherSuite.certSuites
-         if "dhe_rsa" in keyExchangeNames:
-             keyExchangeSuites += CipherSuite.dheCertSuites
-+        if "ecdhe_rsa" in keyExchangeNames:
-+            keyExchangeSuites += CipherSuite.ecdheCertSuites
-         if "srp_sha" in keyExchangeNames:
-             keyExchangeSuites += CipherSuite.srpSuites
-         if "srp_sha_rsa" in keyExchangeNames:
-@@ -335,7 +365,19 @@ class CipherSuite:
-     def getDheCertSuites(settings, version=None):
-         return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, version)
- 
--    certAllSuites = srpCertSuites + certSuites + dheCertSuites
-+    ecdheCertSuites = []
-+    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
-+    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
-+    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-+    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-+    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
-+    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
-+
-+    @staticmethod
-+    def getEcdheCertSuites(settings, version=None):
-+        return CipherSuite._filterSuites(CipherSuite.ecdheCertSuites, settings, version)
-+
-+    certAllSuites = srpCertSuites + certSuites + dheCertSuites + ecdheCertSuites
- 
-     anonSuites = []
-     anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-@@ -346,6 +388,7 @@ class CipherSuite:
-         return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, version)
- 
-     dhAllSuites = dheCertSuites + anonSuites
-+    ecdhAllSuites = ecdheCertSuites
- 
-     @staticmethod
-     def canonicalCipherName(ciphersuite):
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index e752834..605ed42 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -14,7 +14,7 @@ from .utils import cipherfactory
- CIPHER_NAMES = ["aes128gcm", "rc4", "aes256", "aes128", "3des"]
- MAC_NAMES = ["sha", "sha256", "aead"] # Don't allow "md5" by default.
- ALL_MAC_NAMES = MAC_NAMES + ["md5"]
--KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
-+KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
- CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
- CERTIFICATE_TYPES = ["x509"]
- TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"]
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index f2e2cfc..9aeff6d 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -509,10 +509,13 @@ class ServerKeyExchange(HandshakeMsg):
-         self.srp_g = 0
-         self.srp_s = bytearray(0)
-         self.srp_B = 0
--        # Anon DH params:
-+        # DH params:
-         self.dh_p = 0
-         self.dh_g = 0
-         self.dh_Ys = 0
-+        # ECDH params:
-+        self.ecdhCurve = 0
-+        self.ecdhPublic = bytearray(0)
-         self.signature = bytearray(0)
- 
-     def createSRP(self, srp_N, srp_g, srp_s, srp_B):
-@@ -528,6 +531,11 @@ class ServerKeyExchange(HandshakeMsg):
-         self.dh_Ys = dh_Ys
-         return self
- 
-+    def createECDH(self, ecdhCurve, ecdhPublic):
-+        self.ecdhCurve = ecdhCurve
-+        self.ecdhPublic = ecdhPublic
-+        return self
-+
-     def parse(self, p):
-         p.startLengthCheck(3)
-         if self.cipherSuite in CipherSuite.srpAllSuites:
-@@ -555,6 +563,10 @@ class ServerKeyExchange(HandshakeMsg):
-             w.addVarSeq(numberToByteArray(self.dh_p), 1, 2)
-             w.addVarSeq(numberToByteArray(self.dh_g), 1, 2)
-             w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2)
-+        elif self.cipherSuite in CipherSuite.ecdhAllSuites:
-+            w.add(ECCurveType.named_curve, 1)
-+            w.add(self.ecdhCurve, 2)
-+            w.addVarSeq(self.ecdhPublic, 1, 1)
-         else:
-             assert(False)
-         return w.bytes
-@@ -626,7 +638,9 @@ class ClientKeyExchange(HandshakeMsg):
-             else:
-                 raise AssertionError()
-         elif self.cipherSuite in CipherSuite.dhAllSuites:
--            self.dh_Yc = bytesToNumber(p.getVarBytes(2))            
-+            self.dh_Yc = bytesToNumber(p.getVarBytes(2))
-+        elif self.cipherSuite in CipherSuite.ecdhAllSuites:
-+            self.ecdh_Yc = p.getVarBytes(1)
-         else:
-             raise AssertionError()
-         p.stopLengthCheck()
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 0a85d3c..dfac274 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -24,6 +24,7 @@ from .mathtls import *
- from .handshakesettings import HandshakeSettings
- from .utils.tackwrapper import *
- from .utils.rsakey import RSAKey
-+from .utils import p256
- 
- class KeyExchange(object):
-     def __init__(self, cipherSuite, clientHello, serverHello, privateKey):
-@@ -127,6 +128,25 @@ DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
-         S = powMod(dh_Yc, self.dh_Xs, self.dh_p)
-         return numberToByteArray(S)
- 
-+class ECDHE_RSAKeyExchange(KeyExchange):
-+    def makeServerKeyExchange(self):
-+        public, self.private = p256.generatePublicPrivate()
-+
-+        version = self.serverHello.server_version
-+        serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
-+        serverKeyExchange.createECDH(NamedCurve.secp256r1, bytearray(public))
-+        hashBytes = serverKeyExchange.hash(self.clientHello.random,
-+                                           self.serverHello.random)
-+        if version >= (3,3):
-+            # TODO: Signature algorithm negotiation not supported.
-+            hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes)
-+        serverKeyExchange.signature = self.privateKey.sign(hashBytes)
-+        return serverKeyExchange
-+
-+    def processClientKeyExchange(self, clientKeyExchange):
-+        ecdh_Yc = clientKeyExchange.ecdh_Yc
-+        return bytearray(p256.generateSharedValue(bytes(ecdh_Yc), self.private))
-+
- class TLSConnection(TLSRecordLayer):
-     """
-     This class wraps a socket and provides TLS handshaking and data
-@@ -1321,9 +1341,8 @@ class TLSConnection(TLSRecordLayer):
-                 else: break
-             premasterSecret = result
- 
--        # Perform the RSA or DHE_RSA key exchange
--        elif (cipherSuite in CipherSuite.certSuites or
--              cipherSuite in CipherSuite.dheCertSuites):
-+        # Perform a certificate-based key exchange
-+        elif cipherSuite in CipherSuite.certAllSuites:
-             if cipherSuite in CipherSuite.certSuites:
-                 keyExchange = RSAKeyExchange(cipherSuite,
-                                              clientHello,
-@@ -1334,6 +1353,11 @@ class TLSConnection(TLSRecordLayer):
-                                                  clientHello,
-                                                  serverHello,
-                                                  privateKey)
-+            elif cipherSuite in CipherSuite.ecdheCertSuites:
-+                keyExchange = ECDHE_RSAKeyExchange(cipherSuite,
-+                                                   clientHello,
-+                                                   serverHello,
-+                                                   privateKey)
-             else:
-                 assert(False)
-             for result in self._serverCertKeyExchange(clientHello, serverHello, 
-@@ -1450,6 +1474,7 @@ class TLSConnection(TLSRecordLayer):
-                     CipherSuite.getSrpCertSuites(settings, self.version)
-             cipherSuites += CipherSuite.getSrpSuites(settings, self.version)
-         elif certChain:
-+            cipherSuites += CipherSuite.getEcdheCertSuites(settings, self.version)
-             cipherSuites += CipherSuite.getDheCertSuites(settings, self.version)
-             cipherSuites += CipherSuite.getCertSuites(settings, self.version)
-         elif anon:
-diff --git a/third_party/tlslite/tlslite/utils/p256.py b/third_party/tlslite/tlslite/utils/p256.py
-index e69de29..6eb9a77 100644
---- a/third_party/tlslite/tlslite/utils/p256.py
-+++ b/third_party/tlslite/tlslite/utils/p256.py
-@@ -0,0 +1,162 @@
-+# Author: Google
-+# See the LICENSE file for legal information regarding use of this file.
-+
-+import os
-+
-+p = (
-+    115792089210356248762697446949407573530086143415290314195533631308867097853951)
-+order = (
-+    115792089210356248762697446949407573529996955224135760342422259061068512044369)
-+p256B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
-+
-+baseX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
-+baseY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
-+basePoint = (baseX, baseY)
-+
-+
-+def _pointAdd(a, b):
-+    Z1Z1 = (a[2] * a[2]) % p
-+    Z2Z2 = (b[2] * b[2]) % p
-+    U1 = (a[0] * Z2Z2) % p
-+    U2 = (b[0] * Z1Z1) % p
-+    S1 = (a[1] * b[2] * Z2Z2) % p
-+    S2 = (b[1] * a[2] * Z1Z1) % p
-+    if U1 == U2 and S1 == S2:
-+        return pointDouble(a)
-+    H = (U2 - U1) % p
-+    I = (4 * H * H) % p
-+    J = (H * I) % p
-+    r = (2 * (S2 - S1)) % p
-+    V = (U1 * I) % p
-+    X3 = (r * r - J - 2 * V) % p
-+    Y3 = (r * (V - X3) - 2 * S1 * J) % p
-+    Z3 = (((a[2] + b[2]) * (a[2] + b[2]) - Z1Z1 - Z2Z2) * H) % p
-+
-+    return (X3, Y3, Z3)
-+
-+
-+def _pointDouble(a):
-+    delta = (a[2] * a[2]) % p
-+    gamma = (a[1] * a[1]) % p
-+    beta = (a[0] * gamma) % p
-+    alpha = (3 * (a[0] - delta) * (a[0] + delta)) % p
-+    X3 = (alpha * alpha - 8 * beta) % p
-+    Z3 = ((a[1] + a[2]) * (a[1] + a[2]) - gamma - delta) % p
-+    Y3 = (alpha * (4 * beta - X3) - 8 * gamma * gamma) % p
-+
-+    return (X3, Y3, Z3)
-+
-+
-+def _square(n):
-+    return (n * n)
-+
-+
-+def _modpow(a, n, p):
-+    if n == 0:
-+        return 1
-+    if n == 1:
-+        return a
-+    r = _square(_modpow(a, n >> 1, p)) % p
-+    if n & 1 == 1:
-+        r = (r * a) % p
-+    return r
-+
-+
-+def _scalarMult(k, point):
-+    accum = (0, 0, 0)
-+    accumIsInfinity = True
-+    jacobianPoint = (point[0], point[1], 1)
-+
-+    for bit in range(255, -1, -1):
-+        if not accumIsInfinity:
-+            accum = _pointDouble(accum)
-+
-+        if (k >> bit) & 1 == 1:
-+            if accumIsInfinity:
-+                accum = jacobianPoint
-+                accumIsInfinity = False
-+            else:
-+                accum = _pointAdd(accum, jacobianPoint)
-+
-+    if accumIsInfinity:
-+        return (0, 0)
-+
-+    zInv = _modpow(accum[2], p - 2, p)
-+    return ((accum[0] * zInv * zInv) % p, (accum[1] * zInv * zInv * zInv) % p)
-+
-+
-+def _scalarBaseMult(k):
-+    return _scalarMult(k, basePoint)
-+
-+
-+def _decodeBigEndian(b):
-+    return sum([ord(b[len(b) - i - 1]) << 8 * i for i in range(len(b))])
-+
-+
-+def _encodeBigEndian(n):
-+    b = []
-+    while n != 0:
-+        b.append(chr(n & 0xff))
-+        n >>= 8
-+
-+    if len(b) == 0:
-+        b.append(0)
-+    b.reverse()
-+
-+    return "".join(b)
-+
-+
-+def _zeroPad(b, length):
-+    if len(b) < length:
-+        return ("\x00" * (length - len(b))) + b
-+    return b
-+
-+
-+def _encodePoint(point):
-+    x = point[0]
-+    y = point[1]
-+    if (y * y) % p != (x * x * x - 3 * x + p256B) % p:
-+        raise "point not on curve"
-+    return "\x04" + _zeroPad(_encodeBigEndian(point[0]), 32) + _zeroPad(
-+        _encodeBigEndian(point[1]), 32)
-+
-+
-+def _decodePoint(b):
-+    if len(b) != 1 + 32 + 32 or ord(b[0]) != 4:
-+        raise "invalid encoded ec point"
-+    x = _decodeBigEndian(b[1:33])
-+    y = _decodeBigEndian(b[33:65])
-+    if (y * y) % p != (x * x * x - 3 * x + p256B) % p:
-+        raise "point not on curve"
-+    return (x, y)
-+
-+
-+def generatePublicPrivate():
-+    """generatePublicPrivate returns a tuple of (X9.62 encoded public point,
-+    private value), where the private value is generated from os.urandom."""
-+    private = _decodeBigEndian(os.urandom(40)) % order
-+    return _encodePoint(_scalarBaseMult(private)), private
-+
-+
-+def generateSharedValue(theirPublic, private):
-+    """generateSharedValue returns the encoded x-coordinate of the
-+    multiplication of a peer's X9.62 encoded point and a private value."""
-+    return _zeroPad(
-+        _encodeBigEndian(_scalarMult(private, _decodePoint(theirPublic))[0]),
-+        32)
-+
-+if __name__ == "__main__":
-+    alice, alicePrivate = generatePublicPrivate()
-+    bob, bobPrivate = generatePublicPrivate()
-+
-+    if generateSharedValue(alice, bobPrivate) != generateSharedValue(
-+        bob, alicePrivate):
-+        raise "simple DH test failed"
-+
-+    (x, _) = _scalarBaseMult(1)
-+
-+    for i in range(1000):
-+        (x, _) = _scalarBaseMult(x)
-+
-+    if x != 2428281965257598569040586318034812501729437946720808289049534492833635302706:
-+        raise "loop test failed"
diff --git a/third_party/tlslite/patches/exported_keying_material.patch b/third_party/tlslite/patches/exported_keying_material.patch
deleted file mode 100644
index 9d4ed9c..0000000
--- a/third_party/tlslite/patches/exported_keying_material.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 7363a30..e42b362 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -181,6 +181,8 @@ class TLSConnection(TLSRecordLayer):
-         @type sock: L{socket.socket}
-         """
-         TLSRecordLayer.__init__(self, sock)
-+        self.clientRandom = b""
-+        self.serverRandom = b""
- 
-     #*********************************************************
-     # Client Handshake Functions
-@@ -606,6 +608,9 @@ class TLSConnection(TLSRecordLayer):
-                 else: break
-         masterSecret = result
-         
-+        self.clientRandom = clientHello.random
-+        self.serverRandom = serverHello.random
-+
-         # Create the session object which is used for resumptions
-         self.session = Session()
-         self.session.create(masterSecret, serverHello.session_id, cipherSuite,
-@@ -1398,6 +1403,9 @@ class TLSConnection(TLSRecordLayer):
-                 else: break
-         masterSecret = result
- 
-+        self.clientRandom = clientHello.random
-+        self.serverRandom = serverHello.random
-+
-         #Create the session object
-         self.session = Session()
-         if cipherSuite in CipherSuite.certAllSuites:        
-@@ -2013,3 +2025,22 @@ class TLSConnection(TLSRecordLayer):
-             except:
-                 self._shutdown(False)
-                 raise
-+
-+
-+    def exportKeyingMaterial(self, label, context, use_context, length):
-+        """Returns the exported keying material as defined in RFC 5705."""
-+
-+        seed = self.clientRandom + self.serverRandom
-+        if use_context:
-+            if len(context) > 65535:
-+                raise ValueError("Context is too long")
-+            seed += bytearray(2)
-+            seed[len(seed) - 2] = len(context) >> 8
-+            seed[len(seed) - 1] = len(context) & 0xFF
-+            seed += context
-+        if self.version in ((3,1), (3,2)):
-+            return PRF(self.session.masterSecret, label, seed, length)
-+        elif self.version == (3,3):
-+            return PRF_1_2(self.session.masterSecret, label, seed, length)
-+        else:
-+            raise AssertionError()
diff --git a/third_party/tlslite/patches/extended_master_secret.patch b/third_party/tlslite/patches/extended_master_secret.patch
deleted file mode 100644
index b6ad58dd..0000000
--- a/third_party/tlslite/patches/extended_master_secret.patch
+++ /dev/null
@@ -1,230 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 6d78a20..f9c8676 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -55,6 +55,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     srp = 12            # RFC 5054  
-     cert_type = 9       # RFC 6091
-     signed_cert_timestamps = 18  # RFC 6962
-+    extended_master_secret = 23  # draft-ietf-tls-session-hash-06
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index 605ed42..a7b6ab9 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -111,6 +111,10 @@ class HandshakeSettings(object):
-     @type alertAfterHandshake: bool
-     @ivar alertAfterHandshake: If true, the server will send a fatal
-     alert immediately after the handshake completes.
-+
-+    @type enableExtendedMasterSecret: bool
-+    @ivar enableExtendedMasterSecret: If true, the server supports the extended
-+    master secret TLS extension and will negotiated it with supporting clients.
-     
-     Note that TACK support is not standardized by IETF and uses a temporary
-     TLS Extension number, so should NOT be used in production software.
-@@ -129,6 +133,7 @@ class HandshakeSettings(object):
-         self.tlsIntoleranceType = 'alert'
-         self.useExperimentalTackExtension = False
-         self.alertAfterHandshake = False
-+        self.enableExtendedMasterSecret = True
- 
-     # Validates the min/max fields, and certificateTypes
-     # Filters out unsupported cipherNames and cipherImplementations
-@@ -146,6 +151,7 @@ class HandshakeSettings(object):
-         other.tlsIntolerant = self.tlsIntolerant
-         other.tlsIntoleranceType = self.tlsIntoleranceType
-         other.alertAfterHandshake = self.alertAfterHandshake
-+        other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
- 
-         if not cipherfactory.tripleDESPresent:
-             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-diff --git a/third_party/tlslite/tlslite/mathtls.py b/third_party/tlslite/tlslite/mathtls.py
-index 60a331a..0a23fe1 100644
---- a/third_party/tlslite/tlslite/mathtls.py
-+++ b/third_party/tlslite/tlslite/mathtls.py
-@@ -67,16 +67,20 @@ def PRF_SSL(secret, seed, length):
-             index += 1
-     return bytes
- 
--def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom):
-+def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom,
-+                     handshakeHash, useExtendedMasterSecret):
-+    label = b"master secret"
-+    seed = clientRandom + serverRandom
-+    if useExtendedMasterSecret:
-+        label = b"extended master secret"
-+        seed = handshakeHash
-+
-     if version == (3,0):
--        masterSecret = PRF_SSL(premasterSecret,
--                            clientRandom + serverRandom, 48)
-+        masterSecret = PRF_SSL(premasterSecret, seed, 48)
-     elif version in ((3,1), (3,2)):
--        masterSecret = PRF(premasterSecret, b"master secret",
--                            clientRandom + serverRandom, 48)
-+        masterSecret = PRF(premasterSecret, label, seed, 48)
-     elif version == (3,3):
--        masterSecret = PRF_1_2(premasterSecret, b"master secret",
--                            clientRandom + serverRandom, 48)
-+        masterSecret = PRF_1_2(premasterSecret, label, seed, 48)
-     else:
-         raise AssertionError()
-     return masterSecret
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 9aeff6d..9b553ce 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg):
-         self.supports_npn = False
-         self.server_name = bytearray(0)
-         self.channel_id = False
-+        self.extended_master_secret = False
-         self.support_signed_cert_timestamps = False
-         self.status_request = False
- 
-@@ -185,6 +186,8 @@ class ClientHello(HandshakeMsg):
-                                 break
-                     elif extType == ExtensionType.channel_id:
-                         self.channel_id = True
-+                    elif extType == ExtensionType.extended_master_secret:
-+                        self.extended_master_secret = True
-                     elif extType == ExtensionType.signed_cert_timestamps:
-                         if extLength:
-                             raise SyntaxError()
-@@ -267,6 +270,7 @@ class ServerHello(HandshakeMsg):
-         self.next_protos_advertised = None
-         self.next_protos = None
-         self.channel_id = False
-+        self.extended_master_secret = False
-         self.signed_cert_timestamps = None
-         self.status_request = False
- 
-@@ -358,6 +362,9 @@ class ServerHello(HandshakeMsg):
-         if self.channel_id:
-             w2.add(ExtensionType.channel_id, 2)
-             w2.add(0, 2)
-+        if self.extended_master_secret:
-+            w2.add(ExtensionType.extended_master_secret, 2)
-+            w2.add(0, 2)
-         if self.signed_cert_timestamps:
-             w2.add(ExtensionType.signed_cert_timestamps, 2)
-             w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index dfac274..04161513 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -981,7 +981,8 @@ class TLSConnection(TLSRecordLayer):
-                 masterSecret = calcMasterSecret(self.version,
-                                          premasterSecret,
-                                          clientRandom,
--                                         serverRandom)
-+                                         serverRandom,
-+                                         b"", False)
-                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
-             elif self.version in ((3,1), (3,2)):
-                 verifyBytes = self._handshake_md5.digest() + \
-@@ -1036,7 +1037,7 @@ class TLSConnection(TLSRecordLayer):
-                         cipherSuite, cipherImplementations, nextProto):
- 
-         masterSecret = calcMasterSecret(self.version, premasterSecret,
--                            clientRandom, serverRandom)
-+                            clientRandom, serverRandom, b"", False)
-         self._calcPendingStates(cipherSuite, masterSecret, 
-                                 clientRandom, serverRandom, 
-                                 cipherImplementations)
-@@ -1326,6 +1327,9 @@ class TLSConnection(TLSRecordLayer):
-                             cipherSuite, CertificateType.x509, tackExt,
-                             nextProtos)
-         serverHello.channel_id = clientHello.channel_id
-+        serverHello.extended_master_secret = \
-+            clientHello.extended_master_secret and \
-+            settings.enableExtendedMasterSecret
-         if clientHello.support_signed_cert_timestamps:
-             serverHello.signed_cert_timestamps = signedCertTimestamps
-         if clientHello.status_request:
-@@ -1383,7 +1387,8 @@ class TLSConnection(TLSRecordLayer):
-         for result in self._serverFinished(premasterSecret, 
-                                 clientHello.random, serverHello.random,
-                                 cipherSuite, settings.cipherImplementations,
--                                nextProtos, clientHello.channel_id):
-+                                nextProtos, clientHello.channel_id,
-+                                serverHello.extended_master_secret):
-                 if result in (0,1): yield result
-                 else: break
-         masterSecret = result
-@@ -1523,6 +1528,9 @@ class TLSConnection(TLSRecordLayer):
-                 serverHello.create(self.version, getRandomBytes(32),
-                                    session.sessionID, session.cipherSuite,
-                                    CertificateType.x509, None, None)
-+                serverHello.extended_master_secret = \
-+                    clientHello.extended_master_secret and \
-+                    settings.enableExtendedMasterSecret
-                 for result in self._sendMsg(serverHello):
-                     yield result
- 
-@@ -1743,7 +1751,8 @@ class TLSConnection(TLSRecordLayer):
-         if clientCertChain:
-             if self.version == (3,0):
-                 masterSecret = calcMasterSecret(self.version, premasterSecret,
--                                         clientHello.random, serverHello.random)
-+                                         clientHello.random, serverHello.random,
-+                                         b"", False)
-                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
-             elif self.version in ((3,1), (3,2)):
-                 verifyBytes = self._handshake_md5.digest() + \
-@@ -1827,9 +1836,11 @@ class TLSConnection(TLSRecordLayer):
- 
-     def _serverFinished(self,  premasterSecret, clientRandom, serverRandom,
-                         cipherSuite, cipherImplementations, nextProtos,
--                        doingChannelID):
-+                        doingChannelID, useExtendedMasterSecret):
-         masterSecret = calcMasterSecret(self.version, premasterSecret,
--                                      clientRandom, serverRandom)
-+                                      clientRandom, serverRandom,
-+                                      self._ems_handshake_hash,
-+                                      useExtendedMasterSecret)
-         
-         #Calculate pending connection states
-         self._calcPendingStates(cipherSuite, masterSecret, 
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index c3bcd8c..d2320b8 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -119,6 +119,7 @@ class TLSRecordLayer(object):
-         self._handshake_md5 = hashlib.md5()
-         self._handshake_sha = hashlib.sha1()
-         self._handshake_sha256 = hashlib.sha256()
-+        self._ems_handshake_hash = b""
- 
-         #TLS Protocol Version
-         self.version = (0,0) #read-only
-@@ -814,6 +815,8 @@ class TLSRecordLayer(object):
-                 self._handshake_md5.update(compat26Str(p.bytes))
-                 self._handshake_sha.update(compat26Str(p.bytes))
-                 self._handshake_sha256.update(compat26Str(p.bytes))
-+                if subType == HandshakeType.client_key_exchange:
-+                    self._ems_handshake_hash = self._getHandshakeHash()
- 
-                 #Parse based on handshake type
-                 if subType == HandshakeType.client_hello:
-@@ -1112,6 +1115,7 @@ class TLSRecordLayer(object):
-         self._handshake_md5 = hashlib.md5()
-         self._handshake_sha = hashlib.sha1()
-         self._handshake_sha256 = hashlib.sha256()
-+        self._ems_handshake_hash = b""
-         self._handshakeBuffer = []
-         self.allegedSrpUsername = None
-         self._refCount = 1
-@@ -1256,3 +1260,9 @@ class TLSRecordLayer(object):
- 
-         return md5Bytes + shaBytes
- 
-+    def _getHandshakeHash(self):
-+        if self.version in ((3,1), (3,2)):
-+            return self._handshake_md5.digest() + \
-+                self._handshake_sha.digest()
-+        elif self.version == (3,3):
-+            return self._handshake_sha256.digest()
diff --git a/third_party/tlslite/patches/extension_number_update.patch b/third_party/tlslite/patches/extension_number_update.patch
deleted file mode 100644
index 024d7c9..0000000
--- a/third_party/tlslite/patches/extension_number_update.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 84bb703..715def9 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -55,11 +55,11 @@ class ExtensionType:    # RFC 6066 / 4366
-     srp = 12            # RFC 5054  
-     cert_type = 9       # RFC 6091
-     signed_cert_timestamps = 18  # RFC 6962
--    extended_master_secret = 23  # draft-ietf-tls-session-hash-06
-+    extended_master_secret = 23  # RFC 7627
-+    token_binding = 24           # draft-ietf-tokbind-negotiation
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
--    token_binding = 30033
- 
- class HashAlgorithm:
-     none = 0
diff --git a/third_party/tlslite/patches/fallback_scsv.patch b/third_party/tlslite/patches/fallback_scsv.patch
deleted file mode 100644
index 460468b..0000000
--- a/third_party/tlslite/patches/fallback_scsv.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 8720de6..69e6067 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -107,6 +107,7 @@ class AlertDescription:
-     protocol_version = 70
-     insufficient_security = 71
-     internal_error = 80
-+    inappropriate_fallback = 86
-     user_canceled = 90
-     no_renegotiation = 100
-     unknown_psk_identity = 115
-@@ -118,6 +119,9 @@ class CipherSuite:
-     # We actually don't do any renegotiation, but this
-     # prevents renegotiation attacks
-     TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
-+
-+    # draft-ietf-tls-downgrade-scsv-03
-+    TLS_FALLBACK_SCSV = 0x5600
-     
-     TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA  = 0xC01A
-     TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
-diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite/errors.py
-index 22c298c..001ef33 100644
---- a/third_party/tlslite/tlslite/errors.py
-+++ b/third_party/tlslite/tlslite/errors.py
-@@ -63,6 +63,7 @@ class TLSAlert(TLSError):
-         AlertDescription.protocol_version: "protocol_version",\
-         AlertDescription.insufficient_security: "insufficient_security",\
-         AlertDescription.internal_error: "internal_error",\
-+        AlertDescription.inappropriate_fallback: "inappropriate_fallback",\
-         AlertDescription.user_canceled: "user_canceled",\
-         AlertDescription.no_renegotiation: "no_renegotiation",\
-         AlertDescription.unknown_psk_identity: "unknown_psk_identity"}
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 4dedc5f..0563fb5f 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -969,7 +969,8 @@ class TLSConnection(TLSRecordLayer):
-                         reqCAs = None, 
-                         tacks=None, activationFlags=0,
-                         nextProtos=None, anon=False,
--                        tlsIntolerant=None, signedCertTimestamps=None):
-+                        tlsIntolerant=None, signedCertTimestamps=None,
-+                        fallbackSCSV=False):
-         """Perform a handshake in the role of server.
- 
-         This function performs an SSL or TLS handshake.  Depending on
-@@ -1048,6 +1049,11 @@ class TLSConnection(TLSRecordLayer):
-         binary 8-bit string) that will be sent as a TLS extension whenever
-         the client announces support for the extension.
- 
-+        @type fallbackSCSV: bool
-+        @param fallbackSCSV: if true, the server will implement
-+        TLS_FALLBACK_SCSV and thus reject connections using less than the
-+        server's maximum TLS version that include this cipher suite.
-+
-         @raise socket.error: If a socket error occurs.
-         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-         without a preceding alert.
-@@ -1060,7 +1066,8 @@ class TLSConnection(TLSRecordLayer):
-                 checker, reqCAs, 
-                 tacks=tacks, activationFlags=activationFlags, 
-                 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
--                signedCertTimestamps=signedCertTimestamps):
-+                signedCertTimestamps=signedCertTimestamps,
-+                fallbackSCSV=fallbackSCSV):
-             pass
- 
- 
-@@ -1071,7 +1078,8 @@ class TLSConnection(TLSRecordLayer):
-                              tacks=None, activationFlags=0,
-                              nextProtos=None, anon=False,
-                              tlsIntolerant=None,
--                             signedCertTimestamps=None
-+                             signedCertTimestamps=None,
-+                             fallbackSCSV=False
-                              ):
-         """Start a server handshake operation on the TLS connection.
- 
-@@ -1092,7 +1100,8 @@ class TLSConnection(TLSRecordLayer):
-             tacks=tacks, activationFlags=activationFlags, 
-             nextProtos=nextProtos, anon=anon,
-             tlsIntolerant=tlsIntolerant,
--            signedCertTimestamps=signedCertTimestamps)
-+            signedCertTimestamps=signedCertTimestamps,
-+            fallbackSCSV=fallbackSCSV)
-         for result in self._handshakeWrapperAsync(handshaker, checker):
-             yield result
- 
-@@ -1102,7 +1111,7 @@ class TLSConnection(TLSRecordLayer):
-                              settings, reqCAs, 
-                              tacks, activationFlags, 
-                              nextProtos, anon,
--                             tlsIntolerant, signedCertTimestamps):
-+                             tlsIntolerant, signedCertTimestamps, fallbackSCSV):
- 
-         self._handshakeStart(client=False)
- 
-@@ -1137,7 +1146,7 @@ class TLSConnection(TLSRecordLayer):
-         # Handle ClientHello and resumption
-         for result in self._serverGetClientHello(settings, certChain,\
-                                             verifierDB, sessionCache,
--                                            anon, tlsIntolerant):
-+                                            anon, tlsIntolerant, fallbackSCSV):
-             if result in (0,1): yield result
-             elif result == None:
-                 self._handshakeDone(resumed=True)                
-@@ -1237,7 +1246,7 @@ class TLSConnection(TLSRecordLayer):
- 
- 
-     def _serverGetClientHello(self, settings, certChain, verifierDB,
--                                sessionCache, anon, tlsIntolerant):
-+                                sessionCache, anon, tlsIntolerant, fallbackSCSV):
-         #Initialize acceptable cipher suites
-         cipherSuites = []
-         if verifierDB:
-@@ -1283,6 +1292,14 @@ class TLSConnection(TLSRecordLayer):
-         elif clientHello.client_version > settings.maxVersion:
-             self.version = settings.maxVersion
- 
-+        #Detect if the client performed an inappropriate fallback.
-+        elif fallbackSCSV and clientHello.client_version < settings.maxVersion:
-+            self.version = clientHello.client_version
-+            if CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites:
-+                for result in self._sendError(\
-+                        AlertDescription.inappropriate_fallback):
-+                    yield result
-+
-         else:
-             #Set the version to the client's version
-             self.version = clientHello.client_version  
diff --git a/third_party/tlslite/patches/fix_test_file.patch b/third_party/tlslite/patches/fix_test_file.patch
deleted file mode 100644
index 891b556..0000000
--- a/third_party/tlslite/patches/fix_test_file.patch
+++ /dev/null
@@ -1,8 +0,0 @@
-diff --git a/third_party/tlslite/tests/httpsserver.sh b/third_party/tlslite/tests/httpsserver.sh
-index 046eb2e..7449ad7 100755
---- a/third_party/tlslite/tests/httpsserver.sh
-+++ b/third_party/tlslite/tests/httpsserver.sh
-@@ -1,2 +1,2 @@
--# /bin/sh
-+#!/bin/sh
- python ../scripts/tls.py server -k serverX509Key.pem -c serverX509Cert.pem -t TACK1.pem localhost:4443
diff --git a/third_party/tlslite/patches/ignore_write_failure.patch b/third_party/tlslite/patches/ignore_write_failure.patch
deleted file mode 100644
index 0a5e960..0000000
--- a/third_party/tlslite/patches/ignore_write_failure.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index 6ef3895..3584726 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -288,7 +288,9 @@ class TLSRecordLayer(object):
-         except GeneratorExit:
-             raise
-         except Exception:
--            self._shutdown(False)
-+            # Don't invalidate the session on write failure if abrupt closes are
-+            # okay.
-+            self._shutdown(self.ignoreAbruptClose)
-             raise
- 
-     def close(self):
diff --git a/third_party/tlslite/patches/intolerance_options.patch b/third_party/tlslite/patches/intolerance_options.patch
deleted file mode 100644
index 2aee3c6..0000000
--- a/third_party/tlslite/patches/intolerance_options.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index 7998e2e..2e9e06d 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -19,6 +19,7 @@ ALL_MAC_NAMES = ["sha", "sha256", "md5"]
- KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
- CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
- CERTIFICATE_TYPES = ["x509"]
-+TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"]
- 
- class HandshakeSettings(object):
-     """This class encapsulates various parameters that can be used with
-@@ -91,6 +92,21 @@ class HandshakeSettings(object):
-     version, a protocol_version alert will be signalled.  The default is (3,3).
-     (WARNING: Some servers may (improperly) reject clients which offer support
-     for TLS 1.1.  In this case, try lowering maxVersion to (3,1)).
-+
-+    @type tlsIntolerant: tuple
-+    @ivar tlsIntolerant: The TLS ClientHello version which the server
-+    simulates intolerance of.
-+
-+    If tlsIntolerant is not None, the server will simulate TLS version
-+    intolerance by aborting the handshake in response to all TLS versions
-+    tlsIntolerant or higher.
-+
-+    @type tlsIntoleranceType: str
-+    @ivar tlsIntoleranceType: How the server should react when simulating TLS
-+    intolerance.
-+
-+    The allowed values are "alert" (return a fatal handshake_failure alert),
-+    "close" (abruptly close the connection), and "reset" (send a TCP reset).
-     
-     @type useExperimentalTackExtension: bool
-     @ivar useExperimentalTackExtension: Whether to enabled TACK support.
-@@ -108,6 +124,8 @@ class HandshakeSettings(object):
-         self.certificateTypes = CERTIFICATE_TYPES
-         self.minVersion = (3,1)
-         self.maxVersion = (3,3)
-+        self.tlsIntolerant = None
-+        self.tlsIntoleranceType = 'alert'
-         self.useExperimentalTackExtension = False
- 
-     # Validates the min/max fields, and certificateTypes
-@@ -123,6 +141,8 @@ class HandshakeSettings(object):
-         other.certificateTypes = self.certificateTypes
-         other.minVersion = self.minVersion
-         other.maxVersion = self.maxVersion
-+        other.tlsIntolerant = self.tlsIntolerant
-+        other.tlsIntoleranceType = self.tlsIntoleranceType
- 
-         if not cipherfactory.tripleDESPresent:
-             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-@@ -164,6 +184,10 @@ class HandshakeSettings(object):
-             if s not in CERTIFICATE_TYPES:
-                 raise ValueError("Unknown certificate type: '%s'" % s)
- 
-+        if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES:
-+            raise ValueError(
-+                "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType)
-+
-         if other.minVersion > other.maxVersion:
-             raise ValueError("Versions set incorrectly")
- 
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index f8547d5..4f3ba1c 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1073,7 +1073,7 @@ class TLSConnection(TLSRecordLayer):
-                         reqCAs = None, reqCertTypes = None,
-                         tacks=None, activationFlags=0,
-                         nextProtos=None, anon=False,
--                        tlsIntolerant=None, signedCertTimestamps=None,
-+                        signedCertTimestamps=None,
-                         fallbackSCSV=False, ocspResponse=None):
-         """Perform a handshake in the role of server.
- 
-@@ -1147,11 +1147,6 @@ class TLSConnection(TLSRecordLayer):
-         clients through the Next-Protocol Negotiation Extension, 
-         if they support it.
- 
--        @type tlsIntolerant: (int, int) or None
--        @param tlsIntolerant: If tlsIntolerant is not None, the server will
--        simulate TLS version intolerance by returning a fatal handshake_failure
--        alert to all TLS versions tlsIntolerant or higher.
--
-         @type signedCertTimestamps: str
-         @param signedCertTimestamps: A SignedCertificateTimestampList (as a
-         binary 8-bit string) that will be sent as a TLS extension whenever
-@@ -1183,7 +1178,7 @@ class TLSConnection(TLSRecordLayer):
-                 certChain, privateKey, reqCert, sessionCache, settings,
-                 checker, reqCAs, reqCertTypes,
-                 tacks=tacks, activationFlags=activationFlags, 
--                nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
-+                nextProtos=nextProtos, anon=anon,
-                 signedCertTimestamps=signedCertTimestamps,
-                 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
-             pass
-@@ -1195,7 +1190,6 @@ class TLSConnection(TLSRecordLayer):
-                              reqCAs=None, reqCertTypes=None,
-                              tacks=None, activationFlags=0,
-                              nextProtos=None, anon=False,
--                             tlsIntolerant=None,
-                              signedCertTimestamps=None,
-                              fallbackSCSV=False,
-                              ocspResponse=None
-@@ -1218,7 +1212,6 @@ class TLSConnection(TLSRecordLayer):
-             reqCAs=reqCAs, reqCertTypes=reqCertTypes,
-             tacks=tacks, activationFlags=activationFlags, 
-             nextProtos=nextProtos, anon=anon,
--            tlsIntolerant=tlsIntolerant,
-             signedCertTimestamps=signedCertTimestamps,
-             fallbackSCSV=fallbackSCSV,
-             ocspResponse=ocspResponse)
-@@ -1231,7 +1224,7 @@ class TLSConnection(TLSRecordLayer):
-                              settings, reqCAs, reqCertTypes,
-                              tacks, activationFlags, 
-                              nextProtos, anon,
--                             tlsIntolerant, signedCertTimestamps, fallbackSCSV,
-+                             signedCertTimestamps, fallbackSCSV,
-                              ocspResponse):
- 
-         self._handshakeStart(client=False)
-@@ -1269,7 +1262,7 @@ class TLSConnection(TLSRecordLayer):
-         # Handle ClientHello and resumption
-         for result in self._serverGetClientHello(settings, certChain,\
-                                             verifierDB, sessionCache,
--                                            anon, tlsIntolerant, fallbackSCSV):
-+                                            anon, fallbackSCSV):
-             if result in (0,1): yield result
-             elif result == None:
-                 self._handshakeDone(resumed=True)                
-@@ -1384,7 +1377,7 @@ class TLSConnection(TLSRecordLayer):
- 
- 
-     def _serverGetClientHello(self, settings, certChain, verifierDB,
--                                sessionCache, anon, tlsIntolerant, fallbackSCSV):
-+                                sessionCache, anon, fallbackSCSV):
-         #Initialize acceptable cipher suites
-         cipherSuites = []
-         if verifierDB:
-@@ -1421,11 +1414,21 @@ class TLSConnection(TLSRecordLayer):
-                 yield result
- 
-         #If simulating TLS intolerance, reject certain TLS versions.
--        elif (tlsIntolerant is not None and
--            clientHello.client_version >= tlsIntolerant):
--            for result in self._sendError(\
-+        elif (settings.tlsIntolerant is not None and
-+              clientHello.client_version >= settings.tlsIntolerant):
-+            if settings.tlsIntoleranceType == "alert":
-+                for result in self._sendError(\
-                     AlertDescription.handshake_failure):
--                yield result
-+                    yield result
-+            elif settings.tlsIntoleranceType == "close":
-+                self._abruptClose()
-+                raise TLSUnsupportedError("Simulating version intolerance")
-+            elif settings.tlsIntoleranceType == "reset":
-+                self._abruptClose(reset=True)
-+                raise TLSUnsupportedError("Simulating version intolerance")
-+            else:
-+                raise ValueError("Unknown intolerance type: '%s'" %
-+                                 settings.tlsIntoleranceType)
- 
-         #If client's version is too high, propose my highest version
-         elif clientHello.client_version > settings.maxVersion:
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index 3584726..eda11e6 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -20,6 +20,7 @@ from .constants import *
- from .utils.cryptomath import getRandomBytes
- 
- import socket
-+import struct
- import errno
- import traceback
- 
-@@ -527,6 +528,13 @@ class TLSRecordLayer(object):
-         self._shutdown(False)
-         raise TLSLocalAlert(alert, errorStr)
- 
-+    def _abruptClose(self, reset=False):
-+        if reset:
-+            #Set an SO_LINGER timeout of 0 to send a TCP RST.
-+            self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
-+                            struct.pack('ii', 1, 0))
-+        self._shutdown(False)
-+
-     def _sendMsgs(self, msgs):
-         randomizeFirstBlock = True
-         for msg in msgs:
diff --git a/third_party/tlslite/patches/python3.patch b/third_party/tlslite/patches/python3.patch
deleted file mode 100644
index 12cffa1f..0000000
--- a/third_party/tlslite/patches/python3.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/integration/asyncstatemachine.py b/third_party/tlslite/tlslite/integration/asyncstatemachine.py
-index 50a6f4a355c14..9faf84f966a31 100644
---- a/third_party/tlslite/tlslite/integration/asyncstatemachine.py
-+++ b/third_party/tlslite/tlslite/integration/asyncstatemachine.py
-@@ -192,7 +192,7 @@ class AsyncStateMachine:
-         @type handshaker: generator
-         @param handshaker: A generator created by using one of the
-         asynchronous handshake functions (i.e. handshakeServerAsync, or
--        handshakeClientxxx(..., async=True).
-+        handshakeClientxxx(..., is_async=True).
-         """
-         try:
-             self._checkAssert(0)
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index ce4f1a6e15eb2..5df50d34cd3ad 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -9,6 +9,8 @@
- 
- """Classes representing TLS messages."""
- 
-+from __future__ import division
-+
- from .utils.compat import *
- from .utils.cryptomath import *
- from .errors import *
-@@ -262,7 +264,7 @@ class ClientHello(HandshakeMsg):
-                         numBytes = p.get(2)
-                         if numBytes + 2 != extLength or numBytes % 2 != 0:
-                             raise SyntaxError()
--                        for _ in range(numBytes / 2):
-+                        for _ in range(numBytes // 2):
-                             hashAlg = p.get(1)
-                             sigAlg = p.get(1)
-                             self.signature_algorithms.append((hashAlg, sigAlg))
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 6d7c859884a41..f64c848a511c0 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -202,7 +202,7 @@ class TLSConnection(TLSRecordLayer):
- 
-     def handshakeClientAnonymous(self, session=None, settings=None, 
-                                 checker=None, serverName="",
--                                async=False):
-+                                is_async=False):
-         """Perform an anonymous handshake in the role of client.
- 
-         This function performs an SSL or TLS handshake using an
-@@ -236,8 +236,8 @@ class TLSConnection(TLSRecordLayer):
-         @type serverName: string
-         @param serverName: The ServerNameIndication TLS Extension.
- 
--        @type async: bool
--        @param async: If False, this function will block until the
-+        @type is_async: bool
-+        @param is_async: If False, this function will block until the
-         handshake is completed.  If True, this function will return a
-         generator.  Successive invocations of the generator will
-         return 0 if it is waiting to read from the socket, 1 if it is
-@@ -245,7 +245,7 @@ class TLSConnection(TLSRecordLayer):
-         the handshake operation is completed.
- 
-         @rtype: None or an iterable
--        @return: If 'async' is True, a generator object will be
-+        @return: If 'is_async' is True, a generator object will be
-         returned.
- 
-         @raise socket.error: If a socket error occurs.
-@@ -260,7 +260,7 @@ class TLSConnection(TLSRecordLayer):
-                                                 settings=settings,
-                                                 checker=checker,
-                                                 serverName=serverName)
--        if async:
-+        if is_async:
-             return handshaker
-         for result in handshaker:
-             pass
-@@ -268,7 +268,7 @@ class TLSConnection(TLSRecordLayer):
-     def handshakeClientSRP(self, username, password, session=None,
-                            settings=None, checker=None, 
-                            reqTack=True, serverName="",
--                           async=False):
-+                           is_async=False):
-         """Perform an SRP handshake in the role of client.
- 
-         This function performs a TLS/SRP handshake.  SRP mutually
-@@ -313,8 +313,8 @@ class TLSConnection(TLSRecordLayer):
-         @type serverName: string
-         @param serverName: The ServerNameIndication TLS Extension.
- 
--        @type async: bool
--        @param async: If False, this function will block until the
-+        @type is_async: bool
-+        @param is_async: If False, this function will block until the
-         handshake is completed.  If True, this function will return a
-         generator.  Successive invocations of the generator will
-         return 0 if it is waiting to read from the socket, 1 if it is
-@@ -322,7 +322,7 @@ class TLSConnection(TLSRecordLayer):
-         the handshake operation is completed.
- 
-         @rtype: None or an iterable
--        @return: If 'async' is True, a generator object will be
-+        @return: If 'is_async' is True, a generator object will be
-         returned.
- 
-         @raise socket.error: If a socket error occurs.
-@@ -340,9 +340,9 @@ class TLSConnection(TLSRecordLayer):
-         # fashion, returning 1 when it is waiting to able to write, 0 when
-         # it is waiting to read.
-         #
--        # If 'async' is True, the generator is returned to the caller, 
--        # otherwise it is executed to completion here.  
--        if async:
-+        # If 'is_async' is True, the generator is returned to the caller,
-+        # otherwise it is executed to completion here.
-+        if is_async:
-             return handshaker
-         for result in handshaker:
-             pass
-@@ -350,7 +350,7 @@ class TLSConnection(TLSRecordLayer):
-     def handshakeClientCert(self, certChain=None, privateKey=None,
-                             session=None, settings=None, checker=None,
-                             nextProtos=None, reqTack=True, serverName="",
--                            async=False):
-+                            is_async=False):
-         """Perform a certificate-based handshake in the role of client.
- 
-         This function performs an SSL or TLS handshake.  The server
-@@ -407,8 +407,8 @@ class TLSConnection(TLSRecordLayer):
-         @type serverName: string
-         @param serverName: The ServerNameIndication TLS Extension.
- 
--        @type async: bool
--        @param async: If False, this function will block until the
-+        @type is_async: bool
-+        @param is_async: If False, this function will block until the
-         handshake is completed.  If True, this function will return a
-         generator.  Successive invocations of the generator will
-         return 0 if it is waiting to read from the socket, 1 if it is
-@@ -416,7 +416,7 @@ class TLSConnection(TLSRecordLayer):
-         the handshake operation is completed.
- 
-         @rtype: None or an iterable
--        @return: If 'async' is True, a generator object will be
-+        @return: If 'is_async' is True, a generator object will be
-         returned.
- 
-         @raise socket.error: If a socket error occurs.
-@@ -435,9 +435,9 @@ class TLSConnection(TLSRecordLayer):
-         # fashion, returning 1 when it is waiting to able to write, 0 when
-         # it is waiting to read.
-         #
--        # If 'async' is True, the generator is returned to the caller, 
--        # otherwise it is executed to completion here.                        
--        if async:
-+        # If 'is_async' is True, the generator is returned to the caller,
-+        # otherwise it is executed to completion here.
-+        if is_async:
-             return handshaker
-         for result in handshaker:
-             pass
-@@ -1368,10 +1368,10 @@ class TLSConnection(TLSRecordLayer):
-         # See https://tools.ietf.org/html/rfc8446#section-4.1.3
-         if settings.simulateTLS13Downgrade:
-             serverRandom = serverRandom[:24] + \
--                bytearray("\x44\x4f\x57\x4e\x47\x52\x44\x01")
-+                bytearray(b"\x44\x4f\x57\x4e\x47\x52\x44\x01")
-         elif settings.simulateTLS12Downgrade:
-             serverRandom = serverRandom[:24] + \
--                bytearray("\x44\x4f\x57\x4e\x47\x52\x44\x00")
-+                bytearray(b"\x44\x4f\x57\x4e\x47\x52\x44\x00")
-         serverHello = ServerHello()
-         serverHello.create(self.version, serverRandom, sessionID, \
-                             cipherSuite, CertificateType.x509, tackExt,
-diff --git a/third_party/tlslite/tlslite/utils/aesgcm.py b/third_party/tlslite/tlslite/utils/aesgcm.py
-index 7319c268536a3..c887f2f518e77 100644
---- a/third_party/tlslite/tlslite/utils/aesgcm.py
-+++ b/third_party/tlslite/tlslite/utils/aesgcm.py
-@@ -13,6 +13,8 @@
- # x^127 term. This bit reversal also applies to polynomials used as indices in a
- # look-up table.
- 
-+from __future__ import division
-+
- from .cryptomath import bytesToNumber, numberToByteArray
- 
- class AESGCM(object):
-@@ -47,7 +49,7 @@ class AESGCM(object):
-         self._productTable[_reverseBits(1)] = h
-         for i in range(2, 16, 2):
-             self._productTable[_reverseBits(i)] = \
--                _gcmShift(self._productTable[_reverseBits(i/2)])
-+                _gcmShift(self._productTable[_reverseBits(i//2)])
-             self._productTable[_reverseBits(i+1)] = \
-                 _gcmAdd(self._productTable[_reverseBits(i)], h)
- 
-diff --git a/third_party/tlslite/tlslite/utils/p256.py b/third_party/tlslite/tlslite/utils/p256.py
-index 6eb9a7799accc..45159000fa499 100644
---- a/third_party/tlslite/tlslite/utils/p256.py
-+++ b/third_party/tlslite/tlslite/utils/p256.py
-@@ -2,6 +2,7 @@
- # See the LICENSE file for legal information regarding use of this file.
- 
- import os
-+import six
- 
- p = (
-     115792089210356248762697446949407573530086143415290314195533631308867097853951)
-@@ -90,25 +91,27 @@ def _scalarBaseMult(k):
- 
- 
- def _decodeBigEndian(b):
--    return sum([ord(b[len(b) - i - 1]) << 8 * i for i in range(len(b))])
-+    # TODO(davidben): Replace with int.from_bytes when removing Python 2.
-+    return sum([six.indexbytes(b, len(b) - i - 1) << 8 * i
-+                for i in range(len(b))])
- 
- 
- def _encodeBigEndian(n):
--    b = []
-+    b = bytearray()
-     while n != 0:
--        b.append(chr(n & 0xff))
-+        b.append(n & 0xff)
-         n >>= 8
- 
-     if len(b) == 0:
-         b.append(0)
-     b.reverse()
- 
--    return "".join(b)
-+    return bytes(b)
- 
- 
- def _zeroPad(b, length):
-     if len(b) < length:
--        return ("\x00" * (length - len(b))) + b
-+        return (b"\x00" * (length - len(b))) + b
-     return b
- 
- 
-@@ -117,12 +120,12 @@ def _encodePoint(point):
-     y = point[1]
-     if (y * y) % p != (x * x * x - 3 * x + p256B) % p:
-         raise "point not on curve"
--    return "\x04" + _zeroPad(_encodeBigEndian(point[0]), 32) + _zeroPad(
-+    return b"\x04" + _zeroPad(_encodeBigEndian(point[0]), 32) + _zeroPad(
-         _encodeBigEndian(point[1]), 32)
- 
- 
- def _decodePoint(b):
--    if len(b) != 1 + 32 + 32 or ord(b[0]) != 4:
-+    if len(b) != 1 + 32 + 32 or six.indexbytes(b, 0) != 4:
-         raise "invalid encoded ec point"
-     x = _decodeBigEndian(b[1:33])
-     y = _decodeBigEndian(b[33:65])
-diff --git a/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py b/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py
-index d76ea2d1b13a6..453785664565c 100644
---- a/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py
-+++ b/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py
-@@ -15,9 +15,9 @@ if pycryptoLoaded:
-     class PyCrypto_RSAKey(RSAKey):
-         def __init__(self, n=0, e=0, d=0, p=0, q=0, dP=0, dQ=0, qInv=0):
-             if not d:
--                self.rsa = RSA.construct( (long(n), long(e)) )
-+                self.rsa = RSA.construct( (n, e) )
-             else:
--                self.rsa = RSA.construct( (long(n), long(e), long(d), long(p), long(q)) )
-+                self.rsa = RSA.construct( (n, e, d, p, q) )
- 
-         def __getattr__(self, name):
-             return getattr(self.rsa, name)
diff --git a/third_party/tlslite/patches/renegotiation_indication.patch b/third_party/tlslite/patches/renegotiation_indication.patch
deleted file mode 100644
index 69a1d7b5..0000000
--- a/third_party/tlslite/patches/renegotiation_indication.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index e9743e4..82e8c07 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -61,6 +61,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
-+    renegotiation_info = 0xFF01 # RFC 5746
- 
- class HashAlgorithm:
-     none = 0
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 1ce9320..ac7e563 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
-         self.tb_client_params = []
-         self.support_signed_cert_timestamps = False
-         self.status_request = False
-+        self.ri = False
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srpUsername=None,
-@@ -244,12 +245,20 @@ class ClientHello(HandshakeMsg):
-                         # request_extensions in the OCSP request.
-                         p.getFixBytes(extLength)
-                         self.status_request = True
-+                    elif extType == ExtensionType.renegotiation_info:
-+                        # We don't support renegotiation, so if we receive this
-+                        # extension, it should contain a single null byte.
-+                        if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
-+                            raise SyntaxError()
-+                        self.ri = True
-                     else:
-                         _ = p.getFixBytes(extLength)
-                     index2 = p.index
-                     if index2 - index1 != extLength:
-                         raise SyntaxError("Bad length for extension_data")
-                     soFar += 4 + extLength
-+            if CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in self.cipher_suites:
-+                self.ri = True
-             p.stopLengthCheck()
-         return self
- 
-@@ -327,6 +336,7 @@ class ServerHello(HandshakeMsg):
-         self.tb_params = None
-         self.signed_cert_timestamps = None
-         self.status_request = False
-+        self.send_ri = False
- 
-     def create(self, version, random, session_id, cipher_suite,
-                certificate_type, tackExt, alpn_proto_selected,
-@@ -432,6 +442,10 @@ class ServerHello(HandshakeMsg):
-         if self.status_request:
-             w2.add(ExtensionType.status_request, 2)
-             w2.add(0, 2)
-+        if self.send_ri:
-+            w2.add(ExtensionType.renegotiation_info, 2)
-+            w2.add(1, 2)
-+            w2.add(0, 1)
-         if len(w2.bytes):
-             w.add(len(w2.bytes), 2)
-             w.bytes += w2.bytes        
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index de5d580..8ba1c6e 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1370,6 +1370,8 @@ class TLSConnection(TLSRecordLayer):
-             serverHello.signed_cert_timestamps = signedCertTimestamps
-         if clientHello.status_request:
-             serverHello.status_request = ocspResponse
-+        if clientHello.ri:
-+            serverHello.send_ri = True
- 
-         # Perform the SRP key exchange
-         clientCertChain = None
-@@ -1583,6 +1585,8 @@ class TLSConnection(TLSRecordLayer):
-                     if param in settings.supportedTokenBindingParams:
-                           serverHello.tb_params = param
-                           break
-+                if clientHello.ri:
-+                    serverHello.send_ri = True
-                 for result in self._sendMsg(serverHello):
-                     yield result
- 
diff --git a/third_party/tlslite/patches/req_cert_types.patch b/third_party/tlslite/patches/req_cert_types.patch
deleted file mode 100644
index 4e69003..0000000
--- a/third_party/tlslite/patches/req_cert_types.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py
-index fa6a18c..aabcc14 100644
---- a/third_party/tlslite/tlslite/api.py
-+++ b/third_party/tlslite/tlslite/api.py
-@@ -2,7 +2,8 @@
- # See the LICENSE file for legal information regarding use of this file.
- 
- __version__ = "0.4.8"
--from .constants import AlertLevel, AlertDescription, Fault
-+from .constants import AlertLevel, AlertDescription, ClientCertificateType, \
-+                       Fault
- from .errors import *
- from .checker import Checker
- from .handshakesettings import HandshakeSettings
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index d2d50c5..7ee70be 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -15,10 +15,14 @@ class CertificateType:
-     openpgp = 1
- 
- class ClientCertificateType:
-+    # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
-     rsa_sign = 1
-     dss_sign = 2
-     rsa_fixed_dh = 3
-     dss_fixed_dh = 4
-+    ecdsa_sign = 64
-+    rsa_fixed_ecdh = 65
-+    ecdsa_fixed_ecdh = 66
-  
- class HandshakeType:
-     hello_request = 0
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 8b77ee6..e1be195 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -455,17 +455,14 @@ class CertificateStatus(HandshakeMsg):
- class CertificateRequest(HandshakeMsg):
-     def __init__(self, version):
-         HandshakeMsg.__init__(self, HandshakeType.certificate_request)
--        #Apple's Secure Transport library rejects empty certificate_types, so
--        #default to rsa_sign.
--        self.certificate_types = [ClientCertificateType.rsa_sign]
-+        self.certificate_types = []
-         self.certificate_authorities = []
-         self.version = version
-         self.supported_signature_algs = []
- 
--    def create(self, certificate_types, certificate_authorities, sig_algs=(), version=(3,0)):
-+    def create(self, certificate_types, certificate_authorities, sig_algs=()):
-         self.certificate_types = certificate_types
-         self.certificate_authorities = certificate_authorities
--        self.version = version
-         self.supported_signature_algs = sig_algs
-         return self
- 
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index f6d13d4..f8547d5 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1070,7 +1070,7 @@ class TLSConnection(TLSRecordLayer):
-     def handshakeServer(self, verifierDB=None,
-                         certChain=None, privateKey=None, reqCert=False,
-                         sessionCache=None, settings=None, checker=None,
--                        reqCAs = None, 
-+                        reqCAs = None, reqCertTypes = None,
-                         tacks=None, activationFlags=0,
-                         nextProtos=None, anon=False,
-                         tlsIntolerant=None, signedCertTimestamps=None,
-@@ -1138,6 +1138,10 @@ class TLSConnection(TLSRecordLayer):
-         will be sent along with a certificate request. This does not affect
-         verification.        
- 
-+        @type reqCertTypes: list of int
-+        @param reqCertTypes: A list of certificate_type values to be sent
-+        along with a certificate request. This does not affect verification.
-+
-         @type nextProtos: list of strings.
-         @param nextProtos: A list of upper layer protocols to expose to the
-         clients through the Next-Protocol Negotiation Extension, 
-@@ -1177,7 +1181,7 @@ class TLSConnection(TLSRecordLayer):
-         """
-         for result in self.handshakeServerAsync(verifierDB,
-                 certChain, privateKey, reqCert, sessionCache, settings,
--                checker, reqCAs, 
-+                checker, reqCAs, reqCertTypes,
-                 tacks=tacks, activationFlags=activationFlags, 
-                 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
-                 signedCertTimestamps=signedCertTimestamps,
-@@ -1188,7 +1192,7 @@ class TLSConnection(TLSRecordLayer):
-     def handshakeServerAsync(self, verifierDB=None,
-                              certChain=None, privateKey=None, reqCert=False,
-                              sessionCache=None, settings=None, checker=None,
--                             reqCAs=None, 
-+                             reqCAs=None, reqCertTypes=None,
-                              tacks=None, activationFlags=0,
-                              nextProtos=None, anon=False,
-                              tlsIntolerant=None,
-@@ -1211,7 +1215,7 @@ class TLSConnection(TLSRecordLayer):
-             verifierDB=verifierDB, certChain=certChain,
-             privateKey=privateKey, reqCert=reqCert,
-             sessionCache=sessionCache, settings=settings, 
--            reqCAs=reqCAs, 
-+            reqCAs=reqCAs, reqCertTypes=reqCertTypes,
-             tacks=tacks, activationFlags=activationFlags, 
-             nextProtos=nextProtos, anon=anon,
-             tlsIntolerant=tlsIntolerant,
-@@ -1224,7 +1228,7 @@ class TLSConnection(TLSRecordLayer):
- 
-     def _handshakeServerAsyncHelper(self, verifierDB,
-                              certChain, privateKey, reqCert, sessionCache,
--                             settings, reqCAs, 
-+                             settings, reqCAs, reqCertTypes,
-                              tacks, activationFlags, 
-                              nextProtos, anon,
-                              tlsIntolerant, signedCertTimestamps, fallbackSCSV,
-@@ -1240,6 +1244,8 @@ class TLSConnection(TLSRecordLayer):
-             raise ValueError("Caller passed a privateKey but no certChain")
-         if reqCAs and not reqCert:
-             raise ValueError("Caller passed reqCAs but not reqCert")            
-+        if reqCertTypes and not reqCert:
-+            raise ValueError("Caller passed reqCertTypes but not reqCert")
-         if certChain and not isinstance(certChain, X509CertChain):
-             raise ValueError("Unrecognized certificate type")
-         if activationFlags and not tacks:
-@@ -1328,7 +1334,7 @@ class TLSConnection(TLSRecordLayer):
-                 assert(False)
-             for result in self._serverCertKeyExchange(clientHello, serverHello, 
-                                         certChain, keyExchange,
--                                        reqCert, reqCAs, cipherSuite,
-+                                        reqCert, reqCAs, reqCertTypes, cipherSuite,
-                                         settings, ocspResponse):
-                 if result in (0,1): yield result
-                 else: break
-@@ -1607,7 +1613,7 @@ class TLSConnection(TLSRecordLayer):
- 
-     def _serverCertKeyExchange(self, clientHello, serverHello, 
-                                 serverCertChain, keyExchange,
--                                reqCert, reqCAs, cipherSuite,
-+                                reqCert, reqCAs, reqCertTypes, cipherSuite,
-                                 settings, ocspResponse):
-         #Send ServerHello, Certificate[, ServerKeyExchange]
-         #[, CertificateRequest], ServerHelloDone
-@@ -1623,11 +1629,13 @@ class TLSConnection(TLSRecordLayer):
-         serverKeyExchange = keyExchange.makeServerKeyExchange()
-         if serverKeyExchange is not None:
-             msgs.append(serverKeyExchange)
--        if reqCert and reqCAs:
--            msgs.append(CertificateRequest().create(\
--                [ClientCertificateType.rsa_sign], reqCAs))
--        elif reqCert:
--            msgs.append(CertificateRequest(self.version))
-+        if reqCert:
-+            reqCAs = reqCAs or []
-+            #Apple's Secure Transport library rejects empty certificate_types,
-+            #so default to rsa_sign.
-+            reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
-+            msgs.append(CertificateRequest(self.version).create(reqCertTypes,
-+                                                                reqCAs))
-         msgs.append(ServerHelloDone())
-         for result in self._sendMsgs(msgs):
-             yield result
diff --git a/third_party/tlslite/patches/save_client_hello.patch b/third_party/tlslite/patches/save_client_hello.patch
deleted file mode 100644
index ee445b5c..0000000
--- a/third_party/tlslite/patches/save_client_hello.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 4f3ba1c..cb743fe 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1269,6 +1269,9 @@ class TLSConnection(TLSRecordLayer):
-                 return # Handshake was resumed, we're done 
-             else: break
-         (clientHello, cipherSuite) = result
-+
-+        # Save the ClientHello for external code to query.
-+        self.clientHello = clientHello
-         
-         #If not a resumption...
- 
diff --git a/third_party/tlslite/patches/save_randoms.patch b/third_party/tlslite/patches/save_randoms.patch
deleted file mode 100644
index ceb4697..0000000
--- a/third_party/tlslite/patches/save_randoms.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index e42b362..41aab85 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1570,6 +1570,8 @@ class TLSConnection(TLSRecordLayer):
-                 #Set the session
-                 self.session = session
-                     
-+                self.clientRandom = clientHello.random
-+                self.serverRandom = serverHello.random
-                 yield None # Handshake done!
- 
-         #Calculate the first cipher suite intersection.
diff --git a/third_party/tlslite/patches/signature_algorithms.patch b/third_party/tlslite/patches/signature_algorithms.patch
deleted file mode 100644
index 9e8beb9..0000000
--- a/third_party/tlslite/patches/signature_algorithms.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index bac05c2f70cf..3f994e7e6f60 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -52,8 +52,9 @@ class CertificateStatusType:
- class ExtensionType:    # RFC 6066 / 4366
-     server_name = 0     # RFC 6066 / 4366
-     status_request = 5  # RFC 6066 / 4366
--    srp = 12            # RFC 5054  
-+    srp = 12            # RFC 5054
-     cert_type = 9       # RFC 6091
-+    signature_algorithms = 13 # RFC 5246
-     alpn = 16           # RFC 7301
-     signed_cert_timestamps = 18  # RFC 6962
-     extended_master_secret = 23  # RFC 7627
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 90a3cec9f54e..ce4f1a6e15eb 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -142,6 +142,7 @@ class ClientHello(HandshakeMsg):
-         self.status_request = False
-         self.has_supported_versions = False
-         self.ri = False
-+        self.signature_algorithms = []
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srpUsername=None,
-@@ -257,6 +258,14 @@ class ClientHello(HandshakeMsg):
-                         # intolerance simulation.
-                         self.has_supported_versions = True
-                         _ = p.getFixBytes(extLength)
-+                    elif extType == ExtensionType.signature_algorithms:
-+                        numBytes = p.get(2)
-+                        if numBytes + 2 != extLength or numBytes % 2 != 0:
-+                            raise SyntaxError()
-+                        for _ in range(numBytes / 2):
-+                            hashAlg = p.get(1)
-+                            sigAlg = p.get(1)
-+                            self.signature_algorithms.append((hashAlg, sigAlg))
-                     else:
-                         _ = p.getFixBytes(extLength)
-                     index2 = p.index
-@@ -605,6 +614,7 @@ class ServerKeyExchange(HandshakeMsg):
-         self.ecdhCurve = 0
-         self.ecdhPublic = bytearray(0)
-         self.signature = bytearray(0)
-+        self.signature_algorithm = None
- 
-     def createSRP(self, srp_N, srp_g, srp_s, srp_B):
-         self.srp_N = srp_N
-@@ -664,18 +674,13 @@ class ServerKeyExchange(HandshakeMsg):
-         w.bytes += self.write_params()
-         if self.cipherSuite in CipherSuite.certAllSuites:
-             if self.version >= (3,3):
--                # TODO: Signature algorithm negotiation not supported.
--                w.add(HashAlgorithm.sha1, 1)
--                w.add(SignatureAlgorithm.rsa, 1)
-+                w.add(self.signature_algorithm[0], 1)
-+                w.add(self.signature_algorithm[1], 1)
-             w.addVarSeq(self.signature, 1, 2)
-         return self.postWrite(w)
- 
--    def hash(self, clientRandom, serverRandom):
--        bytes = clientRandom + serverRandom + self.write_params()
--        if self.version >= (3,3):
--            # TODO: Signature algorithm negotiation not supported.
--            return SHA1(bytes)
--        return MD5(bytes) + SHA1(bytes)
-+    def signingPayload(self, clientRandom, serverRandom):
-+        return clientRandom + serverRandom + self.write_params()
- 
- class ServerHelloDone(HandshakeMsg):
-     def __init__(self):
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index efe2b9fefaa0..6d7c859884a4 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -17,7 +17,7 @@ from .utils.compat import formatExceptionTrace
- from .tlsrecordlayer import TLSRecordLayer
- from .session import Session
- from .constants import *
--from .utils.cryptomath import getRandomBytes
-+from .utils.cryptomath import getRandomBytes, MD5, SHA1, SHA256
- from .errors import *
- from .messages import *
- from .mathtls import *
-@@ -51,6 +51,24 @@ class KeyExchange(object):
-         """
-         raise NotImplementedError()
- 
-+    def sign(self, inpBytes):
-+        algorithm = None
-+        if self.serverHello.server_version >= (3, 3):
-+            # Negotiate a signature algorithm.
-+            peerPrefs = self.clientHello.signature_algorithms
-+            if (HashAlgorithm.sha256, SignatureAlgorithm.rsa) in peerPrefs:
-+                algorithm = (HashAlgorithm.sha256, SignatureAlgorithm.rsa)
-+                inpBytes = RSAKey.addPKCS1SHA256Prefix(SHA256(inpBytes))
-+            elif (HashAlgorithm.sha1, SignatureAlgorithm.rsa) in peerPrefs:
-+                algorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
-+                inpBytes = RSAKey.addPKCS1SHA1Prefix(SHA1(inpBytes))
-+            else:
-+                raise TLSLocalAlert(AlertDescription.handshake_failure,
-+                                   "no common signature algorithms")
-+        else:
-+            inpBytes = MD5(inpBytes) + SHA1(inpBytes)
-+        return algorithm, self.privateKey.sign(inpBytes)
-+
- class RSAKeyExchange(KeyExchange):
-     def makeServerKeyExchange(self):
-         return None
-@@ -108,12 +126,9 @@ DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
-         version = self.serverHello.server_version
-         serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
-         serverKeyExchange.createDH(self.dh_p, self.dh_g, dh_Ys)
--        hashBytes = serverKeyExchange.hash(self.clientHello.random,
--                                           self.serverHello.random)
--        if version >= (3,3):
--            # TODO: Signature algorithm negotiation not supported.
--            hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes)
--        serverKeyExchange.signature = self.privateKey.sign(hashBytes)
-+        serverKeyExchange.signature_algorithm, serverKeyExchange.signature = \
-+            self.sign(serverKeyExchange.signingPayload(self.clientHello.random,
-+                                                       self.serverHello.random))
-         return serverKeyExchange
- 
-     def processClientKeyExchange(self, clientKeyExchange):
-@@ -135,12 +150,9 @@ class ECDHE_RSAKeyExchange(KeyExchange):
-         version = self.serverHello.server_version
-         serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
-         serverKeyExchange.createECDH(NamedCurve.secp256r1, bytearray(public))
--        hashBytes = serverKeyExchange.hash(self.clientHello.random,
--                                           self.serverHello.random)
--        if version >= (3,3):
--            # TODO: Signature algorithm negotiation not supported.
--            hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes)
--        serverKeyExchange.signature = self.privateKey.sign(hashBytes)
-+        serverKeyExchange.signature_algorithm, serverKeyExchange.signature = \
-+            self.sign(serverKeyExchange.signingPayload(self.clientHello.random,
-+                                                       self.serverHello.random))
-         return serverKeyExchange
- 
-     def processClientKeyExchange(self, clientKeyExchange):
-diff --git a/third_party/tlslite/tlslite/utils/cryptomath.py b/third_party/tlslite/tlslite/utils/cryptomath.py
-index 61fd1432d566..f7142c06ba23 100644
---- a/third_party/tlslite/tlslite/utils/cryptomath.py
-+++ b/third_party/tlslite/tlslite/utils/cryptomath.py
-@@ -73,6 +73,9 @@ def MD5(b):
- def SHA1(b):
-     return bytearray(hashlib.sha1(compat26Str(b)).digest())
- 
-+def SHA256(b):
-+    return bytearray(hashlib.sha256(compat26Str(b)).digest())
-+
- def HMAC_MD5(k, b):
-     k = compatHMAC(k)
-     b = compatHMAC(b)
-diff --git a/third_party/tlslite/tlslite/utils/rsakey.py b/third_party/tlslite/tlslite/utils/rsakey.py
-index fb022cc6445d..7e3f97881a10 100644
---- a/third_party/tlslite/tlslite/utils/rsakey.py
-+++ b/third_party/tlslite/tlslite/utils/rsakey.py
-@@ -240,6 +240,13 @@ class RSAKey(object):
-         prefixedBytes = prefixBytes + bytes
-         return prefixedBytes
- 
-+    @staticmethod
-+    def addPKCS1SHA256Prefix(bytes):
-+        prefixBytes = bytearray([
-+            0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
-+            0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20])
-+        return prefixBytes + bytes
-+
-     def _addPKCS1Padding(self, bytes, blockType):
-         padLength = (numBytes(self.n) - (len(bytes)+3))
-         if blockType == 1: #Signature padding
diff --git a/third_party/tlslite/patches/signed_certificate_timestamps.patch b/third_party/tlslite/patches/signed_certificate_timestamps.patch
deleted file mode 100644
index 91bc06c..0000000
--- a/third_party/tlslite/patches/signed_certificate_timestamps.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 6429c66..8720de6 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -45,6 +45,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     server_name = 0     # RFC 6066 / 4366
-     srp = 12            # RFC 5054  
-     cert_type = 9       # RFC 6091
-+    signed_cert_timestamps = 18  # RFC 6962
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 4fa9d96..876b033 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg):
-         self.supports_npn = False
-         self.server_name = bytearray(0)
-         self.channel_id = False
-+        self.support_signed_cert_timestamps = False
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srpUsername=None,
-@@ -183,6 +184,10 @@ class ClientHello(HandshakeMsg):
-                                 break
-                     elif extType == ExtensionType.channel_id:
-                         self.channel_id = True
-+                    elif extType == ExtensionType.signed_cert_timestamps:
-+                        if extLength:
-+                            raise SyntaxError()
-+                        self.support_signed_cert_timestamps = True
-                     else:
-                         _ = p.getFixBytes(extLength)
-                     index2 = p.index
-@@ -248,6 +253,7 @@ class ServerHello(HandshakeMsg):
-         self.next_protos_advertised = None
-         self.next_protos = None
-         self.channel_id = False
-+        self.signed_cert_timestamps = None
- 
-     def create(self, version, random, session_id, cipher_suite,
-                certificate_type, tackExt, next_protos_advertised):
-@@ -337,6 +343,9 @@ class ServerHello(HandshakeMsg):
-         if self.channel_id:
-             w2.add(ExtensionType.channel_id, 2)
-             w2.add(0, 2)
-+        if self.signed_cert_timestamps:
-+            w2.add(ExtensionType.signed_cert_timestamps, 2)
-+            w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
-         if len(w2.bytes):
-             w.add(len(w2.bytes), 2)
-             w.bytes += w2.bytes        
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index b0400f8..4dedc5f 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -969,7 +969,7 @@ class TLSConnection(TLSRecordLayer):
-                         reqCAs = None, 
-                         tacks=None, activationFlags=0,
-                         nextProtos=None, anon=False,
--                        tlsIntolerant=None):
-+                        tlsIntolerant=None, signedCertTimestamps=None):
-         """Perform a handshake in the role of server.
- 
-         This function performs an SSL or TLS handshake.  Depending on
-@@ -1043,6 +1043,11 @@ class TLSConnection(TLSRecordLayer):
-         simulate TLS version intolerance by returning a fatal handshake_failure
-         alert to all TLS versions tlsIntolerant or higher.
- 
-+        @type signedCertTimestamps: str
-+        @param signedCertTimestamps: A SignedCertificateTimestampList (as a
-+        binary 8-bit string) that will be sent as a TLS extension whenever
-+        the client announces support for the extension.
-+
-         @raise socket.error: If a socket error occurs.
-         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-         without a preceding alert.
-@@ -1054,7 +1059,8 @@ class TLSConnection(TLSRecordLayer):
-                 certChain, privateKey, reqCert, sessionCache, settings,
-                 checker, reqCAs, 
-                 tacks=tacks, activationFlags=activationFlags, 
--                nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
-+                nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
-+                signedCertTimestamps=signedCertTimestamps):
-             pass
- 
- 
-@@ -1064,7 +1070,8 @@ class TLSConnection(TLSRecordLayer):
-                              reqCAs=None, 
-                              tacks=None, activationFlags=0,
-                              nextProtos=None, anon=False,
--                             tlsIntolerant=None
-+                             tlsIntolerant=None,
-+                             signedCertTimestamps=None
-                              ):
-         """Start a server handshake operation on the TLS connection.
- 
-@@ -1084,7 +1091,8 @@ class TLSConnection(TLSRecordLayer):
-             reqCAs=reqCAs, 
-             tacks=tacks, activationFlags=activationFlags, 
-             nextProtos=nextProtos, anon=anon,
--            tlsIntolerant=tlsIntolerant)
-+            tlsIntolerant=tlsIntolerant,
-+            signedCertTimestamps=signedCertTimestamps)
-         for result in self._handshakeWrapperAsync(handshaker, checker):
-             yield result
- 
-@@ -1094,7 +1102,7 @@ class TLSConnection(TLSRecordLayer):
-                              settings, reqCAs, 
-                              tacks, activationFlags, 
-                              nextProtos, anon,
--                             tlsIntolerant):
-+                             tlsIntolerant, signedCertTimestamps):
- 
-         self._handshakeStart(client=False)
- 
-@@ -1115,6 +1123,9 @@ class TLSConnection(TLSRecordLayer):
-                 raise ValueError("tackpy is not loaded")
-             if not settings or not settings.useExperimentalTackExtension:
-                 raise ValueError("useExperimentalTackExtension not enabled")
-+        if signedCertTimestamps and not certChain:
-+            raise ValueError("Caller passed signedCertTimestamps but no "
-+                             "certChain")
- 
-         if not settings:
-             settings = HandshakeSettings()
-@@ -1159,6 +1170,8 @@ class TLSConnection(TLSRecordLayer):
-                             cipherSuite, CertificateType.x509, tackExt,
-                             nextProtos)
-         serverHello.channel_id = clientHello.channel_id
-+        if clientHello.support_signed_cert_timestamps:
-+            serverHello.signed_cert_timestamps = signedCertTimestamps
- 
-         # Perform the SRP key exchange
-         clientCertChain = None
diff --git a/third_party/tlslite/patches/simulate_tls13_downgrade.patch b/third_party/tlslite/patches/simulate_tls13_downgrade.patch
deleted file mode 100644
index 775e079..0000000
--- a/third_party/tlslite/patches/simulate_tls13_downgrade.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index 69fc6f455e10..a647af53c13e 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -125,7 +125,15 @@ class HandshakeSettings(object):
-     corresponding to the TokenBindingKeyParameters enum in the Token Binding
-     Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's
-     preference order, with most preferred params first.
--    
-+
-+    @type simulateTLS13Downgrade: bool
-+    @ivar simulateTLS13Downgrade: If true, the server will simulate a TLS 1.3
-+    to TLS 1.2 downgrade in the ServerHello random.
-+
-+    @type simulateTLS12Downgrade: bool
-+    @ivar simulateTLS12Downgrade: If true, the server will simulate a TLS 1.2
-+    to TLS 1.1 downgrade in the ServerHello random.
-+
-     Note that TACK support is not standardized by IETF and uses a temporary
-     TLS Extension number, so should NOT be used in production software.
- 
-@@ -153,6 +161,8 @@ class HandshakeSettings(object):
-         self.enableExtendedMasterSecret = True
-         self.supportedTokenBindingParams = []
-         self.alpnProtos = None
-+        self.simulateTLS13Downgrade = False
-+        self.simulateTLS12Downgrade = False
- 
-     # Validates the min/max fields, and certificateTypes
-     # Filters out unsupported cipherNames and cipherImplementations
-@@ -174,6 +184,8 @@ class HandshakeSettings(object):
-         other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
-         other.supportedTokenBindingParams = self.supportedTokenBindingParams
-         other.alpnProtos = self.alpnProtos;
-+        other.simulateTLS13Downgrade = self.simulateTLS13Downgrade
-+        other.simulateTLS12Downgrade = self.simulateTLS12Downgrade
- 
-         if not cipherfactory.tripleDESPresent:
-             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 2309d4fa8f3a..cb7160f25cc9 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1352,8 +1352,16 @@ class TLSConnection(TLSRecordLayer):
-             tackExt = TackExtension.create(tacks, activationFlags)
-         else:
-             tackExt = None
-+        serverRandom = getRandomBytes(32)
-+        # See https://tools.ietf.org/html/rfc8446#section-4.1.3
-+        if settings.simulateTLS13Downgrade:
-+            serverRandom = serverRandom[:24] + \
-+                bytearray("\x44\x4f\x57\x4e\x47\x52\x44\x01")
-+        elif settings.simulateTLS12Downgrade:
-+            serverRandom = serverRandom[:24] + \
-+                bytearray("\x44\x4f\x57\x4e\x47\x52\x44\x00")
-         serverHello = ServerHello()
--        serverHello.create(self.version, getRandomBytes(32), sessionID, \
-+        serverHello.create(self.version, serverRandom, sessionID, \
-                             cipherSuite, CertificateType.x509, tackExt,
-                             alpn_proto_selected,
-                             nextProtos)
diff --git a/third_party/tlslite/patches/ssl3_padding.patch b/third_party/tlslite/patches/ssl3_padding.patch
deleted file mode 100644
index 6f720ac..0000000
--- a/third_party/tlslite/patches/ssl3_padding.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
-index f18fcf5..01ff3e9 100644
---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
-+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
-@@ -592,9 +592,9 @@ class TLSRecordLayer(object):
-                     b = self.fixedIVBlock + b
- 
-                 #Add padding: b = b+ (macBytes + paddingBytes)
--                currentLength = len(b) + len(macBytes) + 1
-+                currentLength = len(b) + len(macBytes)
-                 blockLength = self._writeState.encContext.block_size
--                paddingLength = blockLength-(currentLength % blockLength)
-+                paddingLength = blockLength - 1 - (currentLength % blockLength)
- 
-                 paddingBytes = bytearray([paddingLength] * (paddingLength+1))
-                 if self.fault == Fault.badPadding:
diff --git a/third_party/tlslite/patches/status_request.patch b/third_party/tlslite/patches/status_request.patch
deleted file mode 100644
index b6de396..0000000
--- a/third_party/tlslite/patches/status_request.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 69e6067..1a1ace9 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -31,6 +31,7 @@ class HandshakeType:
-     certificate_verify = 15
-     client_key_exchange = 16
-     finished = 20
-+    certificate_status = 22
-     next_protocol = 67
-     encrypted_extensions = 203
- 
-@@ -41,8 +42,12 @@ class ContentType:
-     application_data = 23
-     all = (20,21,22,23)
- 
-+class CertificateStatusType:
-+    ocsp = 1
-+
- class ExtensionType:    # RFC 6066 / 4366
-     server_name = 0     # RFC 6066 / 4366
-+    status_request = 5  # RFC 6066 / 4366
-     srp = 12            # RFC 5054  
-     cert_type = 9       # RFC 6091
-     signed_cert_timestamps = 18  # RFC 6962
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 876b033..9a8e5f6 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg):
-         self.server_name = bytearray(0)
-         self.channel_id = False
-         self.support_signed_cert_timestamps = False
-+        self.status_request = False
- 
-     def create(self, version, random, session_id, cipher_suites,
-                certificate_types=None, srpUsername=None,
-@@ -188,6 +189,19 @@ class ClientHello(HandshakeMsg):
-                         if extLength:
-                             raise SyntaxError()
-                         self.support_signed_cert_timestamps = True
-+                    elif extType == ExtensionType.status_request:
-+                        # Extension contents are currently ignored.
-+                        # According to RFC 6066, this is not strictly forbidden
-+                        # (although it is suboptimal):
-+                        # Servers that receive a client hello containing the
-+                        # "status_request" extension MAY return a suitable
-+                        # certificate status response to the client along with
-+                        # their certificate.  If OCSP is requested, they
-+                        # SHOULD use the information contained in the extension
-+                        # when selecting an OCSP responder and SHOULD include
-+                        # request_extensions in the OCSP request.
-+                        p.getFixBytes(extLength)
-+                        self.status_request = True
-                     else:
-                         _ = p.getFixBytes(extLength)
-                     index2 = p.index
-@@ -254,6 +268,7 @@ class ServerHello(HandshakeMsg):
-         self.next_protos = None
-         self.channel_id = False
-         self.signed_cert_timestamps = None
-+        self.status_request = False
- 
-     def create(self, version, random, session_id, cipher_suite,
-                certificate_type, tackExt, next_protos_advertised):
-@@ -346,6 +361,9 @@ class ServerHello(HandshakeMsg):
-         if self.signed_cert_timestamps:
-             w2.add(ExtensionType.signed_cert_timestamps, 2)
-             w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
-+        if self.status_request:
-+            w2.add(ExtensionType.status_request, 2)
-+            w2.add(0, 2)
-         if len(w2.bytes):
-             w.add(len(w2.bytes), 2)
-             w.bytes += w2.bytes        
-@@ -403,6 +421,37 @@ class Certificate(HandshakeMsg):
-             raise AssertionError()
-         return self.postWrite(w)
- 
-+class CertificateStatus(HandshakeMsg):
-+    def __init__(self):
-+        HandshakeMsg.__init__(self, HandshakeType.certificate_status)
-+
-+    def create(self, ocsp_response):
-+        self.ocsp_response = ocsp_response
-+        return self
-+
-+    # Defined for the sake of completeness, even though we currently only
-+    # support sending the status message (server-side), not requesting
-+    # or receiving it (client-side).
-+    def parse(self, p):
-+        p.startLengthCheck(3)
-+        status_type = p.get(1)
-+        # Only one type is specified, so hardwire it.
-+        if status_type != CertificateStatusType.ocsp:
-+            raise SyntaxError()
-+        ocsp_response = p.getVarBytes(3)
-+        if not ocsp_response:
-+            # Can't be empty
-+            raise SyntaxError()
-+        self.ocsp_response = ocsp_response
-+        p.stopLengthCheck()
-+        return self
-+
-+    def write(self):
-+        w = Writer()
-+        w.add(CertificateStatusType.ocsp, 1)
-+        w.addVarSeq(bytearray(self.ocsp_response), 1, 3)
-+        return self.postWrite(w)
-+
- class CertificateRequest(HandshakeMsg):
-     def __init__(self, version):
-         HandshakeMsg.__init__(self, HandshakeType.certificate_request)
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 0563fb5f..5d508ed 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -970,7 +970,7 @@ class TLSConnection(TLSRecordLayer):
-                         tacks=None, activationFlags=0,
-                         nextProtos=None, anon=False,
-                         tlsIntolerant=None, signedCertTimestamps=None,
--                        fallbackSCSV=False):
-+                        fallbackSCSV=False, ocspResponse=None):
-         """Perform a handshake in the role of server.
- 
-         This function performs an SSL or TLS handshake.  Depending on
-@@ -1054,6 +1054,16 @@ class TLSConnection(TLSRecordLayer):
-         TLS_FALLBACK_SCSV and thus reject connections using less than the
-         server's maximum TLS version that include this cipher suite.
- 
-+        @type ocspResponse: str
-+        @param ocspResponse: An OCSP response (as a binary 8-bit string) that
-+        will be sent stapled in the handshake whenever the client announces
-+        support for the status_request extension.
-+        Note that the response is sent independent of the ClientHello
-+        status_request extension contents, and is thus only meant for testing
-+        environments. Real OCSP stapling is more complicated as it requires
-+        choosing a suitable response based on the ClientHello status_request
-+        extension contents.
-+
-         @raise socket.error: If a socket error occurs.
-         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-         without a preceding alert.
-@@ -1067,7 +1077,7 @@ class TLSConnection(TLSRecordLayer):
-                 tacks=tacks, activationFlags=activationFlags, 
-                 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
-                 signedCertTimestamps=signedCertTimestamps,
--                fallbackSCSV=fallbackSCSV):
-+                fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
-             pass
- 
- 
-@@ -1079,7 +1089,8 @@ class TLSConnection(TLSRecordLayer):
-                              nextProtos=None, anon=False,
-                              tlsIntolerant=None,
-                              signedCertTimestamps=None,
--                             fallbackSCSV=False
-+                             fallbackSCSV=False,
-+                             ocspResponse=None
-                              ):
-         """Start a server handshake operation on the TLS connection.
- 
-@@ -1101,7 +1112,8 @@ class TLSConnection(TLSRecordLayer):
-             nextProtos=nextProtos, anon=anon,
-             tlsIntolerant=tlsIntolerant,
-             signedCertTimestamps=signedCertTimestamps,
--            fallbackSCSV=fallbackSCSV)
-+            fallbackSCSV=fallbackSCSV,
-+            ocspResponse=ocspResponse)
-         for result in self._handshakeWrapperAsync(handshaker, checker):
-             yield result
- 
-@@ -1111,7 +1123,8 @@ class TLSConnection(TLSRecordLayer):
-                              settings, reqCAs, 
-                              tacks, activationFlags, 
-                              nextProtos, anon,
--                             tlsIntolerant, signedCertTimestamps, fallbackSCSV):
-+                             tlsIntolerant, signedCertTimestamps, fallbackSCSV,
-+                             ocspResponse):
- 
-         self._handshakeStart(client=False)
- 
-@@ -1181,6 +1194,8 @@ class TLSConnection(TLSRecordLayer):
-         serverHello.channel_id = clientHello.channel_id
-         if clientHello.support_signed_cert_timestamps:
-             serverHello.signed_cert_timestamps = signedCertTimestamps
-+        if clientHello.status_request:
-+            serverHello.status_request = ocspResponse
- 
-         # Perform the SRP key exchange
-         clientCertChain = None
-@@ -1197,7 +1212,7 @@ class TLSConnection(TLSRecordLayer):
-             for result in self._serverCertKeyExchange(clientHello, serverHello, 
-                                         certChain, privateKey,
-                                         reqCert, reqCAs, cipherSuite,
--                                        settings):
-+                                        settings, ocspResponse):
-                 if result in (0,1): yield result
-                 else: break
-             (premasterSecret, clientCertChain) = result
-@@ -1475,7 +1490,7 @@ class TLSConnection(TLSRecordLayer):
-     def _serverCertKeyExchange(self, clientHello, serverHello, 
-                                 serverCertChain, privateKey,
-                                 reqCert, reqCAs, cipherSuite,
--                                settings):
-+                                settings, ocspResponse):
-         #Send ServerHello, Certificate[, CertificateRequest],
-         #ServerHelloDone
-         msgs = []
-@@ -1485,6 +1500,8 @@ class TLSConnection(TLSRecordLayer):
- 
-         msgs.append(serverHello)
-         msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
-+        if serverHello.status_request:
-+            msgs.append(CertificateStatus().create(ocspResponse))
-         if reqCert and reqCAs:
-             msgs.append(CertificateRequest().create(\
-                 [ClientCertificateType.rsa_sign], reqCAs))
diff --git a/third_party/tlslite/patches/thread_safe_python_rsa_key.patch b/third_party/tlslite/patches/thread_safe_python_rsa_key.patch
deleted file mode 100644
index fe68d88..0000000
--- a/third_party/tlslite/patches/thread_safe_python_rsa_key.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/utils/python_rsakey.py b/third_party/tlslite/tlslite/utils/python_rsakey.py
-index 1281f1dc899c..a62fc68b4701 100644
---- a/third_party/tlslite/tlslite/utils/python_rsakey.py
-+++ b/third_party/tlslite/tlslite/utils/python_rsakey.py
-@@ -2,7 +2,7 @@
- # See the LICENSE file for legal information regarding use of this file.
- 
- """Pure-Python RSA implementation."""
--
-+import threading
- from .cryptomath import *
- from .asn1parser import ASN1Parser
- from .rsakey import *
-@@ -22,33 +22,36 @@ class Python_RSAKey(RSAKey):
-         self.qInv = qInv
-         self.blinder = 0
-         self.unblinder = 0
-+        self._lock = threading.Lock()
- 
-     def hasPrivateKey(self):
-         return self.d != 0
- 
--    def _rawPrivateKeyOp(self, m):
--        #Create blinding values, on the first pass:
--        if not self.blinder:
--            self.unblinder = getRandomNumber(2, self.n)
--            self.blinder = powMod(invMod(self.unblinder, self.n), self.e,
--                                  self.n)
--
--        #Blind the input
--        m = (m * self.blinder) % self.n
-+    def _rawPrivateKeyOp(self, message):
-+        with self._lock:
-+            # Create blinding values, on the first pass:
-+            if not self.blinder:
-+                self.unblinder = getRandomNumber(2, self.n)
-+                self.blinder = powMod(invMod(self.unblinder, self.n), self.e,
-+                                      self.n)
-+            unblinder = self.unblinder
-+            blinder = self.blinder
- 
--        #Perform the RSA operation
--        c = self._rawPrivateKeyOpHelper(m)
-+            # Update blinding values
-+            self.blinder = (self.blinder * self.blinder) % self.n
-+            self.unblinder = (self.unblinder * self.unblinder) % self.n
- 
--        #Unblind the output
--        c = (c * self.unblinder) % self.n
-+        # Blind the input
-+        message = (message * blinder) % self.n
- 
--        #Update blinding values
--        self.blinder = (self.blinder * self.blinder) % self.n
--        self.unblinder = (self.unblinder * self.unblinder) % self.n
-+        # Perform the RSA operation
-+        cipher = self._rawPrivateKeyOpHelper(message)
- 
--        #Return the output
--        return c
-+        # Unblind the output
-+        cipher = (cipher * unblinder) % self.n
- 
-+        # Return the output
-+        return cipher
- 
-     def _rawPrivateKeyOpHelper(self, m):
-         #Non-CRT version
diff --git a/third_party/tlslite/patches/tls13_intolerance.patch b/third_party/tlslite/patches/tls13_intolerance.patch
deleted file mode 100644
index ef50fed..0000000
--- a/third_party/tlslite/patches/tls13_intolerance.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 82e8c075fe2a..8fb75d0948e4 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -58,6 +58,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     signed_cert_timestamps = 18  # RFC 6962
-     extended_master_secret = 23  # RFC 7627
-     token_binding = 24           # draft-ietf-tokbind-negotiation
-+    supported_versions = 43      # RFC 8446
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index ac7e563021d9..b29db939c2a8 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
-         self.tb_client_params = []
-         self.support_signed_cert_timestamps = False
-         self.status_request = False
-+        self.has_supported_versions = False
-         self.ri = False
- 
-     def create(self, version, random, session_id, cipher_suites,
-@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
-                         if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
-                             raise SyntaxError()
-                         self.ri = True
-+                    elif extType == ExtensionType.supported_versions:
-+                        # Ignore the extension, but make a note of it for
-+                        # intolerance simulation.
-+                        self.has_supported_versions = True
-+                        _ = p.getFixBytes(extLength)
-                     else:
-                         _ = p.getFixBytes(extLength)
-                     index2 = p.index
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 8ba1c6e636ab..2309d4fa8f3a 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
-         self._handshakeDone(resumed=False)
- 
- 
-+    def _isIntolerant(self, settings, clientHello):
-+        if settings.tlsIntolerant is None:
-+            return False
-+        clientVersion = clientHello.client_version
-+        if clientHello.has_supported_versions:
-+            clientVersion = (3, 4)
-+        return clientVersion >= settings.tlsIntolerant
-+
-+
-     def _serverGetClientHello(self, settings, certChain, verifierDB,
-                                 sessionCache, anon, fallbackSCSV):
-         #Tentatively set version to most-desirable version, so if an error
-@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
-                 yield result
- 
-         #If simulating TLS intolerance, reject certain TLS versions.
--        elif (settings.tlsIntolerant is not None and
--              clientHello.client_version >= settings.tlsIntolerant):
-+        elif self._isIntolerant(settings, clientHello):
-             if settings.tlsIntoleranceType == "alert":
-                 for result in self._sendError(\
-                     AlertDescription.handshake_failure):
diff --git a/third_party/tlslite/patches/tls_intolerant.patch b/third_party/tlslite/patches/tls_intolerant.patch
deleted file mode 100644
index f9c82676..0000000
--- a/third_party/tlslite/patches/tls_intolerant.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index e7c6834..0e78753 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -968,7 +968,8 @@ class TLSConnection(TLSRecordLayer):
-                         sessionCache=None, settings=None, checker=None,
-                         reqCAs = None, 
-                         tacks=None, activationFlags=0,
--                        nextProtos=None, anon=False):
-+                        nextProtos=None, anon=False,
-+                        tlsIntolerant=None):
-         """Perform a handshake in the role of server.
- 
-         This function performs an SSL or TLS handshake.  Depending on
-@@ -1037,6 +1038,11 @@ class TLSConnection(TLSRecordLayer):
-         clients through the Next-Protocol Negotiation Extension, 
-         if they support it.
- 
-+        @type tlsIntolerant: (int, int) or None
-+        @param tlsIntolerant: If tlsIntolerant is not None, the server will
-+        simulate TLS version intolerance by returning a fatal handshake_failure
-+        alert to all TLS versions tlsIntolerant or higher.
-+
-         @raise socket.error: If a socket error occurs.
-         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-         without a preceding alert.
-@@ -1048,7 +1054,7 @@ class TLSConnection(TLSRecordLayer):
-                 certChain, privateKey, reqCert, sessionCache, settings,
-                 checker, reqCAs, 
-                 tacks=tacks, activationFlags=activationFlags, 
--                nextProtos=nextProtos, anon=anon):
-+                nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
-             pass
- 
- 
-@@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer):
-                              sessionCache=None, settings=None, checker=None,
-                              reqCAs=None, 
-                              tacks=None, activationFlags=0,
--                             nextProtos=None, anon=False
-+                             nextProtos=None, anon=False,
-+                             tlsIntolerant=None
-                              ):
-         """Start a server handshake operation on the TLS connection.
- 
-@@ -1076,7 +1083,8 @@ class TLSConnection(TLSRecordLayer):
-             sessionCache=sessionCache, settings=settings, 
-             reqCAs=reqCAs, 
-             tacks=tacks, activationFlags=activationFlags, 
--            nextProtos=nextProtos, anon=anon)
-+            nextProtos=nextProtos, anon=anon,
-+            tlsIntolerant=tlsIntolerant)
-         for result in self._handshakeWrapperAsync(handshaker, checker):
-             yield result
- 
-@@ -1085,7 +1093,8 @@ class TLSConnection(TLSRecordLayer):
-                              certChain, privateKey, reqCert, sessionCache,
-                              settings, reqCAs, 
-                              tacks, activationFlags, 
--                             nextProtos, anon):
-+                             nextProtos, anon,
-+                             tlsIntolerant):
- 
-         self._handshakeStart(client=False)
- 
-@@ -1117,7 +1126,7 @@ class TLSConnection(TLSRecordLayer):
-         # Handle ClientHello and resumption
-         for result in self._serverGetClientHello(settings, certChain,\
-                                             verifierDB, sessionCache,
--                                            anon):
-+                                            anon, tlsIntolerant):
-             if result in (0,1): yield result
-             elif result == None:
-                 self._handshakeDone(resumed=True)                
-@@ -1214,7 +1223,7 @@ class TLSConnection(TLSRecordLayer):
- 
- 
-     def _serverGetClientHello(self, settings, certChain, verifierDB,
--                                sessionCache, anon):
-+                                sessionCache, anon, tlsIntolerant):
-         #Initialize acceptable cipher suites
-         cipherSuites = []
-         if verifierDB:
-@@ -1249,6 +1258,13 @@ class TLSConnection(TLSRecordLayer):
-                   "Too old version: %s" % str(clientHello.client_version)):
-                 yield result
- 
-+        #If simulating TLS intolerance, reject certain TLS versions.
-+        elif (tlsIntolerant is not None and
-+            clientHello.client_version >= tlsIntolerant):
-+            for result in self._sendError(\
-+                    AlertDescription.handshake_failure):
-+                yield result
-+
-         #If client's version is too high, propose my highest version
-         elif clientHello.client_version > settings.maxVersion:
-             self.version = settings.maxVersion
diff --git a/third_party/tlslite/patches/token_binding_negotiation.patch b/third_party/tlslite/patches/token_binding_negotiation.patch
deleted file mode 100644
index ed1775d..0000000
--- a/third_party/tlslite/patches/token_binding_negotiation.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index f9c8676..84bb703 100644
---- a/third_party/tlslite/tlslite/constants.py
-+++ b/third_party/tlslite/tlslite/constants.py
-@@ -59,6 +59,7 @@ class ExtensionType:    # RFC 6066 / 4366
-     tack = 0xF300
-     supports_npn = 13172
-     channel_id = 30032
-+    token_binding = 30033
- 
- class HashAlgorithm:
-     none = 0
-diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
-index a7b6ab9..8f25f62 100644
---- a/third_party/tlslite/tlslite/handshakesettings.py
-+++ b/third_party/tlslite/tlslite/handshakesettings.py
-@@ -115,6 +115,13 @@ class HandshakeSettings(object):
-     @type enableExtendedMasterSecret: bool
-     @ivar enableExtendedMasterSecret: If true, the server supports the extended
-     master secret TLS extension and will negotiated it with supporting clients.
-+
-+    @type supportedTokenBindingParams: list
-+    @ivar supportedTokenBindingParams: A list of token binding parameters that
-+    the server supports when negotiating token binding. List values are integers
-+    corresponding to the TokenBindingKeyParameters enum in the Token Binding
-+    Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's
-+    preference order, with most preferred params first.
-     
-     Note that TACK support is not standardized by IETF and uses a temporary
-     TLS Extension number, so should NOT be used in production software.
-@@ -134,6 +141,7 @@ class HandshakeSettings(object):
-         self.useExperimentalTackExtension = False
-         self.alertAfterHandshake = False
-         self.enableExtendedMasterSecret = True
-+        self.supportedTokenBindingParams = []
- 
-     # Validates the min/max fields, and certificateTypes
-     # Filters out unsupported cipherNames and cipherImplementations
-@@ -152,6 +160,7 @@ class HandshakeSettings(object):
-         other.tlsIntoleranceType = self.tlsIntoleranceType
-         other.alertAfterHandshake = self.alertAfterHandshake
-         other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
-+        other.supportedTokenBindingParams = self.supportedTokenBindingParams
- 
-         if not cipherfactory.tripleDESPresent:
-             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 9b553ce..ab2be57 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg):
-         self.server_name = bytearray(0)
-         self.channel_id = False
-         self.extended_master_secret = False
-+        self.tb_client_params = []
-         self.support_signed_cert_timestamps = False
-         self.status_request = False
- 
-@@ -188,6 +189,15 @@ class ClientHello(HandshakeMsg):
-                         self.channel_id = True
-                     elif extType == ExtensionType.extended_master_secret:
-                         self.extended_master_secret = True
-+                    elif extType == ExtensionType.token_binding:
-+                        tokenBindingBytes = p.getFixBytes(extLength)
-+                        p2 = Parser(tokenBindingBytes)
-+                        ver_minor = p2.get(1)
-+                        ver_major = p2.get(1)
-+                        if (ver_major, ver_minor) >= (0, 6):
-+                            p2.startLengthCheck(1)
-+                            while not p2.atLengthCheck():
-+                                self.tb_client_params.append(p2.get(1))
-                     elif extType == ExtensionType.signed_cert_timestamps:
-                         if extLength:
-                             raise SyntaxError()
-@@ -271,6 +281,7 @@ class ServerHello(HandshakeMsg):
-         self.next_protos = None
-         self.channel_id = False
-         self.extended_master_secret = False
-+        self.tb_params = None
-         self.signed_cert_timestamps = None
-         self.status_request = False
- 
-@@ -365,6 +376,17 @@ class ServerHello(HandshakeMsg):
-         if self.extended_master_secret:
-             w2.add(ExtensionType.extended_master_secret, 2)
-             w2.add(0, 2)
-+        if self.tb_params:
-+            w2.add(ExtensionType.token_binding, 2)
-+            # length of extension
-+            w2.add(4, 2)
-+            # version
-+            w2.add(0, 1)
-+            w2.add(6, 1)
-+            # length of params (defined as variable length <1..2^8-1>, but in
-+            # this context the server can only send a single value.
-+            w2.add(1, 1)
-+            w2.add(self.tb_params, 1)
-         if self.signed_cert_timestamps:
-             w2.add(ExtensionType.signed_cert_timestamps, 2)
-             w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 04161513..06404fe 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer):
-         serverHello.extended_master_secret = \
-             clientHello.extended_master_secret and \
-             settings.enableExtendedMasterSecret
-+        for param in clientHello.tb_client_params:
-+            if param in settings.supportedTokenBindingParams:
-+                serverHello.tb_params = param
-+                break
-         if clientHello.support_signed_cert_timestamps:
-             serverHello.signed_cert_timestamps = signedCertTimestamps
-         if clientHello.status_request:
diff --git a/third_party/tlslite/patches/token_binding_resumption.patch b/third_party/tlslite/patches/token_binding_resumption.patch
deleted file mode 100644
index 5d856b2a..0000000
--- a/third_party/tlslite/patches/token_binding_resumption.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
-index 6a53282..6e26fdd 100644
---- a/third_party/tlslite/tlslite/tlsconnection.py
-+++ b/third_party/tlslite/tlslite/tlsconnection.py
-@@ -1536,6 +1536,10 @@ class TLSConnection(TLSRecordLayer):
-                 serverHello.extended_master_secret = \
-                     clientHello.extended_master_secret and \
-                     settings.enableExtendedMasterSecret
-+                for param in clientHello.tb_client_params:
-+                    if param in settings.supportedTokenBindingParams:
-+                          serverHello.tb_params = param
-+                          break
-                 for result in self._sendMsg(serverHello):
-                     yield result
- 
diff --git a/third_party/tlslite/patches/token_binding_version.patch b/third_party/tlslite/patches/token_binding_version.patch
deleted file mode 100644
index 226672a1..0000000
--- a/third_party/tlslite/patches/token_binding_version.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 1ce9320..ac7e563 100644
---- a/third_party/tlslite/tlslite/messages.py
-+++ b/third_party/tlslite/tlslite/messages.py
-@@ -223,7 +224,7 @@ class ClientHello(HandshakeMsg):
-                         p2 = Parser(tokenBindingBytes)
-                         ver_minor = p2.get(1)
-                         ver_major = p2.get(1)
--                        if (ver_major, ver_minor) >= (0, 6):
-+                        if (ver_major, ver_minor) >= (0, 13):
-                             p2.startLengthCheck(1)
-                             while not p2.atLengthCheck():
-                                 self.tb_client_params.append(p2.get(1))
-@@ -421,7 +431,7 @@ class ServerHello(HandshakeMsg):
-             w2.add(4, 2)
-             # version
-             w2.add(0, 1)
--            w2.add(6, 1)
-+            w2.add(13, 1)
-             # length of params (defined as variable length <1..2^8-1>, but in
-             # this context the server can only send a single value.
-             w2.add(1, 1)
diff --git a/third_party/tlslite/scripts/tls.py b/third_party/tlslite/scripts/tls.py
deleted file mode 100755
index 48035ce..0000000
--- a/third_party/tlslite/scripts/tls.py
+++ /dev/null
@@ -1,336 +0,0 @@
-#!/usr/bin/env python
-
-# Authors: 
-#   Trevor Perrin
-#   Marcelo Fernandez - bugfix and NPN support
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-from __future__ import print_function
-import sys
-import os
-import os.path
-import socket
-import time
-import getopt
-try:
-    import httplib
-    from SocketServer import *
-    from BaseHTTPServer import *
-    from SimpleHTTPServer import *
-except ImportError:
-    # Python 3.x
-    from http import client as httplib
-    from socketserver import *
-    from http.server import *
-
-if __name__ != "__main__":
-    raise "This must be run as a command, not used as a module!"
-
-from tlslite.api import *
-from tlslite import __version__
-
-try:
-    from tack.structures.Tack import Tack
-
-except ImportError:
-    pass
-
-def printUsage(s=None):
-    if s:
-        print("ERROR: %s" % s)
-
-    print("")
-    print("Version: %s" % __version__)
-    print("")
-    print("RNG: %s" % prngName)
-    print("")
-    print("Modules:")
-    if tackpyLoaded:
-        print("  tackpy      : Loaded")
-    else:
-        print("  tackpy      : Not Loaded")            
-    if m2cryptoLoaded:
-        print("  M2Crypto    : Loaded")
-    else:
-        print("  M2Crypto    : Not Loaded")
-    if pycryptoLoaded:
-        print("  pycrypto    : Loaded")
-    else:
-        print("  pycrypto    : Not Loaded")
-    if gmpyLoaded:
-        print("  GMPY        : Loaded")
-    else:
-        print("  GMPY        : Not Loaded")
-    
-    print("")
-    print("""Commands:
-
-  server  
-    [-k KEY] [-c CERT] [-t TACK] [-v VERIFIERDB] [-d DIR]
-    [--reqcert] HOST:PORT
-
-  client
-    [-k KEY] [-c CERT] [-u USER] [-p PASS]
-    HOST:PORT
-""")
-    sys.exit(-1)
-
-def printError(s):
-    """Print error message and exit"""
-    sys.stderr.write("ERROR: %s\n" % s)
-    sys.exit(-1)
-
-
-def handleArgs(argv, argString, flagsList=[]):
-    # Convert to getopt argstring format:
-    # Add ":" after each arg, ie "abc" -> "a:b:c:"
-    getOptArgString = ":".join(argString) + ":"
-    try:
-        opts, argv = getopt.getopt(argv, getOptArgString, flagsList)
-    except getopt.GetoptError as e:
-        printError(e) 
-    # Default values if arg not present  
-    privateKey = None
-    certChain = None
-    username = None
-    password = None
-    tacks = None
-    verifierDB = None
-    reqCert = False
-    directory = None
-    
-    for opt, arg in opts:
-        if opt == "-k":
-            s = open(arg, "rb").read()
-            privateKey = parsePEMKey(s, private=True)            
-        elif opt == "-c":
-            s = open(arg, "rb").read()
-            x509 = X509()
-            x509.parse(s)
-            certChain = X509CertChain([x509])
-        elif opt == "-u":
-            username = arg
-        elif opt == "-p":
-            password = arg
-        elif opt == "-t":
-            if tackpyLoaded:
-                s = open(arg, "rU").read()
-                tacks = Tack.createFromPemList(s)
-        elif opt == "-v":
-            verifierDB = VerifierDB(arg)
-            verifierDB.open()
-        elif opt == "-d":
-            directory = arg
-        elif opt == "--reqcert":
-            reqCert = True
-        else:
-            assert(False)
-            
-    if not argv:
-        printError("Missing address")
-    if len(argv)>1:
-        printError("Too many arguments")
-    #Split address into hostname/port tuple
-    address = argv[0]
-    address = address.split(":")
-    if len(address) != 2:
-        raise SyntaxError("Must specify <host>:<port>")
-    address = ( address[0], int(address[1]) )
-
-    # Populate the return list
-    retList = [address]
-    if "k" in argString:
-        retList.append(privateKey)
-    if "c" in argString:
-        retList.append(certChain)
-    if "u" in argString:
-        retList.append(username)
-    if "p" in argString:
-        retList.append(password)
-    if "t" in argString:
-        retList.append(tacks)
-    if "v" in argString:
-        retList.append(verifierDB)
-    if "d" in argString:
-        retList.append(directory)
-    if "reqcert" in flagsList:
-        retList.append(reqCert)
-    return retList
-
-
-def printGoodConnection(connection, seconds):
-    print("  Handshake time: %.3f seconds" % seconds)
-    print("  Version: %s" % connection.getVersionName())
-    print("  Cipher: %s %s" % (connection.getCipherName(), 
-        connection.getCipherImplementation()))
-    if connection.session.srpUsername:
-        print("  Client SRP username: %s" % connection.session.srpUsername)
-    if connection.session.clientCertChain:
-        print("  Client X.509 SHA1 fingerprint: %s" % 
-            connection.session.clientCertChain.getFingerprint())
-    if connection.session.serverCertChain:
-        print("  Server X.509 SHA1 fingerprint: %s" % 
-            connection.session.serverCertChain.getFingerprint())
-    if connection.session.serverName:
-        print("  SNI: %s" % connection.session.serverName)
-    if connection.session.tackExt:   
-        if connection.session.tackInHelloExt:
-            emptyStr = "\n  (via TLS Extension)"
-        else:
-            emptyStr = "\n  (via TACK Certificate)" 
-        print("  TACK: %s" % emptyStr)
-        print(str(connection.session.tackExt))
-    print("  Next-Protocol Negotiated: %s" % connection.next_proto) 
-    
-
-def clientCmd(argv):
-    (address, privateKey, certChain, username, password) = \
-        handleArgs(argv, "kcup")
-        
-    if (certChain and not privateKey) or (not certChain and privateKey):
-        raise SyntaxError("Must specify CERT and KEY together")
-    if (username and not password) or (not username and password):
-        raise SyntaxError("Must specify USER with PASS")
-    if certChain and username:
-        raise SyntaxError("Can use SRP or client cert for auth, not both")
-
-    #Connect to server
-    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    sock.settimeout(5)
-    sock.connect(address)
-    connection = TLSConnection(sock)
-    
-    settings = HandshakeSettings()
-    settings.useExperimentalTackExtension = True
-    
-    try:
-        start = time.clock()
-        if username and password:
-            connection.handshakeClientSRP(username, password, 
-                settings=settings, serverName=address[0])
-        else:
-            connection.handshakeClientCert(certChain, privateKey,
-                settings=settings, serverName=address[0])
-        stop = time.clock()        
-        print("Handshake success")        
-    except TLSLocalAlert as a:
-        if a.description == AlertDescription.user_canceled:
-            print(str(a))
-        else:
-            raise
-        sys.exit(-1)
-    except TLSRemoteAlert as a:
-        if a.description == AlertDescription.unknown_psk_identity:
-            if username:
-                print("Unknown username")
-            else:
-                raise
-        elif a.description == AlertDescription.bad_record_mac:
-            if username:
-                print("Bad username or password")
-            else:
-                raise
-        elif a.description == AlertDescription.handshake_failure:
-            print("Unable to negotiate mutually acceptable parameters")
-        else:
-            raise
-        sys.exit(-1)
-    printGoodConnection(connection, stop-start)
-    connection.close()
-
-
-def serverCmd(argv):
-    (address, privateKey, certChain, tacks, 
-        verifierDB, directory, reqCert) = handleArgs(argv, "kctbvd", ["reqcert"])
-
-
-    if (certChain and not privateKey) or (not certChain and privateKey):
-        raise SyntaxError("Must specify CERT and KEY together")
-    if tacks and not certChain:
-        raise SyntaxError("Must specify CERT with Tacks")
-    
-    print("I am an HTTPS test server, I will listen on %s:%d" % 
-            (address[0], address[1]))    
-    if directory:
-        os.chdir(directory)
-    print("Serving files from %s" % os.getcwd())
-    
-    if certChain and privateKey:
-        print("Using certificate and private key...")
-    if verifierDB:
-        print("Using verifier DB...")
-    if tacks:
-        print("Using Tacks...")
-        
-    #############
-    sessionCache = SessionCache()
-
-    class MyHTTPServer(ThreadingMixIn, TLSSocketServerMixIn, HTTPServer):
-        def handshake(self, connection):
-            print("About to handshake...")
-            activationFlags = 0
-            if tacks:
-                if len(tacks) == 1:
-                    activationFlags = 1
-                elif len(tacks) == 2:
-                    activationFlags = 3
-
-            try:
-                start = time.clock()
-                settings = HandshakeSettings()
-                settings.useExperimentalTackExtension=True
-                connection.handshakeServer(certChain=certChain,
-                                              privateKey=privateKey,
-                                              verifierDB=verifierDB,
-                                              tacks=tacks,
-                                              activationFlags=activationFlags,
-                                              sessionCache=sessionCache,
-                                              settings=settings,
-                                              nextProtos=[b"http/1.1"])
-                                              # As an example (does not work here):
-                                              #nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
-                stop = time.clock()
-            except TLSRemoteAlert as a:
-                if a.description == AlertDescription.user_canceled:
-                    print(str(a))
-                    return False
-                else:
-                    raise
-            except TLSLocalAlert as a:
-                if a.description == AlertDescription.unknown_psk_identity:
-                    if username:
-                        print("Unknown username")
-                        return False
-                    else:
-                        raise
-                elif a.description == AlertDescription.bad_record_mac:
-                    if username:
-                        print("Bad username or password")
-                        return False
-                    else:
-                        raise
-                elif a.description == AlertDescription.handshake_failure:
-                    print("Unable to negotiate mutually acceptable parameters")
-                    return False
-                else:
-                    raise
-                
-            connection.ignoreAbruptClose = True
-            printGoodConnection(connection, stop-start)
-            return True
-
-    httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
-    httpd.serve_forever()
-
-
-if __name__ == '__main__':
-    if len(sys.argv) < 2:
-        printUsage("Missing command")
-    elif sys.argv[1] == "client"[:len(sys.argv[1])]:
-        clientCmd(sys.argv[2:])
-    elif sys.argv[1] == "server"[:len(sys.argv[1])]:
-        serverCmd(sys.argv[2:])
-    else:
-        printUsage("Unknown command: %s" % sys.argv[1])
-
diff --git a/third_party/tlslite/scripts/tlsdb.py b/third_party/tlslite/scripts/tlsdb.py
deleted file mode 100755
index 476d618..0000000
--- a/third_party/tlslite/scripts/tlsdb.py
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/usr/bin/env python
-
-# Authors: 
-#   Trevor Perrin
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-from __future__ import print_function
-import sys
-import os
-import socket
-import math
-
-if __name__ != "__main__":
-    raise "This must be run as a command, not used as a module!"
-
-
-from tlslite import *
-from tlslite import __version__
-
-if len(sys.argv) == 1 or (len(sys.argv)==2 and sys.argv[1].lower().endswith("help")):
-    print("")
-    print("Version: %s" % __version__)
-    print("")
-    print("RNG: %s" % prngName)
-    print("")
-    print("Modules:")
-    if m2cryptoLoaded:
-        print("  M2Crypto    : Loaded")
-    else:
-        print("  M2Crypto    : Not Loaded")
-    if pycryptoLoaded:
-        print("  pycrypto    : Loaded")
-    else:
-        print("  pycrypto    : Not Loaded")
-    if gmpyLoaded:
-        print("  GMPY        : Loaded")
-    else:
-        print("  GMPY        : Not Loaded")
-    print("")
-    print("Commands:")
-    print("")
-    print("  createsrp       <db>")
-    print("")
-    print("  add    <db> <user> <pass> [<bits>]")
-    print("  del    <db> <user>")
-    print("  check  <db> <user> [<pass>]")
-    print("  list   <db>")
-    sys.exit()
-
-cmd = sys.argv[1].lower()
-
-class Args:
-    def __init__(self, argv):
-        self.argv = argv
-    def get(self, index):
-        if len(self.argv)<=index:
-            raise SyntaxError("Not enough arguments")
-        return self.argv[index]
-    def getLast(self, index):
-        if len(self.argv)>index+1:
-            raise SyntaxError("Too many arguments")
-        return self.get(index)
-
-args = Args(sys.argv)
-
-def reformatDocString(s):
-    lines = s.splitlines()
-    newLines = []
-    for line in lines:
-        newLines.append("  " + line.strip())
-    return "\n".join(newLines)
-
-try:
-    if cmd == "help":
-        command = args.getLast(2).lower()
-        if command == "valid":
-            print("")
-        else:
-            print("Bad command: '%s'" % command)
-
-    elif cmd == "createsrp":
-        dbName = args.get(2)
-
-        db = VerifierDB(dbName)
-        db.create()
-
-    elif cmd == "add":
-        dbName = args.get(2)
-        username = args.get(3)
-        password = args.get(4)
-
-        db = VerifierDB(dbName)
-        db.open()
-        if username in db:
-            print("User already in database!")
-            sys.exit()
-        bits = int(args.getLast(5))
-        N, g, salt, verifier = VerifierDB.makeVerifier(username, password, bits)
-        db[username] = N, g, salt, verifier
-
-    elif cmd == "del":
-        dbName = args.get(2)
-        username = args.getLast(3)
-        db = VerifierDB(dbName)
-        db.open()
-        del(db[username])
-
-    elif cmd == "check":
-        dbName = args.get(2)
-        username = args.get(3)
-        if len(sys.argv)>=5:
-            password = args.getLast(4)
-        else:
-            password = None
-
-        db = VerifierDB(dbName)
-        db.open()
-
-        try:
-            db[username]
-            print("Username exists")
-
-            if password:
-                if db.check(username, password):
-                    print("Password is correct")
-                else:
-                    print("Password is wrong")
-        except KeyError:
-            print("Username does not exist")
-            sys.exit()
-
-    elif cmd == "list":
-        dbName = args.get(2)
-        db = VerifierDB(dbName)
-        db.open()
-
-        print("Verifier Database")
-        def numBits(n):
-            if n==0:
-                return 0
-            return int(math.floor(math.log(n, 2))+1)
-        for username in db.keys():
-            N, g, s, v = db[username]
-            print(numBits(N), username)
-    else:
-        print("Bad command: '%s'" % cmd)
-except:
-    raise
diff --git a/third_party/tlslite/setup.py b/third_party/tlslite/setup.py
deleted file mode 100755
index 3ce281a..0000000
--- a/third_party/tlslite/setup.py
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env python
-
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-from distutils.core import setup
-
-setup(name="tlslite",
-      version="0.4.8",
-      author="Trevor Perrin",
-      author_email="tlslite@trevp.net",
-      url="http://trevp.net/tlslite/",
-      description="tlslite implements SSL and TLS.",
-      license="public domain and BSD",
-      scripts=["scripts/tls.py", "scripts/tlsdb.py"],
-      packages=["tlslite", "tlslite.utils", "tlslite.integration"],)
diff --git a/third_party/tlslite/tests/TACK1.pem b/third_party/tlslite/tests/TACK1.pem
deleted file mode 100644
index 039d848..0000000
--- a/third_party/tlslite/tests/TACK1.pem
+++ /dev/null
@@ -1,8 +0,0 @@
-Created by TACK.py 0.9.6
-Created at 2012-05-08T15:53:56Z
------BEGIN TACK-----
-lJ7JcxIC9y6i/jTkTh+MXf0aO23J58PjUQCAI4vCMINlcMGSC8Vyq9On51hk5zAz
-DlIdXzC7zcUC7AN7/alXYwAAAkJ0Bb8+RaM9YEywaJEGViKJJmpYG/gJHgfGaefI
-9kKbXSDmXHI2tbZPnCxzR4ZXz21HxFm1SPYijTKm4zm5dAzXzvneOTRf/SFbY0dZ
-s7UpHKK4yOhREoGH8z8kxxD5/BXb5A==
------END TACK-----
diff --git a/third_party/tlslite/tests/TACK2.pem b/third_party/tlslite/tests/TACK2.pem
deleted file mode 100644
index e037af9f..0000000
--- a/third_party/tlslite/tests/TACK2.pem
+++ /dev/null
@@ -1,8 +0,0 @@
-Created by tack.py 0.9.7
-Created at 2012-08-31T19:15:38Z
------BEGIN TACK-----
-x7MspJSqsflA4qZ6qG8r8Hd5AB0+BB09n96vuF5Z1ayBeGzrny90WeCu3E3G2d8Y
-620TVYfnALIaMg//MZ8ovQAAAkMcxb8+RaM9YEywaJEGViKJJmpYG/gJHgfGaefI
-9kKbXSDmq3tmkncGftPeMAUh3T2vcXNiRnRqyFArnCKr2gCSj2vsCiS3F+qVhaUv
-OyxAcIhminamGruajdPSXMtlCCwWag==
------END TACK-----
diff --git a/third_party/tlslite/tests/TACK_Key1.pem b/third_party/tlslite/tests/TACK_Key1.pem
deleted file mode 100644
index 1ce731c..0000000
--- a/third_party/tlslite/tests/TACK_Key1.pem
+++ /dev/null
@@ -1,8 +0,0 @@
-Created by TACK.py 0.9.6
-Created at 2012-05-08T15:53:52Z
------BEGIN TACK PRIVATE KEY-----
-AQAAIAA/48N0HFypVQPPrRP2xcMlomOznNFbI+Svx5TNjOD84sUAV/i0wvhAwz3q
-yyoVeSOUnslzEgL3LqL+NOROH4xd/Ro7bcnnw+NRAIAji8Iwg2VwwZILxXKr06fn
-WGTnMDMOUh1fMLvNxQLsA3v9qVdjES84mJMzUffdoSIMdXcMr6BP+8qqz7MaygMd
-u5jvi1o=
------END TACK PRIVATE KEY-----
diff --git a/third_party/tlslite/tests/TACK_Key2.pem b/third_party/tlslite/tests/TACK_Key2.pem
deleted file mode 100644
index f1f1e06..0000000
--- a/third_party/tlslite/tests/TACK_Key2.pem
+++ /dev/null
@@ -1,8 +0,0 @@
-Created by tack.py 0.9.7
-Created at 2012-08-31T19:14:51Z
------BEGIN TACK PRIVATE KEY-----
-AQAAIABLL9BmznVXdNdz10CZz8Eyt3EDka+1c7By4eCOLpgBnk+50urYJhoR+k7b
-XeOB02DHsyyklKqx+UDipnqobyvwd3kAHT4EHT2f3q+4XlnVrIF4bOufL3RZ4K7c
-TcbZ3xjrbRNVh+cAshoyD/8xnyi9aSBVcOukGlmuX11I/dEAUwikVX0/LywYqgUn
-cBFiH1Y=
------END TACK PRIVATE KEY-----
diff --git a/third_party/tlslite/tests/TACKs.pem b/third_party/tlslite/tests/TACKs.pem
deleted file mode 100644
index 11965555..0000000
--- a/third_party/tlslite/tests/TACKs.pem
+++ /dev/null
@@ -1,16 +0,0 @@
-Created by TACK.py 0.9.6
-Created at 2012-05-08T15:53:56Z
------BEGIN TACK-----
-lJ7JcxIC9y6i/jTkTh+MXf0aO23J58PjUQCAI4vCMINlcMGSC8Vyq9On51hk5zAz
-DlIdXzC7zcUC7AN7/alXYwAAAkJ0Bb8+RaM9YEywaJEGViKJJmpYG/gJHgfGaefI
-9kKbXSDmXHI2tbZPnCxzR4ZXz21HxFm1SPYijTKm4zm5dAzXzvneOTRf/SFbY0dZ
-s7UpHKK4yOhREoGH8z8kxxD5/BXb5A==
------END TACK-----
-Created by tack.py 0.9.7
-Created at 2012-08-31T19:15:38Z
------BEGIN TACK-----
-x7MspJSqsflA4qZ6qG8r8Hd5AB0+BB09n96vuF5Z1ayBeGzrny90WeCu3E3G2d8Y
-620TVYfnALIaMg//MZ8ovQAAAkMcxb8+RaM9YEywaJEGViKJJmpYG/gJHgfGaefI
-9kKbXSDmq3tmkncGftPeMAUh3T2vcXNiRnRqyFArnCKr2gCSj2vsCiS3F+qVhaUv
-OyxAcIhminamGruajdPSXMtlCCwWag==
------END TACK-----
diff --git a/third_party/tlslite/tests/TACKunrelated.pem b/third_party/tlslite/tests/TACKunrelated.pem
deleted file mode 100644
index daf0c63..0000000
--- a/third_party/tlslite/tests/TACKunrelated.pem
+++ /dev/null
@@ -1,8 +0,0 @@
-Created by TACK.py 0.9.6
-Created at 2012-05-08T17:12:57Z
------BEGIN TACK-----
-lJ7JcxIC9y6i/jTkTh+MXf0aO23J58PjUQCAI4vCMINlcMGSC8Vyq9On51hk5zAz
-DlIdXzC7zcUC7AN7/alXYwMFAchwkzK2S2ZyeiBj5AZvO5WMsKruV2pezv2VM5m7
-iHRzHZWHnUVusrs/d04QnVS2Btmt5hECAKdcWK0qZHnMxhZhom9DExiqLQW0A05E
-xHvWKhN8y6J9UATLvGjjm3U7oyNxzQ==
------END TACK-----
diff --git a/third_party/tlslite/tests/clientX509Cert.pem b/third_party/tlslite/tests/clientX509Cert.pem
deleted file mode 100644
index f2cfa36..0000000
--- a/third_party/tlslite/tests/clientX509Cert.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICfjCCAecCCQDgdeCLz7d92jANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdPYWtsYW5kMQ8wDQYDVQQKEwZUcmV2
-Q28xCzAJBgNVBAsTAkNBMRIwEAYDVQQDEwlUcmV2Q28gQ0ExIDAeBgkqhkiG9w0B
-CQEWEXRsc2xpdGVAdHJldnAubmV0MB4XDTEyMDIwNjAxMDMxMVoXDTQyMDEyOTAx
-MDMxMVowgYUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHT2Fr
-bGFuZDEPMA0GA1UEChMGVHJldkNvMQwwCgYDVQQLFANSJkQxFjAUBgNVBAMTDVRy
-ZXZvciBQZXJyaW4xIDAeBgkqhkiG9w0BCQEWEXRsc2xpdGVAdHJldnAubmV0MIGf
-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrncYzz0HWlT3ELBTZ1Jt/ZDFWlHW9
-SrhlwR5Pd8bEonXCxhomAssz4SkJMaByGFyAUAT4bqf41PV50y5lkYVfgUIy8qQS
-Gd/qJrNuFa6odWt3MExQdVCXKTOdjYQmhwvXo6zlf7u/Sj5NICAWmXRHZFBljqG8
-QasxPrLSbWUtWQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJRqUTQ6pZ71rm46+qXo
-Sqc5tnj42uIn1eIfnm5pbPxXFvuP3RbuHVO140+LQL844c2JCOKeu9dQPKxoRNU7
-sQLdo8+o+KboiYif6m9Ial4ss0I5MhPPVi9heguRbcFHx+87q8xdN7vd6Wn2gw/l
-IV+b9EUQMWYFBCokR8o7o+IV
------END CERTIFICATE-----
diff --git a/third_party/tlslite/tests/clientX509Key.pem b/third_party/tlslite/tests/clientX509Key.pem
deleted file mode 100644
index e728c69..0000000
--- a/third_party/tlslite/tests/clientX509Key.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXwIBAAKBgQCrncYzz0HWlT3ELBTZ1Jt/ZDFWlHW9SrhlwR5Pd8bEonXCxhom
-Assz4SkJMaByGFyAUAT4bqf41PV50y5lkYVfgUIy8qQSGd/qJrNuFa6odWt3MExQ
-dVCXKTOdjYQmhwvXo6zlf7u/Sj5NICAWmXRHZFBljqG8QasxPrLSbWUtWQIDAQAB
-AoGBAIo99cMWWTq5zZ+QwtsV4Iyl8PiFbrKk1hVhk0EAgyUymRnk6ntkFLwdzCiT
-yWMfLKRP0TEuMjDHm1YfP2ih6ITMh83SLF4og0dDzU+tn3PX/XWaoYZr8HsFTDMi
-FhrWXXBX8ST3F2aEyOxXZj8SGFu5YIJ8iemztANzZVSvYkWBAkEA2EbI6rnpXc5t
-fKhdkXa0c8l+Uyn/8JadHJ8sobzNhZ/CeC0a9PwhZLQvsRgNXXjYUFJ7N2igoIrk
-y0e8f+iD/QJBAMsjFrsrhmXcksf4RX6ZAg1rcJS115JjH2EnbbWd2nBLHUBwywGh
-VJhNyQRWBNlVGMrYWCQwHcZNOdUsvmLX140CQQC5v2GDpxQ0irwh2gAylH67CwzB
-pEq6eMCK+nI8nojtAJ7m0+ZZDcooUVC8imnAI6+0nIJSvjtmZqPFquDMAgiJAkEA
-ox/mXR+yqZHbfSHuDJ+qekRQ/9qW5kMbK9WR0EqW454uO1VYcFKxsCymxAiflDc1
-1Y6uGUFaZ6gUTQ/FQ3K48QJBAIlPKkD8VfNg/3B6wq7gmqRIy9MblLLZo2Qh4nZA
-4icCv/vpHH+o6Ccxad03LQKsTNJl3z52G4sKgASudWiBbLs=
------END RSA PRIVATE KEY-----
diff --git a/third_party/tlslite/tests/httpsclient.py b/third_party/tlslite/tests/httpsclient.py
deleted file mode 100755
index 1a764d7..0000000
--- a/third_party/tlslite/tests/httpsclient.py
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/env python
-from __future__ import print_function
-from tlslite import HTTPTLSConnection, HandshakeSettings
-
-settings = HandshakeSettings()
-settings.useExperimentalTackExtension = True
-
-h = HTTPTLSConnection("localhost", 4443, settings=settings)    
-h.request("GET", "/index.html")
-r = h.getresponse()
-print(r.read())
diff --git a/third_party/tlslite/tests/httpsserver.sh b/third_party/tlslite/tests/httpsserver.sh
deleted file mode 100755
index 7449ad72..0000000
--- a/third_party/tlslite/tests/httpsserver.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-python ../scripts/tls.py server -k serverX509Key.pem -c serverX509Cert.pem -t TACK1.pem localhost:4443
diff --git a/third_party/tlslite/tests/index.html b/third_party/tlslite/tests/index.html
deleted file mode 100644
index 8cc93d31..0000000
--- a/third_party/tlslite/tests/index.html
+++ /dev/null
@@ -1,9 +0,0 @@
-<html>
-<head>
-<title>TLS Lite test server</title>
-</head>
-<body>
-<H1>TLS Lite test server</H1>
-<b>I am a TLS Lite HTTPS test server<br>
-</body>
-</html>
diff --git a/third_party/tlslite/tests/serverX509Cert.pem b/third_party/tlslite/tests/serverX509Cert.pem
deleted file mode 100644
index f3c86e4e..0000000
--- a/third_party/tlslite/tests/serverX509Cert.pem
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICfzCCAegCCQDgdeCLz7d93DANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQHEwdPYWtsYW5kMQ8wDQYDVQQKEwZUcmV2
-Q28xCzAJBgNVBAsTAkNBMRIwEAYDVQQDEwlUcmV2Q28gQ0ExIDAeBgkqhkiG9w0B
-CQEWEXRsc2xpdGVAdHJldnAubmV0MB4XDTEyMDIwNjAxMDg0OFoXDTQyMDEyOTAx
-MDg0OFowgYYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEBxMHT2Fr
-bGFuZDEPMA0GA1UEChMGVHJldkNvMQwwCgYDVQQLFANSJkQxFzAVBgNVBAMTDnRl
-c3QudHJldnAubmV0MSAwHgYJKoZIhvcNAQkBFhF0bHNsaXRlQHRyZXZwLm5ldDCB
-nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqcLSY6l8mJQgMcSp6Vj0EohRlYEC
-5cj4xcMvkQ+tKEJpAs2r//4Xyn5vQrv2GHOgOTOCKa87tcAWGWrsbGYiRETBCz8k
-/1uf6FPTPN+FSOkuylPzNcuGk1bo+d9l3nyeNkDjem0SqZfmOwZc2h9+yLB8J4iU
-lt1Sv9IZfcioQ/cCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCz201zjXEC2yTuJBN3
-XT3Q/HXxPOnwkyU3+gKCGJmXeGoVoFDD23RbJ0Nabux1vnQHC4YsHNXPN1b++UOo
-NcewUzJbrg9R7VP1teQsLEfaj26oeJkp2yls0b1PrWu/4aTpG7VORdPBeiCn7Alu
-+3uDeYqQxcaaRGK2rWBJ3OeQkg==
------END CERTIFICATE-----
diff --git a/third_party/tlslite/tests/serverX509Key.pem b/third_party/tlslite/tests/serverX509Key.pem
deleted file mode 100644
index b1f74839..0000000
--- a/third_party/tlslite/tests/serverX509Key.pem
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCpwtJjqXyYlCAxxKnpWPQSiFGVgQLlyPjFwy+RD60oQmkCzav/
-/hfKfm9Cu/YYc6A5M4Iprzu1wBYZauxsZiJERMELPyT/W5/oU9M834VI6S7KU/M1
-y4aTVuj532XefJ42QON6bRKpl+Y7BlzaH37IsHwniJSW3VK/0hl9yKhD9wIDAQAB
-AoGAf7+yX3ld39woVgtu6cEc+w1Gh8EsEwun2frGQt2PKuq+53Mq6lumP6XhyFB2
-I3RvsFwIqaHKxz0j5EDIZdJ+GbPwDIcgDONamVIpT8OZcEgBBDjLByfeGzCikCMI
-rBOVh5qRfpfJjs5tDzyceYHs7Yc3/Jh0AuRCZvprXp1rLnECQQDTuE0FyCGmykiy
-m/qYUI6ere9zRJLprUx8BLwhIGl1a32PJjKLQIyRVvf7wigIeRsaY/Q/nZ6ByKRz
-u9bXmQzrAkEAzUP/tIRI8OpczKYydlUL12f4F61sABrE0lP5cdvG6rky2AAR7BkG
-7Ftto4wuevFf3mz6PF5ifMD/l/NmwiqyJQJBAMgq4h9KRI6Vhz/eeoFRAFYDqnS3
-a5KkdsB2FYvYQfxywQX7HiRLxdqPd+s9eG3yWe6Me9s9YSPhF6IYAJpbqDsCQQCh
-zIbj+R4x4NrTafH++pzB569UopuuHWulyxGmITJT1TXxs2RtMXEWoB71Ostsl5UV
-E9vP+Coz4kHWucL3LIaNAkBvxJvpFwOENSKCoGaflkl6K1Rta3IQJzrb6cRpfGmR
-wT8Zbt5J8toXmGVqYnOnLfgJpVaCROe4CxOUL30FDuAl
------END RSA PRIVATE KEY-----
diff --git a/third_party/tlslite/tests/tlstest.py b/third_party/tlslite/tests/tlstest.py
deleted file mode 100755
index 7985d23..0000000
--- a/third_party/tlslite/tests/tlstest.py
+++ /dev/null
@@ -1,797 +0,0 @@
-#!/usr/bin/env python
-
-# Authors: 
-#   Trevor Perrin
-#   Kees Bos - Added tests for XML-RPC
-#   Dimitris Moraitis - Anon ciphersuites
-#   Marcelo Fernandez - Added test for NPN
-#   Martin von Loewis - python 3 port
-
-#
-# See the LICENSE file for legal information regarding use of this file.
-from __future__ import print_function
-import sys
-import os
-import os.path
-import socket
-import time
-import getopt
-try:
-    from BaseHTTPServer import HTTPServer
-    from SimpleHTTPServer import SimpleHTTPRequestHandler
-except ImportError:
-    from http.server import HTTPServer, SimpleHTTPRequestHandler
-
-from tlslite import TLSConnection, Fault, HandshakeSettings, \
-    X509, X509CertChain, IMAP4_TLS, VerifierDB, Session, SessionCache, \
-    parsePEMKey, constants, \
-    AlertDescription, HTTPTLSConnection, TLSSocketServerMixIn, \
-    POP3_TLS, m2cryptoLoaded, pycryptoLoaded, gmpyLoaded, tackpyLoaded, \
-    Checker, __version__
-
-from tlslite.errors import *
-from tlslite.utils.cryptomath import prngName
-try:
-    import xmlrpclib
-except ImportError:
-    # Python 3
-    from xmlrpc import client as xmlrpclib
-from tlslite import *
-
-try:
-    from tack.structures.Tack import Tack
-    
-except ImportError:
-    pass
-
-def printUsage(s=None):
-    if m2cryptoLoaded:
-        crypto = "M2Crypto/OpenSSL"
-    else:
-        crypto = "Python crypto"        
-    if s:
-        print("ERROR: %s" % s)
-    print("""\ntls.py version %s (using %s)  
-
-Commands:
-  server HOST:PORT DIRECTORY
-
-  client HOST:PORT DIRECTORY
-""" % (__version__, crypto))
-    sys.exit(-1)
-    
-
-def testConnClient(conn):
-    b1 = os.urandom(1)
-    b10 = os.urandom(10)
-    b100 = os.urandom(100)
-    b1000 = os.urandom(1000)
-    conn.write(b1)
-    conn.write(b10)
-    conn.write(b100)
-    conn.write(b1000)
-    assert(conn.read(min=1, max=1) == b1)
-    assert(conn.read(min=10, max=10) == b10)
-    assert(conn.read(min=100, max=100) == b100)
-    assert(conn.read(min=1000, max=1000) == b1000)
-
-def clientTestCmd(argv):
-    
-    address = argv[0]
-    dir = argv[1]    
-
-    #Split address into hostname/port tuple
-    address = address.split(":")
-    address = ( address[0], int(address[1]) )
-
-    def connect():
-        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        if hasattr(sock, 'settimeout'): #It's a python 2.3 feature
-            sock.settimeout(5)
-        sock.connect(address)
-        c = TLSConnection(sock)
-        return c
-
-    test = 0
-
-    badFault = False
-
-    print("Test 0 - anonymous handshake")
-    connection = connect()
-    connection.handshakeClientAnonymous()
-    testConnClient(connection)
-    connection.close()
-        
-    print("Test 1 - good X509 (plus SNI)")
-    connection = connect()
-    connection.handshakeClientCert(serverName=address[0])
-    testConnClient(connection)
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    assert(connection.session.serverName == address[0])
-    connection.close()
-
-    print("Test 1.a - good X509, SSLv3")
-    connection = connect()
-    settings = HandshakeSettings()
-    settings.minVersion = (3,0)
-    settings.maxVersion = (3,0)
-    connection.handshakeClientCert(settings=settings)
-    testConnClient(connection)    
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    connection.close()    
-
-    print("Test 1.b - good X509, RC4-MD5")
-    connection = connect()
-    settings = HandshakeSettings()
-    settings.macNames = ["md5"]
-    connection.handshakeClientCert(settings=settings)
-    testConnClient(connection)    
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    assert(connection.session.cipherSuite == constants.CipherSuite.TLS_RSA_WITH_RC4_128_MD5)
-    connection.close()
-
-    if tackpyLoaded:
-                    
-        settings = HandshakeSettings()
-        settings.useExperimentalTackExtension = True
-
-        print("Test 2.a - good X.509, TACK")
-        connection = connect()
-        connection.handshakeClientCert(settings=settings)
-        assert(connection.session.tackExt.tacks[0].getTackId() == "rrted.ptvtl.d2uiq.ox2xe.w4ss3")
-        assert(connection.session.tackExt.activation_flags == 1)        
-        testConnClient(connection)    
-        connection.close()    
-
-        print("Test 2.b - good X.509, TACK unrelated to cert chain")
-        connection = connect()
-        try:
-            connection.handshakeClientCert(settings=settings)
-            assert(False)
-        except TLSLocalAlert as alert:
-            if alert.description != AlertDescription.illegal_parameter:
-                raise        
-        connection.close()
-
-    print("Test 3 - good SRP")
-    connection = connect()
-    connection.handshakeClientSRP("test", "password")
-    testConnClient(connection)
-    connection.close()
-
-    print("Test 4 - SRP faults")
-    for fault in Fault.clientSrpFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeClientSRP("test", "password")
-            print("  Good Fault %s" % (Fault.faultNames[fault]))
-        except TLSFaultError as e:
-            print("  BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
-            badFault = True
-
-    print("Test 6 - good SRP: with X.509 certificate, TLSv1.0")
-    settings = HandshakeSettings()
-    settings.minVersion = (3,1)
-    settings.maxVersion = (3,1)    
-    connection = connect()
-    connection.handshakeClientSRP("test", "password", settings=settings)
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    testConnClient(connection)
-    connection.close()
-
-    print("Test 7 - X.509 with SRP faults")
-    for fault in Fault.clientSrpFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeClientSRP("test", "password")
-            print("  Good Fault %s" % (Fault.faultNames[fault]))
-        except TLSFaultError as e:
-            print("  BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
-            badFault = True
-
-    print("Test 11 - X.509 faults")
-    for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeClientCert()
-            print("  Good Fault %s" % (Fault.faultNames[fault]))
-        except TLSFaultError as e:
-            print("  BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
-            badFault = True
-
-    print("Test 14 - good mutual X509")
-    x509Cert = X509().parse(open(os.path.join(dir, "clientX509Cert.pem")).read())
-    x509Chain = X509CertChain([x509Cert])
-    s = open(os.path.join(dir, "clientX509Key.pem")).read()
-    x509Key = parsePEMKey(s, private=True)
-
-    connection = connect()
-    connection.handshakeClientCert(x509Chain, x509Key)
-    testConnClient(connection)
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    connection.close()
-
-    print("Test 14.a - good mutual X509, SSLv3")
-    connection = connect()
-    settings = HandshakeSettings()
-    settings.minVersion = (3,0)
-    settings.maxVersion = (3,0)
-    connection.handshakeClientCert(x509Chain, x509Key, settings=settings)
-    testConnClient(connection)
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    connection.close()
-
-    print("Test 15 - mutual X.509 faults")
-    for fault in Fault.clientCertFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeClientCert(x509Chain, x509Key)
-            print("  Good Fault %s" % (Fault.faultNames[fault]))
-        except TLSFaultError as e:
-            print("  BAD FAULT %s: %s" % (Fault.faultNames[fault], str(e)))
-            badFault = True
-
-    print("Test 18 - good SRP, prepare to resume... (plus SNI)")
-    connection = connect()
-    connection.handshakeClientSRP("test", "password", serverName=address[0])
-    testConnClient(connection)
-    connection.close()
-    session = connection.session
-
-    print("Test 19 - resumption (plus SNI)")
-    connection = connect()
-    connection.handshakeClientSRP("test", "garbage", serverName=address[0], 
-                                    session=session)
-    testConnClient(connection)
-    #Don't close! -- see below
-
-    print("Test 20 - invalidated resumption (plus SNI)")
-    connection.sock.close() #Close the socket without a close_notify!
-    connection = connect()
-    try:
-        connection.handshakeClientSRP("test", "garbage", 
-                        serverName=address[0], session=session)
-        assert(False)
-    except TLSRemoteAlert as alert:
-        if alert.description != AlertDescription.bad_record_mac:
-            raise
-    connection.close()
-    
-    print("Test 21 - HTTPS test X.509")
-    address = address[0], address[1]+1
-    if hasattr(socket, "timeout"):
-        timeoutEx = socket.timeout
-    else:
-        timeoutEx = socket.error
-    while 1:
-        try:
-            time.sleep(2)
-            htmlBody = bytearray(open(os.path.join(dir, "index.html")).read(), "utf-8")
-            fingerprint = None
-            for y in range(2):
-                checker =Checker(x509Fingerprint=fingerprint)
-                h = HTTPTLSConnection(\
-                        address[0], address[1], checker=checker)
-                for x in range(3):
-                    h.request("GET", "/index.html")
-                    r = h.getresponse()
-                    assert(r.status == 200)
-                    b = bytearray(r.read())
-                    assert(b == htmlBody)
-                fingerprint = h.tlsSession.serverCertChain.getFingerprint()
-                assert(fingerprint)
-            time.sleep(2)
-            break
-        except timeoutEx:
-            print("timeout, retrying...")
-            pass
-
-    address = address[0], address[1]+1
-
-    implementations = []
-    if m2cryptoLoaded:
-        implementations.append("openssl")
-    if pycryptoLoaded:
-        implementations.append("pycrypto")
-    implementations.append("python")
-
-    print("Test 22 - different ciphers, TLSv1.0")
-    for implementation in implementations:
-        for cipher in ["aes128", "aes256", "rc4"]:
-
-            print("Test 22:", end=' ')
-            connection = connect()
-
-            settings = HandshakeSettings()
-            settings.cipherNames = [cipher]
-            settings.cipherImplementations = [implementation, "python"]
-            settings.minVersion = (3,1)
-            settings.maxVersion = (3,1)            
-            connection.handshakeClientCert(settings=settings)
-            testConnClient(connection)
-            print("%s %s" % (connection.getCipherName(), connection.getCipherImplementation()))
-            connection.close()
-
-    print("Test 23 - throughput test")
-    for implementation in implementations:
-        for cipher in ["aes128gcm", "aes128", "aes256", "3des", "rc4"]:
-            if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
-                continue
-            if cipher == "aes128gcm" and implementation not in ("pycrypto", "python"):
-                continue
-
-            print("Test 23:", end=' ')
-            connection = connect()
-
-            settings = HandshakeSettings()
-            settings.cipherNames = [cipher]
-            settings.cipherImplementations = [implementation, "python"]
-            connection.handshakeClientCert(settings=settings)
-            print("%s %s:" % (connection.getCipherName(), connection.getCipherImplementation()), end=' ')
-
-            startTime = time.clock()
-            connection.write(b"hello"*10000)
-            h = connection.read(min=50000, max=50000)
-            stopTime = time.clock()
-            if stopTime-startTime:
-                print("100K exchanged at rate of %d bytes/sec" % int(100000/(stopTime-startTime)))
-            else:
-                print("100K exchanged very fast")
-
-            assert(h == b"hello"*10000)
-            connection.close()
-    
-    print("Test 24.a - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'http/1.1')
-    connection.close()
-
-    print("Test 24.b - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'spdy/2')
-    connection.close()
-    
-    print("Test 24.c - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'spdy/2')
-    connection.close()
-    
-    print("Test 24.d - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'spdy/2')
-    connection.close()
-    
-    print("Test 24.e - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'spdy/3')
-    connection.close()
-
-    print("Test 24.f - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'http/1.1')
-    connection.close()
-
-    print("Test 24.g - Next-Protocol Client Negotiation")
-    connection = connect()
-    connection.handshakeClientCert(nextProtos=[b"spdy/2", b"http/1.1"])
-    #print("  Next-Protocol Negotiated: %s" % connection.next_proto)
-    assert(connection.next_proto == b'spdy/2')
-    connection.close()
-    
-    print('Test 25 - good standard XMLRPC https client')
-    time.sleep(2) # Hack for lack of ability to set timeout here
-    address = address[0], address[1]+1
-    server = xmlrpclib.Server('https://%s:%s' % address)
-    assert server.add(1,2) == 3
-    assert server.pow(2,4) == 16
-
-    print('Test 26 - good tlslite XMLRPC client')
-    transport = XMLRPCTransport(ignoreAbruptClose=True)
-    server = xmlrpclib.Server('https://%s:%s' % address, transport)
-    assert server.add(1,2) == 3
-    assert server.pow(2,4) == 16
-
-    print('Test 27 - good XMLRPC ignored protocol')
-    server = xmlrpclib.Server('http://%s:%s' % address, transport)
-    assert server.add(1,2) == 3
-    assert server.pow(2,4) == 16
-        
-    print("Test 28 - Internet servers test")
-    try:
-        i = IMAP4_TLS("cyrus.andrew.cmu.edu")
-        i.login("anonymous", "anonymous@anonymous.net")
-        i.logout()
-        print("Test 28: IMAP4 good")
-        p = POP3_TLS("pop.gmail.com")
-        p.quit()
-        print("Test 29: POP3 good")
-    except socket.error as e:
-        print("Non-critical error: socket error trying to reach internet server: ", e)   
-
-    if not badFault:
-        print("Test succeeded")
-    else:
-        print("Test failed")
-
-
-
-def testConnServer(connection):
-    count = 0
-    while 1:
-        s = connection.read()
-        count += len(s)
-        if len(s) == 0:
-            break
-        connection.write(s)
-        if count == 1111:
-            break
-
-def serverTestCmd(argv):
-
-    address = argv[0]
-    dir = argv[1]
-    
-    #Split address into hostname/port tuple
-    address = address.split(":")
-    address = ( address[0], int(address[1]) )
-
-    #Connect to server
-    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    lsock.bind(address)
-    lsock.listen(5)
-
-    def connect():
-        return TLSConnection(lsock.accept()[0])
-
-    x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
-    x509Chain = X509CertChain([x509Cert])
-    s = open(os.path.join(dir, "serverX509Key.pem")).read()
-    x509Key = parsePEMKey(s, private=True)
-
-    print("Test 0 - Anonymous server handshake")
-    connection = connect()
-    connection.handshakeServer(anon=True)
-    testConnServer(connection)    
-    connection.close() 
-    
-    print("Test 1 - good X.509")
-    connection = connect()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
-    assert(connection.session.serverName == address[0])    
-    testConnServer(connection)    
-    connection.close()
-
-    print("Test 1.a - good X.509, SSL v3")
-    connection = connect()
-    settings = HandshakeSettings()
-    settings.minVersion = (3,0)
-    settings.maxVersion = (3,0)
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
-    testConnServer(connection)
-    connection.close()            
-
-    print("Test 1.b - good X.509, RC4-MD5")
-    connection = connect()
-    settings = HandshakeSettings()
-    settings.macNames = ["sha", "md5"]
-    settings.cipherNames = ["rc4"]
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, settings=settings)
-    testConnServer(connection)
-    connection.close()            
-    
-    if tackpyLoaded:
-        tack = Tack.createFromPem(open("./TACK1.pem", "rU").read())
-        tackUnrelated = Tack.createFromPem(open("./TACKunrelated.pem", "rU").read())    
-            
-        settings = HandshakeSettings()
-        settings.useExperimentalTackExtension = True
-
-        print("Test 2.a - good X.509, TACK")
-        connection = connect()
-        connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
-            tacks=[tack], activationFlags=1, settings=settings)
-        testConnServer(connection)    
-        connection.close()        
-
-        print("Test 2.b - good X.509, TACK unrelated to cert chain")
-        connection = connect()
-        try:
-            connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
-                tacks=[tackUnrelated], settings=settings)
-            assert(False)
-        except TLSRemoteAlert as alert:
-            if alert.description != AlertDescription.illegal_parameter:
-                raise        
-    
-    print("Test 3 - good SRP")
-    verifierDB = VerifierDB()
-    verifierDB.create()
-    entry = VerifierDB.makeVerifier("test", "password", 1536)
-    verifierDB["test"] = entry
-
-    connection = connect()
-    connection.handshakeServer(verifierDB=verifierDB)
-    testConnServer(connection)
-    connection.close()
-
-    print("Test 4 - SRP faults")
-    for fault in Fault.clientSrpFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeServer(verifierDB=verifierDB)
-            assert()
-        except:
-            pass
-        connection.close()
-
-    print("Test 6 - good SRP: with X.509 cert")
-    connection = connect()
-    connection.handshakeServer(verifierDB=verifierDB, \
-                               certChain=x509Chain, privateKey=x509Key)
-    testConnServer(connection)    
-    connection.close()
-
-    print("Test 7 - X.509 with SRP faults")
-    for fault in Fault.clientSrpFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeServer(verifierDB=verifierDB, \
-                                       certChain=x509Chain, privateKey=x509Key)
-            assert()
-        except:
-            pass
-        connection.close()
-
-    print("Test 11 - X.509 faults")
-    for fault in Fault.clientNoAuthFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
-            assert()
-        except:
-            pass
-        connection.close()
-
-    print("Test 14 - good mutual X.509")
-    connection = connect()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
-    testConnServer(connection)
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    connection.close()
-
-    print("Test 14a - good mutual X.509, SSLv3")
-    connection = connect()
-    settings = HandshakeSettings()
-    settings.minVersion = (3,0)
-    settings.maxVersion = (3,0)
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True, settings=settings)
-    testConnServer(connection)
-    assert(isinstance(connection.session.serverCertChain, X509CertChain))
-    connection.close()
-
-    print("Test 15 - mutual X.509 faults")
-    for fault in Fault.clientCertFaults + Fault.genericFaults:
-        connection = connect()
-        connection.fault = fault
-        try:
-            connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, reqCert=True)
-            assert()
-        except:
-            pass
-        connection.close()
-
-    print("Test 18 - good SRP, prepare to resume")
-    sessionCache = SessionCache()
-    connection = connect()
-    connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
-    assert(connection.session.serverName == address[0])    
-    testConnServer(connection)
-    connection.close()
-
-    print("Test 19 - resumption")
-    connection = connect()
-    connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
-    assert(connection.session.serverName == address[0])
-    testConnServer(connection)    
-    #Don't close! -- see next test
-
-    print("Test 20 - invalidated resumption")
-    try:
-        connection.read(min=1, max=1)
-        assert() #Client is going to close the socket without a close_notify
-    except TLSAbruptCloseError as e:
-        pass
-    connection = connect()
-    try:
-        connection.handshakeServer(verifierDB=verifierDB, sessionCache=sessionCache)
-    except TLSLocalAlert as alert:
-        if alert.description != AlertDescription.bad_record_mac:
-            raise
-    connection.close()
-
-    print("Test 21 - HTTPS test X.509")
-
-    #Close the current listening socket
-    lsock.close()
-
-    #Create and run an HTTP Server using TLSSocketServerMixIn
-    class MyHTTPServer(TLSSocketServerMixIn,
-                       HTTPServer):
-        def handshake(self, tlsConnection):
-                tlsConnection.handshakeServer(certChain=x509Chain, privateKey=x509Key)
-                return True
-    cd = os.getcwd()
-    os.chdir(dir)
-    address = address[0], address[1]+1
-    httpd = MyHTTPServer(address, SimpleHTTPRequestHandler)
-    for x in range(6):
-        httpd.handle_request()
-    httpd.server_close()
-    cd = os.chdir(cd)
-
-    #Re-connect the listening socket
-    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    address = address[0], address[1]+1
-    lsock.bind(address)
-    lsock.listen(5)
-
-    implementations = []
-    if m2cryptoLoaded:
-        implementations.append("openssl")
-    if pycryptoLoaded:
-        implementations.append("pycrypto")
-    implementations.append("python")
-
-    print("Test 22 - different ciphers")
-    for implementation in ["python"] * len(implementations):
-        for cipher in ["aes128", "aes256", "rc4"]:
-
-            print("Test 22:", end=' ')
-            connection = connect()
-
-            settings = HandshakeSettings()
-            settings.cipherNames = [cipher]
-            settings.cipherImplementations = [implementation, "python"]
-
-            connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
-                                        settings=settings)
-            print(connection.getCipherName(), connection.getCipherImplementation())
-            testConnServer(connection)
-            connection.close()
-
-    print("Test 23 - throughput test")
-    for implementation in implementations:
-        for cipher in ["aes128gcm", "aes128", "aes256", "3des", "rc4"]:
-            if cipher == "3des" and implementation not in ("openssl", "pycrypto"):
-                continue
-            if cipher == "aes128gcm" and implementation not in ("pycrypto", "python"):
-                continue
-
-            print("Test 23:", end=' ')
-            connection = connect()
-
-            settings = HandshakeSettings()
-            settings.cipherNames = [cipher]
-            settings.cipherImplementations = [implementation, "python"]
-
-            connection.handshakeServer(certChain=x509Chain, privateKey=x509Key,
-                                        settings=settings)
-            print(connection.getCipherName(), connection.getCipherImplementation())
-            h = connection.read(min=50000, max=50000)
-            assert(h == b"hello"*10000)
-            connection.write(h)
-            connection.close()
-
-    print("Test 24.a - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[b"http/1.1"])
-    testConnServer(connection)
-    connection.close()
-
-    print("Test 24.b - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
-    testConnServer(connection)
-    connection.close()
-    
-    print("Test 24.c - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[b"http/1.1", b"spdy/2"])
-    testConnServer(connection)
-    connection.close()
-
-    print("Test 24.d - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[b"spdy/2", b"http/1.1"])
-    testConnServer(connection)
-    connection.close()
-    
-    print("Test 24.e - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[b"http/1.1", b"spdy/2", b"spdy/3"])
-    testConnServer(connection)
-    connection.close()
-    
-    print("Test 24.f - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[b"spdy/3", b"spdy/2"])
-    testConnServer(connection)
-    connection.close()
-    
-    print("Test 24.g - Next-Protocol Server Negotiation")
-    connection = connect()
-    settings = HandshakeSettings()
-    connection.handshakeServer(certChain=x509Chain, privateKey=x509Key, 
-                               settings=settings, nextProtos=[])
-    testConnServer(connection)
-    connection.close()
-
-    print("Tests 25-27 - XMLRPXC server")
-    address = address[0], address[1]+1
-    class Server(TLSXMLRPCServer):
-
-        def handshake(self, tlsConnection):
-          try:
-              tlsConnection.handshakeServer(certChain=x509Chain,
-                                            privateKey=x509Key,
-                                            sessionCache=sessionCache)
-              tlsConnection.ignoreAbruptClose = True
-              return True
-          except TLSError as error:
-              print("Handshake failure:", str(error))
-              return False
-
-    class MyFuncs:
-        def pow(self, x, y): return pow(x, y)
-        def add(self, x, y): return x + y
-
-    server = Server(address)
-    server.register_instance(MyFuncs())
-    #sa = server.socket.getsockname()
-    #print "Serving HTTPS on", sa[0], "port", sa[1]
-    for i in range(6):
-        server.handle_request()
-
-    print("Test succeeded")
-
-
-if __name__ == '__main__':
-    if len(sys.argv) < 2:
-        printUsage("Missing command")
-    elif sys.argv[1] == "client"[:len(sys.argv[1])]:
-        clientTestCmd(sys.argv[2:])
-    elif sys.argv[1] == "server"[:len(sys.argv[1])]:
-        serverTestCmd(sys.argv[2:])
-    else:
-        printUsage("Unknown command: %s" % sys.argv[1])
diff --git a/third_party/tlslite/tests/verifierDB b/third_party/tlslite/tests/verifierDB
deleted file mode 100644
index 8e23c9d..0000000
--- a/third_party/tlslite/tests/verifierDB
+++ /dev/null
Binary files differ
diff --git a/third_party/tlslite/tlslite/__init__.py b/third_party/tlslite/tlslite/__init__.py
deleted file mode 100644
index acb5d3a..0000000
--- a/third_party/tlslite/tlslite/__init__.py
+++ /dev/null
@@ -1,28 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite is a free python library that implements SSL and TLS. TLS Lite
-supports RSA and SRP ciphersuites. TLS Lite is pure python, however it can use
-other libraries for faster crypto operations. TLS Lite integrates with several
-stdlib neworking libraries.
-
-API documentation is available in the 'docs' directory.
-
-If you have questions or feedback, feel free to contact me.
-
-To use, do::
-
-    from tlslite import TLSConnection, ...
-    
-If you want to import the most useful objects, the cleanest way is:
-
-    from tlslite.api import *
-
-Then use the L{tlslite.TLSConnection.TLSConnection} class with a socket.
-(Or, use one of the integration classes in L{tlslite.integration}).
-
-@version: 0.4.8
-"""
-
-from tlslite.api import *
-from tlslite.api import __version__ # Unsure why this is needed, but it is
diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py
deleted file mode 100644
index aabcc14..0000000
--- a/third_party/tlslite/tlslite/api.py
+++ /dev/null
@@ -1,32 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-__version__ = "0.4.8"
-from .constants import AlertLevel, AlertDescription, ClientCertificateType, \
-                       Fault
-from .errors import *
-from .checker import Checker
-from .handshakesettings import HandshakeSettings
-from .session import Session
-from .sessioncache import SessionCache
-from .tlsconnection import TLSConnection
-from .verifierdb import VerifierDB
-from .x509 import X509
-from .x509certchain import X509CertChain
-
-from .integration.httptlsconnection import HTTPTLSConnection
-from .integration.tlssocketservermixin import TLSSocketServerMixIn
-from .integration.tlsasyncdispatchermixin import TLSAsyncDispatcherMixIn
-from .integration.pop3_tls import POP3_TLS
-from .integration.imap4_tls import IMAP4_TLS
-from .integration.smtp_tls import SMTP_TLS
-from .integration.xmlrpctransport import XMLRPCTransport
-from .integration.xmlrpcserver import TLSXMLRPCRequestHandler, \
-                                      TLSXMLRPCServer, \
-                                      MultiPathTLSXMLRPCServer
-
-from .utils.cryptomath import m2cryptoLoaded, gmpyLoaded, \
-                             pycryptoLoaded, prngName
-from .utils.keyfactory import generateRSAKey, parsePEMKey, \
-                             parseAsPublicKey, parsePrivateKey
-from .utils.tackwrapper import tackpyLoaded
diff --git a/third_party/tlslite/tlslite/basedb.py b/third_party/tlslite/tlslite/basedb.py
deleted file mode 100644
index e6b7944..0000000
--- a/third_party/tlslite/tlslite/basedb.py
+++ /dev/null
@@ -1,130 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Base class for SharedKeyDB and VerifierDB."""
-
-try:
-    import anydbm
-except ImportError:
-    # Python 3
-    import dbm as anydbm
-import threading
-
-class BaseDB(object):
-    def __init__(self, filename, type):
-        self.type = type
-        self.filename = filename
-        if self.filename:
-            self.db = None
-        else:
-            self.db = {}
-        self.lock = threading.Lock()
-
-    def create(self):
-        """Create a new on-disk database.
-
-        @raise anydbm.error: If there's a problem creating the database.
-        """
-        if self.filename:
-            self.db = anydbm.open(self.filename, "n") #raises anydbm.error
-            self.db["--Reserved--type"] = self.type
-            self.db.sync()
-        else:
-            self.db = {}
-
-    def open(self):
-        """Open a pre-existing on-disk database.
-
-        @raise anydbm.error: If there's a problem opening the database.
-        @raise ValueError: If the database is not of the right type.
-        """
-        if not self.filename:
-            raise ValueError("Can only open on-disk databases")
-        self.db = anydbm.open(self.filename, "w") #raises anydbm.error
-        try:
-            if self.db["--Reserved--type"] != self.type:
-                raise ValueError("Not a %s database" % self.type)
-        except KeyError:
-            raise ValueError("Not a recognized database")
-
-    def __getitem__(self, username):
-        if self.db == None:
-            raise AssertionError("DB not open")
-
-        self.lock.acquire()
-        try:
-            valueStr = self.db[username]
-        finally:
-            self.lock.release()
-
-        return self._getItem(username, valueStr)
-
-    def __setitem__(self, username, value):
-        if self.db == None:
-            raise AssertionError("DB not open")
-
-        valueStr = self._setItem(username, value)
-
-        self.lock.acquire()
-        try:
-            self.db[username] = valueStr
-            if self.filename:
-                self.db.sync()
-        finally:
-            self.lock.release()
-
-    def __delitem__(self, username):
-        if self.db == None:
-            raise AssertionError("DB not open")
-
-        self.lock.acquire()
-        try:
-            del(self.db[username])
-            if self.filename:
-                self.db.sync()
-        finally:
-            self.lock.release()
-
-    def __contains__(self, username):
-        """Check if the database contains the specified username.
-
-        @type username: str
-        @param username: The username to check for.
-
-        @rtype: bool
-        @return: True if the database contains the username, False
-        otherwise.
-
-        """
-        if self.db == None:
-            raise AssertionError("DB not open")
-
-        self.lock.acquire()
-        try:
-            return self.db.has_key(username)
-        finally:
-            self.lock.release()
-
-    def check(self, username, param):
-        value = self.__getitem__(username)
-        return self._checkItem(value, username, param)
-
-    def keys(self):
-        """Return a list of usernames in the database.
-
-        @rtype: list
-        @return: The usernames in the database.
-        """
-        if self.db == None:
-            raise AssertionError("DB not open")
-
-        self.lock.acquire()
-        try:
-            usernames = self.db.keys()
-        finally:
-            self.lock.release()
-        usernames = [u for u in usernames if not u.startswith("--Reserved--")]
-        return usernames
diff --git a/third_party/tlslite/tlslite/checker.py b/third_party/tlslite/tlslite/checker.py
deleted file mode 100644
index 4f2ee82..0000000
--- a/third_party/tlslite/tlslite/checker.py
+++ /dev/null
@@ -1,77 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class for post-handshake certificate checking."""
-
-from .x509 import X509
-from .x509certchain import X509CertChain
-from .errors import *
-
-
-class Checker(object):
-    """This class is passed to a handshake function to check the other
-    party's certificate chain.
-
-    If a handshake function completes successfully, but the Checker
-    judges the other party's certificate chain to be missing or
-    inadequate, a subclass of
-    L{tlslite.errors.TLSAuthenticationError} will be raised.
-
-    Currently, the Checker can check an X.509 chain.
-    """
-
-    def __init__(self, 
-                 x509Fingerprint=None,
-                 checkResumedSession=False):
-        """Create a new Checker instance.
-
-        You must pass in one of these argument combinations:
-         - x509Fingerprint
-
-        @type x509Fingerprint: str
-        @param x509Fingerprint: A hex-encoded X.509 end-entity
-        fingerprint which the other party's end-entity certificate must
-        match.
-
-        @type checkResumedSession: bool
-        @param checkResumedSession: If resumed sessions should be
-        checked.  This defaults to False, on the theory that if the
-        session was checked once, we don't need to bother
-        re-checking it.
-        """
-
-        self.x509Fingerprint = x509Fingerprint
-        self.checkResumedSession = checkResumedSession
-
-    def __call__(self, connection):
-        """Check a TLSConnection.
-
-        When a Checker is passed to a handshake function, this will
-        be called at the end of the function.
-
-        @type connection: L{tlslite.tlsconnection.TLSConnection}
-        @param connection: The TLSConnection to examine.
-
-        @raise tlslite.errors.TLSAuthenticationError: If the other
-        party's certificate chain is missing or bad.
-        """
-        if not self.checkResumedSession and connection.resumed:
-            return
-
-        if self.x509Fingerprint:
-            if connection._client:
-                chain = connection.session.serverCertChain
-            else:
-                chain = connection.session.clientCertChain
-
-            if self.x509Fingerprint:
-                if isinstance(chain, X509CertChain):
-                    if self.x509Fingerprint:
-                        if chain.getFingerprint() != self.x509Fingerprint:
-                            raise TLSFingerprintError(\
-                                "X.509 fingerprint mismatch: %s, %s" % \
-                                (chain.getFingerprint(), self.x509Fingerprint))
-                elif chain:
-                    raise TLSAuthenticationTypeError()
-                else:
-                    raise TLSNoAuthenticationError()
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
deleted file mode 100644
index 3f994e7..0000000
--- a/third_party/tlslite/tlslite/constants.py
+++ /dev/null
@@ -1,471 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Google - defining ClientCertificateType
-#   Google (adapted by Sam Rushing) - NPN support
-#   Dimitris Moraitis - Anon ciphersuites
-#   Dave Baggett (Arcode Corporation) - canonicalCipherName
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Constants used in various places."""
-
-class CertificateType:
-    x509 = 0
-    openpgp = 1
-
-class ClientCertificateType:
-    # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
-    rsa_sign = 1
-    dss_sign = 2
-    rsa_fixed_dh = 3
-    dss_fixed_dh = 4
-    ecdsa_sign = 64
-    rsa_fixed_ecdh = 65
-    ecdsa_fixed_ecdh = 66
- 
-class HandshakeType:
-    hello_request = 0
-    client_hello = 1
-    server_hello = 2
-    certificate = 11
-    server_key_exchange = 12
-    certificate_request = 13
-    server_hello_done = 14
-    certificate_verify = 15
-    client_key_exchange = 16
-    finished = 20
-    certificate_status = 22
-    next_protocol = 67
-    encrypted_extensions = 203
-
-class ContentType:
-    change_cipher_spec = 20
-    alert = 21
-    handshake = 22
-    application_data = 23
-    all = (20,21,22,23)
-
-class CertificateStatusType:
-    ocsp = 1
-
-class ExtensionType:    # RFC 6066 / 4366
-    server_name = 0     # RFC 6066 / 4366
-    status_request = 5  # RFC 6066 / 4366
-    srp = 12            # RFC 5054
-    cert_type = 9       # RFC 6091
-    signature_algorithms = 13 # RFC 5246
-    alpn = 16           # RFC 7301
-    signed_cert_timestamps = 18  # RFC 6962
-    extended_master_secret = 23  # RFC 7627
-    token_binding = 24           # draft-ietf-tokbind-negotiation
-    supported_versions = 43      # RFC 8446
-    tack = 0xF300
-    supports_npn = 13172
-    channel_id = 30032
-    renegotiation_info = 0xFF01 # RFC 5746
-
-class HashAlgorithm:
-    none = 0
-    md5 = 1
-    sha1 = 2
-    sha224 = 3
-    sha256 = 4
-    sha384 = 5
-
-class SignatureAlgorithm:
-    anonymous = 0
-    rsa = 1
-    dsa = 2
-    ecdsa = 3
-    
-class NameType:
-    host_name = 0
-
-class ECCurveType:
-    explicit_prime = 1
-    explicit_char2 = 2
-    named_curve = 3
-
-class NamedCurve:
-    secp256r1 = 23
-
-class AlertLevel:
-    warning = 1
-    fatal = 2
-
-class AlertDescription:
-    """
-    @cvar bad_record_mac: A TLS record failed to decrypt properly.
-
-    If this occurs during a SRP handshake it most likely
-    indicates a bad password.  It may also indicate an implementation
-    error, or some tampering with the data in transit.
-
-    This alert will be signalled by the server if the SRP password is bad.  It
-    may also be signalled by the server if the SRP username is unknown to the
-    server, but it doesn't wish to reveal that fact.
-
-
-    @cvar handshake_failure: A problem occurred while handshaking.
-
-    This typically indicates a lack of common ciphersuites between client and
-    server, or some other disagreement (about SRP parameters or key sizes,
-    for example).
-
-    @cvar protocol_version: The other party's SSL/TLS version was unacceptable.
-
-    This indicates that the client and server couldn't agree on which version
-    of SSL or TLS to use.
-
-    @cvar user_canceled: The handshake is being cancelled for some reason.
-
-    """
-
-    close_notify = 0
-    unexpected_message = 10
-    bad_record_mac = 20
-    decryption_failed = 21
-    record_overflow = 22
-    decompression_failure = 30
-    handshake_failure = 40
-    no_certificate = 41 #SSLv3
-    bad_certificate = 42
-    unsupported_certificate = 43
-    certificate_revoked = 44
-    certificate_expired = 45
-    certificate_unknown = 46
-    illegal_parameter = 47
-    unknown_ca = 48
-    access_denied = 49
-    decode_error = 50
-    decrypt_error = 51
-    export_restriction = 60
-    protocol_version = 70
-    insufficient_security = 71
-    internal_error = 80
-    inappropriate_fallback = 86
-    user_canceled = 90
-    no_renegotiation = 100
-    unknown_psk_identity = 115
-
-
-class CipherSuite:
-    # Weird pseudo-ciphersuite from RFC 5746
-    # Signals that "secure renegotiation" is supported
-    # We actually don't do any renegotiation, but this
-    # prevents renegotiation attacks
-    TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
-
-    # draft-ietf-tls-downgrade-scsv-03
-    TLS_FALLBACK_SCSV = 0x5600
-    
-    TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA  = 0xC01A
-    TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
-    TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020
-
-    TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B
-    TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E
-    TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021
-
-
-    TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
-    TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
-    TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
-    TLS_RSA_WITH_RC4_128_SHA = 0x0005
-    
-    TLS_RSA_WITH_RC4_128_MD5 = 0x0004
-
-    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
-
-    TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034
-    TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
-
-    TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C
-    TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D
-
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
-
-    TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
-    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
-
-    TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011
-    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012
-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013
-    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014
-    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f
-
-    tripleDESSuites = []
-    tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-    tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-    tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-    tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
-    tripleDESSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
-
-    aes128Suites = []
-    aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
-    aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
-    aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
-    aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
-    aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-    aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-    aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-    aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-    aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
-
-    aes256Suites = []
-    aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
-    aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
-    aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
-    aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-    aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-    aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-    aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-    aes256Suites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-
-    aes128GcmSuites = []
-    aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-    aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-    aes128GcmSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
-
-    rc4Suites = []
-    rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
-    rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5)
-    rc4Suites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
-    
-    shaSuites = []
-    shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-    shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
-    shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
-    shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-    shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
-    shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
-    shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-    shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
-    shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
-    shaSuites.append(TLS_RSA_WITH_RC4_128_SHA)
-    shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
-    shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
-    shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-    shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-    shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-    shaSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
-    shaSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
-    shaSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-    shaSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-    
-    sha256Suites = []
-    sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-    sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-    sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-    sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-    sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-    sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-    sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
-    sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
-
-
-    aeadSuites = aes128GcmSuites
-
-
-    md5Suites = []
-    md5Suites.append(TLS_RSA_WITH_RC4_128_MD5)
-
-    @staticmethod
-    def _filterSuites(suites, settings, version=None):
-        if version is None:
-            version = settings.maxVersion
-        macNames = settings.macNames
-        cipherNames = settings.cipherNames
-        keyExchangeNames = settings.keyExchangeNames
-        macSuites = []
-        if "sha" in macNames:
-            macSuites += CipherSuite.shaSuites
-        if "sha256" in macNames and version >= (3,3):
-            macSuites += CipherSuite.sha256Suites
-        if "md5" in macNames:
-            macSuites += CipherSuite.md5Suites
-        if "aead" in macNames and version >= (3,3):
-            macSuites += CipherSuite.aeadSuites
-
-        cipherSuites = []
-        if "aes128gcm" in cipherNames and version >= (3,3):
-            cipherSuites += CipherSuite.aes128GcmSuites
-        if "aes128" in cipherNames:
-            cipherSuites += CipherSuite.aes128Suites
-        if "aes256" in cipherNames:
-            cipherSuites += CipherSuite.aes256Suites
-        if "3des" in cipherNames:
-            cipherSuites += CipherSuite.tripleDESSuites
-        if "rc4" in cipherNames:
-            cipherSuites += CipherSuite.rc4Suites
-
-        keyExchangeSuites = []
-        if "rsa" in keyExchangeNames:
-            keyExchangeSuites += CipherSuite.certSuites
-        if "dhe_rsa" in keyExchangeNames:
-            keyExchangeSuites += CipherSuite.dheCertSuites
-        if "ecdhe_rsa" in keyExchangeNames:
-            keyExchangeSuites += CipherSuite.ecdheCertSuites
-        if "srp_sha" in keyExchangeNames:
-            keyExchangeSuites += CipherSuite.srpSuites
-        if "srp_sha_rsa" in keyExchangeNames:
-            keyExchangeSuites += CipherSuite.srpCertSuites
-        if "dh_anon" in keyExchangeNames:
-            keyExchangeSuites += CipherSuite.anonSuites
-
-        return [s for s in suites if s in macSuites and
-                s in cipherSuites and s in keyExchangeSuites]
-
-    srpSuites = []
-    srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
-    srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
-    srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
-    
-    @staticmethod
-    def getSrpSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.srpSuites, settings, version)
-
-    srpCertSuites = []
-    srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
-    srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
-    srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
-    
-    @staticmethod
-    def getSrpCertSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings, version)
-
-    srpAllSuites = srpSuites + srpCertSuites
-
-    @staticmethod
-    def getSrpAllSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings, version)
-
-    certSuites = []
-    certSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
-    certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
-    certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
-    certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
-    certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
-    certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
-    certSuites.append(TLS_RSA_WITH_RC4_128_SHA)
-    certSuites.append(TLS_RSA_WITH_RC4_128_MD5)
-    
-    @staticmethod
-    def getCertSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.certSuites, settings, version)
-
-    dheCertSuites = []
-    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
-    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
-    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
-    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
-    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
-    dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
-
-    @staticmethod
-    def getDheCertSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, version)
-
-    ecdheCertSuites = []
-    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
-    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
-    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
-    ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA)
-
-    @staticmethod
-    def getEcdheCertSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.ecdheCertSuites, settings, version)
-
-    certAllSuites = srpCertSuites + certSuites + dheCertSuites + ecdheCertSuites
-
-    anonSuites = []
-    anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
-    anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
-    
-    @staticmethod
-    def getAnonSuites(settings, version=None):
-        return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, version)
-
-    dhAllSuites = dheCertSuites + anonSuites
-    ecdhAllSuites = ecdheCertSuites
-
-    @staticmethod
-    def canonicalCipherName(ciphersuite):
-        "Return the canonical name of the cipher whose number is provided."
-        if ciphersuite in CipherSuite.aes128Suites:
-            return "aes128"
-        elif ciphersuite in CipherSuite.aes256Suites:
-            return "aes256"
-        elif ciphersuite in CipherSuite.rc4Suites:
-            return "rc4"
-        elif ciphersuite in CipherSuite.tripleDESSuites:
-            return "3des"
-        else:
-            return None
-
-    @staticmethod
-    def canonicalMacName(ciphersuite):
-        "Return the canonical name of the MAC whose number is provided."
-        if ciphersuite in CipherSuite.shaSuites:
-            return "sha"
-        elif ciphersuite in CipherSuite.md5Suites:
-            return "md5"
-        else:
-            return None
-
-
-# The following faults are induced as part of testing.  The faultAlerts
-# dictionary describes the allowed alerts that may be triggered by these
-# faults.
-class Fault:
-    badUsername = 101
-    badPassword = 102
-    badA = 103
-    clientSrpFaults = list(range(101,104))
-
-    badVerifyMessage = 601
-    clientCertFaults = list(range(601,602))
-
-    badPremasterPadding = 501
-    shortPremasterSecret = 502
-    clientNoAuthFaults = list(range(501,503))
-
-    badB = 201
-    serverFaults = list(range(201,202))
-
-    badFinished = 300
-    badMAC = 301
-    badPadding = 302
-    genericFaults = list(range(300,303))
-
-    faultAlerts = {\
-        badUsername: (AlertDescription.unknown_psk_identity, \
-                      AlertDescription.bad_record_mac),\
-        badPassword: (AlertDescription.bad_record_mac,),\
-        badA: (AlertDescription.illegal_parameter,),\
-        badPremasterPadding: (AlertDescription.bad_record_mac,),\
-        shortPremasterSecret: (AlertDescription.bad_record_mac,),\
-        badVerifyMessage: (AlertDescription.decrypt_error,),\
-        badFinished: (AlertDescription.decrypt_error,),\
-        badMAC: (AlertDescription.bad_record_mac,),\
-        badPadding: (AlertDescription.bad_record_mac,)
-        }
-
-    faultNames = {\
-        badUsername: "bad username",\
-        badPassword: "bad password",\
-        badA: "bad A",\
-        badPremasterPadding: "bad premaster padding",\
-        shortPremasterSecret: "short premaster secret",\
-        badVerifyMessage: "bad verify message",\
-        badFinished: "bad finished message",\
-        badMAC: "bad MAC",\
-        badPadding: "bad padding"
-        }
diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite/errors.py
deleted file mode 100644
index 001ef33e..0000000
--- a/third_party/tlslite/tlslite/errors.py
+++ /dev/null
@@ -1,173 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Dave Baggett (Arcode Corporation) - Added TLSUnsupportedError.
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Exception classes.
-@sort: TLSError, TLSAbruptCloseError, TLSAlert, TLSLocalAlert, TLSRemoteAlert,
-TLSAuthenticationError, TLSNoAuthenticationError, TLSAuthenticationTypeError,
-TLSFingerprintError, TLSAuthorizationError, TLSValidationError, TLSFaultError,
-TLSUnsupportedError
-"""
-import socket
-
-from .constants import AlertDescription, AlertLevel
-
-class TLSError(Exception):
-    """Base class for all TLS Lite exceptions."""
-    
-    def __str__(self):
-        """"At least print out the Exception time for str(...)."""
-        return repr(self)    
-
-class TLSClosedConnectionError(TLSError, socket.error):
-    """An attempt was made to use the connection after it was closed."""
-    pass
-
-class TLSAbruptCloseError(TLSError):
-    """The socket was closed without a proper TLS shutdown.
-
-    The TLS specification mandates that an alert of some sort
-    must be sent before the underlying socket is closed.  If the socket
-    is closed without this, it could signify that an attacker is trying
-    to truncate the connection.  It could also signify a misbehaving
-    TLS implementation, or a random network failure.
-    """
-    pass
-
-class TLSAlert(TLSError):
-    """A TLS alert has been signalled."""
-    pass
-
-    _descriptionStr = {\
-        AlertDescription.close_notify: "close_notify",\
-        AlertDescription.unexpected_message: "unexpected_message",\
-        AlertDescription.bad_record_mac: "bad_record_mac",\
-        AlertDescription.decryption_failed: "decryption_failed",\
-        AlertDescription.record_overflow: "record_overflow",\
-        AlertDescription.decompression_failure: "decompression_failure",\
-        AlertDescription.handshake_failure: "handshake_failure",\
-        AlertDescription.no_certificate: "no certificate",\
-        AlertDescription.bad_certificate: "bad_certificate",\
-        AlertDescription.unsupported_certificate: "unsupported_certificate",\
-        AlertDescription.certificate_revoked: "certificate_revoked",\
-        AlertDescription.certificate_expired: "certificate_expired",\
-        AlertDescription.certificate_unknown: "certificate_unknown",\
-        AlertDescription.illegal_parameter: "illegal_parameter",\
-        AlertDescription.unknown_ca: "unknown_ca",\
-        AlertDescription.access_denied: "access_denied",\
-        AlertDescription.decode_error: "decode_error",\
-        AlertDescription.decrypt_error: "decrypt_error",\
-        AlertDescription.export_restriction: "export_restriction",\
-        AlertDescription.protocol_version: "protocol_version",\
-        AlertDescription.insufficient_security: "insufficient_security",\
-        AlertDescription.internal_error: "internal_error",\
-        AlertDescription.inappropriate_fallback: "inappropriate_fallback",\
-        AlertDescription.user_canceled: "user_canceled",\
-        AlertDescription.no_renegotiation: "no_renegotiation",\
-        AlertDescription.unknown_psk_identity: "unknown_psk_identity"}
-
-class TLSLocalAlert(TLSAlert):
-    """A TLS alert has been signalled by the local implementation.
-
-    @type description: int
-    @ivar description: Set to one of the constants in
-    L{tlslite.constants.AlertDescription}
-
-    @type level: int
-    @ivar level: Set to one of the constants in
-    L{tlslite.constants.AlertLevel}
-
-    @type message: str
-    @ivar message: Description of what went wrong.
-    """
-    def __init__(self, alert, message=None):
-        self.description = alert.description
-        self.level = alert.level
-        self.message = message
-
-    def __str__(self):
-        alertStr = TLSAlert._descriptionStr.get(self.description)
-        if alertStr == None:
-            alertStr = str(self.description)
-        if self.message:
-            return alertStr + ": " + self.message
-        else:
-            return alertStr
-
-class TLSRemoteAlert(TLSAlert):
-    """A TLS alert has been signalled by the remote implementation.
-
-    @type description: int
-    @ivar description: Set to one of the constants in
-    L{tlslite.constants.AlertDescription}
-
-    @type level: int
-    @ivar level: Set to one of the constants in
-    L{tlslite.constants.AlertLevel}
-    """
-    def __init__(self, alert):
-        self.description = alert.description
-        self.level = alert.level
-
-    def __str__(self):
-        alertStr = TLSAlert._descriptionStr.get(self.description)
-        if alertStr == None:
-            alertStr = str(self.description)
-        return alertStr
-
-class TLSAuthenticationError(TLSError):
-    """The handshake succeeded, but the other party's authentication
-    was inadequate.
-
-    This exception will only be raised when a
-    L{tlslite.Checker.Checker} has been passed to a handshake function.
-    The Checker will be invoked once the handshake completes, and if
-    the Checker objects to how the other party authenticated, a
-    subclass of this exception will be raised.
-    """
-    pass
-
-class TLSNoAuthenticationError(TLSAuthenticationError):
-    """The Checker was expecting the other party to authenticate with a
-    certificate chain, but this did not occur."""
-    pass
-
-class TLSAuthenticationTypeError(TLSAuthenticationError):
-    """The Checker was expecting the other party to authenticate with a
-    different type of certificate chain."""
-    pass
-
-class TLSFingerprintError(TLSAuthenticationError):
-    """The Checker was expecting the other party to authenticate with a
-    certificate chain that matches a different fingerprint."""
-    pass
-
-class TLSAuthorizationError(TLSAuthenticationError):
-    """The Checker was expecting the other party to authenticate with a
-    certificate chain that has a different authorization."""
-    pass
-
-class TLSValidationError(TLSAuthenticationError):
-    """The Checker has determined that the other party's certificate
-    chain is invalid."""
-    def __init__(self, msg, info=None):
-        # Include a dict containing info about this validation failure
-        TLSAuthenticationError.__init__(self, msg)
-        self.info = info
-
-class TLSFaultError(TLSError):
-    """The other party responded incorrectly to an induced fault.
-
-    This exception will only occur during fault testing, when a
-    TLSConnection's fault variable is set to induce some sort of
-    faulty behavior, and the other party doesn't respond appropriately.
-    """
-    pass
-
-
-class TLSUnsupportedError(TLSError):
-    """The implementation doesn't support the requested (or required)
-    capabilities."""
-    pass
diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
deleted file mode 100644
index a647af5..0000000
--- a/third_party/tlslite/tlslite/handshakesettings.py
+++ /dev/null
@@ -1,252 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Dave Baggett (Arcode Corporation) - cleanup handling of constants
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class for setting handshake parameters."""
-
-from .constants import CertificateType
-from .utils import cryptomath
-from .utils import cipherfactory
-
-CIPHER_NAMES = ["aes128gcm", "rc4", "aes256", "aes128", "3des"]
-MAC_NAMES = ["sha", "sha256", "aead"] # Don't allow "md5" by default.
-ALL_MAC_NAMES = MAC_NAMES + ["md5"]
-KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
-CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
-CERTIFICATE_TYPES = ["x509"]
-TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"]
-
-class HandshakeSettings(object):
-    """This class encapsulates various parameters that can be used with
-    a TLS handshake.
-    @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes,
-    minVersion, maxVersion
-
-    @type minKeySize: int
-    @ivar minKeySize: The minimum bit length for asymmetric keys.
-
-    If the other party tries to use SRP, RSA, or Diffie-Hellman
-    parameters smaller than this length, an alert will be
-    signalled.  The default is 1023.
-
-    @type maxKeySize: int
-    @ivar maxKeySize: The maximum bit length for asymmetric keys.
-
-    If the other party tries to use SRP, RSA, or Diffie-Hellman
-    parameters larger than this length, an alert will be signalled.
-    The default is 8193.
-
-    @type cipherNames: list
-    @ivar cipherNames: The allowed ciphers.
-
-    The allowed values in this list are 'aes256', 'aes128', '3des', and
-    'rc4'.  If these settings are used with a client handshake, they
-    determine the order of the ciphersuites offered in the ClientHello
-    message.
-
-    If these settings are used with a server handshake, the server will
-    choose whichever ciphersuite matches the earliest entry in this
-    list.
-
-    NOTE:  If '3des' is used in this list, but TLS Lite can't find an
-    add-on library that supports 3DES, then '3des' will be silently
-    removed.
-
-    The default value is ['rc4', 'aes256', 'aes128', '3des'].
-
-    @type macNames: list
-    @ivar macNames: The allowed MAC algorithms.
-    
-    The allowed values in this list are 'sha' and 'md5'.
-    
-    The default value is ['sha'].
-
-
-    @type certificateTypes: list
-    @ivar certificateTypes: The allowed certificate types.
-
-    The only allowed certificate type is 'x509'.  This list is only used with a
-    client handshake.  The client will advertise to the server which certificate
-    types are supported, and will check that the server uses one of the
-    appropriate types.
-
-
-    @type minVersion: tuple
-    @ivar minVersion: The minimum allowed SSL/TLS version.
-
-    This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for
-    TLS 1.1, or (3,3) for TLS 1.2.  If the other party wishes to use a lower
-    version, a protocol_version alert will be signalled.  The default is (3,1).
-
-    @type maxVersion: tuple
-    @ivar maxVersion: The maximum allowed SSL/TLS version.
-
-    This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for
-    TLS 1.1, or (3,3) for TLS 1.2.  If the other party wishes to use a higher
-    version, a protocol_version alert will be signalled.  The default is (3,3).
-    (WARNING: Some servers may (improperly) reject clients which offer support
-    for TLS 1.1.  In this case, try lowering maxVersion to (3,1)).
-
-    @type tlsIntolerant: tuple
-    @ivar tlsIntolerant: The TLS ClientHello version which the server
-    simulates intolerance of.
-
-    If tlsIntolerant is not None, the server will simulate TLS version
-    intolerance by aborting the handshake in response to all TLS versions
-    tlsIntolerant or higher.
-
-    @type tlsIntoleranceType: str
-    @ivar tlsIntoleranceType: How the server should react when simulating TLS
-    intolerance.
-
-    The allowed values are "alert" (return a fatal handshake_failure alert),
-    "close" (abruptly close the connection), and "reset" (send a TCP reset).
-    
-    @type useExperimentalTackExtension: bool
-    @ivar useExperimentalTackExtension: Whether to enabled TACK support.
-
-    @type alertAfterHandshake: bool
-    @ivar alertAfterHandshake: If true, the server will send a fatal
-    alert immediately after the handshake completes.
-
-    @type enableChannelID: bool
-    @ivar enableChannelID: If true, the server supports channel ID.
-
-    @type enableExtendedMasterSecret: bool
-    @ivar enableExtendedMasterSecret: If true, the server supports the extended
-    master secret TLS extension and will negotiated it with supporting clients.
-
-    @type supportedTokenBindingParams: list
-    @ivar supportedTokenBindingParams: A list of token binding parameters that
-    the server supports when negotiating token binding. List values are integers
-    corresponding to the TokenBindingKeyParameters enum in the Token Binding
-    Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's
-    preference order, with most preferred params first.
-
-    @type simulateTLS13Downgrade: bool
-    @ivar simulateTLS13Downgrade: If true, the server will simulate a TLS 1.3
-    to TLS 1.2 downgrade in the ServerHello random.
-
-    @type simulateTLS12Downgrade: bool
-    @ivar simulateTLS12Downgrade: If true, the server will simulate a TLS 1.2
-    to TLS 1.1 downgrade in the ServerHello random.
-
-    Note that TACK support is not standardized by IETF and uses a temporary
-    TLS Extension number, so should NOT be used in production software.
-
-    @type alpnProtos: list of strings.
-    @param alpnProtos: A list of supported upper layer protocols to use in the
-    Application-Layer Protocol Negotiation Extension (RFC 7301).  For the
-    client, the order does not matter.  For the server, the list is in
-    decreasing order of preference.
-    """
-    def __init__(self):
-        self.minKeySize = 1023
-        self.maxKeySize = 8193
-        self.cipherNames = CIPHER_NAMES
-        self.macNames = MAC_NAMES
-        self.keyExchangeNames = KEY_EXCHANGE_NAMES
-        self.cipherImplementations = CIPHER_IMPLEMENTATIONS
-        self.certificateTypes = CERTIFICATE_TYPES
-        self.minVersion = (3,1)
-        self.maxVersion = (3,3)
-        self.tlsIntolerant = None
-        self.tlsIntoleranceType = 'alert'
-        self.useExperimentalTackExtension = False
-        self.alertAfterHandshake = False
-        self.enableChannelID = True
-        self.enableExtendedMasterSecret = True
-        self.supportedTokenBindingParams = []
-        self.alpnProtos = None
-        self.simulateTLS13Downgrade = False
-        self.simulateTLS12Downgrade = False
-
-    # Validates the min/max fields, and certificateTypes
-    # Filters out unsupported cipherNames and cipherImplementations
-    def _filter(self):
-        other = HandshakeSettings()
-        other.minKeySize = self.minKeySize
-        other.maxKeySize = self.maxKeySize
-        other.cipherNames = self.cipherNames
-        other.macNames = self.macNames
-        other.keyExchangeNames = self.keyExchangeNames
-        other.cipherImplementations = self.cipherImplementations
-        other.certificateTypes = self.certificateTypes
-        other.minVersion = self.minVersion
-        other.maxVersion = self.maxVersion
-        other.tlsIntolerant = self.tlsIntolerant
-        other.tlsIntoleranceType = self.tlsIntoleranceType
-        other.alertAfterHandshake = self.alertAfterHandshake
-        other.enableChannelID = self.enableChannelID
-        other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
-        other.supportedTokenBindingParams = self.supportedTokenBindingParams
-        other.alpnProtos = self.alpnProtos;
-        other.simulateTLS13Downgrade = self.simulateTLS13Downgrade
-        other.simulateTLS12Downgrade = self.simulateTLS12Downgrade
-
-        if not cipherfactory.tripleDESPresent:
-            other.cipherNames = [e for e in self.cipherNames if e != "3des"]
-        if len(other.cipherNames)==0:
-            raise ValueError("No supported ciphers")
-        if len(other.certificateTypes)==0:
-            raise ValueError("No supported certificate types")
-
-        if not cryptomath.m2cryptoLoaded:
-            other.cipherImplementations = \
-                [e for e in other.cipherImplementations if e != "openssl"]
-        if not cryptomath.pycryptoLoaded:
-            other.cipherImplementations = \
-                [e for e in other.cipherImplementations if e != "pycrypto"]
-        if len(other.cipherImplementations)==0:
-            raise ValueError("No supported cipher implementations")
-
-        if other.minKeySize<512:
-            raise ValueError("minKeySize too small")
-        if other.minKeySize>16384:
-            raise ValueError("minKeySize too large")
-        if other.maxKeySize<512:
-            raise ValueError("maxKeySize too small")
-        if other.maxKeySize>16384:
-            raise ValueError("maxKeySize too large")
-        for s in other.cipherNames:
-            if s not in CIPHER_NAMES:
-                raise ValueError("Unknown cipher name: '%s'" % s)
-        for s in other.macNames:
-            if s not in ALL_MAC_NAMES:
-                raise ValueError("Unknown MAC name: '%s'" % s)
-        for s in other.keyExchangeNames:
-            if s not in KEY_EXCHANGE_NAMES:
-                raise ValueError("Unknown key exchange name: '%s'" % s)
-        for s in other.cipherImplementations:
-            if s not in CIPHER_IMPLEMENTATIONS:
-                raise ValueError("Unknown cipher implementation: '%s'" % s)
-        for s in other.certificateTypes:
-            if s not in CERTIFICATE_TYPES:
-                raise ValueError("Unknown certificate type: '%s'" % s)
-
-        if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES:
-            raise ValueError(
-                "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType)
-
-        if other.minVersion > other.maxVersion:
-            raise ValueError("Versions set incorrectly")
-
-        if not other.minVersion in ((3,0), (3,1), (3,2), (3,3)):
-            raise ValueError("minVersion set incorrectly")
-
-        if not other.maxVersion in ((3,0), (3,1), (3,2), (3,3)):
-            raise ValueError("maxVersion set incorrectly")
-
-        return other
-
-    def _getCertificateTypes(self):
-        l = []
-        for ct in self.certificateTypes:
-            if ct == "x509":
-                l.append(CertificateType.x509)
-            else:
-                raise AssertionError()
-        return l
diff --git a/third_party/tlslite/tlslite/integration/__init__.py b/third_party/tlslite/tlslite/integration/__init__.py
deleted file mode 100644
index 663dfb6..0000000
--- a/third_party/tlslite/tlslite/integration/__init__.py
+++ /dev/null
@@ -1,13 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Classes for integrating TLS Lite with other packages."""
-
-__all__ = ["asyncstatemachine",
-           "httptlsconnection",
-           "pop3_tls",
-           "imap4_tls",
-           "smtp_tls",
-           "xmlrpctransport",
-           "tlssocketservermixin",
-           "tlsasyncdispatchermixin"]
diff --git a/third_party/tlslite/tlslite/integration/asyncstatemachine.py b/third_party/tlslite/tlslite/integration/asyncstatemachine.py
deleted file mode 100644
index 9faf84f9..0000000
--- a/third_party/tlslite/tlslite/integration/asyncstatemachine.py
+++ /dev/null
@@ -1,238 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""
-A state machine for using TLS Lite with asynchronous I/O.
-"""
-
-class AsyncStateMachine:
-    """
-    This is an abstract class that's used to integrate TLS Lite with
-    asyncore and Twisted.
-
-    This class signals wantsReadsEvent() and wantsWriteEvent().  When
-    the underlying socket has become readable or writeable, the event
-    should be passed to this class by calling inReadEvent() or
-    inWriteEvent().  This class will then try to read or write through
-    the socket, and will update its state appropriately.
-
-    This class will forward higher-level events to its subclass.  For
-    example, when a complete TLS record has been received,
-    outReadEvent() will be called with the decrypted data.
-    """
-
-    def __init__(self):
-        self._clear()
-
-    def _clear(self):
-        #These store the various asynchronous operations (i.e.
-        #generators).  Only one of them, at most, is ever active at a
-        #time.
-        self.handshaker = None
-        self.closer = None
-        self.reader = None
-        self.writer = None
-
-        #This stores the result from the last call to the
-        #currently active operation.  If 0 it indicates that the
-        #operation wants to read, if 1 it indicates that the
-        #operation wants to write.  If None, there is no active
-        #operation.
-        self.result = None
-
-    def _checkAssert(self, maxActive=1):
-        #This checks that only one operation, at most, is
-        #active, and that self.result is set appropriately.
-        activeOps = 0
-        if self.handshaker:
-            activeOps += 1
-        if self.closer:
-            activeOps += 1
-        if self.reader:
-            activeOps += 1
-        if self.writer:
-            activeOps += 1
-
-        if self.result == None:
-            if activeOps != 0:
-                raise AssertionError()
-        elif self.result in (0,1):
-            if activeOps != 1:
-                raise AssertionError()
-        else:
-            raise AssertionError()
-        if activeOps > maxActive:
-            raise AssertionError()
-
-    def wantsReadEvent(self):
-        """If the state machine wants to read.
-
-        If an operation is active, this returns whether or not the
-        operation wants to read from the socket.  If an operation is
-        not active, this returns None.
-
-        @rtype: bool or None
-        @return: If the state machine wants to read.
-        """
-        if self.result != None:
-            return self.result == 0
-        return None
-
-    def wantsWriteEvent(self):
-        """If the state machine wants to write.
-
-        If an operation is active, this returns whether or not the
-        operation wants to write to the socket.  If an operation is
-        not active, this returns None.
-
-        @rtype: bool or None
-        @return: If the state machine wants to write.
-        """
-        if self.result != None:
-            return self.result == 1
-        return None
-
-    def outConnectEvent(self):
-        """Called when a handshake operation completes.
-
-        May be overridden in subclass.
-        """
-        pass
-
-    def outCloseEvent(self):
-        """Called when a close operation completes.
-
-        May be overridden in subclass.
-        """
-        pass
-
-    def outReadEvent(self, readBuffer):
-        """Called when a read operation completes.
-
-        May be overridden in subclass."""
-        pass
-
-    def outWriteEvent(self):
-        """Called when a write operation completes.
-
-        May be overridden in subclass."""
-        pass
-
-    def inReadEvent(self):
-        """Tell the state machine it can read from the socket."""
-        try:
-            self._checkAssert()
-            if self.handshaker:
-                self._doHandshakeOp()
-            elif self.closer:
-                self._doCloseOp()
-            elif self.reader:
-                self._doReadOp()
-            elif self.writer:
-                self._doWriteOp()
-            else:
-                self.reader = self.tlsConnection.readAsync(16384)
-                self._doReadOp()
-        except:
-            self._clear()
-            raise
-
-    def inWriteEvent(self):
-        """Tell the state machine it can write to the socket."""
-        try:
-            self._checkAssert()
-            if self.handshaker:
-                self._doHandshakeOp()
-            elif self.closer:
-                self._doCloseOp()
-            elif self.reader:
-                self._doReadOp()
-            elif self.writer:
-                self._doWriteOp()
-            else:
-                self.outWriteEvent()
-        except:
-            self._clear()
-            raise
-
-    def _doHandshakeOp(self):
-        try:
-            self.result = self.handshaker.next()
-        except StopIteration:
-            self.handshaker = None
-            self.result = None
-            self.outConnectEvent()
-
-    def _doCloseOp(self):
-        try:
-            self.result = self.closer.next()
-        except StopIteration:
-            self.closer = None
-            self.result = None
-            self.outCloseEvent()
-
-    def _doReadOp(self):
-        self.result = self.reader.next()
-        if not self.result in (0,1):
-            readBuffer = self.result
-            self.reader = None
-            self.result = None
-            self.outReadEvent(readBuffer)
-
-    def _doWriteOp(self):
-        try:
-            self.result = self.writer.next()
-        except StopIteration:
-            self.writer = None
-            self.result = None
-
-    def setHandshakeOp(self, handshaker):
-        """Start a handshake operation.
-
-        @type handshaker: generator
-        @param handshaker: A generator created by using one of the
-        asynchronous handshake functions (i.e. handshakeServerAsync, or
-        handshakeClientxxx(..., is_async=True).
-        """
-        try:
-            self._checkAssert(0)
-            self.handshaker = handshaker
-            self._doHandshakeOp()
-        except:
-            self._clear()
-            raise
-
-    def setServerHandshakeOp(self, **args):
-        """Start a handshake operation.
-
-        The arguments passed to this function will be forwarded to
-        L{tlslite.tlsconnection.TLSConnection.handshakeServerAsync}.
-        """
-        handshaker = self.tlsConnection.handshakeServerAsync(**args)
-        self.setHandshakeOp(handshaker)
-
-    def setCloseOp(self):
-        """Start a close operation.
-        """
-        try:
-            self._checkAssert(0)
-            self.closer = self.tlsConnection.closeAsync()
-            self._doCloseOp()
-        except:
-            self._clear()
-            raise
-
-    def setWriteOp(self, writeBuffer):
-        """Start a write operation.
-
-        @type writeBuffer: str
-        @param writeBuffer: The string to transmit.
-        """
-        try:
-            self._checkAssert(0)
-            self.writer = self.tlsConnection.writeAsync(writeBuffer)
-            self._doWriteOp()
-        except:
-            self._clear()
-            raise
-
diff --git a/third_party/tlslite/tlslite/integration/clienthelper.py b/third_party/tlslite/tlslite/integration/clienthelper.py
deleted file mode 100644
index 62e5961..0000000
--- a/third_party/tlslite/tlslite/integration/clienthelper.py
+++ /dev/null
@@ -1,122 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Dimitris Moraitis - Anon ciphersuites
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""
-A helper class for using TLS Lite with stdlib clients
-(httplib, xmlrpclib, imaplib, poplib).
-"""
-
-from tlslite.checker import Checker
-
-class ClientHelper(object):
-    """This is a helper class used to integrate TLS Lite with various
-    TLS clients (e.g. poplib, smtplib, httplib, etc.)"""
-
-    def __init__(self,
-              username=None, password=None,
-              certChain=None, privateKey=None,
-              checker=None,
-              settings = None, 
-              anon = False):
-        """
-        For client authentication, use one of these argument
-        combinations:
-         - username, password (SRP)
-         - certChain, privateKey (certificate)
-
-        For server authentication, you can either rely on the
-        implicit mutual authentication performed by SRP,
-        or you can do certificate-based server
-        authentication with one of these argument combinations:
-         - x509Fingerprint
-
-        Certificate-based server authentication is compatible with
-        SRP or certificate-based client authentication.
-
-        The constructor does not perform the TLS handshake itself, but
-        simply stores these arguments for later.  The handshake is
-        performed only when this class needs to connect with the
-        server.  Then you should be prepared to handle TLS-specific
-        exceptions.  See the client handshake functions in
-        L{tlslite.TLSConnection.TLSConnection} for details on which
-        exceptions might be raised.
-
-        @type username: str
-        @param username: SRP username.  Requires the
-        'password' argument.
-
-        @type password: str
-        @param password: SRP password for mutual authentication.
-        Requires the 'username' argument.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: Certificate chain for client authentication.
-        Requires the 'privateKey' argument.  Excludes the SRP arguments.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: Private key for client authentication.
-        Requires the 'certChain' argument.  Excludes the SRP arguments.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: Callable object called after handshaking to 
-        evaluate the connection and raise an Exception if necessary.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-        """
-
-        self.username = None
-        self.password = None
-        self.certChain = None
-        self.privateKey = None
-        self.checker = None
-        self.anon = anon
-
-        #SRP Authentication
-        if username and password and not \
-                (certChain or privateKey):
-            self.username = username
-            self.password = password
-
-        #Certificate Chain Authentication
-        elif certChain and privateKey and not \
-                (username or password):
-            self.certChain = certChain
-            self.privateKey = privateKey
-
-        #No Authentication
-        elif not password and not username and not \
-                certChain and not privateKey:
-            pass
-
-        else:
-            raise ValueError("Bad parameters")
-
-        self.checker = checker
-        self.settings = settings
-
-        self.tlsSession = None
-
-    def _handshake(self, tlsConnection):
-        if self.username and self.password:
-            tlsConnection.handshakeClientSRP(username=self.username,
-                                             password=self.password,
-                                             checker=self.checker,
-                                             settings=self.settings,
-                                             session=self.tlsSession)
-        elif self.anon:
-            tlsConnection.handshakeClientAnonymous(session=self.tlsSession,
-                                                settings=self.settings,
-                                                checker=self.checker)
-        else:
-            tlsConnection.handshakeClientCert(certChain=self.certChain,
-                                              privateKey=self.privateKey,
-                                              checker=self.checker,
-                                              settings=self.settings,
-                                              session=self.tlsSession)
-        self.tlsSession = tlsConnection.session
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/integration/httptlsconnection.py b/third_party/tlslite/tlslite/integration/httptlsconnection.py
deleted file mode 100644
index d8a002f..0000000
--- a/third_party/tlslite/tlslite/integration/httptlsconnection.py
+++ /dev/null
@@ -1,112 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Kees Bos - Added ignoreAbruptClose parameter
-#   Dimitris Moraitis - Anon ciphersuites
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite + httplib."""
-
-import socket
-try:
-    import httplib
-except ImportError:
-    # Python 3
-    from http import client as httplib
-from tlslite.tlsconnection import TLSConnection
-from tlslite.integration.clienthelper import ClientHelper
-
-
-class HTTPTLSConnection(httplib.HTTPConnection, ClientHelper):
-    """This class extends L{httplib.HTTPConnection} to support TLS."""
-
-    def __init__(self, host, port=None, strict=None, 
-                timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
-                source_address=None,
-                username=None, password=None,
-                certChain=None, privateKey=None,
-                checker=None,
-                settings=None,
-                ignoreAbruptClose=False, 
-                anon=False):
-        """Create a new HTTPTLSConnection.
-
-        For client authentication, use one of these argument
-        combinations:
-         - username, password (SRP)
-         - certChain, privateKey (certificate)
-
-        For server authentication, you can either rely on the
-        implicit mutual authentication performed by SRP
-        or you can do certificate-based server
-        authentication with one of these argument combinations:
-         - x509Fingerprint
-
-        Certificate-based server authentication is compatible with
-        SRP or certificate-based client authentication.
-
-        The constructor does not perform the TLS handshake itself, but
-        simply stores these arguments for later.  The handshake is
-        performed only when this class needs to connect with the
-        server.  Thus you should be prepared to handle TLS-specific
-        exceptions when calling methods inherited from
-        L{httplib.HTTPConnection} such as request(), connect(), and
-        send().  See the client handshake functions in
-        L{tlslite.TLSConnection.TLSConnection} for details on which
-        exceptions might be raised.
-
-        @type host: str
-        @param host: Server to connect to.
-
-        @type port: int
-        @param port: Port to connect to.
-
-        @type username: str
-        @param username: SRP username.  Requires the
-        'password' argument.
-
-        @type password: str
-        @param password: SRP password for mutual authentication.
-        Requires the 'username' argument.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain} or
-        @param certChain: Certificate chain for client authentication.
-        Requires the 'privateKey' argument.  Excludes the SRP arguments.
-        
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: Private key for client authentication.
-        Requires the 'certChain' argument.  Excludes the SRP arguments. 
-        
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: Callable object called after handshaking to 
-        evaluate the connection and raise an Exception if necessary.          
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-
-        @type ignoreAbruptClose: bool
-        @param ignoreAbruptClose: ignore the TLSAbruptCloseError on 
-        unexpected hangup.
-        """
-        if source_address:
-            httplib.HTTPConnection.__init__(self, host, port, strict,
-                                            timeout, source_address)
-        if not source_address:
-            httplib.HTTPConnection.__init__(self, host, port, strict,
-                                            timeout)
-        self.ignoreAbruptClose = ignoreAbruptClose
-        ClientHelper.__init__(self,
-                 username, password, 
-                 certChain, privateKey,
-                 checker,
-                 settings, 
-                 anon)
-
-    def connect(self):
-        httplib.HTTPConnection.connect(self)
-        self.sock = TLSConnection(self.sock)
-        self.sock.ignoreAbruptClose = self.ignoreAbruptClose
-        ClientHelper._handshake(self, self.sock)
diff --git a/third_party/tlslite/tlslite/integration/imap4_tls.py b/third_party/tlslite/tlslite/integration/imap4_tls.py
deleted file mode 100644
index 4703a31..0000000
--- a/third_party/tlslite/tlslite/integration/imap4_tls.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite + imaplib."""
-
-import socket
-from imaplib import IMAP4
-from tlslite.tlsconnection import TLSConnection
-from tlslite.integration.clienthelper import ClientHelper
-
-# IMAP TLS PORT
-IMAP4_TLS_PORT = 993
-
-class IMAP4_TLS(IMAP4, ClientHelper):
-    """This class extends L{imaplib.IMAP4} with TLS support."""
-
-    def __init__(self, host = '', port = IMAP4_TLS_PORT,
-                 username=None, password=None,
-                 certChain=None, privateKey=None,
-                 checker=None,
-                 settings=None):
-        """Create a new IMAP4_TLS.
-
-        For client authentication, use one of these argument
-        combinations:
-         - username, password (SRP)
-         - certChain, privateKey (certificate)
-
-        For server authentication, you can either rely on the
-        implicit mutual authentication performed by SRP
-        or you can do certificate-based server
-        authentication with one of these argument combinations:
-         - x509Fingerprint
-
-        Certificate-based server authentication is compatible with
-        SRP or certificate-based client authentication.
-
-        The caller should be prepared to handle TLS-specific
-        exceptions.  See the client handshake functions in
-        L{tlslite.TLSConnection.TLSConnection} for details on which
-        exceptions might be raised.
-
-        @type host: str
-        @param host: Server to connect to.
-
-        @type port: int
-        @param port: Port to connect to.
-
-        @type username: str
-        @param username: SRP username.  Requires the
-        'password' argument.
-
-        @type password: str
-        @param password: SRP password for mutual authentication.
-        Requires the 'username' argument.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: Certificate chain for client authentication.
-        Requires the 'privateKey' argument.  Excludes the SRP arguments.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: Private key for client authentication.
-        Requires the 'certChain' argument.  Excludes the SRP arguments.
-        
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: Callable object called after handshaking to 
-        evaluate the connection and raise an Exception if necessary.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-        """
-
-        ClientHelper.__init__(self,
-                 username, password,
-                 certChain, privateKey,
-                 checker,
-                 settings)
-
-        IMAP4.__init__(self, host, port)
-
-
-    def open(self, host = '', port = IMAP4_TLS_PORT):
-        """Setup connection to remote server on "host:port".
-
-        This connection will be used by the routines:
-        read, readline, send, shutdown.
-        """
-        self.host = host
-        self.port = port
-        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-        self.sock.connect((host, port))
-        self.sock = TLSConnection(self.sock)
-        ClientHelper._handshake(self, self.sock)
-        self.file = self.sock.makefile('rb')
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/integration/pop3_tls.py b/third_party/tlslite/tlslite/integration/pop3_tls.py
deleted file mode 100644
index 64f6124e..0000000
--- a/third_party/tlslite/tlslite/integration/pop3_tls.py
+++ /dev/null
@@ -1,84 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite + poplib."""
-
-import socket
-from poplib import POP3, POP3_SSL_PORT
-from tlslite.tlsconnection import TLSConnection
-from tlslite.integration.clienthelper import ClientHelper
-
-class POP3_TLS(POP3, ClientHelper):
-    """This class extends L{poplib.POP3} with TLS support."""
-
-    def __init__(self, host, port = POP3_SSL_PORT,
-                 timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
-                 username=None, password=None,
-                 certChain=None, privateKey=None,
-                 checker=None,
-                 settings=None):
-        """Create a new POP3_TLS.
-
-        For client authentication, use one of these argument
-        combinations:
-         - username, password (SRP)
-         - certChain, privateKey (certificate)
-
-        For server authentication, you can either rely on the
-        implicit mutual authentication performed by SRP or
-        you can do certificate-based server
-        authentication with one of these argument combinations:
-         - x509Fingerprint
-
-        Certificate-based server authentication is compatible with
-        SRP or certificate-based client authentication.
-
-        The caller should be prepared to handle TLS-specific
-        exceptions.  See the client handshake functions in
-        L{tlslite.TLSConnection.TLSConnection} for details on which
-        exceptions might be raised.
-
-        @type host: str
-        @param host: Server to connect to.
-
-        @type port: int
-        @param port: Port to connect to.
-
-        @type username: str
-        @param username: SRP username.
-        
-        @type password: str
-        @param password: SRP password for mutual authentication.
-        Requires the 'username' argument.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: Certificate chain for client authentication.
-        Requires the 'privateKey' argument.  Excludes the SRP argument.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: Private key for client authentication.
-        Requires the 'certChain' argument.  Excludes the SRP argument.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: Callable object called after handshaking to 
-        evaluate the connection and raise an Exception if necessary.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-        """
-        self.host = host
-        self.port = port
-        sock = socket.create_connection((host, port), timeout)
-        ClientHelper.__init__(self,
-                 username, password,
-                 certChain, privateKey,
-                 checker,
-                 settings)
-        connection = TLSConnection(sock) 
-        ClientHelper._handshake(self, connection)
-        self.sock = connection
-        self.file = self.sock.makefile('rb')
-        self._debugging = 0
-        self.welcome = self._getresp()
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/integration/smtp_tls.py b/third_party/tlslite/tlslite/integration/smtp_tls.py
deleted file mode 100644
index d4214732..0000000
--- a/third_party/tlslite/tlslite/integration/smtp_tls.py
+++ /dev/null
@@ -1,78 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite + smtplib."""
-
-from smtplib import SMTP
-from tlslite.tlsconnection import TLSConnection
-from tlslite.integration.clienthelper import ClientHelper
-
-class SMTP_TLS(SMTP):
-    """This class extends L{smtplib.SMTP} with TLS support."""
-
-    def starttls(self,
-                 username=None, password=None,
-                 certChain=None, privateKey=None,
-                 checker=None,
-                 settings=None):
-        """Puts the connection to the SMTP server into TLS mode.
-
-        If the server supports TLS, this will encrypt the rest of the SMTP
-        session.
-
-        For client authentication, use one of these argument
-        combinations:
-         - username, password (SRP)
-         - certChain, privateKey (certificate)
-
-        For server authentication, you can either rely on the
-        implicit mutual authentication performed by SRP or
-        you can do certificate-based server
-        authentication with one of these argument combinations:
-         - x509Fingerprint
-
-        Certificate-based server authentication is compatible with
-        SRP or certificate-based client authentication.
-
-        The caller should be prepared to handle TLS-specific
-        exceptions.  See the client handshake functions in
-        L{tlslite.TLSConnection.TLSConnection} for details on which
-        exceptions might be raised.
-
-        @type username: str
-        @param username: SRP username.  Requires the
-        'password' argument.
-
-        @type password: str
-        @param password: SRP password for mutual authentication.
-        Requires the 'username' argument.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: Certificate chain for client authentication.
-        Requires the 'privateKey' argument.  Excludes the SRP arguments.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: Private key for client authentication.
-        Requires the 'certChain' argument.  Excludes the SRP arguments.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: Callable object called after handshaking to 
-        evaluate the connection and raise an Exception if necessary.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-        """
-        (resp, reply) = self.docmd("STARTTLS")
-        if resp == 220:
-            helper = ClientHelper(
-                     username, password, 
-                     certChain, privateKey,
-                     checker,
-                     settings)
-            conn = TLSConnection(self.sock)
-            helper._handshake(conn)
-            self.sock = conn
-            self.file = conn.makefile('rb')
-        return (resp, reply)
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/integration/tlsasyncdispatchermixin.py b/third_party/tlslite/tlslite/integration/tlsasyncdispatchermixin.py
deleted file mode 100644
index dc32596..0000000
--- a/third_party/tlslite/tlslite/integration/tlsasyncdispatchermixin.py
+++ /dev/null
@@ -1,145 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite + asyncore."""
-
-
-import asyncore
-from tlslite.tlsconnection import TLSConnection
-from .asyncstatemachine import AsyncStateMachine
-
-
-class TLSAsyncDispatcherMixIn(AsyncStateMachine):
-    """This class can be "mixed in" with an
-    L{asyncore.dispatcher} to add TLS support.
-
-    This class essentially sits between the dispatcher and the select
-    loop, intercepting events and only calling the dispatcher when
-    applicable.
-
-    In the case of handle_read(), a read operation will be activated,
-    and when it completes, the bytes will be placed in a buffer where
-    the dispatcher can retrieve them by calling recv(), and the
-    dispatcher's handle_read() will be called.
-
-    In the case of handle_write(), the dispatcher's handle_write() will
-    be called, and when it calls send(), a write operation will be
-    activated.
-
-    To use this class, you must combine it with an asyncore.dispatcher,
-    and pass in a handshake operation with setServerHandshakeOp().
-
-    Below is an example of using this class with medusa.  This class is
-    mixed in with http_channel to create http_tls_channel.  Note:
-     1. the mix-in is listed first in the inheritance list
-
-     2. the input buffer size must be at least 16K, otherwise the
-       dispatcher might not read all the bytes from the TLS layer,
-       leaving some bytes in limbo.
-
-     3. IE seems to have a problem receiving a whole HTTP response in a
-     single TLS record, so HTML pages containing '\\r\\n\\r\\n' won't
-     be displayed on IE.
-
-    Add the following text into 'start_medusa.py', in the 'HTTP Server'
-    section::
-
-        from tlslite import *
-        s = open("./serverX509Cert.pem").read()
-        x509 = X509()
-        x509.parse(s)
-        certChain = X509CertChain([x509])
-
-        s = open("./serverX509Key.pem").read()
-        privateKey = parsePEMKey(s, private=True)
-
-        class http_tls_channel(TLSAsyncDispatcherMixIn,
-                               http_server.http_channel):
-            ac_in_buffer_size = 16384
-
-            def __init__ (self, server, conn, addr):
-                http_server.http_channel.__init__(self, server, conn, addr)
-                TLSAsyncDispatcherMixIn.__init__(self, conn)
-                self.tlsConnection.ignoreAbruptClose = True
-                self.setServerHandshakeOp(certChain=certChain,
-                                          privateKey=privateKey)
-
-        hs.channel_class = http_tls_channel
-
-    If the TLS layer raises an exception, the exception will be caught
-    in asyncore.dispatcher, which will call close() on this class.  The
-    TLS layer always closes the TLS connection before raising an
-    exception, so the close operation will complete right away, causing
-    asyncore.dispatcher.close() to be called, which closes the socket
-    and removes this instance from the asyncore loop.
-
-    """
-
-
-    def __init__(self, sock=None):
-        AsyncStateMachine.__init__(self)
-
-        if sock:
-            self.tlsConnection = TLSConnection(sock)
-
-        #Calculate the sibling I'm being mixed in with.
-        #This is necessary since we override functions
-        #like readable(), handle_read(), etc., but we
-        #also want to call the sibling's versions.
-        for cl in self.__class__.__bases__:
-            if cl != TLSAsyncDispatcherMixIn and cl != AsyncStateMachine:
-                self.siblingClass = cl
-                break
-        else:
-            raise AssertionError()
-
-    def readable(self):
-        result = self.wantsReadEvent()
-        if result != None:
-            return result
-        return self.siblingClass.readable(self)
-
-    def writable(self):
-        result = self.wantsWriteEvent()
-        if result != None:
-            return result
-        return self.siblingClass.writable(self)
-
-    def handle_read(self):
-        self.inReadEvent()
-
-    def handle_write(self):
-        self.inWriteEvent()
-
-    def outConnectEvent(self):
-        self.siblingClass.handle_connect(self)
-
-    def outCloseEvent(self):
-        asyncore.dispatcher.close(self)
-
-    def outReadEvent(self, readBuffer):
-        self.readBuffer = readBuffer
-        self.siblingClass.handle_read(self)
-
-    def outWriteEvent(self):
-        self.siblingClass.handle_write(self)
-
-    def recv(self, bufferSize=16384):
-        if bufferSize < 16384 or self.readBuffer == None:
-            raise AssertionError()
-        returnValue = self.readBuffer
-        self.readBuffer = None
-        return returnValue
-
-    def send(self, writeBuffer):
-        self.setWriteOp(writeBuffer)
-        return len(writeBuffer)
-
-    def close(self):
-        if hasattr(self, "tlsConnection"):
-            self.setCloseOp()
-        else:
-            asyncore.dispatcher.close(self)
diff --git a/third_party/tlslite/tlslite/integration/tlssocketservermixin.py b/third_party/tlslite/tlslite/integration/tlssocketservermixin.py
deleted file mode 100644
index 8e2182f..0000000
--- a/third_party/tlslite/tlslite/integration/tlssocketservermixin.py
+++ /dev/null
@@ -1,62 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""TLS Lite + SocketServer."""
-
-from tlslite.tlsconnection import TLSConnection
-
-class TLSSocketServerMixIn:
-    """
-    This class can be mixed in with any L{SocketServer.TCPServer} to
-    add TLS support.
-
-    To use this class, define a new class that inherits from it and
-    some L{SocketServer.TCPServer} (with the mix-in first). Then
-    implement the handshake() method, doing some sort of server
-    handshake on the connection argument.  If the handshake method
-    returns True, the RequestHandler will be triggered.  Below is a
-    complete example of a threaded HTTPS server::
-
-        from SocketServer import *
-        from BaseHTTPServer import *
-        from SimpleHTTPServer import *
-        from tlslite import *
-
-        s = open("./serverX509Cert.pem").read()
-        x509 = X509()
-        x509.parse(s)
-        certChain = X509CertChain([x509])
-
-        s = open("./serverX509Key.pem").read()
-        privateKey = parsePEMKey(s, private=True)
-
-        sessionCache = SessionCache()
-
-        class MyHTTPServer(ThreadingMixIn, TLSSocketServerMixIn,
-                           HTTPServer):
-          def handshake(self, tlsConnection):
-              try:
-                  tlsConnection.handshakeServer(certChain=certChain,
-                                                privateKey=privateKey,
-                                                sessionCache=sessionCache)
-                  tlsConnection.ignoreAbruptClose = True
-                  return True
-              except TLSError, error:
-                  print "Handshake failure:", str(error)
-                  return False
-
-        httpd = MyHTTPServer(('localhost', 443), SimpleHTTPRequestHandler)
-        httpd.serve_forever()
-    """
-
-
-    def finish_request(self, sock, client_address):
-        tlsConnection = TLSConnection(sock)
-        if self.handshake(tlsConnection) == True:
-            self.RequestHandlerClass(tlsConnection, client_address, self)
-            tlsConnection.close()
-
-    #Implement this method to do some form of handshaking.  Return True
-    #if the handshake finishes properly and the request is authorized.
-    def handshake(self, tlsConnection):
-        raise NotImplementedError()
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/integration/xmlrpcserver.py b/third_party/tlslite/tlslite/integration/xmlrpcserver.py
deleted file mode 100644
index c4f40cd9..0000000
--- a/third_party/tlslite/tlslite/integration/xmlrpcserver.py
+++ /dev/null
@@ -1,55 +0,0 @@
-# Authors:
-#   Kees Bos
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""xmlrpcserver.py - simple XML RPC server supporting TLS"""
-try:
-    from SimpleXMLRPCServer import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
-except ImportError:
-    # Python 3
-    from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler
-from .tlssocketservermixin import TLSSocketServerMixIn
-
-
-class TLSXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
-    """XMLRPCRequestHandler using TLS"""
-    
-    # Redefine the setup method (see SocketServer.StreamRequestHandler)
-    def setup(self):
-        self.connection = self.request
-        if getattr(self, 'timeout', None) is not None:
-            # Python 2.7
-            self.connection.settimeout(self.timeout)
-        self.rfile = self.connection.makefile('rb', self.rbufsize)
-        self.wfile = self.connection.makefile('wb', self.wbufsize)
-        
-    def do_POST(self):
-        """Handles the HTTPS POST request."""
-        SimpleXMLRPCRequestHandler.do_POST(self)
-        try:
-            # shut down the connection
-            self.connection.shutdown()
-        except:
-            pass
-
-
-class TLSXMLRPCServer(TLSSocketServerMixIn,
-                      SimpleXMLRPCServer):
-    """Simple XML-RPC server using TLS""" 
-
-    def __init__(self, addr, *args, **kwargs):
-        if not args and not 'requestHandler' in kwargs:
-            kwargs['requestHandler'] = TLSXMLRPCRequestHandler
-        SimpleXMLRPCServer.__init__(self, addr, *args, **kwargs)
-
-
-class MultiPathTLSXMLRPCServer(TLSXMLRPCServer):
-    """Multipath XML-RPC Server using TLS"""
-
-    def __init__(self, addr, *args, **kwargs):
-        TLSXMLRPCServer.__init__(addr, *args, **kwargs)
-        self.dispatchers = {}
-        self.allow_none = allow_none
-        self.encoding = encoding
diff --git a/third_party/tlslite/tlslite/integration/xmlrpctransport.py b/third_party/tlslite/tlslite/integration/xmlrpctransport.py
deleted file mode 100644
index de7fc5a..0000000
--- a/third_party/tlslite/tlslite/integration/xmlrpctransport.py
+++ /dev/null
@@ -1,133 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Kees Bos - Fixes for compatibility with different Python versions
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-
-"""TLS Lite + xmlrpclib."""
-
-try:
-    import xmlrpclib
-    import httplib
-except ImportError:
-    # Python 3
-    from xmlrpc import client as xmlrpclib
-    from http import client as httplib
-from tlslite.integration.httptlsconnection import HTTPTLSConnection
-from tlslite.integration.clienthelper import ClientHelper
-import tlslite.errors
-
-
-class XMLRPCTransport(xmlrpclib.Transport, ClientHelper):
-    """Handles an HTTPS transaction to an XML-RPC server."""
-
-    # Pre python 2.7, the make_connection returns a HTTP class
-    transport = xmlrpclib.Transport()
-    conn_class_is_http = not hasattr(transport, '_connection')
-    del(transport)
-
-    def __init__(self, use_datetime=0,
-                 username=None, password=None,
-                 certChain=None, privateKey=None,
-                 checker=None,
-                 settings=None,
-                 ignoreAbruptClose=False):
-        """Create a new XMLRPCTransport.
-
-        An instance of this class can be passed to L{xmlrpclib.ServerProxy}
-        to use TLS with XML-RPC calls::
-
-            from tlslite import XMLRPCTransport
-            from xmlrpclib import ServerProxy
-
-            transport = XMLRPCTransport(user="alice", password="abra123")
-            server = ServerProxy("https://localhost", transport)
-
-        For client authentication, use one of these argument
-        combinations:
-         - username, password (SRP)
-         - certChain, privateKey (certificate)
-
-        For server authentication, you can either rely on the
-        implicit mutual authentication performed by SRP or
-        you can do certificate-based server
-        authentication with one of these argument combinations:
-         - x509Fingerprint
-
-        Certificate-based server authentication is compatible with
-        SRP or certificate-based client authentication.
-
-        The constructor does not perform the TLS handshake itself, but
-        simply stores these arguments for later.  The handshake is
-        performed only when this class needs to connect with the
-        server.  Thus you should be prepared to handle TLS-specific
-        exceptions when calling methods of L{xmlrpclib.ServerProxy}.  See the
-        client handshake functions in
-        L{tlslite.TLSConnection.TLSConnection} for details on which
-        exceptions might be raised.
-
-        @type username: str
-        @param username: SRP username.  Requires the
-        'password' argument.
-
-        @type password: str
-        @param password: SRP password for mutual authentication.
-        Requires the 'username' argument.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: Certificate chain for client authentication.
-        Requires the 'privateKey' argument.  Excludes the SRP arguments.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: Private key for client authentication.
-        Requires the 'certChain' argument.  Excludes the SRP arguments.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: Callable object called after handshaking to 
-        evaluate the connection and raise an Exception if necessary.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-
-        @type ignoreAbruptClose: bool
-        @param ignoreAbruptClose: ignore the TLSAbruptCloseError on 
-        unexpected hangup.
-        """
-
-        # self._connection is new in python 2.7, since we're using it here,
-        # we'll add this ourselves too, just in case we're pre-2.7
-        self._connection = (None, None)
-        xmlrpclib.Transport.__init__(self, use_datetime)
-        self.ignoreAbruptClose = ignoreAbruptClose
-        ClientHelper.__init__(self,
-                 username, password, 
-                 certChain, privateKey,
-                 checker,
-                 settings)
-
-    def make_connection(self, host):
-        # return an existing connection if possible.  This allows
-        # HTTP/1.1 keep-alive.
-        if self._connection and host == self._connection[0]:
-            http = self._connection[1]
-        else:
-            # create a HTTPS connection object from a host descriptor
-            chost, extra_headers, x509 = self.get_host_info(host)
-
-            http = HTTPTLSConnection(chost, None,
-                                     username=self.username, password=self.password,
-                                     certChain=self.certChain, privateKey=self.privateKey,
-                                     checker=self.checker,
-                                     settings=self.settings,
-                                     ignoreAbruptClose=self.ignoreAbruptClose)
-            # store the host argument along with the connection object
-            self._connection = host, http
-        if not self.conn_class_is_http:
-            return http
-        http2 = httplib.HTTP()
-        http2._setup(http)
-        return http2
diff --git a/third_party/tlslite/tlslite/mathtls.py b/third_party/tlslite/tlslite/mathtls.py
deleted file mode 100644
index 0a23fe19..0000000
--- a/third_party/tlslite/tlslite/mathtls.py
+++ /dev/null
@@ -1,155 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Dave Baggett (Arcode Corporation) - MD5 support for MAC_SSL
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Miscellaneous helper functions."""
-
-from .utils.compat import *
-from .utils.cryptomath import *
-
-import hmac
-
-#1024, 1536, 2048, 3072, 4096, 6144, and 8192 bit groups]
-goodGroupParameters = [(2,0xEEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3),\
-                       (2,0x9DEF3CAFB939277AB1F12A8617A47BBBDBA51DF499AC4C80BEEEA9614B19CC4D5F4F5F556E27CBDE51C6A94BE4607A291558903BA0D0F84380B655BB9A22E8DCDF028A7CEC67F0D08134B1C8B97989149B609E0BE3BAB63D47548381DBC5B1FC764E3F4B53DD9DA1158BFD3E2B9C8CF56EDF019539349627DB2FD53D24B7C48665772E437D6C7F8CE442734AF7CCB7AE837C264AE3A9BEB87F8A2FE9B8B5292E5A021FFF5E91479E8CE7A28C2442C6F315180F93499A234DCF76E3FED135F9BB),\
-                       (2,0xAC6BDB41324A9A9BF166DE5E1389582FAF72B6651987EE07FC3192943DB56050A37329CBB4A099ED8193E0757767A13DD52312AB4B03310DCD7F48A9DA04FD50E8083969EDB767B0CF6095179A163AB3661A05FBD5FAAAE82918A9962F0B93B855F97993EC975EEAA80D740ADBF4FF747359D041D5C33EA71D281E446B14773BCA97B43A23FB801676BD207A436C6481F1D2B9078717461A5B9D32E688F87748544523B524B0D57D5EA77A2775D2ECFA032CFBDBF52FB3786160279004E57AE6AF874E7303CE53299CCC041C7BC308D82A5698F3A8D0C38271AE35F8E9DBFBB694B5C803D89F7AE435DE236D525F54759B65E372FCD68EF20FA7111F9E4AFF73),\
-                       (2,0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF),\
-                       (5,0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF),\
-                       (5,0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DCC4024FFFFFFFFFFFFFFFF),\
-                       (5,0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF)]
-
-def P_hash(macFunc, secret, seed, length):
-    bytes = bytearray(length)
-    A = seed
-    index = 0
-    while 1:
-        A = macFunc(secret, A)
-        output = macFunc(secret, A + seed)
-        for c in output:
-            if index >= length:
-                return bytes
-            bytes[index] = c
-            index += 1
-    return bytes
-
-def PRF(secret, label, seed, length):
-    #Split the secret into left and right halves
-    # which may share a byte if len is odd
-    S1 = secret[ : int(math.ceil(len(secret)/2.0))]
-    S2 = secret[ int(math.floor(len(secret)/2.0)) : ]
-
-    #Run the left half through P_MD5 and the right half through P_SHA1
-    p_md5 = P_hash(HMAC_MD5, S1, label + seed, length)
-    p_sha1 = P_hash(HMAC_SHA1, S2, label + seed, length)
-
-    #XOR the output values and return the result
-    for x in range(length):
-        p_md5[x] ^= p_sha1[x]
-    return p_md5
-
-def PRF_1_2(secret, label, seed, length):
-    return P_hash(HMAC_SHA256, secret, label + seed, length)
-
-def PRF_SSL(secret, seed, length):
-    bytes = bytearray(length)
-    index = 0
-    for x in range(26):
-        A = bytearray([ord('A')+x] * (x+1)) # 'A', 'BB', 'CCC', etc..
-        input = secret + SHA1(A + secret + seed)
-        output = MD5(input)
-        for c in output:
-            if index >= length:
-                return bytes
-            bytes[index] = c
-            index += 1
-    return bytes
-
-def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom,
-                     handshakeHash, useExtendedMasterSecret):
-    label = b"master secret"
-    seed = clientRandom + serverRandom
-    if useExtendedMasterSecret:
-        label = b"extended master secret"
-        seed = handshakeHash
-
-    if version == (3,0):
-        masterSecret = PRF_SSL(premasterSecret, seed, 48)
-    elif version in ((3,1), (3,2)):
-        masterSecret = PRF(premasterSecret, label, seed, 48)
-    elif version == (3,3):
-        masterSecret = PRF_1_2(premasterSecret, label, seed, 48)
-    else:
-        raise AssertionError()
-    return masterSecret
-
-
-def makeX(salt, username, password):
-    if len(username)>=256:
-        raise ValueError("username too long")
-    if len(salt)>=256:
-        raise ValueError("salt too long")
-    innerHashResult = SHA1(username + bytearray(b":") + password)
-    outerHashResult = SHA1(salt + innerHashResult)
-    return bytesToNumber(outerHashResult)
-
-#This function is used by VerifierDB.makeVerifier
-def makeVerifier(username, password, bits):
-    bitsIndex = {1024:0, 1536:1, 2048:2, 3072:3, 4096:4, 6144:5, 8192:6}[bits]
-    g,N = goodGroupParameters[bitsIndex]
-    salt = getRandomBytes(16)
-    x = makeX(salt, username, password)
-    verifier = powMod(g, x, N)
-    return N, g, salt, verifier
-
-def PAD(n, x):
-    nLength = len(numberToByteArray(n))
-    b = numberToByteArray(x)
-    if len(b) < nLength:
-        b = (b"\0" * (nLength-len(b))) + b
-    return b
-
-def makeU(N, A, B):
-  return bytesToNumber(SHA1(PAD(N, A) + PAD(N, B)))
-
-def makeK(N, g):
-  return bytesToNumber(SHA1(numberToByteArray(N) + PAD(N, g)))
-
-def createHMAC(k, digestmod=hashlib.sha1):
-    return hmac.HMAC(k, digestmod=digestmod)
-
-def createMAC_SSL(k, digestmod=None):
-    mac = MAC_SSL()
-    mac.create(k, digestmod=digestmod)
-    return mac
-
-
-class MAC_SSL(object):
-    def create(self, k, digestmod=None):
-        self.digestmod = digestmod or hashlib.sha1
-        # Repeat pad bytes 48 times for MD5; 40 times for other hash functions.
-        self.digest_size = 16 if (self.digestmod is hashlib.md5) else 20
-        repeat = 40 if self.digest_size == 20 else 48
-        opad = b"\x5C" * repeat
-        ipad = b"\x36" * repeat
-
-        self.ohash = self.digestmod(k + opad)
-        self.ihash = self.digestmod(k + ipad)
-
-    def update(self, m):
-        self.ihash.update(m)
-
-    def copy(self):
-        new = MAC_SSL()
-        new.ihash = self.ihash.copy()
-        new.ohash = self.ohash.copy()
-        new.digestmod = self.digestmod
-        new.digest_size = self.digest_size
-        return new
-
-    def digest(self):
-        ohash2 = self.ohash.copy()
-        ohash2.update(self.ihash.digest())
-        return bytearray(ohash2.digest())
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
deleted file mode 100644
index 5df50d3..0000000
--- a/third_party/tlslite/tlslite/messages.py
+++ /dev/null
@@ -1,900 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Google - handling CertificateRequest.certificate_types
-#   Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
-#   Dimitris Moraitis - Anon ciphersuites
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Classes representing TLS messages."""
-
-from __future__ import division
-
-from .utils.compat import *
-from .utils.cryptomath import *
-from .errors import *
-from .utils.codec import *
-from .constants import *
-from .x509 import X509
-from .x509certchain import X509CertChain
-from .utils.tackwrapper import *
-
-def parse_next_protos(b):
-    protos = []
-    while True:
-        if len(b) == 0:
-            break
-        l = b[0]
-        b = b[1:]
-        if len(b) < l:
-            raise BadNextProtos(len(b))
-        protos.append(b[:l])
-        b = b[l:]
-    return protos
-
-def next_protos_encoded(protocol_list):
-    b = bytearray()
-    for e in protocol_list:
-        if len(e) > 255 or len(e) == 0:
-            raise BadNextProtos(len(e))
-        b += bytearray( [len(e)] ) + bytearray(e)
-    return b
-
-class RecordHeader3(object):
-    def __init__(self):
-        self.type = 0
-        self.version = (0,0)
-        self.length = 0
-        self.ssl2 = False
-
-    def create(self, version, type, length):
-        self.type = type
-        self.version = version
-        self.length = length
-        return self
-
-    def write(self):
-        w = Writer()
-        w.add(self.type, 1)
-        w.add(self.version[0], 1)
-        w.add(self.version[1], 1)
-        w.add(self.length, 2)
-        return w.bytes
-
-    def parse(self, p):
-        self.type = p.get(1)
-        self.version = (p.get(1), p.get(1))
-        self.length = p.get(2)
-        self.ssl2 = False
-        return self
-
-class RecordHeader2(object):
-    def __init__(self):
-        self.type = 0
-        self.version = (0,0)
-        self.length = 0
-        self.ssl2 = True
-
-    def parse(self, p):
-        if p.get(1)!=128:
-            raise SyntaxError()
-        self.type = ContentType.handshake
-        self.version = (2,0)
-        #We don't support 2-byte-length-headers; could be a problem
-        self.length = p.get(1)
-        return self
-
-
-class Alert(object):
-    def __init__(self):
-        self.contentType = ContentType.alert
-        self.level = 0
-        self.description = 0
-
-    def create(self, description, level=AlertLevel.fatal):
-        self.level = level
-        self.description = description
-        return self
-
-    def parse(self, p):
-        p.setLengthCheck(2)
-        self.level = p.get(1)
-        self.description = p.get(1)
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.add(self.level, 1)
-        w.add(self.description, 1)
-        return w.bytes
-
-
-class HandshakeMsg(object):
-    def __init__(self, handshakeType):
-        self.contentType = ContentType.handshake
-        self.handshakeType = handshakeType
-    
-    def postWrite(self, w):
-        headerWriter = Writer()
-        headerWriter.add(self.handshakeType, 1)
-        headerWriter.add(len(w.bytes), 3)
-        return headerWriter.bytes + w.bytes
-
-class ClientHello(HandshakeMsg):
-    def __init__(self, ssl2=False):
-        HandshakeMsg.__init__(self, HandshakeType.client_hello)
-        self.ssl2 = ssl2
-        self.client_version = (0,0)
-        self.random = bytearray(32)
-        self.session_id = bytearray(0)
-        self.cipher_suites = []         # a list of 16-bit values
-        self.certificate_types = [CertificateType.x509]
-        self.compression_methods = []   # a list of 8-bit values
-        self.srp_username = None        # a string
-        self.tack = False
-        self.alpn_protos_advertised = None
-        self.supports_npn = False
-        self.server_name = bytearray(0)
-        self.channel_id = False
-        self.extended_master_secret = False
-        self.tb_client_params = []
-        self.support_signed_cert_timestamps = False
-        self.status_request = False
-        self.has_supported_versions = False
-        self.ri = False
-        self.signature_algorithms = []
-
-    def create(self, version, random, session_id, cipher_suites,
-               certificate_types=None, srpUsername=None,
-               tack=False, alpn_protos_advertised=None,
-               supports_npn=False, serverName=None):
-        self.client_version = version
-        self.random = random
-        self.session_id = session_id
-        self.cipher_suites = cipher_suites
-        self.certificate_types = certificate_types
-        self.compression_methods = [0]
-        if srpUsername:
-            self.srp_username = bytearray(srpUsername, "utf-8")
-        self.tack = tack
-        self.alpn_protos_advertised = alpn_protos_advertised
-        self.supports_npn = supports_npn
-        if serverName:
-            self.server_name = bytearray(serverName, "utf-8")
-        return self
-
-    def parse(self, p):
-        if self.ssl2:
-            self.client_version = (p.get(1), p.get(1))
-            cipherSpecsLength = p.get(2)
-            sessionIDLength = p.get(2)
-            randomLength = p.get(2)
-            self.cipher_suites = p.getFixList(3, cipherSpecsLength//3)
-            self.session_id = p.getFixBytes(sessionIDLength)
-            self.random = p.getFixBytes(randomLength)
-            if len(self.random) < 32:
-                zeroBytes = 32-len(self.random)
-                self.random = bytearray(zeroBytes) + self.random
-            self.compression_methods = [0]#Fake this value
-
-            #We're not doing a stopLengthCheck() for SSLv2, oh well..
-        else:
-            p.startLengthCheck(3)
-            self.client_version = (p.get(1), p.get(1))
-            self.random = p.getFixBytes(32)
-            self.session_id = p.getVarBytes(1)
-            self.cipher_suites = p.getVarList(2, 2)
-            self.compression_methods = p.getVarList(1, 1)
-            if not p.atLengthCheck():
-                totalExtLength = p.get(2)
-                soFar = 0
-                while soFar != totalExtLength:
-                    extType = p.get(2)
-                    extLength = p.get(2)
-                    index1 = p.index
-                    if extType == ExtensionType.srp:
-                        self.srp_username = p.getVarBytes(1)
-                    elif extType == ExtensionType.cert_type:
-                        self.certificate_types = p.getVarList(1, 1)
-                    elif extType == ExtensionType.tack:
-                        self.tack = True
-                    elif extType == ExtensionType.alpn:
-                        structLength = p.get(2)
-                        if structLength + 2 != extLength:
-                            raise SyntaxError()
-                        self.alpn_protos_advertised = parse_next_protos(p.getFixBytes(structLength))
-                    elif extType == ExtensionType.supports_npn:
-                        self.supports_npn = True
-                    elif extType == ExtensionType.server_name:
-                        serverNameListBytes = p.getFixBytes(extLength)
-                        p2 = Parser(serverNameListBytes)
-                        p2.startLengthCheck(2)
-                        while 1:
-                            if p2.atLengthCheck():
-                                break # no host_name, oh well
-                            name_type = p2.get(1)
-                            hostNameBytes = p2.getVarBytes(2)
-                            if name_type == NameType.host_name:
-                                self.server_name = hostNameBytes
-                                break
-                    elif extType == ExtensionType.channel_id:
-                        self.channel_id = True
-                    elif extType == ExtensionType.extended_master_secret:
-                        self.extended_master_secret = True
-                    elif extType == ExtensionType.token_binding:
-                        tokenBindingBytes = p.getFixBytes(extLength)
-                        p2 = Parser(tokenBindingBytes)
-                        ver_minor = p2.get(1)
-                        ver_major = p2.get(1)
-                        if (ver_major, ver_minor) >= (0, 13):
-                            p2.startLengthCheck(1)
-                            while not p2.atLengthCheck():
-                                self.tb_client_params.append(p2.get(1))
-                    elif extType == ExtensionType.signed_cert_timestamps:
-                        if extLength:
-                            raise SyntaxError()
-                        self.support_signed_cert_timestamps = True
-                    elif extType == ExtensionType.status_request:
-                        # Extension contents are currently ignored.
-                        # According to RFC 6066, this is not strictly forbidden
-                        # (although it is suboptimal):
-                        # Servers that receive a client hello containing the
-                        # "status_request" extension MAY return a suitable
-                        # certificate status response to the client along with
-                        # their certificate.  If OCSP is requested, they
-                        # SHOULD use the information contained in the extension
-                        # when selecting an OCSP responder and SHOULD include
-                        # request_extensions in the OCSP request.
-                        p.getFixBytes(extLength)
-                        self.status_request = True
-                    elif extType == ExtensionType.renegotiation_info:
-                        # We don't support renegotiation, so if we receive this
-                        # extension, it should contain a single null byte.
-                        if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
-                            raise SyntaxError()
-                        self.ri = True
-                    elif extType == ExtensionType.supported_versions:
-                        # Ignore the extension, but make a note of it for
-                        # intolerance simulation.
-                        self.has_supported_versions = True
-                        _ = p.getFixBytes(extLength)
-                    elif extType == ExtensionType.signature_algorithms:
-                        numBytes = p.get(2)
-                        if numBytes + 2 != extLength or numBytes % 2 != 0:
-                            raise SyntaxError()
-                        for _ in range(numBytes // 2):
-                            hashAlg = p.get(1)
-                            sigAlg = p.get(1)
-                            self.signature_algorithms.append((hashAlg, sigAlg))
-                    else:
-                        _ = p.getFixBytes(extLength)
-                    index2 = p.index
-                    if index2 - index1 != extLength:
-                        raise SyntaxError("Bad length for extension_data")
-                    soFar += 4 + extLength
-            if CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in self.cipher_suites:
-                self.ri = True
-            p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.add(self.client_version[0], 1)
-        w.add(self.client_version[1], 1)
-        w.addFixSeq(self.random, 1)
-        w.addVarSeq(self.session_id, 1, 1)
-        w.addVarSeq(self.cipher_suites, 2, 2)
-        w.addVarSeq(self.compression_methods, 1, 1)
-
-        w2 = Writer() # For Extensions
-        if self.certificate_types and self.certificate_types != \
-                [CertificateType.x509]:
-            w2.add(ExtensionType.cert_type, 2)
-            w2.add(len(self.certificate_types)+1, 2)
-            w2.addVarSeq(self.certificate_types, 1, 1)
-        if self.srp_username:
-            w2.add(ExtensionType.srp, 2)
-            w2.add(len(self.srp_username)+1, 2)
-            w2.addVarSeq(self.srp_username, 1, 1)
-        if self.alpn_protos_advertised is not None:
-            encoded_alpn_protos_advertised = next_protos_encoded(self.alpn_protos_advertised)
-            w2.add(ExtensionType.alpn, 2)
-            w2.add(len(encoded_alpn_protos_advertised) + 2, 2)
-            w2.add(len(encoded_alpn_protos_advertised), 2)
-            w2.addFixSeq(encoded_alpn_protos_advertised, 1)
-        if self.supports_npn:
-            w2.add(ExtensionType.supports_npn, 2)
-            w2.add(0, 2)
-        if self.server_name:
-            w2.add(ExtensionType.server_name, 2)
-            w2.add(len(self.server_name)+5, 2)
-            w2.add(len(self.server_name)+3, 2)            
-            w2.add(NameType.host_name, 1)
-            w2.addVarSeq(self.server_name, 1, 2) 
-        if self.tack:
-            w2.add(ExtensionType.tack, 2)
-            w2.add(0, 2)
-        if len(w2.bytes):
-            w.add(len(w2.bytes), 2)
-            w.bytes += w2.bytes
-        return self.postWrite(w)
-
-class BadNextProtos(Exception):
-    def __init__(self, l):
-        self.length = l
-
-    def __str__(self):
-        return 'Cannot encode a list of next protocols because it contains an element with invalid length %d. Element lengths must be 0 < x < 256' % self.length
-
-class InvalidALPNResponse(Exception):
-    def __init__(self, l):
-        self.length = l
-
-    def __str__(self):
-        return 'ALPN server response protocol list has invalid length %d.  It must be of length one.' % self.length
-
-class ServerHello(HandshakeMsg):
-    def __init__(self):
-        HandshakeMsg.__init__(self, HandshakeType.server_hello)
-        self.server_version = (0,0)
-        self.random = bytearray(32)
-        self.session_id = bytearray(0)
-        self.cipher_suite = 0
-        self.certificate_type = CertificateType.x509
-        self.compression_method = 0
-        self.tackExt = None
-        self.alpn_proto_selected = None
-        self.next_protos_advertised = None
-        self.next_protos = None
-        self.channel_id = False
-        self.extended_master_secret = False
-        self.tb_params = None
-        self.signed_cert_timestamps = None
-        self.status_request = False
-        self.send_ri = False
-
-    def create(self, version, random, session_id, cipher_suite,
-               certificate_type, tackExt, alpn_proto_selected,
-               next_protos_advertised):
-        self.server_version = version
-        self.random = random
-        self.session_id = session_id
-        self.cipher_suite = cipher_suite
-        self.certificate_type = certificate_type
-        self.compression_method = 0
-        self.tackExt = tackExt
-        self.alpn_proto_selected = alpn_proto_selected
-        self.next_protos_advertised = next_protos_advertised
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        self.server_version = (p.get(1), p.get(1))
-        self.random = p.getFixBytes(32)
-        self.session_id = p.getVarBytes(1)
-        self.cipher_suite = p.get(2)
-        self.compression_method = p.get(1)
-        if not p.atLengthCheck():
-            totalExtLength = p.get(2)
-            soFar = 0
-            while soFar != totalExtLength:
-                extType = p.get(2)
-                extLength = p.get(2)
-                if extType == ExtensionType.cert_type:
-                    if extLength != 1:
-                        raise SyntaxError()
-                    self.certificate_type = p.get(1)
-                elif extType == ExtensionType.tack and tackpyLoaded:
-                    self.tackExt = TackExtension(p.getFixBytes(extLength))
-                elif extType == ExtensionType.alpn:
-                    structLength = p.get(2)
-                    if structLength + 2 != extLength:
-                        raise SyntaxError()
-                    alpn_protos = parse_next_protos(p.getFixBytes(structLength))
-                    if len(alpn_protos) != 1:
-                        raise InvalidALPNResponse(len(alpn_protos));
-                    self.alpn_proto_selected = alpn_protos[0]
-                elif extType == ExtensionType.supports_npn:
-                    self.next_protos = parse_next_protos(p.getFixBytes(extLength))
-                else:
-                    p.getFixBytes(extLength)
-                soFar += 4 + extLength
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.add(self.server_version[0], 1)
-        w.add(self.server_version[1], 1)
-        w.addFixSeq(self.random, 1)
-        w.addVarSeq(self.session_id, 1, 1)
-        w.add(self.cipher_suite, 2)
-        w.add(self.compression_method, 1)
-
-        w2 = Writer() # For Extensions
-        if self.certificate_type and self.certificate_type != \
-                CertificateType.x509:
-            w2.add(ExtensionType.cert_type, 2)
-            w2.add(1, 2)
-            w2.add(self.certificate_type, 1)
-        if self.tackExt:
-            b = self.tackExt.serialize()
-            w2.add(ExtensionType.tack, 2)
-            w2.add(len(b), 2)
-            w2.bytes += b
-        if self.alpn_proto_selected is not None:
-            alpn_protos_single_element_list = [self.alpn_proto_selected]
-            encoded_alpn_protos_advertised = next_protos_encoded(alpn_protos_single_element_list)
-            w2.add(ExtensionType.alpn, 2)
-            w2.add(len(encoded_alpn_protos_advertised) + 2, 2)
-            w2.add(len(encoded_alpn_protos_advertised), 2)
-            w2.addFixSeq(encoded_alpn_protos_advertised, 1)
-        if self.next_protos_advertised is not None:
-            encoded_next_protos_advertised = next_protos_encoded(self.next_protos_advertised)
-            w2.add(ExtensionType.supports_npn, 2)
-            w2.add(len(encoded_next_protos_advertised), 2)
-            w2.addFixSeq(encoded_next_protos_advertised, 1)
-        if self.channel_id:
-            w2.add(ExtensionType.channel_id, 2)
-            w2.add(0, 2)
-        if self.extended_master_secret:
-            w2.add(ExtensionType.extended_master_secret, 2)
-            w2.add(0, 2)
-        if self.tb_params:
-            w2.add(ExtensionType.token_binding, 2)
-            # length of extension
-            w2.add(4, 2)
-            # version
-            w2.add(0, 1)
-            w2.add(13, 1)
-            # length of params (defined as variable length <1..2^8-1>, but in
-            # this context the server can only send a single value.
-            w2.add(1, 1)
-            w2.add(self.tb_params, 1)
-        if self.signed_cert_timestamps:
-            w2.add(ExtensionType.signed_cert_timestamps, 2)
-            w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
-        if self.status_request:
-            w2.add(ExtensionType.status_request, 2)
-            w2.add(0, 2)
-        if self.send_ri:
-            w2.add(ExtensionType.renegotiation_info, 2)
-            w2.add(1, 2)
-            w2.add(0, 1)
-        if len(w2.bytes):
-            w.add(len(w2.bytes), 2)
-            w.bytes += w2.bytes        
-        return self.postWrite(w)
-
-
-class Certificate(HandshakeMsg):
-    def __init__(self, certificateType):
-        HandshakeMsg.__init__(self, HandshakeType.certificate)
-        self.certificateType = certificateType
-        self.certChain = None
-
-    def create(self, certChain):
-        self.certChain = certChain
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        if self.certificateType == CertificateType.x509:
-            chainLength = p.get(3)
-            index = 0
-            certificate_list = []
-            while index != chainLength:
-                certBytes = p.getVarBytes(3)
-                x509 = X509()
-                x509.parseBinary(certBytes)
-                certificate_list.append(x509)
-                index += len(certBytes)+3
-            if certificate_list:
-                self.certChain = X509CertChain(certificate_list)
-        else:
-            raise AssertionError()
-
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        if self.certificateType == CertificateType.x509:
-            chainLength = 0
-            if self.certChain:
-                certificate_list = self.certChain.x509List
-            else:
-                certificate_list = []
-            #determine length
-            for cert in certificate_list:
-                bytes = cert.writeBytes()
-                chainLength += len(bytes)+3
-            #add bytes
-            w.add(chainLength, 3)
-            for cert in certificate_list:
-                bytes = cert.writeBytes()
-                w.addVarSeq(bytes, 1, 3)
-        else:
-            raise AssertionError()
-        return self.postWrite(w)
-
-class CertificateStatus(HandshakeMsg):
-    def __init__(self):
-        HandshakeMsg.__init__(self, HandshakeType.certificate_status)
-
-    def create(self, ocsp_response):
-        self.ocsp_response = ocsp_response
-        return self
-
-    # Defined for the sake of completeness, even though we currently only
-    # support sending the status message (server-side), not requesting
-    # or receiving it (client-side).
-    def parse(self, p):
-        p.startLengthCheck(3)
-        status_type = p.get(1)
-        # Only one type is specified, so hardwire it.
-        if status_type != CertificateStatusType.ocsp:
-            raise SyntaxError()
-        ocsp_response = p.getVarBytes(3)
-        if not ocsp_response:
-            # Can't be empty
-            raise SyntaxError()
-        self.ocsp_response = ocsp_response
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.add(CertificateStatusType.ocsp, 1)
-        w.addVarSeq(bytearray(self.ocsp_response), 1, 3)
-        return self.postWrite(w)
-
-class CertificateRequest(HandshakeMsg):
-    def __init__(self, version):
-        HandshakeMsg.__init__(self, HandshakeType.certificate_request)
-        self.certificate_types = []
-        self.certificate_authorities = []
-        self.version = version
-        self.supported_signature_algs = []
-
-    def create(self, certificate_types, certificate_authorities, sig_algs):
-        self.certificate_types = certificate_types
-        self.certificate_authorities = certificate_authorities
-        self.supported_signature_algs = sig_algs
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        self.certificate_types = p.getVarList(1, 1)
-        if self.version >= (3,3):
-            self.supported_signature_algs = \
-                [(b >> 8, b & 0xff) for b in p.getVarList(2, 2)]
-        ca_list_length = p.get(2)
-        index = 0
-        self.certificate_authorities = []
-        while index != ca_list_length:
-          ca_bytes = p.getVarBytes(2)
-          self.certificate_authorities.append(ca_bytes)
-          index += len(ca_bytes)+2
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.addVarSeq(self.certificate_types, 1, 1)
-        if self.version >= (3,3):
-            w.add(2 * len(self.supported_signature_algs), 2)
-            for (hash, signature) in self.supported_signature_algs:
-                w.add(hash, 1)
-                w.add(signature, 1)
-        caLength = 0
-        #determine length
-        for ca_dn in self.certificate_authorities:
-            caLength += len(ca_dn)+2
-        w.add(caLength, 2)
-        #add bytes
-        for ca_dn in self.certificate_authorities:
-            w.addVarSeq(ca_dn, 1, 2)
-        return self.postWrite(w)
-
-class ServerKeyExchange(HandshakeMsg):
-    def __init__(self, cipherSuite, version):
-        HandshakeMsg.__init__(self, HandshakeType.server_key_exchange)
-        self.cipherSuite = cipherSuite
-        self.version = version
-        self.srp_N = 0
-        self.srp_g = 0
-        self.srp_s = bytearray(0)
-        self.srp_B = 0
-        # DH params:
-        self.dh_p = 0
-        self.dh_g = 0
-        self.dh_Ys = 0
-        # ECDH params:
-        self.ecdhCurve = 0
-        self.ecdhPublic = bytearray(0)
-        self.signature = bytearray(0)
-        self.signature_algorithm = None
-
-    def createSRP(self, srp_N, srp_g, srp_s, srp_B):
-        self.srp_N = srp_N
-        self.srp_g = srp_g
-        self.srp_s = srp_s
-        self.srp_B = srp_B
-        return self
-    
-    def createDH(self, dh_p, dh_g, dh_Ys):
-        self.dh_p = dh_p
-        self.dh_g = dh_g
-        self.dh_Ys = dh_Ys
-        return self
-
-    def createECDH(self, ecdhCurve, ecdhPublic):
-        self.ecdhCurve = ecdhCurve
-        self.ecdhPublic = ecdhPublic
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        if self.cipherSuite in CipherSuite.srpAllSuites:
-            self.srp_N = bytesToNumber(p.getVarBytes(2))
-            self.srp_g = bytesToNumber(p.getVarBytes(2))
-            self.srp_s = p.getVarBytes(1)
-            self.srp_B = bytesToNumber(p.getVarBytes(2))
-            if self.cipherSuite in CipherSuite.srpCertSuites:
-                self.signature = p.getVarBytes(2)
-        elif self.cipherSuite in CipherSuite.anonSuites:
-            self.dh_p = bytesToNumber(p.getVarBytes(2))
-            self.dh_g = bytesToNumber(p.getVarBytes(2))
-            self.dh_Ys = bytesToNumber(p.getVarBytes(2))
-        p.stopLengthCheck()
-        return self
-
-    def write_params(self):
-        w = Writer()
-        if self.cipherSuite in CipherSuite.srpAllSuites:
-            w.addVarSeq(numberToByteArray(self.srp_N), 1, 2)
-            w.addVarSeq(numberToByteArray(self.srp_g), 1, 2)
-            w.addVarSeq(self.srp_s, 1, 1)
-            w.addVarSeq(numberToByteArray(self.srp_B), 1, 2)
-        elif self.cipherSuite in CipherSuite.dhAllSuites:
-            w.addVarSeq(numberToByteArray(self.dh_p), 1, 2)
-            w.addVarSeq(numberToByteArray(self.dh_g), 1, 2)
-            w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2)
-        elif self.cipherSuite in CipherSuite.ecdhAllSuites:
-            w.add(ECCurveType.named_curve, 1)
-            w.add(self.ecdhCurve, 2)
-            w.addVarSeq(self.ecdhPublic, 1, 1)
-        else:
-            assert(False)
-        return w.bytes
-
-    def write(self):
-        w = Writer()
-        w.bytes += self.write_params()
-        if self.cipherSuite in CipherSuite.certAllSuites:
-            if self.version >= (3,3):
-                w.add(self.signature_algorithm[0], 1)
-                w.add(self.signature_algorithm[1], 1)
-            w.addVarSeq(self.signature, 1, 2)
-        return self.postWrite(w)
-
-    def signingPayload(self, clientRandom, serverRandom):
-        return clientRandom + serverRandom + self.write_params()
-
-class ServerHelloDone(HandshakeMsg):
-    def __init__(self):
-        HandshakeMsg.__init__(self, HandshakeType.server_hello_done)
-
-    def create(self):
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        return self.postWrite(w)
-
-class ClientKeyExchange(HandshakeMsg):
-    def __init__(self, cipherSuite, version=None):
-        HandshakeMsg.__init__(self, HandshakeType.client_key_exchange)
-        self.cipherSuite = cipherSuite
-        self.version = version
-        self.srp_A = 0
-        self.encryptedPreMasterSecret = bytearray(0)
-
-    def createSRP(self, srp_A):
-        self.srp_A = srp_A
-        return self
-
-    def createRSA(self, encryptedPreMasterSecret):
-        self.encryptedPreMasterSecret = encryptedPreMasterSecret
-        return self
-    
-    def createDH(self, dh_Yc):
-        self.dh_Yc = dh_Yc
-        return self
-    
-    def parse(self, p):
-        p.startLengthCheck(3)
-        if self.cipherSuite in CipherSuite.srpAllSuites:
-            self.srp_A = bytesToNumber(p.getVarBytes(2))
-        elif self.cipherSuite in CipherSuite.certSuites:
-            if self.version in ((3,1), (3,2), (3,3)):
-                self.encryptedPreMasterSecret = p.getVarBytes(2)
-            elif self.version == (3,0):
-                self.encryptedPreMasterSecret = \
-                    p.getFixBytes(len(p.bytes)-p.index)
-            else:
-                raise AssertionError()
-        elif self.cipherSuite in CipherSuite.dhAllSuites:
-            self.dh_Yc = bytesToNumber(p.getVarBytes(2))
-        elif self.cipherSuite in CipherSuite.ecdhAllSuites:
-            self.ecdh_Yc = p.getVarBytes(1)
-        else:
-            raise AssertionError()
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        if self.cipherSuite in CipherSuite.srpAllSuites:
-            w.addVarSeq(numberToByteArray(self.srp_A), 1, 2)
-        elif self.cipherSuite in CipherSuite.certSuites:
-            if self.version in ((3,1), (3,2), (3,3)):
-                w.addVarSeq(self.encryptedPreMasterSecret, 1, 2)
-            elif self.version == (3,0):
-                w.addFixSeq(self.encryptedPreMasterSecret, 1)
-            else:
-                raise AssertionError()
-        elif self.cipherSuite in CipherSuite.anonSuites:
-            w.addVarSeq(numberToByteArray(self.dh_Yc), 1, 2)            
-        else:
-            raise AssertionError()
-        return self.postWrite(w)
-
-class CertificateVerify(HandshakeMsg):
-    def __init__(self, version):
-        HandshakeMsg.__init__(self, HandshakeType.certificate_verify)
-        self.version = version
-        self.signature_algorithm = None
-        self.signature = bytearray(0)
-
-    def create(self, signature_algorithm, signature):
-        self.signature_algorithm = signature_algorithm
-        self.signature = signature
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        if self.version >= (3,3):
-            self.signature_algorithm = (p.get(1), p.get(1))
-        self.signature = p.getVarBytes(2)
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        if self.version >= (3,3):
-            w.add(self.signature_algorithm[0], 1)
-            w.add(self.signature_algorithm[1], 1)
-        w.addVarSeq(self.signature, 1, 2)
-        return self.postWrite(w)
-
-class ChangeCipherSpec(object):
-    def __init__(self):
-        self.contentType = ContentType.change_cipher_spec
-        self.type = 1
-
-    def create(self):
-        self.type = 1
-        return self
-
-    def parse(self, p):
-        p.setLengthCheck(1)
-        self.type = p.get(1)
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.add(self.type,1)
-        return w.bytes
-
-
-class NextProtocol(HandshakeMsg):
-    def __init__(self):
-        HandshakeMsg.__init__(self, HandshakeType.next_protocol)
-        self.next_proto = None
-
-    def create(self, next_proto):
-        self.next_proto = next_proto
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        self.next_proto = p.getVarBytes(1)
-        _ = p.getVarBytes(1)
-        p.stopLengthCheck()
-        return self
-
-    def write(self, trial=False):
-        w = Writer()
-        w.addVarSeq(self.next_proto, 1, 1)
-        paddingLen = 32 - ((len(self.next_proto) + 2) % 32)
-        w.addVarSeq(bytearray(paddingLen), 1, 1)
-        return self.postWrite(w)
-
-class Finished(HandshakeMsg):
-    def __init__(self, version):
-        HandshakeMsg.__init__(self, HandshakeType.finished)
-        self.version = version
-        self.verify_data = bytearray(0)
-
-    def create(self, verify_data):
-        self.verify_data = verify_data
-        return self
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        if self.version == (3,0):
-            self.verify_data = p.getFixBytes(36)
-        elif self.version in ((3,1), (3,2), (3,3)):
-            self.verify_data = p.getFixBytes(12)
-        else:
-            raise AssertionError()
-        p.stopLengthCheck()
-        return self
-
-    def write(self):
-        w = Writer()
-        w.addFixSeq(self.verify_data, 1)
-        return self.postWrite(w)
-
-class EncryptedExtensions(HandshakeMsg):
-    def __init__(self):
-        self.channel_id_key = None
-        self.channel_id_proof = None
-
-    def parse(self, p):
-        p.startLengthCheck(3)
-        soFar = 0
-        while soFar != p.lengthCheck:
-            extType = p.get(2)
-            extLength = p.get(2)
-            if extType == ExtensionType.channel_id:
-                if extLength != 32*4:
-                    raise SyntaxError()
-                self.channel_id_key = p.getFixBytes(64)
-                self.channel_id_proof = p.getFixBytes(64)
-            else:
-                p.getFixBytes(extLength)
-            soFar += 4 + extLength
-        p.stopLengthCheck()
-        return self
-
-class ApplicationData(object):
-    def __init__(self):
-        self.contentType = ContentType.application_data
-        self.bytes = bytearray(0)
-
-    def create(self, bytes):
-        self.bytes = bytes
-        return self
-        
-    def splitFirstByte(self):
-        newMsg = ApplicationData().create(self.bytes[:1])
-        self.bytes = self.bytes[1:]
-        return newMsg
-
-    def parse(self, p):
-        self.bytes = p.bytes
-        return self
-
-    def write(self):
-        return self.bytes
diff --git a/third_party/tlslite/tlslite/session.py b/third_party/tlslite/tlslite/session.py
deleted file mode 100644
index 6aadf58e..0000000
--- a/third_party/tlslite/tlslite/session.py
+++ /dev/null
@@ -1,126 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Dave Baggett (Arcode Corporation) - canonicalCipherName
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class representing a TLS session."""
-
-from .utils.compat import *
-from .mathtls import *
-from .constants import *
-
-class Session(object):
-    """
-    This class represents a TLS session.
-
-    TLS distinguishes between connections and sessions.  A new
-    handshake creates both a connection and a session.  Data is
-    transmitted over the connection.
-
-    The session contains a more permanent record of the handshake.  The
-    session can be inspected to determine handshake results.  The
-    session can also be used to create a new connection through
-    "session resumption". If the client and server both support this,
-    they can create a new connection based on an old session without
-    the overhead of a full handshake.
-
-    The session for a L{tlslite.TLSConnection.TLSConnection} can be
-    retrieved from the connection's 'session' attribute.
-
-    @type srpUsername: str
-    @ivar srpUsername: The client's SRP username (or None).
-
-    @type clientCertChain: L{tlslite.x509certchain.X509CertChain}
-    @ivar clientCertChain: The client's certificate chain (or None).
-
-    @type serverCertChain: L{tlslite.x509certchain.X509CertChain}
-    @ivar serverCertChain: The server's certificate chain (or None).
-
-    @type tackExt: L{tack.structures.TackExtension.TackExtension}
-    @ivar tackExt: The server's TackExtension (or None).
-
-    @type tackInHelloExt: L{bool}
-    @ivar tackInHelloExt: True if a TACK was presented via TLS Extension.
-    """
-
-    def __init__(self):
-        self.masterSecret = bytearray(0)
-        self.sessionID = bytearray(0)
-        self.cipherSuite = 0
-        self.srpUsername = ""
-        self.clientCertChain = None
-        self.serverCertChain = None
-        self.tackExt = None
-        self.tackInHelloExt = False
-        self.serverName = ""
-        self.resumable = False
-
-    def create(self, masterSecret, sessionID, cipherSuite,
-            srpUsername, clientCertChain, serverCertChain, 
-            tackExt, tackInHelloExt, serverName, resumable=True):
-        self.masterSecret = masterSecret
-        self.sessionID = sessionID
-        self.cipherSuite = cipherSuite
-        self.srpUsername = srpUsername
-        self.clientCertChain = clientCertChain
-        self.serverCertChain = serverCertChain
-        self.tackExt = tackExt
-        self.tackInHelloExt = tackInHelloExt  
-        self.serverName = serverName
-        self.resumable = resumable
-
-    def _clone(self):
-        other = Session()
-        other.masterSecret = self.masterSecret
-        other.sessionID = self.sessionID
-        other.cipherSuite = self.cipherSuite
-        other.srpUsername = self.srpUsername
-        other.clientCertChain = self.clientCertChain
-        other.serverCertChain = self.serverCertChain
-        other.tackExt = self.tackExt
-        other.tackInHelloExt = self.tackInHelloExt
-        other.serverName = self.serverName
-        other.resumable = self.resumable
-        return other
-
-    def valid(self):
-        """If this session can be used for session resumption.
-
-        @rtype: bool
-        @return: If this session can be used for session resumption.
-        """
-        return self.resumable and self.sessionID
-
-    def _setResumable(self, boolean):
-        #Only let it be set to True if the sessionID is non-null
-        if (not boolean) or (boolean and self.sessionID):
-            self.resumable = boolean
-
-    def getTackId(self):
-        if self.tackExt and self.tackExt.tack:
-            return self.tackExt.tack.getTackId()
-        else:
-            return None
-        
-    def getBreakSigs(self):
-        if self.tackExt and self.tackExt.break_sigs:
-            return self.tackExt.break_sigs
-        else:
-            return None
-
-    def getCipherName(self):
-        """Get the name of the cipher used with this connection.
-
-        @rtype: str
-        @return: The name of the cipher used with this connection.
-        """
-        return CipherSuite.canonicalCipherName(self.cipherSuite)
-        
-    def getMacName(self):
-        """Get the name of the HMAC hash algo used with this connection.
-
-        @rtype: str
-        @return: The name of the HMAC hash algo used with this connection.
-        """
-        return CipherSuite.canonicalMacName(self.cipherSuite)
diff --git a/third_party/tlslite/tlslite/sessioncache.py b/third_party/tlslite/tlslite/sessioncache.py
deleted file mode 100644
index 7071d10..0000000
--- a/third_party/tlslite/tlslite/sessioncache.py
+++ /dev/null
@@ -1,109 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Martin von Loewis - python 3 port
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class for caching TLS sessions."""
-
-import threading
-import time
-
-class SessionCache(object):
-    """This class is used by the server to cache TLS sessions.
-
-    Caching sessions allows the client to use TLS session resumption
-    and avoid the expense of a full handshake.  To use this class,
-    simply pass a SessionCache instance into the server handshake
-    function.
-
-    This class is thread-safe.
-    """
-
-    #References to these instances
-    #are also held by the caller, who may change the 'resumable'
-    #flag, so the SessionCache must return the same instances
-    #it was passed in.
-
-    def __init__(self, maxEntries=10000, maxAge=14400):
-        """Create a new SessionCache.
-
-        @type maxEntries: int
-        @param maxEntries: The maximum size of the cache.  When this
-        limit is reached, the oldest sessions will be deleted as
-        necessary to make room for new ones.  The default is 10000.
-
-        @type maxAge: int
-        @param maxAge:  The number of seconds before a session expires
-        from the cache.  The default is 14400 (i.e. 4 hours)."""
-
-        self.lock = threading.Lock()
-
-        # Maps sessionIDs to sessions
-        self.entriesDict = {}
-
-        #Circular list of (sessionID, timestamp) pairs
-        self.entriesList = [(None,None)] * maxEntries
-
-        self.firstIndex = 0
-        self.lastIndex = 0
-        self.maxAge = maxAge
-
-    def __getitem__(self, sessionID):
-        self.lock.acquire()
-        try:
-            self._purge() #Delete old items, so we're assured of a new one
-            session = self.entriesDict[bytes(sessionID)]
-
-            #When we add sessions they're resumable, but it's possible
-            #for the session to be invalidated later on (if a fatal alert
-            #is returned), so we have to check for resumability before
-            #returning the session.
-
-            if session.valid():
-                return session
-            else:
-                raise KeyError()
-        finally:
-            self.lock.release()
-
-
-    def __setitem__(self, sessionID, session):
-        self.lock.acquire()
-        try:
-            #Add the new element
-            self.entriesDict[bytes(sessionID)] = session
-            self.entriesList[self.lastIndex] = (sessionID, time.time())
-            self.lastIndex = (self.lastIndex+1) % len(self.entriesList)
-
-            #If the cache is full, we delete the oldest element to make an
-            #empty space
-            if self.lastIndex == self.firstIndex:
-                del(self.entriesDict[self.entriesList[self.firstIndex][0]])
-                self.firstIndex = (self.firstIndex+1) % len(self.entriesList)
-        finally:
-            self.lock.release()
-
-    #Delete expired items
-    def _purge(self):
-        currentTime = time.time()
-
-        #Search through the circular list, deleting expired elements until
-        #we reach a non-expired element.  Since elements in list are
-        #ordered in time, we can break once we reach the first non-expired
-        #element
-        index = self.firstIndex
-        while index != self.lastIndex:
-            if currentTime - self.entriesList[index][1] > self.maxAge:
-                del(self.entriesDict[self.entriesList[index][0]])
-                index = (index+1) % len(self.entriesList)
-            else:
-                break
-        self.firstIndex = index
-
-def _test():
-    import doctest, SessionCache
-    return doctest.testmod(SessionCache)
-
-if __name__ == "__main__":
-    _test()
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
deleted file mode 100644
index f64c848a..0000000
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ /dev/null
@@ -1,2115 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Google - added reqCAs parameter
-#   Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
-#   Dimitris Moraitis - Anon ciphersuites
-#   Martin von Loewis - python 3 port
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""
-MAIN CLASS FOR TLS LITE (START HERE!).
-"""
-
-import socket
-from .utils.compat import formatExceptionTrace
-from .tlsrecordlayer import TLSRecordLayer
-from .session import Session
-from .constants import *
-from .utils.cryptomath import getRandomBytes, MD5, SHA1, SHA256
-from .errors import *
-from .messages import *
-from .mathtls import *
-from .handshakesettings import HandshakeSettings
-from .utils.tackwrapper import *
-from .utils.rsakey import RSAKey
-from .utils import p256
-
-class KeyExchange(object):
-    def __init__(self, cipherSuite, clientHello, serverHello, privateKey):
-        """
-        Initializes the KeyExchange. privateKey is the signing private key.
-        """
-        self.cipherSuite = cipherSuite
-        self.clientHello = clientHello
-        self.serverHello = serverHello
-        self.privateKey = privateKey
-
-    def makeServerKeyExchange():
-        """
-        Returns a ServerKeyExchange object for the server's initial leg in the
-        handshake. If the key exchange method does not send ServerKeyExchange
-        (e.g. RSA), it returns None.
-        """
-        raise NotImplementedError()
-
-    def processClientKeyExchange(clientKeyExchange):
-        """
-        Processes the client's ClientKeyExchange message and returns the
-        premaster secret. Raises TLSLocalAlert on error.
-        """
-        raise NotImplementedError()
-
-    def sign(self, inpBytes):
-        algorithm = None
-        if self.serverHello.server_version >= (3, 3):
-            # Negotiate a signature algorithm.
-            peerPrefs = self.clientHello.signature_algorithms
-            if (HashAlgorithm.sha256, SignatureAlgorithm.rsa) in peerPrefs:
-                algorithm = (HashAlgorithm.sha256, SignatureAlgorithm.rsa)
-                inpBytes = RSAKey.addPKCS1SHA256Prefix(SHA256(inpBytes))
-            elif (HashAlgorithm.sha1, SignatureAlgorithm.rsa) in peerPrefs:
-                algorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
-                inpBytes = RSAKey.addPKCS1SHA1Prefix(SHA1(inpBytes))
-            else:
-                raise TLSLocalAlert(AlertDescription.handshake_failure,
-                                   "no common signature algorithms")
-        else:
-            inpBytes = MD5(inpBytes) + SHA1(inpBytes)
-        return algorithm, self.privateKey.sign(inpBytes)
-
-class RSAKeyExchange(KeyExchange):
-    def makeServerKeyExchange(self):
-        return None
-
-    def processClientKeyExchange(self, clientKeyExchange):
-        premasterSecret = self.privateKey.decrypt(\
-            clientKeyExchange.encryptedPreMasterSecret)
-
-        # On decryption failure randomize premaster secret to avoid
-        # Bleichenbacher's "million message" attack
-        randomPreMasterSecret = getRandomBytes(48)
-        if not premasterSecret:
-            premasterSecret = randomPreMasterSecret
-        elif len(premasterSecret)!=48:
-            premasterSecret = randomPreMasterSecret
-        else:
-            versionCheck = (premasterSecret[0], premasterSecret[1])
-            if versionCheck != self.clientHello.client_version:
-                #Tolerate buggy IE clients
-                if versionCheck != self.serverHello.server_version:
-                    premasterSecret = randomPreMasterSecret
-        return premasterSecret
-
-def _hexStringToNumber(s):
-    s = s.replace(" ", "").replace("\n", "")
-    if len(s) % 2 != 0:
-        raise ValueError("Length is not even")
-    return bytesToNumber(bytearray.fromhex(s))
-
-class DHE_RSAKeyExchange(KeyExchange):
-    # 2048-bit MODP Group (RFC 3526, Section 3)
-    dh_p = _hexStringToNumber("""
-FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
-29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
-EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
-E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
-EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
-C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
-83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
-670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
-E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
-DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
-15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""")
-    dh_g = 2
-
-    # RFC 3526, Section 8.
-    strength = 160
-
-    def makeServerKeyExchange(self):
-        # Per RFC 3526, Section 1, the exponent should have double the entropy
-        # of the strength of the curve.
-        self.dh_Xs = bytesToNumber(getRandomBytes(self.strength * 2 / 8))
-        dh_Ys = powMod(self.dh_g, self.dh_Xs, self.dh_p)
-
-        version = self.serverHello.server_version
-        serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
-        serverKeyExchange.createDH(self.dh_p, self.dh_g, dh_Ys)
-        serverKeyExchange.signature_algorithm, serverKeyExchange.signature = \
-            self.sign(serverKeyExchange.signingPayload(self.clientHello.random,
-                                                       self.serverHello.random))
-        return serverKeyExchange
-
-    def processClientKeyExchange(self, clientKeyExchange):
-        dh_Yc = clientKeyExchange.dh_Yc
-
-        # First half of RFC 2631, Section 2.1.5. Validate the client's public
-        # key.
-        if not 2 <= dh_Yc <= self.dh_p - 1:
-            raise TLSLocalAlert(AlertDescription.illegal_parameter,
-                                "Invalid dh_Yc value")
-
-        S = powMod(dh_Yc, self.dh_Xs, self.dh_p)
-        return numberToByteArray(S)
-
-class ECDHE_RSAKeyExchange(KeyExchange):
-    def makeServerKeyExchange(self):
-        public, self.private = p256.generatePublicPrivate()
-
-        version = self.serverHello.server_version
-        serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
-        serverKeyExchange.createECDH(NamedCurve.secp256r1, bytearray(public))
-        serverKeyExchange.signature_algorithm, serverKeyExchange.signature = \
-            self.sign(serverKeyExchange.signingPayload(self.clientHello.random,
-                                                       self.serverHello.random))
-        return serverKeyExchange
-
-    def processClientKeyExchange(self, clientKeyExchange):
-        ecdh_Yc = clientKeyExchange.ecdh_Yc
-        return bytearray(p256.generateSharedValue(bytes(ecdh_Yc), self.private))
-
-class TLSConnection(TLSRecordLayer):
-    """
-    This class wraps a socket and provides TLS handshaking and data
-    transfer.
-
-    To use this class, create a new instance, passing a connected
-    socket into the constructor.  Then call some handshake function.
-    If the handshake completes without raising an exception, then a TLS
-    connection has been negotiated.  You can transfer data over this
-    connection as if it were a socket.
-
-    This class provides both synchronous and asynchronous versions of
-    its key functions.  The synchronous versions should be used when
-    writing single-or multi-threaded code using blocking sockets.  The
-    asynchronous versions should be used when performing asynchronous,
-    event-based I/O with non-blocking sockets.
-
-    Asynchronous I/O is a complicated subject; typically, you should
-    not use the asynchronous functions directly, but should use some
-    framework like asyncore or Twisted which TLS Lite integrates with
-    (see
-    L{tlslite.integration.tlsasyncdispatchermixin.TLSAsyncDispatcherMixIn}).
-    """
-
-    def __init__(self, sock):
-        """Create a new TLSConnection instance.
-
-        @param sock: The socket data will be transmitted on.  The
-        socket should already be connected.  It may be in blocking or
-        non-blocking mode.
-
-        @type sock: L{socket.socket}
-        """
-        TLSRecordLayer.__init__(self, sock)
-        self.clientRandom = b""
-        self.serverRandom = b""
-
-    #*********************************************************
-    # Client Handshake Functions
-    #*********************************************************
-
-    def handshakeClientAnonymous(self, session=None, settings=None, 
-                                checker=None, serverName="",
-                                is_async=False):
-        """Perform an anonymous handshake in the role of client.
-
-        This function performs an SSL or TLS handshake using an
-        anonymous Diffie Hellman ciphersuite.
-        
-        Like any handshake function, this can be called on a closed
-        TLS connection, or on a TLS connection that is already open.
-        If called on an open connection it performs a re-handshake.
-
-        If the function completes without raising an exception, the
-        TLS connection will be open and available for data transfer.
-
-        If an exception is raised, the connection will have been
-        automatically closed (if it was ever open).
-
-        @type session: L{tlslite.Session.Session}
-        @param session: A TLS session to attempt to resume.  If the
-        resumption does not succeed, a full handshake will be
-        performed.
-
-        @type settings: L{tlslite.HandshakeSettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-
-        @type checker: L{tlslite.Checker.Checker}
-        @param checker: A Checker instance.  This instance will be
-        invoked to examine the other party's authentication
-        credentials, if the handshake completes succesfully.
-        
-        @type serverName: string
-        @param serverName: The ServerNameIndication TLS Extension.
-
-        @type is_async: bool
-        @param is_async: If False, this function will block until the
-        handshake is completed.  If True, this function will return a
-        generator.  Successive invocations of the generator will
-        return 0 if it is waiting to read from the socket, 1 if it is
-        waiting to write to the socket, or will raise StopIteration if
-        the handshake operation is completed.
-
-        @rtype: None or an iterable
-        @return: If 'is_async' is True, a generator object will be
-        returned.
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        @raise tlslite.errors.TLSAuthenticationError: If the checker
-        doesn't like the other party's authentication credentials.
-        """
-        handshaker = self._handshakeClientAsync(anonParams=(True),
-                                                session=session,
-                                                settings=settings,
-                                                checker=checker,
-                                                serverName=serverName)
-        if is_async:
-            return handshaker
-        for result in handshaker:
-            pass
-
-    def handshakeClientSRP(self, username, password, session=None,
-                           settings=None, checker=None, 
-                           reqTack=True, serverName="",
-                           is_async=False):
-        """Perform an SRP handshake in the role of client.
-
-        This function performs a TLS/SRP handshake.  SRP mutually
-        authenticates both parties to each other using only a
-        username and password.  This function may also perform a
-        combined SRP and server-certificate handshake, if the server
-        chooses to authenticate itself with a certificate chain in
-        addition to doing SRP.
-
-        If the function completes without raising an exception, the
-        TLS connection will be open and available for data transfer.
-
-        If an exception is raised, the connection will have been
-        automatically closed (if it was ever open).
-
-        @type username: str
-        @param username: The SRP username.
-
-        @type password: str
-        @param password: The SRP password.
-
-        @type session: L{tlslite.session.Session}
-        @param session: A TLS session to attempt to resume.  This
-        session must be an SRP session performed with the same username
-        and password as were passed in.  If the resumption does not
-        succeed, a full SRP handshake will be performed.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: A Checker instance.  This instance will be
-        invoked to examine the other party's authentication
-        credentials, if the handshake completes succesfully.
-
-        @type reqTack: bool
-        @param reqTack: Whether or not to send a "tack" TLS Extension, 
-        requesting the server return a TackExtension if it has one.
-
-        @type serverName: string
-        @param serverName: The ServerNameIndication TLS Extension.
-
-        @type is_async: bool
-        @param is_async: If False, this function will block until the
-        handshake is completed.  If True, this function will return a
-        generator.  Successive invocations of the generator will
-        return 0 if it is waiting to read from the socket, 1 if it is
-        waiting to write to the socket, or will raise StopIteration if
-        the handshake operation is completed.
-
-        @rtype: None or an iterable
-        @return: If 'is_async' is True, a generator object will be
-        returned.
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        @raise tlslite.errors.TLSAuthenticationError: If the checker
-        doesn't like the other party's authentication credentials.
-        """
-        handshaker = self._handshakeClientAsync(srpParams=(username, password),
-                        session=session, settings=settings, checker=checker,
-                        reqTack=reqTack, serverName=serverName)
-        # The handshaker is a Python Generator which executes the handshake.
-        # It allows the handshake to be run in a "piecewise", asynchronous
-        # fashion, returning 1 when it is waiting to able to write, 0 when
-        # it is waiting to read.
-        #
-        # If 'is_async' is True, the generator is returned to the caller,
-        # otherwise it is executed to completion here.
-        if is_async:
-            return handshaker
-        for result in handshaker:
-            pass
-
-    def handshakeClientCert(self, certChain=None, privateKey=None,
-                            session=None, settings=None, checker=None,
-                            nextProtos=None, reqTack=True, serverName="",
-                            is_async=False):
-        """Perform a certificate-based handshake in the role of client.
-
-        This function performs an SSL or TLS handshake.  The server
-        will authenticate itself using an X.509 certificate
-        chain.  If the handshake succeeds, the server's certificate
-        chain will be stored in the session's serverCertChain attribute.
-        Unless a checker object is passed in, this function does no
-        validation or checking of the server's certificate chain.
-
-        If the server requests client authentication, the
-        client will send the passed-in certificate chain, and use the
-        passed-in private key to authenticate itself.  If no
-        certificate chain and private key were passed in, the client
-        will attempt to proceed without client authentication.  The
-        server may or may not allow this.
-
-        If the function completes without raising an exception, the
-        TLS connection will be open and available for data transfer.
-
-        If an exception is raised, the connection will have been
-        automatically closed (if it was ever open).
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: The certificate chain to be used if the
-        server requests client authentication.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: The private key to be used if the server
-        requests client authentication.
-
-        @type session: L{tlslite.session.Session}
-        @param session: A TLS session to attempt to resume.  If the
-        resumption does not succeed, a full handshake will be
-        performed.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites, certificate types, and SSL/TLS versions
-        offered by the client.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: A Checker instance.  This instance will be
-        invoked to examine the other party's authentication
-        credentials, if the handshake completes succesfully.
-        
-        @type nextProtos: list of strings.
-        @param nextProtos: A list of upper layer protocols ordered by
-        preference, to use in the Next-Protocol Negotiation Extension.
-        
-        @type reqTack: bool
-        @param reqTack: Whether or not to send a "tack" TLS Extension, 
-        requesting the server return a TackExtension if it has one.        
-
-        @type serverName: string
-        @param serverName: The ServerNameIndication TLS Extension.
-
-        @type is_async: bool
-        @param is_async: If False, this function will block until the
-        handshake is completed.  If True, this function will return a
-        generator.  Successive invocations of the generator will
-        return 0 if it is waiting to read from the socket, 1 if it is
-        waiting to write to the socket, or will raise StopIteration if
-        the handshake operation is completed.
-
-        @rtype: None or an iterable
-        @return: If 'is_async' is True, a generator object will be
-        returned.
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        @raise tlslite.errors.TLSAuthenticationError: If the checker
-        doesn't like the other party's authentication credentials.
-        """
-        handshaker = self._handshakeClientAsync(certParams=(certChain,
-                        privateKey), session=session, settings=settings,
-                        checker=checker, serverName=serverName, 
-                        nextProtos=nextProtos, reqTack=reqTack)
-        # The handshaker is a Python Generator which executes the handshake.
-        # It allows the handshake to be run in a "piecewise", asynchronous
-        # fashion, returning 1 when it is waiting to able to write, 0 when
-        # it is waiting to read.
-        #
-        # If 'is_async' is True, the generator is returned to the caller,
-        # otherwise it is executed to completion here.
-        if is_async:
-            return handshaker
-        for result in handshaker:
-            pass
-
-
-    def _handshakeClientAsync(self, srpParams=(), certParams=(), anonParams=(),
-                             session=None, settings=None, checker=None,
-                             nextProtos=None, serverName="", reqTack=True):
-
-        handshaker = self._handshakeClientAsyncHelper(srpParams=srpParams,
-                certParams=certParams,
-                anonParams=anonParams,
-                session=session,
-                settings=settings,
-                serverName=serverName,
-                nextProtos=nextProtos,
-                reqTack=reqTack)
-        for result in self._handshakeWrapperAsync(handshaker, checker):
-            yield result
-
-
-    def _handshakeClientAsyncHelper(self, srpParams, certParams, anonParams,
-                               session, settings, serverName, nextProtos, reqTack):
-        
-        self._handshakeStart(client=True)
-
-        #Unpack parameters
-        srpUsername = None      # srpParams[0]
-        password = None         # srpParams[1]
-        clientCertChain = None  # certParams[0]
-        privateKey = None       # certParams[1]
-
-        # Allow only one of (srpParams, certParams, anonParams)
-        if srpParams:
-            assert(not certParams)
-            assert(not anonParams)
-            srpUsername, password = srpParams
-        if certParams:
-            assert(not srpParams)
-            assert(not anonParams)            
-            clientCertChain, privateKey = certParams
-        if anonParams:
-            assert(not srpParams)         
-            assert(not certParams)
-
-        #Validate parameters
-        if srpUsername and not password:
-            raise ValueError("Caller passed a username but no password")
-        if password and not srpUsername:
-            raise ValueError("Caller passed a password but no username")
-        if clientCertChain and not privateKey:
-            raise ValueError("Caller passed a certChain but no privateKey")
-        if privateKey and not clientCertChain:
-            raise ValueError("Caller passed a privateKey but no certChain")
-        if reqTack:
-            if not tackpyLoaded:
-                reqTack = False
-            if not settings or not settings.useExperimentalTackExtension:
-                reqTack = False
-        if nextProtos is not None:
-            if len(nextProtos) == 0:
-                raise ValueError("Caller passed no nextProtos")
-        
-        # Validates the settings and filters out any unsupported ciphers
-        # or crypto libraries that were requested        
-        if not settings:
-            settings = HandshakeSettings()
-        settings = settings._filter()
-
-        if settings.alpnProtos is not None:
-            if len(settings.alpnProtos) == 0:
-                raise ValueError("Caller passed no alpnProtos")
-
-        if clientCertChain:
-            if not isinstance(clientCertChain, X509CertChain):
-                raise ValueError("Unrecognized certificate type")
-            if "x509" not in settings.certificateTypes:
-                raise ValueError("Client certificate doesn't match "\
-                                 "Handshake Settings")
-                                  
-        if session:
-            # session.valid() ensures session is resumable and has 
-            # non-empty sessionID
-            if not session.valid():
-                session = None #ignore non-resumable sessions...
-            elif session.resumable: 
-                if session.srpUsername != srpUsername:
-                    raise ValueError("Session username doesn't match")
-                if session.serverName != serverName:
-                    raise ValueError("Session servername doesn't match")
-
-        #Add Faults to parameters
-        if srpUsername and self.fault == Fault.badUsername:
-            srpUsername += "GARBAGE"
-        if password and self.fault == Fault.badPassword:
-            password += "GARBAGE"
-
-        #Tentatively set the version to the client's minimum version.
-        #We'll use this for the ClientHello, and if an error occurs
-        #parsing the Server Hello, we'll use this version for the response
-        self.version = settings.maxVersion
-        
-        # OK Start sending messages!
-        # *****************************
-
-        # Send the ClientHello.
-        for result in self._clientSendClientHello(settings, session, 
-                                        srpUsername, srpParams, certParams,
-                                        anonParams, serverName, nextProtos,
-                                        reqTack):
-            if result in (0,1): yield result
-            else: break
-        clientHello = result
-        
-        #Get the ServerHello.
-        for result in self._clientGetServerHello(settings, clientHello):
-            if result in (0,1): yield result
-            else: break
-        serverHello = result
-        cipherSuite = serverHello.cipher_suite
-        
-        # Choose a matching Next Protocol from server list against ours
-        # (string or None)
-        nextProto = self._clientSelectNextProto(nextProtos, serverHello)
-
-        #If the server elected to resume the session, it is handled here.
-        for result in self._clientResume(session, serverHello, 
-                        clientHello.random, 
-                        settings.cipherImplementations,
-                        nextProto):
-            if result in (0,1): yield result
-            else: break
-        if result == "resumed_and_finished":
-            self._handshakeDone(resumed=True)
-            return
-
-        #If the server selected an SRP ciphersuite, the client finishes
-        #reading the post-ServerHello messages, then derives a
-        #premasterSecret and sends a corresponding ClientKeyExchange.
-        if cipherSuite in CipherSuite.srpAllSuites:
-            for result in self._clientSRPKeyExchange(\
-                    settings, cipherSuite, serverHello.certificate_type, 
-                    srpUsername, password,
-                    clientHello.random, serverHello.random, 
-                    serverHello.tackExt):                
-                if result in (0,1): yield result
-                else: break                
-            (premasterSecret, serverCertChain, tackExt) = result
-
-        #If the server selected an anonymous ciphersuite, the client
-        #finishes reading the post-ServerHello messages.
-        elif cipherSuite in CipherSuite.anonSuites:
-            for result in self._clientAnonKeyExchange(settings, cipherSuite,
-                                    clientHello.random, serverHello.random):
-                if result in (0,1): yield result
-                else: break
-            (premasterSecret, serverCertChain, tackExt) = result     
-               
-        #If the server selected a certificate-based RSA ciphersuite,
-        #the client finishes reading the post-ServerHello messages. If 
-        #a CertificateRequest message was sent, the client responds with
-        #a Certificate message containing its certificate chain (if any),
-        #and also produces a CertificateVerify message that signs the 
-        #ClientKeyExchange.
-        else:
-            for result in self._clientRSAKeyExchange(settings, cipherSuite,
-                                    clientCertChain, privateKey,
-                                    serverHello.certificate_type,
-                                    clientHello.random, serverHello.random,
-                                    serverHello.tackExt):
-                if result in (0,1): yield result
-                else: break
-            (premasterSecret, serverCertChain, clientCertChain, 
-             tackExt) = result
-                        
-        #After having previously sent a ClientKeyExchange, the client now
-        #initiates an exchange of Finished messages.
-        for result in self._clientFinished(premasterSecret,
-                            clientHello.random, 
-                            serverHello.random,
-                            cipherSuite, settings.cipherImplementations,
-                            nextProto):
-                if result in (0,1): yield result
-                else: break
-        masterSecret = result
-        
-        self.clientRandom = clientHello.random
-        self.serverRandom = serverHello.random
-
-        # Create the session object which is used for resumptions
-        self.session = Session()
-        self.session.create(masterSecret, serverHello.session_id, cipherSuite,
-            srpUsername, clientCertChain, serverCertChain,
-            tackExt, serverHello.tackExt!=None, serverName)
-        self._handshakeDone(resumed=False)
-
-
-    def _clientSendClientHello(self, settings, session, srpUsername,
-                                srpParams, certParams, anonParams, 
-                                serverName, nextProtos, reqTack):
-        #Initialize acceptable ciphersuites
-        cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
-        if srpParams:
-            cipherSuites += CipherSuite.getSrpAllSuites(settings)
-        elif certParams:
-            # TODO: Client DHE_RSA not supported.
-            # cipherSuites += CipherSuite.getDheCertSuites(settings)
-            cipherSuites += CipherSuite.getCertSuites(settings)
-        elif anonParams:
-            cipherSuites += CipherSuite.getAnonSuites(settings)
-        else:
-            assert(False)
-
-        #Initialize acceptable certificate types
-        certificateTypes = settings._getCertificateTypes()
-            
-        #Either send ClientHello (with a resumable session)...
-        if session and session.sessionID:
-            #If it's resumable, then its
-            #ciphersuite must be one of the acceptable ciphersuites
-            if session.cipherSuite not in cipherSuites:
-                raise ValueError("Session's cipher suite not consistent "\
-                                 "with parameters")
-            else:
-                clientHello = ClientHello()
-                clientHello.create(settings.maxVersion, getRandomBytes(32),
-                                   session.sessionID, cipherSuites,
-                                   certificateTypes, 
-                                   session.srpUsername,
-                                   reqTack, settings.alpnProtos,
-                                   nextProtos is not None,
-                                   session.serverName)
-
-        #Or send ClientHello (without)
-        else:
-            clientHello = ClientHello()
-            clientHello.create(settings.maxVersion, getRandomBytes(32),
-                               bytearray(0), cipherSuites,
-                               certificateTypes, 
-                               srpUsername,
-                               reqTack, settings.alpnProtos,
-                               nextProtos is not None,
-                               serverName)
-        for result in self._sendMsg(clientHello):
-            yield result
-        yield clientHello
-
-
-    def _clientGetServerHello(self, settings, clientHello):
-        for result in self._getMsg(ContentType.handshake,
-                                  HandshakeType.server_hello):
-            if result in (0,1): yield result
-            else: break
-        serverHello = result
-
-        #Get the server version.  Do this before anything else, so any
-        #error alerts will use the server's version
-        self.version = serverHello.server_version
-
-        #Future responses from server must use this version
-        self._versionCheck = True
-
-        #Check ServerHello
-        if serverHello.server_version < settings.minVersion:
-            for result in self._sendError(\
-                AlertDescription.protocol_version,
-                "Too old version: %s" % str(serverHello.server_version)):
-                yield result
-        if serverHello.server_version > settings.maxVersion:
-            for result in self._sendError(\
-                AlertDescription.protocol_version,
-                "Too new version: %s" % str(serverHello.server_version)):
-                yield result
-        if serverHello.cipher_suite not in clientHello.cipher_suites:
-            for result in self._sendError(\
-                AlertDescription.illegal_parameter,
-                "Server responded with incorrect ciphersuite"):
-                yield result
-        if serverHello.certificate_type not in clientHello.certificate_types:
-            for result in self._sendError(\
-                AlertDescription.illegal_parameter,
-                "Server responded with incorrect certificate type"):
-                yield result
-        if serverHello.compression_method != 0:
-            for result in self._sendError(\
-                AlertDescription.illegal_parameter,
-                "Server responded with incorrect compression method"):
-                yield result
-        if serverHello.tackExt:            
-            if not clientHello.tack:
-                for result in self._sendError(\
-                    AlertDescription.illegal_parameter,
-                    "Server responded with unrequested Tack Extension"):
-                    yield result
-        if serverHello.alpn_proto_selected and not clientHello.alpn_protos_advertised:
-            for result in self._sendError(\
-                AlertDescription.illegal_parameter,
-                "Server responded with unrequested ALPN Extension"):
-                yield result
-        if serverHello.alpn_proto_selected and serverHello.next_protos:
-            for result in self._sendError(\
-                AlertDescription.illegal_parameter,
-                "Server responded with both ALPN and NPN extension"):
-                yield result
-        if serverHello.next_protos and not clientHello.supports_npn:
-            for result in self._sendError(\
-                AlertDescription.illegal_parameter,
-                "Server responded with unrequested NPN Extension"):
-                yield result
-            if not serverHello.tackExt.verifySignatures():
-                for result in self._sendError(\
-                    AlertDescription.decrypt_error,
-                    "TackExtension contains an invalid signature"):
-                    yield result
-        yield serverHello
-
-    def _clientSelectNextProto(self, nextProtos, serverHello):
-        # nextProtos is None or non-empty list of strings
-        # serverHello.next_protos is None or possibly-empty list of strings
-        #
-        # !!! We assume the client may have specified nextProtos as a list of
-        # strings so we convert them to bytearrays (it's awkward to require
-        # the user to specify a list of bytearrays or "bytes", and in 
-        # Python 2.6 bytes() is just an alias for str() anyways...
-        if nextProtos is not None and serverHello.next_protos is not None:
-            for p in nextProtos:
-                if bytearray(p) in serverHello.next_protos:
-                    return bytearray(p)
-            else:
-                # If the client doesn't support any of server's protocols,
-                # or the server doesn't advertise any (next_protos == [])
-                # the client SHOULD select the first protocol it supports.
-                return bytearray(nextProtos[0])
-        return None
- 
-    def _clientResume(self, session, serverHello, clientRandom, 
-                      cipherImplementations, nextProto):
-        #If the server agrees to resume
-        if session and session.sessionID and \
-            serverHello.session_id == session.sessionID:
-
-            if serverHello.cipher_suite != session.cipherSuite:
-                for result in self._sendError(\
-                    AlertDescription.illegal_parameter,\
-                    "Server's ciphersuite doesn't match session"):
-                    yield result
-
-            #Calculate pending connection states
-            self._calcPendingStates(session.cipherSuite, 
-                                    session.masterSecret, 
-                                    clientRandom, serverHello.random, 
-                                    cipherImplementations)                                   
-
-            #Exchange ChangeCipherSpec and Finished messages
-            for result in self._getFinished(session.masterSecret):
-                yield result
-            for result in self._sendFinished(session.masterSecret, nextProto):
-                yield result
-
-            #Set the session for this connection
-            self.session = session
-            yield "resumed_and_finished"        
-            
-    def _clientSRPKeyExchange(self, settings, cipherSuite, certificateType, 
-            srpUsername, password,
-            clientRandom, serverRandom, tackExt):
-
-        #If the server chose an SRP+RSA suite...
-        if cipherSuite in CipherSuite.srpCertSuites:
-            #Get Certificate, ServerKeyExchange, ServerHelloDone
-            for result in self._getMsg(ContentType.handshake,
-                    HandshakeType.certificate, certificateType):
-                if result in (0,1): yield result
-                else: break
-            serverCertificate = result
-        else:
-            serverCertificate = None
-
-        for result in self._getMsg(ContentType.handshake,
-                HandshakeType.server_key_exchange, cipherSuite):
-            if result in (0,1): yield result
-            else: break
-        serverKeyExchange = result
-
-        for result in self._getMsg(ContentType.handshake,
-                HandshakeType.server_hello_done):
-            if result in (0,1): yield result
-            else: break
-        serverHelloDone = result
-            
-        #Calculate SRP premaster secret
-        #Get and check the server's group parameters and B value
-        N = serverKeyExchange.srp_N
-        g = serverKeyExchange.srp_g
-        s = serverKeyExchange.srp_s
-        B = serverKeyExchange.srp_B
-
-        if (g,N) not in goodGroupParameters:
-            for result in self._sendError(\
-                    AlertDescription.insufficient_security,
-                    "Unknown group parameters"):
-                yield result
-        if numBits(N) < settings.minKeySize:
-            for result in self._sendError(\
-                    AlertDescription.insufficient_security,
-                    "N value is too small: %d" % numBits(N)):
-                yield result
-        if numBits(N) > settings.maxKeySize:
-            for result in self._sendError(\
-                    AlertDescription.insufficient_security,
-                    "N value is too large: %d" % numBits(N)):
-                yield result
-        if B % N == 0:
-            for result in self._sendError(\
-                    AlertDescription.illegal_parameter,
-                    "Suspicious B value"):
-                yield result
-
-        #Check the server's signature, if server chose an
-        #SRP+RSA suite
-        serverCertChain = None
-        if cipherSuite in CipherSuite.srpCertSuites:
-            #Hash ServerKeyExchange/ServerSRPParams
-            hashBytes = serverKeyExchange.hash(clientRandom, serverRandom)
-
-            #Extract signature bytes from ServerKeyExchange
-            sigBytes = serverKeyExchange.signature
-            if len(sigBytes) == 0:
-                for result in self._sendError(\
-                        AlertDescription.illegal_parameter,
-                        "Server sent an SRP ServerKeyExchange "\
-                        "message without a signature"):
-                    yield result
-
-            # Get server's public key from the Certificate message
-            # Also validate the chain against the ServerHello's TACKext (if any)
-            # If none, and a TACK cert is present, return its TACKext  
-            for result in self._clientGetKeyFromChain(serverCertificate,
-                                               settings, tackExt):
-                if result in (0,1): yield result
-                else: break
-            publicKey, serverCertChain, tackExt = result
-
-            #Verify signature
-            if not publicKey.verify(sigBytes, hashBytes):
-                for result in self._sendError(\
-                        AlertDescription.decrypt_error,
-                        "Signature failed to verify"):
-                    yield result
-
-        #Calculate client's ephemeral DH values (a, A)
-        a = bytesToNumber(getRandomBytes(32))
-        A = powMod(g, a, N)
-
-        #Calculate client's static DH values (x, v)
-        x = makeX(s, bytearray(srpUsername, "utf-8"),
-                    bytearray(password, "utf-8"))
-        v = powMod(g, x, N)
-
-        #Calculate u
-        u = makeU(N, A, B)
-
-        #Calculate premaster secret
-        k = makeK(N, g)
-        S = powMod((B - (k*v)) % N, a+(u*x), N)
-
-        if self.fault == Fault.badA:
-            A = N
-            S = 0
-            
-        premasterSecret = numberToByteArray(S)
-
-        #Send ClientKeyExchange
-        for result in self._sendMsg(\
-                ClientKeyExchange(cipherSuite).createSRP(A)):
-            yield result
-        yield (premasterSecret, serverCertChain, tackExt)
-                   
-
-    def _clientRSAKeyExchange(self, settings, cipherSuite, 
-                                clientCertChain, privateKey,
-                                certificateType,
-                                clientRandom, serverRandom,
-                                tackExt):
-
-        #Get Certificate[, CertificateRequest], ServerHelloDone
-        for result in self._getMsg(ContentType.handshake,
-                HandshakeType.certificate, certificateType):
-            if result in (0,1): yield result
-            else: break
-        serverCertificate = result
-
-        # Get CertificateRequest or ServerHelloDone
-        for result in self._getMsg(ContentType.handshake,
-                (HandshakeType.server_hello_done,
-                HandshakeType.certificate_request)):
-            if result in (0,1): yield result
-            else: break
-        msg = result
-        certificateRequest = None
-        if isinstance(msg, CertificateRequest):
-            certificateRequest = msg
-            # We got CertificateRequest, so this must be ServerHelloDone
-            for result in self._getMsg(ContentType.handshake,
-                    HandshakeType.server_hello_done):
-                if result in (0,1): yield result
-                else: break
-            serverHelloDone = result
-        elif isinstance(msg, ServerHelloDone):
-            serverHelloDone = msg
-
-        # Get server's public key from the Certificate message
-        # Also validate the chain against the ServerHello's TACKext (if any)
-        # If none, and a TACK cert is present, return its TACKext  
-        for result in self._clientGetKeyFromChain(serverCertificate,
-                                           settings, tackExt):
-            if result in (0,1): yield result
-            else: break
-        publicKey, serverCertChain, tackExt = result
-
-        #Calculate premaster secret
-        premasterSecret = getRandomBytes(48)
-        premasterSecret[0] = settings.maxVersion[0]
-        premasterSecret[1] = settings.maxVersion[1]
-
-        if self.fault == Fault.badPremasterPadding:
-            premasterSecret[0] = 5
-        if self.fault == Fault.shortPremasterSecret:
-            premasterSecret = premasterSecret[:-1]
-
-        #Encrypt premaster secret to server's public key
-        encryptedPreMasterSecret = publicKey.encrypt(premasterSecret)
-
-        #If client authentication was requested, send Certificate
-        #message, either with certificates or empty
-        if certificateRequest:
-            clientCertificate = Certificate(certificateType)
-
-            if clientCertChain:
-                #Check to make sure we have the same type of
-                #certificates the server requested
-                wrongType = False
-                if certificateType == CertificateType.x509:
-                    if not isinstance(clientCertChain, X509CertChain):
-                        wrongType = True
-                if wrongType:
-                    for result in self._sendError(\
-                            AlertDescription.handshake_failure,
-                            "Client certificate is of wrong type"):
-                        yield result
-
-                clientCertificate.create(clientCertChain)
-            for result in self._sendMsg(clientCertificate):
-                yield result
-        else:
-            #The server didn't request client auth, so we
-            #zeroize these so the clientCertChain won't be
-            #stored in the session.
-            privateKey = None
-            clientCertChain = None
-
-        #Send ClientKeyExchange
-        clientKeyExchange = ClientKeyExchange(cipherSuite,
-                                              self.version)
-        clientKeyExchange.createRSA(encryptedPreMasterSecret)
-        for result in self._sendMsg(clientKeyExchange):
-            yield result
-
-        #If client authentication was requested and we have a
-        #private key, send CertificateVerify
-        if certificateRequest and privateKey:
-            signatureAlgorithm = None
-            if self.version == (3,0):
-                masterSecret = calcMasterSecret(self.version,
-                                         premasterSecret,
-                                         clientRandom,
-                                         serverRandom,
-                                         b"", False)
-                verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
-            elif self.version in ((3,1), (3,2)):
-                verifyBytes = self._handshake_md5.digest() + \
-                                self._handshake_sha.digest()
-            elif self.version == (3,3):
-                # TODO: Signature algorithm negotiation not supported.
-                signatureAlgorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
-                verifyBytes = self._handshake_sha.digest()
-                verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
-            if self.fault == Fault.badVerifyMessage:
-                verifyBytes[0] = ((verifyBytes[0]+1) % 256)
-            signedBytes = privateKey.sign(verifyBytes)
-            certificateVerify = CertificateVerify(self.version)
-            certificateVerify.create(signatureAlgorithm, signedBytes)
-            for result in self._sendMsg(certificateVerify):
-                yield result
-        yield (premasterSecret, serverCertChain, clientCertChain, tackExt)
-
-    def _clientAnonKeyExchange(self, settings, cipherSuite, clientRandom, 
-                               serverRandom):
-        for result in self._getMsg(ContentType.handshake,
-                HandshakeType.server_key_exchange, cipherSuite):
-            if result in (0,1): yield result
-            else: break
-        serverKeyExchange = result
-
-        for result in self._getMsg(ContentType.handshake,
-                HandshakeType.server_hello_done):
-            if result in (0,1): yield result
-            else: break
-        serverHelloDone = result
-            
-        #calculate Yc
-        dh_p = serverKeyExchange.dh_p
-        dh_g = serverKeyExchange.dh_g
-        dh_Xc = bytesToNumber(getRandomBytes(32))
-        dh_Ys = serverKeyExchange.dh_Ys
-        dh_Yc = powMod(dh_g, dh_Xc, dh_p)
-        
-        #Send ClientKeyExchange
-        for result in self._sendMsg(\
-                ClientKeyExchange(cipherSuite, self.version).createDH(dh_Yc)):
-            yield result
-            
-        #Calculate premaster secret
-        S = powMod(dh_Ys, dh_Xc, dh_p)
-        premasterSecret = numberToByteArray(S)
-                     
-        yield (premasterSecret, None, None)
-        
-    def _clientFinished(self, premasterSecret, clientRandom, serverRandom,
-                        cipherSuite, cipherImplementations, nextProto):
-
-        masterSecret = calcMasterSecret(self.version, premasterSecret,
-                            clientRandom, serverRandom, b"", False)
-        self._calcPendingStates(cipherSuite, masterSecret, 
-                                clientRandom, serverRandom, 
-                                cipherImplementations)
-
-        #Exchange ChangeCipherSpec and Finished messages
-        for result in self._sendFinished(masterSecret, nextProto):
-            yield result
-        for result in self._getFinished(masterSecret, nextProto=nextProto):
-            yield result
-        yield masterSecret
-
-    def _clientGetKeyFromChain(self, certificate, settings, tackExt=None):
-        #Get and check cert chain from the Certificate message
-        certChain = certificate.certChain
-        if not certChain or certChain.getNumCerts() == 0:
-            for result in self._sendError(AlertDescription.illegal_parameter,
-                    "Other party sent a Certificate message without "\
-                    "certificates"):
-                yield result
-
-        #Get and check public key from the cert chain
-        publicKey = certChain.getEndEntityPublicKey()
-        if len(publicKey) < settings.minKeySize:
-            for result in self._sendError(AlertDescription.handshake_failure,
-                    "Other party's public key too small: %d" % len(publicKey)):
-                yield result
-        if len(publicKey) > settings.maxKeySize:
-            for result in self._sendError(AlertDescription.handshake_failure,
-                    "Other party's public key too large: %d" % len(publicKey)):
-                yield result
-        
-        # If there's no TLS Extension, look for a TACK cert
-        if tackpyLoaded:
-            if not tackExt:
-                tackExt = certChain.getTackExt()
-         
-            # If there's a TACK (whether via TLS or TACK Cert), check that it
-            # matches the cert chain   
-            if tackExt and tackExt.tacks:
-                for tack in tackExt.tacks: 
-                    if not certChain.checkTack(tack):
-                        for result in self._sendError(  
-                                AlertDescription.illegal_parameter,
-                                "Other party's TACK doesn't match their public key"):
-                                yield result
-
-        yield publicKey, certChain, tackExt
-
-
-    #*********************************************************
-    # Server Handshake Functions
-    #*********************************************************
-
-
-    def handshakeServer(self, verifierDB=None,
-                        certChain=None, privateKey=None, reqCert=False,
-                        sessionCache=None, settings=None, checker=None,
-                        reqCAs = None, reqCertTypes = None,
-                        tacks=None, activationFlags=0,
-                        nextProtos=None, anon=False,
-                        signedCertTimestamps=None,
-                        fallbackSCSV=False, ocspResponse=None):
-        """Perform a handshake in the role of server.
-
-        This function performs an SSL or TLS handshake.  Depending on
-        the arguments and the behavior of the client, this function can
-        perform an SRP, or certificate-based handshake.  It
-        can also perform a combined SRP and server-certificate
-        handshake.
-
-        Like any handshake function, this can be called on a closed
-        TLS connection, or on a TLS connection that is already open.
-        If called on an open connection it performs a re-handshake.
-        This function does not send a Hello Request message before
-        performing the handshake, so if re-handshaking is required,
-        the server must signal the client to begin the re-handshake
-        through some other means.
-
-        If the function completes without raising an exception, the
-        TLS connection will be open and available for data transfer.
-
-        If an exception is raised, the connection will have been
-        automatically closed (if it was ever open).
-
-        @type verifierDB: L{tlslite.verifierdb.VerifierDB}
-        @param verifierDB: A database of SRP password verifiers
-        associated with usernames.  If the client performs an SRP
-        handshake, the session's srpUsername attribute will be set.
-
-        @type certChain: L{tlslite.x509certchain.X509CertChain}
-        @param certChain: The certificate chain to be used if the
-        client requests server certificate authentication.
-
-        @type privateKey: L{tlslite.utils.rsakey.RSAKey}
-        @param privateKey: The private key to be used if the client
-        requests server certificate authentication.
-
-        @type reqCert: bool
-        @param reqCert: Whether to request client certificate
-        authentication.  This only applies if the client chooses server
-        certificate authentication; if the client chooses SRP
-        authentication, this will be ignored.  If the client
-        performs a client certificate authentication, the sessions's
-        clientCertChain attribute will be set.
-
-        @type sessionCache: L{tlslite.sessioncache.SessionCache}
-        @param sessionCache: An in-memory cache of resumable sessions.
-        The client can resume sessions from this cache.  Alternatively,
-        if the client performs a full handshake, a new session will be
-        added to the cache.
-
-        @type settings: L{tlslite.handshakesettings.HandshakeSettings}
-        @param settings: Various settings which can be used to control
-        the ciphersuites and SSL/TLS version chosen by the server.
-
-        @type checker: L{tlslite.checker.Checker}
-        @param checker: A Checker instance.  This instance will be
-        invoked to examine the other party's authentication
-        credentials, if the handshake completes succesfully.
-        
-        @type reqCAs: list of L{bytearray} of unsigned bytes
-        @param reqCAs: A collection of DER-encoded DistinguishedNames that
-        will be sent along with a certificate request. This does not affect
-        verification.        
-
-        @type reqCertTypes: list of int
-        @param reqCertTypes: A list of certificate_type values to be sent
-        along with a certificate request. This does not affect verification.
-
-        @type nextProtos: list of strings.
-        @param nextProtos: A list of upper layer protocols to expose to the
-        clients through the Next-Protocol Negotiation Extension, 
-        if they support it.
-
-        @type signedCertTimestamps: str
-        @param signedCertTimestamps: A SignedCertificateTimestampList (as a
-        binary 8-bit string) that will be sent as a TLS extension whenever
-        the client announces support for the extension.
-
-        @type fallbackSCSV: bool
-        @param fallbackSCSV: if true, the server will implement
-        TLS_FALLBACK_SCSV and thus reject connections using less than the
-        server's maximum TLS version that include this cipher suite.
-
-        @type ocspResponse: str
-        @param ocspResponse: An OCSP response (as a binary 8-bit string) that
-        will be sent stapled in the handshake whenever the client announces
-        support for the status_request extension.
-        Note that the response is sent independent of the ClientHello
-        status_request extension contents, and is thus only meant for testing
-        environments. Real OCSP stapling is more complicated as it requires
-        choosing a suitable response based on the ClientHello status_request
-        extension contents.
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        @raise tlslite.errors.TLSAuthenticationError: If the checker
-        doesn't like the other party's authentication credentials.
-        """
-        for result in self.handshakeServerAsync(verifierDB,
-                certChain, privateKey, reqCert, sessionCache, settings,
-                checker, reqCAs, reqCertTypes,
-                tacks=tacks, activationFlags=activationFlags, 
-                nextProtos=nextProtos, anon=anon,
-                signedCertTimestamps=signedCertTimestamps,
-                fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
-            pass
-
-
-    def handshakeServerAsync(self, verifierDB=None,
-                             certChain=None, privateKey=None, reqCert=False,
-                             sessionCache=None, settings=None, checker=None,
-                             reqCAs=None, reqCertTypes=None,
-                             tacks=None, activationFlags=0,
-                             nextProtos=None, anon=False,
-                             signedCertTimestamps=None,
-                             fallbackSCSV=False,
-                             ocspResponse=None
-                             ):
-        """Start a server handshake operation on the TLS connection.
-
-        This function returns a generator which behaves similarly to
-        handshakeServer().  Successive invocations of the generator
-        will return 0 if it is waiting to read from the socket, 1 if it is
-        waiting to write to the socket, or it will raise StopIteration
-        if the handshake operation is complete.
-
-        @rtype: iterable
-        @return: A generator; see above for details.
-        """
-        handshaker = self._handshakeServerAsyncHelper(\
-            verifierDB=verifierDB, certChain=certChain,
-            privateKey=privateKey, reqCert=reqCert,
-            sessionCache=sessionCache, settings=settings, 
-            reqCAs=reqCAs, reqCertTypes=reqCertTypes,
-            tacks=tacks, activationFlags=activationFlags, 
-            nextProtos=nextProtos, anon=anon,
-            signedCertTimestamps=signedCertTimestamps,
-            fallbackSCSV=fallbackSCSV,
-            ocspResponse=ocspResponse)
-        for result in self._handshakeWrapperAsync(handshaker, checker):
-            yield result
-        if settings and settings.alertAfterHandshake:
-            for result in self._sendError(AlertDescription.internal_error,
-                                          "Spurious alert"):
-                yield result
-
-
-    def _handshakeServerAsyncHelper(self, verifierDB,
-                             certChain, privateKey, reqCert, sessionCache,
-                             settings, reqCAs, reqCertTypes,
-                             tacks, activationFlags, 
-                             nextProtos, anon,
-                             signedCertTimestamps, fallbackSCSV,
-                             ocspResponse):
-
-        self._handshakeStart(client=False)
-
-        if (not verifierDB) and (not certChain) and not anon:
-            raise ValueError("Caller passed no authentication credentials")
-        if certChain and not privateKey:
-            raise ValueError("Caller passed a certChain but no privateKey")
-        if privateKey and not certChain:
-            raise ValueError("Caller passed a privateKey but no certChain")
-        if reqCAs and not reqCert:
-            raise ValueError("Caller passed reqCAs but not reqCert")            
-        if reqCertTypes and not reqCert:
-            raise ValueError("Caller passed reqCertTypes but not reqCert")
-        if certChain and not isinstance(certChain, X509CertChain):
-            raise ValueError("Unrecognized certificate type")
-        if activationFlags and not tacks:
-            raise ValueError("Nonzero activationFlags requires tacks")
-        if tacks:
-            if not tackpyLoaded:
-                raise ValueError("tackpy is not loaded")
-            if not settings or not settings.useExperimentalTackExtension:
-                raise ValueError("useExperimentalTackExtension not enabled")
-        if signedCertTimestamps and not certChain:
-            raise ValueError("Caller passed signedCertTimestamps but no "
-                             "certChain")
-
-        if not settings:
-            settings = HandshakeSettings()
-        settings = settings._filter()
-        
-        # OK Start exchanging messages
-        # ******************************
-        
-        # Handle ClientHello and resumption
-        for result in self._serverGetClientHello(settings, certChain,\
-                                            verifierDB, sessionCache,
-                                            anon, fallbackSCSV):
-            if result in (0,1): yield result
-            elif result == None:
-                self._handshakeDone(resumed=True)                
-                return # Handshake was resumed, we're done 
-            else: break
-        (clientHello, cipherSuite) = result
-
-        # Save the ClientHello for external code to query.
-        self.clientHello = clientHello
-        
-        #If not a resumption...
-
-        # Create the ServerHello message
-        if sessionCache:
-            sessionID = getRandomBytes(32)
-        else:
-            sessionID = bytearray(0)
-        
-        alpn_proto_selected = None
-        if (clientHello.alpn_protos_advertised is not None
-                and settings.alpnProtos is not None):
-            for proto in settings.alpnProtos:
-                if proto in clientHello.alpn_protos_advertised:
-                    alpn_proto_selected = proto
-                    nextProtos = None
-                    break;
-
-        if not clientHello.supports_npn:
-            nextProtos = None
-
-        # If not doing a certificate-based suite, discard the TACK
-        if not cipherSuite in CipherSuite.certAllSuites:
-            tacks = None
-
-        # Prepare a TACK Extension if requested
-        if clientHello.tack:
-            tackExt = TackExtension.create(tacks, activationFlags)
-        else:
-            tackExt = None
-        serverRandom = getRandomBytes(32)
-        # See https://tools.ietf.org/html/rfc8446#section-4.1.3
-        if settings.simulateTLS13Downgrade:
-            serverRandom = serverRandom[:24] + \
-                bytearray(b"\x44\x4f\x57\x4e\x47\x52\x44\x01")
-        elif settings.simulateTLS12Downgrade:
-            serverRandom = serverRandom[:24] + \
-                bytearray(b"\x44\x4f\x57\x4e\x47\x52\x44\x00")
-        serverHello = ServerHello()
-        serverHello.create(self.version, serverRandom, sessionID, \
-                            cipherSuite, CertificateType.x509, tackExt,
-                            alpn_proto_selected,
-                            nextProtos)
-        serverHello.channel_id = \
-            clientHello.channel_id and settings.enableChannelID
-        serverHello.extended_master_secret = \
-            clientHello.extended_master_secret and \
-            settings.enableExtendedMasterSecret
-        for param in clientHello.tb_client_params:
-            if param in settings.supportedTokenBindingParams:
-                serverHello.tb_params = param
-                break
-        if clientHello.support_signed_cert_timestamps:
-            serverHello.signed_cert_timestamps = signedCertTimestamps
-        if clientHello.status_request:
-            serverHello.status_request = ocspResponse
-        if clientHello.ri:
-            serverHello.send_ri = True
-
-        # Perform the SRP key exchange
-        clientCertChain = None
-        if cipherSuite in CipherSuite.srpAllSuites:
-            for result in self._serverSRPKeyExchange(clientHello, serverHello, 
-                                    verifierDB, cipherSuite, 
-                                    privateKey, certChain):
-                if result in (0,1): yield result
-                else: break
-            premasterSecret = result
-
-        # Perform a certificate-based key exchange
-        elif cipherSuite in CipherSuite.certAllSuites:
-            if cipherSuite in CipherSuite.certSuites:
-                keyExchange = RSAKeyExchange(cipherSuite,
-                                             clientHello,
-                                             serverHello,
-                                             privateKey)
-            elif cipherSuite in CipherSuite.dheCertSuites:
-                keyExchange = DHE_RSAKeyExchange(cipherSuite,
-                                                 clientHello,
-                                                 serverHello,
-                                                 privateKey)
-            elif cipherSuite in CipherSuite.ecdheCertSuites:
-                keyExchange = ECDHE_RSAKeyExchange(cipherSuite,
-                                                   clientHello,
-                                                   serverHello,
-                                                   privateKey)
-            else:
-                assert(False)
-            for result in self._serverCertKeyExchange(clientHello, serverHello, 
-                                        certChain, keyExchange,
-                                        reqCert, reqCAs, reqCertTypes, cipherSuite,
-                                        settings, ocspResponse):
-                if result in (0,1): yield result
-                else: break
-            (premasterSecret, clientCertChain) = result
-
-        # Perform anonymous Diffie Hellman key exchange
-        elif cipherSuite in CipherSuite.anonSuites:
-            for result in self._serverAnonKeyExchange(clientHello, serverHello, 
-                                        cipherSuite, settings):
-                if result in (0,1): yield result
-                else: break
-            premasterSecret = result
-        
-        else:
-            assert(False)
-                        
-        # Exchange Finished messages      
-        for result in self._serverFinished(premasterSecret, 
-                                clientHello.random, serverHello.random,
-                                cipherSuite, settings.cipherImplementations,
-                                nextProtos, serverHello.channel_id,
-                                serverHello.extended_master_secret):
-                if result in (0,1): yield result
-                else: break
-        masterSecret = result
-
-        self.clientRandom = clientHello.random
-        self.serverRandom = serverHello.random
-
-        #Create the session object
-        self.session = Session()
-        if cipherSuite in CipherSuite.certAllSuites:        
-            serverCertChain = certChain
-        else:
-            serverCertChain = None
-        srpUsername = None
-        serverName = None
-        if clientHello.srp_username:
-            srpUsername = clientHello.srp_username.decode("utf-8")
-        if clientHello.server_name:
-            serverName = clientHello.server_name.decode("utf-8")
-        self.session.create(masterSecret, serverHello.session_id, cipherSuite,
-            srpUsername, clientCertChain, serverCertChain,
-            tackExt, serverHello.tackExt!=None, serverName)
-            
-        #Add the session object to the session cache
-        if sessionCache and sessionID:
-            sessionCache[sessionID] = self.session
-
-        self._handshakeDone(resumed=False)
-
-
-    def _isIntolerant(self, settings, clientHello):
-        if settings.tlsIntolerant is None:
-            return False
-        clientVersion = clientHello.client_version
-        if clientHello.has_supported_versions:
-            clientVersion = (3, 4)
-        return clientVersion >= settings.tlsIntolerant
-
-
-    def _serverGetClientHello(self, settings, certChain, verifierDB,
-                                sessionCache, anon, fallbackSCSV):
-        #Tentatively set version to most-desirable version, so if an error
-        #occurs parsing the ClientHello, this is what we'll use for the
-        #error alert
-        self.version = settings.maxVersion
-
-        #Get ClientHello
-        for result in self._getMsg(ContentType.handshake,
-                                   HandshakeType.client_hello):
-            if result in (0,1): yield result
-            else: break
-        clientHello = result
-
-        #If client's version is too low, reject it
-        if clientHello.client_version < settings.minVersion:
-            self.version = settings.minVersion
-            for result in self._sendError(\
-                  AlertDescription.protocol_version,
-                  "Too old version: %s" % str(clientHello.client_version)):
-                yield result
-
-        #If simulating TLS intolerance, reject certain TLS versions.
-        elif self._isIntolerant(settings, clientHello):
-            if settings.tlsIntoleranceType == "alert":
-                for result in self._sendError(\
-                    AlertDescription.handshake_failure):
-                    yield result
-            elif settings.tlsIntoleranceType == "close":
-                self._abruptClose()
-                raise TLSUnsupportedError("Simulating version intolerance")
-            elif settings.tlsIntoleranceType == "reset":
-                self._abruptClose(reset=True)
-                raise TLSUnsupportedError("Simulating version intolerance")
-            else:
-                raise ValueError("Unknown intolerance type: '%s'" %
-                                 settings.tlsIntoleranceType)
-
-        #If client's version is too high, propose my highest version
-        elif clientHello.client_version > settings.maxVersion:
-            self.version = settings.maxVersion
-
-        #Detect if the client performed an inappropriate fallback.
-        elif fallbackSCSV and clientHello.client_version < settings.maxVersion:
-            self.version = clientHello.client_version
-            if CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites:
-                for result in self._sendError(\
-                        AlertDescription.inappropriate_fallback):
-                    yield result
-
-        else:
-            #Set the version to the client's version
-            self.version = clientHello.client_version
-
-        #Initialize acceptable cipher suites
-        cipherSuites = []
-        if verifierDB:
-            if certChain:
-                cipherSuites += \
-                    CipherSuite.getSrpCertSuites(settings, self.version)
-            cipherSuites += CipherSuite.getSrpSuites(settings, self.version)
-        elif certChain:
-            cipherSuites += CipherSuite.getEcdheCertSuites(settings, self.version)
-            cipherSuites += CipherSuite.getDheCertSuites(settings, self.version)
-            cipherSuites += CipherSuite.getCertSuites(settings, self.version)
-        elif anon:
-            cipherSuites += CipherSuite.getAnonSuites(settings, self.version)
-        else:
-            assert(False)
-
-        alpn_proto_selected = None
-        if (clientHello.alpn_protos_advertised is not None
-                and settings.alpnProtos is not None):
-            for proto in settings.alpnProtos:
-                if proto in clientHello.alpn_protos_advertised:
-                    alpn_proto_selected = proto
-                    break;
-
-        #If resumption was requested and we have a session cache...
-        if clientHello.session_id and sessionCache:
-            session = None
-
-            #Check in the session cache
-            if sessionCache and not session:
-                try:
-                    session = sessionCache[clientHello.session_id]
-                    if not session.resumable:
-                        raise AssertionError()
-                    #Check for consistency with ClientHello
-                    if session.cipherSuite not in cipherSuites:
-                        for result in self._sendError(\
-                                AlertDescription.handshake_failure):
-                            yield result
-                    if session.cipherSuite not in clientHello.cipher_suites:
-                        for result in self._sendError(\
-                                AlertDescription.handshake_failure):
-                            yield result
-                    if clientHello.srp_username:
-                        if not session.srpUsername or \
-                            clientHello.srp_username != bytearray(session.srpUsername, "utf-8"):
-                            for result in self._sendError(\
-                                    AlertDescription.handshake_failure):
-                                yield result
-                    if clientHello.server_name:
-                        if not session.serverName or \
-                            clientHello.server_name != bytearray(session.serverName, "utf-8"):
-                            for result in self._sendError(\
-                                    AlertDescription.handshake_failure):
-                                yield result                    
-                except KeyError:
-                    pass
-
-            #If a session is found..
-            if session:
-                #Send ServerHello
-                serverHello = ServerHello()
-                serverHello.create(self.version, getRandomBytes(32),
-                                   session.sessionID, session.cipherSuite,
-                                   CertificateType.x509, None,
-                                   alpn_proto_selected, None)
-                serverHello.extended_master_secret = \
-                    clientHello.extended_master_secret and \
-                    settings.enableExtendedMasterSecret
-                for param in clientHello.tb_client_params:
-                    if param in settings.supportedTokenBindingParams:
-                          serverHello.tb_params = param
-                          break
-                if clientHello.ri:
-                    serverHello.send_ri = True
-                for result in self._sendMsg(serverHello):
-                    yield result
-
-                #From here on, the client's messages must have right version
-                self._versionCheck = True
-
-                #Calculate pending connection states
-                self._calcPendingStates(session.cipherSuite, 
-                                        session.masterSecret,
-                                        clientHello.random, 
-                                        serverHello.random,
-                                        settings.cipherImplementations)
-
-                #Exchange ChangeCipherSpec and Finished messages
-                for result in self._sendFinished(session.masterSecret):
-                    yield result
-                for result in self._getFinished(session.masterSecret):
-                    yield result
-
-                #Set the session
-                self.session = session
-                    
-                self.clientRandom = clientHello.random
-                self.serverRandom = serverHello.random
-                yield None # Handshake done!
-
-        #Calculate the first cipher suite intersection.
-        #This is the 'privileged' ciphersuite.  We'll use it if we're
-        #doing a new negotiation.  In fact,
-        #the only time we won't use it is if we're resuming a
-        #session, in which case we use the ciphersuite from the session.
-        #
-        #Given the current ciphersuite ordering, this means we prefer SRP
-        #over non-SRP.
-        for cipherSuite in cipherSuites:
-            if cipherSuite in clientHello.cipher_suites:
-                break
-        else:
-            for result in self._sendError(\
-                    AlertDescription.handshake_failure,
-                    "No mutual ciphersuite"):
-                yield result
-        if cipherSuite in CipherSuite.srpAllSuites and \
-                            not clientHello.srp_username:
-            for result in self._sendError(\
-                    AlertDescription.unknown_psk_identity,
-                    "Client sent a hello, but without the SRP username"):
-                yield result
-           
-        #If an RSA suite is chosen, check for certificate type intersection
-        if cipherSuite in CipherSuite.certAllSuites and CertificateType.x509 \
-                                not in clientHello.certificate_types:
-            for result in self._sendError(\
-                    AlertDescription.handshake_failure,
-                    "the client doesn't support my certificate type"):
-                yield result
-
-        # If resumption was not requested, or
-        # we have no session cache, or
-        # the client's session_id was not found in cache:
-        yield (clientHello, cipherSuite)
-
-    def _serverSRPKeyExchange(self, clientHello, serverHello, verifierDB, 
-                                cipherSuite, privateKey, serverCertChain):
-
-        srpUsername = clientHello.srp_username.decode("utf-8")
-        self.allegedSrpUsername = srpUsername
-        #Get parameters from username
-        try:
-            entry = verifierDB[srpUsername]
-        except KeyError:
-            for result in self._sendError(\
-                    AlertDescription.unknown_psk_identity):
-                yield result
-        (N, g, s, v) = entry
-
-        #Calculate server's ephemeral DH values (b, B)
-        b = bytesToNumber(getRandomBytes(32))
-        k = makeK(N, g)
-        B = (powMod(g, b, N) + (k*v)) % N
-
-        #Create ServerKeyExchange, signing it if necessary
-        serverKeyExchange = ServerKeyExchange(cipherSuite, self.version)
-        serverKeyExchange.createSRP(N, g, s, B)
-        if cipherSuite in CipherSuite.srpCertSuites:
-            hashBytes = serverKeyExchange.hash(clientHello.random,
-                                               serverHello.random)
-            serverKeyExchange.signature = privateKey.sign(hashBytes)
-
-        #Send ServerHello[, Certificate], ServerKeyExchange,
-        #ServerHelloDone
-        msgs = []
-        msgs.append(serverHello)
-        if cipherSuite in CipherSuite.srpCertSuites:
-            certificateMsg = Certificate(CertificateType.x509)
-            certificateMsg.create(serverCertChain)
-            msgs.append(certificateMsg)
-        msgs.append(serverKeyExchange)
-        msgs.append(ServerHelloDone())
-        for result in self._sendMsgs(msgs):
-            yield result
-
-        #From here on, the client's messages must have the right version
-        self._versionCheck = True
-
-        #Get and check ClientKeyExchange
-        for result in self._getMsg(ContentType.handshake,
-                                  HandshakeType.client_key_exchange,
-                                  cipherSuite):
-            if result in (0,1): yield result
-            else: break
-        clientKeyExchange = result
-        A = clientKeyExchange.srp_A
-        if A % N == 0:
-            for result in self._sendError(AlertDescription.illegal_parameter,
-                    "Suspicious A value"):
-                yield result
-            assert(False) # Just to ensure we don't fall through somehow
-
-        #Calculate u
-        u = makeU(N, A, B)
-
-        #Calculate premaster secret
-        S = powMod((A * powMod(v,u,N)) % N, b, N)
-        premasterSecret = numberToByteArray(S)
-        
-        yield premasterSecret
-
-
-    def _serverCertKeyExchange(self, clientHello, serverHello, 
-                                serverCertChain, keyExchange,
-                                reqCert, reqCAs, reqCertTypes, cipherSuite,
-                                settings, ocspResponse):
-        #Send ServerHello, Certificate[, ServerKeyExchange]
-        #[, CertificateRequest], ServerHelloDone
-        msgs = []
-
-        # If we verify a client cert chain, return it
-        clientCertChain = None
-
-        msgs.append(serverHello)
-        msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
-        if serverHello.status_request:
-            msgs.append(CertificateStatus().create(ocspResponse))
-        serverKeyExchange = keyExchange.makeServerKeyExchange()
-        if serverKeyExchange is not None:
-            msgs.append(serverKeyExchange)
-        if reqCert:
-            reqCAs = reqCAs or []
-            #Apple's Secure Transport library rejects empty certificate_types,
-            #so default to rsa_sign.
-            reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
-            #Only SHA-1 + RSA is supported.
-            sigAlgs = [(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
-            msgs.append(CertificateRequest(self.version).create(reqCertTypes,
-                                                                reqCAs,
-                                                                sigAlgs))
-        msgs.append(ServerHelloDone())
-        for result in self._sendMsgs(msgs):
-            yield result
-
-        #From here on, the client's messages must have the right version
-        self._versionCheck = True
-
-        #Get [Certificate,] (if was requested)
-        if reqCert:
-            if self.version == (3,0):
-                for result in self._getMsg((ContentType.handshake,
-                                           ContentType.alert),
-                                           HandshakeType.certificate,
-                                           CertificateType.x509):
-                    if result in (0,1): yield result
-                    else: break
-                msg = result
-
-                if isinstance(msg, Alert):
-                    #If it's not a no_certificate alert, re-raise
-                    alert = msg
-                    if alert.description != \
-                            AlertDescription.no_certificate:
-                        self._shutdown(False)
-                        raise TLSRemoteAlert(alert)
-                elif isinstance(msg, Certificate):
-                    clientCertificate = msg
-                    if clientCertificate.certChain and \
-                            clientCertificate.certChain.getNumCerts()!=0:
-                        clientCertChain = clientCertificate.certChain
-                else:
-                    raise AssertionError()
-            elif self.version in ((3,1), (3,2), (3,3)):
-                for result in self._getMsg(ContentType.handshake,
-                                          HandshakeType.certificate,
-                                          CertificateType.x509):
-                    if result in (0,1): yield result
-                    else: break
-                clientCertificate = result
-                if clientCertificate.certChain and \
-                        clientCertificate.certChain.getNumCerts()!=0:
-                    clientCertChain = clientCertificate.certChain
-            else:
-                raise AssertionError()
-
-        #Get ClientKeyExchange
-        for result in self._getMsg(ContentType.handshake,
-                                  HandshakeType.client_key_exchange,
-                                  cipherSuite):
-            if result in (0,1): yield result
-            else: break
-        clientKeyExchange = result
-
-        #Process ClientKeyExchange
-        try:
-            premasterSecret = \
-                keyExchange.processClientKeyExchange(clientKeyExchange)
-        except alert as TLSLocalAlert:
-            for result in self._sendError(alert.description, alert.message):
-                yield result
-
-        #Get and check CertificateVerify, if relevant
-        if clientCertChain:
-            if self.version == (3,0):
-                masterSecret = calcMasterSecret(self.version, premasterSecret,
-                                         clientHello.random, serverHello.random,
-                                         b"", False)
-                verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
-            elif self.version in ((3,1), (3,2)):
-                verifyBytes = self._handshake_md5.digest() + \
-                                self._handshake_sha.digest()
-            elif self.version == (3,3):
-                verifyBytes = self._handshake_sha.digest()
-                verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
-            for result in self._getMsg(ContentType.handshake,
-                                      HandshakeType.certificate_verify):
-                if result in (0,1): yield result
-                else: break
-            certificateVerify = result
-            publicKey = clientCertChain.getEndEntityPublicKey()
-            if len(publicKey) < settings.minKeySize:
-                for result in self._sendError(\
-                        AlertDescription.handshake_failure,
-                        "Client's public key too small: %d" % len(publicKey)):
-                    yield result
-
-            if len(publicKey) > settings.maxKeySize:
-                for result in self._sendError(\
-                        AlertDescription.handshake_failure,
-                        "Client's public key too large: %d" % len(publicKey)):
-                    yield result
-
-            if not publicKey.verify(certificateVerify.signature, verifyBytes):
-                for result in self._sendError(\
-                        AlertDescription.decrypt_error,
-                        "Signature failed to verify"):
-                    yield result
-        yield (premasterSecret, clientCertChain)
-
-
-    def _serverAnonKeyExchange(self, clientHello, serverHello, cipherSuite, 
-                               settings):
-        # Calculate DH p, g, Xs, Ys
-        dh_p = getRandomSafePrime(32, False)
-        dh_g = getRandomNumber(2, dh_p)        
-        dh_Xs = bytesToNumber(getRandomBytes(32))        
-        dh_Ys = powMod(dh_g, dh_Xs, dh_p)
-
-        #Create ServerKeyExchange
-        serverKeyExchange = ServerKeyExchange(cipherSuite, self.version)
-        serverKeyExchange.createDH(dh_p, dh_g, dh_Ys)
-        
-        #Send ServerHello[, Certificate], ServerKeyExchange,
-        #ServerHelloDone  
-        msgs = []
-        msgs.append(serverHello)
-        msgs.append(serverKeyExchange)
-        msgs.append(ServerHelloDone())
-        for result in self._sendMsgs(msgs):
-            yield result
-        
-        #From here on, the client's messages must have the right version
-        self._versionCheck = True
-        
-        #Get and check ClientKeyExchange
-        for result in self._getMsg(ContentType.handshake,
-                                   HandshakeType.client_key_exchange,
-                                   cipherSuite):
-            if result in (0,1):
-                yield result 
-            else:
-                break
-        clientKeyExchange = result
-        dh_Yc = clientKeyExchange.dh_Yc
-        
-        if dh_Yc % dh_p == 0:
-            for result in self._sendError(AlertDescription.illegal_parameter,
-                    "Suspicious dh_Yc value"):
-                yield result
-            assert(False) # Just to ensure we don't fall through somehow            
-
-        #Calculate premaster secre
-        S = powMod(dh_Yc,dh_Xs,dh_p)
-        premasterSecret = numberToByteArray(S)
-        
-        yield premasterSecret
-
-
-    def _serverFinished(self,  premasterSecret, clientRandom, serverRandom,
-                        cipherSuite, cipherImplementations, nextProtos,
-                        doingChannelID, useExtendedMasterSecret):
-        masterSecret = calcMasterSecret(self.version, premasterSecret,
-                                      clientRandom, serverRandom,
-                                      self._ems_handshake_hash,
-                                      useExtendedMasterSecret)
-        
-        #Calculate pending connection states
-        self._calcPendingStates(cipherSuite, masterSecret, 
-                                clientRandom, serverRandom,
-                                cipherImplementations)
-
-        #Exchange ChangeCipherSpec and Finished messages
-        for result in self._getFinished(masterSecret, 
-                        expect_next_protocol=nextProtos is not None,
-                        expect_channel_id=doingChannelID):
-            yield result
-
-        for result in self._sendFinished(masterSecret):
-            yield result
-        
-        yield masterSecret        
-
-
-    #*********************************************************
-    # Shared Handshake Functions
-    #*********************************************************
-
-
-    def _sendFinished(self, masterSecret, nextProto=None):
-        #Send ChangeCipherSpec
-        for result in self._sendMsg(ChangeCipherSpec()):
-            yield result
-
-        #Switch to pending write state
-        self._changeWriteState()
-
-        if nextProto is not None:
-            nextProtoMsg = NextProtocol().create(nextProto)
-            for result in self._sendMsg(nextProtoMsg):
-                yield result
-
-        #Calculate verification data
-        verifyData = self._calcFinished(masterSecret, True)
-        if self.fault == Fault.badFinished:
-            verifyData[0] = (verifyData[0]+1)%256
-
-        #Send Finished message under new state
-        finished = Finished(self.version).create(verifyData)
-        for result in self._sendMsg(finished):
-            yield result
-
-    def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None,
-                     expect_channel_id=False):
-        #Get and check ChangeCipherSpec
-        for result in self._getMsg(ContentType.change_cipher_spec):
-            if result in (0,1):
-                yield result
-        changeCipherSpec = result
-
-        if changeCipherSpec.type != 1:
-            for result in self._sendError(AlertDescription.illegal_parameter,
-                                         "ChangeCipherSpec type incorrect"):
-                yield result
-
-        #Switch to pending read state
-        self._changeReadState()
-
-        #Server Finish - Are we waiting for a next protocol echo? 
-        if expect_next_protocol:
-            for result in self._getMsg(ContentType.handshake, HandshakeType.next_protocol):
-                if result in (0,1):
-                    yield result
-            if result is None:
-                for result in self._sendError(AlertDescription.unexpected_message,
-                                             "Didn't get NextProtocol message"):
-                    yield result
-
-            self.next_proto = result.next_proto
-        else:
-            self.next_proto = None
-
-        #Client Finish - Only set the next_protocol selected in the connection
-        if nextProto:
-            self.next_proto = nextProto
-
-        #Server Finish - Are we waiting for a EncryptedExtensions?
-        if expect_channel_id:
-            for result in self._getMsg(ContentType.handshake, HandshakeType.encrypted_extensions):
-                if result in (0,1):
-                    yield result
-            if result is None:
-                for result in self._sendError(AlertDescription.unexpected_message,
-                                             "Didn't get EncryptedExtensions message"):
-                    yield result
-            encrypted_extensions = result
-            self.channel_id = result.channel_id_key
-        else:
-            self.channel_id = None
-
-        #Calculate verification data
-        verifyData = self._calcFinished(masterSecret, False)
-
-        #Get and check Finished message under new state
-        for result in self._getMsg(ContentType.handshake,
-                                  HandshakeType.finished):
-            if result in (0,1):
-                yield result
-        finished = result
-        if finished.verify_data != verifyData:
-            for result in self._sendError(AlertDescription.decrypt_error,
-                                         "Finished message is incorrect"):
-                yield result
-
-    def _calcFinished(self, masterSecret, send=True):
-        if self.version == (3,0):
-            if (self._client and send) or (not self._client and not send):
-                senderStr = b"\x43\x4C\x4E\x54"
-            else:
-                senderStr = b"\x53\x52\x56\x52"
-
-            verifyData = self._calcSSLHandshakeHash(masterSecret, senderStr)
-            return verifyData
-
-        elif self.version in ((3,1), (3,2)):
-            if (self._client and send) or (not self._client and not send):
-                label = b"client finished"
-            else:
-                label = b"server finished"
-
-            handshakeHashes = self._handshake_md5.digest() + \
-                                self._handshake_sha.digest()
-            verifyData = PRF(masterSecret, label, handshakeHashes, 12)
-            return verifyData
-        elif self.version == (3,3):
-            if (self._client and send) or (not self._client and not send):
-                label = b"client finished"
-            else:
-                label = b"server finished"
-
-            handshakeHashes = self._handshake_sha256.digest()
-            verifyData = PRF_1_2(masterSecret, label, handshakeHashes, 12)
-            return verifyData
-        else:
-            raise AssertionError()
-
-
-    def _handshakeWrapperAsync(self, handshaker, checker):
-        if not self.fault:
-            try:
-                for result in handshaker:
-                    yield result
-                if checker:
-                    try:
-                        checker(self)
-                    except TLSAuthenticationError:
-                        alert = Alert().create(AlertDescription.close_notify,
-                                               AlertLevel.fatal)
-                        for result in self._sendMsg(alert):
-                            yield result
-                        raise
-            except GeneratorExit:
-                raise
-            except TLSAlert as alert:
-                if not self.fault:
-                    raise
-                if alert.description not in Fault.faultAlerts[self.fault]:
-                    raise TLSFaultError(str(alert))
-                else:
-                    pass
-            except:
-                self._shutdown(False)
-                raise
-
-
-    def exportKeyingMaterial(self, label, context, use_context, length):
-        """Returns the exported keying material as defined in RFC 5705."""
-
-        seed = self.clientRandom + self.serverRandom
-        if use_context:
-            if len(context) > 65535:
-                raise ValueError("Context is too long")
-            seed += bytearray(2)
-            seed[len(seed) - 2] = len(context) >> 8
-            seed[len(seed) - 1] = len(context) & 0xFF
-            seed += context
-        if self.version in ((3,1), (3,2)):
-            return PRF(self.session.masterSecret, label, seed, length)
-        elif self.version == (3,3):
-            return PRF_1_2(self.session.masterSecret, label, seed, length)
-        else:
-            raise AssertionError()
diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
deleted file mode 100644
index d2320b8..0000000
--- a/third_party/tlslite/tlslite/tlsrecordlayer.py
+++ /dev/null
@@ -1,1268 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Google (adapted by Sam Rushing) - NPN support
-#   Martin von Loewis - python 3 port
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Helper class for TLSConnection."""
-from __future__ import generators
-
-from .utils.compat import *
-from .utils.cryptomath import *
-from .utils.cipherfactory import createAESGCM, createAES, createRC4, \
-     createTripleDES
-from .utils.codec import *
-from .errors import *
-from .messages import *
-from .mathtls import *
-from .constants import *
-from .utils.cryptomath import getRandomBytes
-
-import socket
-import struct
-import errno
-import traceback
-
-class _ConnectionState(object):
-    def __init__(self):
-        self.macContext = None
-        self.encContext = None
-        self.seqnum = 0
-
-    def getSeqNumBytes(self):
-        w = Writer()
-        w.add(self.seqnum, 8)
-        self.seqnum += 1
-        return w.bytes
-
-
-class TLSRecordLayer(object):
-    """
-    This class handles data transmission for a TLS connection.
-
-    Its only subclass is L{tlslite.TLSConnection.TLSConnection}.  We've
-    separated the code in this class from TLSConnection to make things
-    more readable.
-
-
-    @type sock: socket.socket
-    @ivar sock: The underlying socket object.
-
-    @type session: L{tlslite.Session.Session}
-    @ivar session: The session corresponding to this connection.
-
-    Due to TLS session resumption, multiple connections can correspond
-    to the same underlying session.
-
-    @type version: tuple
-    @ivar version: The TLS version being used for this connection.
-
-    (3,0) means SSL 3.0, and (3,1) means TLS 1.0.
-
-    @type closed: bool
-    @ivar closed: If this connection is closed.
-
-    @type resumed: bool
-    @ivar resumed: If this connection is based on a resumed session.
-
-    @type allegedSrpUsername: str or None
-    @ivar allegedSrpUsername:  This is set to the SRP username
-    asserted by the client, whether the handshake succeeded or not.
-    If the handshake fails, this can be inspected to determine
-    if a guessing attack is in progress against a particular user
-    account.
-
-    @type closeSocket: bool
-    @ivar closeSocket: If the socket should be closed when the
-    connection is closed, defaults to True (writable).
-
-    If you set this to True, TLS Lite will assume the responsibility of
-    closing the socket when the TLS Connection is shutdown (either
-    through an error or through the user calling close()).  The default
-    is False.
-
-    @type ignoreAbruptClose: bool
-    @ivar ignoreAbruptClose: If an abrupt close of the socket should
-    raise an error (writable).
-
-    If you set this to True, TLS Lite will not raise a
-    L{tlslite.errors.TLSAbruptCloseError} exception if the underlying
-    socket is unexpectedly closed.  Such an unexpected closure could be
-    caused by an attacker.  However, it also occurs with some incorrect
-    TLS implementations.
-
-    You should set this to True only if you're not worried about an
-    attacker truncating the connection, and only if necessary to avoid
-    spurious errors.  The default is False.
-
-    @sort: __init__, read, readAsync, write, writeAsync, close, closeAsync,
-    getCipherImplementation, getCipherName
-    """
-
-    def __init__(self, sock):
-        self.sock = sock
-
-        #My session object (Session instance; read-only)
-        self.session = None
-
-        #Am I a client or server?
-        self._client = None
-
-        #Buffers for processing messages
-        self._handshakeBuffer = []
-        self.clearReadBuffer()
-        self.clearWriteBuffer()
-
-        #Handshake digests
-        self._handshake_md5 = hashlib.md5()
-        self._handshake_sha = hashlib.sha1()
-        self._handshake_sha256 = hashlib.sha256()
-        self._ems_handshake_hash = b""
-
-        #TLS Protocol Version
-        self.version = (0,0) #read-only
-        self._versionCheck = False #Once we choose a version, this is True
-
-        #Current and Pending connection states
-        self._writeState = _ConnectionState()
-        self._readState = _ConnectionState()
-        self._pendingWriteState = _ConnectionState()
-        self._pendingReadState = _ConnectionState()
-
-        #Is the connection open?
-        self.closed = True #read-only
-        self._refCount = 0 #Used to trigger closure
-
-        #Is this a resumed session?
-        self.resumed = False #read-only
-
-        #What username did the client claim in his handshake?
-        self.allegedSrpUsername = None
-
-        #On a call to close(), do we close the socket? (writeable)
-        self.closeSocket = True
-
-        #If the socket is abruptly closed, do we ignore it
-        #and pretend the connection was shut down properly? (writeable)
-        self.ignoreAbruptClose = False
-
-        #Fault we will induce, for testing purposes
-        self.fault = None
-
-    def clearReadBuffer(self):
-        self._readBuffer = b''
-
-    def clearWriteBuffer(self):
-        self._send_writer = None
-
-
-    #*********************************************************
-    # Public Functions START
-    #*********************************************************
-
-    def read(self, max=None, min=1):
-        """Read some data from the TLS connection.
-
-        This function will block until at least 'min' bytes are
-        available (or the connection is closed).
-
-        If an exception is raised, the connection will have been
-        automatically closed.
-
-        @type max: int
-        @param max: The maximum number of bytes to return.
-
-        @type min: int
-        @param min: The minimum number of bytes to return
-
-        @rtype: str
-        @return: A string of no more than 'max' bytes, and no fewer
-        than 'min' (unless the connection has been closed, in which
-        case fewer than 'min' bytes may be returned).
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        """
-        for result in self.readAsync(max, min):
-            pass
-        return result
-
-    def readAsync(self, max=None, min=1):
-        """Start a read operation on the TLS connection.
-
-        This function returns a generator which behaves similarly to
-        read().  Successive invocations of the generator will return 0
-        if it is waiting to read from the socket, 1 if it is waiting
-        to write to the socket, or a string if the read operation has
-        completed.
-
-        @rtype: iterable
-        @return: A generator; see above for details.
-        """
-        try:
-            while len(self._readBuffer)<min and not self.closed:
-                try:
-                    for result in self._getMsg(ContentType.application_data):
-                        if result in (0,1):
-                            yield result
-                    applicationData = result
-                    self._readBuffer += applicationData.write()
-                except TLSRemoteAlert as alert:
-                    if alert.description != AlertDescription.close_notify:
-                        raise
-                except TLSAbruptCloseError:
-                    if not self.ignoreAbruptClose:
-                        raise
-                    else:
-                        self._shutdown(True)
-
-            if max == None:
-                max = len(self._readBuffer)
-
-            returnBytes = self._readBuffer[:max]
-            self._readBuffer = self._readBuffer[max:]
-            yield bytes(returnBytes)
-        except GeneratorExit:
-            raise
-        except:
-            self._shutdown(False)
-            raise
-
-    def unread(self, b):
-        """Add bytes to the front of the socket read buffer for future
-        reading. Be careful using this in the context of select(...): if you
-        unread the last data from a socket, that won't wake up selected waiters,
-        and those waiters may hang forever.
-        """
-        self._readBuffer = b + self._readBuffer
-
-    def write(self, s):
-        """Write some data to the TLS connection.
-
-        This function will block until all the data has been sent.
-
-        If an exception is raised, the connection will have been
-        automatically closed.
-
-        @type s: str
-        @param s: The data to transmit to the other party.
-
-        @raise socket.error: If a socket error occurs.
-        """
-        for result in self.writeAsync(s):
-            pass
-
-    def writeAsync(self, s):
-        """Start a write operation on the TLS connection.
-
-        This function returns a generator which behaves similarly to
-        write().  Successive invocations of the generator will return
-        1 if it is waiting to write to the socket, or will raise
-        StopIteration if the write operation has completed.
-
-        @rtype: iterable
-        @return: A generator; see above for details.
-        """
-        try:
-            if self.closed:
-                raise TLSClosedConnectionError("attempt to write to closed connection")
-
-            index = 0
-            blockSize = 16384
-            randomizeFirstBlock = True
-            while 1:
-                startIndex = index * blockSize
-                endIndex = startIndex + blockSize
-                if startIndex >= len(s):
-                    break
-                if endIndex > len(s):
-                    endIndex = len(s)
-                block = bytearray(s[startIndex : endIndex])
-                applicationData = ApplicationData().create(block)
-                for result in self._sendMsg(applicationData, \
-                                            randomizeFirstBlock):
-                    yield result
-                randomizeFirstBlock = False #only on 1st message
-                index += 1
-        except GeneratorExit:
-            raise
-        except Exception:
-            # Don't invalidate the session on write failure if abrupt closes are
-            # okay.
-            self._shutdown(self.ignoreAbruptClose)
-            raise
-
-    def close(self):
-        """Close the TLS connection.
-
-        This function will block until it has exchanged close_notify
-        alerts with the other party.  After doing so, it will shut down the
-        TLS connection.  Further attempts to read through this connection
-        will return "".  Further attempts to write through this connection
-        will raise ValueError.
-
-        If makefile() has been called on this connection, the connection
-        will be not be closed until the connection object and all file
-        objects have been closed.
-
-        Even if an exception is raised, the connection will have been
-        closed.
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        """
-        if not self.closed:
-            for result in self._decrefAsync():
-                pass
-
-    # Python 3 callback
-    _decref_socketios = close
-
-    def closeAsync(self):
-        """Start a close operation on the TLS connection.
-
-        This function returns a generator which behaves similarly to
-        close().  Successive invocations of the generator will return 0
-        if it is waiting to read from the socket, 1 if it is waiting
-        to write to the socket, or will raise StopIteration if the
-        close operation has completed.
-
-        @rtype: iterable
-        @return: A generator; see above for details.
-        """
-        if not self.closed:
-            for result in self._decrefAsync():
-                yield result
-
-    def _decrefAsync(self):
-        self._refCount -= 1
-        if self._refCount == 0 and not self.closed:
-            try:
-                for result in self._sendMsg(Alert().create(\
-                        AlertDescription.close_notify, AlertLevel.warning)):
-                    yield result
-                alert = None
-                # By default close the socket, since it's been observed
-                # that some other libraries will not respond to the 
-                # close_notify alert, thus leaving us hanging if we're
-                # expecting it
-                if self.closeSocket:
-                    self._shutdown(True)
-                else:
-                    while not alert:
-                        for result in self._getMsg((ContentType.alert, \
-                                                  ContentType.application_data)):
-                            if result in (0,1):
-                                yield result
-                        if result.contentType == ContentType.alert:
-                            alert = result
-                    if alert.description == AlertDescription.close_notify:
-                        self._shutdown(True)
-                    else:
-                        raise TLSRemoteAlert(alert)
-            except (socket.error, TLSAbruptCloseError):
-                #If the other side closes the socket, that's okay
-                self._shutdown(True)
-            except GeneratorExit:
-                raise
-            except:
-                self._shutdown(False)
-                raise
-
-    def getVersionName(self):
-        """Get the name of this TLS version.
-
-        @rtype: str
-        @return: The name of the TLS version used with this connection.
-        Either None, 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', or 'TLS 1.2'.
-        """
-        if self.version == (3,0):
-            return "SSL 3.0"
-        elif self.version == (3,1):
-            return "TLS 1.0"
-        elif self.version == (3,2):
-            return "TLS 1.1"
-        elif self.version == (3,3):
-            return "TLS 1.2"
-        else:
-            return None
-        
-    def getCipherName(self):
-        """Get the name of the cipher used with this connection.
-
-        @rtype: str
-        @return: The name of the cipher used with this connection.
-        Either 'aes128', 'aes256', 'rc4', or '3des'.
-        """
-        if not self._writeState.encContext:
-            return None
-        return self._writeState.encContext.name
-
-    def getCipherImplementation(self):
-        """Get the name of the cipher implementation used with
-        this connection.
-
-        @rtype: str
-        @return: The name of the cipher implementation used with
-        this connection.  Either 'python', 'openssl', or 'pycrypto'.
-        """
-        if not self._writeState.encContext:
-            return None
-        return self._writeState.encContext.implementation
-
-
-
-    #Emulate a socket, somewhat -
-    def send(self, s):
-        """Send data to the TLS connection (socket emulation).
-
-        @raise socket.error: If a socket error occurs.
-        """
-        self.write(s)
-        return len(s)
-
-    def sendall(self, s):
-        """Send data to the TLS connection (socket emulation).
-
-        @raise socket.error: If a socket error occurs.
-        """
-        self.write(s)
-
-    def recv(self, bufsize):
-        """Get some data from the TLS connection (socket emulation).
-
-        @raise socket.error: If a socket error occurs.
-        @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
-        without a preceding alert.
-        @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
-        """
-        return self.read(bufsize)
-
-    def recv_into(self, b):
-        # XXX doc string
-        data = self.read(len(b))
-        if not data:
-            return None
-        b[:len(data)] = data
-        return len(data)
-
-    def makefile(self, mode='r', bufsize=-1):
-        """Create a file object for the TLS connection (socket emulation).
-
-        @rtype: L{socket._fileobject}
-        """
-        self._refCount += 1
-        # So, it is pretty fragile to be using Python internal objects
-        # like this, but it is probably the best/easiest way to provide
-        # matching behavior for socket emulation purposes.  The 'close'
-        # argument is nice, its apparently a recent addition to this
-        # class, so that when fileobject.close() gets called, it will
-        # close() us, causing the refcount to be decremented (decrefAsync).
-        #
-        # If this is the last close() on the outstanding fileobjects / 
-        # TLSConnection, then the "actual" close alerts will be sent,
-        # socket closed, etc.
-        if sys.version_info < (3,):
-            return socket._fileobject(self, mode, bufsize, close=True)
-        else:
-            # XXX need to wrap this further if buffering is requested
-            return socket.SocketIO(self, mode)
-
-    def getsockname(self):
-        """Return the socket's own address (socket emulation)."""
-        return self.sock.getsockname()
-
-    def getpeername(self):
-        """Return the remote address to which the socket is connected
-        (socket emulation)."""
-        return self.sock.getpeername()
-
-    def settimeout(self, value):
-        """Set a timeout on blocking socket operations (socket emulation)."""
-        return self.sock.settimeout(value)
-
-    def gettimeout(self):
-        """Return the timeout associated with socket operations (socket
-        emulation)."""
-        return self.sock.gettimeout()
-
-    def setsockopt(self, level, optname, value):
-        """Set the value of the given socket option (socket emulation)."""
-        return self.sock.setsockopt(level, optname, value)
-
-    def shutdown(self, how):
-        """Shutdown the underlying socket."""
-        return self.sock.shutdown(how)
-    	
-    def fileno(self):
-        """Not implement in TLS Lite."""
-        raise NotImplementedError()
-    	
-
-     #*********************************************************
-     # Public Functions END
-     #*********************************************************
-
-    def _shutdown(self, resumable):
-        self._writeState = _ConnectionState()
-        self._readState = _ConnectionState()
-        self.version = (0,0)
-        self._versionCheck = False
-        self.closed = True
-        if self.closeSocket:
-            self.sock.close()
-
-        #Even if resumable is False, we'll never toggle this on
-        if not resumable and self.session:
-            self.session.resumable = False
-
-
-    def _sendError(self, alertDescription, errorStr=None):
-        alert = Alert().create(alertDescription, AlertLevel.fatal)
-        for result in self._sendMsg(alert):
-            yield result
-        self._shutdown(False)
-        raise TLSLocalAlert(alert, errorStr)
-
-    def _abruptClose(self, reset=False):
-        if reset:
-            #Set an SO_LINGER timeout of 0 to send a TCP RST.
-            self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
-                            struct.pack('ii', 1, 0))
-        self._shutdown(False)
-
-    def _sendMsgs(self, msgs):
-        randomizeFirstBlock = True
-        for msg in msgs:
-            for result in self._sendMsg(msg, randomizeFirstBlock):
-                yield result
-            randomizeFirstBlock = True
-
-    def _sendMsg(self, msg, randomizeFirstBlock = True):
-        #Whenever we're connected and asked to send an app data message,
-        #we first send the first byte of the message.  This prevents
-        #an attacker from launching a chosen-plaintext attack based on
-        #knowing the next IV (a la BEAST).
-        if not self.closed and randomizeFirstBlock and self.version <= (3,1) \
-                and self._writeState.encContext \
-                and self._writeState.encContext.isBlockCipher \
-                and isinstance(msg, ApplicationData):
-            msgFirstByte = msg.splitFirstByte()
-            for result in self._sendMsg(msgFirstByte,
-                                       randomizeFirstBlock = False):
-                yield result                                            
-
-        b = msg.write()
-        
-        # If a 1-byte message was passed in, and we "split" the 
-        # first(only) byte off above, we may have a 0-length msg:
-        if len(b) == 0:
-            return
-            
-        contentType = msg.contentType
-
-        #Update handshake hashes
-        if contentType == ContentType.handshake:
-            self._handshake_md5.update(compat26Str(b))
-            self._handshake_sha.update(compat26Str(b))
-            self._handshake_sha256.update(compat26Str(b))
-
-        #Calculate MAC
-        if self._writeState.macContext:
-            seqnumBytes = self._writeState.getSeqNumBytes()
-            mac = self._writeState.macContext.copy()
-            mac.update(compatHMAC(seqnumBytes))
-            mac.update(compatHMAC(bytearray([contentType])))
-            if self.version == (3,0):
-                mac.update( compatHMAC( bytearray([len(b)//256] )))
-                mac.update( compatHMAC( bytearray([len(b)%256] )))
-            elif self.version in ((3,1), (3,2), (3,3)):
-                mac.update(compatHMAC( bytearray([self.version[0]] )))
-                mac.update(compatHMAC( bytearray([self.version[1]] )))
-                mac.update( compatHMAC( bytearray([len(b)//256] )))
-                mac.update( compatHMAC( bytearray([len(b)%256] )))
-            else:
-                raise AssertionError()
-            mac.update(compatHMAC(b))
-            macBytes = bytearray(mac.digest())
-            if self.fault == Fault.badMAC:
-                macBytes[0] = (macBytes[0]+1) % 256
-
-        #Encrypt for non-NULL cipher.
-        if self._writeState.encContext:
-            #Seal (for AEAD)
-            if self._writeState.encContext.isAEAD:
-                #Assemble the authenticated data.
-                seqNumBytes = self._writeState.getSeqNumBytes()
-                authData = seqNumBytes + bytearray([contentType,
-                                                    self.version[0],
-                                                    self.version[1],
-                                                    len(b)//256,
-                                                    len(b)%256])
-
-                #The nonce is always the fixed nonce and the sequence number.
-                nonce = self._writeState.fixedNonce + seqNumBytes
-                assert len(nonce) == self._writeState.encContext.nonceLength
-
-                b = self._writeState.encContext.seal(nonce, b, authData)
-
-                #The only AEAD supported, AES-GCM, has an explicit variable
-                #nonce.
-                b = seqNumBytes + b
-
-            #Add padding and encrypt (for Block Cipher):
-            elif self._writeState.encContext.isBlockCipher:
-
-                #Add TLS 1.1 fixed block
-                if self.version >= (3,2):
-                    b = self.fixedIVBlock + b
-
-                #Add padding: b = b+ (macBytes + paddingBytes)
-                currentLength = len(b) + len(macBytes)
-                blockLength = self._writeState.encContext.block_size
-                paddingLength = blockLength - 1 - (currentLength % blockLength)
-
-                paddingBytes = bytearray([paddingLength] * (paddingLength+1))
-                if self.fault == Fault.badPadding:
-                    paddingBytes[0] = (paddingBytes[0]+1) % 256
-                endBytes = macBytes + paddingBytes
-                b += endBytes
-                #Encrypt
-                b = self._writeState.encContext.encrypt(b)
-
-            #Encrypt (for Stream Cipher)
-            else:
-                b += macBytes
-                b = self._writeState.encContext.encrypt(b)
-
-        #Add record header and send
-        r = RecordHeader3().create(self.version, contentType, len(b))
-        s = r.write() + b
-        while 1:
-            try:
-                bytesSent = self.sock.send(s) #Might raise socket.error
-            except socket.error as why:
-                if why.args[0] in (errno.EWOULDBLOCK, errno.EAGAIN):
-                    yield 1
-                    continue
-                else:
-                    # The socket was unexpectedly closed.  The tricky part
-                    # is that there may be an alert sent by the other party
-                    # sitting in the read buffer.  So, if we get here after
-                    # handshaking, we will just raise the error and let the
-                    # caller read more data if it would like, thus stumbling
-                    # upon the error.
-                    #
-                    # However, if we get here DURING handshaking, we take
-                    # it upon ourselves to see if the next message is an 
-                    # Alert.
-                    if contentType == ContentType.handshake:
-                        
-                        # See if there's an alert record
-                        # Could raise socket.error or TLSAbruptCloseError
-                        for result in self._getNextRecord():
-                            if result in (0,1):
-                                yield result
-                                
-                        # Closes the socket
-                        self._shutdown(False)
-                        
-                        # If we got an alert, raise it        
-                        recordHeader, p = result                        
-                        if recordHeader.type == ContentType.alert:
-                            alert = Alert().parse(p)
-                            raise TLSRemoteAlert(alert)
-                    else:
-                        # If we got some other message who know what
-                        # the remote side is doing, just go ahead and
-                        # raise the socket.error
-                        raise
-            if bytesSent == len(s):
-                return
-            s = s[bytesSent:]
-            yield 1
-
-
-    def _getMsg(self, expectedType, secondaryType=None, constructorType=None):
-        try:
-            if not isinstance(expectedType, tuple):
-                expectedType = (expectedType,)
-
-            #Spin in a loop, until we've got a non-empty record of a type we
-            #expect.  The loop will be repeated if:
-            #  - we receive a renegotiation attempt; we send no_renegotiation,
-            #    then try again
-            #  - we receive an empty application-data fragment; we try again
-            while 1:
-                for result in self._getNextRecord():
-                    if result in (0,1):
-                        yield result
-                recordHeader, p = result
-
-                #If this is an empty application-data fragment, try again
-                if recordHeader.type == ContentType.application_data:
-                    if p.index == len(p.bytes):
-                        continue
-
-                #If we received an unexpected record type...
-                if recordHeader.type not in expectedType:
-
-                    #If we received an alert...
-                    if recordHeader.type == ContentType.alert:
-                        alert = Alert().parse(p)
-
-                        #We either received a fatal error, a warning, or a
-                        #close_notify.  In any case, we're going to close the
-                        #connection.  In the latter two cases we respond with
-                        #a close_notify, but ignore any socket errors, since
-                        #the other side might have already closed the socket.
-                        if alert.level == AlertLevel.warning or \
-                           alert.description == AlertDescription.close_notify:
-
-                            #If the sendMsg() call fails because the socket has
-                            #already been closed, we will be forgiving and not
-                            #report the error nor invalidate the "resumability"
-                            #of the session.
-                            try:
-                                alertMsg = Alert()
-                                alertMsg.create(AlertDescription.close_notify,
-                                                AlertLevel.warning)
-                                for result in self._sendMsg(alertMsg):
-                                    yield result
-                            except socket.error:
-                                pass
-
-                            if alert.description == \
-                                   AlertDescription.close_notify:
-                                self._shutdown(True)
-                            elif alert.level == AlertLevel.warning:
-                                self._shutdown(False)
-
-                        else: #Fatal alert:
-                            self._shutdown(False)
-
-                        #Raise the alert as an exception
-                        raise TLSRemoteAlert(alert)
-
-                    #If we received a renegotiation attempt...
-                    if recordHeader.type == ContentType.handshake:
-                        subType = p.get(1)
-                        reneg = False
-                        if self._client:
-                            if subType == HandshakeType.hello_request:
-                                reneg = True
-                        else:
-                            if subType == HandshakeType.client_hello:
-                                reneg = True
-                        #Send no_renegotiation, then try again
-                        if reneg:
-                            alertMsg = Alert()
-                            alertMsg.create(AlertDescription.no_renegotiation,
-                                            AlertLevel.warning)
-                            for result in self._sendMsg(alertMsg):
-                                yield result
-                            continue
-
-                    #Otherwise: this is an unexpected record, but neither an
-                    #alert nor renegotiation
-                    for result in self._sendError(\
-                            AlertDescription.unexpected_message,
-                            "received type=%d" % recordHeader.type):
-                        yield result
-
-                break
-
-            #Parse based on content_type
-            if recordHeader.type == ContentType.change_cipher_spec:
-                yield ChangeCipherSpec().parse(p)
-            elif recordHeader.type == ContentType.alert:
-                yield Alert().parse(p)
-            elif recordHeader.type == ContentType.application_data:
-                yield ApplicationData().parse(p)
-            elif recordHeader.type == ContentType.handshake:
-                #Convert secondaryType to tuple, if it isn't already
-                if not isinstance(secondaryType, tuple):
-                    secondaryType = (secondaryType,)
-
-                #If it's a handshake message, check handshake header
-                if recordHeader.ssl2:
-                    subType = p.get(1)
-                    if subType != HandshakeType.client_hello:
-                        for result in self._sendError(\
-                                AlertDescription.unexpected_message,
-                                "Can only handle SSLv2 ClientHello messages"):
-                            yield result
-                    if HandshakeType.client_hello not in secondaryType:
-                        for result in self._sendError(\
-                                AlertDescription.unexpected_message):
-                            yield result
-                    subType = HandshakeType.client_hello
-                else:
-                    subType = p.get(1)
-                    if subType not in secondaryType:
-                        for result in self._sendError(\
-                                AlertDescription.unexpected_message,
-                                "Expecting %s, got %s" % (str(secondaryType), subType)):
-                            yield result
-
-                #Update handshake hashes
-                self._handshake_md5.update(compat26Str(p.bytes))
-                self._handshake_sha.update(compat26Str(p.bytes))
-                self._handshake_sha256.update(compat26Str(p.bytes))
-                if subType == HandshakeType.client_key_exchange:
-                    self._ems_handshake_hash = self._getHandshakeHash()
-
-                #Parse based on handshake type
-                if subType == HandshakeType.client_hello:
-                    yield ClientHello(recordHeader.ssl2).parse(p)
-                elif subType == HandshakeType.server_hello:
-                    yield ServerHello().parse(p)
-                elif subType == HandshakeType.certificate:
-                    yield Certificate(constructorType).parse(p)
-                elif subType == HandshakeType.certificate_request:
-                    yield CertificateRequest(self.version).parse(p)
-                elif subType == HandshakeType.certificate_verify:
-                    yield CertificateVerify(self.version).parse(p)
-                elif subType == HandshakeType.server_key_exchange:
-                    yield ServerKeyExchange(constructorType,
-                                            self.version).parse(p)
-                elif subType == HandshakeType.server_hello_done:
-                    yield ServerHelloDone().parse(p)
-                elif subType == HandshakeType.client_key_exchange:
-                    yield ClientKeyExchange(constructorType, \
-                                            self.version).parse(p)
-                elif subType == HandshakeType.finished:
-                    yield Finished(self.version).parse(p)
-                elif subType == HandshakeType.next_protocol:
-                    yield NextProtocol().parse(p)
-                elif subType == HandshakeType.encrypted_extensions:
-                    yield EncryptedExtensions().parse(p)
-                else:
-                    raise AssertionError()
-
-        #If an exception was raised by a Parser or Message instance:
-        except SyntaxError as e:
-            for result in self._sendError(AlertDescription.decode_error,
-                                         formatExceptionTrace(e)):
-                yield result
-
-
-    #Returns next record or next handshake message
-    def _getNextRecord(self):
-
-        #If there's a handshake message waiting, return it
-        if self._handshakeBuffer:
-            recordHeader, b = self._handshakeBuffer[0]
-            self._handshakeBuffer = self._handshakeBuffer[1:]
-            yield (recordHeader, Parser(b))
-            return
-
-        #Otherwise...
-        #Read the next record header
-        b = bytearray(0)
-        recordHeaderLength = 1
-        ssl2 = False
-        while 1:
-            try:
-                s = self.sock.recv(recordHeaderLength-len(b))
-            except socket.error as why:
-                if why.args[0] in (errno.EWOULDBLOCK, errno.EAGAIN):
-                    yield 0
-                    continue
-                else:
-                    raise
-
-            #If the connection was abruptly closed, raise an error
-            if len(s)==0:
-                raise TLSAbruptCloseError()
-
-            b += bytearray(s)
-            if len(b)==1:
-                if b[0] in ContentType.all:
-                    ssl2 = False
-                    recordHeaderLength = 5
-                elif b[0] == 128:
-                    ssl2 = True
-                    recordHeaderLength = 2
-                else:
-                    raise SyntaxError()
-            if len(b) == recordHeaderLength:
-                break
-
-        #Parse the record header
-        if ssl2:
-            r = RecordHeader2().parse(Parser(b))
-        else:
-            r = RecordHeader3().parse(Parser(b))
-
-        #Check the record header fields
-        if r.length > 18432:
-            for result in self._sendError(AlertDescription.record_overflow):
-                yield result
-
-        #Read the record contents
-        b = bytearray(0)
-        while 1:
-            try:
-                s = self.sock.recv(r.length - len(b))
-            except socket.error as why:
-                if why.args[0] in (errno.EWOULDBLOCK, errno.EAGAIN):
-                    yield 0
-                    continue
-                else:
-                    raise
-
-            #If the connection is closed, raise a socket error
-            if len(s)==0:
-                    raise TLSAbruptCloseError()
-
-            b += bytearray(s)
-            if len(b) == r.length:
-                break
-
-        #Check the record header fields (2)
-        #We do this after reading the contents from the socket, so that
-        #if there's an error, we at least don't leave extra bytes in the
-        #socket..
-        #
-        # THIS CHECK HAS NO SECURITY RELEVANCE (?), BUT COULD HURT INTEROP.
-        # SO WE LEAVE IT OUT FOR NOW.
-        #
-        #if self._versionCheck and r.version != self.version:
-        #    for result in self._sendError(AlertDescription.protocol_version,
-        #            "Version in header field: %s, should be %s" % (str(r.version),
-        #                                                       str(self.version))):
-        #        yield result
-
-        #Decrypt the record
-        for result in self._decryptRecord(r.type, b):
-            if result in (0,1): yield result
-            else: break
-        b = result
-        p = Parser(b)
-
-        #If it doesn't contain handshake messages, we can just return it
-        if r.type != ContentType.handshake:
-            yield (r, p)
-        #If it's an SSLv2 ClientHello, we can return it as well
-        elif r.ssl2:
-            yield (r, p)
-        else:
-            #Otherwise, we loop through and add the handshake messages to the
-            #handshake buffer
-            while 1:
-                if p.index == len(b): #If we're at the end
-                    if not self._handshakeBuffer:
-                        for result in self._sendError(\
-                                AlertDescription.decode_error, \
-                                "Received empty handshake record"):
-                            yield result
-                    break
-                #There needs to be at least 4 bytes to get a header
-                if p.index+4 > len(b):
-                    for result in self._sendError(\
-                            AlertDescription.decode_error,
-                            "A record has a partial handshake message (1)"):
-                        yield result
-                p.get(1) # skip handshake type
-                msgLength = p.get(3)
-                if p.index+msgLength > len(b):
-                    for result in self._sendError(\
-                            AlertDescription.decode_error,
-                            "A record has a partial handshake message (2)"):
-                        yield result
-
-                handshakePair = (r, b[p.index-4 : p.index+msgLength])
-                self._handshakeBuffer.append(handshakePair)
-                p.index += msgLength
-
-            #We've moved at least one handshake message into the
-            #handshakeBuffer, return the first one
-            recordHeader, b = self._handshakeBuffer[0]
-            self._handshakeBuffer = self._handshakeBuffer[1:]
-            yield (recordHeader, Parser(b))
-
-
-    def _decryptRecord(self, recordType, b):
-        if self._readState.encContext:
-            #Open if it's an AEAD.
-            if self._readState.encContext.isAEAD:
-                #The only AEAD supported, AES-GCM, has an explicit variable
-                #nonce.
-                explicitNonceLength = 8
-                if explicitNonceLength > len(b):
-                    #Publicly invalid.
-                    for result in self._sendError(
-                            AlertDescription.bad_record_mac,
-                            "MAC failure (or padding failure)"):
-                        yield result
-                nonce = self._readState.fixedNonce + b[:explicitNonceLength]
-                b = b[8:]
-
-                if self._readState.encContext.tagLength > len(b):
-                    #Publicly invalid.
-                    for result in self._sendError(
-                            AlertDescription.bad_record_mac,
-                            "MAC failure (or padding failure)"):
-                        yield result
-
-                #Assemble the authenticated data.
-                seqnumBytes = self._readState.getSeqNumBytes()
-                plaintextLen = len(b) - self._readState.encContext.tagLength
-                authData = seqnumBytes + bytearray([recordType, self.version[0],
-                                                    self.version[1],
-                                                    plaintextLen//256,
-                                                    plaintextLen%256])
-
-                b = self._readState.encContext.open(nonce, b, authData)
-                if b is None:
-                    for result in self._sendError(
-                            AlertDescription.bad_record_mac,
-                            "MAC failure (or padding failure)"):
-                        yield result
-                yield b
-                return
-
-            #Decrypt if it's a block cipher
-            if self._readState.encContext.isBlockCipher:
-                blockLength = self._readState.encContext.block_size
-                if len(b) % blockLength != 0:
-                    for result in self._sendError(\
-                            AlertDescription.decryption_failed,
-                            "Encrypted data not a multiple of blocksize"):
-                        yield result
-                b = self._readState.encContext.decrypt(b)
-                if self.version >= (3,2): #For TLS 1.1, remove explicit IV
-                    b = b[self._readState.encContext.block_size : ]
-
-                #Check padding
-                paddingGood = True
-                paddingLength = b[-1]
-                if (paddingLength+1) > len(b):
-                    paddingGood=False
-                    totalPaddingLength = 0
-                else:
-                    if self.version == (3,0):
-                        totalPaddingLength = paddingLength+1
-                    elif self.version in ((3,1), (3,2), (3,3)):
-                        totalPaddingLength = paddingLength+1
-                        paddingBytes = b[-totalPaddingLength:-1]
-                        for byte in paddingBytes:
-                            if byte != paddingLength:
-                                paddingGood = False
-                                totalPaddingLength = 0
-                    else:
-                        raise AssertionError()
-
-            #Decrypt if it's a stream cipher
-            else:
-                paddingGood = True
-                b = self._readState.encContext.decrypt(b)
-                totalPaddingLength = 0
-
-            #Check MAC
-            macGood = True
-            macLength = self._readState.macContext.digest_size
-            endLength = macLength + totalPaddingLength
-            if endLength > len(b):
-                macGood = False
-            else:
-                #Read MAC
-                startIndex = len(b) - endLength
-                endIndex = startIndex + macLength
-                checkBytes = b[startIndex : endIndex]
-
-                #Calculate MAC
-                seqnumBytes = self._readState.getSeqNumBytes()
-                b = b[:-endLength]
-                mac = self._readState.macContext.copy()
-                mac.update(compatHMAC(seqnumBytes))
-                mac.update(compatHMAC(bytearray([recordType])))
-                if self.version == (3,0):
-                    mac.update( compatHMAC(bytearray( [len(b)//256] ) ))
-                    mac.update( compatHMAC(bytearray( [len(b)%256] ) ))
-                elif self.version in ((3,1), (3,2), (3,3)):
-                    mac.update(compatHMAC(bytearray( [self.version[0]] ) ))
-                    mac.update(compatHMAC(bytearray( [self.version[1]] ) ))
-                    mac.update(compatHMAC(bytearray( [len(b)//256] ) ))
-                    mac.update(compatHMAC(bytearray( [len(b)%256] ) ))
-                else:
-                    raise AssertionError()
-                mac.update(compatHMAC(b))
-                macBytes = bytearray(mac.digest())
-
-                #Compare MACs
-                if macBytes != checkBytes:
-                    macGood = False
-
-            if not (paddingGood and macGood):
-                for result in self._sendError(AlertDescription.bad_record_mac,
-                                          "MAC failure (or padding failure)"):
-                    yield result
-
-        yield b
-
-    def _handshakeStart(self, client):
-        if not self.closed:
-            raise ValueError("Renegotiation disallowed for security reasons")
-        self._client = client
-        self._handshake_md5 = hashlib.md5()
-        self._handshake_sha = hashlib.sha1()
-        self._handshake_sha256 = hashlib.sha256()
-        self._ems_handshake_hash = b""
-        self._handshakeBuffer = []
-        self.allegedSrpUsername = None
-        self._refCount = 1
-
-    def _handshakeDone(self, resumed):
-        self.resumed = resumed
-        self.closed = False
-
-    def _calcPendingStates(self, cipherSuite, masterSecret,
-            clientRandom, serverRandom, implementations):
-        if cipherSuite in CipherSuite.aes128GcmSuites:
-            keyLength = 16
-            ivLength = 4
-            createCipherFunc = createAESGCM
-        elif cipherSuite in CipherSuite.aes128Suites:
-            keyLength = 16
-            ivLength = 16
-            createCipherFunc = createAES
-        elif cipherSuite in CipherSuite.aes256Suites:
-            keyLength = 32
-            ivLength = 16
-            createCipherFunc = createAES
-        elif cipherSuite in CipherSuite.rc4Suites:
-            keyLength = 16
-            ivLength = 0
-            createCipherFunc = createRC4
-        elif cipherSuite in CipherSuite.tripleDESSuites:
-            keyLength = 24
-            ivLength = 8
-            createCipherFunc = createTripleDES
-        else:
-            raise AssertionError()
-            
-        if cipherSuite in CipherSuite.aeadSuites:
-            macLength = 0
-            digestmod = None
-        elif cipherSuite in CipherSuite.shaSuites:
-            macLength = 20
-            digestmod = hashlib.sha1        
-        elif cipherSuite in CipherSuite.sha256Suites:
-            macLength = 32
-            digestmod = hashlib.sha256
-        elif cipherSuite in CipherSuite.md5Suites:
-            macLength = 16
-            digestmod = hashlib.md5
-        else:
-            raise AssertionError()
-
-        if not digestmod:
-            createMACFunc = None
-        elif self.version == (3,0):
-            createMACFunc = createMAC_SSL
-        elif self.version in ((3,1), (3,2), (3,3)):
-            createMACFunc = createHMAC
-
-        outputLength = (macLength*2) + (keyLength*2) + (ivLength*2)
-
-        #Calculate Keying Material from Master Secret
-        if self.version == (3,0):
-            keyBlock = PRF_SSL(masterSecret,
-                               serverRandom + clientRandom,
-                               outputLength)
-        elif self.version in ((3,1), (3,2)):
-            keyBlock = PRF(masterSecret,
-                           b"key expansion",
-                           serverRandom + clientRandom,
-                           outputLength)
-        elif self.version == (3,3):
-            keyBlock = PRF_1_2(masterSecret,
-                           b"key expansion",
-                           serverRandom + clientRandom,
-                           outputLength)
-        else:
-            raise AssertionError()
-
-        #Slice up Keying Material
-        clientPendingState = _ConnectionState()
-        serverPendingState = _ConnectionState()
-        p = Parser(keyBlock)
-        clientMACBlock = p.getFixBytes(macLength)
-        serverMACBlock = p.getFixBytes(macLength)
-        clientKeyBlock = p.getFixBytes(keyLength)
-        serverKeyBlock = p.getFixBytes(keyLength)
-        clientIVBlock  = p.getFixBytes(ivLength)
-        serverIVBlock  = p.getFixBytes(ivLength)
-        if digestmod:
-            # Legacy cipher.
-            clientPendingState.macContext = createMACFunc(
-                compatHMAC(clientMACBlock), digestmod=digestmod)
-            serverPendingState.macContext = createMACFunc(
-                compatHMAC(serverMACBlock), digestmod=digestmod)
-            clientPendingState.encContext = createCipherFunc(clientKeyBlock,
-                                                             clientIVBlock,
-                                                             implementations)
-            serverPendingState.encContext = createCipherFunc(serverKeyBlock,
-                                                             serverIVBlock,
-                                                             implementations)
-        else:
-            # AEAD.
-            clientPendingState.macContext = None
-            serverPendingState.macContext = None
-            clientPendingState.encContext = createCipherFunc(clientKeyBlock,
-                                                             implementations)
-            serverPendingState.encContext = createCipherFunc(serverKeyBlock,
-                                                             implementations)
-            clientPendingState.fixedNonce = clientIVBlock
-            serverPendingState.fixedNonce = serverIVBlock
-
-        #Assign new connection states to pending states
-        if self._client:
-            self._pendingWriteState = clientPendingState
-            self._pendingReadState = serverPendingState
-        else:
-            self._pendingWriteState = serverPendingState
-            self._pendingReadState = clientPendingState
-
-        if self.version >= (3,2) and ivLength:
-            #Choose fixedIVBlock for TLS 1.1 (this is encrypted with the CBC
-            #residue to create the IV for each sent block)
-            self.fixedIVBlock = getRandomBytes(ivLength)
-
-    def _changeWriteState(self):
-        self._writeState = self._pendingWriteState
-        self._pendingWriteState = _ConnectionState()
-
-    def _changeReadState(self):
-        self._readState = self._pendingReadState
-        self._pendingReadState = _ConnectionState()
-
-    #Used for Finished messages and CertificateVerify messages in SSL v3
-    def _calcSSLHandshakeHash(self, masterSecret, label):
-        imac_md5 = self._handshake_md5.copy()
-        imac_sha = self._handshake_sha.copy()
-
-        imac_md5.update(compatHMAC(label + masterSecret + bytearray([0x36]*48)))
-        imac_sha.update(compatHMAC(label + masterSecret + bytearray([0x36]*40)))
-
-        md5Bytes = MD5(masterSecret + bytearray([0x5c]*48) + \
-                         bytearray(imac_md5.digest()))
-        shaBytes = SHA1(masterSecret + bytearray([0x5c]*40) + \
-                         bytearray(imac_sha.digest()))
-
-        return md5Bytes + shaBytes
-
-    def _getHandshakeHash(self):
-        if self.version in ((3,1), (3,2)):
-            return self._handshake_md5.digest() + \
-                self._handshake_sha.digest()
-        elif self.version == (3,3):
-            return self._handshake_sha256.digest()
diff --git a/third_party/tlslite/tlslite/utils/__init__.py b/third_party/tlslite/tlslite/utils/__init__.py
deleted file mode 100644
index 4d49df6..0000000
--- a/third_party/tlslite/tlslite/utils/__init__.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Toolkit for crypto and other stuff."""
-
-__all__ = ["aes",
-           "asn1parser",
-           "cipherfactory",
-           "codec",
-           "cryptomath",
-           "datefuncs",
-           "compat",
-           "keyfactory",
-           "openssl_aes",
-           "openssl_rc4",
-           "openssl_rsakey",
-           "openssl_tripledes",
-           "pycrypto_aes",
-           "pycrypto_rc4",
-           "pycrypto_rsakey",
-           "pycrypto_tripledes",
-           "python_aes",
-           "python_rc4",
-           "python_rsakey",
-           "rc4",
-           "rijndael",
-           "rsakey",
-           "tackpywrapper",
-           "tripledes"]
diff --git a/third_party/tlslite/tlslite/utils/aes.py b/third_party/tlslite/tlslite/utils/aes.py
deleted file mode 100644
index 5a038fb..0000000
--- a/third_party/tlslite/tlslite/utils/aes.py
+++ /dev/null
@@ -1,35 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Abstract class for AES."""
-
-class AES(object):
-    def __init__(self, key, mode, IV, implementation):
-        if len(key) not in (16, 24, 32):
-            raise AssertionError()
-        if mode != 2:
-            raise AssertionError()
-        if len(IV) != 16:
-            raise AssertionError()
-        self.isBlockCipher = True
-        self.isAEAD = False
-        self.block_size = 16
-        self.implementation = implementation
-        if len(key)==16:
-            self.name = "aes128"
-        elif len(key)==24:
-            self.name = "aes192"
-        elif len(key)==32:
-            self.name = "aes256"
-        else:
-            raise AssertionError()
-
-    #CBC-Mode encryption, returns ciphertext
-    #WARNING: *MAY* modify the input as well
-    def encrypt(self, plaintext):
-        assert(len(plaintext) % 16 == 0)
-
-    #CBC-Mode decryption, returns plaintext
-    #WARNING: *MAY* modify the input as well
-    def decrypt(self, ciphertext):
-        assert(len(ciphertext) % 16 == 0)
diff --git a/third_party/tlslite/tlslite/utils/aesgcm.py b/third_party/tlslite/tlslite/utils/aesgcm.py
deleted file mode 100644
index c887f2f..0000000
--- a/third_party/tlslite/tlslite/utils/aesgcm.py
+++ /dev/null
@@ -1,195 +0,0 @@
-# Author: Google
-# See the LICENSE file for legal information regarding use of this file.
-
-# GCM derived from Go's implementation in crypto/cipher.
-#
-# https://golang.org/src/crypto/cipher/gcm.go
-
-# GCM works over elements of the field GF(2^128), each of which is a 128-bit
-# polynomial. Throughout this implementation, polynomials are represented as
-# Python integers with the low-order terms at the most significant bits. So a
-# 128-bit polynomial is an integer from 0 to 2^128-1 with the most significant
-# bit representing the x^0 term and the least significant bit representing the
-# x^127 term. This bit reversal also applies to polynomials used as indices in a
-# look-up table.
-
-from __future__ import division
-
-from .cryptomath import bytesToNumber, numberToByteArray
-
-class AESGCM(object):
-    """
-    AES-GCM implementation. Note: this implementation does not attempt
-    to be side-channel resistant. It's also rather slow.
-    """
-
-    def __init__(self, key, implementation, rawAesEncrypt):
-        self.isBlockCipher = False
-        self.isAEAD = True
-        self.nonceLength = 12
-        self.tagLength = 16
-        self.implementation = implementation
-        if len(key) == 16:
-            self.name = "aes128gcm"
-        elif len(key) == 32:
-            self.name = "aes256gcm"
-        else:
-            raise AssertionError()
-
-        self._rawAesEncrypt = rawAesEncrypt
-
-        # The GCM key is AES(0).
-        h = bytesToNumber(self._rawAesEncrypt(bytearray(16)))
-
-        # Pre-compute all 4-bit multiples of h. Note that bits are reversed
-        # because our polynomial representation places low-order terms at the
-        # most significant bit. Thus x^0 * h = h is at index 0b1000 = 8 and
-        # x^1 * h is at index 0b0100 = 4.
-        self._productTable = [0] * 16
-        self._productTable[_reverseBits(1)] = h
-        for i in range(2, 16, 2):
-            self._productTable[_reverseBits(i)] = \
-                _gcmShift(self._productTable[_reverseBits(i//2)])
-            self._productTable[_reverseBits(i+1)] = \
-                _gcmAdd(self._productTable[_reverseBits(i)], h)
-
-    def _rawAesCtrEncrypt(self, counter, inp):
-        """
-        Encrypts (or decrypts) plaintext with AES-CTR. counter is modified.
-        """
-        out = bytearray(len(inp))
-        for i in range(0, len(out), 16):
-            mask = self._rawAesEncrypt(counter)
-            for j in range(i, min(len(out), i + 16)):
-                out[j] = inp[j] ^ mask[j-i]
-            _inc32(counter)
-        return out
-
-    def _auth(self, ciphertext, ad, tagMask):
-        y = 0
-        y = self._update(y, ad)
-        y = self._update(y, ciphertext)
-        y ^= (len(ad) << (3 + 64)) | (len(ciphertext) << 3)
-        y = self._mul(y)
-        y ^= bytesToNumber(tagMask)
-        return numberToByteArray(y, 16)
-
-    def _update(self, y, data):
-        for i in range(0, len(data) // 16):
-            y ^= bytesToNumber(data[16*i:16*i+16])
-            y = self._mul(y)
-        extra = len(data) % 16
-        if extra != 0:
-            block = bytearray(16)
-            block[:extra] = data[-extra:]
-            y ^= bytesToNumber(block)
-            y = self._mul(y)
-        return y
-
-    def _mul(self, y):
-        """ Returns y*H, where H is the GCM key. """
-        ret = 0
-        # Multiply H by y 4 bits at a time, starting with the highest power
-        # terms.
-        for i in range(0, 128, 4):
-            # Multiply by x^4. The reduction for the top four terms is
-            # precomputed.
-            retHigh = ret & 0xf
-            ret >>= 4
-            ret ^= (_gcmReductionTable[retHigh] << (128-16))
-
-            # Add in y' * H where y' are the next four terms of y, shifted down
-            # to the x^0..x^4. This is one of the pre-computed multiples of
-            # H. The multiplication by x^4 shifts them back into place.
-            ret ^= self._productTable[y & 0xf]
-            y >>= 4
-        assert y == 0
-        return ret
-
-    def seal(self, nonce, plaintext, data):
-        """
-        Encrypts and authenticates plaintext using nonce and data. Returns the
-        ciphertext, consisting of the encrypted plaintext and tag concatenated.
-        """
-
-        if len(nonce) != 12:
-            raise ValueError("Bad nonce length")
-
-        # The initial counter value is the nonce, followed by a 32-bit counter
-        # that starts at 1. It's used to compute the tag mask.
-        counter = bytearray(16)
-        counter[:12] = nonce
-        counter[-1] = 1
-        tagMask = self._rawAesEncrypt(counter)
-
-        # The counter starts at 2 for the actual encryption.
-        counter[-1] = 2
-        ciphertext = self._rawAesCtrEncrypt(counter, plaintext)
-
-        tag = self._auth(ciphertext, data, tagMask)
-
-        return ciphertext + tag
-
-    def open(self, nonce, ciphertext, data):
-        """
-        Decrypts and authenticates ciphertext using nonce and data. If the
-        tag is valid, the plaintext is returned. If the tag is invalid,
-        returns None.
-        """
-
-        if len(nonce) != 12:
-            raise ValueError("Bad nonce length")
-        if len(ciphertext) < 16:
-            return None
-
-        tag = ciphertext[-16:]
-        ciphertext = ciphertext[:-16]
-
-        # The initial counter value is the nonce, followed by a 32-bit counter
-        # that starts at 1. It's used to compute the tag mask.
-        counter = bytearray(16)
-        counter[:12] = nonce
-        counter[-1] = 1
-        tagMask = self._rawAesEncrypt(counter)
-
-        if tag != self._auth(ciphertext, data, tagMask):
-            return None
-
-        # The counter starts at 2 for the actual decryption.
-        counter[-1] = 2
-        return self._rawAesCtrEncrypt(counter, ciphertext)
-
-def _reverseBits(i):
-    assert i < 16
-    i = ((i << 2) & 0xc) | ((i >> 2) & 0x3)
-    i = ((i << 1) & 0xa) | ((i >> 1) & 0x5)
-    return i
-
-def _gcmAdd(x, y):
-    return x ^ y
-
-def _gcmShift(x):
-    # Multiplying by x is a right shift, due to bit order.
-    highTermSet = x & 1
-    x >>= 1
-    if highTermSet:
-        # The x^127 term was shifted up to x^128, so subtract a 1+x+x^2+x^7
-        # term. This is 0b11100001 or 0xe1 when represented as an 8-bit
-        # polynomial.
-        x ^= 0xe1 << (128-8)
-    return x
-
-def _inc32(counter):
-    for i in range(len(counter)-1, len(counter)-5, -1):
-        counter[i] = (counter[i] + 1) % 256
-        if counter[i] != 0:
-            break
-    return counter
-
-# _gcmReductionTable[i] is i * (1+x+x^2+x^7) for all 4-bit polynomials i. The
-# result is stored as a 16-bit polynomial. This is used in the reduction step to
-# multiply elements of GF(2^128) by x^4.
-_gcmReductionTable = [
-    0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
-    0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
-]
diff --git a/third_party/tlslite/tlslite/utils/asn1parser.py b/third_party/tlslite/tlslite/utils/asn1parser.py
deleted file mode 100644
index 618e855..0000000
--- a/third_party/tlslite/tlslite/utils/asn1parser.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Author: Trevor Perrin
-# Patch from Google adding getChildBytes()
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class for parsing ASN.1"""
-from .compat import *
-from .codec import *
-
-#Takes a byte array which has a DER TLV field at its head
-class ASN1Parser(object):
-    def __init__(self, bytes):
-        p = Parser(bytes)
-        p.get(1) #skip Type
-
-        #Get Length
-        self.length = self._getASN1Length(p)
-
-        #Get Value
-        self.value = p.getFixBytes(self.length)
-
-    #Assuming this is a sequence...
-    def getChild(self, which):
-        return ASN1Parser(self.getChildBytes(which))
-
-    def getChildBytes(self, which):
-        p = Parser(self.value)
-        for x in range(which+1):
-            markIndex = p.index
-            p.get(1) #skip Type
-            length = self._getASN1Length(p)
-            p.getFixBytes(length)
-        return p.bytes[markIndex : p.index]
-
-    #Decode the ASN.1 DER length field
-    def _getASN1Length(self, p):
-        firstLength = p.get(1)
-        if firstLength<=127:
-            return firstLength
-        else:
-            lengthLength = firstLength & 0x7F
-            return p.get(lengthLength)
diff --git a/third_party/tlslite/tlslite/utils/cipherfactory.py b/third_party/tlslite/tlslite/utils/cipherfactory.py
deleted file mode 100644
index d525644..0000000
--- a/third_party/tlslite/tlslite/utils/cipherfactory.py
+++ /dev/null
@@ -1,123 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Factory functions for symmetric cryptography."""
-
-import os
-
-from tlslite.utils import python_aes
-from tlslite.utils import python_aesgcm
-from tlslite.utils import python_rc4
-
-from tlslite.utils import cryptomath
-
-tripleDESPresent = False
-
-if cryptomath.m2cryptoLoaded:
-    from tlslite.utils import openssl_aes
-    from tlslite.utils import openssl_rc4
-    from tlslite.utils import openssl_tripledes
-    tripleDESPresent = True
-
-if cryptomath.pycryptoLoaded:
-    from tlslite.utils import pycrypto_aes
-    from tlslite.utils import pycrypto_aesgcm
-    from tlslite.utils import pycrypto_rc4
-    from tlslite.utils import pycrypto_tripledes
-    tripleDESPresent = True
-
-# **************************************************************************
-# Factory Functions for AES
-# **************************************************************************
-
-def createAES(key, IV, implList=None):
-    """Create a new AES object.
-
-    @type key: str
-    @param key: A 16, 24, or 32 byte string.
-
-    @type IV: str
-    @param IV: A 16 byte string
-
-    @rtype: L{tlslite.utils.AES}
-    @return: An AES object.
-    """
-    if implList == None:
-        implList = ["openssl", "pycrypto", "python"]
-
-    for impl in implList:
-        if impl == "openssl" and cryptomath.m2cryptoLoaded:
-            return openssl_aes.new(key, 2, IV)
-        elif impl == "pycrypto" and cryptomath.pycryptoLoaded:
-            return pycrypto_aes.new(key, 2, IV)
-        elif impl == "python":
-            return python_aes.new(key, 2, IV)
-    raise NotImplementedError()
-
-def createAESGCM(key, implList=None):
-    """Create a new AESGCM object.
-
-    @type key: bytearray
-    @param key: A 16 or 32 byte byte array.
-
-    @rtype: L{tlslite.utils.AESGCM}
-    @return: An AESGCM object.
-    """
-    if implList == None:
-        implList = ["pycrypto", "python"]
-
-    for impl in implList:
-        if impl == "pycrypto" and cryptomath.pycryptoLoaded:
-            return pycrypto_aesgcm.new(key)
-        if impl == "python":
-            return python_aesgcm.new(key)
-    raise NotImplementedError()
-
-def createRC4(key, IV, implList=None):
-    """Create a new RC4 object.
-
-    @type key: str
-    @param key: A 16 to 32 byte string.
-
-    @type IV: object
-    @param IV: Ignored, whatever it is.
-
-    @rtype: L{tlslite.utils.RC4}
-    @return: An RC4 object.
-    """
-    if implList == None:
-        implList = ["openssl", "pycrypto", "python"]
-
-    if len(IV) != 0:
-        raise AssertionError()
-    for impl in implList:
-        if impl == "openssl" and cryptomath.m2cryptoLoaded:
-            return openssl_rc4.new(key)
-        elif impl == "pycrypto" and cryptomath.pycryptoLoaded:
-            return pycrypto_rc4.new(key)
-        elif impl == "python":
-            return python_rc4.new(key)
-    raise NotImplementedError()
-
-#Create a new TripleDES instance
-def createTripleDES(key, IV, implList=None):
-    """Create a new 3DES object.
-
-    @type key: str
-    @param key: A 24 byte string.
-
-    @type IV: str
-    @param IV: An 8 byte string
-
-    @rtype: L{tlslite.utils.TripleDES}
-    @return: A 3DES object.
-    """
-    if implList == None:
-        implList = ["openssl", "pycrypto"]
-
-    for impl in implList:
-        if impl == "openssl" and cryptomath.m2cryptoLoaded:
-            return openssl_tripledes.new(key, 2, IV)
-        elif impl == "pycrypto" and cryptomath.pycryptoLoaded:
-            return pycrypto_tripledes.new(key, 2, IV)
-    raise NotImplementedError()
diff --git a/third_party/tlslite/tlslite/utils/codec.py b/third_party/tlslite/tlslite/utils/codec.py
deleted file mode 100644
index f1e21c9..0000000
--- a/third_party/tlslite/tlslite/utils/codec.py
+++ /dev/null
@@ -1,87 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Classes for reading/writing binary data (such as TLS records)."""
-
-from .compat import *
-
-class Writer(object):
-    def __init__(self):
-        self.bytes = bytearray(0)
-
-    def add(self, x, length):
-        self.bytes += bytearray(length)
-        newIndex = len(self.bytes) - 1
-        for count in range(length):
-            self.bytes[newIndex] = x & 0xFF
-            x >>= 8
-            newIndex -= 1
-
-    def addFixSeq(self, seq, length):
-        for e in seq:
-            self.add(e, length)
-
-    def addVarSeq(self, seq, length, lengthLength):
-        self.add(len(seq)*length, lengthLength)
-        for e in seq:
-            self.add(e, length)
-
-class Parser(object):
-    def __init__(self, bytes):
-        self.bytes = bytes
-        self.index = 0
-
-    def get(self, length):
-        if self.index + length > len(self.bytes):
-            raise SyntaxError()
-        x = 0
-        for count in range(length):
-            x <<= 8
-            x |= self.bytes[self.index]
-            self.index += 1
-        return x
-
-    def getFixBytes(self, lengthBytes):
-        bytes = self.bytes[self.index : self.index+lengthBytes]
-        self.index += lengthBytes
-        return bytes
-
-    def getVarBytes(self, lengthLength):
-        lengthBytes = self.get(lengthLength)
-        return self.getFixBytes(lengthBytes)
-
-    def getFixList(self, length, lengthList):
-        l = [0] * lengthList
-        for x in range(lengthList):
-            l[x] = self.get(length)
-        return l
-
-    def getVarList(self, length, lengthLength):
-        lengthList = self.get(lengthLength)
-        if lengthList % length != 0:
-            raise SyntaxError()
-        lengthList = lengthList // length
-        l = [0] * lengthList
-        for x in range(lengthList):
-            l[x] = self.get(length)
-        return l
-
-    def startLengthCheck(self, lengthLength):
-        self.lengthCheck = self.get(lengthLength)
-        self.indexCheck = self.index
-
-    def setLengthCheck(self, length):
-        self.lengthCheck = length
-        self.indexCheck = self.index
-
-    def stopLengthCheck(self):
-        if (self.index - self.indexCheck) != self.lengthCheck:
-            raise SyntaxError()
-
-    def atLengthCheck(self):
-        if (self.index - self.indexCheck) < self.lengthCheck:
-            return False
-        elif (self.index - self.indexCheck) == self.lengthCheck:
-            return True
-        else:
-            raise SyntaxError()
diff --git a/third_party/tlslite/tlslite/utils/compat.py b/third_party/tlslite/tlslite/utils/compat.py
deleted file mode 100644
index 124f630..0000000
--- a/third_party/tlslite/tlslite/utils/compat.py
+++ /dev/null
@@ -1,87 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Miscellaneous functions to mask Python version differences."""
-
-import sys
-import os
-import math
-import binascii
-
-if sys.version_info >= (3,0):
-
-    def compat26Str(x): return x
-    
-    # Python 3 requires bytes instead of bytearrays for HMAC   
-    
-    # So, python 2.6 requires strings, python 3 requires 'bytes',
-    # and python 2.7 can handle bytearrays...     
-    def compatHMAC(x): return bytes(x)
-    
-    def raw_input(s):
-        return input(s)
-    
-    # So, the python3 binascii module deals with bytearrays, and python2
-    # deals with strings...  I would rather deal with the "a" part as
-    # strings, and the "b" part as bytearrays, regardless of python version,
-    # so...
-    def a2b_hex(s):
-        try:
-            b = bytearray(binascii.a2b_hex(bytearray(s, "ascii")))
-        except Exception as e:
-            raise SyntaxError("base16 error: %s" % e) 
-        return b  
-
-    def a2b_base64(s):
-        try:
-            b = bytearray(binascii.a2b_base64(bytearray(s, "ascii")))
-        except Exception as e:
-            raise SyntaxError("base64 error: %s" % e)
-        return b
-
-    def b2a_hex(b):
-        return binascii.b2a_hex(b).decode("ascii")    
-            
-    def b2a_base64(b):
-        return binascii.b2a_base64(b).decode("ascii") 
-
-    def readStdinBinary():
-        return sys.stdin.buffer.read()        
-
-else:
-    # Python 2.6 requires strings instead of bytearrays in a couple places,
-    # so we define this function so it does the conversion if needed.
-    if sys.version_info < (2,7):
-        def compat26Str(x): return str(x)
-    else:
-        def compat26Str(x): return x
-
-    # So, python 2.6 requires strings, python 3 requires 'bytes',
-    # and python 2.7 can handle bytearrays...     
-    def compatHMAC(x): return compat26Str(x)
-
-    def a2b_hex(s):
-        try:
-            b = bytearray(binascii.a2b_hex(s))
-        except Exception as e:
-            raise SyntaxError("base16 error: %s" % e)
-        return b
-
-    def a2b_base64(s):
-        try:
-            b = bytearray(binascii.a2b_base64(s))
-        except Exception as e:
-            raise SyntaxError("base64 error: %s" % e)
-        return b
-        
-    def b2a_hex(b):
-        return binascii.b2a_hex(compat26Str(b))
-        
-    def b2a_base64(b):
-        return binascii.b2a_base64(compat26Str(b))
-        
-import traceback
-def formatExceptionTrace(e):
-    newStr = "".join(traceback.format_exception(sys.exc_type, sys.exc_value, sys.exc_traceback))
-    return newStr
-
diff --git a/third_party/tlslite/tlslite/utils/cryptomath.py b/third_party/tlslite/tlslite/utils/cryptomath.py
deleted file mode 100644
index f7142c0..0000000
--- a/third_party/tlslite/tlslite/utils/cryptomath.py
+++ /dev/null
@@ -1,312 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Martin von Loewis - python 3 port
-#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""cryptomath module
-
-This module has basic math/crypto code."""
-from __future__ import print_function
-import os
-import math
-import base64
-import binascii
-
-from .compat import *
-
-
-# **************************************************************************
-# Load Optional Modules
-# **************************************************************************
-
-# Try to load M2Crypto/OpenSSL
-try:
-    from M2Crypto import m2
-    m2cryptoLoaded = True
-
-except ImportError:
-    m2cryptoLoaded = False
-
-#Try to load GMPY
-try:
-    import gmpy
-    gmpyLoaded = True
-except ImportError:
-    gmpyLoaded = False
-
-#Try to load pycrypto
-try:
-    import Crypto.Cipher.AES
-    pycryptoLoaded = True
-except ImportError:
-    pycryptoLoaded = False
-
-
-# **************************************************************************
-# PRNG Functions
-# **************************************************************************
-
-# Check that os.urandom works
-import zlib
-length = len(zlib.compress(os.urandom(1000)))
-assert(length > 900)
-
-def getRandomBytes(howMany):
-    b = bytearray(os.urandom(howMany))
-    assert(len(b) == howMany)
-    return b
-
-prngName = "os.urandom"
-
-# **************************************************************************
-# Simple hash functions
-# **************************************************************************
-
-import hmac
-import hashlib
-
-def MD5(b):
-    return bytearray(hashlib.md5(compat26Str(b)).digest())
-
-def SHA1(b):
-    return bytearray(hashlib.sha1(compat26Str(b)).digest())
-
-def SHA256(b):
-    return bytearray(hashlib.sha256(compat26Str(b)).digest())
-
-def HMAC_MD5(k, b):
-    k = compatHMAC(k)
-    b = compatHMAC(b)
-    return bytearray(hmac.new(k, b, hashlib.md5).digest())
-
-def HMAC_SHA1(k, b):
-    k = compatHMAC(k)
-    b = compatHMAC(b)
-    return bytearray(hmac.new(k, b, hashlib.sha1).digest())
-
-def HMAC_SHA256(k, b):
-    k = compatHMAC(k)
-    b = compatHMAC(b)
-    return bytearray(hmac.new(k, b, hashlib.sha256).digest())
-
-# **************************************************************************
-# Converter Functions
-# **************************************************************************
-
-def bytesToNumber(b):
-    total = 0
-    multiplier = 1
-    for count in range(len(b)-1, -1, -1):
-        byte = b[count]
-        total += multiplier * byte
-        multiplier *= 256
-    return total
-
-def numberToByteArray(n, howManyBytes=None):
-    """Convert an integer into a bytearray, zero-pad to howManyBytes.
-
-    The returned bytearray may be smaller than howManyBytes, but will
-    not be larger.  The returned bytearray will contain a big-endian
-    encoding of the input integer (n).
-    """    
-    if howManyBytes == None:
-        howManyBytes = numBytes(n)
-    b = bytearray(howManyBytes)
-    for count in range(howManyBytes-1, -1, -1):
-        b[count] = int(n % 256)
-        n >>= 8
-    return b
-
-def mpiToNumber(mpi): #mpi is an openssl-format bignum string
-    if (ord(mpi[4]) & 0x80) !=0: #Make sure this is a positive number
-        raise AssertionError()
-    b = bytearray(mpi[4:])
-    return bytesToNumber(b)
-
-def numberToMPI(n):
-    b = numberToByteArray(n)
-    ext = 0
-    #If the high-order bit is going to be set,
-    #add an extra byte of zeros
-    if (numBits(n) & 0x7)==0:
-        ext = 1
-    length = numBytes(n) + ext
-    b = bytearray(4+ext) + b
-    b[0] = (length >> 24) & 0xFF
-    b[1] = (length >> 16) & 0xFF
-    b[2] = (length >> 8) & 0xFF
-    b[3] = length & 0xFF
-    return bytes(b)
-
-
-# **************************************************************************
-# Misc. Utility Functions
-# **************************************************************************
-
-def numBits(n):
-    if n==0:
-        return 0
-    s = "%x" % n
-    return ((len(s)-1)*4) + \
-    {'0':0, '1':1, '2':2, '3':2,
-     '4':3, '5':3, '6':3, '7':3,
-     '8':4, '9':4, 'a':4, 'b':4,
-     'c':4, 'd':4, 'e':4, 'f':4,
-     }[s[0]]
-    return int(math.floor(math.log(n, 2))+1)
-
-def numBytes(n):
-    if n==0:
-        return 0
-    bits = numBits(n)
-    return int(math.ceil(bits / 8.0))
-
-# **************************************************************************
-# Big Number Math
-# **************************************************************************
-
-def getRandomNumber(low, high):
-    if low >= high:
-        raise AssertionError()
-    howManyBits = numBits(high)
-    howManyBytes = numBytes(high)
-    lastBits = howManyBits % 8
-    while 1:
-        bytes = getRandomBytes(howManyBytes)
-        if lastBits:
-            bytes[0] = bytes[0] % (1 << lastBits)
-        n = bytesToNumber(bytes)
-        if n >= low and n < high:
-            return n
-
-def gcd(a,b):
-    a, b = max(a,b), min(a,b)
-    while b:
-        a, b = b, a % b
-    return a
-
-def lcm(a, b):
-    return (a * b) // gcd(a, b)
-
-#Returns inverse of a mod b, zero if none
-#Uses Extended Euclidean Algorithm
-def invMod(a, b):
-    c, d = a, b
-    uc, ud = 1, 0
-    while c != 0:
-        q = d // c
-        c, d = d-(q*c), c
-        uc, ud = ud - (q * uc), uc
-    if d == 1:
-        return ud % b
-    return 0
-
-
-if gmpyLoaded:
-    def powMod(base, power, modulus):
-        base = gmpy.mpz(base)
-        power = gmpy.mpz(power)
-        modulus = gmpy.mpz(modulus)
-        result = pow(base, power, modulus)
-        return long(result)
-
-else:
-    def powMod(base, power, modulus):
-        if power < 0:
-            result = pow(base, power*-1, modulus)
-            result = invMod(result, modulus)
-            return result
-        else:
-            return pow(base, power, modulus)
-
-#Pre-calculate a sieve of the ~100 primes < 1000:
-def makeSieve(n):
-    sieve = list(range(n))
-    for count in range(2, int(math.sqrt(n))+1):
-        if sieve[count] == 0:
-            continue
-        x = sieve[count] * 2
-        while x < len(sieve):
-            sieve[x] = 0
-            x += sieve[count]
-    sieve = [x for x in sieve[2:] if x]
-    return sieve
-
-sieve = makeSieve(1000)
-
-def isPrime(n, iterations=5, display=False):
-    #Trial division with sieve
-    for x in sieve:
-        if x >= n: return True
-        if n % x == 0: return False
-    #Passed trial division, proceed to Rabin-Miller
-    #Rabin-Miller implemented per Ferguson & Schneier
-    #Compute s, t for Rabin-Miller
-    if display: print("*", end=' ')
-    s, t = n-1, 0
-    while s % 2 == 0:
-        s, t = s//2, t+1
-    #Repeat Rabin-Miller x times
-    a = 2 #Use 2 as a base for first iteration speedup, per HAC
-    for count in range(iterations):
-        v = powMod(a, s, n)
-        if v==1:
-            continue
-        i = 0
-        while v != n-1:
-            if i == t-1:
-                return False
-            else:
-                v, i = powMod(v, 2, n), i+1
-        a = getRandomNumber(2, n)
-    return True
-
-def getRandomPrime(bits, display=False):
-    if bits < 10:
-        raise AssertionError()
-    #The 1.5 ensures the 2 MSBs are set
-    #Thus, when used for p,q in RSA, n will have its MSB set
-    #
-    #Since 30 is lcm(2,3,5), we'll set our test numbers to
-    #29 % 30 and keep them there
-    low = ((2 ** (bits-1)) * 3) // 2
-    high = 2 ** bits - 30
-    p = getRandomNumber(low, high)
-    p += 29 - (p % 30)
-    while 1:
-        if display: print(".", end=' ')
-        p += 30
-        if p >= high:
-            p = getRandomNumber(low, high)
-            p += 29 - (p % 30)
-        if isPrime(p, display=display):
-            return p
-
-#Unused at the moment...
-def getRandomSafePrime(bits, display=False):
-    if bits < 10:
-        raise AssertionError()
-    #The 1.5 ensures the 2 MSBs are set
-    #Thus, when used for p,q in RSA, n will have its MSB set
-    #
-    #Since 30 is lcm(2,3,5), we'll set our test numbers to
-    #29 % 30 and keep them there
-    low = (2 ** (bits-2)) * 3//2
-    high = (2 ** (bits-1)) - 30
-    q = getRandomNumber(low, high)
-    q += 29 - (q % 30)
-    while 1:
-        if display: print(".", end=' ')
-        q += 30
-        if (q >= high):
-            q = getRandomNumber(low, high)
-            q += 29 - (q % 30)
-        #Ideas from Tom Wu's SRP code
-        #Do trial division on p and q before Rabin-Miller
-        if isPrime(q, 0, display=display):
-            p = (2 * q) + 1
-            if isPrime(p, display=display):
-                if isPrime(q, display=display):
-                    return p
diff --git a/third_party/tlslite/tlslite/utils/datefuncs.py b/third_party/tlslite/tlslite/utils/datefuncs.py
deleted file mode 100644
index d8f0d240..0000000
--- a/third_party/tlslite/tlslite/utils/datefuncs.py
+++ /dev/null
@@ -1,77 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-import os
-
-#Functions for manipulating datetime objects
-#CCYY-MM-DDThh:mm:ssZ
-def parseDateClass(s):
-    year, month, day = s.split("-")
-    day, tail = day[:2], day[2:]
-    hour, minute, second = tail[1:].split(":")
-    second = second[:2]
-    year, month, day = int(year), int(month), int(day)
-    hour, minute, second = int(hour), int(minute), int(second)
-    return createDateClass(year, month, day, hour, minute, second)
-
-
-if os.name != "java":
-    from datetime import datetime, timedelta
-
-    #Helper functions for working with a date/time class
-    def createDateClass(year, month, day, hour, minute, second):
-        return datetime(year, month, day, hour, minute, second)
-
-    def printDateClass(d):
-        #Split off fractional seconds, append 'Z'
-        return d.isoformat().split(".")[0]+"Z"
-
-    def getNow():
-        return datetime.utcnow()
-
-    def getHoursFromNow(hours):
-        return datetime.utcnow() + timedelta(hours=hours)
-
-    def getMinutesFromNow(minutes):
-        return datetime.utcnow() + timedelta(minutes=minutes)
-
-    def isDateClassExpired(d):
-        return d < datetime.utcnow()
-
-    def isDateClassBefore(d1, d2):
-        return d1 < d2
-
-else:
-    #Jython 2.1 is missing lots of python 2.3 stuff,
-    #which we have to emulate here:
-    import java
-    import jarray
-
-    def createDateClass(year, month, day, hour, minute, second):
-        c = java.util.Calendar.getInstance()
-        c.setTimeZone(java.util.TimeZone.getTimeZone("UTC"))
-        c.set(year, month-1, day, hour, minute, second)
-        return c
-
-    def printDateClass(d):
-        return "%04d-%02d-%02dT%02d:%02d:%02dZ" % \
-        (d.get(d.YEAR), d.get(d.MONTH)+1, d.get(d.DATE), \
-        d.get(d.HOUR_OF_DAY), d.get(d.MINUTE), d.get(d.SECOND))
-
-    def getNow():
-        c = java.util.Calendar.getInstance()
-        c.setTimeZone(java.util.TimeZone.getTimeZone("UTC"))
-        c.get(c.HOUR) #force refresh?
-        return c
-
-    def getHoursFromNow(hours):
-        d = getNow()
-        d.add(d.HOUR, hours)
-        return d
-
-    def isDateClassExpired(d):
-        n = getNow()
-        return d.before(n)
-
-    def isDateClassBefore(d1, d2):
-        return d1.before(d2)
diff --git a/third_party/tlslite/tlslite/utils/keyfactory.py b/third_party/tlslite/tlslite/utils/keyfactory.py
deleted file mode 100644
index 1ee338f3..0000000
--- a/third_party/tlslite/tlslite/utils/keyfactory.py
+++ /dev/null
@@ -1,191 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Factory functions for asymmetric cryptography.
-@sort: generateRSAKey, parsePEMKey, parseAsPublicKey
-"""
-
-from .compat import *
-
-from .rsakey import RSAKey
-from .python_rsakey import Python_RSAKey
-from tlslite.utils import cryptomath
-
-if cryptomath.m2cryptoLoaded:
-    from .openssl_rsakey import OpenSSL_RSAKey
-
-if cryptomath.pycryptoLoaded:
-    from .pycrypto_rsakey import PyCrypto_RSAKey
-
-# **************************************************************************
-# Factory Functions for RSA Keys
-# **************************************************************************
-
-def generateRSAKey(bits, implementations=["openssl", "python"]):
-    """Generate an RSA key with the specified bit length.
-
-    @type bits: int
-    @param bits: Desired bit length of the new key's modulus.
-
-    @rtype: L{tlslite.utils.rsakey.RSAKey}
-    @return: A new RSA private key.
-    """
-    for implementation in implementations:
-        if implementation == "openssl" and cryptomath.m2cryptoLoaded:
-            return OpenSSL_RSAKey.generate(bits)
-        elif implementation == "python":
-            return Python_RSAKey.generate(bits)
-    raise ValueError("No acceptable implementations")
-
-#Parse as an OpenSSL or Python key
-def parsePEMKey(s, private=False, public=False, passwordCallback=None,
-                implementations=["openssl", "python"]):
-    """Parse a PEM-format key.
-
-    The PEM format is used by OpenSSL and other tools.  The
-    format is typically used to store both the public and private
-    components of a key.  For example::
-
-       -----BEGIN RSA PRIVATE KEY-----
-        MIICXQIBAAKBgQDYscuoMzsGmW0pAYsmyHltxB2TdwHS0dImfjCMfaSDkfLdZY5+
-        dOWORVns9etWnr194mSGA1F0Pls/VJW8+cX9+3vtJV8zSdANPYUoQf0TP7VlJxkH
-        dSRkUbEoz5bAAs/+970uos7n7iXQIni+3erUTdYEk2iWnMBjTljfgbK/dQIDAQAB
-        AoGAJHoJZk75aKr7DSQNYIHuruOMdv5ZeDuJvKERWxTrVJqE32/xBKh42/IgqRrc
-        esBN9ZregRCd7YtxoL+EVUNWaJNVx2mNmezEznrc9zhcYUrgeaVdFO2yBF1889zO
-        gCOVwrO8uDgeyj6IKa25H6c1N13ih/o7ZzEgWbGG+ylU1yECQQDv4ZSJ4EjSh/Fl
-        aHdz3wbBa/HKGTjC8iRy476Cyg2Fm8MZUe9Yy3udOrb5ZnS2MTpIXt5AF3h2TfYV
-        VoFXIorjAkEA50FcJmzT8sNMrPaV8vn+9W2Lu4U7C+K/O2g1iXMaZms5PC5zV5aV
-        CKXZWUX1fq2RaOzlbQrpgiolhXpeh8FjxwJBAOFHzSQfSsTNfttp3KUpU0LbiVvv
-        i+spVSnA0O4rq79KpVNmK44Mq67hsW1P11QzrzTAQ6GVaUBRv0YS061td1kCQHnP
-        wtN2tboFR6lABkJDjxoGRvlSt4SOPr7zKGgrWjeiuTZLHXSAnCY+/hr5L9Q3ZwXG
-        6x6iBdgLjVIe4BZQNtcCQQDXGv/gWinCNTN3MPWfTW/RGzuMYVmyBFais0/VrgdH
-        h1dLpztmpQqfyH/zrBXQ9qL/zR4ojS6XYneO/U18WpEe
-        -----END RSA PRIVATE KEY-----
-
-    To generate a key like this with OpenSSL, run::
-
-        openssl genrsa 2048 > key.pem
-
-    This format also supports password-encrypted private keys.  TLS
-    Lite can only handle password-encrypted private keys when OpenSSL
-    and M2Crypto are installed.  In this case, passwordCallback will be
-    invoked to query the user for the password.
-
-    @type s: str
-    @param s: A string containing a PEM-encoded public or private key.
-
-    @type private: bool
-    @param private: If True, a L{SyntaxError} will be raised if the
-    private key component is not present.
-
-    @type public: bool
-    @param public: If True, the private key component (if present) will
-    be discarded, so this function will always return a public key.
-
-    @type passwordCallback: callable
-    @param passwordCallback: This function will be called, with no
-    arguments, if the PEM-encoded private key is password-encrypted.
-    The callback should return the password string.  If the password is
-    incorrect, SyntaxError will be raised.  If no callback is passed
-    and the key is password-encrypted, a prompt will be displayed at
-    the console.
-
-    @rtype: L{tlslite.utils.RSAKey.RSAKey}
-    @return: An RSA key.
-
-    @raise SyntaxError: If the key is not properly formatted.
-    """
-    for implementation in implementations:
-        if implementation == "openssl" and cryptomath.m2cryptoLoaded:
-            key = OpenSSL_RSAKey.parse(s, passwordCallback)
-            break
-        elif implementation == "python":
-            key = Python_RSAKey.parsePEM(s)
-            break
-    else:
-        raise ValueError("No acceptable implementations")
-
-    return _parseKeyHelper(key, private, public)
-
-
-def _parseKeyHelper(key, private, public):
-    if private:
-        if not key.hasPrivateKey():
-            raise SyntaxError("Not a private key!")
-
-    if public:
-        return _createPublicKey(key)
-
-    if private:
-        if hasattr(key, "d"):
-            return _createPrivateKey(key)
-        else:
-            return key
-
-    return key
-
-def parseAsPublicKey(s):
-    """Parse a PEM-formatted public key.
-
-    @type s: str
-    @param s: A string containing a PEM-encoded public or private key.
-
-    @rtype: L{tlslite.utils.rsakey.RSAKey}
-    @return: An RSA public key.
-
-    @raise SyntaxError: If the key is not properly formatted.
-    """
-    return parsePEMKey(s, public=True)
-
-def parsePrivateKey(s):
-    """Parse a PEM-formatted private key.
-
-    @type s: str
-    @param s: A string containing a PEM-encoded private key.
-
-    @rtype: L{tlslite.utils.rsakey.RSAKey}
-    @return: An RSA private key.
-
-    @raise SyntaxError: If the key is not properly formatted.
-    """
-    return parsePEMKey(s, private=True)
-
-def _createPublicKey(key):
-    """
-    Create a new public key.  Discard any private component,
-    and return the most efficient key possible.
-    """
-    if not isinstance(key, RSAKey):
-        raise AssertionError()
-    return _createPublicRSAKey(key.n, key.e)
-
-def _createPrivateKey(key):
-    """
-    Create a new private key.  Return the most efficient key possible.
-    """
-    if not isinstance(key, RSAKey):
-        raise AssertionError()
-    if not key.hasPrivateKey():
-        raise AssertionError()
-    return _createPrivateRSAKey(key.n, key.e, key.d, key.p, key.q, key.dP,
-                                key.dQ, key.qInv)
-
-def _createPublicRSAKey(n, e, implementations = ["openssl", "pycrypto",
-                                                "python"]):
-    for implementation in implementations:
-        if implementation == "openssl" and cryptomath.m2cryptoLoaded:
-            return OpenSSL_RSAKey(n, e)
-        elif implementation == "pycrypto" and cryptomath.pycryptoLoaded:
-            return PyCrypto_RSAKey(n, e)
-        elif implementation == "python":
-            return Python_RSAKey(n, e)
-    raise ValueError("No acceptable implementations")
-
-def _createPrivateRSAKey(n, e, d, p, q, dP, dQ, qInv,
-                        implementations = ["pycrypto", "python"]):
-    for implementation in implementations:
-        if implementation == "pycrypto" and cryptomath.pycryptoLoaded:
-            return PyCrypto_RSAKey(n, e, d, p, q, dP, dQ, qInv)
-        elif implementation == "python":
-            return Python_RSAKey(n, e, d, p, q, dP, dQ, qInv)
-    raise ValueError("No acceptable implementations")
diff --git a/third_party/tlslite/tlslite/utils/openssl_aes.py b/third_party/tlslite/tlslite/utils/openssl_aes.py
deleted file mode 100644
index 658cf83..0000000
--- a/third_party/tlslite/tlslite/utils/openssl_aes.py
+++ /dev/null
@@ -1,52 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""OpenSSL/M2Crypto AES implementation."""
-
-from .cryptomath import *
-from .aes import *
-
-if m2cryptoLoaded:
-
-    def new(key, mode, IV):
-        return OpenSSL_AES(key, mode, IV)
-
-    class OpenSSL_AES(AES):
-
-        def __init__(self, key, mode, IV):
-            AES.__init__(self, key, mode, IV, "openssl")
-            self.key = key
-            self.IV = IV
-
-        def _createContext(self, encrypt):
-            context = m2.cipher_ctx_new()
-            if len(self.key)==16:
-                cipherType = m2.aes_128_cbc()
-            if len(self.key)==24:
-                cipherType = m2.aes_192_cbc()
-            if len(self.key)==32:
-                cipherType = m2.aes_256_cbc()
-            m2.cipher_init(context, cipherType, self.key, self.IV, encrypt)
-            return context
-
-        def encrypt(self, plaintext):
-            AES.encrypt(self, plaintext)
-            context = self._createContext(1)
-            ciphertext = m2.cipher_update(context, plaintext)
-            m2.cipher_ctx_free(context)
-            self.IV = ciphertext[-self.block_size:]
-            return bytearray(ciphertext)
-
-        def decrypt(self, ciphertext):
-            AES.decrypt(self, ciphertext)
-            context = self._createContext(0)
-            #I think M2Crypto has a bug - it fails to decrypt and return the last block passed in.
-            #To work around this, we append sixteen zeros to the string, below:
-            plaintext = m2.cipher_update(context, ciphertext+('\0'*16))
-
-            #If this bug is ever fixed, then plaintext will end up having a garbage
-            #plaintext block on the end.  That's okay - the below code will discard it.
-            plaintext = plaintext[:len(ciphertext)]
-            m2.cipher_ctx_free(context)
-            self.IV = ciphertext[-self.block_size:]
-            return bytearray(plaintext)
diff --git a/third_party/tlslite/tlslite/utils/openssl_rc4.py b/third_party/tlslite/tlslite/utils/openssl_rc4.py
deleted file mode 100644
index 2fbfa07e..0000000
--- a/third_party/tlslite/tlslite/utils/openssl_rc4.py
+++ /dev/null
@@ -1,28 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""OpenSSL/M2Crypto RC4 implementation."""
-
-from .cryptomath import *
-from .rc4 import RC4
-
-if m2cryptoLoaded:
-
-    def new(key):
-        return OpenSSL_RC4(key)
-
-    class OpenSSL_RC4(RC4):
-
-        def __init__(self, key):
-            RC4.__init__(self, key, "openssl")
-            self.rc4 = m2.rc4_new()
-            m2.rc4_set_key(self.rc4, key)
-
-        def __del__(self):
-            m2.rc4_free(self.rc4)
-
-        def encrypt(self, plaintext):
-            return bytearray(m2.rc4_update(self.rc4, plaintext))
-
-        def decrypt(self, ciphertext):
-            return bytearray(self.encrypt(ciphertext))
diff --git a/third_party/tlslite/tlslite/utils/openssl_rsakey.py b/third_party/tlslite/tlslite/utils/openssl_rsakey.py
deleted file mode 100644
index f6ec85958..0000000
--- a/third_party/tlslite/tlslite/utils/openssl_rsakey.py
+++ /dev/null
@@ -1,136 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""OpenSSL/M2Crypto RSA implementation."""
-
-from .cryptomath import *
-
-from .rsakey import *
-from .python_rsakey import Python_RSAKey
-
-#copied from M2Crypto.util.py, so when we load the local copy of m2
-#we can still use it
-def password_callback(v, prompt1='Enter private key passphrase:',
-                           prompt2='Verify passphrase:'):
-    from getpass import getpass
-    while 1:
-        try:
-            p1=getpass(prompt1)
-            if v:
-                p2=getpass(prompt2)
-                if p1==p2:
-                    break
-            else:
-                break
-        except KeyboardInterrupt:
-            return None
-    return p1
-
-
-if m2cryptoLoaded:
-    class OpenSSL_RSAKey(RSAKey):
-        def __init__(self, n=0, e=0):
-            self.rsa = None
-            self._hasPrivateKey = False
-            if (n and not e) or (e and not n):
-                raise AssertionError()
-            if n and e:
-                self.rsa = m2.rsa_new()
-                m2.rsa_set_n(self.rsa, numberToMPI(n))
-                m2.rsa_set_e(self.rsa, numberToMPI(e))
-
-        def __del__(self):
-            if self.rsa:
-                m2.rsa_free(self.rsa)
-
-        def __getattr__(self, name):
-            if name == 'e':
-                if not self.rsa:
-                    return 0
-                return mpiToNumber(m2.rsa_get_e(self.rsa))
-            elif name == 'n':
-                if not self.rsa:
-                    return 0
-                return mpiToNumber(m2.rsa_get_n(self.rsa))
-            else:
-                raise AttributeError
-
-        def hasPrivateKey(self):
-            return self._hasPrivateKey
-
-        def _rawPrivateKeyOp(self, m):
-            b = numberToByteArray(m, numBytes(self.n))
-            s = m2.rsa_private_encrypt(self.rsa, bytes(b), m2.no_padding)
-            c = bytesToNumber(bytearray(s))
-            return c
-
-        def _rawPublicKeyOp(self, c):
-            b = numberToByteArray(c, numBytes(self.n))
-            s = m2.rsa_public_decrypt(self.rsa, bytes(b), m2.no_padding)
-            m = bytesToNumber(bytearray(s))
-            return m
-
-        def acceptsPassword(self): return True
-
-        def write(self, password=None):
-            bio = m2.bio_new(m2.bio_s_mem())
-            if self._hasPrivateKey:
-                if password:
-                    def f(v): return password
-                    m2.rsa_write_key(self.rsa, bio, m2.des_ede_cbc(), f)
-                else:
-                    def f(): pass
-                    m2.rsa_write_key_no_cipher(self.rsa, bio, f)
-            else:
-                if password:
-                    raise AssertionError()
-                m2.rsa_write_pub_key(self.rsa, bio)
-            s = m2.bio_read(bio, m2.bio_ctrl_pending(bio))
-            m2.bio_free(bio)
-            return s
-
-        def generate(bits):
-            key = OpenSSL_RSAKey()
-            def f():pass
-            key.rsa = m2.rsa_generate_key(bits, 3, f)
-            key._hasPrivateKey = True
-            return key
-        generate = staticmethod(generate)
-
-        def parse(s, passwordCallback=None):
-            # Skip forward to the first PEM header
-            start = s.find("-----BEGIN ")
-            if start == -1:
-                raise SyntaxError()
-            s = s[start:]            
-            if s.startswith("-----BEGIN "):
-                if passwordCallback==None:
-                    callback = password_callback
-                else:
-                    def f(v, prompt1=None, prompt2=None):
-                        return passwordCallback()
-                    callback = f
-                bio = m2.bio_new(m2.bio_s_mem())
-                try:
-                    m2.bio_write(bio, s)
-                    key = OpenSSL_RSAKey()
-                    if s.startswith("-----BEGIN RSA PRIVATE KEY-----"):
-                        def f():pass
-                        key.rsa = m2.rsa_read_key(bio, callback)
-                        if key.rsa == None:
-                            raise SyntaxError()
-                        key._hasPrivateKey = True
-                    elif s.startswith("-----BEGIN PUBLIC KEY-----"):
-                        key.rsa = m2.rsa_read_pub_key(bio)
-                        if key.rsa == None:
-                            raise SyntaxError()
-                        key._hasPrivateKey = False
-                    else:
-                        raise SyntaxError()
-                    return key
-                finally:
-                    m2.bio_free(bio)
-            else:
-                raise SyntaxError()
-
-        parse = staticmethod(parse)
diff --git a/third_party/tlslite/tlslite/utils/openssl_tripledes.py b/third_party/tlslite/tlslite/utils/openssl_tripledes.py
deleted file mode 100644
index 15a68bb4..0000000
--- a/third_party/tlslite/tlslite/utils/openssl_tripledes.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""OpenSSL/M2Crypto 3DES implementation."""
-
-from .cryptomath import *
-from .tripledes import *
-
-if m2cryptoLoaded:
-
-    def new(key, mode, IV):
-        return OpenSSL_TripleDES(key, mode, IV)
-
-    class OpenSSL_TripleDES(TripleDES):
-
-        def __init__(self, key, mode, IV):
-            TripleDES.__init__(self, key, mode, IV, "openssl")
-            self.key = key
-            self.IV = IV
-
-        def _createContext(self, encrypt):
-            context = m2.cipher_ctx_new()
-            cipherType = m2.des_ede3_cbc()
-            m2.cipher_init(context, cipherType, self.key, self.IV, encrypt)
-            return context
-
-        def encrypt(self, plaintext):
-            TripleDES.encrypt(self, plaintext)
-            context = self._createContext(1)
-            ciphertext = m2.cipher_update(context, plaintext)
-            m2.cipher_ctx_free(context)
-            self.IV = ciphertext[-self.block_size:]
-            return bytearray(ciphertext)
-
-        def decrypt(self, ciphertext):
-            TripleDES.decrypt(self, ciphertext)
-            context = self._createContext(0)
-            #I think M2Crypto has a bug - it fails to decrypt and return the last block passed in.
-            #To work around this, we append sixteen zeros to the string, below:
-            plaintext = m2.cipher_update(context, ciphertext+('\0'*16))
-
-            #If this bug is ever fixed, then plaintext will end up having a garbage
-            #plaintext block on the end.  That's okay - the below code will ignore it.
-            plaintext = plaintext[:len(ciphertext)]
-            m2.cipher_ctx_free(context)
-            self.IV = ciphertext[-self.block_size:]
-            return bytearray(plaintext)
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/utils/p256.py b/third_party/tlslite/tlslite/utils/p256.py
deleted file mode 100644
index 45159000..0000000
--- a/third_party/tlslite/tlslite/utils/p256.py
+++ /dev/null
@@ -1,165 +0,0 @@
-# Author: Google
-# See the LICENSE file for legal information regarding use of this file.
-
-import os
-import six
-
-p = (
-    115792089210356248762697446949407573530086143415290314195533631308867097853951)
-order = (
-    115792089210356248762697446949407573529996955224135760342422259061068512044369)
-p256B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
-
-baseX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
-baseY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
-basePoint = (baseX, baseY)
-
-
-def _pointAdd(a, b):
-    Z1Z1 = (a[2] * a[2]) % p
-    Z2Z2 = (b[2] * b[2]) % p
-    U1 = (a[0] * Z2Z2) % p
-    U2 = (b[0] * Z1Z1) % p
-    S1 = (a[1] * b[2] * Z2Z2) % p
-    S2 = (b[1] * a[2] * Z1Z1) % p
-    if U1 == U2 and S1 == S2:
-        return pointDouble(a)
-    H = (U2 - U1) % p
-    I = (4 * H * H) % p
-    J = (H * I) % p
-    r = (2 * (S2 - S1)) % p
-    V = (U1 * I) % p
-    X3 = (r * r - J - 2 * V) % p
-    Y3 = (r * (V - X3) - 2 * S1 * J) % p
-    Z3 = (((a[2] + b[2]) * (a[2] + b[2]) - Z1Z1 - Z2Z2) * H) % p
-
-    return (X3, Y3, Z3)
-
-
-def _pointDouble(a):
-    delta = (a[2] * a[2]) % p
-    gamma = (a[1] * a[1]) % p
-    beta = (a[0] * gamma) % p
-    alpha = (3 * (a[0] - delta) * (a[0] + delta)) % p
-    X3 = (alpha * alpha - 8 * beta) % p
-    Z3 = ((a[1] + a[2]) * (a[1] + a[2]) - gamma - delta) % p
-    Y3 = (alpha * (4 * beta - X3) - 8 * gamma * gamma) % p
-
-    return (X3, Y3, Z3)
-
-
-def _square(n):
-    return (n * n)
-
-
-def _modpow(a, n, p):
-    if n == 0:
-        return 1
-    if n == 1:
-        return a
-    r = _square(_modpow(a, n >> 1, p)) % p
-    if n & 1 == 1:
-        r = (r * a) % p
-    return r
-
-
-def _scalarMult(k, point):
-    accum = (0, 0, 0)
-    accumIsInfinity = True
-    jacobianPoint = (point[0], point[1], 1)
-
-    for bit in range(255, -1, -1):
-        if not accumIsInfinity:
-            accum = _pointDouble(accum)
-
-        if (k >> bit) & 1 == 1:
-            if accumIsInfinity:
-                accum = jacobianPoint
-                accumIsInfinity = False
-            else:
-                accum = _pointAdd(accum, jacobianPoint)
-
-    if accumIsInfinity:
-        return (0, 0)
-
-    zInv = _modpow(accum[2], p - 2, p)
-    return ((accum[0] * zInv * zInv) % p, (accum[1] * zInv * zInv * zInv) % p)
-
-
-def _scalarBaseMult(k):
-    return _scalarMult(k, basePoint)
-
-
-def _decodeBigEndian(b):
-    # TODO(davidben): Replace with int.from_bytes when removing Python 2.
-    return sum([six.indexbytes(b, len(b) - i - 1) << 8 * i
-                for i in range(len(b))])
-
-
-def _encodeBigEndian(n):
-    b = bytearray()
-    while n != 0:
-        b.append(n & 0xff)
-        n >>= 8
-
-    if len(b) == 0:
-        b.append(0)
-    b.reverse()
-
-    return bytes(b)
-
-
-def _zeroPad(b, length):
-    if len(b) < length:
-        return (b"\x00" * (length - len(b))) + b
-    return b
-
-
-def _encodePoint(point):
-    x = point[0]
-    y = point[1]
-    if (y * y) % p != (x * x * x - 3 * x + p256B) % p:
-        raise "point not on curve"
-    return b"\x04" + _zeroPad(_encodeBigEndian(point[0]), 32) + _zeroPad(
-        _encodeBigEndian(point[1]), 32)
-
-
-def _decodePoint(b):
-    if len(b) != 1 + 32 + 32 or six.indexbytes(b, 0) != 4:
-        raise "invalid encoded ec point"
-    x = _decodeBigEndian(b[1:33])
-    y = _decodeBigEndian(b[33:65])
-    if (y * y) % p != (x * x * x - 3 * x + p256B) % p:
-        raise "point not on curve"
-    return (x, y)
-
-
-def generatePublicPrivate():
-    """generatePublicPrivate returns a tuple of (X9.62 encoded public point,
-    private value), where the private value is generated from os.urandom."""
-    private = _decodeBigEndian(os.urandom(40)) % order
-    return _encodePoint(_scalarBaseMult(private)), private
-
-
-def generateSharedValue(theirPublic, private):
-    """generateSharedValue returns the encoded x-coordinate of the
-    multiplication of a peer's X9.62 encoded point and a private value."""
-    return _zeroPad(
-        _encodeBigEndian(_scalarMult(private, _decodePoint(theirPublic))[0]),
-        32)
-
-if __name__ == "__main__":
-    alice, alicePrivate = generatePublicPrivate()
-    bob, bobPrivate = generatePublicPrivate()
-
-    if generateSharedValue(alice, bobPrivate) != generateSharedValue(
-        bob, alicePrivate):
-        raise "simple DH test failed"
-
-    (x, _) = _scalarBaseMult(1)
-
-    for i in range(1000):
-        (x, _) = _scalarBaseMult(x)
-
-    if x != 2428281965257598569040586318034812501729437946720808289049534492833635302706:
-        raise "loop test failed"
diff --git a/third_party/tlslite/tlslite/utils/pem.py b/third_party/tlslite/tlslite/utils/pem.py
deleted file mode 100644
index 04b5d0b..0000000
--- a/third_party/tlslite/tlslite/utils/pem.py
+++ /dev/null
@@ -1,98 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-from .compat import *
-import binascii
-
-#This code is shared with tackpy (somewhat), so I'd rather make minimal
-#changes, and preserve the use of a2b_base64 throughout.
-
-def dePem(s, name):
-    """Decode a PEM string into a bytearray of its payload.
-    
-    The input must contain an appropriate PEM prefix and postfix
-    based on the input name string, e.g. for name="CERTIFICATE":
-
-    -----BEGIN CERTIFICATE-----
-    MIIBXDCCAUSgAwIBAgIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRUQUNL
-...
-    KoZIhvcNAQEFBQADAwA5kw==
-    -----END CERTIFICATE-----    
-
-    The first such PEM block in the input will be found, and its
-    payload will be base64 decoded and returned.
-    """
-    prefix  = "-----BEGIN %s-----" % name
-    postfix = "-----END %s-----" % name    
-    start = s.find(prefix)
-    if start == -1:
-        raise SyntaxError("Missing PEM prefix")
-    end = s.find(postfix, start+len(prefix))
-    if end == -1:
-        raise SyntaxError("Missing PEM postfix")
-    s = s[start+len("-----BEGIN %s-----" % name) : end]
-    retBytes = a2b_base64(s) # May raise SyntaxError
-    return retBytes
-    
-def dePemList(s, name):
-    """Decode a sequence of PEM blocks into a list of bytearrays.
-
-    The input must contain any number of PEM blocks, each with the appropriate
-    PEM prefix and postfix based on the input name string, e.g. for
-    name="TACK BREAK SIG".  Arbitrary text can appear between and before and
-    after the PEM blocks.  For example:
-
-    " Created by TACK.py 0.9.3 Created at 2012-02-01T00:30:10Z -----BEGIN TACK
-    BREAK SIG-----
-    ATKhrz5C6JHJW8BF5fLVrnQss6JnWVyEaC0p89LNhKPswvcC9/s6+vWLd9snYTUv
-    YMEBdw69PUP8JB4AdqA3K6Ap0Fgd9SSTOECeAKOUAym8zcYaXUwpk0+WuPYa7Zmm
-    SkbOlK4ywqt+amhWbg9txSGUwFO5tWUHT3QrnRlE/e3PeNFXLx5Bckg= -----END TACK
-    BREAK SIG----- Created by TACK.py 0.9.3 Created at 2012-02-01T00:30:11Z
-    -----BEGIN TACK BREAK SIG-----
-    ATKhrz5C6JHJW8BF5fLVrnQss6JnWVyEaC0p89LNhKPswvcC9/s6+vWLd9snYTUv
-    YMEBdw69PUP8JB4AdqA3K6BVCWfcjN36lx6JwxmZQncS6sww7DecFO/qjSePCxwM
-    +kdDqX/9/183nmjx6bf0ewhPXkA0nVXsDYZaydN8rJU1GaMlnjcIYxY= -----END TACK
-    BREAK SIG----- "
-    
-    All such PEM blocks will be found, decoded, and return in an ordered list
-    of bytearrays, which may have zero elements if not PEM blocks are found.
-     """
-    bList = []
-    prefix  = "-----BEGIN %s-----" % name
-    postfix = "-----END %s-----" % name
-    while 1:
-        start = s.find(prefix)
-        if start == -1:
-            return bList
-        end = s.find(postfix, start+len(prefix))
-        if end == -1:
-            raise SyntaxError("Missing PEM postfix")
-        s2 = s[start+len(prefix) : end]
-        retBytes = a2b_base64(s2) # May raise SyntaxError
-        bList.append(retBytes)
-        s = s[end+len(postfix) : ]
-
-def pem(b, name):
-    """Encode a payload bytearray into a PEM string.
-    
-    The input will be base64 encoded, then wrapped in a PEM prefix/postfix
-    based on the name string, e.g. for name="CERTIFICATE":
-    
-    -----BEGIN CERTIFICATE-----
-    MIIBXDCCAUSgAwIBAgIBADANBgkqhkiG9w0BAQUFADAPMQ0wCwYDVQQDEwRUQUNL
-...
-    KoZIhvcNAQEFBQADAwA5kw==
-    -----END CERTIFICATE-----    
-    """
-    s1 = b2a_base64(b)[:-1] # remove terminating \n
-    s2 = ""
-    while s1:
-        s2 += s1[:64] + "\n"
-        s1 = s1[64:]
-    s = ("-----BEGIN %s-----\n" % name) + s2 + \
-        ("-----END %s-----\n" % name)     
-    return s
-
-def pemSniff(inStr, name):
-    searchStr = "-----BEGIN %s-----" % name
-    return searchStr in inStr
diff --git a/third_party/tlslite/tlslite/utils/pycrypto_aes.py b/third_party/tlslite/tlslite/utils/pycrypto_aes.py
deleted file mode 100644
index b3425c0..0000000
--- a/third_party/tlslite/tlslite/utils/pycrypto_aes.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""PyCrypto AES implementation."""
-
-from .cryptomath import *
-from .aes import *
-
-if pycryptoLoaded:
-    import Crypto.Cipher.AES
-
-    def new(key, mode, IV):
-        return PyCrypto_AES(key, mode, IV)
-
-    class PyCrypto_AES(AES):
-
-        def __init__(self, key, mode, IV):
-            AES.__init__(self, key, mode, IV, "pycrypto")
-            key = bytes(key)
-            IV = bytes(IV)
-            self.context = Crypto.Cipher.AES.new(key, mode, IV)
-
-        def encrypt(self, plaintext):
-            plaintext = bytes(plaintext)
-            return bytearray(self.context.encrypt(plaintext))
-
-        def decrypt(self, ciphertext):
-            ciphertext = bytes(ciphertext)
-            return bytearray(self.context.decrypt(ciphertext))
diff --git a/third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py b/third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py
deleted file mode 100644
index ee187eea..0000000
--- a/third_party/tlslite/tlslite/utils/pycrypto_aesgcm.py
+++ /dev/null
@@ -1,16 +0,0 @@
-# Author: Google
-# See the LICENSE file for legal information regarding use of this file.
-
-"""PyCrypto AES-GCM implementation."""
-
-from .cryptomath import *
-from .aesgcm import AESGCM
-
-if pycryptoLoaded:
-    import Crypto.Cipher.AES
-
-    def new(key):
-        cipher = Crypto.Cipher.AES.new(bytes(key))
-        def encrypt(plaintext):
-            return bytearray(cipher.encrypt(bytes(plaintext)))
-        return AESGCM(key, "pycrypto", encrypt)
diff --git a/third_party/tlslite/tlslite/utils/pycrypto_rc4.py b/third_party/tlslite/tlslite/utils/pycrypto_rc4.py
deleted file mode 100644
index fc98d7c..0000000
--- a/third_party/tlslite/tlslite/utils/pycrypto_rc4.py
+++ /dev/null
@@ -1,28 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""PyCrypto RC4 implementation."""
-
-from .cryptomath import *
-from .rc4 import *
-
-if pycryptoLoaded:
-    import Crypto.Cipher.ARC4
-
-    def new(key):
-        return PyCrypto_RC4(key)
-
-    class PyCrypto_RC4(RC4):
-
-        def __init__(self, key):
-            RC4.__init__(self, key, "pycrypto")
-            key = bytes(key)
-            self.context = Crypto.Cipher.ARC4.new(key)
-
-        def encrypt(self, plaintext):
-            plaintext = bytes(plaintext)
-            return bytearray(self.context.encrypt(plaintext))
-
-        def decrypt(self, ciphertext):
-            ciphertext = bytes(ciphertext)
-            return bytearray(self.context.decrypt(ciphertext))
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py b/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py
deleted file mode 100644
index 4537856..0000000
--- a/third_party/tlslite/tlslite/utils/pycrypto_rsakey.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""PyCrypto RSA implementation."""
-
-from .cryptomath import *
-
-from .rsakey import *
-from .python_rsakey import Python_RSAKey
-
-if pycryptoLoaded:
-
-    from Crypto.PublicKey import RSA
-
-    class PyCrypto_RSAKey(RSAKey):
-        def __init__(self, n=0, e=0, d=0, p=0, q=0, dP=0, dQ=0, qInv=0):
-            if not d:
-                self.rsa = RSA.construct( (n, e) )
-            else:
-                self.rsa = RSA.construct( (n, e, d, p, q) )
-
-        def __getattr__(self, name):
-            return getattr(self.rsa, name)
-
-        def hasPrivateKey(self):
-            return self.rsa.has_private()
-
-        def _rawPrivateKeyOp(self, m):
-            c = self.rsa.decrypt((m,))
-            return c
-
-        def _rawPublicKeyOp(self, c):
-            m = self.rsa.encrypt(c, None)[0]
-            return m
-
-        def generate(bits):
-            key = PyCrypto_RSAKey()
-            def f(numBytes):
-                return bytes(getRandomBytes(numBytes))
-            key.rsa = RSA.generate(bits, f)
-            return key
-        generate = staticmethod(generate)
diff --git a/third_party/tlslite/tlslite/utils/pycrypto_tripledes.py b/third_party/tlslite/tlslite/utils/pycrypto_tripledes.py
deleted file mode 100644
index 8117f34..0000000
--- a/third_party/tlslite/tlslite/utils/pycrypto_tripledes.py
+++ /dev/null
@@ -1,29 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""PyCrypto 3DES implementation."""
-
-from .cryptomath import *
-from .tripledes import *
-
-if pycryptoLoaded:
-    import Crypto.Cipher.DES3
-
-    def new(key, mode, IV):
-        return PyCrypto_TripleDES(key, mode, IV)
-
-    class PyCrypto_TripleDES(TripleDES):
-
-        def __init__(self, key, mode, IV):
-            TripleDES.__init__(self, key, mode, IV, "pycrypto")
-            key = bytes(key)
-            IV = bytes(IV)
-            self.context = Crypto.Cipher.DES3.new(key, mode, IV)
-
-        def encrypt(self, plaintext):
-            plaintext = bytes(plaintext)
-            return bytearray(self.context.encrypt(plaintext))
-
-        def decrypt(self, ciphertext):
-            ciphertext = bytes(ciphertext)
-            return bytearray(self.context.decrypt(ciphertext))
\ No newline at end of file
diff --git a/third_party/tlslite/tlslite/utils/python_aes.py b/third_party/tlslite/tlslite/utils/python_aes.py
deleted file mode 100644
index cb8f87e..0000000
--- a/third_party/tlslite/tlslite/utils/python_aes.py
+++ /dev/null
@@ -1,69 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Pure-Python AES implementation."""
-
-from .cryptomath import *
-
-from .aes import *
-from .rijndael import rijndael
-
-def new(key, mode, IV):
-    return Python_AES(key, mode, IV)
-
-class Python_AES(AES):
-    def __init__(self, key, mode, IV):
-        AES.__init__(self, key, mode, IV, "python")
-        self.rijndael = rijndael(key, 16)
-        self.IV = IV
-
-    def encrypt(self, plaintext):
-        AES.encrypt(self, plaintext)
-
-        plaintextBytes = plaintext[:]
-        chainBytes = self.IV[:]
-
-        #CBC Mode: For each block...
-        for x in range(len(plaintextBytes)//16):
-
-            #XOR with the chaining block
-            blockBytes = plaintextBytes[x*16 : (x*16)+16]
-            for y in range(16):
-                blockBytes[y] ^= chainBytes[y]
-
-            #Encrypt it
-            encryptedBytes = self.rijndael.encrypt(blockBytes)
-
-            #Overwrite the input with the output
-            for y in range(16):
-                plaintextBytes[(x*16)+y] = encryptedBytes[y]
-
-            #Set the next chaining block
-            chainBytes = encryptedBytes
-
-        self.IV = chainBytes[:]
-        return plaintextBytes
-
-    def decrypt(self, ciphertext):
-        AES.decrypt(self, ciphertext)
-
-        ciphertextBytes = ciphertext[:]
-        chainBytes = self.IV[:]
-
-        #CBC Mode: For each block...
-        for x in range(len(ciphertextBytes)//16):
-
-            #Decrypt it
-            blockBytes = ciphertextBytes[x*16 : (x*16)+16]
-            decryptedBytes = self.rijndael.decrypt(blockBytes)
-
-            #XOR with the chaining block and overwrite the input with output
-            for y in range(16):
-                decryptedBytes[y] ^= chainBytes[y]
-                ciphertextBytes[(x*16)+y] = decryptedBytes[y]
-
-            #Set the next chaining block
-            chainBytes = blockBytes
-
-        self.IV = chainBytes[:]
-        return ciphertextBytes
diff --git a/third_party/tlslite/tlslite/utils/python_aesgcm.py b/third_party/tlslite/tlslite/utils/python_aesgcm.py
deleted file mode 100644
index 80a5fd5..0000000
--- a/third_party/tlslite/tlslite/utils/python_aesgcm.py
+++ /dev/null
@@ -1,10 +0,0 @@
-# Author: Google
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Pure-Python AES-GCM implementation."""
-
-from .aesgcm import AESGCM
-from .rijndael import rijndael
-
-def new(key):
-    return AESGCM(key, "python", rijndael(key, 16).encrypt)
diff --git a/third_party/tlslite/tlslite/utils/python_rc4.py b/third_party/tlslite/tlslite/utils/python_rc4.py
deleted file mode 100644
index 15d9fd491..0000000
--- a/third_party/tlslite/tlslite/utils/python_rc4.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Pure-Python RC4 implementation."""
-
-from .rc4 import RC4
-from .cryptomath import *
-
-def new(key):
-    return Python_RC4(key)
-
-class Python_RC4(RC4):
-    def __init__(self, keyBytes):
-        RC4.__init__(self, keyBytes, "python")
-        S = [i for i in range(256)]
-        j = 0
-        for i in range(256):
-            j = (j + S[i] + keyBytes[i % len(keyBytes)]) % 256
-            S[i], S[j] = S[j], S[i]
-
-        self.S = S
-        self.i = 0
-        self.j = 0
-
-    def encrypt(self, plaintextBytes):
-        ciphertextBytes = plaintextBytes[:]
-        S = self.S
-        i = self.i
-        j = self.j
-        for x in range(len(ciphertextBytes)):
-            i = (i + 1) % 256
-            j = (j + S[i]) % 256
-            S[i], S[j] = S[j], S[i]
-            t = (S[i] + S[j]) % 256
-            ciphertextBytes[x] ^= S[t]
-        self.i = i
-        self.j = j
-        return ciphertextBytes
-
-    def decrypt(self, ciphertext):
-        return self.encrypt(ciphertext)
diff --git a/third_party/tlslite/tlslite/utils/python_rsakey.py b/third_party/tlslite/tlslite/utils/python_rsakey.py
deleted file mode 100644
index a62fc68..0000000
--- a/third_party/tlslite/tlslite/utils/python_rsakey.py
+++ /dev/null
@@ -1,140 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Pure-Python RSA implementation."""
-import threading
-from .cryptomath import *
-from .asn1parser import ASN1Parser
-from .rsakey import *
-from .pem import *
-
-class Python_RSAKey(RSAKey):
-    def __init__(self, n=0, e=0, d=0, p=0, q=0, dP=0, dQ=0, qInv=0):
-        if (n and not e) or (e and not n):
-            raise AssertionError()
-        self.n = n
-        self.e = e
-        self.d = d
-        self.p = p
-        self.q = q
-        self.dP = dP
-        self.dQ = dQ
-        self.qInv = qInv
-        self.blinder = 0
-        self.unblinder = 0
-        self._lock = threading.Lock()
-
-    def hasPrivateKey(self):
-        return self.d != 0
-
-    def _rawPrivateKeyOp(self, message):
-        with self._lock:
-            # Create blinding values, on the first pass:
-            if not self.blinder:
-                self.unblinder = getRandomNumber(2, self.n)
-                self.blinder = powMod(invMod(self.unblinder, self.n), self.e,
-                                      self.n)
-            unblinder = self.unblinder
-            blinder = self.blinder
-
-            # Update blinding values
-            self.blinder = (self.blinder * self.blinder) % self.n
-            self.unblinder = (self.unblinder * self.unblinder) % self.n
-
-        # Blind the input
-        message = (message * blinder) % self.n
-
-        # Perform the RSA operation
-        cipher = self._rawPrivateKeyOpHelper(message)
-
-        # Unblind the output
-        cipher = (cipher * unblinder) % self.n
-
-        # Return the output
-        return cipher
-
-    def _rawPrivateKeyOpHelper(self, m):
-        #Non-CRT version
-        #c = powMod(m, self.d, self.n)
-
-        #CRT version  (~3x faster)
-        s1 = powMod(m, self.dP, self.p)
-        s2 = powMod(m, self.dQ, self.q)
-        h = ((s1 - s2) * self.qInv) % self.p
-        c = s2 + self.q * h
-        return c
-
-    def _rawPublicKeyOp(self, c):
-        m = powMod(c, self.e, self.n)
-        return m
-
-    def acceptsPassword(self): return False
-
-    def generate(bits):
-        key = Python_RSAKey()
-        p = getRandomPrime(bits//2, False)
-        q = getRandomPrime(bits//2, False)
-        t = lcm(p-1, q-1)
-        key.n = p * q
-        key.e = 65537
-        key.d = invMod(key.e, t)
-        key.p = p
-        key.q = q
-        key.dP = key.d % (p-1)
-        key.dQ = key.d % (q-1)
-        key.qInv = invMod(q, p)
-        return key
-    generate = staticmethod(generate)
-
-    def parsePEM(s, passwordCallback=None):
-        """Parse a string containing a PEM-encoded <privateKey>."""
-
-        if pemSniff(s, "PRIVATE KEY"):
-            bytes = dePem(s, "PRIVATE KEY")
-            return Python_RSAKey._parsePKCS8(bytes)
-        elif pemSniff(s, "RSA PRIVATE KEY"):
-            bytes = dePem(s, "RSA PRIVATE KEY")
-            return Python_RSAKey._parseSSLeay(bytes)
-        else:
-            raise SyntaxError("Not a PEM private key file")
-    parsePEM = staticmethod(parsePEM)
-
-    def _parsePKCS8(bytes):
-        p = ASN1Parser(bytes)
-
-        version = p.getChild(0).value[0]
-        if version != 0:
-            raise SyntaxError("Unrecognized PKCS8 version")
-
-        rsaOID = p.getChild(1).value
-        if list(rsaOID) != [6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0]:
-            raise SyntaxError("Unrecognized AlgorithmIdentifier")
-
-        #Get the privateKey
-        privateKeyP = p.getChild(2)
-
-        #Adjust for OCTET STRING encapsulation
-        privateKeyP = ASN1Parser(privateKeyP.value)
-
-        return Python_RSAKey._parseASN1PrivateKey(privateKeyP)
-    _parsePKCS8 = staticmethod(_parsePKCS8)
-
-    def _parseSSLeay(bytes):
-        privateKeyP = ASN1Parser(bytes)
-        return Python_RSAKey._parseASN1PrivateKey(privateKeyP)
-    _parseSSLeay = staticmethod(_parseSSLeay)
-
-    def _parseASN1PrivateKey(privateKeyP):
-        version = privateKeyP.getChild(0).value[0]
-        if version != 0:
-            raise SyntaxError("Unrecognized RSAPrivateKey version")
-        n = bytesToNumber(privateKeyP.getChild(1).value)
-        e = bytesToNumber(privateKeyP.getChild(2).value)
-        d = bytesToNumber(privateKeyP.getChild(3).value)
-        p = bytesToNumber(privateKeyP.getChild(4).value)
-        q = bytesToNumber(privateKeyP.getChild(5).value)
-        dP = bytesToNumber(privateKeyP.getChild(6).value)
-        dQ = bytesToNumber(privateKeyP.getChild(7).value)
-        qInv = bytesToNumber(privateKeyP.getChild(8).value)
-        return Python_RSAKey(n, e, d, p, q, dP, dQ, qInv)
-    _parseASN1PrivateKey = staticmethod(_parseASN1PrivateKey)
diff --git a/third_party/tlslite/tlslite/utils/rc4.py b/third_party/tlslite/tlslite/utils/rc4.py
deleted file mode 100644
index 3853f5b..0000000
--- a/third_party/tlslite/tlslite/utils/rc4.py
+++ /dev/null
@@ -1,20 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Abstract class for RC4."""
-
-
-class RC4(object):
-    def __init__(self, keyBytes, implementation):
-        if len(keyBytes) < 16 or len(keyBytes) > 256:
-            raise ValueError()
-        self.isBlockCipher = False
-        self.isAEAD = False
-        self.name = "rc4"
-        self.implementation = implementation
-
-    def encrypt(self, plaintext):
-        raise NotImplementedError()
-
-    def decrypt(self, ciphertext):
-        raise NotImplementedError()
diff --git a/third_party/tlslite/tlslite/utils/rijndael.py b/third_party/tlslite/tlslite/utils/rijndael.py
deleted file mode 100644
index a1d720a2..0000000
--- a/third_party/tlslite/tlslite/utils/rijndael.py
+++ /dev/null
@@ -1,384 +0,0 @@
-# Authors:
-#   Bram Cohen
-#   Trevor Perrin - various changes
-#
-# See the LICENSE file for legal information regarding use of this file.
-# Also see Bram Cohen's statement below
-
-"""
-A pure python (slow) implementation of rijndael with a decent interface
-
-To include -
-
-from rijndael import rijndael
-
-To do a key setup -
-
-r = rijndael(key, block_size = 16)
-
-key must be a string of length 16, 24, or 32
-blocksize must be 16, 24, or 32. Default is 16
-
-To use -
-
-ciphertext = r.encrypt(plaintext)
-plaintext = r.decrypt(ciphertext)
-
-If any strings are of the wrong length a ValueError is thrown
-"""
-
-# ported from the Java reference code by Bram Cohen, bram@gawth.com, April 2001
-# this code is public domain, unless someone makes
-# an intellectual property claim against the reference
-# code, in which case it can be made public domain by
-# deleting all the comments and renaming all the variables
-
-import copy
-import string
-
-shifts = [[[0, 0], [1, 3], [2, 2], [3, 1]],
-          [[0, 0], [1, 5], [2, 4], [3, 3]],
-          [[0, 0], [1, 7], [3, 5], [4, 4]]]
-
-# [keysize][block_size]
-num_rounds = {16: {16: 10, 24: 12, 32: 14}, 24: {16: 12, 24: 12, 32: 14}, 32: {16: 14, 24: 14, 32: 14}}
-
-A = [[1, 1, 1, 1, 1, 0, 0, 0],
-     [0, 1, 1, 1, 1, 1, 0, 0],
-     [0, 0, 1, 1, 1, 1, 1, 0],
-     [0, 0, 0, 1, 1, 1, 1, 1],
-     [1, 0, 0, 0, 1, 1, 1, 1],
-     [1, 1, 0, 0, 0, 1, 1, 1],
-     [1, 1, 1, 0, 0, 0, 1, 1],
-     [1, 1, 1, 1, 0, 0, 0, 1]]
-
-# produce log and alog tables, needed for multiplying in the
-# field GF(2^m) (generator = 3)
-alog = [1]
-for i in range(255):
-    j = (alog[-1] << 1) ^ alog[-1]
-    if j & 0x100 != 0:
-        j ^= 0x11B
-    alog.append(j)
-
-log = [0] * 256
-for i in range(1, 255):
-    log[alog[i]] = i
-
-# multiply two elements of GF(2^m)
-def mul(a, b):
-    if a == 0 or b == 0:
-        return 0
-    return alog[(log[a & 0xFF] + log[b & 0xFF]) % 255]
-
-# substitution box based on F^{-1}(x)
-box = [[0] * 8 for i in range(256)]
-box[1][7] = 1
-for i in range(2, 256):
-    j = alog[255 - log[i]]
-    for t in range(8):
-        box[i][t] = (j >> (7 - t)) & 0x01
-
-B = [0, 1, 1, 0, 0, 0, 1, 1]
-
-# affine transform:  box[i] <- B + A*box[i]
-cox = [[0] * 8 for i in range(256)]
-for i in range(256):
-    for t in range(8):
-        cox[i][t] = B[t]
-        for j in range(8):
-            cox[i][t] ^= A[t][j] * box[i][j]
-
-# S-boxes and inverse S-boxes
-S =  [0] * 256
-Si = [0] * 256
-for i in range(256):
-    S[i] = cox[i][0] << 7
-    for t in range(1, 8):
-        S[i] ^= cox[i][t] << (7-t)
-    Si[S[i] & 0xFF] = i
-
-# T-boxes
-G = [[2, 1, 1, 3],
-    [3, 2, 1, 1],
-    [1, 3, 2, 1],
-    [1, 1, 3, 2]]
-
-AA = [[0] * 8 for i in range(4)]
-
-for i in range(4):
-    for j in range(4):
-        AA[i][j] = G[i][j]
-        AA[i][i+4] = 1
-
-for i in range(4):
-    pivot = AA[i][i]
-    if pivot == 0:
-        t = i + 1
-        while AA[t][i] == 0 and t < 4:
-            t += 1
-            assert t != 4, 'G matrix must be invertible'
-            for j in range(8):
-                AA[i][j], AA[t][j] = AA[t][j], AA[i][j]
-            pivot = AA[i][i]
-    for j in range(8):
-        if AA[i][j] != 0:
-            AA[i][j] = alog[(255 + log[AA[i][j] & 0xFF] - log[pivot & 0xFF]) % 255]
-    for t in range(4):
-        if i != t:
-            for j in range(i+1, 8):
-                AA[t][j] ^= mul(AA[i][j], AA[t][i])
-            AA[t][i] = 0
-
-iG = [[0] * 4 for i in range(4)]
-
-for i in range(4):
-    for j in range(4):
-        iG[i][j] = AA[i][j + 4]
-
-def mul4(a, bs):
-    if a == 0:
-        return 0
-    r = 0
-    for b in bs:
-        r <<= 8
-        if b != 0:
-            r = r | mul(a, b)
-    return r
-
-T1 = []
-T2 = []
-T3 = []
-T4 = []
-T5 = []
-T6 = []
-T7 = []
-T8 = []
-U1 = []
-U2 = []
-U3 = []
-U4 = []
-
-for t in range(256):
-    s = S[t]
-    T1.append(mul4(s, G[0]))
-    T2.append(mul4(s, G[1]))
-    T3.append(mul4(s, G[2]))
-    T4.append(mul4(s, G[3]))
-
-    s = Si[t]
-    T5.append(mul4(s, iG[0]))
-    T6.append(mul4(s, iG[1]))
-    T7.append(mul4(s, iG[2]))
-    T8.append(mul4(s, iG[3]))
-
-    U1.append(mul4(t, iG[0]))
-    U2.append(mul4(t, iG[1]))
-    U3.append(mul4(t, iG[2]))
-    U4.append(mul4(t, iG[3]))
-
-# round constants
-rcon = [1]
-r = 1
-for t in range(1, 30):
-    r = mul(2, r)
-    rcon.append(r)
-
-del A
-del AA
-del pivot
-del B
-del G
-del box
-del log
-del alog
-del i
-del j
-del r
-del s
-del t
-del mul
-del mul4
-del cox
-del iG
-
-class rijndael:
-    def __init__(self, key, block_size = 16):
-        if block_size != 16 and block_size != 24 and block_size != 32:
-            raise ValueError('Invalid block size: ' + str(block_size))
-        if len(key) != 16 and len(key) != 24 and len(key) != 32:
-            raise ValueError('Invalid key size: ' + str(len(key)))
-        self.block_size = block_size
-
-        ROUNDS = num_rounds[len(key)][block_size]
-        BC = block_size // 4
-        # encryption round keys
-        Ke = [[0] * BC for i in range(ROUNDS + 1)]
-        # decryption round keys
-        Kd = [[0] * BC for i in range(ROUNDS + 1)]
-        ROUND_KEY_COUNT = (ROUNDS + 1) * BC
-        KC = len(key) // 4
-
-        # copy user material bytes into temporary ints
-        tk = []
-        for i in range(0, KC):
-            tk.append((key[i * 4] << 24) | (key[i * 4 + 1] << 16) |
-                (key[i * 4 + 2] << 8) | key[i * 4 + 3])
-
-        # copy values into round key arrays
-        t = 0
-        j = 0
-        while j < KC and t < ROUND_KEY_COUNT:
-            Ke[t // BC][t % BC] = tk[j]
-            Kd[ROUNDS - (t // BC)][t % BC] = tk[j]
-            j += 1
-            t += 1
-        tt = 0
-        rconpointer = 0
-        while t < ROUND_KEY_COUNT:
-            # extrapolate using phi (the round key evolution function)
-            tt = tk[KC - 1]
-            tk[0] ^= (S[(tt >> 16) & 0xFF] & 0xFF) << 24 ^  \
-                     (S[(tt >>  8) & 0xFF] & 0xFF) << 16 ^  \
-                     (S[ tt        & 0xFF] & 0xFF) <<  8 ^  \
-                     (S[(tt >> 24) & 0xFF] & 0xFF)       ^  \
-                     (rcon[rconpointer]    & 0xFF) << 24
-            rconpointer += 1
-            if KC != 8:
-                for i in range(1, KC):
-                    tk[i] ^= tk[i-1]
-            else:
-                for i in range(1, KC // 2):
-                    tk[i] ^= tk[i-1]
-                tt = tk[KC // 2 - 1]
-                tk[KC // 2] ^= (S[ tt        & 0xFF] & 0xFF)       ^ \
-                              (S[(tt >>  8) & 0xFF] & 0xFF) <<  8 ^ \
-                              (S[(tt >> 16) & 0xFF] & 0xFF) << 16 ^ \
-                              (S[(tt >> 24) & 0xFF] & 0xFF) << 24
-                for i in range(KC // 2 + 1, KC):
-                    tk[i] ^= tk[i-1]
-            # copy values into round key arrays
-            j = 0
-            while j < KC and t < ROUND_KEY_COUNT:
-                Ke[t // BC][t % BC] = tk[j]
-                Kd[ROUNDS - (t // BC)][t % BC] = tk[j]
-                j += 1
-                t += 1
-        # inverse MixColumn where needed
-        for r in range(1, ROUNDS):
-            for j in range(BC):
-                tt = Kd[r][j]
-                Kd[r][j] = U1[(tt >> 24) & 0xFF] ^ \
-                           U2[(tt >> 16) & 0xFF] ^ \
-                           U3[(tt >>  8) & 0xFF] ^ \
-                           U4[ tt        & 0xFF]
-        self.Ke = Ke
-        self.Kd = Kd
-
-    def encrypt(self, plaintext):
-        if len(plaintext) != self.block_size:
-            raise ValueError('wrong block length, expected ' + str(self.block_size) + ' got ' + str(len(plaintext)))
-        Ke = self.Ke
-
-        BC = self.block_size // 4
-        ROUNDS = len(Ke) - 1
-        if BC == 4:
-            SC = 0
-        elif BC == 6:
-            SC = 1
-        else:
-            SC = 2
-        s1 = shifts[SC][1][0]
-        s2 = shifts[SC][2][0]
-        s3 = shifts[SC][3][0]
-        a = [0] * BC
-        # temporary work array
-        t = []
-        # plaintext to ints + key
-        for i in range(BC):
-            t.append((plaintext[i * 4    ] << 24 |
-                      plaintext[i * 4 + 1] << 16 |
-                      plaintext[i * 4 + 2] <<  8 |
-                      plaintext[i * 4 + 3]        ) ^ Ke[0][i])
-        # apply round transforms
-        for r in range(1, ROUNDS):
-            for i in range(BC):
-                a[i] = (T1[(t[ i           ] >> 24) & 0xFF] ^
-                        T2[(t[(i + s1) % BC] >> 16) & 0xFF] ^
-                        T3[(t[(i + s2) % BC] >>  8) & 0xFF] ^
-                        T4[ t[(i + s3) % BC]        & 0xFF]  ) ^ Ke[r][i]
-            t = copy.copy(a)
-        # last round is special
-        result = []
-        for i in range(BC):
-            tt = Ke[ROUNDS][i]
-            result.append((S[(t[ i           ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
-            result.append((S[(t[(i + s1) % BC] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
-            result.append((S[(t[(i + s2) % BC] >>  8) & 0xFF] ^ (tt >>  8)) & 0xFF)
-            result.append((S[ t[(i + s3) % BC]        & 0xFF] ^  tt       ) & 0xFF)
-        return bytearray(result)
-
-    def decrypt(self, ciphertext):
-        if len(ciphertext) != self.block_size:
-            raise ValueError('wrong block length, expected ' + str(self.block_size) + ' got ' + str(len(plaintext)))
-        Kd = self.Kd
-
-        BC = self.block_size // 4
-        ROUNDS = len(Kd) - 1
-        if BC == 4:
-            SC = 0
-        elif BC == 6:
-            SC = 1
-        else:
-            SC = 2
-        s1 = shifts[SC][1][1]
-        s2 = shifts[SC][2][1]
-        s3 = shifts[SC][3][1]
-        a = [0] * BC
-        # temporary work array
-        t = [0] * BC
-        # ciphertext to ints + key
-        for i in range(BC):
-            t[i] = (ciphertext[i * 4    ] << 24 |
-                    ciphertext[i * 4 + 1] << 16 |
-                    ciphertext[i * 4 + 2] <<  8 |
-                    ciphertext[i * 4 + 3]        ) ^ Kd[0][i]
-        # apply round transforms
-        for r in range(1, ROUNDS):
-            for i in range(BC):
-                a[i] = (T5[(t[ i           ] >> 24) & 0xFF] ^
-                        T6[(t[(i + s1) % BC] >> 16) & 0xFF] ^
-                        T7[(t[(i + s2) % BC] >>  8) & 0xFF] ^
-                        T8[ t[(i + s3) % BC]        & 0xFF]  ) ^ Kd[r][i]
-            t = copy.copy(a)
-        # last round is special
-        result = []
-        for i in range(BC):
-            tt = Kd[ROUNDS][i]
-            result.append((Si[(t[ i           ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
-            result.append((Si[(t[(i + s1) % BC] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
-            result.append((Si[(t[(i + s2) % BC] >>  8) & 0xFF] ^ (tt >>  8)) & 0xFF)
-            result.append((Si[ t[(i + s3) % BC]        & 0xFF] ^  tt       ) & 0xFF)
-        return bytearray(result)
-
-def encrypt(key, block):
-    return rijndael(key, len(block)).encrypt(block)
-
-def decrypt(key, block):
-    return rijndael(key, len(block)).decrypt(block)
-
-def test():
-    def t(kl, bl):
-        b = 'b' * bl
-        r = rijndael('a' * kl, bl)
-        assert r.decrypt(r.encrypt(b)) == b
-    t(16, 16)
-    t(16, 24)
-    t(16, 32)
-    t(24, 16)
-    t(24, 24)
-    t(24, 32)
-    t(32, 16)
-    t(32, 24)
-    t(32, 32)
-
diff --git a/third_party/tlslite/tlslite/utils/rsakey.py b/third_party/tlslite/tlslite/utils/rsakey.py
deleted file mode 100644
index 7e3f9788..0000000
--- a/third_party/tlslite/tlslite/utils/rsakey.py
+++ /dev/null
@@ -1,265 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Abstract class for RSA."""
-
-from .cryptomath import *
-
-
-class RSAKey(object):
-    """This is an abstract base class for RSA keys.
-
-    Particular implementations of RSA keys, such as
-    L{openssl_rsakey.OpenSSL_RSAKey},
-    L{python_rsakey.Python_RSAKey}, and
-    L{pycrypto_rsakey.PyCrypto_RSAKey},
-    inherit from this.
-
-    To create or parse an RSA key, don't use one of these classes
-    directly.  Instead, use the factory functions in
-    L{tlslite.utils.keyfactory}.
-    """
-
-    def __init__(self, n=0, e=0):
-        """Create a new RSA key.
-
-        If n and e are passed in, the new key will be initialized.
-
-        @type n: int
-        @param n: RSA modulus.
-
-        @type e: int
-        @param e: RSA public exponent.
-        """
-        raise NotImplementedError()
-
-    def __len__(self):
-        """Return the length of this key in bits.
-
-        @rtype: int
-        """
-        return numBits(self.n)
-
-    def hasPrivateKey(self):
-        """Return whether or not this key has a private component.
-
-        @rtype: bool
-        """
-        raise NotImplementedError()
-
-    def hashAndSign(self, bytes):
-        """Hash and sign the passed-in bytes.
-
-        This requires the key to have a private component.  It performs
-        a PKCS1-SHA1 signature on the passed-in data.
-
-        @type bytes: str or L{bytearray} of unsigned bytes
-        @param bytes: The value which will be hashed and signed.
-
-        @rtype: L{bytearray} of unsigned bytes.
-        @return: A PKCS1-SHA1 signature on the passed-in data.
-        """
-        hashBytes = SHA1(bytearray(bytes))
-        prefixedHashBytes = self.addPKCS1SHA1Prefix(hashBytes)
-        sigBytes = self.sign(prefixedHashBytes)
-        return sigBytes
-
-    def hashAndVerify(self, sigBytes, bytes):
-        """Hash and verify the passed-in bytes with the signature.
-
-        This verifies a PKCS1-SHA1 signature on the passed-in data.
-
-        @type sigBytes: L{bytearray} of unsigned bytes
-        @param sigBytes: A PKCS1-SHA1 signature.
-
-        @type bytes: str or L{bytearray} of unsigned bytes
-        @param bytes: The value which will be hashed and verified.
-
-        @rtype: bool
-        @return: Whether the signature matches the passed-in data.
-        """
-        hashBytes = SHA1(bytearray(bytes))
-        
-        # Try it with/without the embedded NULL
-        prefixedHashBytes1 = self.addPKCS1SHA1Prefix(hashBytes, False)
-        prefixedHashBytes2 = self.addPKCS1SHA1Prefix(hashBytes, True)
-        result1 = self.verify(sigBytes, prefixedHashBytes1)
-        result2 = self.verify(sigBytes, prefixedHashBytes2)
-        return (result1 or result2)
-
-    def sign(self, bytes):
-        """Sign the passed-in bytes.
-
-        This requires the key to have a private component.  It performs
-        a PKCS1 signature on the passed-in data.
-
-        @type bytes: L{bytearray} of unsigned bytes
-        @param bytes: The value which will be signed.
-
-        @rtype: L{bytearray} of unsigned bytes.
-        @return: A PKCS1 signature on the passed-in data.
-        """
-        if not self.hasPrivateKey():
-            raise AssertionError()
-        paddedBytes = self._addPKCS1Padding(bytes, 1)
-        m = bytesToNumber(paddedBytes)
-        if m >= self.n:
-            raise ValueError()
-        c = self._rawPrivateKeyOp(m)
-        sigBytes = numberToByteArray(c, numBytes(self.n))
-        return sigBytes
-
-    def verify(self, sigBytes, bytes):
-        """Verify the passed-in bytes with the signature.
-
-        This verifies a PKCS1 signature on the passed-in data.
-
-        @type sigBytes: L{bytearray} of unsigned bytes
-        @param sigBytes: A PKCS1 signature.
-
-        @type bytes: L{bytearray} of unsigned bytes
-        @param bytes: The value which will be verified.
-
-        @rtype: bool
-        @return: Whether the signature matches the passed-in data.
-        """
-        if len(sigBytes) != numBytes(self.n):
-            return False
-        paddedBytes = self._addPKCS1Padding(bytes, 1)
-        c = bytesToNumber(sigBytes)
-        if c >= self.n:
-            return False
-        m = self._rawPublicKeyOp(c)
-        checkBytes = numberToByteArray(m, numBytes(self.n))
-        return checkBytes == paddedBytes
-
-    def encrypt(self, bytes):
-        """Encrypt the passed-in bytes.
-
-        This performs PKCS1 encryption of the passed-in data.
-
-        @type bytes: L{bytearray} of unsigned bytes
-        @param bytes: The value which will be encrypted.
-
-        @rtype: L{bytearray} of unsigned bytes.
-        @return: A PKCS1 encryption of the passed-in data.
-        """
-        paddedBytes = self._addPKCS1Padding(bytes, 2)
-        m = bytesToNumber(paddedBytes)
-        if m >= self.n:
-            raise ValueError()
-        c = self._rawPublicKeyOp(m)
-        encBytes = numberToByteArray(c, numBytes(self.n))
-        return encBytes
-
-    def decrypt(self, encBytes):
-        """Decrypt the passed-in bytes.
-
-        This requires the key to have a private component.  It performs
-        PKCS1 decryption of the passed-in data.
-
-        @type encBytes: L{bytearray} of unsigned bytes
-        @param encBytes: The value which will be decrypted.
-
-        @rtype: L{bytearray} of unsigned bytes or None.
-        @return: A PKCS1 decryption of the passed-in data or None if
-        the data is not properly formatted.
-        """
-        if not self.hasPrivateKey():
-            raise AssertionError()
-        if len(encBytes) != numBytes(self.n):
-            return None
-        c = bytesToNumber(encBytes)
-        if c >= self.n:
-            return None
-        m = self._rawPrivateKeyOp(c)
-        decBytes = numberToByteArray(m, numBytes(self.n))
-        #Check first two bytes
-        if decBytes[0] != 0 or decBytes[1] != 2:
-            return None
-        #Scan through for zero separator
-        for x in range(1, len(decBytes)-1):
-            if decBytes[x]== 0:
-                break
-        else:
-            return None
-        return decBytes[x+1:] #Return everything after the separator
-
-    def _rawPrivateKeyOp(self, m):
-        raise NotImplementedError()
-
-    def _rawPublicKeyOp(self, c):
-        raise NotImplementedError()
-
-    def acceptsPassword(self):
-        """Return True if the write() method accepts a password for use
-        in encrypting the private key.
-
-        @rtype: bool
-        """
-        raise NotImplementedError()
-
-    def write(self, password=None):
-        """Return a string containing the key.
-
-        @rtype: str
-        @return: A string describing the key, in whichever format (PEM)
-        is native to the implementation.
-        """
-        raise NotImplementedError()
-
-    def generate(bits):
-        """Generate a new key with the specified bit length.
-
-        @rtype: L{tlslite.utils.RSAKey.RSAKey}
-        """
-        raise NotImplementedError()
-    generate = staticmethod(generate)
-
-
-    # **************************************************************************
-    # Helper Functions for RSA Keys
-    # **************************************************************************
-
-    @staticmethod
-    def addPKCS1SHA1Prefix(bytes, withNULL=True):
-        # There is a long history of confusion over whether the SHA1 
-        # algorithmIdentifier should be encoded with a NULL parameter or 
-        # with the parameter omitted.  While the original intention was 
-        # apparently to omit it, many toolkits went the other way.  TLS 1.2
-        # specifies the NULL should be included, and this behavior is also
-        # mandated in recent versions of PKCS #1, and is what tlslite has
-        # always implemented.  Anyways, verification code should probably 
-        # accept both.
-        if not withNULL:
-            prefixBytes = bytearray(\
-            [0x30,0x1f,0x30,0x07,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x04,0x14])            
-        else:
-            prefixBytes = bytearray(\
-            [0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14])            
-        prefixedBytes = prefixBytes + bytes
-        return prefixedBytes
-
-    @staticmethod
-    def addPKCS1SHA256Prefix(bytes):
-        prefixBytes = bytearray([
-            0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
-            0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20])
-        return prefixBytes + bytes
-
-    def _addPKCS1Padding(self, bytes, blockType):
-        padLength = (numBytes(self.n) - (len(bytes)+3))
-        if blockType == 1: #Signature padding
-            pad = [0xFF] * padLength
-        elif blockType == 2: #Encryption padding
-            pad = bytearray(0)
-            while len(pad) < padLength:
-                padBytes = getRandomBytes(padLength * 2)
-                pad = [b for b in padBytes if b != 0]
-                pad = pad[:padLength]
-        else:
-            raise AssertionError()
-
-        padding = bytearray([0,blockType] + pad + [0])
-        paddedBytes = padding + bytes
-        return paddedBytes
diff --git a/third_party/tlslite/tlslite/utils/tackwrapper.py b/third_party/tlslite/tlslite/utils/tackwrapper.py
deleted file mode 100644
index 4eb39ef..0000000
--- a/third_party/tlslite/tlslite/utils/tackwrapper.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-try:
-    from tack.structures.Tack import Tack
-    from tack.structures.TackExtension import TackExtension
-    from tack.tls.TlsCertificate import TlsCertificate
-    
-    tackpyLoaded = True
-except ImportError:
-    tackpyLoaded = False
diff --git a/third_party/tlslite/tlslite/utils/tripledes.py b/third_party/tlslite/tlslite/utils/tripledes.py
deleted file mode 100644
index ddcdcad3..0000000
--- a/third_party/tlslite/tlslite/utils/tripledes.py
+++ /dev/null
@@ -1,28 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Abstract class for 3DES."""
-
-class TripleDES(object):
-    def __init__(self, key, mode, IV, implementation):
-        if len(key) != 24:
-            raise ValueError()
-        if mode != 2:
-            raise ValueError()
-        if len(IV) != 8:
-            raise ValueError()
-        self.isBlockCipher = True
-        self.isAEAD = False
-        self.block_size = 8
-        self.implementation = implementation
-        self.name = "3des"
-
-    #CBC-Mode encryption, returns ciphertext
-    #WARNING: *MAY* modify the input as well
-    def encrypt(self, plaintext):
-        assert(len(plaintext) % 8 == 0)
-
-    #CBC-Mode decryption, returns plaintext
-    #WARNING: *MAY* modify the input as well
-    def decrypt(self, ciphertext):
-        assert(len(ciphertext) % 8 == 0)
diff --git a/third_party/tlslite/tlslite/verifierdb.py b/third_party/tlslite/tlslite/verifierdb.py
deleted file mode 100644
index 4384541..0000000
--- a/third_party/tlslite/tlslite/verifierdb.py
+++ /dev/null
@@ -1,95 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class for storing SRP password verifiers."""
-
-from .utils.cryptomath import *
-from .utils.compat import *
-from tlslite import mathtls
-from .basedb import BaseDB
-
-class VerifierDB(BaseDB):
-    """This class represent an in-memory or on-disk database of SRP
-    password verifiers.
-
-    A VerifierDB can be passed to a server handshake to authenticate
-    a client based on one of the verifiers.
-
-    This class is thread-safe.
-    """
-    def __init__(self, filename=None):
-        """Create a new VerifierDB instance.
-
-        @type filename: str
-        @param filename: Filename for an on-disk database, or None for
-        an in-memory database.  If the filename already exists, follow
-        this with a call to open().  To create a new on-disk database,
-        follow this with a call to create().
-        """
-        BaseDB.__init__(self, filename, "verifier")
-
-    def _getItem(self, username, valueStr):
-        (N, g, salt, verifier) = valueStr.split(" ")
-        N = bytesToNumber(a2b_base64(N))
-        g = bytesToNumber(a2b_base64(g))
-        salt = a2b_base64(salt)
-        verifier = bytesToNumber(a2b_base64(verifier))
-        return (N, g, salt, verifier)
-
-    def __setitem__(self, username, verifierEntry):
-        """Add a verifier entry to the database.
-
-        @type username: str
-        @param username: The username to associate the verifier with.
-        Must be less than 256 characters in length.  Must not already
-        be in the database.
-
-        @type verifierEntry: tuple
-        @param verifierEntry: The verifier entry to add.  Use
-        L{tlslite.verifierdb.VerifierDB.makeVerifier} to create a
-        verifier entry.
-        """
-        BaseDB.__setitem__(self, username, verifierEntry)
-
-
-    def _setItem(self, username, value):
-        if len(username)>=256:
-            raise ValueError("username too long")
-        N, g, salt, verifier = value
-        N = b2a_base64(numberToByteArray(N))
-        g = b2a_base64(numberToByteArray(g))
-        salt = b2a_base64(salt)
-        verifier = b2a_base64(numberToByteArray(verifier))
-        valueStr = " ".join( (N, g, salt, verifier)  )
-        return valueStr
-
-    def _checkItem(self, value, username, param):
-        (N, g, salt, verifier) = value
-        x = mathtls.makeX(salt, username, param)
-        v = powMod(g, x, N)
-        return (verifier == v)
-
-
-    def makeVerifier(username, password, bits):
-        """Create a verifier entry which can be stored in a VerifierDB.
-
-        @type username: str
-        @param username: The username for this verifier.  Must be less
-        than 256 characters in length.
-
-        @type password: str
-        @param password: The password for this verifier.
-
-        @type bits: int
-        @param bits: This values specifies which SRP group parameters
-        to use.  It must be one of (1024, 1536, 2048, 3072, 4096, 6144,
-        8192).  Larger values are more secure but slower.  2048 is a
-        good compromise between safety and speed.
-
-        @rtype: tuple
-        @return: A tuple which may be stored in a VerifierDB.
-        """
-        usernameBytes = bytearray(username, "utf-8")
-        passwordBytes = bytearray(password, "utf-8")
-        return mathtls.makeVerifier(usernameBytes, passwordBytes, bits)
-    makeVerifier = staticmethod(makeVerifier)
diff --git a/third_party/tlslite/tlslite/x509.py b/third_party/tlslite/tlslite/x509.py
deleted file mode 100644
index 94dd00d..0000000
--- a/third_party/tlslite/tlslite/x509.py
+++ /dev/null
@@ -1,110 +0,0 @@
-# Authors: 
-#   Trevor Perrin
-#   Google - parsing subject field
-#
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class representing an X.509 certificate."""
-
-from .utils.asn1parser import ASN1Parser
-from .utils.cryptomath import *
-from .utils.keyfactory import _createPublicRSAKey
-from .utils.pem import *
-
-
-class X509(object):
-    """This class represents an X.509 certificate.
-
-    @type bytes: L{bytearray} of unsigned bytes
-    @ivar bytes: The DER-encoded ASN.1 certificate
-
-    @type publicKey: L{tlslite.utils.rsakey.RSAKey}
-    @ivar publicKey: The subject public key from the certificate.
-
-    @type subject: L{bytearray} of unsigned bytes
-    @ivar subject: The DER-encoded ASN.1 subject distinguished name.
-    """
-
-    def __init__(self):
-        self.bytes = bytearray(0)
-        self.publicKey = None
-        self.subject = None
-
-    def parse(self, s):
-        """Parse a PEM-encoded X.509 certificate.
-
-        @type s: str
-        @param s: A PEM-encoded X.509 certificate (i.e. a base64-encoded
-        certificate wrapped with "-----BEGIN CERTIFICATE-----" and
-        "-----END CERTIFICATE-----" tags).
-        """
-
-        bytes = dePem(s, "CERTIFICATE")
-        self.parseBinary(bytes)
-        return self
-
-    def parseBinary(self, bytes):
-        """Parse a DER-encoded X.509 certificate.
-
-        @type bytes: str or L{bytearray} of unsigned bytes
-        @param bytes: A DER-encoded X.509 certificate.
-        """
-
-        self.bytes = bytearray(bytes)
-        p = ASN1Parser(bytes)
-
-        #Get the tbsCertificate
-        tbsCertificateP = p.getChild(0)
-
-        #Is the optional version field present?
-        #This determines which index the key is at.
-        if tbsCertificateP.value[0]==0xA0:
-            subjectPublicKeyInfoIndex = 6
-        else:
-            subjectPublicKeyInfoIndex = 5
-
-        #Get the subject
-        self.subject = tbsCertificateP.getChildBytes(\
-                           subjectPublicKeyInfoIndex - 1)
-
-        #Get the subjectPublicKeyInfo
-        subjectPublicKeyInfoP = tbsCertificateP.getChild(\
-                                    subjectPublicKeyInfoIndex)
-
-        #Get the algorithm
-        algorithmP = subjectPublicKeyInfoP.getChild(0)
-        rsaOID = algorithmP.value
-        if list(rsaOID) != [6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0]:
-            raise SyntaxError("Unrecognized AlgorithmIdentifier")
-
-        #Get the subjectPublicKey
-        subjectPublicKeyP = subjectPublicKeyInfoP.getChild(1)
-
-        #Adjust for BIT STRING encapsulation
-        if (subjectPublicKeyP.value[0] !=0):
-            raise SyntaxError()
-        subjectPublicKeyP = ASN1Parser(subjectPublicKeyP.value[1:])
-
-        #Get the modulus and exponent
-        modulusP = subjectPublicKeyP.getChild(0)
-        publicExponentP = subjectPublicKeyP.getChild(1)
-
-        #Decode them into numbers
-        n = bytesToNumber(modulusP.value)
-        e = bytesToNumber(publicExponentP.value)
-
-        #Create a public key instance
-        self.publicKey = _createPublicRSAKey(n, e)
-
-    def getFingerprint(self):
-        """Get the hex-encoded fingerprint of this certificate.
-
-        @rtype: str
-        @return: A hex-encoded fingerprint.
-        """
-        return b2a_hex(SHA1(self.bytes))
-
-    def writeBytes(self):
-        return self.bytes
-
-
diff --git a/third_party/tlslite/tlslite/x509certchain.py b/third_party/tlslite/tlslite/x509certchain.py
deleted file mode 100644
index 2a592b6..0000000
--- a/third_party/tlslite/tlslite/x509certchain.py
+++ /dev/null
@@ -1,91 +0,0 @@
-# Author: Trevor Perrin
-# See the LICENSE file for legal information regarding use of this file.
-
-"""Class representing an X.509 certificate chain."""
-
-from .utils import cryptomath
-from .utils.tackwrapper import *
-from .utils.pem import *
-from .x509 import X509
-
-class X509CertChain(object):
-    """This class represents a chain of X.509 certificates.
-
-    @type x509List: list
-    @ivar x509List: A list of L{tlslite.x509.X509} instances,
-    starting with the end-entity certificate and with every
-    subsequent certificate certifying the previous.
-    """
-
-    def __init__(self, x509List=None):
-        """Create a new X509CertChain.
-
-        @type x509List: list
-        @param x509List: A list of L{tlslite.x509.X509} instances,
-        starting with the end-entity certificate and with every
-        subsequent certificate certifying the previous.
-        """
-        if x509List:
-            self.x509List = x509List
-        else:
-            self.x509List = []
-
-    def parsePemList(self, s):
-        """Parse a string containing a sequence of PEM certs.
-
-        Raise a SyntaxError if input is malformed.
-        """
-        x509List = []
-        bList = dePemList(s, "CERTIFICATE")
-        for b in bList:
-            x509 = X509()
-            x509.parseBinary(b)
-            x509List.append(x509)
-        self.x509List = x509List
-
-    def getNumCerts(self):
-        """Get the number of certificates in this chain.
-
-        @rtype: int
-        """
-        return len(self.x509List)
-
-    def getEndEntityPublicKey(self):
-        """Get the public key from the end-entity certificate.
-
-        @rtype: L{tlslite.utils.rsakey.RSAKey}
-        """
-        if self.getNumCerts() == 0:
-            raise AssertionError()
-        return self.x509List[0].publicKey
-
-    def getFingerprint(self):
-        """Get the hex-encoded fingerprint of the end-entity certificate.
-
-        @rtype: str
-        @return: A hex-encoded fingerprint.
-        """
-        if self.getNumCerts() == 0:
-            raise AssertionError()
-        return self.x509List[0].getFingerprint()
-        
-    def checkTack(self, tack):
-        if self.x509List:
-            tlsCert = TlsCertificate(self.x509List[0].bytes)
-            if tlsCert.matches(tack):
-                return True
-        return False
-        
-    def getTackExt(self):
-        """Get the TACK and/or Break Sigs from a TACK Cert in the chain."""
-        tackExt = None
-        # Search list in backwards order
-        for x509 in self.x509List[::-1]:
-            tlsCert = TlsCertificate(x509.bytes)
-            if tlsCert.tackExt:
-                if tackExt:
-                    raise SyntaxError("Multiple TACK Extensions")
-                else:
-                    tackExt = tlsCert.tackExt
-        return tackExt
-                
diff --git a/tools/checklicenses/checklicenses.py b/tools/checklicenses/checklicenses.py
index bef0318..b71fb52 100755
--- a/tools/checklicenses/checklicenses.py
+++ b/tools/checklicenses/checklicenses.py
@@ -505,9 +505,6 @@
     'third_party/tcmalloc': [
         'UNKNOWN',  # http://crbug.com/98589
     ],
-    'third_party/tlslite': [
-        'UNKNOWN',
-    ],
     # MIT license but some files contain no licensing info. e.g. autogen.sh.
     # Files missing licensing info are not shipped.
     'third_party/wayland': [  #  http://crbug.com/553573
diff --git a/tools/checkperms/checkperms.py b/tools/checkperms/checkperms.py
index 3141417..68f9aea 100755
--- a/tools/checkperms/checkperms.py
+++ b/tools/checkperms/checkperms.py
@@ -185,7 +185,6 @@
   'third_party/protobuf/',
   'third_party/sqlite/',
   'third_party/tcmalloc/',
-  'third_party/tlslite/setup.py',
 )
 
 #### USER EDITABLE SECTION ENDS HERE ####
diff --git a/weblayer/test/BUILD.gn b/weblayer/test/BUILD.gn
index 5d4597f..72964702 100644
--- a/weblayer/test/BUILD.gn
+++ b/weblayer/test/BUILD.gn
@@ -95,7 +95,6 @@
     "//components/test/data",
     "//net/tools/testserver/",
     "//third_party/pywebsocket3/src/mod_pywebsocket/",
-    "//third_party/tlslite/",
   ]
 
   data_deps = [