| diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
| index 82e8c075fe2a..8fb75d0948e4 100644 |
| --- a/third_party/tlslite/tlslite/constants.py |
| +++ b/third_party/tlslite/tlslite/constants.py |
| @@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366 |
| signed_cert_timestamps = 18 # RFC 6962 |
| extended_master_secret = 23 # RFC 7627 |
| token_binding = 24 # draft-ietf-tokbind-negotiation |
| + supported_versions = 43 # RFC 8446 |
| tack = 0xF300 |
| supports_npn = 13172 |
| channel_id = 30032 |
| diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
| index ac7e563021d9..b29db939c2a8 100644 |
| --- a/third_party/tlslite/tlslite/messages.py |
| +++ b/third_party/tlslite/tlslite/messages.py |
| @@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg): |
| self.tb_client_params = [] |
| self.support_signed_cert_timestamps = False |
| self.status_request = False |
| + self.has_supported_versions = False |
| self.ri = False |
| |
| def create(self, version, random, session_id, cipher_suites, |
| @@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg): |
| if extLength != 1 or p.getFixBytes(extLength)[0] != 0: |
| raise SyntaxError() |
| self.ri = True |
| + elif extType == ExtensionType.supported_versions: |
| + # Ignore the extension, but make a note of it for |
| + # intolerance simulation. |
| + self.has_supported_versions = True |
| + _ = p.getFixBytes(extLength) |
| else: |
| _ = p.getFixBytes(extLength) |
| index2 = p.index |
| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
| index 8ba1c6e636ab..2309d4fa8f3a 100644 |
| --- a/third_party/tlslite/tlslite/tlsconnection.py |
| +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| @@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer): |
| self._handshakeDone(resumed=False) |
| |
| |
| + def _isIntolerant(self, settings, clientHello): |
| + if settings.tlsIntolerant is None: |
| + return False |
| + clientVersion = clientHello.client_version |
| + if clientHello.has_supported_versions: |
| + clientVersion = (3, 4) |
| + return clientVersion >= settings.tlsIntolerant |
| + |
| + |
| def _serverGetClientHello(self, settings, certChain, verifierDB, |
| sessionCache, anon, fallbackSCSV): |
| #Tentatively set version to most-desirable version, so if an error |
| @@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer): |
| yield result |
| |
| #If simulating TLS intolerance, reject certain TLS versions. |
| - elif (settings.tlsIntolerant is not None and |
| - clientHello.client_version >= settings.tlsIntolerant): |
| + elif self._isIntolerant(settings, clientHello): |
| if settings.tlsIntoleranceType == "alert": |
| for result in self._sendError(\ |
| AlertDescription.handshake_failure): |