1 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
2 index e8dd859..8415592 100755
3 --- a/third_party/tlslite/tlslite/tlsconnection.py
4 +++ b/third_party/tlslite/tlslite/tlsconnection.py
5 @@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer):
6 sessionCache=None, settings=None, checker=None,
7 reqCAs = None,
8 tacks=None, activationFlags=0,
9 - nextProtos=None, anon=False):
10 + nextProtos=None, anon=False,
11 + tlsIntolerant=None):
12 """Perform a handshake in the role of server.
13
14 This function performs an SSL or TLS handshake. Depending on
15 @@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer):
16 clients through the Next-Protocol Negotiation Extension,
17 if they support it.
18
19 + @type tlsIntolerant: (int, int) or None
20 + @param tlsIntolerant: If tlsIntolerant is not None, the server will
21 + simulate TLS version intolerance by returning a fatal handshake_failure
22 + alert to all TLS versions tlsIntolerant or higher.
23 +
24 @raise socket.error: If a socket error occurs.
25 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
26 without a preceding alert.
27 @@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer):
28 certChain, privateKey, reqCert, sessionCache, settings,
29 checker, reqCAs,
30 tacks=tacks, activationFlags=activationFlags,
31 - nextProtos=nextProtos, anon=anon):
32 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
33 pass
34
35
36 @@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer):
37 sessionCache=None, settings=None, checker=None,
38 reqCAs=None,
39 tacks=None, activationFlags=0,
40 - nextProtos=None, anon=False
41 + nextProtos=None, anon=False,
42 + tlsIntolerant=None
43 ):
44 """Start a server handshake operation on the TLS connection.
45
46
@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer):
47 sessionCache=sessionCache, settings=settings,
48 reqCAs=reqCAs,
49 tacks=tacks, activationFlags=activationFlags,
50 - nextProtos=nextProtos, anon=anon)
51 + nextProtos=nextProtos, anon=anon,
52 + tlsIntolerant=tlsIntolerant)
53 for result in self._handshakeWrapperAsync(handshaker, checker):
54 yield result
55
56 @@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer):
57 certChain, privateKey, reqCert, sessionCache,
58 settings, reqCAs,
59 tacks, activationFlags,
60 - nextProtos, anon):
61 + nextProtos, anon,
62 + tlsIntolerant):
63
64 self._handshakeStart(client=False)
65
66 @@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer):
67 # Handle ClientHello and resumption
68 for result in self._serverGetClientHello(settings, certChain,\
69 verifierDB, sessionCache,
70 - anon):
71 + anon, tlsIntolerant):
72 if result in (0,1): yield result
73 elif result == None:
74 self._handshakeDone(resumed=True)
75 @@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
76
77
78 def _serverGetClientHello(self, settings, certChain, verifierDB,
79 - sessionCache, anon):
80 + sessionCache, anon, tlsIntolerant):
81 #Initialize acceptable cipher suites
82 cipherSuites = []
83 if verifierDB:
84 @@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer):
85 "Too old version: %s" % str(clientHello.client_version)):
86 yield result
87
88 + #If simulating TLS intolerance, reject certain TLS versions.
89 + elif (tlsIntolerant is not None and
90 + clientHello.client_version >= tlsIntolerant):
91 + for result in self._sendError(\
92 + AlertDescription.handshake_failure):
93 + yield result
94 +
95 #If client's version is too high, propose my highest version
96 elif clientHello.client_version > settings.maxVersion:
97 self.version = settings.maxVersion
98
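Review bot: The new intolerance branch in the last hunk (@@ -1246) compares tlsIntolerant directly against clientHello.client_version but never checks that it is the (int, int) tuple the new docstring promises; if this code runs under Python 2, where mixed-type comparison does not raise, a stray int would compare below every version tuple and the server would silently reject every client, so a guard at the top of _serverGetClientHello such as `if tlsIntolerant is not None and not isinstance(tlsIntolerant, tuple): raise ValueError("tlsIntolerant must be an (int, int) version tuple")` would be worthwhile. The branch also calls _sendError without assigning self.version first, whereas the too-old branch it follows (cut off at the top of the hunk) and the too-high branch just below both set self.version before or instead of sending; if the record layer stamps the alert with self.version, the alert would carry whatever value is left over from connection setup, so consider `self.version = settings.maxVersion` before the `_sendError` call. Both _serverGetClientHello and the surrounding handshake helpers continue outside these hunks.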