net: don't remember TLS intolerant servers.

third_party/tlslite/patches/tls_intolerant.patch

Index: third_party/tlslite/patches/tls_intolerant.patch
diff --git a/third_party/tlslite/patches/tls_intolerant.patch b/third_party/tlslite/patches/tls_intolerant.patch
new file mode 100644
index 0000000000000000000000000000000000000000..506b4d3c3f26ec8a7c769485cfb5a183c869ff2c
--- /dev/null
+++ b/third_party/tlslite/patches/tls_intolerant.patch
@@ -0,0 +1,60 @@
+diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
+index 7e38a23..02c7478 100644
+--- a/third_party/tlslite/tlslite/TLSConnection.py
++++ b/third_party/tlslite/tlslite/TLSConnection.py
+@@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer):
+     def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
+                         certChain=None, privateKey=None, reqCert=False,
+                         sessionCache=None, settings=None, checker=None,
+-                        reqCAs=None):
++                        reqCAs=None, tlsIntolerant=False):
+         """Perform a handshake in the role of server.
+ 
+         This function performs an SSL or TLS handshake.  Depending on
+@@ -1012,14 +1012,14 @@ class TLSConnection(TLSRecordLayer):
+         """
+         for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
+                 certChain, privateKey, reqCert, sessionCache, settings,
+-                checker, reqCAs):
++                checker, reqCAs, tlsIntolerant):
+             pass
+ 
+ 
+     def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
+                              certChain=None, privateKey=None, reqCert=False,
+                              sessionCache=None, settings=None, checker=None,
+-                             reqCAs=None):
++                             reqCAs=None, tlsIntolerant=False):
+         """Start a server handshake operation on the TLS connection.
+ 
+         This function returns a generator which behaves similarly to
+@@ -1036,14 +1036,15 @@ class TLSConnection(TLSRecordLayer):
+             verifierDB=verifierDB, certChain=certChain,
+             privateKey=privateKey, reqCert=reqCert,
+             sessionCache=sessionCache, settings=settings,
+-            reqCAs=reqCAs)
++            reqCAs=reqCAs,
++            tlsIntolerant=tlsIntolerant)
+         for result in self._handshakeWrapperAsync(handshaker, checker):
+             yield result
+ 
+ 
+     def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
+                              certChain, privateKey, reqCert, sessionCache,
+-                             settings, reqCAs):
++                             settings, reqCAs, tlsIntolerant):
+ 
+         self._handshakeStart(client=False)
+ 
+@@ -1111,6 +1112,11 @@ class TLSConnection(TLSRecordLayer):
+                   "Too old version: %s" % str(clientHello.client_version)):
+                 yield result
+ 
++        if tlsIntolerant and clientHello.client_version > (3, 0):
++            for result in self._sendError(\
++                    AlertDescription.handshake_failure):
++                yield result
++
+         #If client's version is too high, propose my highest version
+         elif clientHello.client_version > settings.maxVersion:
+             self.version = settings.maxVersion