Add DHE_RSA support to tlslite.

net/tools/testserver/testserver.py

Index: net/tools/testserver/testserver.py
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 8f10d8a49924f02225acfbcf2b0a476dbdc05f03..1f82ecb91b3a795eb6230ef2c1a11f621ed8ec70 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -149,7 +149,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
   client verification."""
 
   def __init__(self, server_address, request_hander_class, pem_cert_and_key,
-               ssl_client_auth, ssl_client_cas, ssl_bulk_ciphers,
+               ssl_client_auth, ssl_client_cas,
+               ssl_bulk_ciphers, ssl_key_exchanges,
                record_resume_info, tls_intolerant, signed_cert_timestamps,
                fallback_scsv_enabled, ocsp_response):
     self.cert_chain = tlslite.api.X509CertChain()
@@ -179,6 +180,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
     self.ssl_handshake_settings = tlslite.api.HandshakeSettings()
     if ssl_bulk_ciphers is not None:
       self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers
+    if ssl_key_exchanges is not None:
+      self.ssl_handshake_settings.keyExchangeNames = ssl_key_exchanges
 
     if record_resume_info:
       # If record_resume_info is true then we'll replace the session cache with
@@ -1979,6 +1982,7 @@ class ServerRunner(testserver_base.TestServerRunner):
                              self.options.ssl_client_auth,
                              self.options.ssl_client_ca,
                              self.options.ssl_bulk_cipher,
+                             self.options.ssl_key_exchange,
                              self.options.record_resume,
                              self.options.tls_intolerant,
                              self.options.signed_cert_timestamps_tls_ext.decode(
@@ -2167,6 +2171,14 @@ class ServerRunner(testserver_base.TestServerRunner):
                                   'algorithms will be used. This option may '
                                   'appear multiple times, indicating '
                                   'multiple algorithms should be enabled.');
+    self.option_parser.add_option('--ssl-key-exchange', action='append',
+                                  help='Specify the key exchange algorithm(s)'
+                                  'that will be accepted by the SSL server. '
+                                  'Valid values are "rsa", "dhe_rsa". If '

[wtc, 2014/04/02 19:11:29]

"srp_sha, "srp_sha_rsa", "dh_anon" are also supported by tlslite. Should they
also be documented here?

[davidben, 2014/04/03 18:45:48]

_serverGetClientHello only enables certain sets of cipher suites depending on
what we pass in. For the configuration we've chosen, only those two actually
work. (Others require other sets of parameters, and they're currently mutually
exclusive.)

+                                  'omitted, all algorithms will be used. This '
+                                  'option may appear multiple times, '
+                                  'indicating multiple algorithms should be '
+                                  'enabled.');
     self.option_parser.add_option('--file-root-url', default='/files/',
                                   help='Specify a root URL for files served.')