Preserve transport errors for OpenSSL sockets.

net/tools/testserver/testserver.py

Index: net/tools/testserver/testserver.py
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index c7af46b06360d8bab3187aa89a544131c61b40a1..0977564fafd9b2c9bc3e46259dfc1466c7e66943 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -154,7 +154,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
   def __init__(self, server_address, request_hander_class, pem_cert_and_key,
                ssl_client_auth, ssl_client_cas, ssl_client_cert_types,
                ssl_bulk_ciphers, ssl_key_exchanges, enable_npn,
-               record_resume_info, tls_intolerant, signed_cert_timestamps,
+               record_resume_info, tls_intolerant,
+               reset_on_intolerance, signed_cert_timestamps,
                fallback_scsv_enabled, ocsp_response):
     self.cert_chain = tlslite.api.X509CertChain()
     self.cert_chain.parsePemList(pem_cert_and_key)
@@ -172,10 +173,6 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
       self.next_protos = ['http/1.1']
     else:
       self.next_protos = None
-    if tls_intolerant == 0:
-      self.tls_intolerant = None
-    else:
-      self.tls_intolerant = (3, tls_intolerant)
     self.signed_cert_timestamps = signed_cert_timestamps
     self.fallback_scsv_enabled = fallback_scsv_enabled
     self.ocsp_response = ocsp_response
@@ -199,6 +196,9 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
       self.ssl_handshake_settings.cipherNames = ssl_bulk_ciphers
     if ssl_key_exchanges is not None:
       self.ssl_handshake_settings.keyExchangeNames = ssl_key_exchanges
+    if tls_intolerant != 0:
+      self.ssl_handshake_settings.tlsIntolerant = (3, tls_intolerant)
+      self.ssl_handshake_settings.resetOnIntolerance = reset_on_intolerance
 
     if record_resume_info:
       # If record_resume_info is true then we'll replace the session cache with
@@ -223,7 +223,6 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn,
                                     reqCAs=self.ssl_client_cas,
                                     reqCertTypes=self.ssl_client_cert_types,
                                     nextProtos=self.next_protos,
-                                    tlsIntolerant=self.tls_intolerant,
                                     signedCertTimestamps=
                                     self.signed_cert_timestamps,
                                     fallbackSCSV=self.fallback_scsv_enabled,
@@ -2006,6 +2005,7 @@ class ServerRunner(testserver_base.TestServerRunner):
                              self.options.enable_npn,
                              self.options.record_resume,
                              self.options.tls_intolerant,
+                             self.options.reset_on_intolerance,
                              self.options.signed_cert_timestamps_tls_ext.decode(
                                  "base64"),
                              self.options.fallback_scsv,
@@ -2147,6 +2147,12 @@ class ServerRunner(testserver_base.TestServerRunner):
                                   'aborted. 2 means TLS 1.1 or higher will be '
                                   'aborted. 3 means TLS 1.2 or higher will be '
                                   'aborted.')
+    self.option_parser.add_option('--reset-on-intolerance',
+                                  dest='reset_on_intolerance',
+                                  default=False, const=True,
+                                  action='store_const',
+                                  help='Send a TCP reset on TLS version '
+                                  'intolerance rather than a handshake alert')
     self.option_parser.add_option('--signed-cert-timestamps-tls-ext',
                                   dest='signed_cert_timestamps_tls_ext',
                                   default='',