Add tests for TLS fallback on connection reset and close.

third_party/tlslite/tlslite/handshakesettings.py

Index: third_party/tlslite/tlslite/handshakesettings.py
diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
index e0bc0e661c5712a3d28e49ef8539510b1f91f27e..4af37918c2b87d532267257adaf7a014f8d4feb8 100644
--- a/third_party/tlslite/tlslite/handshakesettings.py
+++ b/third_party/tlslite/tlslite/handshakesettings.py
@@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"]
 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
 CERTIFICATE_TYPES = ["x509"]
+TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"]
 
 class HandshakeSettings(object):
     """This class encapsulates various parameters that can be used with
@@ -92,6 +93,17 @@ class HandshakeSettings(object):
     The default is (3,2).  (WARNING: Some servers may (improperly)
     reject clients which offer support for TLS 1.1.  In this case,
     try lowering maxVersion to (3,1)).
+
+    @type tlsIntolerant: tuple
+    @ivar tlsIntolerant: TLS version intolerance for servers.

[wtc, 2014/06/24 21:33:29]

The comment should point out the tuple represents a TLS version.

[davidben, 2014/06/25 21:19:56]

Done.

+
+    If tlsIntolerant is not None, the server will simulate TLS version
+    intolerance by returning a fatal handshake_failure alert or a TCP reset to

[wtc, 2014/06/24 21:33:29]

Nit: this comment doesn't mention the "close" type. You can either add it, or
just say "aborting the handshake".

[davidben, 2014/06/25 21:19:56]

Done.

+    all TLS versions tlsIntolerant or higher.
+
+    @type tlsIntoleranceType: str
+    @ivar tlsIntoleranceType: How the server should react when simulating
+    TLS intolerance.

[wtc, 2014/06/24 21:33:29]

Nit: should we document the possible values here?

[davidben, 2014/06/25 21:19:56]

Done.

     
     @type useExperimentalTackExtension: bool
     @ivar useExperimentalTackExtension: Whether to enabled TACK support.
@@ -109,6 +121,8 @@ class HandshakeSettings(object):
         self.certificateTypes = CERTIFICATE_TYPES
         self.minVersion = (3,0)
         self.maxVersion = (3,2)
+        self.tlsIntolerant = None
+        self.tlsIntoleranceType = 'alert'
         self.useExperimentalTackExtension = False
 
     # Validates the min/max fields, and certificateTypes
@@ -124,6 +138,8 @@ class HandshakeSettings(object):
         other.certificateTypes = self.certificateTypes
         other.minVersion = self.minVersion
         other.maxVersion = self.maxVersion
+        other.tlsIntolerant = self.tlsIntolerant
+        other.tlsIntoleranceType = self.tlsIntoleranceType
 
         if not cipherfactory.tripleDESPresent:
             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
@@ -165,6 +181,10 @@ class HandshakeSettings(object):
             if s not in CERTIFICATE_TYPES:
                 raise ValueError("Unknown certificate type: '%s'" % s)
 
+        if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES:
+            raise ValueError(
+                "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType)
+
         if other.minVersion > other.maxVersion:
             raise ValueError("Versions set incorrectly")