Index: third_party/tlslite/tlslite/handshakesettings.py |
diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py |
index e0bc0e661c5712a3d28e49ef8539510b1f91f27e..4af37918c2b87d532267257adaf7a014f8d4feb8 100644 |
--- a/third_party/tlslite/tlslite/handshakesettings.py |
+++ b/third_party/tlslite/tlslite/handshakesettings.py |
@@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"] |
KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
CERTIFICATE_TYPES = ["x509"] |
+TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"] |
class HandshakeSettings(object): |
"""This class encapsulates various parameters that can be used with |
@@ -92,6 +93,17 @@ class HandshakeSettings(object): |
The default is (3,2). (WARNING: Some servers may (improperly) |
reject clients which offer support for TLS 1.1. In this case, |
try lowering maxVersion to (3,1)). |
+ |
+ @type tlsIntolerant: tuple |
+ @ivar tlsIntolerant: TLS version intolerance for servers. |
wtc
2014/06/24 21:33:29
The comment should point out the tuple represents
davidben
2014/06/25 21:19:56
Done.
|
+ |
+ If tlsIntolerant is not None, the server will simulate TLS version |
+ intolerance by returning a fatal handshake_failure alert or a TCP reset to |
wtc
2014/06/24 21:33:29
Nit: this comment doesn't mention the "close" type
davidben
2014/06/25 21:19:56
Done.
|
+ all TLS versions tlsIntolerant or higher. |
+ |
+ @type tlsIntoleranceType: str |
+ @ivar tlsIntoleranceType: How the server should react when simulating |
+ TLS intolerance. |
wtc
2014/06/24 21:33:29
Nit: should we document the possible values here?
davidben
2014/06/25 21:19:56
Done.
|
@type useExperimentalTackExtension: bool |
@ivar useExperimentalTackExtension: Whether to enabled TACK support. |
@@ -109,6 +121,8 @@ class HandshakeSettings(object): |
self.certificateTypes = CERTIFICATE_TYPES |
self.minVersion = (3,0) |
self.maxVersion = (3,2) |
+ self.tlsIntolerant = None |
+ self.tlsIntoleranceType = 'alert' |
self.useExperimentalTackExtension = False |
# Validates the min/max fields, and certificateTypes |
@@ -124,6 +138,8 @@ class HandshakeSettings(object): |
other.certificateTypes = self.certificateTypes |
other.minVersion = self.minVersion |
other.maxVersion = self.maxVersion |
+ other.tlsIntolerant = self.tlsIntolerant |
+ other.tlsIntoleranceType = self.tlsIntoleranceType |
if not cipherfactory.tripleDESPresent: |
other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
@@ -165,6 +181,10 @@ class HandshakeSettings(object): |
if s not in CERTIFICATE_TYPES: |
raise ValueError("Unknown certificate type: '%s'" % s) |
+ if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES: |
+ raise ValueError( |
+ "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType) |
+ |
if other.minVersion > other.maxVersion: |
raise ValueError("Versions set incorrectly") |