third_party/tlslite/tlslite/handshakesettings.py - Issue 342793003: Add tests for TLS fallback on connection reset and close.

Unified Diff: third_party/tlslite/tlslite/handshakesettings.py

Issue 342793003: Add tests for TLS fallback on connection reset and close. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: wtc comment Created 6 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« net/test/spawned_test_server/base_test_server.cc ('K') | « third_party/tlslite/patches/intolerance_options.patch ('k') | third_party/tlslite/tlslite/tlsconnection.py » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/tlslite/tlslite/handshakesettings.py

diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py

index e0bc0e661c5712a3d28e49ef8539510b1f91f27e..5d751d2076660dcfc3df8f7834754ce0d033a357 100644

--- a/third_party/tlslite/tlslite/handshakesettings.py

+++ b/third_party/tlslite/tlslite/handshakesettings.py

@@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"]

KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]

CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]

CERTIFICATE_TYPES = ["x509"]

+TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"]

class HandshakeSettings(object):

"""This class encapsulates various parameters that can be used with

@@ -92,6 +93,19 @@ class HandshakeSettings(object):

The default is (3,2). (WARNING: Some servers may (improperly)

reject clients which offer support for TLS 1.1. In this case,

try lowering maxVersion to (3,1)).

+ @type tlsIntolerant: tuple

+ @ivar tlsIntolerant: The TLS ClientHello version which the server

+ simulates intolerance of.

+ If tlsIntolerant is not None, the server will simulate TLS version

+ intolerance by aborting the handshake in response to all TLS versions

+ tlsIntolerant or higher.

+ @type tlsIntoleranceType: str @ivar tlsIntoleranceType: How the server

wtc 2014/06/25 23:32:22 Should @ivar start on a new line?

davidben 2014/06/26 17:01:01 Oops. I blame M-q.

+ should react when simulating TLS intolerance. The allowed values are "alert"

+ (return a fatal handshake_failure alert), "close" (abruptly close the

+ connection), and "reset" (send a TCP reset).

@type useExperimentalTackExtension: bool

@ivar useExperimentalTackExtension: Whether to enabled TACK support.

@@ -109,6 +123,8 @@ class HandshakeSettings(object):

self.certificateTypes = CERTIFICATE_TYPES

self.minVersion = (3,0)

self.maxVersion = (3,2)

+ self.tlsIntolerant = None

+ self.tlsIntoleranceType = 'alert'

self.useExperimentalTackExtension = False

# Validates the min/max fields, and certificateTypes

@@ -124,6 +140,8 @@ class HandshakeSettings(object):

other.certificateTypes = self.certificateTypes

other.minVersion = self.minVersion

other.maxVersion = self.maxVersion

+ other.tlsIntolerant = self.tlsIntolerant

+ other.tlsIntoleranceType = self.tlsIntoleranceType

if not cipherfactory.tripleDESPresent:

other.cipherNames = [e for e in self.cipherNames if e != "3des"]

@@ -165,6 +183,10 @@ class HandshakeSettings(object):

if s not in CERTIFICATE_TYPES:

raise ValueError("Unknown certificate type: '%s'" % s)

+ if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES:

+ raise ValueError(

+ "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType)

if other.minVersion > other.maxVersion:

raise ValueError("Versions set incorrectly")