Index: third_party/tlslite/patches/intolerance_options.patch |
diff --git a/third_party/tlslite/patches/intolerance_options.patch b/third_party/tlslite/patches/intolerance_options.patch |
index 0bee1d634246527948595f2a080c4fbf52738140..2aee3c6f8d593b78a030586f4dd2babfc4a73fce 100644 |
--- a/third_party/tlslite/patches/intolerance_options.patch |
+++ b/third_party/tlslite/patches/intolerance_options.patch |
@@ -1,8 +1,8 @@ |
diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py |
-index e0bc0e6..0d4ccf2 100644 |
+index 7998e2e..2e9e06d 100644 |
--- a/third_party/tlslite/tlslite/handshakesettings.py |
+++ b/third_party/tlslite/tlslite/handshakesettings.py |
-@@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"] |
+@@ -19,6 +19,7 @@ ALL_MAC_NAMES = ["sha", "sha256", "md5"] |
KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
CERTIFICATE_TYPES = ["x509"] |
@@ -10,10 +10,10 @@ index e0bc0e6..0d4ccf2 100644 |
class HandshakeSettings(object): |
"""This class encapsulates various parameters that can be used with |
-@@ -92,6 +93,21 @@ class HandshakeSettings(object): |
- The default is (3,2). (WARNING: Some servers may (improperly) |
- reject clients which offer support for TLS 1.1. In this case, |
- try lowering maxVersion to (3,1)). |
+@@ -91,6 +92,21 @@ class HandshakeSettings(object): |
+ version, a protocol_version alert will be signalled. The default is (3,3). |
+ (WARNING: Some servers may (improperly) reject clients which offer support |
+ for TLS 1.1. In this case, try lowering maxVersion to (3,1)). |
+ |
+ @type tlsIntolerant: tuple |
+ @ivar tlsIntolerant: The TLS ClientHello version which the server |
@@ -32,16 +32,16 @@ index e0bc0e6..0d4ccf2 100644 |
@type useExperimentalTackExtension: bool |
@ivar useExperimentalTackExtension: Whether to enabled TACK support. |
-@@ -109,6 +125,8 @@ class HandshakeSettings(object): |
+@@ -108,6 +124,8 @@ class HandshakeSettings(object): |
self.certificateTypes = CERTIFICATE_TYPES |
- self.minVersion = (3,0) |
- self.maxVersion = (3,2) |
+ self.minVersion = (3,1) |
+ self.maxVersion = (3,3) |
+ self.tlsIntolerant = None |
+ self.tlsIntoleranceType = 'alert' |
self.useExperimentalTackExtension = False |
# Validates the min/max fields, and certificateTypes |
-@@ -124,6 +142,8 @@ class HandshakeSettings(object): |
+@@ -123,6 +141,8 @@ class HandshakeSettings(object): |
other.certificateTypes = self.certificateTypes |
other.minVersion = self.minVersion |
other.maxVersion = self.maxVersion |
@@ -50,7 +50,7 @@ index e0bc0e6..0d4ccf2 100644 |
if not cipherfactory.tripleDESPresent: |
other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
-@@ -165,6 +185,10 @@ class HandshakeSettings(object): |
+@@ -164,6 +184,10 @@ class HandshakeSettings(object): |
if s not in CERTIFICATE_TYPES: |
raise ValueError("Unknown certificate type: '%s'" % s) |
@@ -62,10 +62,10 @@ index e0bc0e6..0d4ccf2 100644 |
raise ValueError("Versions set incorrectly") |
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
-index 044ad59..7c1572f 100644 |
+index f8547d5..4f3ba1c 100644 |
--- a/third_party/tlslite/tlslite/tlsconnection.py |
+++ b/third_party/tlslite/tlslite/tlsconnection.py |
-@@ -1065,7 +1065,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1073,7 +1073,7 @@ class TLSConnection(TLSRecordLayer): |
reqCAs = None, reqCertTypes = None, |
tacks=None, activationFlags=0, |
nextProtos=None, anon=False, |
@@ -74,7 +74,7 @@ index 044ad59..7c1572f 100644 |
fallbackSCSV=False, ocspResponse=None): |
"""Perform a handshake in the role of server. |
-@@ -1139,11 +1139,6 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1147,11 +1147,6 @@ class TLSConnection(TLSRecordLayer): |
clients through the Next-Protocol Negotiation Extension, |
if they support it. |
@@ -86,7 +86,7 @@ index 044ad59..7c1572f 100644 |
@type signedCertTimestamps: str |
@param signedCertTimestamps: A SignedCertificateTimestampList (as a |
binary 8-bit string) that will be sent as a TLS extension whenever |
-@@ -1175,7 +1170,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1183,7 +1178,7 @@ class TLSConnection(TLSRecordLayer): |
certChain, privateKey, reqCert, sessionCache, settings, |
checker, reqCAs, reqCertTypes, |
tacks=tacks, activationFlags=activationFlags, |
@@ -95,7 +95,7 @@ index 044ad59..7c1572f 100644 |
signedCertTimestamps=signedCertTimestamps, |
fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): |
pass |
-@@ -1187,7 +1182,6 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1195,7 +1190,6 @@ class TLSConnection(TLSRecordLayer): |
reqCAs=None, reqCertTypes=None, |
tacks=None, activationFlags=0, |
nextProtos=None, anon=False, |
@@ -103,7 +103,7 @@ index 044ad59..7c1572f 100644 |
signedCertTimestamps=None, |
fallbackSCSV=False, |
ocspResponse=None |
-@@ -1210,7 +1204,6 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1218,7 +1212,6 @@ class TLSConnection(TLSRecordLayer): |
reqCAs=reqCAs, reqCertTypes=reqCertTypes, |
tacks=tacks, activationFlags=activationFlags, |
nextProtos=nextProtos, anon=anon, |
@@ -111,7 +111,7 @@ index 044ad59..7c1572f 100644 |
signedCertTimestamps=signedCertTimestamps, |
fallbackSCSV=fallbackSCSV, |
ocspResponse=ocspResponse) |
-@@ -1223,7 +1216,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1231,7 +1224,7 @@ class TLSConnection(TLSRecordLayer): |
settings, reqCAs, reqCertTypes, |
tacks, activationFlags, |
nextProtos, anon, |
@@ -120,7 +120,7 @@ index 044ad59..7c1572f 100644 |
ocspResponse): |
self._handshakeStart(client=False) |
-@@ -1261,7 +1254,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1269,7 +1262,7 @@ class TLSConnection(TLSRecordLayer): |
# Handle ClientHello and resumption |
for result in self._serverGetClientHello(settings, certChain,\ |
verifierDB, sessionCache, |
@@ -129,7 +129,7 @@ index 044ad59..7c1572f 100644 |
if result in (0,1): yield result |
elif result == None: |
self._handshakeDone(resumed=True) |
-@@ -1376,7 +1369,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1384,7 +1377,7 @@ class TLSConnection(TLSRecordLayer): |
def _serverGetClientHello(self, settings, certChain, verifierDB, |
@@ -138,7 +138,7 @@ index 044ad59..7c1572f 100644 |
#Initialize acceptable cipher suites |
cipherSuites = [] |
if verifierDB: |
-@@ -1413,11 +1406,21 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1421,11 +1414,21 @@ class TLSConnection(TLSRecordLayer): |
yield result |
#If simulating TLS intolerance, reject certain TLS versions. |
@@ -165,10 +165,10 @@ index 044ad59..7c1572f 100644 |
#If client's version is too high, propose my highest version |
elif clientHello.client_version > settings.maxVersion: |
diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py |
-index 370dc9a..23c2a2f 100644 |
+index 3584726..eda11e6 100644 |
--- a/third_party/tlslite/tlslite/tlsrecordlayer.py |
+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py |
-@@ -19,6 +19,7 @@ from .constants import * |
+@@ -20,6 +20,7 @@ from .constants import * |
from .utils.cryptomath import getRandomBytes |
import socket |
@@ -176,7 +176,7 @@ index 370dc9a..23c2a2f 100644 |
import errno |
import traceback |
-@@ -523,6 +524,13 @@ class TLSRecordLayer(object): |
+@@ -527,6 +528,13 @@ class TLSRecordLayer(object): |
self._shutdown(False) |
raise TLSLocalAlert(alert, errorStr) |