1 diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/
tlslite/TLSConnection.py | 1 Index: third_party/tlslite/tlslite/TLSConnection.py |
2 index 7e38a23..02c7478 100644 | 2 =================================================================== |
3 --- a/third_party/tlslite/tlslite/TLSConnection.py | 3 --- third_party/tlslite/tlslite/TLSConnection.py» (revision 134128) |
4 +++ b/third_party/tlslite/tlslite/TLSConnection.py | 4 +++ third_party/tlslite/tlslite/TLSConnection.py» (working copy) |
5 @@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer): | 5 @@ -932,7 +932,7 @@ |
6 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 6 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
7 certChain=None, privateKey=None, reqCert=False, | 7 certChain=None, privateKey=None, reqCert=False, |
8 sessionCache=None, settings=None, checker=None, | 8 sessionCache=None, settings=None, checker=None, |
9 - reqCAs=None): | 9 - reqCAs=None): |
10 + reqCAs=None, tlsIntolerant=False): | 10 + reqCAs=None, tlsIntolerant=0): |
11 """Perform a handshake in the role of server. | 11 """Perform a handshake in the role of server. |
12 | 12 |
13 This function performs an SSL or TLS handshake. Depending on | 13 This function performs an SSL or TLS handshake. Depending on |
14 @@ -1012,14 +1012,14 @@ class TLSConnection(TLSRecordLayer): | 14 @@ -1012,14 +1012,14 @@ |
15 """ | 15 """ |
16 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 16 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
17 certChain, privateKey, reqCert, sessionCache, settings, | 17 certChain, privateKey, reqCert, sessionCache, settings, |
18 - checker, reqCAs): | 18 - checker, reqCAs): |
19 + checker, reqCAs, tlsIntolerant): | 19 + checker, reqCAs, tlsIntolerant): |
20 pass | 20 pass |
21 | 21 |
22 | 22 |
23 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 23 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
24 certChain=None, privateKey=None, reqCert=False, | 24 certChain=None, privateKey=None, reqCert=False, |
25 sessionCache=None, settings=None, checker=None, | 25 sessionCache=None, settings=None, checker=None, |
26 - reqCAs=None): | 26 - reqCAs=None): |
27 + reqCAs=None, tlsIntolerant=False): | 27 + reqCAs=None, tlsIntolerant=0): |
28 """Start a server handshake operation on the TLS connection. | 28 """Start a server handshake operation on the TLS connection. |
29 | 29 |
30 This function returns a generator which behaves similarly to | 30 This function returns a generator which behaves similarly to |
31 @@ -1036,14 +1036,15 @@ class TLSConnection(TLSRecordLayer): | 31 @@ -1036,14 +1036,15 @@ |
32 verifierDB=verifierDB, certChain=certChain, | 32 verifierDB=verifierDB, certChain=certChain, |
33 privateKey=privateKey, reqCert=reqCert, | 33 privateKey=privateKey, reqCert=reqCert, |
34 sessionCache=sessionCache, settings=settings, | 34 sessionCache=sessionCache, settings=settings, |
35 - reqCAs=reqCAs) | 35 - reqCAs=reqCAs) |
36 + reqCAs=reqCAs, | 36 + reqCAs=reqCAs, |
37 + tlsIntolerant=tlsIntolerant) | 37 + tlsIntolerant=tlsIntolerant) |
38 for result in self._handshakeWrapperAsync(handshaker, checker): | 38 for result in self._handshakeWrapperAsync(handshaker, checker): |
39 yield result | 39 yield result |
40 | 40 |
41 | 41 |
42 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 42 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
43 certChain, privateKey, reqCert, sessionCache, | 43 certChain, privateKey, reqCert, sessionCache, |
44 - settings, reqCAs): | 44 - settings, reqCAs): |
45 + settings, reqCAs, tlsIntolerant): | 45 + settings, reqCAs, tlsIntolerant): |
46 | 46 |
47 self._handshakeStart(client=False) | 47 self._handshakeStart(client=False) |
48 | 48 |
49 @@ -1111,6 +1112,11 @@ class TLSConnection(TLSRecordLayer): | 49 @@ -1111,6 +1112,17 @@ |
50 "Too old version: %s" % str(clientHello.client_version)): | 50 "Too old version: %s" % str(clientHello.client_version)): |
51 yield result | 51 yield result |
52 | 52 |
53 + if tlsIntolerant and clientHello.client_version > (3, 0): | 53 + #If tlsIntolerant is nonzero, reject certain TLS versions. |
| 54 + #1: reject all TLS versions. |
| 55 + #2: reject TLS 1.1 or higher. |
| 56 + #3: reject TLS 1.2 or higher. |
| 57 + if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or |
| 58 + tlsIntolerant == 2 and clientHello.client_version > (3, 1) or |
| 59 + tlsIntolerant == 3 and clientHello.client_version > (3, 2)): |
54 + for result in self._sendError(\ | 60 + for result in self._sendError(\ |
55 + AlertDescription.handshake_failure): | 61 + AlertDescription.handshake_failure): |
56 + yield result | 62 + yield result |
57 + | 63 + |
58 #If client's version is too high, propose my highest version | 64 #If client's version is too high, propose my highest version |
59 elif clientHello.client_version > settings.maxVersion: | 65 elif clientHello.client_version > settings.maxVersion: |
60 self.version = settings.maxVersion | 66 self.version = settings.maxVersion |
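Review bot: The meaning of the integer values of `tlsIntolerant` (0 = tolerant, 1 = reject all TLS, 2 = reject TLS 1.1 and up, 3 = reject TLS 1.2 and up) is recorded only in the comment inside `_handshakeServerAsyncHelper`, while the public `handshakeServer` and `handshakeServerAsync` docstrings that gained the parameter say nothing about it; add a parameter entry to both docstrings, in the style the existing entries use, stating those four values and that the default 0 leaves version negotiation unchanged. The three-way `and`/`or` chain in the new condition is correct only because `and` binds tighter than `or`, and any value outside 1–3 silently falls through to normal negotiation, so a mistyped knob would go unnoticed; a small table makes both points explicit, e.g. `_intolerance = {1: (3, 0), 2: (3, 1), 3: (3, 2)}` followed by `if tlsIntolerant in _intolerance and clientHello.client_version > _intolerance[tlsIntolerant]:`, optionally raising `ValueError` for any other nonzero value. The rejection itself sends `handshake_failure` via `_sendError` and then continues into the existing version checks, which is fine as written. The body of `_handshakeServerAsyncHelper` continues outside this hunk, so the rest of the version-selection logic was not reviewed.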