1Index: third_party/tlslite/tlslite/TLSConnection.py
2===================================================================
3--- third_party/tlslite/tlslite/TLSConnection.py	(revision 134128)
4+++ third_party/tlslite/tlslite/TLSConnection.py	(working copy)
5@@ -932,7 +932,7 @@
6     def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
7                         certChain=None, privateKey=None, reqCert=False,
8                         sessionCache=None, settings=None, checker=None,
9-                        reqCAs=None):
10+                        reqCAs=None, tlsIntolerant=0):
11         """Perform a handshake in the role of server.
12
13         This function performs an SSL or TLS handshake.  Depending on
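Review bot: `tlsIntolerant` is added to the public `handshakeServer` signature, but no description of it appears in the visible part of the docstring, which continues outside this hunk; the same applies to `handshakeServerAsync` in the next hunk. Because the option deliberately makes the server fail handshakes from clients that offer newer protocol versions, it should be documented as a testing aid that stays at its default of 0 everywhere else. Suggested entry, in whatever parameter style the docstring already uses: `tlsIntolerant: testing aid; 0 (default) disables it, 1 rejects all TLS versions, 2 rejects TLS 1.1 or higher, 3 rejects TLS 1.2 or higher`.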
14@@ -1012,14 +1012,14 @@
15         """
16         for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
17                 certChain, privateKey, reqCert, sessionCache, settings,
18-                checker, reqCAs):
19+                checker, reqCAs, tlsIntolerant):
20             pass
21
22
23     def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
24                              certChain=None, privateKey=None, reqCert=False,
25                              sessionCache=None, settings=None, checker=None,
26-                             reqCAs=None):
27+                             reqCAs=None, tlsIntolerant=0):
28         """Start a server handshake operation on the TLS connection.
29
30         This function returns a generator which behaves similarly to
31@@ -1036,14 +1036,15 @@
32             verifierDB=verifierDB, certChain=certChain,
33             privateKey=privateKey, reqCert=reqCert,
34             sessionCache=sessionCache, settings=settings,
35-            reqCAs=reqCAs)
36+            reqCAs=reqCAs,
37+            tlsIntolerant=tlsIntolerant)
38         for result in self._handshakeWrapperAsync(handshaker, checker):
39             yield result
40
41
42     def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
43                              certChain, privateKey, reqCert, sessionCache,
44-                             settings, reqCAs):
45+                             settings, reqCAs, tlsIntolerant):
46
47         self._handshakeStart(client=False)
48
49@@ -1111,6 +1112,17 @@
50                   "Too old version: %s" % str(clientHello.client_version)):
51                 yield result
52
53+        #If tlsIntolerant is nonzero, reject certain TLS versions.
54+        #1: reject all TLS versions.
55+        #2: reject TLS 1.1 or higher.
56+        #3: reject TLS 1.2 or higher.
57+        if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
58+            tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
59+            tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
60+            for result in self._sendError(\
61+                    AlertDescription.handshake_failure):
62+                yield result
63+
64         #If client's version is too high, propose my highest version
65         elif clientHello.client_version > settings.maxVersion:
66             self.version = settings.maxVersion
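Review bot: The new `if` sits between the minimum-version check and its `elif`, so `elif clientHello.client_version > settings.maxVersion:` now chains off the intolerance test instead of the check above it. The two are equivalent only if `_sendError` never returns normally (presumably it raises after sending the alert; its body is not in this diff), and the code leaves the reader to work that out. Writing the new test as `elif (tlsIntolerant == 1 and ...` keeps a single chain, with the side effect that a too-old version is answered before the intolerance test; otherwise a comment such as `#_sendError raises, so the elif below runs only when no alert was sent` would cover it. The condition also relies on `and` binding tighter than `or`, and any `tlsIntolerant` value outside 0-3 is silently ignored, so parenthesising each pair and rejecting unknown values would make misuse visible. The enclosing `_handshakeServerAsyncHelper` starts and ends outside the hunk.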
67