1diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
2index 82e8c075fe2a..8fb75d0948e4 100644
3--- a/third_party/tlslite/tlslite/constants.py
4+++ b/third_party/tlslite/tlslite/constants.py
5@@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366
6 signed_cert_timestamps = 18 # RFC 6962
7 extended_master_secret = 23 # RFC 7627
8 token_binding = 24 # draft-ietf-tokbind-negotiation
9+ supported_versions = 43 # RFC 8446
10 tack = 0xF300
11 supports_npn = 13172
12 channel_id = 30032
13diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
14index ac7e563021d9..b29db939c2a8 100644
15--- a/third_party/tlslite/tlslite/messages.py
16+++ b/third_party/tlslite/tlslite/messages.py
17@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
18 self.tb_client_params = []
19 self.support_signed_cert_timestamps = False
20 self.status_request = False
21+ self.has_supported_versions = False
22 self.ri = False
23
24 def create(self, version, random, session_id, cipher_suites,
25@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
26 if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
27 raise SyntaxError()
28 self.ri = True
29+ elif extType == ExtensionType.supported_versions:
30+ # Ignore the extension, but make a note of it for
31+ # intolerance simulation.
32+ self.has_supported_versions = True
33+ _ = p.getFixBytes(extLength)
34 else:
35 _ = p.getFixBytes(extLength)
36 index2 = p.index
37diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
38index 8ba1c6e636ab..2309d4fa8f3a 100644
39--- a/third_party/tlslite/tlslite/tlsconnection.py
40+++ b/third_party/tlslite/tlslite/tlsconnection.py
41@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
42 self._handshakeDone(resumed=False)
43
44
45+ def _isIntolerant(self, settings, clientHello):
46+ if settings.tlsIntolerant is None:
47+ return False
48+ clientVersion = clientHello.client_version
49+ if clientHello.has_supported_versions:
50+ clientVersion = (3, 4)
51+ return clientVersion >= settings.tlsIntolerant
52+
53+
54 def _serverGetClientHello(self, settings, certChain, verifierDB,
55 sessionCache, anon, fallbackSCSV):
56 #Tentatively set version to most-desirable version, so if an error
57@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
58 yield result
59
60 #If simulating TLS intolerance, reject certain TLS versions.
61- elif (settings.tlsIntolerant is not None and
62- clientHello.client_version >= settings.tlsIntolerant):
63+ elif self._isIntolerant(settings, clientHello):
64 if settings.tlsIntoleranceType == "alert":
65 for result in self._sendError(\
66 AlertDescription.handshake_failure):
67
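Review bot: The new `supported_versions` branch in the ClientHello parser (second messages.py hunk) records only that the extension is present and discards its body with `_ = p.getFixBytes(extLength)`, so the version list is never inspected. RFC 8446 requires servers to accept hellos that carry this extension without 0x0304 in the list, yet `_isIntolerant` in tlsconnection.py will treat any such hello as TLS 1.3. If presence-only is the intended simplification for the intolerance simulation, the comment should say so, for example `# Presence only: the version list is not parsed, so any hello carrying this extension is treated as offering TLS 1.3.` The enclosing parse method starts and ends outside the hunk.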
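Review bot: `_isIntolerant` (first tlsconnection.py hunk) has no docstring, and the literal `(3, 4)` is unexplained, so a reader has to infer that it stands for TLS 1.3 and why it overrides `clientHello.client_version`. I would add a one-line docstring such as `"""Return True if the simulated intolerance in settings applies to this ClientHello."""` and a comment above the override, `# supported_versions present: compare as TLS 1.3, (3, 4), instead of the legacy client_version field`. The comparison relies on `settings.tlsIntolerant` being a version tuple, which is presumably the case since the removed condition compared it the same way, and is worth stating in the docstring.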