1diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
2index 82e8c075fe2a..8fb75d0948e4 100644
3--- a/third_party/tlslite/tlslite/constants.py
4+++ b/third_party/tlslite/tlslite/constants.py
5@@ -58,6 +58,7 @@ class ExtensionType:    # RFC 6066 / 4366
6     signed_cert_timestamps = 18  # RFC 6962
7     extended_master_secret = 23  # RFC 7627
8     token_binding = 24           # draft-ietf-tokbind-negotiation
9+    supported_versions = 43      # RFC 8446
10     tack = 0xF300
11     supports_npn = 13172
12     channel_id = 30032
13diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
14index ac7e563021d9..b29db939c2a8 100644
15--- a/third_party/tlslite/tlslite/messages.py
16+++ b/third_party/tlslite/tlslite/messages.py
17@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
18         self.tb_client_params = []
19         self.support_signed_cert_timestamps = False
20         self.status_request = False
21+        self.has_supported_versions = False
22         self.ri = False
23
24     def create(self, version, random, session_id, cipher_suites,
25@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
26                         if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
27                             raise SyntaxError()
28                         self.ri = True
29+                    elif extType == ExtensionType.supported_versions:
30+                        # Ignore the extension, but make a note of it for
31+                        # intolerance simulation.
32+                        self.has_supported_versions = True
33+                        _ = p.getFixBytes(extLength)
34                     else:
35                         _ = p.getFixBytes(extLength)
36                     index2 = p.index
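Review bot: The new `supported_versions` branch sets `has_supported_versions` from the extension's presence alone and discards the body with `p.getFixBytes(extLength)`, so a ClientHello whose list offers only TLS 1.2 or lower is recorded the same as one that offers TLS 1.3. RFC 8446 defines the body as a length-prefixed list of two-byte versions; reading that list would let the intolerance simulation act on what the client actually offered, and a malformed body could raise `SyntaxError()` as the branch just above does. If presence-only detection is intended, the comment should say so, e.g. `# Body is not parsed: presence alone is treated as a TLS 1.3 offer.` The enclosing parse method starts and ends outside this hunk.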
37diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
38index 8ba1c6e636ab..2309d4fa8f3a 100644
39--- a/third_party/tlslite/tlslite/tlsconnection.py
40+++ b/third_party/tlslite/tlslite/tlsconnection.py
41@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
42         self._handshakeDone(resumed=False)
43
44
45+    def _isIntolerant(self, settings, clientHello):
46+        if settings.tlsIntolerant is None:
47+            return False
48+        clientVersion = clientHello.client_version
49+        if clientHello.has_supported_versions:
50+            clientVersion = (3, 4)
51+        return clientVersion >= settings.tlsIntolerant
52+
53+
54     def _serverGetClientHello(self, settings, certChain, verifierDB,
55                                 sessionCache, anon, fallbackSCSV):
56         #Tentatively set version to most-desirable version, so if an error
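Review bot: In `_isIntolerant`, the line `clientVersion = (3, 4)` replaces the advertised version instead of raising it. A hello that carries the extension with `client_version` above (3, 4) is therefore compared as (3, 4), and may pass a `tlsIntolerant` threshold that the removed inline check would have rejected. `clientVersion = max(clientVersion, (3, 4))` keeps the old result for that case, assuming both values are comparable tuples as the removed `>=` check implies. The method also has no docstring and (3, 4) is unexplained; a one-line docstring such as `"""Return True if the simulated intolerance should reject this ClientHello."""` and a comment `# (3, 4) is TLS 1.3, signalled via supported_versions (RFC 8446)` would cover both.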
57@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
58                 yield result
59
60         #If simulating TLS intolerance, reject certain TLS versions.
61-        elif (settings.tlsIntolerant is not None and
62-              clientHello.client_version >= settings.tlsIntolerant):
63+        elif self._isIntolerant(settings, clientHello):
64             if settings.tlsIntoleranceType == "alert":
65                 for result in self._sendError(\
66                     AlertDescription.handshake_failure):
67