Switch TLS intolerance tests to EmbeddedTestServer
We can simulate TLS intolerance with the ClientHello callback, so no
need for tlslite.
Bug: 1250903
Change-Id: Icbe85b17f94d04b375d744de1959f61cdb4da703
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3282446
Reviewed-by: Matt Mueller <mattm@chromium.org>
Commit-Queue: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/main@{#942237}
NOKEYCHECK=True
GitOrigin-RevId: d8d00b6458d3f65be7b98aaacfe81a18d9db47e2
diff --git a/testserver.py b/testserver.py
index 2f8d643..3126802 100755
--- a/testserver.py
+++ b/testserver.py
@@ -102,9 +102,8 @@
def __init__(self, server_address, request_hander_class, pem_cert_and_key,
ssl_client_auth, ssl_client_cas, ssl_client_cert_types,
- tls_intolerant, tls_intolerance_type, alert_after_handshake,
- simulate_tls13_downgrade, simulate_tls12_downgrade,
- tls_max_version):
+ alert_after_handshake, simulate_tls13_downgrade,
+ simulate_tls12_downgrade, tls_max_version):
self.cert_chain = tlslite.api.X509CertChain()
self.cert_chain.parsePemList(pem_cert_and_key)
# Force using only python implementation - otherwise behavior is different
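Review bot: The `__init__` signature at the top of this hunk still takes all of its TLS options positionally, so dropping `tls_intolerant` and `tls_intolerance_type` from the middle moves every later argument two slots to the left. The `HTTPSServer(...)` call in the hunk at new line 408 is updated to match, and a stale caller would presumably fail with a TypeError rather than bind wrong values, but the ordering is checked only by argument count. Passing the remaining options by keyword at that call site, e.g. `alert_after_handshake=self.options.alert_after_handshake,` and `tls_max_version=self.options.tls_max_version)`, would keep the next removal from depending on position. The constructor body continues outside this hunk.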
@@ -134,9 +133,6 @@
self.ssl_handshake_settings = tlslite.api.HandshakeSettings()
# Enable SSLv3 for testing purposes.
self.ssl_handshake_settings.minVersion = (3, 0)
- if tls_intolerant != 0:
- self.ssl_handshake_settings.tlsIntolerant = (3, tls_intolerant)
- self.ssl_handshake_settings.tlsIntoleranceType = tls_intolerance_type
if alert_after_handshake:
self.ssl_handshake_settings.alertAfterHandshake = True
if simulate_tls13_downgrade:
@@ -412,8 +408,7 @@
server = HTTPSServer(
(host, port), TestPageHandler, pem_cert_and_key,
self.options.ssl_client_auth, self.options.ssl_client_ca,
- self.options.ssl_client_cert_type, self.options.tls_intolerant,
- self.options.tls_intolerance_type,
+ self.options.ssl_client_cert_type,
self.options.alert_after_handshake,
self.options.simulate_tls13_downgrade,
self.options.simulate_tls12_downgrade, self.options.tls_max_version)
@@ -503,21 +498,6 @@
'path to the file containing the certificate '
'and private key for the server in PEM '
'format')
- self.option_parser.add_option('--tls-intolerant', dest='tls_intolerant',
- default='0', type='int',
- help='If nonzero, certain TLS connections '
- 'will be aborted in order to test version '
- 'fallback. 1 means all TLS versions will be '
- 'aborted. 2 means TLS 1.1 or higher will be '
- 'aborted. 3 means TLS 1.2 or higher will be '
- 'aborted. 4 means TLS 1.3 or higher will be '
- 'aborted.')
- self.option_parser.add_option('--tls-intolerance-type',
- dest='tls_intolerance_type',
- default="alert",
- help='Controls how the server reacts to a '
- 'TLS version it is intolerant to. Valid '
- 'values are "alert", "close", and "reset".')
self.option_parser.add_option('--ssl-client-auth', action='store_true',
help='Require SSL client auth on every '
'connection.')