+ok($fatal_alert, "Duplicate ServerHello extension");
+
+SKIP: {
+ skip "TLS <= 1.2 disabled", 3 if $no_below_tls13;
+
+ #Test 3: Sending a zero length extension block should pass
+ $proxy->clear();
+ $proxy->filter(\&extension_filter);
+ $proxy->start();
+ ok(TLSProxy::Message->success, "Zero extension length test");
+
+ #Test 4: Inject an unsolicited extension (<= TLSv1.2)
+ $fatal_alert = 0;
+ $proxy->clear();
+ $proxy->filter(\&inject_unsolicited_extension);
+ $testtype = UNSOLICITED_SERVER_NAME;
+ $proxy->clientflags("-no_tls1_3 -noservername");
+ $proxy->start();
+ ok($fatal_alert, "Unsolicited server name extension");
+
+ #Test 5: Inject a noncompliant supported_groups extension (<= TLSv1.2)
+ $proxy->clear();
+ $proxy->filter(\&inject_unsolicited_extension);
+ $testtype = NONCOMPLIANT_SUPPORTED_GROUPS;
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->start();
+ ok(TLSProxy::Message->success(), "Noncompliant supported_groups extension");
+}
+
+SKIP: {
+ skip "TLS <= 1.2 or CT disabled", 1
+ if $no_below_tls13 || disabled("ct");
+ #Test 6: Same as above for the SCT extension which has special handling
+ $fatal_alert = 0;
+ $proxy->clear();
+ $testtype = UNSOLICITED_SCT;
+ $proxy->clientflags("-no_tls1_3");
+ $proxy->start();
+ ok($fatal_alert, "Unsolicited sct extension");
+}
+
+SKIP: {
+ skip "TLS 1.3 disabled", 1 if disabled("tls1_3");
+ #Test 7: Inject an unsolicited extension (TLSv1.3)
+ $fatal_alert = 0;
+ $proxy->clear();
+ $proxy->filter(\&inject_unsolicited_extension);
+ $testtype = UNSOLICITED_SERVER_NAME_TLS13;
+ $proxy->clientflags("-noservername");
+ $proxy->start();
+ ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)");
+}