diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index e9743e4..82e8c07 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -61,6 +61,7 @@ class ExtensionType:    # RFC 6066 / 4366
     tack = 0xF300
     supports_npn = 13172
     channel_id = 30032
+    renegotiation_info = 0xFF01 # RFC 5746
 
 class HashAlgorithm:
     none = 0
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index 1ce9320..ac7e563 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
         self.tb_client_params = []
         self.support_signed_cert_timestamps = False
         self.status_request = False
+        self.ri = False
 
     def create(self, version, random, session_id, cipher_suites,
                certificate_types=None, srpUsername=None,
@@ -244,12 +245,20 @@ class ClientHello(HandshakeMsg):
                         # request_extensions in the OCSP request.
                         p.getFixBytes(extLength)
                         self.status_request = True
+                    elif extType == ExtensionType.renegotiation_info:
+                        # We don't support renegotiation, so if we receive this
+                        # extension, it should contain a single null byte.
+                        if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
+                            raise SyntaxError()
+                        self.ri = True
                     else:
                         _ = p.getFixBytes(extLength)
                     index2 = p.index
                     if index2 - index1 != extLength:
                         raise SyntaxError("Bad length for extension_data")
                     soFar += 4 + extLength
+            if CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in self.cipher_suites:
+                self.ri = True
             p.stopLengthCheck()
         return self
 
@@ -327,6 +336,7 @@ class ServerHello(HandshakeMsg):
         self.tb_params = None
         self.signed_cert_timestamps = None
         self.status_request = False
+        self.send_ri = False
 
     def create(self, version, random, session_id, cipher_suite,
                certificate_type, tackExt, alpn_proto_selected,
@@ -432,6 +442,10 @@ class ServerHello(HandshakeMsg):
         if self.status_request:
             w2.add(ExtensionType.status_request, 2)
             w2.add(0, 2)
+        if self.send_ri:
+            w2.add(ExtensionType.renegotiation_info, 2)
+            w2.add(1, 2)
+            w2.add(0, 1)
         if len(w2.bytes):
             w.add(len(w2.bytes), 2)
             w.bytes += w2.bytes        
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index de5d580..8ba1c6e 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -1370,6 +1370,8 @@ class TLSConnection(TLSRecordLayer):
             serverHello.signed_cert_timestamps = signedCertTimestamps
         if clientHello.status_request:
             serverHello.status_request = ocspResponse
+        if clientHello.ri:
+            serverHello.send_ri = True
 
         # Perform the SRP key exchange
         clientCertChain = None
@@ -1583,6 +1585,8 @@ class TLSConnection(TLSRecordLayer):
                     if param in settings.supportedTokenBindingParams:
                           serverHello.tb_params = param
                           break
+                if clientHello.ri:
+                    serverHello.send_ri = True
                 for result in self._sendMsg(serverHello):
                     yield result