Reject all invalid records.

The check on the DTLS side was broken anyway. On the TLS side, the spec does
say to ignore them, but there should be no need for this in future-proofing and
NSS doesn't appear to be lenient here. See also

Change-Id: I0846222936c5e08acdcfd9d6f854a99df767e468
Reviewed-by: Adam Langley <>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 3e37f1d..f5ceefc 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -616,6 +616,10 @@
 	// pre-CCS flights to be sent twice. (Post-CCS flights consist of
 	// Finished and will trigger a spurious retransmit.)
 	ReorderHandshakeFragments bool
+	// SendInvalidRecordType, if true, causes a record with an invalid
+	// content type to be sent immediately following the handshake.
+	SendInvalidRecordType bool
 func (c *Config) serverInit() {