-diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
-index f8811a9..e882e2c 100644
---- a/third_party/tlslite/tlslite/TLSConnection.py
-+++ b/third_party/tlslite/tlslite/TLSConnection.py
-@@ -611,6 +611,8 @@ class TLSConnection(TLSRecordLayer):
- settings.cipherImplementations)
-
- #Exchange ChangeCipherSpec and Finished messages
-+ for result in self._getChangeCipherSpec():
-+ yield result
- for result in self._getFinished():
- yield result
- for result in self._sendFinished():
-@@ -920,6 +922,8 @@ class TLSConnection(TLSRecordLayer):
- #Exchange ChangeCipherSpec and Finished messages
- for result in self._sendFinished():
- yield result
-+ for result in self._getChangeCipherSpec():
-+ yield result
- for result in self._getFinished():
- yield result
-
-@@ -1089,6 +1093,7 @@ class TLSConnection(TLSRecordLayer):
- clientCertChain = None
- serverCertChain = None #We may set certChain to this later
- postFinishedError = None
-+ doingChannelID = False
-
- #Tentatively set version to most-desirable version, so if an error
- #occurs parsing the ClientHello, this is what we'll use for the
-@@ -1208,6 +1213,8 @@ class TLSConnection(TLSRecordLayer):
- serverHello.create(self.version, serverRandom,
- session.sessionID, session.cipherSuite,
- certificateType)
-+ serverHello.channel_id = clientHello.channel_id
-+ doingChannelID = clientHello.channel_id
- for result in self._sendMsg(serverHello):
- yield result
-
-@@ -1221,6 +1228,11 @@ class TLSConnection(TLSRecordLayer):
- #Exchange ChangeCipherSpec and Finished messages
- for result in self._sendFinished():
- yield result
-+ for result in self._getChangeCipherSpec():
-+ yield result
-+ if doingChannelID:
-+ for result in self._getEncryptedExtensions():
-+ yield result
- for result in self._getFinished():
- yield result
-
-@@ -1399,8 +1411,12 @@ class TLSConnection(TLSRecordLayer):
- #Send ServerHello, Certificate[, CertificateRequest],
- #ServerHelloDone
- msgs = []
-- msgs.append(ServerHello().create(self.version, serverRandom,
-- sessionID, cipherSuite, certificateType))
-+ serverHello = ServerHello().create(
-+ self.version, serverRandom,
-+ sessionID, cipherSuite, certificateType)
-+ serverHello.channel_id = clientHello.channel_id
-+ doingChannelID = clientHello.channel_id
-+ msgs.append(serverHello)
- msgs.append(Certificate(certificateType).create(serverCertChain))
- if reqCert and reqCAs:
- msgs.append(CertificateRequest().create([], reqCAs))
-@@ -1528,6 +1544,11 @@ class TLSConnection(TLSRecordLayer):
- settings.cipherImplementations)
-
- #Exchange ChangeCipherSpec and Finished messages
-+ for result in self._getChangeCipherSpec():
-+ yield result
-+ if doingChannelID:
-+ for result in self._getEncryptedExtensions():
-+ yield result
- for result in self._getFinished():
- yield result
-
-diff --git a/third_party/tlslite/tlslite/TLSRecordLayer.py b/third_party/tlslite/tlslite/TLSRecordLayer.py
-index 1bbd09d..933b95a 100644
---- a/third_party/tlslite/tlslite/TLSRecordLayer.py
-+++ b/third_party/tlslite/tlslite/TLSRecordLayer.py
-@@ -714,6 +714,8 @@ class TLSRecordLayer:
- self.version).parse(p)
- elif subType == HandshakeType.finished:
- yield Finished(self.version).parse(p)
-+ elif subType == HandshakeType.encrypted_extensions:
-+ yield EncryptedExtensions().parse(p)
- else:
- raise AssertionError()
-
-@@ -1067,7 +1069,7 @@ class TLSRecordLayer:
- for result in self._sendMsg(finished):
- yield result
-
-- def _getFinished(self):
-+ def _getChangeCipherSpec(self):
- #Get and check ChangeCipherSpec
- for result in self._getMsg(ContentType.change_cipher_spec):
- if result in (0,1):
-@@ -1082,6 +1084,15 @@ class TLSRecordLayer:
- #Switch to pending read state
- self._changeReadState()
-
-+ def _getEncryptedExtensions(self):
-+ for result in self._getMsg(ContentType.handshake,
-+ HandshakeType.encrypted_extensions):
-+ if result in (0,1):
-+ yield result
-+ encrypted_extensions = result
-+ self.channel_id = encrypted_extensions.channel_id_key
-+
-+ def _getFinished(self):
- #Calculate verification data
- verifyData = self._calcFinished(False)
-