[CalendarServer-changes] [15671] CalendarServer/trunk/calendarserver
source_changes at macosforge.org
source_changes at macosforge.org
Tue Jun 14 13:29:09 PDT 2016
Revision: 15671
http://trac.calendarserver.org//changeset/15671
Author: sagen at apple.com
Date: 2016-06-14 13:29:09 -0700 (Tue, 14 Jun 2016)
Log Message:
-----------
Check for expired APNS certificate during pre-flight checks; don't continually reconnect if APNS servers drop the connection due to certificate issue.
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/push/applepush.py
CalendarServer/trunk/calendarserver/tap/util.py
Modified: CalendarServer/trunk/calendarserver/push/applepush.py
===================================================================
--- CalendarServer/trunk/calendarserver/push/applepush.py 2016-06-12 01:11:06 UTC (rev 15670)
+++ CalendarServer/trunk/calendarserver/push/applepush.py 2016-06-14 20:29:09 UTC (rev 15671)
@@ -476,7 +476,11 @@
def clientConnectionLost(self, connector, reason):
if not self.shuttingDown:
- self.log.info("Connection to APN server lost: {reason}", reason=reason)
+ self.log.error("Connection to APN server lost: {reason}", reason=reason)
+ if reason.type == OpenSSL.SSL.Error:
+ # If we're failing due to a certificate issue, stop retrying.
+ self.log.error("Ensure APNS certificate is not expired")
+ ReconnectingClientFactory.stopTrying(self)
ReconnectingClientFactory.clientConnectionLost(self, connector, reason)
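Review bot: The new branch in clientConnectionLost keys on the exception class (`reason.type == OpenSSL.SSL.Error`), not on the cause, so any TLS-layer error on the connection stops reconnects for the life of the process, not only an expired certificate. The second log line should say that retries have stopped and present expiry as the likely cause, e.g. `self.log.error("TLS error from APN server; reconnect attempts stopped. Check that the APNS certificate is valid and not expired")`. The comment could add that push stays down until the service is restarted with a working certificate, which an operator would want to alert on. Whether `OpenSSL` is already imported in applepush.py is not visible in this hunk.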
Modified: CalendarServer/trunk/calendarserver/tap/util.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/util.py 2016-06-12 01:11:06 UTC (rev 15670)
+++ CalendarServer/trunk/calendarserver/tap/util.py 2016-06-14 20:29:09 UTC (rev 15671)
@@ -62,6 +62,7 @@
from twisted.internet.protocol import Factory
from twisted.internet.tcp import Connection
from twisted.protocols import amp
+from twisted.python.procutils import which
from twisted.python.usage import UsageError
from twistedcaldav.bind import doBind
@@ -1384,6 +1385,10 @@
if not protoConfig.Enabled:
continue
+ if not hasattr(OpenSSL, "__SecureTransport__"):
+ if not checkCertExpiration(protoConfig.CertificatePath):
+ return False, "APNS certificate expired {}".format(protoConfig.CertificatePath)
+
try:
getAPNTopicFromConfig(protocol, accountName, protoConfig)
except ValueError as e:
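Review bot: The failure message `"APNS certificate expired {}"` is returned for every False result from checkCertExpiration, which presumably includes a certificate file that the openssl tool cannot read or parse, not only an expired one. Wording such as `"APNS certificate expired or unreadable: {}"` would not send whoever reads the pre-flight output in the wrong direction. The `hasattr(OpenSSL, "__SecureTransport__")` guard also needs a one-line comment saying why the check is skipped in that case; the reason is not visible here. The enclosing function starts and ends outside the hunk.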
@@ -1431,7 +1436,28 @@
return True, "APNS disabled"
+def checkCertExpiration(certPath):
+ """
+ See if the given certificate is expired.
+ @param certPath: the path of the certificate
+ @type certPath: C{str}
+ @return: True if the cert has not expired (or we can't check because we
+ can't find the openssl command line utility); False otherwise
+ """
+
+ try:
+ opensslTool = which("openssl")[0]
+ args = [opensslTool, "x509", "-checkend", "0", "-noout", "-in", certPath]
+ child = Popen(args=args, stdout=PIPE, stderr=PIPE)
+ output, error = child.communicate()
+ return error == 0
+ except IndexError:
+ # We can't check
+ return True
+
+
+
def getSSLPassphrase(*ignored):
if not config.SSLPrivateKey:
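Review bot: `return error == 0` in checkCertExpiration compares the stderr data returned by `communicate()` with the integer 0, which is never equal. Whenever openssl is found the function therefore returns False, and the pre-flight check in the previous hunk reports a valid certificate as expired. The result of `-checkend` is carried in the exit status, so call `child.communicate()` for its side effect and then `return child.returncode == 0`. Only the `which` import is added in this commit, so `Popen` and `PIPE` are assumed to be imported in util.py already; that is worth confirming.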
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20160614/f417d738/attachment.html>