[CalendarServer-changes] [15671] CalendarServer/trunk/calendarserver

source_changes at macosforge.org source_changes at macosforge.org
Tue Jun 14 13:29:09 PDT 2016


Revision: 15671
          http://trac.calendarserver.org//changeset/15671
Author:   sagen at apple.com
Date:     2016-06-14 13:29:09 -0700 (Tue, 14 Jun 2016)
Log Message:
-----------
Check for an expired APNS certificate during pre-flight checks; don't continually reconnect if the APNS servers drop the connection due to a certificate issue.

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/push/applepush.py
    CalendarServer/trunk/calendarserver/tap/util.py

Modified: CalendarServer/trunk/calendarserver/push/applepush.py
===================================================================
--- CalendarServer/trunk/calendarserver/push/applepush.py	2016-06-12 01:11:06 UTC (rev 15670)
+++ CalendarServer/trunk/calendarserver/push/applepush.py	2016-06-14 20:29:09 UTC (rev 15671)
@@ -476,7 +476,11 @@
 
     def clientConnectionLost(self, connector, reason):
         if not self.shuttingDown:
-            self.log.info("Connection to APN server lost: {reason}", reason=reason)
+            self.log.error("Connection to APN server lost: {reason}", reason=reason)
+            if reason.type == OpenSSL.SSL.Error:
+                # If we're failing due to a certificate issue, stop retrying.
+                self.log.error("Ensure APNS certificate is not expired")
+                ReconnectingClientFactory.stopTrying(self)
         ReconnectingClientFactory.clientConnectionLost(self, connector, reason)
 
 
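Review bot: `reason.type == OpenSSL.SSL.Error` on the new line in clientConnectionLost only matches that exact class; Twisted's `reason.check(OpenSSL.SSL.Error)` is the usual form and also matches subclasses. Any SSL-layer error, not only a certificate problem, then reaches `ReconnectingClientFactory.stopTrying(self)`, after which the factory no longer reconnects until the process is restarted, so a transient TLS failure appears to disable push delivery permanently while the log only mentions certificate expiry. Consider wording the second message as `self.log.error("Not retrying APN connection; check that the APNS certificate is valid and not expired")` so an operator learns that reconnection has stopped. `OpenSSL` is not imported by this hunk, so it is presumably already in scope in applepush.py; worth confirming.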

Modified: CalendarServer/trunk/calendarserver/tap/util.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/util.py	2016-06-12 01:11:06 UTC (rev 15670)
+++ CalendarServer/trunk/calendarserver/tap/util.py	2016-06-14 20:29:09 UTC (rev 15671)
@@ -62,6 +62,7 @@
 from twisted.internet.protocol import Factory
 from twisted.internet.tcp import Connection
 from twisted.protocols import amp
+from twisted.python.procutils import which
 from twisted.python.usage import UsageError
 
 from twistedcaldav.bind import doBind
@@ -1384,6 +1385,10 @@
             if not protoConfig.Enabled:
                 continue
 
+            if not hasattr(OpenSSL, "__SecureTransport__"):
+                if not checkCertExpiration(protoConfig.CertificatePath):
+                    return False, "APNS certificate expired {}".format(protoConfig.CertificatePath)
+
             try:
                 getAPNTopicFromConfig(protocol, accountName, protoConfig)
             except ValueError as e:
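Review bot: The failure message `"APNS certificate expired {}"` attributes every negative result to expiry, but the helper it calls (defined further down this file) returns False for any non-zero `openssl` exit status, which also covers a missing or unparsable certificate file; `return False, "APNS certificate expired or unreadable: {}".format(protoConfig.CertificatePath)` would describe what was actually observed. The helper also returns True without logging when no `openssl` binary is found, so in that case the pre-flight check passes silently; a log line noting that the expiry check was skipped would make that visible. The enclosing function starts and ends outside the hunk.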
@@ -1431,7 +1436,28 @@
         return True, "APNS disabled"
 
 
+def checkCertExpiration(certPath):
+    """
+    See if the given certificate is expired.
 
+    @param certPath: the path of the certificate
+    @type certPath: C{str}
+    @return: True if the cert has not expired (or we can't check because we
+        can't find the openssl command line utility); False otherwise
+    """
+
+    try:
+        opensslTool = which("openssl")[0]
+        args = [opensslTool, "x509", "-checkend", "0", "-noout", "-in", certPath]
+        child = Popen(args=args, stdout=PIPE, stderr=PIPE)
+        output, error = child.communicate()
+        return error == 0
+    except IndexError:
+        # We can't check
+        return True
+
+
+
 def getSSLPassphrase(*ignored):
 
     if not config.SSLPrivateKey:
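Review bot: `return error == 0` in checkCertExpiration compares the stderr bytes returned by `communicate()` with an integer, so the function returns False for every certificate and the pre-flight check reports every APNS certificate as expired. The result of `-checkend` is carried in the exit status, so the line should be `return child.returncode == 0`. `openssl x509` also exits non-zero when the file is missing or unparsable, so a False result does not by itself mean expiry; the docstring's description of the False case should say so. Only `IndexError` is caught, so a failure to start the process (an `OSError` from `Popen`) would propagate out of the pre-flight check rather than being treated as "can't check"; `Popen` and `PIPE` are not imported by this commit, so they are presumably already in scope in util.py.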