TLS cert rotation: attempt to load valid certs for 10 times before disabling TLS

syncplay/constants.py

@@ -187,6 +187,8 @@ STYLE_NOFILEITEM_COLOR = 'blue'
 STYLE_NOTCONTROLLER_COLOR = 'grey'
 STYLE_UNTRUSTEDITEM_COLOR = 'purple'
 
+TLS_CERT_ROTATION_MAX_RETRIES = 10
+
 USERLIST_GUI_USERNAME_OFFSET = 21  # Pixels
 USERLIST_GUI_USERNAME_COLUMN = 0
 USERLIST_GUI_FILENAME_COLUMN = 3

syncplay/protocols.py

@@ -669,7 +669,7 @@ class SyncServerProtocol(JSONCommandProtocol):
     def handleTLS(self, message):
         inquiry = message["startTLS"] if "startTLS" in message else None
         if "send" in inquiry:
-            if not self.isLogged() and self._factory.serverAcceptsTLS and self._factory.options is not None:
+            if not self.isLogged() and self._factory.serverAcceptsTLS:
                 lastEditCertTime = self._factory.checkLastEditCertTime()
                 if lastEditCertTime is not None and lastEditCertTime != self._factory.lastEditCertTime:
                     self._factory.updateTLSContextFactory()

syncplay/server.py

@@ -56,6 +56,7 @@ class SyncFactory(Factory):
             self._statsDbHandle = None
         if tlsCertPath is not None:
             self.certPath = tlsCertPath
+            self._TLSattempts = 0
             self._allowTLSconnections(self.certPath)
         else:
             self.certPath = None
@@ -230,6 +231,7 @@ class SyncFactory(Factory):
 
             self.options = contextFactory
             self.serverAcceptsTLS = True
+            print("TLS support is enabled.")
         except Exception as e:
             self.options = None
             self.serverAcceptsTLS = False
@@ -247,7 +249,9 @@ class SyncFactory(Factory):
 
     def updateTLSContextFactory(self):
         self._allowTLSconnections(self.certPath)
-
+        self._TLSattempts += 1
+        if self._TLSattempts < constants.TLS_CERT_ROTATION_MAX_RETRIES:
+            self.serverAcceptsTLS = True
 
 
 class StatsRecorder(object):