How can I force python apns-client to avoid using SSL 3?

Question

A vulnerability was recently found in SSL 3, and Apple decided to turn it off for push notifications (APNS). Here is the announcement published on Oct 22, 2014.

For the last few days, my development push server has been crashing with this exception:

Traceback (most recent call last):
  File "/var/django/current/manage.py", line 12, in <module>
    execute_from_command_line(sys.argv)
  File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 399, in execute_from_command_line
    utility.execute()
  File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/__init__.py", line 392, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/base.py", line 242, in run_from_argv
    self.execute(*args, **options.__dict__)
  File "/var/django/shared/env/local/lib/python2.7/site-packages/django/core/management/base.py", line 285, in execute
    output = self.handle(*args, **options)
  File "/var/django/releases/7f093a6773161ea21d18c502eaf1a38c76749314/my_app/management/commands/load_apns_feedback.py", line 35, in handle
    for ios_push_notification_hex_token, unavailability_detected_at in feedback_service.feedback():
  File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 696, in feedback
    self._connection.refresh()
  File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 269, in refresh
    self._ensure_socket_open()
  File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 262, in _ensure_socket_open
    self._connect_and_handshake()
  File "/var/django/shared/env/local/lib/python2.7/site-packages/apnsclient/apns.py", line 252, in _connect_and_handshake
    self._connection.do_handshake()
  File "/var/django/shared/env/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1076, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/var/django/shared/env/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 871, in _raise_ssl_error
    _raise_current_error()
  File "/var/django/shared/env/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 22, in exception_from_error_queue
    raise exceptionType(errors)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')]

How can I fix this? Is there a way to tell apns-client to avoid SSL 3 and use TLS instead?

Answer 1

Someone created a patch for apns-client to make it default to TLS, which is Apple's recommended solution going forward. It will certainly be merged soon.

Hope this helps.