Difference between revisions of "Accessing Swestore with cURL"

From SNIC Documentation
m (Optional parameters)
(Optional parameters)
Line 18: Line 18:
 
--location (or -L) instructs cURL to follow HTTP redirects, in this case the 302 redirects that the dCache door uses to direct clients to different storage nodes.
 
--location (or -L) instructs cURL to follow HTTP redirects, in this case the 302 redirects that the dCache door uses to direct clients to different storage nodes.
  
== Optional parameters ==
+
== Required parameters ==
  
  --sslv3
+
  --tls or -1
There exists older cURL versions out there which still prefer SSLv2 when making a connection. They will fail to connect to SweStore national storage with an error along the lines of <tt>curl: (35) Unknown SSL protocol error in connection to ...</tt>. If you use such a client and cannot upgrade or otherwise circumvent the problem, --sslv3 (or -3) instructs those versions of cURL to force SSLv3. This parameter is only recommended and needed for older versions, if you use it you should re-evaluate your need for it whenever you end up upgrading cURL to see if it's still required. Using it unnecessarily for newer versions of cURL that do not exhibit the problem will reduce their choice of SSL/TLS versions and ultimately reduce security strength.
+
Since sslv3 Version is disabled on servers due to POODLE: SSLv3 vulnerability (CVE-2014-3566) but some of the cURL Versions are trying to connect to SSLv3 instead of TLS and failing to connect to with an error along the lines of <tt>curl: (35) Unknown SSL protocol error in connection to ...</tt>.So this parameter is recommended to be used with cURL till the problem is solved.
 +
 
 +
Ex:- curl --tls --location --capath /etc/grid-security/certificates
  
 
== Sample invocations ==
 
== Sample invocations ==
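Review bot: the added parameter line "--tls or -1" and the "Ex:-" command both spell the long option as --tls, but the long form curl documents for -1 is --tlsv1; --tls works only where curl can resolve it as an unambiguous abbreviation. Suggest "--tlsv1 or -1" and "curl --tlsv1 --location --capath /etc/grid-security/certificates". The example command also carries no URL and no --cert, so it cannot be run as written. The removed paragraph told readers to re-evaluate the flag after upgrading cURL, while the new text only says "till the problem is solved"; it would help to state how a reader can tell that it is solved.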

Revision as of 15:06, 12 March 2015



This guide outlines the procedure for using cURL to access files through the WebDAV door of dCache.

Essential parameters

--capath /etc/grid-security/certificates

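The certificate bundle provided through --capath is required in order for cURL to accept the server certificates the door presents. If the certificate bundle is not available, the -k flag may be passed to allow untrusted server certificates. Note that -k (--insecure) switches off server certificate verification altogether, so cURL will also accept a certificate from an impostor server and the data transferred is no longer protected against interception.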

--cert /tmp/x509up_u1234

--cert (or -E) names the proxy certificate generated by arcproxy or similar tools, which is a single PEM file consisting of the client certificate, the proxy key and the proxy certificate. The name will vary based on the user issuing it. grid-proxy-init (and thus arcproxy) will put the certificate in /tmp by default and name it according to the pattern x509up_u<NumericUID>. The -out parameter to grid-proxy-init takes a location to store the certificate in if the default is not sufficient.

--location

--location (or -L) instructs cURL to follow HTTP redirects, in this case the 302 redirects that the dCache door uses to direct clients to different storage nodes.

Required parameters

--tlsv1 or -1

SSLv3 is disabled on the servers because of the POODLE SSLv3 vulnerability (CVE-2014-3566), but some cURL versions still try to connect with SSLv3 instead of TLS and fail with an error along the lines of curl: (35) Unknown SSL protocol error in connection to .... This parameter is therefore recommended with cURL until the problem is solved.

Example: curl --tlsv1 --location --capath /etc/grid-security/certificates

Sample invocations

Download the file 'file-to-download.ext':

curl --location --capath /etc/grid-security/certificates --cert /tmp/x509up_u1234 -O https://webdav.swegrid.se/target/path/file-to-download.ext

Upload the file 'source.file' as 'uploaded.ext':

curl --location --capath /etc/grid-security/certificates --cert /tmp/x509up_u1234 -T ~/source.file https://webdav.swegrid.se/target/path/uploaded.ext
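The parameters above can be combined into a small wrapper that checks the CA directory and the proxy file before curl is called. This is an added example, not part of the original guide: the function names, the return codes and the permission check on the proxy file are assumptions of the example, and --tlsv1 is curl's long form of -1.

```shell
#!/bin/sh
# Added example: preflight checks, then the guide's curl invocations.
# Function names and return codes are this example's own (assumptions).

CAPATH=${CAPATH:-/etc/grid-security/certificates}
# Default proxy name follows the x509up_u<NumericUID> pattern from the guide.
PROXY=${PROXY:-/tmp/x509up_u$(id -u)}

# preflight CAPATH PROXY
# returns 0 = ok, 2 = CA directory missing or empty, 3 = proxy file missing,
# 4 = proxy file accessible to group/others (it holds the proxy key).
preflight() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ] || return 2
    [ -f "$2" ] || return 3
    perms=$(ls -lLd "$2" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" = "------" ] || return 4
    return 0
}

# Shared option set; there is deliberately no fallback to -k.
swestore_curl() {
    preflight "$CAPATH" "$PROXY" || {
        err=$?
        echo "preflight failed (code $err); not calling curl" >&2
        return "$err"
    }
    curl --tlsv1 --location --capath "$CAPATH" --cert "$PROXY" "$@"
}

# swestore_get URL: download into the current directory.
swestore_get() { swestore_curl -O "$1"; }

# swestore_put FILE URL: upload FILE to URL.
swestore_put() { swestore_curl -T "$1" "$2"; }
```

Source the file and call, for example, swestore_get https://webdav.swegrid.se/target/path/file-to-download.ext; a non-zero return code before any transfer identifies which precondition failed.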

Credits

This guide was written by Lars Viklund