Project

General

Profile

Bug #3627

inconsistent SSL peer not auth exceptions with KNB content (godaddy CA)

Added by Rob Nahf about 11 years ago. Updated about 11 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
Rob Nahf
Category:
d1_client_r
Target version:
-
Start date:
Due date:
% Done:

0%

Milestone:
None
Product Version:
*
Story Points:
Sprint:

Description

Some objects can be downloaded with the getD1Object D1Client method (in R), while others give the SSL peer not authorized exception from the same MN (knb.informatics.org). but the problem cannot be duplicated outside the R client.

Test conditions:
1) no client cert
2) no GoDaddy cert in the libclient shipped certs / using default shipped certs to extend the truststore
3) Rob's laptop, updated R client

Behavior:
the following can be downloaded:
doi:10.5063/AA/bowdish.217.3
resourceMap_bowdish.217.3
resourceMap_sharrer.6.1

these cannot
doi:10.5063/AA/bowdish.220.1
doi:10.5063/AA/bowdish.218.1
doi:10.5063/AA/bowdish.219.1
doi:10.5063/AA/sharrer.7.1

laptop was physically restarted to try to unstick any cache and the sharrer items were never seen before the tests, so could not be in libclient LocalCache....

Testing other setups gives consistent results:
1) curl, Rob, no client cert, laptop - both bowdish.220.1, and 217.3 can be downloaded
2) chrome, Rob, can get all objects
3) Robert, from cn, no client cert, gets consistent SSL peer not auth exceptions
4) Rob, via JUnit, no client cert, gets consistent SSL peer not auth exceptions

Testing on desktop R Client duplicates results on laptop

need to try to libclient trunk with laptop.

Related issues

Related to Member Nodes - Task #3583: Production KNB node should return intermediate CA certs Closed 2013-02-17

History

#1 Updated by Rob Nahf about 11 years ago

  • Description updated (diff)

#2 Updated by Rob Nahf about 11 years ago

info from R Client shows fewer CA certificates...

20130227-17:23:02: [INFO]: creating custom TrustManager [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: loading into client truststore: [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: 0 alias CN=DataONE Root CA,DC=dataone,DC=org [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: 1 alias CN=DataONE Production CA,DC=dataone,DC=org [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: 2 alias CN=CILogon Basic CA 1,O=CILogon,C=US,DC=cilogon,DC=org [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: 3 alias CN=CILogon OpenID CA 1,O=CILogon,C=US,DC=cilogon,DC=org [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: 4 alias CN=CILogon Silver CA 1,O=CILogon,C=US,DC=cilogon,DC=org [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: 5 alias CN=RapidSSL CA,O=GeoTrust\, Inc.,C=US [org.dataone.client.auth.CertificateManager]
20130227-17:23:02: [INFO]: using allow-all hostname verifier [org.dataone.client.auth.CertificateManager]
checkServerTrusted - RSA

#3 Updated by Rob Nahf about 11 years ago

  • Status changed from New to Rejected

d1_libclient_java doesn't ship with the godaddy cert that KNB is sending out without the full CA chain. So, by that measure, the R Client should not be able to retrieve any content from that member node.

However, the R Client can gets around this limitation for science metadata and resourceMaps because it gets them from the CN after unsuccessful connect to KNB.

As there is already a ticket related to the missing intermediate certificate in the CA chain sent by KNB, ticket #3583, I'm simply rejecting the ticket.

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 14.8 MB)