Difference between revisions of "Accessing Swestore with cURL"
m (Add categories and "up" link.) |
(Add section on SSLv3 as the problem has been mentioned on dCache user-forum mailing list) |
||
| Line 17: | Line 17: | ||
--location | --location | ||
--location (or -L) instructs cURL to follow HTTP redirects, in this case the 302 redirects that the dCache door uses to direct clients to different storage nodes. | --location (or -L) instructs cURL to follow HTTP redirects, in this case the 302 redirects that the dCache door uses to direct clients to different storage nodes. | ||
| + | |||
| + | == Optional parameters == | ||
| + | |||
| + | --sslv3 | ||
| + | There exists older cURL versions out there which still prefer SSLv2 when making a connection. They will fail to connect to SweStore national storage with an error along the lines of "curl: (35) Unknown SSL protocol error in connection to ...". If you use such a client and cannot upgrade or otherwise circumvent the problem, --sslv3 (or -3) instructs those versions of cURL to force SSLv3. This parameter is only recommended and needed for older versions, if you use it you should re-evaluate your need for it whenever you end up upgrading cURL to see if it's still required. Using it unnecessarily for newer versions of cURL that do not exhibit the problem will reduce their choice of SSL/TLS versions and ultimately reduce security strength. | ||
== Sample invocations == | == Sample invocations == | ||
Revision as of 15:58, 21 November 2013
This guide outlines the procedure for using cURL to access files through the WebDav door of dCache.
Essential parameters
--capath /etc/grid-security/certificates
The certificate bundle provided through --capath is required in order for cURL to accept the server certificates the door presents. If the certificate bundle is not available, the -k flag may be passed to allow untrusted server certificates.
--cert /tmp/x509up_u1234
--cert (or -E) names the proxy certificate generated by arcproxy or similar tools, which is a single PEM file consisting of the client certificate, the proxy key and the proxy certificate. The name will vary based on the user issuing it. grid-proxy-init (and thus arcproxy) will put the certificate in /tmp by default and name it according to the pattern x509up_u<NumericUID>. The -out parameter to grid-proxy-init takes a location to store the certificate in if the default is not sufficient.
--location
--location (or -L) instructs cURL to follow HTTP redirects, in this case the 302 redirects that the dCache door uses to direct clients to different storage nodes.
Optional parameters
--sslv3
There exists older cURL versions out there which still prefer SSLv2 when making a connection. They will fail to connect to SweStore national storage with an error along the lines of "curl: (35) Unknown SSL protocol error in connection to ...". If you use such a client and cannot upgrade or otherwise circumvent the problem, --sslv3 (or -3) instructs those versions of cURL to force SSLv3. This parameter is only recommended and needed for older versions, if you use it you should re-evaluate your need for it whenever you end up upgrading cURL to see if it's still required. Using it unnecessarily for newer versions of cURL that do not exhibit the problem will reduce their choice of SSL/TLS versions and ultimately reduce security strength.
Sample invocations
Downloads the file 'file-to-download.ext':
curl --location --capath /etc/grid-security/certificates --cert /tmp/x509up_u1234 -O https://webdav.swegrid.se/target/path/file-to-download.ext
Upload the file 'source.file' as 'uploaded.ext':
curl --location --capath /etc/grid-security/certificates --cert /tmp/x509up_u1234 -T ~/source.file https://webdav.swegrid.se/target/path/uploaded.ext
Credits
This guide was written by Lars Viklund
