Details
-
Type:
Connection Issue
-
Status: Closed (View Workflow)
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Labels:None
-
Story Points:1
-
Sprint:Fall 2019 Sprint 2, Fall 2019 Sprint 3
Description
Situation:
After maintenance to CyVerse systems, IGB stopped being able to connect and retrieve data from public CyVerse files from https://data.cyverse.org/dav-anon/iplant/home/.
When IGB tried to load data from the CyVerse URL, it would ask if the user trusts the certificate - 1.2.840.113549.1.9.1=#1620726f6f74407230336330387531382d6461762d312e637976657273652e6f7267,CN=r03c08u18-dav-1.cyverse.org,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--,
If the user consented, IGB would then fail to connect and would issue a warning to the user saying the URL failed to load.
Confusingly, the same URL would work correctly in a web browser (the data would be downloaded), and the certificates were considered valid.
Resolution:
After talking with the CyVerse team, they believe the issue had to do with Server Name Indication (SNI). The server is data.cyverse.org, however, the certificate that was being sent (as can be seen from the IGB message) was r03c08u18-dav-1.cyverse.org. Most likely IGB does not handle SNI and as the certificate did not match the server, considered it invalid.
CyVerse has updated their server configuration, and the new certificate reads as *.cyverse.org, which works correctly with IGB.
Attachments
Issue Links
- relates to
-
IGBF-2009 Rework IGB Trust Certificate Dialog
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Epic Link |
|
| Status | Open [ 1 ] | To-Do [ 10305 ] |
| Status | To-Do [ 10305 ] | In Progress [ 3 ] |
| Description |
Situation:
After maintenance to CyVerse systems, IGB stopped being able to connect and retrieve data from public CyVerse files from https://data.cyverse.org/dav-anon/iplant/home/. When IGB tried to load data from the CyVerse URL, it would ask if the user trusts the certificate - 1.2.840.113549.1.9.1=#1620726f6f74407230336330387531382d6461762d312e637976657273652e6f7267,CN=r03c08u18-dav-1.cyverse.org,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--, If the user consented, IGB would then fail to connect and would issue a warning to the user saying the URL failed to load. Confusingly, the same URL would work correctly in a web browser (the data would be downloaded), and the certificates were considered valid. Resolution: After talking with the CyVerse team, the issue had to do with Server Name Indication (SNI). The server is data.cyverse.org, however, the certificate that was being sent (as can be seen from the IGB message) was r03c08u18-dav-1.cyverse.org. Most likely IGB does not handle SNI and as the certificate did not match the server, considered it invalid. CyVerse has updated their server configuration, and the new certificate reads as *.cyverse.org, which works correctly with IGB. |
Situation:
After maintenance to CyVerse systems, IGB stopped being able to connect and retrieve data from public CyVerse files from https://data.cyverse.org/dav-anon/iplant/home/. When IGB tried to load data from the CyVerse URL, it would ask if the user trusts the certificate - 1.2.840.113549.1.9.1=#1620726f6f74407230336330387531382d6461762d312e637976657273652e6f7267,CN=r03c08u18-dav-1.cyverse.org,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--, If the user consented, IGB would then fail to connect and would issue a warning to the user saying the URL failed to load. Confusingly, the same URL would work correctly in a web browser (the data would be downloaded), and the certificates were considered valid. Resolution: After talking with the CyVerse team, they believe the issue had to do with Server Name Indication (SNI). The server is data.cyverse.org, however, the certificate that was being sent (as can be seen from the IGB message) was r03c08u18-dav-1.cyverse.org. Most likely IGB does not handle SNI and as the certificate did not match the server, considered it invalid. CyVerse has updated their server configuration, and the new certificate reads as *.cyverse.org, which works correctly with IGB. |
| Status | In Progress [ 3 ] | Needs 1st Level Review [ 10005 ] |
| Assignee | Nowlan Freese [ nfreese ] |
| Sprint | Fall 2019 Sprint 2 [ 73 ] | Fall 2019 Sprint 2, Fall 2019 Sprint 4 [ 73, 74 ] |
| Rank | Ranked higher |
| Status | Needs 1st Level Review [ 10005 ] | First Level Review in Progress [ 10301 ] |
| Status | First Level Review in Progress [ 10301 ] | Ready for Pull Request [ 10304 ] |
| Status | Ready for Pull Request [ 10304 ] | Pull Request Submitted [ 10101 ] |
| Status | Pull Request Submitted [ 10101 ] | Reviewing Pull Request [ 10303 ] |
| Status | Reviewing Pull Request [ 10303 ] | Merged Needs Testing [ 10002 ] |
| Status | Merged Needs Testing [ 10002 ] | Post-merge Testing In Progress [ 10003 ] |
| Status | Post-merge Testing In Progress [ 10003 ] | Closed [ 6 ] |
| Resolution | Fixed [ 1 ] |
| Assignee | Nowlan Freese [ nfreese ] |
| Workflow | Fall 2019 Workflow Update [ 20765 ] | Revised Fall 2019 Workflow Update [ 22510 ] |