We teach a Sat. Oceanography lab every year and rely on the OceanColor data and Seadas for part of the lab during the semester. I am sniffing out problems, (we had a LOT of connectivity issues last year) and am experiencing download timeouts from both the L1&L2 browser, and the "Direct Data Access" files, which I ralize are the same CGI source...
I am working from a fuily up-to-date Centos 7 (7.4.1708) workstation. I have tried to make some sense of the openssl "cookbook" but it's pretty opaque.
The first test results in:
$ openssl s_client -connect oceancolor.gsfc.nasa.gov:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = oceancolor.sci.gsfc.nasa.gov
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=oceancolor.sci.gsfc.nasa.gov
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE5zCCBI6gAwIBAgIQYO599t+yPkKgiQdZJ7rZ7TAKBggqhkjOPQQDAjCBkDEL
.....lines deleted.......
QlpDJ2UMm0dBQSjVnqA6CmCtGxGq3K7S2AIgLY1SU/UogJgP3L7zGob4fLgx+Eve
VQ5C+P8Pr+V8fzw=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=oceancolor.sci.gsfc.nasa.gov
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3502 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 806E7C7CA724472CCA74FA29703C5053F6E7E4740B51E79CAEBC11F2B28E3E94F832FC67065366F887000907F5A31B35
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1521494303
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
Using a browser, the download seems to start, and then times out ("Failed - network error" is all Chrome says). Using curl, I am seeing failures as shown below. If I wait several seconds I _might_ see success, or I might see a repeated failure. This was pretty much the behavior I fought last year. I can assure that a firewall at my end is NOT the issue. My attempts are from the 130.39.x.x domain, around 16:25 Central time. As I write this, I am seeing repeated successes and failures. I am simply waiting a few to many seconds, hitting up-arrow to repeat the "curl" command, so no scripts running at my end. As I understand the "throttle" I'd have to make multiple request PER second. The goal will be to have 8 students able to reliably download a granule (or two) for class use in teaching theory, etc. Any bulk data requests would be handled through my own (lab admin) subscription, or by directing the student to register themselves for any research, etc.
$ curl -vvv -O https://oceandata.sci.gsfc.nasa.gov/cgi/getfile/A2018074193500.L1A_LAC.bz2
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to oceandata.sci.gsfc.nasa.gov port 443 (#0)
* Trying 2001:4d0:2418:128::84...
* Connected to oceandata.sci.gsfc.nasa.gov (2001:4d0:2418:128::84) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=oceancolor.sci.gsfc.nasa.gov,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* start date: Dec 14 00:00:00 2016 GMT
* expire date: Dec 14 23:59:59 2019 GMT
* common name: oceancolor.sci.gsfc.nasa.gov
* issuer: CN=COMODO ECC Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /cgi/getfile/A2018074193500.L1A_LAC.bz2 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: oceandata.sci.gsfc.nasa.gov
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Mon, 19 Mar 2018 21:18:50 GMT
< Content-Type: application/octet-stream
< Content-Length: 231070539
< Connection: keep-alive
< Keep-Alive: timeout=60
< Last-Modified: Thu, 15 Mar 2018 20:54:37 GMT
< Content-Disposition: attachment; filename=A2018074193500.L1A_LAC.bz2
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
<
{ [data not shown]
34 220M 34 75.2M 0 0 6217k 0 0:00:36 0:00:12 0:00:24 6217k* SSL read: errno -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
36 220M 36 79.5M 0 0 6552k 0 0:00:34 0:00:12 0:00:22 6551k
* Closing connection 0
curl: (56) TCP connection reset by peer
Many thanks!
Alaric Haag
Systems Admin
LSU Earth Scan Laboratory
