NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802) in iOS 9? - objective-c

I know this question has been asked before! But none of the solutions seem to work for me. I'm getting this error while playing an audio file via URL.
Note: The server has been upgraded according to Apple ATS and is using https://. All the network calls are updated (AFNetworking 3.0) to be compatible with iOS 9. No workaround has been made, such as handling an exception in the plist (see below).
I have to play a video/audio file from the code snippet below, which throws this error: NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9802)
How the app plays the video/audio file:
// This is an https URL:
self.movieController = [[MPMoviePlayerController alloc] initWithContentURL:[NSURL URLWithString:self.browserMediaItem.mediaItem.media_item_hd_url]];
self.movieController.movieSourceType = MPMovieSourceTypeFile;
[self.movieController prepareToPlay];
[self.movieController.view setFrame:_photoImageView.frame];
[self addSubview:self.movieController.view];
[self.movieController play];
If I add the <key>NSAllowsArbitraryLoads</key> line to the plist, it gives the error below.
NSURLSession/NSURLConnection HTTP load failed (kCFStreamErrorDomainSSL, -9843)
Here is my .plist file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>AppName</string>
<key>CFBundleExecutable</key>
<string>${EXECUTABLE_NAME}</string>
<key>CFBundleIdentifier</key>
<string>domain.com</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>${PRODUCT_NAME}</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>2.2.2</string>
<key>CFBundleSignature</key>
<string>????</string>
<key>CFBundleVersion</key>
<string>73</string>
<key>LSRequiresIPhoneOS</key>
<true/>
<key>UIAppFonts</key>
<array>
<string>OpenSans-Italic.ttf</string>
<string>FontAwesome.ttf</string>
<string>OpenSans-Semibold.ttf</string>
<string>OpenSans-Bold.ttf</string>
<string>OpenSans-Regular.ttf</string>
<string>OpenSans-Light.ttf</string>
</array>
<key>UIMainStoryboardFile</key>
<string>Main_iPhone</string>
<key>UIMainStoryboardFile~ipad</key>
<string>Main_iPad</string>
<key>UIRequiredDeviceCapabilities</key>
<array>
<string>armv7</string>
</array>
<key>UIStatusBarHidden</key>
<false/>
<key>UIStatusBarStyle</key>
<string>UIStatusBarStyleBlackTranslucent</string>
<key>UISupportedInterfaceOrientations</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
</array>
<key>UISupportedInterfaceOrientations~ipad</key>
<array>
<string>UIInterfaceOrientationPortrait</string>
</array>
<key>UIViewControllerBasedStatusBarAppearance</key>
<false/>
<key>UIViewEdgeAntialiasing</key>
<true/>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>
</dict>
</plist>
Edited:
Output of curl -v your_url:
* Trying 40.146.243.53...
* Connected to t-mobi.name.school.nz (40.146.243.53) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.name.school.nz
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> GET /api/v2/users/bW9iaWxldGVzdA==/galleries/197/audios/27 HTTP/1.1
> Host: t-mobi.name.school.nz
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: -1
< Location: https://t.azure.name.school.nz//DataStore/Users/test/uSpace/Audio/mp3/0b27c797-5.mp3
< Server: Microsoft-IIS/8.5
< X-AspNet-Version: 4.0.30319
< X-Powered-By: ASP.NET
< Date: Mon, 22 Feb 2016 18:33:16 GMT
< Content-Length: 0
<
* Connection #0 to host t-mobi.name.school.nz left intact
Output for: openssl s_client -connect your_host:your_port -showcerts (i.e. openssl s_client -connect t-mobi.name.school.nz:443 -showcerts):
CONNECTED(00000003)
709:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:593:
Output for curl -vL url:
* Trying 40.146.243.53...
* Connected to t-mobi.name.school.nz (40.146.243.53) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.name.school.nz
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> GET /api/v2/users/bW9iaWxldGVzdA==/galleries/197/audios/27 HTTP/1.1
> Host: t-mobi.name.school.nz
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Pragma: no-cache
< Expires: -1
< Location: https://t.name.school.nz//DataStore/Users/mobiletest/uSpace/Audio/mp3/0b27c797-5.mp3
< Server: Microsoft-IIS/8.5
< X-AspNet-Version: 4.0.30319
< X-Powered-By: ASP.NET
< Date: Tue, 23 Feb 2016 03:50:12 GMT
< Content-Length: 0
<
* Connection #0 to host t-mobi.name.school.nz left intact
* Issue another request to this URL: 'https://t.name.school.nz//DataStore/Users/mobiletest/uSpace/Audio/mp3/0b27c797-5.mp3'
* Trying 40.146.243.53...
* Connected to t.name.school.nz (40.146.243.53) port 443 (#1)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.name.school.nz
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> GET //DataStore/Users/mobiletest/uSpace/Audio/mp3/0b27c797-5.mp3 HTTP/1.1
> Host: t.name.school.nz
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: public,max-age=1209601
< Content-Type: audio/mpeg
< Last-Modified: Fri, 19 Feb 2016 02:22:53 GMT
< Accept-Ranges: bytes
< ETag: "fb7d26fbc6ad11:0"
< Server: Microsoft-IIS/8.5
< X-Powered-By: ASP.NET
< Date: Tue, 23 Feb 2016 03:50:16 GMT
< Content-Length: 2593081
<
Output for whereis openssl:
/usr/bin/openssl
Output for openssl version:
OpenSSL 0.9.8zg 14 July 2015
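An added check, not from the question or any answer: a small Python script that parses a curl -v trace of the kind shown above and reports what ATS (TLS 1.2, an ECDHE cipher suite, a certificate name that covers the host) or a redirect would make the iOS client reject. SecureTransport reports a host-name mismatch as -9843, and an RFC 6125 wildcard covers exactly one label, so a redirect from a host covered by *.name.school.nz to t.azure.name.school.nz is worth checking; the trace text, IP address and paths below are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed curl -v trace shaped like the one in the question (IP, paths and
# file names are made up; the certificate and host names follow the question).
SAMPLE_TRACE = """\
* Trying 203.0.113.10...
* Connected to t-mobi.name.school.nz (203.0.113.10) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.name.school.nz
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> GET /api/v2/users/example/galleries/1/audios/1 HTTP/1.1
> Host: t-mobi.name.school.nz
< HTTP/1.1 302 Found
< Location: https://t.azure.name.school.nz//DataStore/Users/test/Audio/mp3/example.mp3
< Content-Length: 0
* Connection #0 to host t-mobi.name.school.nz left intact
"""


def hostname_matches(pattern, host):
    """RFC 6125 style match as TLS clients apply it: a wildcard is accepted only as
    the whole leftmost label, stands for exactly one label, and needs at least
    two labels after it (so *.name.school.nz does not cover t.azure.name.school.nz)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def parse_curl_trace(text):
    """Per connection in a curl -v trace: host, TLS version, cipher suite,
    certificate names in chain order and the Location header, if any."""
    hops, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\* Connected to (\S+) \(", line)
        if m:
            cur = {"host": m.group(1), "tls": None, "cipher": "",
                   "cert_names": [], "location": None}
            hops.append(cur)
            continue
        if cur is None:
            continue
        # curl 7.4x prints "* TLS 1.2 connection using <suite>"; newer versions
        # print "* SSL connection using TLSv1.2 / <suite>".
        m = (re.match(r"\* TLS ?v?([\d.]+) connection using (\S+)", line)
             or re.match(r"\* SSL connection using TLSv([\d.]+) / (\S+)", line))
        if m:
            cur["tls"], cur["cipher"] = m.group(1), m.group(2)
        elif line.startswith("* Server certificate: "):
            cur["cert_names"].append(line[len("* Server certificate: "):])
        elif line.lower().startswith("< location: "):
            cur["location"] = line[len("< location: "):]
    return hops


def ats_findings(hops):
    """Report what ATS (TLS 1.2, an ECDHE cipher, a certificate name covering the
    host) or a redirect in the trace would make the iOS client reject."""
    findings = []
    for hop in hops:
        host, leaf = hop["host"], (hop["cert_names"] or [None])[0]
        if hop["tls"] is None or float(hop["tls"]) < 1.2:
            findings.append(f"{host}: ATS requires TLS 1.2 or later, trace shows {hop['tls']}")
        if "ECDHE" not in hop["cipher"]:
            findings.append(f"{host}: ATS requires forward secrecy, trace shows {hop['cipher'] or 'no cipher'}")
        if leaf and not hostname_matches(leaf, host):
            findings.append(f"{host}: not covered by certificate name {leaf}")
        if hop["location"]:
            target = urlparse(hop["location"])
            if target.scheme != "https":
                findings.append(f"{host}: redirects to non-https URL {hop['location']}")
            elif leaf and target.hostname and not hostname_matches(leaf, target.hostname):
                findings.append(f"{host}: redirect target {target.hostname} is not covered by {leaf}; "
                                "if that host serves the same certificate the client sees a "
                                "host name mismatch (SecureTransport error -9843)")
    return findings


if __name__ == "__main__":
    for finding in ats_findings(parse_curl_trace(SAMPLE_TRACE)):
        print(finding)
```

Run it against the output of curl -vL for the media URL; every hop of the redirect chain is checked, not only the first one.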


curl authentication works with `--netrc` but not `--user`

With curl 7.74.0, the command
$ curl -b ~/.cookies -c ~/.cookies -L --user 'USERNAME:PASSWORD' https://daac.ornl.gov/daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt
yields HTTP 401 (verbose output listed below). However, the following works:
$ echo 'machine urs.earthdata.nasa.gov login USERNAME password PASSWORD' >>~/.netrc
$ curl -b ~/.cookies -c ~/.cookies -L --netrc https://daac.ornl.gov/daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt
Why is that? Shouldn't these approaches be equivalent? Perhaps there's an extra option I need to convince curl to pass the credentials set with --user down to urs.earthdata.nasa.gov.
You can create an Earthdata account at https://urs.earthdata.nasa.gov/users/new to test these commands.
(N.B. The --user version works if you already have a valid login cookie from the --netrc version. The question is why login doesn't work.)
The -v output for the --user version is (authenticating cookies etc. censored with "XXX"):
* Trying 160.91.19.24:443...
* Connected to daac.ornl.gov (160.91.19.24) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Tennessee; L=Oak Ridge; O=Oak Ridge National Laboratory; OU=DAAC; CN=*.ornl.gov
* start date: Jul 14 00:00:00 2020 GMT
* expire date: Oct 11 12:00:00 2022 GMT
* subjectAltName: host "daac.ornl.gov" matched cert's "*.ornl.gov"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
* Server auth using Basic with user 'Kodiologist'
> GET /daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt HTTP/1.1
> Host: daac.ornl.gov
> Authorization: Basic XXX
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Mon, 25 Apr 2022 13:02:02 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host daac.ornl.gov left intact
The -v output for the --netrc version is:
* Couldn't find host daac.ornl.gov in the .netrc file; using defaults
* Trying 160.91.19.24:443...
* Connected to daac.ornl.gov (160.91.19.24) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Tennessee; L=Oak Ridge; O=Oak Ridge National Laboratory; OU=DAAC; CN=*.ornl.gov
* start date: Jul 14 00:00:00 2020 GMT
* expire date: Oct 11 12:00:00 2022 GMT
* subjectAltName: host "daac.ornl.gov" matched cert's "*.ornl.gov"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
> GET /daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt HTTP/1.1
> Host: daac.ornl.gov
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Mon, 25 Apr 2022 13:03:08 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000
< Location: https://urs.earthdata.nasa.gov/oauth/authorize?app_type=401&client_id=XXXA&response_type=code&redirect_uri=https%3A%2F%2Fdaac.ornl.gov%2Fdaacdata%2Fdoesntmater&state=XXX
< Content-Length: 518
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host daac.ornl.gov left intact
* Issue another request to this URL: 'https://urs.earthdata.nasa.gov/oauth/authorize?app_type=401&client_id=XXX&response_type=code&redirect_uri=https%3A%2F%2Fdaac.ornl.gov%2Fdaacdata%2Fdoesntmater&state=XXX'
* Trying 198.118.243.33:443...
* Connected to urs.earthdata.nasa.gov (198.118.243.33) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Maryland; L=Greenbelt; jurisdictionC=US; O=NASA (National Aeronautics and Space Administration); businessCategory=Government Entity; serialNumber=1958-07-29; CN=urs.earthdata.nasa.gov
* start date: Aug 27 16:09:18 2021 GMT
* expire date: Sep 12 16:09:18 2022 GMT
* subjectAltName: host "urs.earthdata.nasa.gov" matched cert's "urs.earthdata.nasa.gov"
* issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2014 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1M
* SSL certificate verify ok.
* Server auth using Basic with user 'Kodiologist'
> GET /oauth/authorize?app_type=401&client_id=XXX&response_type=code&redirect_uri=https%3A%2F%2Fdaac.ornl.gov%2Fdaacdata%2Fdoesntmater&state=XXX HTTP/1.1
> Host: urs.earthdata.nasa.gov
> Authorization: Basic XXX
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.20.1
< Date: Mon, 25 Apr 2022 13:03:08 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: no-store
< Pragma: no-cache
< Expires: Fri, 01 Jan 1990 00:00:00 GMT
< Access-Control-Allow-Origin: null
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST
< Access-Control-Expose-Headers: true
< Location: https://daac.ornl.gov/daacdata/doesntmater?code=XXX&state=XXX
* Added cookie urs_user_already_logged="yes" for domain earthdata.nasa.gov, path /, expire 1650978188
< Set-Cookie: urs_user_already_logged=yes; domain=earthdata.nasa.gov; path=/; expires=Tue, 26 Apr 2022 13:03:08 GMT; secure; HttpOnly
* Added cookie _urs-gui_session="XXX" for domain urs.earthdata.nasa.gov, path /, expire 1650978188
< Set-Cookie: _urs-gui_session=XXX; path=/; expires=Tue, 26 Apr 2022 13:03:08 GMT; HttpOnly
< X-Request-Id: XXX
< X-Runtime: 0.053834
< Strict-Transport-Security: max-age=31536000
<
* Ignoring the response-body
* Connection #1 to host urs.earthdata.nasa.gov left intact
* Issue another request to this URL: 'https://daac.ornl.gov/daacdata/doesntmater?code=XXX&state=XXX'
* Couldn't find host daac.ornl.gov in the .netrc file; using defaults
* Found bundle for host daac.ornl.gov: XXX [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host daac.ornl.gov
* Connected to daac.ornl.gov (160.91.19.24) port 443 (#0)
> GET /daacdata/doesntmater?code=XXX&state=XXX HTTP/1.1
> Host: daac.ornl.gov
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Mon, 25 Apr 2022 13:03:08 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000
* Added cookie AppAuth="XXX" for domain daac.ornl.gov, path /, expire 0
< Set-Cookie: AppAuth=XXX; Path=/
< Location: https://daac.ornl.gov/daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt
< Content-Length: 284
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host daac.ornl.gov left intact
* Issue another request to this URL: 'https://daac.ornl.gov/daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt'
* Couldn't find host daac.ornl.gov in the .netrc file; using defaults
* Found bundle for host daac.ornl.gov: XXX [serially]
* Can not multiplex, even if we wanted to!
* Connection 0 seems to be dead!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
* Hostname daac.ornl.gov was found in DNS cache
* Trying 160.91.19.24:443...
* Connected to daac.ornl.gov (160.91.19.24) port 443 (#2)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Tennessee; L=Oak Ridge; O=Oak Ridge National Laboratory; OU=DAAC; CN=*.ornl.gov
* start date: Jul 14 00:00:00 2020 GMT
* expire date: Oct 11 12:00:00 2022 GMT
* subjectAltName: host "daac.ornl.gov" matched cert's "*.ornl.gov"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
> GET /daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt HTTP/1.1
> Host: daac.ornl.gov
> User-Agent: curl/7.74.0
> Accept: */*
> Cookie: AppAuth=XXX
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 25 Apr 2022 13:03:09 GMT
< Server: Apache
< Strict-Transport-Security: max-age=31536000
< Last-Modified: Mon, 07 Dec 2020 22:32:53 GMT
< ETag: "5b5-5b5e76833e87e"
< Accept-Ranges: bytes
< Content-Length: 1461
< Vary: Accept-Encoding
< Content-Type: text/plain; charset=UTF-8
<
station_id,station_name,stn_lat,stn_lon,stnz
RQC00660152,AGUIRRE,17.9556,-66.2222,7.6
RQC00664193,GUAYAMA 2E,17.9783,-66.0875,21.9
RQC00665693,MAGUEYES IS,17.9722,-67.0461,3.7
VQC00671740,CHRISTIANSTED FT,17.7469,-64.7014,9.1
VQW00011624,CHRISTIANSTED AP,17.7028,-64.8056,18.6
RQC00660061,ADJUNTAS SUBSTN,18.1747,-66.7978,557.8
RQC00660158,AIBONITO 1 S,18.1281,-66.2642,710.2
RQC00660426,ARECIBO OBSY,18.3494,-66.7525,323.1
RQC00662801,COLOSO,18.3808,-67.1569,12.2
RQC00663431,DOS BOCAS,18.3361,-66.6667,61.0
RQC00664614,HUMACAO NATURAL RESERVE,18.1506,-66.7719,2.7
RQC00664702,ISABELA SUBSTN,18.4653,-67.0525,128.0
RQC00665097,LAJAS SUBSTN,18.0331,-67.0722,27.4
RQC00665807,MANATI 2 E,18.4308,-66.4661,76.2
RQC00665908,MARICAO 2 SSW,18.1511,-66.9889,863.2
RQC00666730,PALMAREJO VEGA BAJA,18.385,-66.43,170.7
RQC00667292,PONCE 4 E,18.0258,-66.5253,21.3
RQC00668306,RIO PIEDRAS EXP STN,18.3906,-66.0542,28.0
RQC00669415,TOA BAJA LEVITTOWN,18.4356,-66.1678,8.5
RQC00669432,TORO NEGRO FOREST,18.1731,-66.4928,868.1
RQC00669521,TRUJILLO ALTO 2 SSW,18.3283,-66.0164,35.1
RQW00011641,SAN JUAN L M MARIN AP,18.4325,-66.0108,2.7
RQC00665064,JUNCOS 1 SE,18.2264,-65.9114,64.9
RQC00666343,CULEBRA HILL,18.2972,-65.29,71.3
RQC00666725,PALMA SOLA,18.3169,-65.8664,466.0
RQC00668814,WFO SAN JUAN,18.4311,-65.9917,3.0
RQW00011630,ROOSEVELT ROADS,18.255,-65.6408,10.1
VQC00677600,REDHOOK BAY ST THOMAS,18.3236,-64.8542,0.6
VQW00011640,CHARLOTTE AMALIE AP,18.3331,-64.9667,6.1
* Connection #2 to host daac.ornl.gov left intact
The --user version works if -L is replaced with --location-trusted and --anyauth is added.
In your netrc you specifically say "this is the username:password for urs.earthdata.nasa.gov", and your command first connects to a different domain: daac.ornl.gov. So your netrc does not trigger on daac.ornl.gov; your "broken" curl command sends the username:password to daac.ornl.gov, daac.ornl.gov does not like this invalid username:password, and your curl request gets rejected. Meanwhile, your working curl command does not send the username:password to daac.ornl.gov, so daac.ornl.gov proceeds to redirect you to urs.earthdata.nasa.gov; here your netrc kicks in and your username:password gets sent to urs.earthdata.nasa.gov as it should.
Unfortunately, curl does not (currently?) support loading netrc from stdin, and does not support setting username:password for specific domains via arguments (not as far as I know, anyway), so your best bet is probably:
NETRCTMPFILE="$(mktemp)"
echo 'machine urs.earthdata.nasa.gov login USERNAME password PASSWORD' > "$NETRCTMPFILE";
curl -b ~/.cookies -c ~/.cookies -L --netrc-file "$NETRCTMPFILE" https://daac.ornl.gov/daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt
rm "$NETRCTMPFILE"
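To make the host scoping described above concrete, here is an added Python simulation (not curl's code and not from the answer) of which hops of the redirect chain in the question receive Basic credentials under --user with -L, under --user with --location-trusted (the variant mentioned earlier on this page) and under --netrc with -L. It uses the stdlib netrc parser; the chain URLs, query strings and netrc entry are constructed.

```python
import netrc
import os
import tempfile
from urllib.parse import urlparse

# Constructed netrc entry and redirect chain mirroring the question's trace
# (daac.ornl.gov -> urs.earthdata.nasa.gov -> daac.ornl.gov); query strings are made up.
NETRC_TEXT = "machine urs.earthdata.nasa.gov login USERNAME password PASSWORD\n"
REDIRECT_CHAIN = [
    "https://daac.ornl.gov/daacdata/daymet/example.txt",
    "https://urs.earthdata.nasa.gov/oauth/authorize?app_type=401&client_id=X",
    "https://daac.ornl.gov/daacdata/doesntmater?code=X&state=X",
]


def netrc_credentials(netrc_text, host):
    """Look a host up the way curl --netrc does: only a 'machine' entry naming the
    host (or a 'default' entry) yields credentials. The stdlib parser needs a
    file, so the text is written to a temporary one and removed afterwards."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as f:
        f.write(netrc_text)
        path = f.name
    try:
        auth = netrc.netrc(path).authenticators(host)
    finally:
        os.unlink(path)
    return None if auth is None else (auth[0], auth[2])


def credential_plan(chain, mode, user=None, netrc_text=""):
    """For each hop of a redirect chain, decide whether Basic credentials are attached,
    following curl's documented rules:
      'user'         : --user with -L; credentials go to the host the request started
                       on and are dropped when a redirect leads to another host
      'user-trusted' : --user with --location-trusted; credentials go to every host
      'netrc'        : --netrc with -L; credentials go only to hosts named in netrc"""
    first_host = urlparse(chain[0]).hostname
    plan = []
    for url in chain:
        host = urlparse(url).hostname
        if mode == "user":
            creds = user if host == first_host else None
        elif mode == "user-trusted":
            creds = user
        elif mode == "netrc":
            creds = netrc_credentials(netrc_text, host)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        plan.append((host, creds is not None))
    return plan


if __name__ == "__main__":
    creds = ("USERNAME", "PASSWORD")
    for mode, kwargs in (("user", {"user": creds}),
                         ("user-trusted", {"user": creds}),
                         ("netrc", {"netrc_text": NETRC_TEXT})):
        print(mode)
        for host, sent in credential_plan(REDIRECT_CHAIN, mode, **kwargs):
            print(f"  {host:28} Basic credentials sent: {sent}")
```

The 'user' row shows why the question's first command fails: the credentials reach daac.ornl.gov (which rejects them with 401) and would never reach urs.earthdata.nasa.gov, while the netrc row sends them only where the machine entry matches.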
You're using quotes around the username and password. In my experience this causes issues.
Try:
curl -b ~/.cookies -c ~/.cookies -L --user USERNAME:PASSWORD https://daac.ornl.gov/daacdata/daymet/Daymet_V4_Stn_Level_CrossVal/data/stnxvalmeta_tmin_pr_2016.txt
This has issues with your user and password being present in bash history.
This link has a lot of good info on other ways to do this safely too
https://stackoverflow.com/a/56130884/496405

Error while curling a https website using self signed certificate

I am trying to curl a tool's REST API which is using a self-signed certificate.
curl -D- -u user:pass -X GET -H "Content-Type: application/json" https://server:8006/api2/json/nodes
It gives the following error:
"curl: (60) SSL certificate problem: unable to get local issuer certificate"
When using the insecure option, the following output is received:
HTTP/1.1 401 No ticket
Cache-Control: max-age=0
Connection: close
Date: Mon, 22 Aug 2016 15:25:18 GMT
Pragma: no-cache
Server: pve-api-daemon/3.0
Expires: Mon, 22 Aug 2016 15:25:18 GMT
I tried generating server certificate using:
echo "" | openssl s_client -connect server:8006 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > cacert.pem
However, when using this certificate with the --cacert option it still gives the "curl: (60) SSL certificate problem: unable to get local issuer certificate" error message.
Please let me know what I am missing.
A self-signed certificate is untrusted by design; you can't get a self-signed certificate to be trusted.
If you want the certificate to be trusted, you need to purchase/request the certificate from a trusted Certificate Authority.
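A caveat worth adding here: --cacert does accept a self-signed certificate, but only when the file holds the certificate that is actually self-signed (subject equals issuer). Without -showcerts, s_client prints only the leaf certificate, so if the server's certificate was issued by a private CA, the sed pipeline in the question saves a certificate whose issuer curl still cannot find, which is exactly the error reported. The Python below is an added example (not from the question or the answer) that parses full openssl s_client -showcerts output, tells the two cases apart and names the certificate to save; the chain text and PEM bodies are constructed samples.

```python
import re

# Constructed openssl s_client -showcerts output (sample text, not the
# questioner's server): the leaf is issued by a private CA that is sent along.
CHAIN_WITH_CA = """\
---
Certificate chain
 0 s:/CN=server.example.internal
   i:/O=Example Lab/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
 1 s:/O=Example Lab/CN=Example Internal CA
   i:/O=Example Lab/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server.example.internal
issuer=/O=Example Lab/CN=Example Internal CA
"""

# The same server without -showcerts: only the leaf PEM is printed, which is
# all the sed pipeline in the question can capture.
LEAF_ONLY = """\
---
Certificate chain
 0 s:/CN=server.example.internal
   i:/O=Example Lab/CN=Example Internal CA
---
Server certificate
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
subject=/CN=server.example.internal
issuer=/O=Example Lab/CN=Example Internal CA
"""


def parse_chain(text):
    """Return the chain s_client printed as dicts of index, subject, issuer and PEM."""
    chain, current, pem = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(\d+)\s+s:(.*)", line)
        if m:
            current = {"index": int(m.group(1)), "subject": m.group(2).strip(),
                       "issuer": None, "pem": None}
            chain.append(current)
        elif line.startswith("i:") and current is not None:
            current["issuer"] = line[2:].strip()
        elif line.startswith("Server certificate"):
            current = chain[0] if chain else None  # the PEM that follows is the leaf
        elif line == "-----BEGIN CERTIFICATE-----":
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line == "-----END CERTIFICATE-----":
                if current is not None and current["pem"] is None:
                    current["pem"] = "\n".join(pem) + "\n"
                pem = None
    return chain


def is_self_signed(cert):
    return cert["issuer"] is not None and cert["subject"] == cert["issuer"]


def trust_anchor(chain):
    """The certificate worth saving for --cacert: a self-signed one the server sent."""
    for cert in chain:
        if is_self_signed(cert) and cert["pem"]:
            return cert
    return None


def diagnose(chain):
    """Explain whether --cacert can work with what the server sent."""
    if not chain:
        return "no certificate chain found in the output"
    anchor = trust_anchor(chain)
    if anchor is not None:
        return (f"save certificate #{anchor['index']} ({anchor['subject']}) "
                "to a file and pass it with --cacert")
    leaf = chain[0]
    return (f"leaf {leaf['subject']} is issued by {leaf['issuer']}, which is not in the "
            "output; --cacert with the leaf alone fails with 'unable to get local issuer "
            "certificate', so obtain the issuing CA certificate from the server's operator")


if __name__ == "__main__":
    for sample in (CHAIN_WITH_CA, LEAF_ONLY):
        print(diagnose(parse_chain(sample)))
```

Feed it the output of openssl s_client -connect server:8006 -showcerts; compare the fingerprint of whatever it tells you to save against the server's own configuration before trusting it.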

Trying to view website after IP change in Chrome

I've recently changed the IP on a website as I added an SSL certificate.
Now going back to view the site I get the "Apache is working on your cPanel and WHM Server" message.
http://domain.com/cgi-sys/defaultwebpage.cgi
This looks like a cache issue with Chrome as I can see the page on other devices and when using Incognito browsing in Chrome also in other browsers on the same PC.
I've cleared every history entry in Chrome from my domain and also removed cookies. I still can't view my site. It has been 6 days since I changed the IP.
Any ideas? I'd rather be using Chrome, by the way.
Thanks for any suggestions :)
The real URL will more than likely take you to the site with no problems: www.tshirtsofoz.com.au
It looks like a configuration issue at the server. I don't believe it's at the client. Below, the point of interest is the response:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 27 Aug 2014 08:01:52 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.4.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: https://tshirtsofoz.com.au/xmlrpc.php
Set-Cookie: PHPSESSID=9690b2302154849c9f0f4b1583cd6175; path=/
Location: https://tshirtsofoz.com.au/wp-admin/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
And I get no response when following the redirect (i.e., GET /wp-admin/ ...). If I follow without the trailing slash, I get:
$ echo -e "GET /wp-admin HTTPS/1.1\r\n" | openssl s_client -connect www.tshirtsofoz.com.au:443 -ign_eof
...
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Aug 2014 08:07:45 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Location: https://tshirtsofoz.com.au/wp-admin/
Content-Length: 386
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved here.</p>
<hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Server at tshirtsofoz.com.au Port 443</address>
</body></html>
closed
Also, OpenSSL 0.9.8e has a number of vulnerabilities.
$ echo -e "GET / HTTPS/1.1\r\n" | openssl s_client -connect www.tshirtsofoz.com.au:443 -ign_eof
CONNECTED(00000003)
depth=1 C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation CA, Level 2", emailAddress = ca@trustwave.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=tshirtsofoz.com.au/O=T-shirts of Oz/L=Adelaide/ST=SA/C=AU
i:/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
1 s:/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
i:/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
---
Server certificate
subject=/CN=tshirtsofoz.com.au/O=T-shirts of Oz/L=Adelaide/ST=SA/C=AU
issuer=/C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Organization Validation CA, Level 2/emailAddress=ca@trustwave.com
---
No client certificate CA names sent
---
SSL handshake has read 3217 bytes and written 506 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 94A2EBDFF8EBA3B60B0CBCE497B21FB5753DD07FABFBD21CC2642C2F0665EE34
Session-ID-ctx:
Master-Key: 74BBCA1A44D5A8AAD5FD916C761E349B7FAD876D35B03AB499E20ADBC8170C643917DAF414D8AAE46D5574349DBCBB07
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1409126533
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.1 302 Moved Temporarily
Date: Wed, 27 Aug 2014 08:01:52 GMT
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.4.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: https://tshirtsofoz.com.au/xmlrpc.php
Set-Cookie: PHPSESSID=9690b2302154849c9f0f4b1583cd6175; path=/
Location: https://tshirtsofoz.com.au/wp-admin/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
closed

Apache SSLInsecureRenegotiation directive not working

I'm testing SSL Insecure Renegotiation vulnerability with Apache and OpenSSL.
When Apache 2.2.14 was compiled against OpenSSL 0.9.8k, openssl command could establish client-initiated insecure SSL renegotiation with Apache as follows:
# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=UA/ST=Some-State/O=Alice Cruel Ltd/CN=strawberry.xxx
verify return:1
HTTP/1.1 200 OK
Date: Thu, 23 Jan 2014 13:54:33 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "1b006b0-2c-3e9564c23b600"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
closed
#
But with Apache 2.2.15 compiled against OpenSSL 0.9.8m, client-initiated SSL renegotiation failed even when "SSLInsecureRenegotiation on" was added to ssl.conf:
# /usr/local/openssl-0.9.8k/bin/openssl s_client -connect debian:443
CONNECTED(00000003)
[...]
HEAD / HTTP/1.0
R
RENEGOTIATING
4790:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
#
The latter result is seemingly unexpected. Is the SSLInsecureRenegotiation directive not working? I want to know how to make the directive effective.
Thank you in advance.

Creating a fulfillment via the Shopify API

I am having trouble creating a fulfillment via the API. I am currently using curl to test, but am receiving a "Required parameter missing" error.
Anybody able to catch the error?
curl command:
curl -i -v -H "Accept: application/json" -X POST -d "{'fulfillment': {'tracking_number': null,'line_items': [{'id': 322959149}]}}" https://[apikey]:[password]@[shop-name].myshopify.com/admin/orders/186122043/fulfillments.json
curl output:
* About to connect() to [shop-name].myshopify.com port 443 (#0)
* Trying 204.93.213.94...
* connected
* Connected to [shop-name].myshopify.com (204.93.213.94) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: serialNumber=inVwoUGzj3duFEUBdzDQrbS2kO1qx0Vr; C=CA; ST=Ontario; L=Ottawa; O=Jaded Pixel Technologies Inc.; CN=*.myshopify.com
* start date: 2010-05-10 22:23:08 GMT
* expire date: 2015-08-12 19:17:14 GMT
* subjectAltName: [shop-name].myshopify.com matched
* issuer: C=US; O=Equifax; OU=Equifax Secure Certificate Authority
* SSL certificate verify ok.
* Server auth using Basic with user '4a93b24da162b9ce3f6426206b63e692'
> POST /admin/orders/186122043/fulfillments.json HTTP/1.1
> Authorization: Basic NGE5M2IyNGRhMTYyYjljZTNmNjQyNjIwNmI2M2U2OTI6ZDljMWYwMDNlZWZiMDE1MmQ1MzExMGNjMzk1N2MzMDI=
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
> Host: [shop-name].myshopify.com
> Accept: application/json
> Content-Length: 76
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 76 out of 76 bytes
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx
Server: nginx
< Date: Mon, 07 Oct 2013 21:10:02 GMT
Date: Mon, 07 Oct 2013 21:10:02 GMT
< Content-Type: application/json; charset=utf-8
Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Status: 400 Bad Request
Status: 400 Bad Request
< X-ShopId: 2235177
X-ShopId: 2235177
< X-Shopify-Asset-Version: 529b6843243276ab3e385c6b38a3bd7b17b4b92f
X-Shopify-Asset-Version: 529b6843243276ab3e385c6b38a3bd7b17b4b92f
< X-Shopify-Shop-Api-Call-Limit: 2/500
X-Shopify-Shop-Api-Call-Limit: 2/500
< HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 2/500
HTTP_X_SHOPIFY_SHOP_API_CALL_LIMIT: 2/500
< X-Frame-Options: DENY
X-Frame-Options: DENY
< X-UA-Compatible: IE=Edge,chrome=1
X-UA-Compatible: IE=Edge,chrome=1
< Set-Cookie: _secure_session_id=989c50f70ca8fd46d381770aa5ad3e72; path=/; secure; HttpOnly
Set-Cookie: _secure_session_id=989c50f70ca8fd46d381770aa5ad3e72; path=/; secure; HttpOnly
< X-Request-Id: 3c394e98aebf3ae3ba4c3f75b8f069be
X-Request-Id: 3c394e98aebf3ae3ba4c3f75b8f069be
<
* Connection #0 to host [shop-name].myshopify.com left intact
{"errors":{"fulfillment":"Required parameter missing"}}
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Your ' should be "
curl -i -v -H "Accept: application/json" -X POST -d '{"fulfillment": {"tracking_number": null,"line_items": [{"id": 322959149}]}}' https://[apikey]:[password]@[shop-name].myshopify.com/admin/orders/186122043/fulfillments.json
The following link should help you.