CDDIS File Upload FAQ
  1. Why am I getting "curl: (35) error …SSL routines… sslv3 alert handshake failure" when trying to upload files?
    Over the past day, some of you may have experienced difficulty in uploading, resulting in a ssl v3 handshaking error. This was caused by the CDDIS's parent organization moving their authentication systems to using TLS 1.2 as required by the US Government. Most of you are already using a version of cURL that automatically worked with this change; cURL versions 7.54 and higher typically work without any interventions. If you are having issues connecting you should do the following:

    Check your version of cURL (curl -v ).

    Mac and Windows Users - if your version is less than 7.34, you must update. If you have Version 7.34 - 7.54 you can try to use the command line option "--tlsv1.2". Version 7.54 or greater should work automatically but you can force tls1.2 with the same command line option.

    Linux Users -
    • RedHat/CentOS 6 - if you type "curl -v" and get 7.19.7-XX, where XX = 43 or greater, then you can put the command line option "--tlsv1.2" on your login line and everything should work. If XX is less than 43 you MUST update curl. A simply yum update should be all that is needed here.
    • RedHat/CentOS 7 - If you are running RedHat/CentOS 7.4 or higher, curl should connect automatically. Older versions should be able to use the command line option "--tlsv1.2".
    • Other versions of Linux - If you are running some other flavor of Linux (Suse, Ubuntu, etc.), you will have to investigate what version you have and if it supports TSL 1.1 and TLS 1.2.
    So, in summary: If you are using cURL with a version less than 7.34, you absolutely have to update cURL. If your version is between 7.34 and 7.54, you will have to force TLS1.2 with the command line option "--tlsv1.2". If your version is greater than 7.54, it should automatically work with TLS1.2. The version information for RedHat/CentOS is slightly different and you need to follow the information listed above. For all other flavors of Linux, you need to investigate if your version supports TLS1.2 and if so how to force it to utilize TLS1.2 encryption.

    If this does not fix the encryption error please contact the help desk at support-cddis@earthdata.nasa.gov
  2. What is the new CDDIS file upload method?
    The CDDIS has transitioned the method used to supply files to its archive from an ftp-based to an HTTP-based procedure. The new system also uses a NASA single sign-on system for user authentication.
  3. Why did the CDDIS change from ftp upload to https?
    The major reason for changing these procedures at CDDIS is security; ftp with its clear text username and password is just not acceptable in this day and age. In fact, some organizations have deprecated ftp or outright banned its usage. ftp also has the disadvantage of being a two-port protocol along with both an active and passive operation mode. This means that EVERY firewall/switch in the network path between CDDIS and the data provider must be configured correctly to function reliably. Unfortunately we have found this too often to not be the case and in most instances outside the control of CDDIS or the data provider to fix.
  4. Why not use sftp or some other ftp variant?
    CDDIS looked into using some other variants to ftp for file upload but there were disadvantages (some major) to all of these approaches. The http(s) protocol offered more advantages and had performance equal to ftp.
  5. What is Earthdata Login?
    Earthdata login (https://urs.earthdata.nasa.gov/) is the single mechanism for user registration and profile management for all Earth Observing System Data and Information System (EOSDIS) components. CDDIS, as one of the 12 EOSDIS Distributed Active Archive Centers (DAACs), is moving to be more integrated with its larger parent organization.
  6. When will this new file upload system go operational?
    Current plans are for the new file upload procedure to go operational in Fall 2016 when CDDIS moves to its new computer facilities.
  7. Will my old scripts stop working?
    When CDDIS transitions to its new computer facilities in Fall 2016, all legacy ftp upload systems will be turned off. Any application or scripts using ftp for file upload will cease to work at that time.
  8. Do I need to only use cURL?
    No, you can use any tool that allows you to submit an HTTP POST request and that follows an HTTP redirect (302 request). CDDIS recommends that you use cURL as it’s what we support but you are free to use other tools or write your own. CDDIS has provided a Java example to showcase how this can be done.
  9. Is there a list of file upload parameters and examples?
    Yes. A list of upload parameters and example filenames is available.
  10. When I upload a batch of files there seems to be a delay before anything happens; is this normal?
    Yes, the new upload system allows the user to upload either a single file or batch of files in a single call. If a large number of files are being uploaded in a single call there can be a short time lag as the HTTP POST request is generated. NOTE: the HTTP POST generation takes place on the user’s machine and therefore is not related to CDDIS performance. You are always free to write your scripts so that single files or a small number of files are uploaded sequentially instead of in batch mode.
  11. What is the largest file size that CDDIS can accept?
    500MB; for larger files please contact support-cddis@earthdata.nasa.gov for assistance.
  12. What browsers are supported for the web-based interface?
    The latest versions of Firefox, Chrome, Internet Explorer (IE), and Safari are officially supported. The process may work in other browsers, but is not guaranteed.
  13. Who do I contact for questions?
    Any questions related to the new upload system should be directed to support-cddis@earthdata.nasa.gov.
  14. I just updated to the latest Debian-based linux distribution and now I get the following error: unsafe legacy renegotiation disabled. Why?
    This is a known issue at this time, the only workaround of which CDDIS is aware is to add the following lines to the end of the file /etc/ssl/openssl.cnf.

    openssl_conf = openssl_init

    [openssl_init]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    Options = UnsafeLegacyRenegotiation

Related Links: