Can't upload data to test instance

50 views
Skip to first unread message

Leif Neve

unread,
Jan 10, 2012, 1:30:50 PM1/10/12
to personfinder
If I post to the documented URL:

https://www.google.org/personfinder/test/api/write?key=xxx

I get this error:

SSL: certificate subject name 'www.google.com' does not match target
host name 'www.google.org'

Thanks for any help.

Lee Schumacher

unread,
Jan 10, 2012, 1:59:05 PM1/10/12
to personfinder on behalf of Leif Neve
Hmm.  We shouldn't be doing the redirect to www.google.com anymore (and I don't see it in my browser).   I get a 'misc.google.com' cert with 'subject alternative name' that includes *.google.org.  Perhaps your ssl library doesn't handle that extension?  Can you provide some more detail on how you're doing that post?  We've just started using this kind of cert in order to allow us to support ssl on more properties, so we need to iron this out.

 

Thanks for any help.

--
You received this because you are subscribed to the "personfinder" Google Group.
To post, send mail to person...@googlegroups.com
To unsubscribe, send mail to personfinder...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/personfinder



--
Lee Schumacher | Software Engineer | lschu...@google.com | (650) 336-5330

Leif Neve

unread,
Jan 10, 2012, 2:13:15 PM1/10/12
to personfinder
Does this help?

% curl -X POST -H 'Content-type: application/xml' --data-binary
cronpfif.xml https://www.google.org/personfinder/test/api/write?key=xxx

curl: (51) SSL: certificate subject name 'www.google.com' does not
match target host name 'www.google.org'

FWIW, here is the XML data:

<?xml version="1.0" encoding="utf-8"?>
<pfif:pfif xmlns:pfif="http://zesty.ca/pfif/1.3" xmlns:xsi="http://
www.w3.org/2001/XMLSchema-instance" xsi:schema
Location="http://zesty.ca/pfif/1.3
http://zesty.ca/pfif/1.3/pfif-1.3.xsd"><pfif:person><pfif:person_record_id>pl.
nlm.nih.gov/person.2957919</
pfif:person_record_id><pfif:entry_date>2012-01-10T18:17:53Z</
pfif:entry_date><pfif:ex
piry_date>2013-01-10T18:17:53Z</
pfif:expiry_date><pfif:author_name>Leif Neve</
pfif:author_name><pfif:source_name>
pl.nlm.nih.gov</
pfif:source_name><pfif:source_date>2012-01-10T18:16:24Z</
pfif:source_date><pfif:source_url>https:
//pl.nlm.nih.gov/person.2957919</pfif:source_url><pfif:full_name>NLM
person2</pfif:full_name><pfif:first_name>NLM
</pfif:first_name><pfif:last_name>person2</
pfif:last_name><pfif:sex>female</pfif:sex><pfif:age>66</pfif:age><pfif
:other>description: height: 6', weight: 123, eye color: Black, skin
color: Albino, hair color: White, other featu
res: This person is nicknamed "bonnie lass" if you see her.</
pfif:other></pfif:person><pfif:note><pfif:note_recor
d_id>pl.nlm.nih.gov/note.1036</
pfif:note_record_id><pfif:person_record_id>pl.nlm.nih.gov/person.
2957919</pfif:per
son_record_id><pfif:entry_date>2012-01-10T18:17:53Z</
pfif:entry_date><pfif:author_name>Leif Neve</pfif:author_nam
e><pfif:source_date>2012-01-10T18:17:53Z</
pfif:source_date><pfif:status>believed_alive</pfif:status></
pfif:note><
/pfif:pfif>

We are running fully patched and updated RHEL5.


On Jan 10, 1:59 pm, Lee Schumacher wrote:
> On Tue, Jan 10, 2012 at 10:30 AM, personfinder on behalf of Leif Neve <
>
> [email address]> wrote:
> > If I post to the documented URL:
>
> >  https://www.google.org/personfinder/test/api/write?key=xxx
>
> > I get this error:
>
> >  SSL: certificate subject name 'www.google.com'does not match target
> > host name 'www.google.org'
>
> Hmm.  We shouldn't be doing the redirect towww.google.comanymore (and I
> don't see it in my browser).   I get a 'misc.google.com' cert with 'subject
> alternative name' that includes *.google.org.  Perhaps your ssl library
> doesn't handle that extension?  Can you provide some more detail on how
> you're doing that post?  We've just started using this kind of cert in
> order to allow us to support ssl on more properties, so we need to iron
> this out.
>
>
>
> > Thanks for any help.
>
> > --
> > You received this because you are subscribed to the "personfinder" Google
> > Group.
> > To post, send mail to [email address]
> > To unsubscribe, send mail to [email address]
> > For more options, visit this group at
> >http://groups.google.com/group/personfinder
>
> --
> Lee Schumacher | Software Engineer | [email address] | (650) 336-5330

Lee Schumacher

unread,
Jan 10, 2012, 2:17:53 PM1/10/12
to personfinder on behalf of Leif Neve
Perfect.  If i run that command with -v i see: 
* About to connect() to www.google.org port 443 (#0)
*   Trying 2001:4860:8009::68... connected
* Connected to www.google.org (2001:4860:8009::68) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=misc.google.com
* start date: 2011-11-21 03:59:28 GMT
* expire date: 2012-11-21 04:09:28 GMT
* subjectAltName: www.google.org matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority
* SSL certificate verify ok.
> POST /personfinder/test/api/write?key=xxx HTTP/1.1
> User-Agent: curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8r zlib/1.2.3
> Accept: */*
> Content-type: application/xml
> Content-Length: 12

(and then it bombs because xxx isn't the right key :)).  What are you seeing from your end? 


To post, send mail to person...@googlegroups.com
To unsubscribe, send mail to personfinder...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/personfinder



--
Lee Schumacher | Software Engineer | lschu...@google.com | (650) 336-5330

Leif Neve

unread,
Jan 10, 2012, 2:33:25 PM1/10/12
to personfinder
* About to connect() to www.google.org port 443
* Trying 72.14.204.104... connected
* Connected to www.google.org (72.14.204.104) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using RC4-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Mountain View/O=Google Inc/
CN=www.google.com
* start date: 2011-10-26 00:00:00 GMT
* expire date: 2013-09-30 23:59:59 GMT
* SSL: certificate subject name 'www.google.com' does not match target
host name 'www.google.org'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'www.google.com' does not
match target host name 'www.google.org'


On Jan 10, 2:17 pm, Lee Schumacher wrote:
> Perfect.  If i run that command with -v i see:
> * About to connect() towww.google.orgport 443 (#0)
> *   Trying 2001:4860:8009::68... connected
> * Connected towww.google.org(2001:4860:8009::68) port 443 (#0)
> > cronpfif.xmlhttps://www.google.org/personfinder/test/api/write?key=xxx
> > > >  SSL: certificate subject name 'www.google.com'doesnot match target
> > > > host name 'www.google.org'
>
> > > Hmm.  We shouldn't be doing the redirect towww.google.comanymore(and I

Lee Schumacher

unread,
Jan 10, 2012, 2:36:41 PM1/10/12
to personfinder on behalf of Leif Neve
hmm, clearly thats a problem on our end - looks like not everything we did is visible externally yet.  I'll contact the internal experts on this stuff and get back to you.  
 
To post, send mail to person...@googlegroups.com
To unsubscribe, send mail to personfinder...@googlegroups.com

For more options, visit this group at http://groups.google.com/group/personfinder



--
Lee Schumacher | Software Engineer | lschu...@google.com | (650) 336-5330

Lee Schumacher

unread,
Jan 10, 2012, 4:44:38 PM1/10/12
to personfinder on behalf of Leif Neve
Ok, according to the experts on our end the sslv3 protocol will work.  Ssl v2 won't work until our dns configuration is completed (its currently pending).  Based on the line: 
"* SSLv2, Client hello (1):" (which is missing in my successful trace) you're attempting a v2 connection.  Try doing curl -3 to force v3 and see if that works.

Leif Neve

unread,
Jan 10, 2012, 4:48:20 PM1/10/12
to personfinder
Still no joy. curl -3 output:

* About to connect() to www.google.org port 443
* Trying 72.14.204.103... connected
* Connected to www.google.org (72.14.204.103) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using RC4-SHA
* Server certificate:
* subject: /C=US/ST=California/L=Mountain View/O=Google Inc/
CN=www.google.com
* start date: 2011-10-26 00:00:00 GMT
* expire date: 2013-09-30 23:59:59 GMT
* SSL: certificate subject name 'www.google.com' does not match target
host name 'www.google.org'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'www.google.com' does not
match target host name 'www.google.org'


On Jan 10, 4:44 pm, Lee Schumacher wrote:
> Ok, according to the experts on our end the sslv3 protocol will work.  Ssl
> v2 won't work until our dns configuration is completed (its currently
> pending).  Based on the line:
> "* SSLv2, Client hello (1):" (which is missing in my successful trace)
> you're attempting a v2 connection.  Try doing curl -3 to force v3 and see
> if that works.
>
> On Tue, Jan 10, 2012 at 11:36 AM, Lee Schumacher <[email address]>wrote:
>
>
>
>
>
> > On Tue, Jan 10, 2012 at 11:33 AM, personfinder on behalf of Leif Neve <
> > [email address]> wrote:
>
> >> * About to connect() towww.google.orgport 443
> >> *   Trying 72.14.204.104... connected
> >> * Connected towww.google.org(72.14.204.104) port 443
> >> > * About to connect() towww.google.orgport443 (#0)
> >> > > curl: (51) SSL: certificate subject name 'www.google.com'doesnot

Ka-Ping Yee

unread,
Jan 10, 2012, 8:40:24 PM1/10/12
to personfinder on behalf of Leif Neve
Of course we do still need to get this fixed, but as a temporary workaround you can use "curl -k" to ignore the SSL warning.


—Ka-Ping Yee
Google Crisis Response


To post, send mail to person...@googlegroups.com
To unsubscribe, send mail to personfinder...@googlegroups.com

Leif Neve

unread,
Jan 10, 2012, 10:02:54 PM1/10/12
to personfinder
That was successful as a workaround, thanks.

On Jan 10, 8:40 pm, Ka-Ping Yee wrote:
> Of course we do still need to get this fixed, but as a temporary workaround
> you can use "curl -k" to ignore the SSL warning.
>
> —Ka-Ping Yee
> Google Crisis Response
>
> On Tue, Jan 10, 2012 at 16:48, personfinder on behalf of Leif Neve <
>
>
>
>
>
>
>
> [email address]> wrote:
> > Still no joy. curl -3  output:
>
> > * About to connect() towww.google.orgport 443
> > *   Trying 72.14.204.103... connected
> > * Connected towww.google.org(72.14.204.103) port 443
> > > >> * SSL: certificate subject name 'www.google.com'doesnot match target
> > > >> host name 'www.google.org'
> > > >> * Closing connection #0
> > > >> * SSLv3, TLS alert, Client hello (1):
> > > >> curl: (51) SSL: certificate subject name 'www.google.com'doesnot
> > > >> match target host name 'www.google.org'
>
> ...
>
> read more »
Reply all
Reply to author
Forward
0 new messages