[foaf-protocols] getting the certificate to work on first useage

Nathan nathan at webr3.org
Thu May 20 13:49:51 CEST 2010 

Nathan wrote:
> Story Henry wrote:
>> Ok, I just tried it with Chromium on  this very useful script 
>>
>>    https://foafssl.org/srv/test.jsp
>>
>> Just after the test it shows:
>>
>> Certificate chain:
>>  - CN=TEST3Chrome,UID=http://webid.myxwiki.org/xwiki/bin/view/XWiki/test20101\#me,OU=The Community Of Self Signers,O=FOAF\+SSL
>> Verified URIs:
>>
>> So it looks like the certificate is sent, but not verified on first attempt.
>> This seems to rule out a problem with the browser, and we should look more at foafssl.org server server or perhaps xwiki.
> 
> Henry,
> 
> I've done some testing, and the issue appears to be specific to IDP.
> 
> To be specific, after some intensive testing; the issue seems to be 
> specific to IDP, and time related, if I create a new certificate and 
> immediately try and use it on IDP i get a fail, try and use it on other 
> test sites and I get success. Moreover and more specifically, the issue 
> seems to be time dependent, certificate failed several times in quick 
> succession, then I went for a smoke, came back and it worked (withuot 
> doing anything but refreshing).
> 
> Thus if I was trying to fix this, my first point of call would be to 
> check that IDP wasn't caching responses from xwiki for a couple of minutes.

Henry,

After even more testing, here's what I've found:

The issue is not browser dependant, or client side, or cert related.

The issue is specific to IDP ( i get fails on IDP in one tab, and 
success in other non-idp dependent foaf+ssl services in other tabs - 
using same new cert of course).

The issue is intermittent.

Judging by the speed with which IDP fails, I'm rather sure that IDP is 
doing one or both of the following:
  - not GETing the doc pointed to by the webid successfully
  - caching responses for circa 5 minutes, whether valid or not.

Obviously not having access to the server I can't tell whether it's 
attempting to dereference or not (ie issue creeping in before GET), or 
whether the issue is with intermittent RDFa parsing failure (which would 
be strange I guess).

A very possible option is that IDP server is hitting a router or 
software controlled firewall so often that it's triggering a rule that 
bans the server from contacting xwiki server for 5 minutes. (and using 
acached response until it manages another successful GET ?)

Best,

Nathan

More information about the foaf-protocols mailing list