Jump to content

Profile viewer shows unstyled content


Lena Docherty
 Share

You are about to reply to a thread that has been inactive for 3641 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

Hello,

the current viewers (release and beta) ate both showing pages of unstyled content when I try to read profiles. It works every 10th klick or so to actually watch a profile like it is supposed to look like. The other 9 clicks (or even worse) produce something that looks like an html page without css loaded. This behaviour occurs since quite a few viewer versions and seems to get worse over time.

(osx lion, official release or beta viewer)

Link to comment
Share on other sites

Hi Lena, same problem happened to me and one of my friends. We are both on Mac OSX 10.6.8./viewer 3.0.3. Also I have tested it on several viewers, on 2.7, I got "SSL handshake failed" message and blank window. It looks similar with the past issue - check the Fredrik Linden's comment.

I contacted support, and it said:
When the issue occurs at the region handshake, the problem is usually a router or firewall issue. Try turning off the router for 20 seconds and bring it back up again. This may clear the issue. If not, try connecting directly to your modem.

Actually it didn't work for me and my friend, but you would be better to try this first. Also check your firewall setting.
I got this problem fixed yesterday while I was trying various ways (like installing security update for 10.6.8, clearing cache, updating FireFox…) but not really sure what caused to get proper profile window.
My friend is still getting same unformed page :smileysad:

Link to comment
Share on other sites

It IS the SSL handshake problem. I tried the DEV viewer which displayed this error message

The my.secondlife.com profile view is working properly. The site's certificate is ok and issued by Geotrust which is a built-in certificate in the system keychain.

I tried resetting my router (and as I expected - I just did this so nobody can claim I didn't give it a try) the problem persists.

I tried disabling OCSP and CRL checking but the issue persists.

Why the heck can't the built-in browser connect an SSL website? This is ridiculous. Even more as the profile is partly loaded. The HTML seems to be loaded. It's only the CSS/JavaScript stuff that's missing. Why can't this just work like any normal browser.

And it doesn't seem to be any strange Lion dependent issue since the above posting confirmed this issue for Snow Leopard.

Link to comment
Share on other sites

I've checked system.log and there were some interresting messages suggesting the SL embedded viewer has an own instance of a certificate store. Its located under /Applications/Second Life Viewer 2.app/Contents/Resources/app_settings and named CA.pem. This file contains a bunch of certificates that need further investigation.

For the time being it looks like a workarround to rename this file to i.e. CA.pem.bak - this enabled my viewer to load profiles again. UPDATE: It fixed the profile view when I renamed it after I loggen in. Without this file the viewer won't connect the grid. So this is NOT a workarround. :-(

I will check out the contained certificates to hopefully find out more.

Link to comment
Share on other sites

It HAS to do something with this file. There are **bleep**ups in it. some hundred copy commandlines that aren't supposed to be inside a pem format certificate container. Removing them didn't do the trick but they are a pointer that somebody **bleep**ed up this file big time.

I can confirm that profiles load properly when I rename this file _after_ I logged in. But is has to be there at login time to enable the viewer to verify LL login servers.

Link to comment
Share on other sites

After some investigation I can tell there are two certificates in this file that expired on sept. 23th. Another two will expire on oct. 23th and nov. 30th. I bet the two expired certs are causing the issue. I just have to nail them down. (There are 218 certs inside this file and I have to redefine my greps to regognize which of them are the expired ones.)

 

BTW: Thanks LL for not lettling me report this problem to you since I am a basic member and you are therfore not netting me open technical tickets anymore.

 

UPDATE:

        Issuer: C=PL, O=TP Internet Sp. z o.O., OU=Centrum Certyfikacji Signet, CN=CC Signet - CA Klasa 1
        Validity
            Not Before: Oct 17 12:29:02 2003 GMT
            Not After : Sep 23 11:18:17 2011 GMT
        Subject: C=PL, O=TP Internet Sp. z o.O., OU=Centrum Certyfikacji Signet, CN=CC Signet - TSA Klasa 1

 

        Issuer: C=PL, O=TP Internet Sp. z o.O., OU=Centrum Certyfikacji Signet, CN=CC Signet - RootCA
        Validity
            Not Before: Sep 23 14:18:17 2001 GMT
            Not After : Sep 23 13:18:17 2011 GMT
        Subject: C=PL, O=TP Internet Sp. z o.O., OU=Centrum Certyfikacji Signet, CN=CC Signet - CA Klasa 1

 

        Issuer: C=AT, ST=Austria, L=Vienna, O=ARGE DATEN - Austrian Society for Data Protection, OU=A-CERT Certification Service, CN=A-CERT ADVANCED/emailAddress=info@a-cert.at
        Validity
            Not Before: Oct 23 14:14:14 2004 GMT
            Not After : Oct 23 14:14:14 2011 GMT
        Subject: C=AT, ST=Austria, L=Vienna, O=ARGE DATEN - Austrian Society for Data Protection, OU=A-CERT Certification Service, CN=A-CERT ADVANCED/emailAddress=info@a-cert.at

 

        Issuer: C=BR, O=ICP-Brasil, OU=Instituto Nacional de Tecnologia da Informacao - ITI, L=Brasilia, ST=DF, CN=Autoridade Certificadora Raiz Brasileira
        Validity
            Not Before: Nov 30 12:58:00 2001 GMT
            Not After : Nov 30 23:59:00 2011 GMT
        Subject: C=BR, O=ICP-Brasil, OU=Instituto Nacional de Tecnologia da Informacao - ITI, L=Brasilia, ST=DF, CN=Autoridade Certificadora Raiz Brasileira


Link to comment
Share on other sites

I recompiled me a version of this file without the mentioned certificates. Now I get a real SSL handshake failed error message. So there have to be more issues with the contained certificates.

OK. Now I only threw out the two expired ones. It's now still unstyled but looks different.

So my best guess at this moment is following:

- Login is dependent on CA.pem to verify login servers (this is actually good since logging on to unverified servers is bad from security POV)

- The build-in browser handles CA.pem as optional. If it isn't there it just accepts HTTP connections or falls back to the system's API for checking certs. Therefore it works when I move it away after i logged in.

- When I recompile a new CA.pem leaving out the expired certs the embedded browser checks againt the file but fails to find the (valid) certs and therefore fails to display the profile properly.

For now I'm fed up and leave the rest to LL. ;-)

Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 3641 days.

Please take a moment to consider if this thread is worth bumping.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...