diff --git a/build/extract_cert_locs.xsl b/build/extract_cert_locs.xsl
new file mode 100644
index 00000000..bff9297c
--- /dev/null
+++ b/build/extract_cert_locs.xsl
@@ -0,0 +1,39 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/build/extract_nocert_locs.xsl b/build/extract_nocert_locs.xsl
new file mode 100644
index 00000000..ad5a1c03
--- /dev/null
+++ b/build/extract_nocert_locs.xsl
@@ -0,0 +1,39 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/build/probe_certs.pl b/build/probe_certs.pl
new file mode 100644
index 00000000..b7e28d18
--- /dev/null
+++ b/build/probe_certs.pl
@@ -0,0 +1,55 @@
+#!/usr/bin/perl -w
+
+open(XML,"java -cp ../xalan-j_2_6_0/bin/xalan.jar org.apache.xalan.xslt.Process -IN ../xml/sdss-metadata-unsigned.xml -XSL extract_cert_locs.xsl|") || die "could not open input file";
+while () {
+ if (/^http:/) {
+ print "skipping http location: $_";
+ } elsif (/^https:\/\/([^\/:]+(:\d+)?)\//) {
+ my $location = $1;
+ $location .= ":443" unless defined $2;
+ $locations{$location} = 1;
+ } else {
+ print "bad location: $_";
+ }
+}
+close XML;
+
+$count = scalar keys %locations;
+print "Unique SSL with-certificate locations: $count\n";
+foreach $loc (sort keys %locations) {
+ print "probing: $loc\n";
+ $cmd = "openssl s_client -connect $loc -showcerts -verify 10 -cert ssl_test.pem -key ssl_test.key /dev/null ";
+ open (CMD, "$cmd|") || die "can't open s_client command";
+ $got = 0;
+ while () {
+ if (/^Server certificate/ .. /\-\-\-/) {
+ if (/^issuer=(.*)$/) {
+ $issuers{$1}{$loc} = 1;
+ $numissued++;
+ $got = 1;
+ }
+ }
+ }
+ close CMD;
+ $failed{$loc} = 1 unless $got;
+}
+print "\n\n";
+
+$count = scalar keys %failed;
+print "\n\nProbes that failed: $count\n";
+foreach $loc (sort keys %failed) {
+ print " $loc\n";
+}
+print "\n\n";
+
+print "Probes we got an issuer back from: $numissued\n";
+$count = scalar keys %issuers;
+print "Unique issuers: $count\n";
+foreach $issuer (sort keys %issuers) {
+ %locs = %{ $issuers{$issuer} };
+ $n = scalar keys %locs;
+ print "$n: $issuer\n";
+ foreach $loc (sort keys %locs) {
+ print " $loc\n";
+ }
+}
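Review bot: The host taken from the federation metadata reaches a shell unvalidated: the capture `[^\/:]+` in the `elsif` accepts any character except `/` and `:`, and `$loc` is then interpolated into `$cmd` and run through the two-argument pipe `open (CMD, "$cmd|")`. A location value in sdss-metadata-unsigned.xml that contains shell metacharacters would therefore be interpreted by the shell on the build host. Restrict the capture to hostname characters, `} elsif (/^https:\/\/([A-Za-z0-9.-]+(:\d+)?)\//) {`, and prefer the list form of pipe open so that no shell is involved. build/probe_nocerts.pl has the same pattern in its `elsif` and `open (CMD, ...)` lines. The `while ()` loops appear to have lost their filehandle in this rendering, so the read side cannot be checked from here.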
diff --git a/build/probe_nocerts.pl b/build/probe_nocerts.pl
new file mode 100644
index 00000000..66a9e423
--- /dev/null
+++ b/build/probe_nocerts.pl
@@ -0,0 +1,61 @@
+#!/usr/bin/perl -w
+
+$known_bad{'census.data-archive.ac.uk:8080'} = 1;
+
+open(XML,"java -cp ../xalan-j_2_6_0/bin/xalan.jar org.apache.xalan.xslt.Process -IN ../xml/sdss-metadata-unsigned.xml -XSL extract_nocert_locs.xsl|") || die "could not open input file";
+while () {
+ if (/^http:/) {
+ print "skipping http location: $_";
+ } elsif (/^https:\/\/([^\/:]+(:\d+)?)\//) {
+ my $location = $1;
+ $location .= ":443" unless defined $2;
+ if ($known_bad{$location}) {
+ print "skipping known bad location: $_";
+ } else {
+ $locations{$location} = 1;
+ }
+ } else {
+ print "bad location: $_";
+ }
+}
+close XML;
+
+$count = scalar keys %locations;
+print "Unique SSL non-certificate locations: $count\n";
+foreach $loc (sort keys %locations) {
+ print "probing: $loc\n";
+ $cmd = "openssl s_client -connect $loc -showcerts -verify 10 /dev/null ";
+ open (CMD, "$cmd|") || die "can't open s_client command";
+ $got = 0;
+ while () {
+ if (/^Server certificate/ .. /\-\-\-/) {
+ if (/^issuer=(.*)$/) {
+ $issuers{$1}{$loc} = 1;
+ $numissued++;
+ $got = 1;
+ }
+ }
+ }
+ close CMD;
+ $failed{$loc} = 1 unless $got;
+}
+print "\n\n";
+
+$count = scalar keys %failed;
+print "\n\nProbes that failed: $count\n";
+foreach $loc (sort keys %failed) {
+ print " $loc\n";
+}
+print "\n\n";
+
+print "Probes we got an issuer back from: $numissued\n";
+$count = scalar keys %issuers;
+print "Unique issuers: $count\n";
+foreach $issuer (sort keys %issuers) {
+ %locs = %{ $issuers{$issuer} };
+ $n = scalar keys %locs;
+ print "$n: $issuer\n";
+ foreach $loc (sort keys %locs) {
+ print " $loc\n";
+ }
+}
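Review bot: The result of `close CMD` is discarded in the probe loop, so a location where openssl could not be started or exited with an error is reported the same way as one that simply returned no issuer line. On a piped handle `close` returns false and sets `$?` when the child exits non-zero; surfacing it, e.g. `close CMD or print "s_client exited with status $? for $loc\n";`, makes the "Probes that failed" list easier to triage. `$numissued` is also never initialised, so under `-w` the summary line warns and prints an empty count when no probe returns an issuer; `$numissued = 0;` before the loop fixes that. Both points apply equally to build/probe_certs.pl.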
diff --git a/build/ssl_test.key b/build/ssl_test.key
new file mode 100644
index 00000000..78e2108e
--- /dev/null
+++ b/build/ssl_test.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDSB22xmJ6+JezeMmmo5vw/ElWORMgDxsmpi7M/b1Aftl1fk76y
+XubZBmLFhO2zxkPO4fjefS/kyP4SIyiHWEagXjm/WcPeJSWSqoxaQs/YzQ1jw11V
+vONqCx/O0MO4Y0reSt4Ato1WhJboThExLgN61+Lz60D+Q2hAc8cG+fzd2QIDAQAB
+AoGALjWKMd/FVUqc0co/qvSfHPVYs4N4ijQrXE0rM9K2yzNhWcz00OPGYItiIdj8
+P2hotNTM346lge2i0LTBjv2iE/JRcZevIA15MV7qCzTiWCfALNTqPnyrIEOjfoms
+L/t3Rbb5Id+X2g3OKtyaNF/ImHYP0+nUKjdK7zNs/giXLHECQQD16LltmL82pYR9
+oxlnRum/TXKjEPUfBAgnfVUbnpq+wpoBSI35YNNLMNzNrBJOic7eZp3JF3ystbXU
+fU20A8C9AkEA2qXItAjAyZWlvhA41XiLu/MZf3pjuao+qzKnxvUdOQZxl5lf6A42
+UYXZUGdgNYyFxfUaHLFBU9mA53lHi95JTQJAMzLyMIRmA22wySvFJUCZeFAatyLX
+tk5zmC07JBYAqAkCYZQGo05qj7QrtNLHuPxuStXYsj6moZrvsb8pB3rkjQJAAm6f
+qekDA/sHKfMSPsWlgES2/uUEoPcU1WCt3xew6IZ60v3gxDsMPaHohe1wc4gJoOcW
+EEWkfWNI/MorkpG5bQJAD5qGQunLqxVwwTpYG6si5OtxnQ4hSgYgZcgrePO5yRsi
+wcwT+rpCmi5rpsiuu9bP8upPHzV3pnJdVSR6K/wKBw==
+-----END RSA PRIVATE KEY-----
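Review bot: This adds an unencrypted RSA private key to the repository, and build/ssl_test.pem in the same commit shows the matching certificate was issued by the SDSS CA to "SDSS Federation SSL Tester". Anyone who can read the repository or its history then holds that client identity for any endpoint that accepts SDSS CA certificates, and deleting the file in a later commit does not remove it from history. Keep the key outside version control and have probe_certs.pl take its location from the environment, for example `$key = $ENV{SSL_TEST_KEY} || die "SSL_TEST_KEY not set";`, with the file listed in the ignore rules. If this commit has already been published, the certificate should be treated as exposed: revoked via the CRL it names, and reissued with a fresh key.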
diff --git a/build/ssl_test.pem b/build/ssl_test.pem
new file mode 100644
index 00000000..bdd6549f
--- /dev/null
+++ b/build/ssl_test.pem
@@ -0,0 +1,67 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 65 (0x41)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: C=GB, O=JISC Core Middleware Programme, CN=SDSS CA
+ Validity
+ Not Before: Aug 9 09:21:54 2006 GMT
+ Not After : Dec 31 00:00:00 2008 GMT
+ Subject: C=GB, O=JISC Core Middleware Programme, OU=SDSS Project, CN=SDSS Federation SSL Tester
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:d2:07:6d:b1:98:9e:be:25:ec:de:32:69:a8:e6:
+ fc:3f:12:55:8e:44:c8:03:c6:c9:a9:8b:b3:3f:6f:
+ 50:1f:b6:5d:5f:93:be:b2:5e:e6:d9:06:62:c5:84:
+ ed:b3:c6:43:ce:e1:f8:de:7d:2f:e4:c8:fe:12:23:
+ 28:87:58:46:a0:5e:39:bf:59:c3:de:25:25:92:aa:
+ 8c:5a:42:cf:d8:cd:0d:63:c3:5d:55:bc:e3:6a:0b:
+ 1f:ce:d0:c3:b8:63:4a:de:4a:de:00:b6:8d:56:84:
+ 96:e8:4e:11:31:2e:03:7a:d7:e2:f3:eb:40:fe:43:
+ 68:40:73:c7:06:f9:fc:dd:d9
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Key Usage:
+ Digital Signature, Key Encipherment, Data Encipherment
+ X509v3 CRL Distribution Points:
+ URI:http://sdss.ac.uk/ca/sdss-ca.crl
+
+ X509v3 Subject Key Identifier:
+ 7C:67:CC:3D:6D:40:43:EE:1A:79:5D:14:DA:C3:A0:54:B2:96:B8:06
+ X509v3 Authority Key Identifier:
+ keyid:BE:AD:20:87:49:07:67:71:1E:CF:D7:BA:AB:40:8A:77:16:1D:2B:C0
+ DirName:/C=GB/O=JISC Core Middleware Programme/CN=SDSS CA
+ serial:00
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 1e:e1:11:92:b1:0c:5e:6a:8e:55:93:0c:2b:92:0b:a0:9b:ba:
+ 55:37:de:91:78:4a:a8:87:09:50:d5:46:fa:53:98:c4:9c:94:
+ ac:0f:92:28:40:bf:7d:63:cf:1f:a1:2b:af:6f:63:ba:e4:26:
+ a3:3e:05:f8:8a:cc:a3:47:a1:86:74:d9:92:96:89:88:37:4d:
+ 28:c7:bb:d4:5c:f2:93:d3:8e:08:2d:68:6c:72:cf:7c:83:6d:
+ 98:6f:dd:37:9b:5c:4a:6e:3b:9d:a5:66:25:6d:69:05:8c:2e:
+ f4:d9:41:63:ef:0b:5a:7a:8e:1e:e4:5f:35:6a:93:7d:6f:67:
+ 4a:4a
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----