ssl-test 1.4.1 → 1.6.0

data/spec/ssl-test_spec.rb

@@ -1,12 +1,33 @@
 require "ssl-test"
 require "benchmark"
+require 'webrick'
+require 'webrick/httpproxy'
+require 'rspec/retry'
 
 # Uncomment for debug logging:
 # require "logger"
 # SSLTest.logger = Logger.new(STDOUT)
 
+RSpec.configure do |config|
+  # The error/revocation examples below hit several public TLS test endpoints
+  # (badssl.com, testserver.host, ssl.com) which intermittently reset connections
+  # under load. They're spread across a few providers to avoid hammering a single
+  # one, and examples tagged `:retry` are re-run a few times (via rspec-retry) so
+  # transient network blips don't fail the suite.
+  config.verbose_retry = true
+  config.display_try_failure_messages = true
+  config.default_sleep_interval = 1
+end
+
 describe SSLTest do
-  describe '.test' do
+  before { SSLTest.flush_cache }
+
+  let(:proxy_thread) { nil }
+
+
+  after(:each) { proxy_thread&.kill }
+
+  describe '.test_url' do
     it "returns no error on valid SNI website" do
       valid, error, cert = SSLTest.test("https://www.mycs.com")
       expect(error).to be_nil
@@ -15,20 +36,22 @@ describe SSLTest do
     end
 
     it "returns no error on valid SAN" do
-      pending "Expired for the moment"
-      valid, error, cert = SSLTest.test("https://1000-sans.badssl.com/")
+      # CN is updown.io, www.updown.io is an Alternative Name
+      valid, error, cert = SSLTest.test("https://www.updown.io/")
       expect(error).to be_nil
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns no error when no CN" do
-      pending "Expired for the moment https://github.com/chromium/badssl.com/issues/447"
-      valid, error, cert = SSLTest.test("https://no-common-name.badssl.com/")
-      expect(error).to be_nil
-      expect(valid).to eq(true)
-      expect(cert).to be_a OpenSSL::X509::Certificate
-    end
+    # Disabled: unlikely to be repaired anytime soon: https://github.com/chromium/badssl.com/issues/447
+    # Couldn't find a good alternative
+    # it "returns no error when no CN" do
+    #   pending "Expired for the moment https://github.com/chromium/badssl.com/issues/447"
+    #   valid, error, cert = SSLTest.test("https://no-common-name.badssl.com/")
+    #   expect(error).to be_nil
+    #   expect(valid).to eq(true)
+    #   expect(cert).to be_a OpenSSL::X509::Certificate
+    # end
 
     it "works with websites blocking http requests" do
       valid, error, cert = SSLTest.test("https://obyava.ua")
@@ -37,36 +60,36 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on self signed certificate" do
-      valid, error, cert = SSLTest.test("https://self-signed.badssl.com/")
+    it "returns error on self signed certificate", :retry => 5 do
+      valid, error, cert = SSLTest.test("https://self-signed.testserver.host/")
       expect(error).to eq ("error code 18: self-signed certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on incomplete chain" do
+    it "returns error on incomplete chain", :retry => 5 do
       valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
       expect(error).to eq ("error code 20: unable to get local issuer certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on untrusted root" do
-      valid, error, cert = SSLTest.test("https://untrusted-root.badssl.com/")
+    it "returns error on untrusted root", :retry => 5 do
+      valid, error, cert = SSLTest.test("https://untrusted-root.testserver.host/")
       expect(error).to eq ("error code 19: self-signed certificate in certificate chain")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on invalid host" do
+    it "returns error on invalid host", :retry => 5 do
       valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
       expect(error).to include('error code 62: hostname mismatch')
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on expired cert" do
-      valid, error, cert = SSLTest.test("https://expired.badssl.com/")
+    it "returns error on expired cert", :retry => 5 do
+      valid, error, cert = SSLTest.test("https://expired-rsa-dv.ssl.com/")
       expect(error).to eq ("error code 10: certificate has expired")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -74,65 +97,71 @@ describe SSLTest do
 
     it "returns undetermined state on unhandled error" do
       valid, error, cert = SSLTest.test("https://pijoinlrfgind.com")
-      expect(error).to eq ("SSL certificate test failed: Failed to open TCP connection to pijoinlrfgind.com:443 (getaddrinfo: Name or service not known)")
+      expect(error).to include("SSL certificate test failed: Failed to open TCP connection to pijoinlrfgind.com:443")
+      expect(error).to match(/name.*not known/i)
       expect(valid).to be_nil
       expect(cert).to be_nil
     end
 
     it "stops on timeouts" do
       valid, error, cert = SSLTest.test("https://updown.io", open_timeout: 0)
-      expect(error).to eq ("SSL certificate test failed: Failed to open TCP connection to updown.io:443 (Connection timed out - user specified timeout)")
+      expect(error).to include("SSL certificate test failed")
+      expect(error).to match(/timeout/i)
       expect(valid).to be_nil
       expect(cert).to be_nil
     end
 
     it "reports revocation exceptions" do
-      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
-      valid, error, cert = SSLTest.test("https://updown.io")
+      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      valid, error, cert = SSLTest.test("https://digicert.com")
       expect(error).to eq ("SSL certificate test failed: test")
       expect(valid).to be_nil
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "returns error on revoked cert (OCSP)" do
+      # CRL is tried first; disable it so OCSP performs the revocation check
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:follow_crl_redirects)
-      valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2021-10-27 21:38:48 UTC)")
+      valid, error, cert = SSLTest.test("https://revoked-rsa-dv.ssl.com/")
+      expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unspecified reason (revocation date: 2026-06-09 14:37:38 UTC)")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on revoked cert (CRL)" do
-      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
+    it "returns error on revoked cert (CRL)", :retry => 5 do
+      # CRL is tried first and detects the revocation, so OCSP is never used
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: Unknown reason (revocation date: 2021-10-27 21:38:48 UTC)")
+      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "stops following redirection after the limit for the revoked certs check" do
       valid, error, cert = SSLTest.test("https://github.com/", redirection_limit: 0)
-      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Request failed (URI: http://ocsp.digicert.com): Too many redirections (> 0), CRL: Request failed (URI: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl): Too many redirections (> 0)")
+      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
+      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "warns when the OCSP URI is missing" do
-      # Disable CRL fallback to see error message
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # Disable CRL (tried first) to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
-      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
+      valid, error, cert = SSLTest.test("https://google.com")
+      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "works with CRL only" do
-      # Disable OCSP
-      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
+      # CRL is tried first and succeeds for both certs, so OCSP is never used
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
+      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
       expect(error).to be_nil
       expect(valid).to eq(true)
@@ -143,29 +172,24 @@ describe SSLTest do
       # Disable OCSP to see error message
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).not_to receive(:follow_crl_redirects)
-      valid, error, cert = SSLTest.test("https://meta.updown.io")
-      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
+      valid, error, cert = SSLTest.test("https://github.com")
+      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (Let's Encrypt R3 intermediate)" do
+    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://meta.updown.io/")
-      expect(error).to be_nil
-      expect(valid).to eq(true)
-      expect(cert).to be_a OpenSSL::X509::Certificate
-    end
-
-    it "works with OCSP for first cert and CRL for intermediate (Certigna Services CA)" do
-      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
-      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      # Similar chain: https://www.demarches-simplifiees.fr
-      valid, error, cert = SSLTest.test("https://www.anonymisation.gov.pf")
+      valid, error, cert = SSLTest.test("https://github.com")
       expect(error).to be_nil
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
+      # make sure both were used
+      expect(SSLTest.cache_size).to match({
+        crl:  hash_including(lists: 1),
+        ocsp: hash_including(responses: 1, errors: 0)
+      })
     end
 
     it "accepts tcps scheme" do
@@ -174,6 +198,43 @@ describe SSLTest do
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
+
+    context 'when specifying a proxy' do
+      context 'when the proxy is active' do
+        let(:proxy_thread) do
+          thread = Thread.new do
+            dev_null = WEBrick::Log::new("/dev/null", 7)
+            $proxy = WEBrick::HTTPProxyServer.new Port: 8080,  :Logger => dev_null, :AccessLog => []
+            $proxy.start
+          end
+
+          sleep 0.1 # wait for the proxy to start!
+          allow($proxy).to receive(:do_GET).and_call_original
+
+          thread
+        end
+
+        it 'uses the provided http proxy' do
+          proxy_thread
+
+          valid, error, cert = SSLTest.test("https://updown.io", proxy_host: '127.0.0.1', proxy_port: 8080)
+          expect(error).to be_nil
+          expect(valid).to eq(true)
+          expect(cert).to be_a OpenSSL::X509::Certificate
+
+          expect($proxy).to have_received(:do_GET).twice
+        end
+      end
+
+      context 'when the proxy is not reachable' do
+        it 'returns a http error' do
+          valid, error, cert = SSLTest.test("https://updown.io", proxy_host: '127.0.0.1', proxy_port: 55000)
+          expect(error).to include('(Connection refused - connect(2) for "127.0.0.1" port 55000)')
+          expect(valid).to be_nil
+          expect(cert).to be_nil
+        end
+      end
+    end
   end
 
   describe '.cache_size' do
@@ -190,11 +251,11 @@ describe SSLTest do
       SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.1k
       SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl")) # 26k
       expect(SSLTest.cache_size[:crl][:lists]).to eq(2)
-      expect(SSLTest.cache_size[:crl][:bytes]).to be > 27_000
+      expect(SSLTest.cache_size[:crl][:bytes]).to be > 2000
     end
 
     it "returns OCSP cache size properly" do
-      SSLTest.test("https://updown.io")
+      SSLTest.test("https://github.com")
       expect(SSLTest.cache_size[:ocsp][:responses]).to eq(1)
       expect(SSLTest.cache_size[:ocsp][:errors]).to eq(0)
       expect(SSLTest.cache_size[:ocsp][:bytes]).to be > 150
@@ -209,7 +270,7 @@ describe SSLTest do
     it "fetch CRL list and updates cache" do
       uri = URI("http://crl.certigna.fr/certigna.crl")
       body, error = SSLTest.send(:follow_crl_redirects, uri)
-      expect(body.bytesize).to equal 1152
+      expect(body.bytesize).to equal 1417
       expect(error).to be_nil
 
       # Check cache status
@@ -233,4 +294,199 @@ describe SSLTest do
       expect(body2).to be(body) # but we're still using cache because it's a 304
     end
   end
-end
+
+  describe '.test_cert' do
+    it "returns no error on valid SNI website" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_mycs_com_ca_bundle.pem')))
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+    end
+
+    it "returns no error on self signed certificates" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/self_signed_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/self_signed_ca_bundle.pem')))
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+    end
+
+    it "returns error on expired cert" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/expired_cert_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/expired_cert_ca_bundle.pem')))
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq ("error code 10: certificate has expired")
+      expect(valid).to eq(false)
+      expect(cert).to eq(cert)
+    end
+
+    it "returns error on incomplete chain" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/incomplete_chain_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/incomplete_chain_ca_bundle.pem')))
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq ("error code 20: unable to get local issuer certificate")
+      expect(valid).to eq(false)
+      expect(cert).to eq(cert)
+    end
+
+    it "reports revocation exceptions" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/digicert_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/digicert_com_ca_bundle.pem')))
+      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq("SSL certificate test failed: test")
+      expect(valid).to be_nil
+      expect(cert).to eq(cert)
+    end
+
+    it "returns error on revoked cert (OCSP)" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_ca_bundle.pem')))
+
+      # CRL is tried first; disable it so OCSP performs the revocation check
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2025-06-09 15:07:39 UTC)")
+      expect(valid).to eq(false)
+      expect(cert).to eq(cert)
+    end
+
+    it "returns error on revoked cert (CRL)" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_badssl_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_badssl_ca_bundle.pem')))
+
+      # CRL is tried first and detects the revocation, so OCSP is never used
+      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
+      expect(valid).to eq(false)
+      expect(cert).to eq(cert)
+    end
+
+    it "stops following redirection after the limit for the revoked certs check" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_github_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle, redirection_limit: 0)
+      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
+      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Too many redirections (> 0)")
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+    end
+
+    it "warns when the OCSP URI is missing" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
+
+      # Disable CRL (tried first) to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+    end
+
+    it "works with CRL only" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_ca_bundle.pem')))
+
+      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
+      expect(SSLTest).not_to receive(:test_ocsp_revocation)
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+    end
+
+    it "warns when the CRL URI is missing" do
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_github_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
+
+      # Disable OCSP to see error message
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+
+    end
+
+    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_github_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
+
+      valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
+      expect(error).to be_nil
+      expect(valid).to eq(true)
+      expect(cert).to eq(cert)
+      # make sure both were used
+      expect(SSLTest.cache_size).to match({
+        crl:  hash_including(lists: 1),
+        ocsp: hash_including(responses: 1, errors: 0)
+      })
+    end
+
+    context 'when specifying a proxy' do
+      context 'when the proxy is active' do
+        let(:proxy_thread) do
+          thread = Thread.new do
+            dev_null = WEBrick::Log::new("/dev/null", 7)
+            $proxy = WEBrick::HTTPProxyServer.new Port: 8080,  :Logger => dev_null, :AccessLog => []
+            $proxy.start
+          end
+
+          sleep 0.1 # wait for the proxy to start!
+          allow($proxy).to receive(:do_GET).and_call_original
+
+          thread
+        end
+
+        it 'uses the provided http proxy' do
+          proxy_thread
+
+          cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
+          ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
+
+          valid, error, cert = SSLTest.test_cert(cert, ca_bundle, proxy_host: '127.0.0.1', proxy_port: 8080)
+          expect(error).to be_nil
+          expect(valid).to eq(true)
+          expect(cert).to eq(cert)
+
+          # CRL is tried first, so both certs are checked via CRL (GET) through the proxy
+          expect($proxy).to have_received(:do_GET).twice
+        end
+      end
+
+      context 'when the proxy is not reachable' do
+        it 'returns a http error' do
+          cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
+          ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
+
+          valid, error, cert = SSLTest.test_cert(cert, ca_bundle, proxy_host: '127.0.0.1', proxy_port: 55000)
+          expect(error).to include('(Connection refused - connect(2) for "127.0.0.1" port 55000)')
+          expect(valid).to be_nil
+          expect(cert).to eq(cert)
+        end
+      end
+    end
+  end
+end

data/ssl-test.gemspec

@@ -20,4 +20,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", ">= 1.7"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rspec-retry"
+  spec.add_development_dependency "webrick"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.6.0
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-10-24 00:00:00.000000000 Z
+date: 2026-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,7 +51,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+- !ruby/object:Gem::Dependency
+  name: rspec-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email:
 - jobs@adrienjarthon.com
 executables: []
@@ -70,13 +96,32 @@ files:
 - lib/ssl-test/crl.rb
 - lib/ssl-test/object_size.rb
 - lib/ssl-test/ocsp.rb
+- spec/fixtures/digicert_com_ca_bundle.pem
+- spec/fixtures/digicert_com_client.pem
+- spec/fixtures/expired_cert_ca_bundle.pem
+- spec/fixtures/expired_cert_client.pem
+- spec/fixtures/google_com_ca_bundle.pem
+- spec/fixtures/google_com_client.pem
+- spec/fixtures/incomplete_chain_ca_bundle.pem
+- spec/fixtures/incomplete_chain_client.pem
+- spec/fixtures/revoked_badssl_ca_bundle.pem
+- spec/fixtures/revoked_badssl_client.pem
+- spec/fixtures/revoked_rsa_dv_ca_bundle.pem
+- spec/fixtures/revoked_rsa_dv_client.pem
+- spec/fixtures/self_signed_ca_bundle.pem
+- spec/fixtures/self_signed_client.pem
+- spec/fixtures/www_demarches-simplifiees_fr_ca_bundle.pem
+- spec/fixtures/www_demarches-simplifiees_fr_client.pem
+- spec/fixtures/www_github_com_ca_bundle.pem
+- spec/fixtures/www_github_com_client.pem
+- spec/fixtures/www_mycs_com_ca_bundle.pem
+- spec/fixtures/www_mycs_com_client.pem
 - spec/ssl-test_spec.rb
 - ssl-test.gemspec
 homepage: https://github.com/jarthod/ssl-test
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -91,9 +136,28 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key: 
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Test website SSL certificate validity
 test_files:
+- spec/fixtures/digicert_com_ca_bundle.pem
+- spec/fixtures/digicert_com_client.pem
+- spec/fixtures/expired_cert_ca_bundle.pem
+- spec/fixtures/expired_cert_client.pem
+- spec/fixtures/google_com_ca_bundle.pem
+- spec/fixtures/google_com_client.pem
+- spec/fixtures/incomplete_chain_ca_bundle.pem
+- spec/fixtures/incomplete_chain_client.pem
+- spec/fixtures/revoked_badssl_ca_bundle.pem
+- spec/fixtures/revoked_badssl_client.pem
+- spec/fixtures/revoked_rsa_dv_ca_bundle.pem
+- spec/fixtures/revoked_rsa_dv_client.pem
+- spec/fixtures/self_signed_ca_bundle.pem
+- spec/fixtures/self_signed_client.pem
+- spec/fixtures/www_demarches-simplifiees_fr_ca_bundle.pem
+- spec/fixtures/www_demarches-simplifiees_fr_client.pem
+- spec/fixtures/www_github_com_ca_bundle.pem
+- spec/fixtures/www_github_com_client.pem
+- spec/fixtures/www_mycs_com_ca_bundle.pem
+- spec/fixtures/www_mycs_com_client.pem
 - spec/ssl-test_spec.rb