ssl-test 1.5.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 56fc310f88c6cf01540cb98cd8704cf9e4bbbf63f107398ad0c506d809f1661f
-  data.tar.gz: a6540f367f4fc62a6cb171e90084fe5d30a7d4247b7dd3f5fe76bd6c78770f52
+  metadata.gz: 886440c38c24dd0ad30e2fff8552fe89aa924010e8f9218032d030eceb29a422
+  data.tar.gz: b854a7f800c8aa3364ed78ebf29b4ec731e3904b7c33b682a39383a5096742d0
 SHA512:
-  metadata.gz: 827d397d81d91b110ee6e3012f7f0e0816390da20b37bafc563b584fa7d9106b938663f47720c553028fc49f057588ae1fea9e319e561d4d9f2a30f2702ce13d
-  data.tar.gz: b4f315bf38d8b86c3411047467c0c01c997f533190c1c54be597c480a5a8ec2bcced348fe8a417fbfa1c77d8ed47e3aab19aeff72167e67f3c4d01e20e4fd223
+  metadata.gz: 895f1193c0924d93b0bc4c29dea5d9de8b38b047f25c83273d13146c3bffa0a201676e320d6f4a6f373f231f87fdf0fda7bbef5a8983e40d489c8179097ed8dc
+  data.tar.gz: c1d2d3cd0014d31e01456dd5f0d1e58a59e820bb77f8e15a2755a27421a107b63d6cc653f115a7e50f19b475f40b1961bbdccab3b92181f1a5f812f68a668604

data/.github/workflows/ruby.yml

@@ -3,6 +3,14 @@ on: [push]
 jobs:
   specs:
     runs-on: ubuntu-22.04
+    services:
+      redis:
+        image: redis
+        ports: ['6379:6379']
+        options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
+      memcached:
+        image: memcached
+        ports: ['11211:11211']
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby

data/README.md

@@ -59,23 +59,23 @@ error # => nil
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint by default:
+Revoked certificates are detected using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) by default:
 
 ```ruby
 valid, error, cert = SSLTest.test_url "https://revoked.badssl.com"
 valid # => false
-error # => "SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2019-10-07 20:30:39 UTC)"
+error # => "SSL certificate revoked: Key Compromise (revocation date: 2019-10-07 20:30:39 UTC)"
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
+If the CRL is missing, invalid or unreachable the certificate revocation will be tested using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
 
-If both OCSP and CRL tests are impossible, the certificate will still be considered valid but with an error message:
+If both CRL and OCSP tests are impossible, the certificate will still be considered valid but with an error message:
 
 ```ruby
 valid, error, cert = SSLTest.test_url "https://sitewithnoOCSPorCRL.com"
 valid # => true
-error # => "Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: Missing crlDistributionPoints extension"
+error # => "Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: Missing OCSP URI in authorityInfoAccess extension"
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
@@ -96,20 +96,46 @@ This check will pass for self-signed certificates if the certificate is signed b
 
 SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
 
-After that it queries the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint to verify if the certificate has been revoked. If OCSP is not available it'll fetch the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with OCSP and the intermediate with CRL depending on what they offer.
+After that it fetches the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) to verify if the certificate has been revoked. If the CRL is not available it'll query the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with CRL and the intermediate with OCSP depending on what they offer.
 
 ### Caching
 
-OCSP and CRL responses are cached in memory, which makes subsequent testing faster and more robust (avoids network error and throttling) but be careful about memory usage if you try to validate millions of certificates in a row.
+OCSP and CRL responses are cached, which makes subsequent testing faster and more robust (avoids network error and throttling).
 
 About the caching duration:
 - OCSP responses are cached until their "next_update" indicated inside the repsonse
 - OCSP errors are cached for 5 minutes
 - CRL responses are cached for 1 hour
 
-CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change.
+CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change. The cached body is therefore kept in the backend for a longer retention period (~4 days, refreshed on each use) so it's still around to revalidate against; unused lists are dropped after that.
 
-You can check the size of the cache with `SSLTest.cache_size`, which returns:
+#### Cache backend
+
+The cache backend is configurable. By default SSLTest uses a simple in-process store (`SSLTest::MemoryStore`). To share the cache across processes and get compression, assign any object implementing the `Rails.cache`-style API (`read`, `write(key, value, expires_in:)`, `delete`):
+
+```ruby
+SSLTest.cache = Rails.cache          # shared + compressed (e.g. memcache via Dalli)
+SSLTest.cache = SSLTest::MemoryStore.new  # the default in-process store
+SSLTest.cache = MyCustomStore.new    # anything responding to read/write/delete
+```
+
+The default in-process store is per-process and unbounded, so be careful about memory usage if you try to validate millions of certificates in a row (the OCSP cache is keyed by certificate serial). Using a shared store like `Rails.cache` with memcache avoids this and shares the cache across processes.
+
+If you want a bounded/compressed in-process cache without pulling in `Rails.cache`, the API is intentionally compatible with `ActiveSupport::Cache::MemoryStore`, which you can drop in directly:
+
+```ruby
+require "active_support/cache"
+SSLTest.cache = ActiveSupport::Cache::MemoryStore.new(size: 64.megabytes, compress: true)
+```
+
+(It auto-prunes when it exceeds `size`, unlike the built-in store. Note the introspection helpers below are specific to `SSLTest::MemoryStore`.)
+
+> **Using memcached (Dalli)?** CRL lists can be large (commonly several MB, up to ~20MB for busy CAs). memcached rejects values over its max item size — 1MB by default — which Dalli surfaces as `Dalli::ValueOverMaxSize` (logged and skipped by `ActiveSupport::Cache::MemCacheStore`, so the test still passes but the list isn't cached and gets re-downloaded every time). To actually cache big CRLs, raise the limit on **both** sides to at least 64MB:
+>
+> - memcached server: start it with `-I 64m`
+> - Dalli client: `Dalli::Client.new(servers, value_max_bytes: 64 * 1024 * 1024)`, or via Rails: `config.cache_store = :mem_cache_store, servers, { value_max_bytes: 64.megabytes }`
+
+You can check the size of the **built-in** store with `SSLTest.cache.size`, which returns:
 
 ```ruby
 {
@@ -125,7 +151,9 @@ You can check the size of the cache with `SSLTest.cache_size`, which returns:
 }
 ```
 
-You can also flush the cache using `SSLTest.flush_cache` if you want (not recommended)
+You can also flush it using `SSLTest.cache.clear` if you want (not recommended).
+
+`size` is specific to the built-in `MemoryStore`; other backends won't respond to it. (The module-level `SSLTest.cache_size` and `SSLTest.flush_cache` from previous versions were **removed in 2.0** — use `SSLTest.cache.size` / `SSLTest.cache.clear` instead.)
 
 ### Logging
 
@@ -140,11 +168,11 @@ SSLTest will log various messages depending on the log level you specify, exampl
 ```
  INFO -- : SSLTest https://www.anonymisation.gov.pf started
 DEBUG -- : SSLTest + test_chain_revocation: www.anonymisation.gov.pf
+DEBUG -- : SSLTest   + CRL: [false, "Missing crlDistributionPoints extension", nil]
 DEBUG -- : SSLTest   + OCSP: fetch URI http://servicesca.ocsp.certigna.fr
 DEBUG -- : SSLTest   + OCSP: 200 OK (4661 bytes)
 DEBUG -- : SSLTest   + OCSP: ocsp_ok
 DEBUG -- : SSLTest + test_chain_revocation: Certigna Services CA
-DEBUG -- : SSLTest   + OCSP: [false, "Missing OCSP URI in authorityInfoAccess extension", nil]
 DEBUG -- : SSLTest   + CRL: fetch URI http://crl.certigna.fr/certigna.crl
 DEBUG -- : SSLTest   + CRL: 200 OK (1152 bytes)
 DEBUG -- : SSLTest   + CRL: crl_ok
@@ -167,6 +195,8 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 See also github releases: https://github.com/jarthod/ssl-test/releases
 
+* 2.0.0 - 2026-06-16: Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
+* 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay
 * 1.5.0 - 2025-11-28: Add support for local certificates testing and HTTP proxies (#8), changed `#test` method into `#test_url` and `#test_cert` (`#test` remains as an alias for `#test_url` for backward-compatibility)
 * 1.4.1 - 2022-10-24: Add support for "tcps://" scheme
 * 1.4.0 - 2021-01-16: Implemented CRL as fallback to OCSP + expose cache metrics + add logger support

data/lib/ssl-test/crl.rb

@@ -1,6 +1,13 @@
 module SSLTest
   module CRL
     CRL_CACHE_DURATION = 3600 # 1 hour
+    # How long a CRL entry is kept in the backend before being dropped if it's no
+    # longer used. This is much longer than CRL_CACHE_DURATION so the cached body
+    # and caching headers survive past the revalidation window (for cheap 304s),
+    # but bounded so unused lists don't pile up forever in a shared/long-lived
+    # backend (e.g. memcache). It's refreshed on every fetch (200/304), so
+    # actively-used entries never expire from this.
+    CRL_CACHE_RETENTION = 100 * CRL_CACHE_DURATION # ~4 days
 
     # A note about caching:
     # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
@@ -13,9 +20,9 @@ module SSLTest
     # and building a hash with serial, time and reason takes even more.
     # So doing this would be MUCH faster in terms of CPU for subsequent tests on the same CRL
     # but would take a LOT of memory.
-    # Also I expect most providers to support OCSP for first level cert (a lot of revokation),
-    # which means we should have to use CRL mostly for intermediaries with much smaller CRL.
-    # That's what Let's Encrypt is doing with their R3 intermediate for example.
+    # Note: we now check CRL first for every cert in the chain (leaf included), so leaf
+    # CRLs are fetched and cached too. These can be large for busy CAs, which makes the
+    # memory tradeoff above (caching the raw body rather than the parsed list) even more relevant.
 
     private
 
@@ -54,10 +61,14 @@ module SSLTest
     def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
       return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
 
-      # Return file from cache if not expired
-      @crl_response_cache ||= {}
-      cache_entry = @crl_response_cache[uri]
-      return [cache_entry[:body], nil] if cache_entry && cache_entry.fetch(:expires) > Time.now
+      # Return file from cache if not expired.
+      # CRL entries are kept in the backend for CRL_CACHE_RETENTION (much longer
+      # than CRL_CACHE_DURATION) so the cached body + caching headers survive past
+      # the freshness window and can be revalidated cheaply with a conditional
+      # request (304). We track our own freshness window with the :expires field.
+      cache_key = "#{CACHE_NAMESPACE}/crl/#{uri}"
+      cache_entry = cache.read(cache_key)
+      return [cache_entry[:body], nil] if cache_entry && cache_entry[:expires] > Time.now
 
       @logger&.debug { "SSLTest   + CRL: fetch URI #{uri}" }
       path = uri.path == "" ? "/" : uri.path
@@ -67,9 +78,9 @@ module SSLTest
 
       req = Net::HTTP::Get.new(path)
       # Include conditional caching headers from cache to save bandwidth if list didn't change (304)
-      if etag = cache_entry&.fetch(:etag)
+      if etag = cache_entry&.[](:etag)
         req["If-None-Match"] = etag
-      elsif last_mod = cache_entry&.fetch(:last_mod)
+      elsif last_mod = cache_entry&.[](:last_mod)
         req["If-Modified-Since"] = last_mod
       end
       http_response = http.request(req)
@@ -77,19 +88,19 @@ module SSLTest
       when Net::HTTPNotModified
         # No changes, bump cache expiration time and return cached body
         @logger&.debug { "SSLTest   + CRL: 304 Not Modified" }
-        @crl_response_cache[uri][:expires] = Time.now + CRL_CACHE_DURATION
+        cache.write(cache_key, cache_entry.merge(expires: Time.now + CRL_CACHE_DURATION), expires_in: CRL_CACHE_RETENTION)
         [cache_entry[:body], nil]
       when Net::HTTPSuccess
         # Success, update (or add to) cache and return frech body
         @logger&.debug { "SSLTest   + CRL: 200 OK (#{http_response.body.bytesize} bytes)" }
         @logger&.warn { "SSLTest   + CRL: Warning: massive file size" } if http_response.body.bytesize > 1024**2 # 1MB
         @logger&.warn { "SSLTest   + CRL: Warning: no caching headers on #{uri}" } unless http_response["Etag"] or http_response["Last-Modified"]
-        @crl_response_cache[uri] = {
+        cache.write(cache_key, {
           body: http_response.body,
           expires: Time.now + CRL_CACHE_DURATION,
           etag: http_response["Etag"],
           last_mod: http_response["Last-Modified"]
-        }
+        }, expires_in: CRL_CACHE_RETENTION)
         [http_response.body, nil]
       when Net::HTTPRedirection
         follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)

data/lib/ssl-test/memory_store.rb

@@ -0,0 +1,81 @@
+module SSLTest
+  # A tiny in-process cache store used as the default backend. It mirrors the
+  # small subset of the ActiveSupport::Cache / Rails.cache API that SSLTest relies
+  # on (read/write/delete) so they're interchangeable (assign Rails.cache via
+  # SSLTest.cache= to share/compress across processes). Access is guarded by a
+  # Mutex because SSLTest is typically used from threaded servers (e.g. Puma).
+  #
+  # Unlike a shared/compressed backend (memcache via Dalli), this store is
+  # per-process, uncompressed and unbounded, so be careful about memory usage if
+  # you validate millions of certificates in a row (the OCSP cache is keyed by
+  # certificate serial). For those workloads, configure SSLTest.cache to a shared
+  # store instead.
+  class MemoryStore
+    def initialize
+      @data = {}
+      @mutex = Mutex.new
+    end
+
+    def read(key)
+      @mutex.synchronize do
+        entry = @data[key]
+        next nil unless entry
+        if entry[:expires_at] && entry[:expires_at] <= Time.now
+          @data.delete(key)
+          next nil
+        end
+        entry[:value]
+      end
+    end
+
+    def write(key, value, expires_in: nil)
+      @mutex.synchronize do
+        @data[key] = { value: value, expires_at: expires_in && Time.now + expires_in }
+      end
+      value
+    end
+
+    def delete(key)
+      @mutex.synchronize { @data.delete(key) }
+    end
+
+    def clear
+      @mutex.synchronize { @data.clear }
+    end
+
+    # Yields [key, value] for every entry that hasn't expired.
+    def each
+      return enum_for(:each) unless block_given?
+      now = Time.now
+      @mutex.synchronize { @data.dup }.each do |key, entry|
+        next if entry[:expires_at] && entry[:expires_at] <= now
+        yield key, entry[:value]
+      end
+    end
+
+    # Returns a breakdown of the cached SSLTest entries (CRL lists and OCSP
+    # responses/errors) with approximate byte sizes, mainly useful for monitoring
+    # memory usage. Specific to ssl-test's key namespace.
+    def size
+      crl_lists = ocsp_responses = ocsp_errors = 0
+      crl_bytes = ocsp_bytes = 0
+      each do |key, value|
+        case key
+        when %r{\A#{CACHE_NAMESPACE}/crl/}
+          crl_lists += 1
+          crl_bytes += ObjectSize.size(value)
+        when %r{\A#{CACHE_NAMESPACE}/ocsp-error/}
+          ocsp_errors += 1
+          ocsp_bytes += ObjectSize.size(value)
+        when %r{\A#{CACHE_NAMESPACE}/ocsp/}
+          ocsp_responses += 1
+          ocsp_bytes += ObjectSize.size(value)
+        end
+      end
+      {
+        crl: { lists: crl_lists, bytes: crl_bytes },
+        ocsp: { responses: ocsp_responses, errors: ocsp_errors, bytes: ocsp_bytes }
+      }
+    end
+  end
+end

data/lib/ssl-test/ocsp.rb

@@ -5,15 +5,18 @@ module SSLTest
     private
 
     def test_ocsp_revocation cert, issuer:, chain:, **options
-      @ocsp_response_cache ||= {}
-      @ocsp_request_error_cache ||= {}
-
       unicity_key = "#{cert.issuer}/#{cert.serial}"
+      error_cache_key = "#{CACHE_NAMESPACE}/ocsp-error/#{unicity_key}"
+      response_cache_key = "#{CACHE_NAMESPACE}/ocsp/#{unicity_key}"
 
-      current_request_error_cache = @ocsp_request_error_cache[unicity_key]
-      return current_request_error_cache[:error] if current_request_error_cache && Time.now <= current_request_error_cache[:expires]
+      # Expiry is handled by the cache backend (expires_in), so a cached value is
+      # always still valid: a present error means we recently failed, a present
+      # response means it hasn't reached its next_update yet.
+      cached_error = cache.read(error_cache_key)
+      return cached_error if cached_error
 
-      if @ocsp_response_cache[unicity_key].nil? || @ocsp_response_cache[unicity_key][:next_update] <= Time.now
+      ocsp_response = cache.read(response_cache_key)
+      if ocsp_response.nil?
         authority_info_access = cert.extensions.find do |extension|
           extension.oid == "authorityInfoAccess"
         end
@@ -57,11 +60,13 @@ module SSLTest
 
         return ocsp_soft_fail_return("Serial check failed (URI: #{ocsp_uri})", unicity_key) unless response_certificate_id.serial == certificate_id.serial
 
-        @ocsp_response_cache[unicity_key] = { status: status, reason: reason, revocation_time: revocation_time, next_update: next_update }
+        ocsp_response = { status: status, reason: reason, revocation_time: revocation_time }
+        # Cache until the response's next_update. If it's already past (or
+        # missing), skip caching and just use the fresh result for this call.
+        ttl = next_update && next_update - Time.now
+        cache.write(response_cache_key, ocsp_response, expires_in: ttl) if ttl && ttl > 0
       end
 
-      ocsp_response = @ocsp_response_cache[unicity_key]
-
       return [true, revocation_reason_to_string(ocsp_response[:reason]), ocsp_response[:revocation_time]] if ocsp_response[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
       :ocsp_ok
     end
@@ -135,7 +140,7 @@ module SSLTest
 
     def ocsp_soft_fail_return(reason, unicity_key = nil)
        error = [false, reason, nil]
-       @ocsp_request_error_cache[unicity_key] = { error: error, expires: Time.now + ERROR_CACHE_DURATION } if unicity_key
+       cache.write("#{CACHE_NAMESPACE}/ocsp-error/#{unicity_key}", error, expires_in: ERROR_CACHE_DURATION) if unicity_key
        error
     end
   end

data/lib/ssl-test.rb

@@ -3,6 +3,7 @@ require "net/https"
 require "openssl"
 require "uri"
 require "ssl-test/object_size"
+require "ssl-test/memory_store"
 require "ssl-test/ocsp"
 require "ssl-test/crl"
 
@@ -10,7 +11,11 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"1.5.0"
+  VERSION = -"2.0.0"
+
+  # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
+  # cache (e.g. Rails.cache).
+  CACHE_NAMESPACE = -"ssl-test"
 
   class << self
     def test_url url, open_timeout: 5, read_timeout: 5, proxy_host: nil, proxy_port: nil, redirection_limit: 5
@@ -79,24 +84,30 @@ module SSLTest
       end
     end
 
+    # The cache backend used to store CRL and OCSP responses. Defaults to an
+    # in-process MemoryStore. To share the cache across processes (and get
+    # compression), assign Rails.cache (or any object responding to the
+    # Rails.cache-style API: read/write/delete), e.g. `SSLTest.cache = Rails.cache`.
+    def cache
+      @cache ||= MemoryStore.new
+    end
+
+    def cache= store
+      @cache = store
+    end
+
+    # Removed in 2.0: introspection now lives on the cache store. With the
+    # built-in MemoryStore use SSLTest.cache.size; other backends (e.g. memcache)
+    # can't be enumerated.
     def cache_size
-      {
-        crl: {
-          lists: @crl_response_cache&.size || 0,
-          bytes: ObjectSize.size(@crl_response_cache)
-        },
-        ocsp: {
-          responses: @ocsp_response_cache&.size || 0,
-          errors: @ocsp_request_error_cache&.size || 0,
-          bytes: ObjectSize.size(@ocsp_response_cache) + ObjectSize.size(@ocsp_request_error_cache)
-        }
-      }
+      raise NoMethodError, "SSLTest.cache_size was removed in 2.0; use SSLTest.cache.size instead (available on the built-in SSLTest::MemoryStore)."
     end
 
+    # Removed in 2.0: clearing now lives on the cache store. With the built-in
+    # MemoryStore use SSLTest.cache.clear (note: calling clear on a shared backend
+    # like Rails.cache would wipe unrelated entries).
     def flush_cache
-      @crl_response_cache = {}
-      @ocsp_response_cache = {}
-      @ocsp_request_error_cache = {}
+      raise NoMethodError, "SSLTest.flush_cache was removed in 2.0; use SSLTest.cache.clear instead."
     end
 
     def logger= logger
@@ -136,20 +147,20 @@ module SSLTest
       chain[0..-2].each_with_index do |cert, i|
         @logger&.debug { "SSLTest + test_chain_revocation: #{cert_field_to_hash(cert.subject)['CN']}" }
 
-        # Try with OCSP first
-        ocsp_result = test_ocsp_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + OCSP: #{ocsp_result}" }
-        next if ocsp_result == :ocsp_ok # passed, go to next cert
-        return ocsp_result if ocsp_result[0] == true # revoked
-
-        # Otherwise it means there was an error so let's try with CRL instead
+        # Try with CRL first
         crl_result = test_crl_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
         @logger&.debug { "SSLTest   + CRL: #{crl_result}" }
         next if crl_result == :crl_ok # passed, go to next cert
         return crl_result if crl_result[0] == true # revoked
 
+        # Otherwise it means there was an error so let's try with OCSP instead
+        ocsp_result = test_ocsp_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
+        @logger&.debug { "SSLTest   + OCSP: #{ocsp_result}" }
+        next if ocsp_result == :ocsp_ok # passed, go to next cert
+        return ocsp_result if ocsp_result[0] == true # revoked
+
         # If both method failed, return a soft fail with a combination of both error messages
-        return [false, "OCSP: #{ocsp_result[1]}, CRL: #{crl_result[1]}", nil]
+        return [false, "CRL: #{crl_result[1]}, OCSP: #{ocsp_result[1]}", nil]
       end
 
       # If all test passed, the certificate is not revoked

data/spec/cache_backends_spec.rb

@@ -0,0 +1,103 @@
+require "ssl-test"
+require "active_support"
+require "active_support/cache"
+require "tmpdir"
+
+# Verifies the cache backends people are likely to plug into SSLTest.cache (the
+# classic Rails/ActiveSupport stores) satisfy the read / write / expiration
+# contract SSLTest relies on, including (de)serialization of the value shapes it
+# stores: Hashes containing Strings (incl. binary CRL bodies), Times, Integers
+# and nils, plus Arrays (OCSP errors).
+#
+# Stores backed by an external server (MemCacheStore, RedisCacheStore) or an
+# extra gem are skipped when unavailable, so the suite stays green locally; CI
+# provides the servers (see .github/workflows/ruby.yml) so they actually run.
+describe "ActiveSupport cache backend compatibility" do
+  # Representative of what SSLTest caches: a CRL entry (binary body + Time) and
+  # an OCSP error entry (an Array). Fixed Time so serialization round-trips are
+  # deterministic.
+  let(:crl_entry) do
+    { body: ("\x30\x82\x01\x02".b * 50), expires: Time.utc(2030, 1, 1, 12), etag: 'W/"abc123"', last_mod: nil }
+  end
+  let(:ocsp_error) { [false, "Request failed (URI: http://ocsp.example.com)", nil] }
+
+  # Stores that actually persist values (NullStore intentionally doesn't).
+  CACHING_STORES = %w[MemoryStore FileStore MemCacheStore RedisCacheStore]
+
+  def build_store(name)
+    case name
+    when "MemoryStore"
+      ActiveSupport::Cache::MemoryStore.new
+    when "FileStore"
+      ActiveSupport::Cache::FileStore.new(Dir.mktmpdir("ssl-test-cache"))
+    when "NullStore"
+      ActiveSupport::Cache::NullStore.new
+    when "MemCacheStore"
+      require "dalli"
+      ActiveSupport::Cache::MemCacheStore.new(ENV.fetch("MEMCACHE_SERVERS", "127.0.0.1:11211"))
+    when "RedisCacheStore"
+      require "redis"
+      ActiveSupport::Cache::RedisCacheStore.new(url: ENV.fetch("REDIS_URL", "redis://127.0.0.1:6379/15"))
+    end
+  end
+
+  around do |example|
+    previous = SSLTest.cache
+    example.run
+  ensure
+    SSLTest.cache = previous
+  end
+
+  (CACHING_STORES + %w[NullStore]).each do |name|
+    context name do
+      before do
+        begin
+          SSLTest.cache = build_store(name)
+        rescue LoadError => e
+          skip "#{name} unavailable: #{e.message}"
+        end
+
+        # For server-backed stores, ActiveSupport silently treats a missing
+        # server as a cache miss; probe so we skip (rather than fail) when the
+        # server isn't running.
+        if CACHING_STORES.include?(name)
+          SSLTest.cache.write("ssl-test/probe", "ok", expires_in: 60)
+          skip "#{name} server not reachable" unless SSLTest.cache.read("ssl-test/probe") == "ok"
+        end
+      end
+
+      if name == "NullStore"
+        it "acts as a no-op (the gem still works, just without caching)" do
+          SSLTest.cache.write("ssl-test/crl/x", crl_entry, expires_in: nil)
+          expect(SSLTest.cache.read("ssl-test/crl/x")).to be_nil
+        end
+      else
+        it "round-trips a CRL entry (binary body + Time serialization)" do
+          SSLTest.cache.write("ssl-test/crl/x", crl_entry, expires_in: 100 * 3600)
+          expect(SSLTest.cache.read("ssl-test/crl/x")).to eq(crl_entry)
+        end
+
+        it "round-trips an OCSP error entry (Array serialization)" do
+          SSLTest.cache.write("ssl-test/ocsp-error/y", ocsp_error, expires_in: 300)
+          expect(SSLTest.cache.read("ssl-test/ocsp-error/y")).to eq(ocsp_error)
+        end
+
+        it "returns nil for a missing key" do
+          expect(SSLTest.cache.read("ssl-test/ocsp/missing")).to be_nil
+        end
+
+        it "persists entries written with no expiry (expires_in: nil)" do
+          SSLTest.cache.write("ssl-test/crl/persist", crl_entry, expires_in: nil)
+          expect(SSLTest.cache.read("ssl-test/crl/persist")).to eq(crl_entry)
+        end
+
+        it "honors expires_in" do
+          SSLTest.cache.write("ssl-test/ocsp/z", { status: 0 }, expires_in: 0.1)
+          expect(SSLTest.cache.read("ssl-test/ocsp/z")).to eq({ status: 0 })
+          sleep 0.2
+          expect(SSLTest.cache.read("ssl-test/ocsp/z")).to be_nil
+        end
+      end
+    end
+  end
+end

data/spec/fixtures/digicert_com_ca_bundle.pem

@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIG7jCCBdagAwIBAgIQBz2KfzHX7LJ6+D64tWXIFTANBgkqhkiG9w0BAQsFADBE
+MIIG7TCCBdWgAwIBAgIQD4I+q2GZA3ujBecwxBeStjANBgkqhkiG9w0BAQsFADBE
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMR4wHAYDVQQDExVE
-aWdpQ2VydCBFViBSU0EgQ0EgRzIwHhcNMjUxMTAzMDAwMDAwWhcNMjUxMjE5MjM1
+aWdpQ2VydCBFViBSU0EgQ0EgRzIwHhcNMjYwNjA5MDAwMDAwWhcNMjYwNzI1MjM1
 OTU5WjCBwTETMBEGCysGAQQBgjc8AgEDEwJVUzEVMBMGCysGAQQBgjc8AgECEwRV
 dGFoMR0wGwYDVQQPDBRQcml2YXRlIE9yZ2FuaXphdGlvbjEVMBMGA1UEBRMMNTI5
 OTUzNy0wMTQyMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDENMAsGA1UEBxME
 TGVoaTEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xGTAXBgNVBAMTEHd3dy5kaWdp
-Y2VydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCoFf4dPzKL
-K3KtscZ8hWhinM8VizoyYg6qF7zpGIphVHZtiuMowkKcHN8zk+Te9o3BFDnQYU6L
-LSvI3JqcCxe8G7xOLxHG94ZDwjhhXUo/CxcHgNgyuSx1+OC5bXISTibb7jF2YU8u
-9rh4Vuyn13JNqU4HqrdwqEVZiW7rlC5yPO5sKadgjIu7CjjLsSYfen7uSfM0Mc4i
-qs8TNqD2jQViefdIvmQGVqyJf+Fk12LlW2TdUeh89aEOagK+ZhSJx2bipeyj0eBB
-ybJ8Q6kd4XLIPpx1QOV7yy755vLdfedllgnCv9C0BdHQF90SS+oADvyefXNNOTqT
-fe+XwDdfkATTAgMBAAGjggNcMIIDWDAfBgNVHSMEGDAWgBRqTlC/mGidW3sgddRZ
-AXlIZpIyBjAdBgNVHQ4EFgQUGd8hbnJtfOowjka/Sg7kOYi2oeEwKQYDVR0RBCIw
+Y2VydC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDso4J0VSPj
+9L8seWfRT+SDm0gw4xANEk34z3gDbVzCUNvAmi5SQIDxoSpUJaVaprR4wpkXT/di
+WJK7uV2iOozOFZ05cHGBmrv/SQAjZjLhKYHgRXQr/Kuu89IH++nxp9WdT12BEzsS
+WDxVRCissVv8LZBNkH3rJDGSqaW8mLTvfF9DKL3ReXsit5/ibELWnYoOwbG1uPvi
+36Ennp7rR+hckf1bXN638K1/cBQQPAKiv750qxKDwv13XKwV9f3B/3RpRqIUcOAw
++cuj4nVtWE3+P/pkOEsy7ckH5aV0AIz5bF9prDVSmlYZm69o2Q03cUgt/BqcYkg7
+YqOg203JLBNNAgMBAAGjggNbMIIDVzAfBgNVHSMEGDAWgBRqTlC/mGidW3sgddRZ
+AXlIZpIyBjAdBgNVHQ4EFgQUMxYTQjzRD/R9svhyUBNlsQxeeTowKQYDVR0RBCIw
 IIIQd3d3LmRpZ2ljZXJ0LmNvbYIMZGlnaWNlcnQuY29tMEoGA1UdIARDMEEwCwYJ
 YIZIAYb9bAIBMDIGBWeBDAEBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGln
 aWNlcnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
@@ -22,23 +22,22 @@ Z2lDZXJ0RVZSU0FDQUcyLmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQu
 Y29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNybDBzBggrBgEFBQcBAQRnMGUwJAYIKwYB
 BQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA9BggrBgEFBQcwAoYxaHR0
 cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0RVZSU0FDQUcyLmNydDAM
-BgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDd3Mo0ldfh
-FgXnlTL6x5/4PRxQ39sAOhQSdgosrLvIKgAAAZpIkZnpAAAEAwBHMEUCIC8jE0Ey
-0Q7xGE3PenZUJKcj+18nm0myb27cIyHx2jsVAiEA+YQXhHCbJc17AXmWgc63Z7RT
-PvhE/Fq8k53T2H6SirYAdwDtPEvW6AbCpKIAV9vLJOI4Ad9RL+3EhsVwDyDdtz4/
-4AAAAZpIkZnnAAAEAwBIMEYCIQD+lFI/hO60oJOUndldghaqClo9/dy0O6FWaP06
-Mn619QIhAMUSTSyO09wXaoiCUGrEZLlPvU1a3woB7Ja63sh1aUkbAHUApELFBklg
-YVSPD9TqnPt6LSZFTYepfy/fRVn2J086hFQAAAGaSJGZ+AAABAMARjBEAiBWGFi2
-0F9ZZMzWcCcdmVpEz5y5T7cQ91z1DojVjc8Y4AIgGVU0KD/MTHi8b0nZb6B4uiD8
-k97tErH3VPd1N5CiMPcwDQYJKoZIhvcNAQELBQADggEBADwGDULnh6YXMyl5Zylo
-su7Bzw6lLG6RVYUtkJuiWeDfCCxaXkzUYIA/bsAQFBrWTQmyxBm6vIh/eNgGYUtO
-05uFrRbijre0+DiF1QTtfg9lBPtXVp4GwpB3om7C283TQvlDczpyPKkVtYrvsp0L
-VUyt7LDPgaR69+ieVMQIn4pH/vWNGA8xlrL1jqv3W9RnGc1w1X/ceCshQD+VcNDe
-7xm0tesmOzuFwJbEetuDLWfXHUs2UWkbGyS8XMt76mo6rsesex0GjO2VsTkrV5Fg
-xdboAzxOYE7ASn/LTbdtGQBuKyZHS1wH6g2q8vr9INk2rj+XvTCPe6DSffRrKdMf
-LbM=
+BgNVHRMBAf8EAjAAMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdgDCMX5XRRmj
+Re5/ON6ykEHrx8IhWiK/f9W1rXaa2Q5SzQAAAZ6rBBTHAAAEAwBHMEUCIQClS0CE
+o9NLQgyRRj+NXa6M5vHiMAeQQXdvxrztgEUfpAIgVPxQCT16MQ2CJVoDwW1hP0//
+QEb7cE3fYpJazoOv/+oAdgDXbX0Q0af1d8LH6V/XAL/5gskzWmXh0LMBcxfAyMVp
+dwAAAZ6rBBSRAAAEAwBHMEUCIQC7NRXmFL0D3t/iLvfezwsB/DyzDuXle3u4BA8L
+CT5LigIgZ5Tmcmgzv42s15QbHNEkgpi1DyocInQgxjo3yyVye94AdQCUTkOH+uzB
+74HzGSQmqBhlAcfTXzgCAT9yZ31VNy4Z2AAAAZ6rBBS1AAAEAwBGMEQCICLSuVkk
+OVVXxrPAzuUj7zs5dpgDAVoVgzQelsixO8H6AiB0bB4SNowTnVZDEJ5knILVRQof
+4OrJVterjy9djCUUMDANBgkqhkiG9w0BAQsFAAOCAQEAMQ+sL8XkSJozMEFlXm3D
+L5gN/ApjW+Yzz1naeWLuoz5qTO6q2mzB6b5F9PyWJH170xRFcY9DrAqY5KfXq2Pu
+2ASgUecTeRWTF4HMgelFelPhlqycpHHCBrxLJkI7X9XNG/ZFVT4VdP8LRofpPM8b
+0eHmt4RkiTKoSpbZbn06nobyb3UD7Snrya8iwMXmdHr5l9rknrmB6eYWbToRB+MN
+PZXeabHjHp+etL8FUMc9HeFwWuI3rB0WstcrSiFtXI2gkdmR3wkMh1lmzTH8XHAx
+61mAo5VRwqC8zWZ0S1RJOFu7H829vDFetORJUbhIKPaYFEtABdOwkWwexeyc1TH0
+nA==
 -----END CERTIFICATE-----
-
 -----BEGIN CERTIFICATE-----
 MIIFPDCCBCSgAwIBAgIQAWePH++IIlXYsKcOa3uyIDANBgkqhkiG9w0BAQsFADBh
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
@@ -69,7 +68,6 @@ WLBNN29Z/nbCS7H/qLGt7gViEvTIdU8x+H4l/XigZMUDaVmJ+B5d7cwSK7yOoQdf
 oIBGmA5Mp4LhMzo52rf//kXPfE3wYIZVHqVuxxlnTkFYmffCX9/Lon7SWaGdg6Rc
 k4RHhHLWtmz2lTZ5CEo2ljDsGzCFGJP7oT4q6Q8oFC38irvdKIJ95cUxYzj4tnOI
 -----END CERTIFICATE-----
-
 -----BEGIN CERTIFICATE-----
 MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3