ssl-test 1.6.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa4bf88f0998469b7b82910dcef9f53cc6a64827c5aba691591138b78d33877e
-  data.tar.gz: 1666b7fd1b40b3a611d04521041ad64a5a0c6536c3d2fafb3b412ce184c371d5
+  metadata.gz: 886440c38c24dd0ad30e2fff8552fe89aa924010e8f9218032d030eceb29a422
+  data.tar.gz: b854a7f800c8aa3364ed78ebf29b4ec731e3904b7c33b682a39383a5096742d0
 SHA512:
-  metadata.gz: a40f9e0a498e0ede200cfd6382c24af3b1ab39163b4ac040b4817dff08dc7c320136b3e8516eb5a4fd4f443083da54cf5a822a5736a4795d93de8c7e2581e38b
-  data.tar.gz: c51a2d657031506b792960ccd3975521e8cfe5f9c5ffdfd06a7d48a6eacadef63811c4467acc34145d17022de8c3f92ac3a5ccf56316f4766b5ccbefe5fbc9a9
+  metadata.gz: 895f1193c0924d93b0bc4c29dea5d9de8b38b047f25c83273d13146c3bffa0a201676e320d6f4a6f373f231f87fdf0fda7bbef5a8983e40d489c8179097ed8dc
+  data.tar.gz: c1d2d3cd0014d31e01456dd5f0d1e58a59e820bb77f8e15a2755a27421a107b63d6cc653f115a7e50f19b475f40b1961bbdccab3b92181f1a5f812f68a668604

data/.github/workflows/ruby.yml

@@ -3,6 +3,14 @@ on: [push]
 jobs:
   specs:
     runs-on: ubuntu-22.04
+    services:
+      redis:
+        image: redis
+        ports: ['6379:6379']
+        options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
+      memcached:
+        image: memcached
+        ports: ['11211:11211']
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby

data/README.md

@@ -100,16 +100,42 @@ After that it fetches the [CRL](https://en.wikipedia.org/wiki/Certificate_revoca
 
 ### Caching
 
-OCSP and CRL responses are cached in memory, which makes subsequent testing faster and more robust (avoids network error and throttling) but be careful about memory usage if you try to validate millions of certificates in a row.
+OCSP and CRL responses are cached, which makes subsequent testing faster and more robust (avoids network error and throttling).
 
 About the caching duration:
 - OCSP responses are cached until their "next_update" indicated inside the repsonse
 - OCSP errors are cached for 5 minutes
 - CRL responses are cached for 1 hour
 
-CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change.
+CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change. The cached body is therefore kept in the backend for a longer retention period (~4 days, refreshed on each use) so it's still around to revalidate against; unused lists are dropped after that.
 
-You can check the size of the cache with `SSLTest.cache_size`, which returns:
+#### Cache backend
+
+The cache backend is configurable. By default SSLTest uses a simple in-process store (`SSLTest::MemoryStore`). To share the cache across processes and get compression, assign any object implementing the `Rails.cache`-style API (`read`, `write(key, value, expires_in:)`, `delete`):
+
+```ruby
+SSLTest.cache = Rails.cache          # shared + compressed (e.g. memcache via Dalli)
+SSLTest.cache = SSLTest::MemoryStore.new  # the default in-process store
+SSLTest.cache = MyCustomStore.new    # anything responding to read/write/delete
+```
+
+The default in-process store is per-process and unbounded, so be careful about memory usage if you try to validate millions of certificates in a row (the OCSP cache is keyed by certificate serial). Using a shared store like `Rails.cache` with memcache avoids this and shares the cache across processes.
+
+If you want a bounded/compressed in-process cache without pulling in `Rails.cache`, the API is intentionally compatible with `ActiveSupport::Cache::MemoryStore`, which you can drop in directly:
+
+```ruby
+require "active_support/cache"
+SSLTest.cache = ActiveSupport::Cache::MemoryStore.new(size: 64.megabytes, compress: true)
+```
+
+(It auto-prunes when it exceeds `size`, unlike the built-in store. Note the introspection helpers below are specific to `SSLTest::MemoryStore`.)
+
+> **Using memcached (Dalli)?** CRL lists can be large (commonly several MB, up to ~20MB for busy CAs). memcached rejects values over its max item size — 1MB by default — which Dalli surfaces as `Dalli::ValueOverMaxSize` (logged and skipped by `ActiveSupport::Cache::MemCacheStore`, so the test still passes but the list isn't cached and gets re-downloaded every time). To actually cache big CRLs, raise the limit on **both** sides to at least 64MB:
+>
+> - memcached server: start it with `-I 64m`
+> - Dalli client: `Dalli::Client.new(servers, value_max_bytes: 64 * 1024 * 1024)`, or via Rails: `config.cache_store = :mem_cache_store, servers, { value_max_bytes: 64.megabytes }`
+
+You can check the size of the **built-in** store with `SSLTest.cache.size`, which returns:
 
 ```ruby
 {
@@ -125,7 +151,9 @@ You can check the size of the cache with `SSLTest.cache_size`, which returns:
 }
 ```
 
-You can also flush the cache using `SSLTest.flush_cache` if you want (not recommended)
+You can also flush it using `SSLTest.cache.clear` if you want (not recommended).
+
+`size` is specific to the built-in `MemoryStore`; other backends won't respond to it. (The module-level `SSLTest.cache_size` and `SSLTest.flush_cache` from previous versions were **removed in 2.0** — use `SSLTest.cache.size` / `SSLTest.cache.clear` instead.)
 
 ### Logging
 
@@ -167,6 +195,7 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 See also github releases: https://github.com/jarthod/ssl-test/releases
 
+* 2.0.0 - 2026-06-16: Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
 * 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay
 * 1.5.0 - 2025-11-28: Add support for local certificates testing and HTTP proxies (#8), changed `#test` method into `#test_url` and `#test_cert` (`#test` remains as an alias for `#test_url` for backward-compatibility)
 * 1.4.1 - 2022-10-24: Add support for "tcps://" scheme

data/lib/ssl-test/crl.rb

@@ -1,6 +1,13 @@
 module SSLTest
   module CRL
     CRL_CACHE_DURATION = 3600 # 1 hour
+    # How long a CRL entry is kept in the backend before being dropped if it's no
+    # longer used. This is much longer than CRL_CACHE_DURATION so the cached body
+    # and caching headers survive past the revalidation window (for cheap 304s),
+    # but bounded so unused lists don't pile up forever in a shared/long-lived
+    # backend (e.g. memcache). It's refreshed on every fetch (200/304), so
+    # actively-used entries never expire from this.
+    CRL_CACHE_RETENTION = 100 * CRL_CACHE_DURATION # ~4 days
 
     # A note about caching:
     # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
@@ -54,10 +61,14 @@ module SSLTest
     def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
       return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
 
-      # Return file from cache if not expired
-      @crl_response_cache ||= {}
-      cache_entry = @crl_response_cache[uri]
-      return [cache_entry[:body], nil] if cache_entry && cache_entry.fetch(:expires) > Time.now
+      # Return file from cache if not expired.
+      # CRL entries are kept in the backend for CRL_CACHE_RETENTION (much longer
+      # than CRL_CACHE_DURATION) so the cached body + caching headers survive past
+      # the freshness window and can be revalidated cheaply with a conditional
+      # request (304). We track our own freshness window with the :expires field.
+      cache_key = "#{CACHE_NAMESPACE}/crl/#{uri}"
+      cache_entry = cache.read(cache_key)
+      return [cache_entry[:body], nil] if cache_entry && cache_entry[:expires] > Time.now
 
       @logger&.debug { "SSLTest   + CRL: fetch URI #{uri}" }
       path = uri.path == "" ? "/" : uri.path
@@ -67,9 +78,9 @@ module SSLTest
 
       req = Net::HTTP::Get.new(path)
       # Include conditional caching headers from cache to save bandwidth if list didn't change (304)
-      if etag = cache_entry&.fetch(:etag)
+      if etag = cache_entry&.[](:etag)
         req["If-None-Match"] = etag
-      elsif last_mod = cache_entry&.fetch(:last_mod)
+      elsif last_mod = cache_entry&.[](:last_mod)
         req["If-Modified-Since"] = last_mod
       end
       http_response = http.request(req)
@@ -77,19 +88,19 @@ module SSLTest
       when Net::HTTPNotModified
         # No changes, bump cache expiration time and return cached body
         @logger&.debug { "SSLTest   + CRL: 304 Not Modified" }
-        @crl_response_cache[uri][:expires] = Time.now + CRL_CACHE_DURATION
+        cache.write(cache_key, cache_entry.merge(expires: Time.now + CRL_CACHE_DURATION), expires_in: CRL_CACHE_RETENTION)
         [cache_entry[:body], nil]
       when Net::HTTPSuccess
         # Success, update (or add to) cache and return frech body
         @logger&.debug { "SSLTest   + CRL: 200 OK (#{http_response.body.bytesize} bytes)" }
         @logger&.warn { "SSLTest   + CRL: Warning: massive file size" } if http_response.body.bytesize > 1024**2 # 1MB
         @logger&.warn { "SSLTest   + CRL: Warning: no caching headers on #{uri}" } unless http_response["Etag"] or http_response["Last-Modified"]
-        @crl_response_cache[uri] = {
+        cache.write(cache_key, {
           body: http_response.body,
           expires: Time.now + CRL_CACHE_DURATION,
           etag: http_response["Etag"],
           last_mod: http_response["Last-Modified"]
-        }
+        }, expires_in: CRL_CACHE_RETENTION)
         [http_response.body, nil]
       when Net::HTTPRedirection
         follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)

data/lib/ssl-test/memory_store.rb

@@ -0,0 +1,81 @@
+module SSLTest
+  # A tiny in-process cache store used as the default backend. It mirrors the
+  # small subset of the ActiveSupport::Cache / Rails.cache API that SSLTest relies
+  # on (read/write/delete) so they're interchangeable (assign Rails.cache via
+  # SSLTest.cache= to share/compress across processes). Access is guarded by a
+  # Mutex because SSLTest is typically used from threaded servers (e.g. Puma).
+  #
+  # Unlike a shared/compressed backend (memcache via Dalli), this store is
+  # per-process, uncompressed and unbounded, so be careful about memory usage if
+  # you validate millions of certificates in a row (the OCSP cache is keyed by
+  # certificate serial). For those workloads, configure SSLTest.cache to a shared
+  # store instead.
+  class MemoryStore
+    def initialize
+      @data = {}
+      @mutex = Mutex.new
+    end
+
+    def read(key)
+      @mutex.synchronize do
+        entry = @data[key]
+        next nil unless entry
+        if entry[:expires_at] && entry[:expires_at] <= Time.now
+          @data.delete(key)
+          next nil
+        end
+        entry[:value]
+      end
+    end
+
+    def write(key, value, expires_in: nil)
+      @mutex.synchronize do
+        @data[key] = { value: value, expires_at: expires_in && Time.now + expires_in }
+      end
+      value
+    end
+
+    def delete(key)
+      @mutex.synchronize { @data.delete(key) }
+    end
+
+    def clear
+      @mutex.synchronize { @data.clear }
+    end
+
+    # Yields [key, value] for every entry that hasn't expired.
+    def each
+      return enum_for(:each) unless block_given?
+      now = Time.now
+      @mutex.synchronize { @data.dup }.each do |key, entry|
+        next if entry[:expires_at] && entry[:expires_at] <= now
+        yield key, entry[:value]
+      end
+    end
+
+    # Returns a breakdown of the cached SSLTest entries (CRL lists and OCSP
+    # responses/errors) with approximate byte sizes, mainly useful for monitoring
+    # memory usage. Specific to ssl-test's key namespace.
+    def size
+      crl_lists = ocsp_responses = ocsp_errors = 0
+      crl_bytes = ocsp_bytes = 0
+      each do |key, value|
+        case key
+        when %r{\A#{CACHE_NAMESPACE}/crl/}
+          crl_lists += 1
+          crl_bytes += ObjectSize.size(value)
+        when %r{\A#{CACHE_NAMESPACE}/ocsp-error/}
+          ocsp_errors += 1
+          ocsp_bytes += ObjectSize.size(value)
+        when %r{\A#{CACHE_NAMESPACE}/ocsp/}
+          ocsp_responses += 1
+          ocsp_bytes += ObjectSize.size(value)
+        end
+      end
+      {
+        crl: { lists: crl_lists, bytes: crl_bytes },
+        ocsp: { responses: ocsp_responses, errors: ocsp_errors, bytes: ocsp_bytes }
+      }
+    end
+  end
+end

data/lib/ssl-test/ocsp.rb

@@ -5,15 +5,18 @@ module SSLTest
     private
 
     def test_ocsp_revocation cert, issuer:, chain:, **options
-      @ocsp_response_cache ||= {}
-      @ocsp_request_error_cache ||= {}
-
       unicity_key = "#{cert.issuer}/#{cert.serial}"
+      error_cache_key = "#{CACHE_NAMESPACE}/ocsp-error/#{unicity_key}"
+      response_cache_key = "#{CACHE_NAMESPACE}/ocsp/#{unicity_key}"
 
-      current_request_error_cache = @ocsp_request_error_cache[unicity_key]
-      return current_request_error_cache[:error] if current_request_error_cache && Time.now <= current_request_error_cache[:expires]
+      # Expiry is handled by the cache backend (expires_in), so a cached value is
+      # always still valid: a present error means we recently failed, a present
+      # response means it hasn't reached its next_update yet.
+      cached_error = cache.read(error_cache_key)
+      return cached_error if cached_error
 
-      if @ocsp_response_cache[unicity_key].nil? || @ocsp_response_cache[unicity_key][:next_update] <= Time.now
+      ocsp_response = cache.read(response_cache_key)
+      if ocsp_response.nil?
         authority_info_access = cert.extensions.find do |extension|
           extension.oid == "authorityInfoAccess"
         end
@@ -57,11 +60,13 @@ module SSLTest
 
         return ocsp_soft_fail_return("Serial check failed (URI: #{ocsp_uri})", unicity_key) unless response_certificate_id.serial == certificate_id.serial
 
-        @ocsp_response_cache[unicity_key] = { status: status, reason: reason, revocation_time: revocation_time, next_update: next_update }
+        ocsp_response = { status: status, reason: reason, revocation_time: revocation_time }
+        # Cache until the response's next_update. If it's already past (or
+        # missing), skip caching and just use the fresh result for this call.
+        ttl = next_update && next_update - Time.now
+        cache.write(response_cache_key, ocsp_response, expires_in: ttl) if ttl && ttl > 0
       end
 
-      ocsp_response = @ocsp_response_cache[unicity_key]
-
       return [true, revocation_reason_to_string(ocsp_response[:reason]), ocsp_response[:revocation_time]] if ocsp_response[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
       :ocsp_ok
     end
@@ -135,7 +140,7 @@ module SSLTest
 
     def ocsp_soft_fail_return(reason, unicity_key = nil)
        error = [false, reason, nil]
-       @ocsp_request_error_cache[unicity_key] = { error: error, expires: Time.now + ERROR_CACHE_DURATION } if unicity_key
+       cache.write("#{CACHE_NAMESPACE}/ocsp-error/#{unicity_key}", error, expires_in: ERROR_CACHE_DURATION) if unicity_key
        error
     end
   end

data/lib/ssl-test.rb

@@ -3,6 +3,7 @@ require "net/https"
 require "openssl"
 require "uri"
 require "ssl-test/object_size"
+require "ssl-test/memory_store"
 require "ssl-test/ocsp"
 require "ssl-test/crl"
 
@@ -10,7 +11,11 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"1.6.0"
+  VERSION = -"2.0.0"
+
+  # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
+  # cache (e.g. Rails.cache).
+  CACHE_NAMESPACE = -"ssl-test"
 
   class << self
     def test_url url, open_timeout: 5, read_timeout: 5, proxy_host: nil, proxy_port: nil, redirection_limit: 5
@@ -79,24 +84,30 @@ module SSLTest
       end
     end
 
+    # The cache backend used to store CRL and OCSP responses. Defaults to an
+    # in-process MemoryStore. To share the cache across processes (and get
+    # compression), assign Rails.cache (or any object responding to the
+    # Rails.cache-style API: read/write/delete), e.g. `SSLTest.cache = Rails.cache`.
+    def cache
+      @cache ||= MemoryStore.new
+    end
+
+    def cache= store
+      @cache = store
+    end
+
+    # Removed in 2.0: introspection now lives on the cache store. With the
+    # built-in MemoryStore use SSLTest.cache.size; other backends (e.g. memcache)
+    # can't be enumerated.
     def cache_size
-      {
-        crl: {
-          lists: @crl_response_cache&.size || 0,
-          bytes: ObjectSize.size(@crl_response_cache)
-        },
-        ocsp: {
-          responses: @ocsp_response_cache&.size || 0,
-          errors: @ocsp_request_error_cache&.size || 0,
-          bytes: ObjectSize.size(@ocsp_response_cache) + ObjectSize.size(@ocsp_request_error_cache)
-        }
-      }
+      raise NoMethodError, "SSLTest.cache_size was removed in 2.0; use SSLTest.cache.size instead (available on the built-in SSLTest::MemoryStore)."
     end
 
+    # Removed in 2.0: clearing now lives on the cache store. With the built-in
+    # MemoryStore use SSLTest.cache.clear (note: calling clear on a shared backend
+    # like Rails.cache would wipe unrelated entries).
     def flush_cache
-      @crl_response_cache = {}
-      @ocsp_response_cache = {}
-      @ocsp_request_error_cache = {}
+      raise NoMethodError, "SSLTest.flush_cache was removed in 2.0; use SSLTest.cache.clear instead."
     end
 
     def logger= logger

data/spec/cache_backends_spec.rb

@@ -0,0 +1,103 @@
+require "ssl-test"
+require "active_support"
+require "active_support/cache"
+require "tmpdir"
+
+# Verifies the cache backends people are likely to plug into SSLTest.cache (the
+# classic Rails/ActiveSupport stores) satisfy the read / write / expiration
+# contract SSLTest relies on, including (de)serialization of the value shapes it
+# stores: Hashes containing Strings (incl. binary CRL bodies), Times, Integers
+# and nils, plus Arrays (OCSP errors).
+#
+# Stores backed by an external server (MemCacheStore, RedisCacheStore) or an
+# extra gem are skipped when unavailable, so the suite stays green locally; CI
+# provides the servers (see .github/workflows/ruby.yml) so they actually run.
+describe "ActiveSupport cache backend compatibility" do
+  # Representative of what SSLTest caches: a CRL entry (binary body + Time) and
+  # an OCSP error entry (an Array). Fixed Time so serialization round-trips are
+  # deterministic.
+  let(:crl_entry) do
+    { body: ("\x30\x82\x01\x02".b * 50), expires: Time.utc(2030, 1, 1, 12), etag: 'W/"abc123"', last_mod: nil }
+  end
+  let(:ocsp_error) { [false, "Request failed (URI: http://ocsp.example.com)", nil] }
+
+  # Stores that actually persist values (NullStore intentionally doesn't).
+  CACHING_STORES = %w[MemoryStore FileStore MemCacheStore RedisCacheStore]
+
+  def build_store(name)
+    case name
+    when "MemoryStore"
+      ActiveSupport::Cache::MemoryStore.new
+    when "FileStore"
+      ActiveSupport::Cache::FileStore.new(Dir.mktmpdir("ssl-test-cache"))
+    when "NullStore"
+      ActiveSupport::Cache::NullStore.new
+    when "MemCacheStore"
+      require "dalli"
+      ActiveSupport::Cache::MemCacheStore.new(ENV.fetch("MEMCACHE_SERVERS", "127.0.0.1:11211"))
+    when "RedisCacheStore"
+      require "redis"
+      ActiveSupport::Cache::RedisCacheStore.new(url: ENV.fetch("REDIS_URL", "redis://127.0.0.1:6379/15"))
+    end
+  end
+
+  around do |example|
+    previous = SSLTest.cache
+    example.run
+  ensure
+    SSLTest.cache = previous
+  end
+
+  (CACHING_STORES + %w[NullStore]).each do |name|
+    context name do
+      before do
+        begin
+          SSLTest.cache = build_store(name)
+        rescue LoadError => e
+          skip "#{name} unavailable: #{e.message}"
+        end
+
+        # For server-backed stores, ActiveSupport silently treats a missing
+        # server as a cache miss; probe so we skip (rather than fail) when the
+        # server isn't running.
+        if CACHING_STORES.include?(name)
+          SSLTest.cache.write("ssl-test/probe", "ok", expires_in: 60)
+          skip "#{name} server not reachable" unless SSLTest.cache.read("ssl-test/probe") == "ok"
+        end
+      end
+
+      if name == "NullStore"
+        it "acts as a no-op (the gem still works, just without caching)" do
+          SSLTest.cache.write("ssl-test/crl/x", crl_entry, expires_in: nil)
+          expect(SSLTest.cache.read("ssl-test/crl/x")).to be_nil
+        end
+      else
+        it "round-trips a CRL entry (binary body + Time serialization)" do
+          SSLTest.cache.write("ssl-test/crl/x", crl_entry, expires_in: 100 * 3600)
+          expect(SSLTest.cache.read("ssl-test/crl/x")).to eq(crl_entry)
+        end
+
+        it "round-trips an OCSP error entry (Array serialization)" do
+          SSLTest.cache.write("ssl-test/ocsp-error/y", ocsp_error, expires_in: 300)
+          expect(SSLTest.cache.read("ssl-test/ocsp-error/y")).to eq(ocsp_error)
+        end
+
+        it "returns nil for a missing key" do
+          expect(SSLTest.cache.read("ssl-test/ocsp/missing")).to be_nil
+        end
+
+        it "persists entries written with no expiry (expires_in: nil)" do
+          SSLTest.cache.write("ssl-test/crl/persist", crl_entry, expires_in: nil)
+          expect(SSLTest.cache.read("ssl-test/crl/persist")).to eq(crl_entry)
+        end
+
+        it "honors expires_in" do
+          SSLTest.cache.write("ssl-test/ocsp/z", { status: 0 }, expires_in: 0.1)
+          expect(SSLTest.cache.read("ssl-test/ocsp/z")).to eq({ status: 0 })
+          sleep 0.2
+          expect(SSLTest.cache.read("ssl-test/ocsp/z")).to be_nil
+        end
+      end
+    end
+  end
+end

data/spec/memory_store_spec.rb

@@ -0,0 +1,79 @@
+require "ssl-test"
+
+describe SSLTest::MemoryStore do
+  subject(:store) { described_class.new }
+
+  it "round-trips written values" do
+    store.write("k", "v")
+    expect(store.read("k")).to eq("v")
+  end
+
+  it "returns nil for missing keys" do
+    expect(store.read("missing")).to be_nil
+  end
+
+  it "expires entries after expires_in" do
+    store.write("k", "v", expires_in: -1) # already expired
+    expect(store.read("k")).to be_nil
+  end
+
+  it "keeps entries with no expiry" do
+    store.write("k", "v", expires_in: nil)
+    expect(store.read("k")).to eq("v")
+  end
+
+  it "deletes and clears entries" do
+    store.write("a", 1)
+    store.write("b", 2)
+    store.delete("a")
+    expect(store.read("a")).to be_nil
+    expect(store.read("b")).to eq(2)
+    store.clear
+    expect(store.read("b")).to be_nil
+  end
+
+  it "iterates non-expired entries with #each" do
+    store.write("live", 1)
+    store.write("dead", 2, expires_in: -1)
+    expect(store.each.to_a).to eq([["live", 1]])
+  end
+
+  it "#size reports a CRL/OCSP breakdown" do
+    store.write("ssl-test/crl/http://example.com/x.crl", "body")
+    store.write("ssl-test/ocsp/issuer/1", { status: 0 })
+    store.write("ssl-test/ocsp-error/issuer/2", [false, "err", nil])
+    store.write("unrelated/key", "ignored")
+    expect(store.size).to match({
+      crl:  { lists: 1, bytes: be > 0 },
+      ocsp: { responses: 1, errors: 1, bytes: be > 0 }
+    })
+  end
+end
+
+# #size as reported through the default store after real CRL/OCSP fetches.
+describe "SSLTest.cache.size" do
+  before { SSLTest.cache.clear }
+
+  it "returns 0 by default" do
+    expect(SSLTest.cache.size).to eq({
+      crl:  { bytes: 0,  lists: 0 },
+      ocsp: { bytes: 0, errors: 0, responses: 0 }
+    })
+  end
+
+  it "returns CRL cache size properly" do
+    SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.1k
+    SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl")) # 26k
+    expect(SSLTest.cache.size[:crl][:lists]).to eq(2)
+    expect(SSLTest.cache.size[:crl][:bytes]).to be > 2000
+  end
+
+  it "returns OCSP cache size properly" do
+    SSLTest.test("https://github.com")
+    expect(SSLTest.cache.size[:ocsp][:responses]).to eq(1)
+    expect(SSLTest.cache.size[:ocsp][:errors]).to eq(0)
+    expect(SSLTest.cache.size[:ocsp][:bytes]).to be > 0
+    expect(SSLTest.cache.size[:crl][:lists]).to eq(1)
+    expect(SSLTest.cache.size[:crl][:bytes]).to be > 100
+  end
+end

data/spec/ssl-test_spec.rb

@@ -15,12 +15,11 @@ RSpec.configure do |config|
   # one, and examples tagged `:retry` are re-run a few times (via rspec-retry) so
   # transient network blips don't fail the suite.
   config.verbose_retry = true
-  config.display_try_failure_messages = true
   config.default_sleep_interval = 1
 end
 
 describe SSLTest do
-  before { SSLTest.flush_cache }
+  before { SSLTest.cache.clear }
 
   let(:proxy_thread) { nil }
 
@@ -186,7 +185,7 @@ describe SSLTest do
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
       # make sure both were used
-      expect(SSLTest.cache_size).to match({
+      expect(SSLTest.cache.size).to match({
         crl:  hash_including(lists: 1),
         ocsp: hash_including(responses: 1, errors: 0)
       })
@@ -237,35 +236,8 @@ describe SSLTest do
     end
   end
 
-  describe '.cache_size' do
-    before { SSLTest.flush_cache }
-
-    it "returns 0 by default" do
-      expect(SSLTest.cache_size).to eq({
-        crl:  { bytes: 0,  lists: 0 },
-        ocsp: { bytes: 0, errors: 0, responses: 0 }
-      })
-    end
-
-    it "returns CRL cache size properly" do
-      SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.1k
-      SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl")) # 26k
-      expect(SSLTest.cache_size[:crl][:lists]).to eq(2)
-      expect(SSLTest.cache_size[:crl][:bytes]).to be > 2000
-    end
-
-    it "returns OCSP cache size properly" do
-      SSLTest.test("https://github.com")
-      expect(SSLTest.cache_size[:ocsp][:responses]).to eq(1)
-      expect(SSLTest.cache_size[:ocsp][:errors]).to eq(0)
-      expect(SSLTest.cache_size[:ocsp][:bytes]).to be > 150
-      expect(SSLTest.cache_size[:crl][:lists]).to eq(1)
-      expect(SSLTest.cache_size[:crl][:bytes]).to be > 500
-    end
-  end
-
   describe '.follow_crl_redirects' do
-    before { SSLTest.flush_cache }
+    before { SSLTest.cache.clear }
     # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
     it "fetch CRL list and updates cache" do
       uri = URI("http://crl.certigna.fr/certigna.crl")
@@ -274,11 +246,11 @@ describe SSLTest do
       expect(error).to be_nil
 
       # Check cache status
-      cache = SSLTest.instance_variable_get('@crl_response_cache')
-      expect(cache.size).to equal 1
-      expect(cache.keys).to match_array [uri]
-      expect(cache[uri].keys).to match_array [:body, :expires, :etag, :last_mod]
-      expect(cache[uri][:expires]).to be > (Time.now + 3590)
+      cache_key = "ssl-test/crl/#{uri}"
+      entry = SSLTest.cache.read(cache_key)
+      expect(entry).not_to be_nil
+      expect(entry.keys).to match_array [:body, :expires, :etag, :last_mod]
+      expect(entry[:expires]).to be > (Time.now + 3590)
 
       # Make sure we return value from cache
       body2, error2 = nil, nil
@@ -287,7 +259,7 @@ describe SSLTest do
       expect(body2).to be(body) # using cache
 
       # Make sure we return cached value in case of 304
-      cache[uri][:expires] = Time.now # cache is now expired
+      SSLTest.cache.write(cache_key, entry.merge(expires: Time.now), expires_in: nil) # cache is now expired
       body2, error2 = nil, nil
       time = Benchmark.realtime { body2, error2 = SSLTest.send(:follow_crl_redirects, uri) }
       expect(time).to be > 0.001 # a request is made
@@ -295,6 +267,33 @@ describe SSLTest do
     end
   end
 
+  describe '.cache' do
+    # Restore the default in-process store after tests that swap the backend so
+    # global state doesn't leak between examples.
+    after { SSLTest.cache = SSLTest::MemoryStore.new }
+
+    it "defaults to an in-process MemoryStore" do
+      SSLTest.instance_variable_set(:@cache, nil) # reset memoized default
+      expect(SSLTest.cache).to be_a SSLTest::MemoryStore
+    end
+
+    it "uses the configured backend for CRL and OCSP" do
+      store = SSLTest::MemoryStore.new
+      SSLTest.cache = store
+      expect(store).to receive(:write).at_least(:once).and_call_original
+      expect(store).to receive(:read).at_least(:once).and_call_original
+      SSLTest.test("https://github.com")
+    end
+
+    it "cache_size (removed in 2.0) raises pointing to cache.size" do
+      expect { SSLTest.cache_size }.to raise_error(NoMethodError, /SSLTest\.cache\.size/)
+    end
+
+    it "flush_cache (removed in 2.0) raises pointing to cache.clear" do
+      expect { SSLTest.flush_cache }.to raise_error(NoMethodError, /SSLTest\.cache\.clear/)
+    end
+  end
+
   describe '.test_cert' do
     it "returns no error on valid SNI website" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
@@ -439,7 +438,7 @@ describe SSLTest do
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
       # make sure both were used
-      expect(SSLTest.cache_size).to match({
+      expect(SSLTest.cache.size).to match({
         crl:  hash_including(lists: 1),
         ocsp: hash_including(responses: 1, errors: 0)
       })

data/ssl-test.gemspec

@@ -22,4 +22,10 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec"
   spec.add_development_dependency "rspec-retry"
   spec.add_development_dependency "webrick"
+  # Used to verify SSLTest.cache works with the classic Rails/ActiveSupport
+  # cache stores (MemoryStore, FileStore, NullStore, MemCacheStore via dalli,
+  # RedisCacheStore via redis).
+  spec.add_development_dependency "activesupport"
+  spec.add_development_dependency "dalli"
+  spec.add_development_dependency "redis"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-16 00:00:00.000000000 Z
+date: 2026-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -79,6 +79,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dalli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email:
 - jobs@adrienjarthon.com
 executables: []
@@ -94,8 +136,10 @@ files:
 - Rakefile
 - lib/ssl-test.rb
 - lib/ssl-test/crl.rb
+- lib/ssl-test/memory_store.rb
 - lib/ssl-test/object_size.rb
 - lib/ssl-test/ocsp.rb
+- spec/cache_backends_spec.rb
 - spec/fixtures/digicert_com_ca_bundle.pem
 - spec/fixtures/digicert_com_client.pem
 - spec/fixtures/expired_cert_ca_bundle.pem
@@ -116,6 +160,7 @@ files:
 - spec/fixtures/www_github_com_client.pem
 - spec/fixtures/www_mycs_com_ca_bundle.pem
 - spec/fixtures/www_mycs_com_client.pem
+- spec/memory_store_spec.rb
 - spec/ssl-test_spec.rb
 - ssl-test.gemspec
 homepage: https://github.com/jarthod/ssl-test
@@ -140,6 +185,7 @@ rubygems_version: 3.6.2
 specification_version: 4
 summary: Test website SSL certificate validity
 test_files:
+- spec/cache_backends_spec.rb
 - spec/fixtures/digicert_com_ca_bundle.pem
 - spec/fixtures/digicert_com_client.pem
 - spec/fixtures/expired_cert_ca_bundle.pem
@@ -160,4 +206,5 @@ test_files:
 - spec/fixtures/www_github_com_client.pem
 - spec/fixtures/www_mycs_com_ca_bundle.pem
 - spec/fixtures/www_mycs_com_client.pem
+- spec/memory_store_spec.rb
 - spec/ssl-test_spec.rb