ssl-test 1.6.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa4bf88f0998469b7b82910dcef9f53cc6a64827c5aba691591138b78d33877e
-  data.tar.gz: 1666b7fd1b40b3a611d04521041ad64a5a0c6536c3d2fafb3b412ce184c371d5
+  metadata.gz: 073a878a42dbba9b30e7c69ec4b435cd8f2c607e59a6b894099af73ea60526f8
+  data.tar.gz: 709b2f097b7d8a61922f2cfcee0cb6651046c57854dea0b3dc17c8367b7b856a
 SHA512:
-  metadata.gz: a40f9e0a498e0ede200cfd6382c24af3b1ab39163b4ac040b4817dff08dc7c320136b3e8516eb5a4fd4f443083da54cf5a822a5736a4795d93de8c7e2581e38b
-  data.tar.gz: c51a2d657031506b792960ccd3975521e8cfe5f9c5ffdfd06a7d48a6eacadef63811c4467acc34145d17022de8c3f92ac3a5ccf56316f4766b5ccbefe5fbc9a9
+  metadata.gz: 150c1d97a77c0a37c71a180d7cd643f3a4264280f65261e2cb830b184fed00cb60458bf4d27ce1eb52225db506398d2e1480bf69d5a7d6ffc4ee7e5ad288a5b1
+  data.tar.gz: '08f66249c1b7d951b71283589d957b6bfe4451934ff155af255e4e31a5f77d0aa27bcd1dcc9cee1dcb0b1ddc450618d97c9a445c5067990009b14ad616933128'

data/.github/workflows/ruby.yml

@@ -3,12 +3,24 @@ on: [push]
 jobs:
   specs:
     runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['3.2', '3.3', '3.4']
+    services:
+      redis:
+        image: redis
+        ports: ['6379:6379']
+        options: --health-cmd "redis-cli ping" --health-interval 10s --health-timeout 5s --health-retries 5
+      memcached:
+        image: memcached
+        ports: ['11211:11211']
     steps:
     - uses: actions/checkout@v2
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: '3.1'
+        ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
     - name: Run specs
       run: |

data/README.md

@@ -70,6 +70,13 @@ cert # => #<OpenSSL::X509::Certificate...>
 
 If the CRL is missing, invalid or unreachable the certificate revocation will be tested using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
 
+You can swap the order if you'd rather check OCSP first and only fall back to CRL on error (the default is CRL first, since 1.6, to reduce the revocation propagation delay):
+
+```ruby
+SSLTest.revocation_order = %i[ocsp crl]   # OCSP first, CRL fallback
+SSLTest.revocation_order = %i[crl ocsp]   # the default: CRL first, OCSP fallback
+```
+
 If both CRL and OCSP tests are impossible, the certificate will still be considered valid but with an error message:
 
 ```ruby
@@ -100,16 +107,42 @@ After that it fetches the [CRL](https://en.wikipedia.org/wiki/Certificate_revoca
 
 ### Caching
 
-OCSP and CRL responses are cached in memory, which makes subsequent testing faster and more robust (avoids network error and throttling) but be careful about memory usage if you try to validate millions of certificates in a row.
+OCSP and CRL responses are cached, which makes subsequent testing faster and more robust (avoids network error and throttling).
 
 About the caching duration:
 - OCSP responses are cached until their "next_update" indicated inside the repsonse
 - OCSP errors are cached for 5 minutes
 - CRL responses are cached for 1 hour
 
-CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change.
+CRL responses can be big so when they expires they are re-validated with the server using HTTP caching headers when available (`Etag` & `Last-Modified`) to avoid downloading the list again if it didn't change. The cached body is therefore kept in the backend for a longer retention period (~4 days, refreshed on each use) so it's still around to revalidate against; unused lists are dropped after that.
+
+#### Cache backend
 
-You can check the size of the cache with `SSLTest.cache_size`, which returns:
+The cache backend is configurable. By default SSLTest uses a simple in-process store (`SSLTest::MemoryStore`). To share the cache across processes and get compression, assign any object implementing the `Rails.cache`-style API (`read`, `write(key, value, expires_in:)`, `delete`):
+
+```ruby
+SSLTest.cache = Rails.cache          # shared + compressed (e.g. memcache via Dalli)
+SSLTest.cache = SSLTest::MemoryStore.new  # the default in-process store
+SSLTest.cache = MyCustomStore.new    # anything responding to read/write/delete
+```
+
+The default in-process store is per-process and unbounded, so be careful about memory usage if you try to validate millions of certificates in a row (the OCSP cache is keyed by certificate serial). Using a shared store like `Rails.cache` with memcache avoids this and shares the cache across processes.
+
+If you want a bounded/compressed in-process cache without pulling in `Rails.cache`, the API is intentionally compatible with `ActiveSupport::Cache::MemoryStore`, which you can drop in directly:
+
+```ruby
+require "active_support/cache"
+SSLTest.cache = ActiveSupport::Cache::MemoryStore.new(size: 64.megabytes, compress: true)
+```
+
+(It auto-prunes when it exceeds `size`, unlike the built-in store. Note the introspection helpers below are specific to `SSLTest::MemoryStore`.)
+
+> **Using memcached (Dalli)?** CRL lists can be large (commonly several MB, up to ~20MB for busy CAs). memcached rejects values over its max item size — 1MB by default — which Dalli surfaces as `Dalli::ValueOverMaxSize` (logged and skipped by `ActiveSupport::Cache::MemCacheStore`, so the test still passes but the list isn't cached and gets re-downloaded every time). To actually cache big CRLs, raise the limit on **both** sides to at least 64MB:
+>
+> - memcached server: start it with `-I 64m`
+> - Dalli client: `Dalli::Client.new(servers, value_max_bytes: 64 * 1024 * 1024)`, or via Rails: `config.cache_store = :mem_cache_store, servers, { value_max_bytes: 64.megabytes }`
+
+You can check the size of the **built-in** store with `SSLTest.cache.size`, which returns:
 
 ```ruby
 {
@@ -125,7 +158,9 @@ You can check the size of the cache with `SSLTest.cache_size`, which returns:
 }
 ```
 
-You can also flush the cache using `SSLTest.flush_cache` if you want (not recommended)
+You can also flush it using `SSLTest.cache.clear` if you want (not recommended).
+
+`size` is specific to the built-in `MemoryStore`; other backends won't respond to it. (The module-level `SSLTest.cache_size` and `SSLTest.flush_cache` from previous versions were **removed in 2.0** — use `SSLTest.cache.size` / `SSLTest.cache.clear` instead.)
 
 ### Logging
 
@@ -167,6 +202,8 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 See also github releases: https://github.com/jarthod/ssl-test/releases
 
+* 2.0.1 - 2026-06-19: Speed up and shrink the memory use of CRL checks with a fast path that scans the raw CRL for the certificate's serial before parsing, avoiding instantiating the entire revocation list (>1M Ruby objects for busy CAs) when the cert isn't revoked. Send both `If-None-Match` and `If-Modified-Since` on CRL revalidation so CDN-backed CAs that don't honor their own ETag (e.g. DigiCert) still return a `304` instead of re-downloading the whole list.
+* 2.0.0 - 2026-06-16: Make the revocation check order configurable via `SSLTest.revocation_order` (`%i[crl ocsp]` by default, set `%i[ocsp crl]` to check OCSP first). Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
 * 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay
 * 1.5.0 - 2025-11-28: Add support for local certificates testing and HTTP proxies (#8), changed `#test` method into `#test_url` and `#test_cert` (`#test` remains as an alias for `#test_url` for backward-compatibility)
 * 1.4.1 - 2022-10-24: Add support for "tcps://" scheme

data/lib/ssl-test/crl.rb

@@ -1,6 +1,13 @@
 module SSLTest
   module CRL
     CRL_CACHE_DURATION = 3600 # 1 hour
+    # How long a CRL entry is kept in the backend before being dropped if it's no
+    # longer used. This is much longer than CRL_CACHE_DURATION so the cached body
+    # and caching headers survive past the revalidation window (for cheap 304s),
+    # but bounded so unused lists don't pile up forever in a shared/long-lived
+    # backend (e.g. memcache). It's refreshed on every fetch (200/304), so
+    # actively-used entries never expire from this.
+    CRL_CACHE_RETENTION = 100 * CRL_CACHE_DURATION # ~4 days
 
     # A note about caching:
     # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
@@ -40,11 +47,19 @@ module SSLTest
       response = OpenSSL::X509::CRL.new http_response
       return [false, "Signature verification failed (URI: #{crl_uri})", nil] unless response.verify(issuer.public_key)
 
+      # Fast path: scan the raw response for the cert's serial encoded as DER.
+      # In most case (not revoked) this lets us skip response.revoked, which
+      # instantiate the *entire* revocation list as Ruby objects (>1M objects for busy CAs)
+      serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
+      return :crl_ok unless response.to_der.include?(serial_der)
+
+      # The serial's bytes appear (a real hit, or a rare collision):
+      # confirm authoritatively and pull the reason/date. The costly revoked-list
+      # materialisation only happens here, i.e. for actually-revoked certs.
       revoked = response.revoked.find { |r| r.serial == cert.serial }
       if revoked
         reason = revoked.extensions.find {|e| e.oid == "CRLReason"}&.value
         return [true, reason || "Unknown reason", revoked.time]
-      else
       end
 
       :crl_ok
@@ -54,10 +69,14 @@ module SSLTest
     def follow_crl_redirects(uri, open_timeout: 5, read_timeout: 5, redirection_limit: 5, proxy_host: nil, proxy_port: nil)
       return [nil, "Too many redirections (> #{redirection_limit})"] if redirection_limit == 0
 
-      # Return file from cache if not expired
-      @crl_response_cache ||= {}
-      cache_entry = @crl_response_cache[uri]
-      return [cache_entry[:body], nil] if cache_entry && cache_entry.fetch(:expires) > Time.now
+      # Return file from cache if not expired.
+      # CRL entries are kept in the backend for CRL_CACHE_RETENTION (much longer
+      # than CRL_CACHE_DURATION) so the cached body + caching headers survive past
+      # the freshness window and can be revalidated cheaply with a conditional
+      # request (304). We track our own freshness window with the :expires field.
+      cache_key = "#{CACHE_NAMESPACE}/crl/#{uri}"
+      cache_entry = cache.read(cache_key)
+      return [cache_entry[:body], nil] if cache_entry && cache_entry[:expires] > Time.now
 
       @logger&.debug { "SSLTest   + CRL: fetch URI #{uri}" }
       path = uri.path == "" ? "/" : uri.path
@@ -66,30 +85,31 @@ module SSLTest
       http.read_timeout = read_timeout
 
       req = Net::HTTP::Get.new(path)
-      # Include conditional caching headers from cache to save bandwidth if list didn't change (304)
-      if etag = cache_entry&.fetch(:etag)
-        req["If-None-Match"] = etag
-      elsif last_mod = cache_entry&.fetch(:last_mod)
-        req["If-Modified-Since"] = last_mod
-      end
+      # Include conditional caching headers from cache to save bandwidth if the
+      # list didn't change (304). Send both validators when present: some
+      # CDN-backed CAs (e.g. DigiCert) serve per-node ETags they won't honor via
+      # If-None-Match but will revalidate via If-Modified-Since, so sending only
+      # the ETag defeats the 304 and re-downloads the whole list every time.
+      req["If-None-Match"] = cache_entry[:etag] if cache_entry&.[](:etag)
+      req["If-Modified-Since"] = cache_entry[:last_mod] if cache_entry&.[](:last_mod)
       http_response = http.request(req)
       case http_response
       when Net::HTTPNotModified
         # No changes, bump cache expiration time and return cached body
         @logger&.debug { "SSLTest   + CRL: 304 Not Modified" }
-        @crl_response_cache[uri][:expires] = Time.now + CRL_CACHE_DURATION
+        cache.write(cache_key, cache_entry.merge(expires: Time.now + CRL_CACHE_DURATION), expires_in: CRL_CACHE_RETENTION)
         [cache_entry[:body], nil]
       when Net::HTTPSuccess
         # Success, update (or add to) cache and return frech body
         @logger&.debug { "SSLTest   + CRL: 200 OK (#{http_response.body.bytesize} bytes)" }
-        @logger&.warn { "SSLTest   + CRL: Warning: massive file size" } if http_response.body.bytesize > 1024**2 # 1MB
+        @logger&.warn { "SSLTest   + CRL: Warning: massive file size (#{http_response.body.bytesize} bytes)" } if http_response.body.bytesize > 1024**2 # 1MB
         @logger&.warn { "SSLTest   + CRL: Warning: no caching headers on #{uri}" } unless http_response["Etag"] or http_response["Last-Modified"]
-        @crl_response_cache[uri] = {
+        cache.write(cache_key, {
           body: http_response.body,
           expires: Time.now + CRL_CACHE_DURATION,
           etag: http_response["Etag"],
           last_mod: http_response["Last-Modified"]
-        }
+        }, expires_in: CRL_CACHE_RETENTION)
         [http_response.body, nil]
       when Net::HTTPRedirection
         follow_crl_redirects(URI(http_response["location"]), open_timeout: open_timeout, read_timeout: read_timeout, proxy_host: proxy_host, proxy_port: proxy_port, redirection_limit: redirection_limit - 1)

data/lib/ssl-test/memory_store.rb

@@ -0,0 +1,81 @@
+module SSLTest
+  # A tiny in-process cache store used as the default backend. It mirrors the
+  # small subset of the ActiveSupport::Cache / Rails.cache API that SSLTest relies
+  # on (read/write/delete) so they're interchangeable (assign Rails.cache via
+  # SSLTest.cache= to share/compress across processes). Access is guarded by a
+  # Mutex because SSLTest is typically used from threaded servers (e.g. Puma).
+  #
+  # Unlike a shared/compressed backend (memcache via Dalli), this store is
+  # per-process, uncompressed and unbounded, so be careful about memory usage if
+  # you validate millions of certificates in a row (the OCSP cache is keyed by
+  # certificate serial). For those workloads, configure SSLTest.cache to a shared
+  # store instead.
+  class MemoryStore
+    def initialize
+      @data = {}
+      @mutex = Mutex.new
+    end
+
+    def read(key)
+      @mutex.synchronize do
+        entry = @data[key]
+        next nil unless entry
+        if entry[:expires_at] && entry[:expires_at] <= Time.now
+          @data.delete(key)
+          next nil
+        end
+        entry[:value]
+      end
+    end
+
+    def write(key, value, expires_in: nil)
+      @mutex.synchronize do
+        @data[key] = { value: value, expires_at: expires_in && Time.now + expires_in }
+      end
+      value
+    end
+
+    def delete(key)
+      @mutex.synchronize { @data.delete(key) }
+    end
+
+    def clear
+      @mutex.synchronize { @data.clear }
+    end
+
+    # Yields [key, value] for every entry that hasn't expired.
+    def each
+      return enum_for(:each) unless block_given?
+      now = Time.now
+      @mutex.synchronize { @data.dup }.each do |key, entry|
+        next if entry[:expires_at] && entry[:expires_at] <= now
+        yield key, entry[:value]
+      end
+    end
+
+    # Returns a breakdown of the cached SSLTest entries (CRL lists and OCSP
+    # responses/errors) with approximate byte sizes, mainly useful for monitoring
+    # memory usage. Specific to ssl-test's key namespace.
+    def size
+      crl_lists = ocsp_responses = ocsp_errors = 0
+      crl_bytes = ocsp_bytes = 0
+      each do |key, value|
+        case key
+        when %r{\A#{CACHE_NAMESPACE}/crl/}
+          crl_lists += 1
+          crl_bytes += ObjectSize.size(value)
+        when %r{\A#{CACHE_NAMESPACE}/ocsp-error/}
+          ocsp_errors += 1
+          ocsp_bytes += ObjectSize.size(value)
+        when %r{\A#{CACHE_NAMESPACE}/ocsp/}
+          ocsp_responses += 1
+          ocsp_bytes += ObjectSize.size(value)
+        end
+      end
+      {
+        crl: { lists: crl_lists, bytes: crl_bytes },
+        ocsp: { responses: ocsp_responses, errors: ocsp_errors, bytes: ocsp_bytes }
+      }
+    end
+  end
+end

data/lib/ssl-test/ocsp.rb

@@ -5,15 +5,18 @@ module SSLTest
     private
 
     def test_ocsp_revocation cert, issuer:, chain:, **options
-      @ocsp_response_cache ||= {}
-      @ocsp_request_error_cache ||= {}
-
       unicity_key = "#{cert.issuer}/#{cert.serial}"
+      error_cache_key = "#{CACHE_NAMESPACE}/ocsp-error/#{unicity_key}"
+      response_cache_key = "#{CACHE_NAMESPACE}/ocsp/#{unicity_key}"
 
-      current_request_error_cache = @ocsp_request_error_cache[unicity_key]
-      return current_request_error_cache[:error] if current_request_error_cache && Time.now <= current_request_error_cache[:expires]
+      # Expiry is handled by the cache backend (expires_in), so a cached value is
+      # always still valid: a present error means we recently failed, a present
+      # response means it hasn't reached its next_update yet.
+      cached_error = cache.read(error_cache_key)
+      return cached_error if cached_error
 
-      if @ocsp_response_cache[unicity_key].nil? || @ocsp_response_cache[unicity_key][:next_update] <= Time.now
+      ocsp_response = cache.read(response_cache_key)
+      if ocsp_response.nil?
         authority_info_access = cert.extensions.find do |extension|
           extension.oid == "authorityInfoAccess"
         end
@@ -57,11 +60,13 @@ module SSLTest
 
         return ocsp_soft_fail_return("Serial check failed (URI: #{ocsp_uri})", unicity_key) unless response_certificate_id.serial == certificate_id.serial
 
-        @ocsp_response_cache[unicity_key] = { status: status, reason: reason, revocation_time: revocation_time, next_update: next_update }
+        ocsp_response = { status: status, reason: reason, revocation_time: revocation_time }
+        # Cache until the response's next_update. If it's already past (or
+        # missing), skip caching and just use the fresh result for this call.
+        ttl = next_update && next_update - Time.now
+        cache.write(response_cache_key, ocsp_response, expires_in: ttl) if ttl && ttl > 0
       end
 
-      ocsp_response = @ocsp_response_cache[unicity_key]
-
       return [true, revocation_reason_to_string(ocsp_response[:reason]), ocsp_response[:revocation_time]] if ocsp_response[:status] == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
       :ocsp_ok
     end
@@ -135,7 +140,7 @@ module SSLTest
 
     def ocsp_soft_fail_return(reason, unicity_key = nil)
        error = [false, reason, nil]
-       @ocsp_request_error_cache[unicity_key] = { error: error, expires: Time.now + ERROR_CACHE_DURATION } if unicity_key
+       cache.write("#{CACHE_NAMESPACE}/ocsp-error/#{unicity_key}", error, expires_in: ERROR_CACHE_DURATION) if unicity_key
        error
     end
   end

data/lib/ssl-test.rb

@@ -3,6 +3,7 @@ require "net/https"
 require "openssl"
 require "uri"
 require "ssl-test/object_size"
+require "ssl-test/memory_store"
 require "ssl-test/ocsp"
 require "ssl-test/crl"
 
@@ -10,7 +11,11 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"1.6.0"
+  VERSION = -"2.0.1"
+
+  # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
+  # cache (e.g. Rails.cache).
+  CACHE_NAMESPACE = -"ssl-test"
 
   class << self
     def test_url url, open_timeout: 5, read_timeout: 5, proxy_host: nil, proxy_port: nil, redirection_limit: 5
@@ -79,30 +84,53 @@ module SSLTest
       end
     end
 
+    # The cache backend used to store CRL and OCSP responses. Defaults to an
+    # in-process MemoryStore. To share the cache across processes (and get
+    # compression), assign Rails.cache (or any object responding to the
+    # Rails.cache-style API: read/write/delete), e.g. `SSLTest.cache = Rails.cache`.
+    def cache
+      @cache ||= MemoryStore.new
+    end
+
+    def cache= store
+      @cache = store
+    end
+
+    # Removed in 2.0: introspection now lives on the cache store. With the
+    # built-in MemoryStore use SSLTest.cache.size; other backends (e.g. memcache)
+    # can't be enumerated.
     def cache_size
-      {
-        crl: {
-          lists: @crl_response_cache&.size || 0,
-          bytes: ObjectSize.size(@crl_response_cache)
-        },
-        ocsp: {
-          responses: @ocsp_response_cache&.size || 0,
-          errors: @ocsp_request_error_cache&.size || 0,
-          bytes: ObjectSize.size(@ocsp_response_cache) + ObjectSize.size(@ocsp_request_error_cache)
-        }
-      }
+      raise NoMethodError, "SSLTest.cache_size was removed in 2.0; use SSLTest.cache.size instead (available on the built-in SSLTest::MemoryStore)."
     end
 
+    # Removed in 2.0: clearing now lives on the cache store. With the built-in
+    # MemoryStore use SSLTest.cache.clear (note: calling clear on a shared backend
+    # like Rails.cache would wipe unrelated entries).
     def flush_cache
-      @crl_response_cache = {}
-      @ocsp_response_cache = {}
-      @ocsp_request_error_cache = {}
+      raise NoMethodError, "SSLTest.flush_cache was removed in 2.0; use SSLTest.cache.clear instead."
     end
 
     def logger= logger
       @logger = logger
     end
 
+    # The order in which revocation check methods are tried for each certificate.
+    # The first method to return a conclusive answer (ok or revoked) wins; the
+    # next is only tried when the previous one errors out (missing endpoint,
+    # network error, etc.). Defaults to CRL first (since 1.6) to reduce the
+    # revocation propagation delay. Set to %i[ocsp crl] to check OCSP first.
+    def revocation_order
+      @revocation_order ||= %i[crl ocsp]
+    end
+
+    def revocation_order= order
+      order = Array(order).map { |m| m.to_sym }
+      unless order.sort == %i[crl ocsp]
+        raise ArgumentError, "SSLTest.revocation_order must be %i[crl ocsp] or %i[ocsp crl], got #{order.inspect}"
+      end
+      @revocation_order = order
+    end
+
     private
 
     def revocation_message(revoked, revocation_date, message)
@@ -136,26 +164,37 @@ module SSLTest
       chain[0..-2].each_with_index do |cert, i|
         @logger&.debug { "SSLTest + test_chain_revocation: #{cert_field_to_hash(cert.subject)['CN']}" }
 
-        # Try with CRL first
-        crl_result = test_crl_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + CRL: #{crl_result}" }
-        next if crl_result == :crl_ok # passed, go to next cert
-        return crl_result if crl_result[0] == true # revoked
-
-        # Otherwise it means there was an error so let's try with OCSP instead
-        ocsp_result = test_ocsp_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + OCSP: #{ocsp_result}" }
-        next if ocsp_result == :ocsp_ok # passed, go to next cert
-        return ocsp_result if ocsp_result[0] == true # revoked
+        # Try each revocation method in the configured order, falling back to the
+        # next one only when the current method errors out.
+        errors = {}
+        passed = false
+        revocation_order.each do |method|
+          result = test_revocation(method, cert, issuer: chain[i + 1], chain: chain, **options)
+          @logger&.debug { "SSLTest   + #{method.to_s.upcase}: #{result}" }
+          if result == :"#{method}_ok" # passed, go to next cert
+            passed = true
+            break
+          end
+          return result if result[0] == true # revoked
+          errors[method] = result[1] # errored, try the next method
+        end
+        next if passed
 
-        # If both method failed, return a soft fail with a combination of both error messages
-        return [false, "CRL: #{crl_result[1]}, OCSP: #{ocsp_result[1]}", nil]
+        # If all methods failed, return a soft fail with a combination of the error messages
+        return [false, errors.map { |method, message| "#{method.to_s.upcase}: #{message}" }.join(", "), nil]
       end
 
       # If all test passed, the certificate is not revoked
       [false, nil, nil]
     end
 
+    def test_revocation method, cert, **options
+      case method
+      when :crl  then test_crl_revocation(cert, **options)
+      when :ocsp then test_ocsp_revocation(cert, **options)
+      end
+    end
+
     def cert_field_to_hash field
       field.to_a.each.with_object({}) do |v, h|
         v = v.to_a

data/spec/cache_backends_spec.rb

@@ -0,0 +1,103 @@
+require "ssl-test"
+require "active_support"
+require "active_support/cache"
+require "tmpdir"
+
+# Verifies the cache backends people are likely to plug into SSLTest.cache (the
+# classic Rails/ActiveSupport stores) satisfy the read / write / expiration
+# contract SSLTest relies on, including (de)serialization of the value shapes it
+# stores: Hashes containing Strings (incl. binary CRL bodies), Times, Integers
+# and nils, plus Arrays (OCSP errors).
+#
+# Stores backed by an external server (MemCacheStore, RedisCacheStore) or an
+# extra gem are skipped when unavailable, so the suite stays green locally; CI
+# provides the servers (see .github/workflows/ruby.yml) so they actually run.
+describe "ActiveSupport cache backend compatibility" do
+  # Representative of what SSLTest caches: a CRL entry (binary body + Time) and
+  # an OCSP error entry (an Array). Fixed Time so serialization round-trips are
+  # deterministic.
+  let(:crl_entry) do
+    { body: ("\x30\x82\x01\x02".b * 50), expires: Time.utc(2030, 1, 1, 12), etag: 'W/"abc123"', last_mod: nil }
+  end
+  let(:ocsp_error) { [false, "Request failed (URI: http://ocsp.example.com)", nil] }
+
+  # Stores that actually persist values (NullStore intentionally doesn't).
+  CACHING_STORES = %w[MemoryStore FileStore MemCacheStore RedisCacheStore]
+
+  def build_store(name)
+    case name
+    when "MemoryStore"
+      ActiveSupport::Cache::MemoryStore.new
+    when "FileStore"
+      ActiveSupport::Cache::FileStore.new(Dir.mktmpdir("ssl-test-cache"))
+    when "NullStore"
+      ActiveSupport::Cache::NullStore.new
+    when "MemCacheStore"
+      require "dalli"
+      ActiveSupport::Cache::MemCacheStore.new(ENV.fetch("MEMCACHE_SERVERS", "127.0.0.1:11211"))
+    when "RedisCacheStore"
+      require "redis"
+      ActiveSupport::Cache::RedisCacheStore.new(url: ENV.fetch("REDIS_URL", "redis://127.0.0.1:6379/15"))
+    end
+  end
+
+  around do |example|
+    previous = SSLTest.cache
+    example.run
+  ensure
+    SSLTest.cache = previous
+  end
+
+  (CACHING_STORES + %w[NullStore]).each do |name|
+    context name do
+      before do
+        begin
+          SSLTest.cache = build_store(name)
+        rescue LoadError => e
+          skip "#{name} unavailable: #{e.message}"
+        end
+
+        # For server-backed stores, ActiveSupport silently treats a missing
+        # server as a cache miss; probe so we skip (rather than fail) when the
+        # server isn't running.
+        if CACHING_STORES.include?(name)
+          SSLTest.cache.write("ssl-test/probe", "ok", expires_in: 60)
+          skip "#{name} server not reachable" unless SSLTest.cache.read("ssl-test/probe") == "ok"
+        end
+      end
+
+      if name == "NullStore"
+        it "acts as a no-op (the gem still works, just without caching)" do
+          SSLTest.cache.write("ssl-test/crl/x", crl_entry, expires_in: nil)
+          expect(SSLTest.cache.read("ssl-test/crl/x")).to be_nil
+        end
+      else
+        it "round-trips a CRL entry (binary body + Time serialization)" do
+          SSLTest.cache.write("ssl-test/crl/x", crl_entry, expires_in: 100 * 3600)
+          expect(SSLTest.cache.read("ssl-test/crl/x")).to eq(crl_entry)
+        end
+
+        it "round-trips an OCSP error entry (Array serialization)" do
+          SSLTest.cache.write("ssl-test/ocsp-error/y", ocsp_error, expires_in: 300)
+          expect(SSLTest.cache.read("ssl-test/ocsp-error/y")).to eq(ocsp_error)
+        end
+
+        it "returns nil for a missing key" do
+          expect(SSLTest.cache.read("ssl-test/ocsp/missing")).to be_nil
+        end
+
+        it "persists entries written with no expiry (expires_in: nil)" do
+          SSLTest.cache.write("ssl-test/crl/persist", crl_entry, expires_in: nil)
+          expect(SSLTest.cache.read("ssl-test/crl/persist")).to eq(crl_entry)
+        end
+
+        it "honors expires_in" do
+          SSLTest.cache.write("ssl-test/ocsp/z", { status: 0 }, expires_in: 0.1)
+          expect(SSLTest.cache.read("ssl-test/ocsp/z")).to eq({ status: 0 })
+          sleep 0.2
+          expect(SSLTest.cache.read("ssl-test/ocsp/z")).to be_nil
+        end
+      end
+    end
+  end
+end

data/spec/memory_store_spec.rb

@@ -0,0 +1,80 @@
+require "ssl-test"
+require "rspec/retry" # the cache.size examples below hit live CRL/OCSP endpoints
+
+describe SSLTest::MemoryStore do
+  subject(:store) { described_class.new }
+
+  it "round-trips written values" do
+    store.write("k", "v")
+    expect(store.read("k")).to eq("v")
+  end
+
+  it "returns nil for missing keys" do
+    expect(store.read("missing")).to be_nil
+  end
+
+  it "expires entries after expires_in" do
+    store.write("k", "v", expires_in: -1) # already expired
+    expect(store.read("k")).to be_nil
+  end
+
+  it "keeps entries with no expiry" do
+    store.write("k", "v", expires_in: nil)
+    expect(store.read("k")).to eq("v")
+  end
+
+  it "deletes and clears entries" do
+    store.write("a", 1)
+    store.write("b", 2)
+    store.delete("a")
+    expect(store.read("a")).to be_nil
+    expect(store.read("b")).to eq(2)
+    store.clear
+    expect(store.read("b")).to be_nil
+  end
+
+  it "iterates non-expired entries with #each" do
+    store.write("live", 1)
+    store.write("dead", 2, expires_in: -1)
+    expect(store.each.to_a).to eq([["live", 1]])
+  end
+
+  it "#size reports a CRL/OCSP breakdown" do
+    store.write("ssl-test/crl/http://example.com/x.crl", "body")
+    store.write("ssl-test/ocsp/issuer/1", { status: 0 })
+    store.write("ssl-test/ocsp-error/issuer/2", [false, "err", nil])
+    store.write("unrelated/key", "ignored")
+    expect(store.size).to match({
+      crl:  { lists: 1, bytes: be > 0 },
+      ocsp: { responses: 1, errors: 1, bytes: be > 0 }
+    })
+  end
+end
+
+# #size as reported through the default store after real CRL/OCSP fetches.
+describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoints
+  before { SSLTest.cache.clear }
+
+  it "returns 0 by default" do
+    expect(SSLTest.cache.size).to eq({
+      crl:  { bytes: 0,  lists: 0 },
+      ocsp: { bytes: 0, errors: 0, responses: 0 }
+    })
+  end
+
+  it "returns CRL cache size properly" do
+    SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.1k
+    SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl")) # 26k
+    expect(SSLTest.cache.size[:crl][:lists]).to eq(2)
+    expect(SSLTest.cache.size[:crl][:bytes]).to be > 2000
+  end
+
+  it "returns OCSP cache size properly" do
+    SSLTest.test("https://github.com")
+    expect(SSLTest.cache.size[:ocsp][:responses]).to eq(1)
+    expect(SSLTest.cache.size[:ocsp][:errors]).to eq(0)
+    expect(SSLTest.cache.size[:ocsp][:bytes]).to be > 0
+    expect(SSLTest.cache.size[:crl][:lists]).to eq(1)
+    expect(SSLTest.cache.size[:crl][:bytes]).to be > 100
+  end
+end

data/spec/ssl-test_spec.rb

@@ -12,22 +12,21 @@ RSpec.configure do |config|
   # The error/revocation examples below hit several public TLS test endpoints
   # (badssl.com, testserver.host, ssl.com) which intermittently reset connections
   # under load. They're spread across a few providers to avoid hammering a single
-  # one, and examples tagged `:retry` are re-run a few times (via rspec-retry) so
-  # transient network blips don't fail the suite.
+  # one, and the network-hitting describe blocks are tagged `retry: 5` (via
+  # rspec-retry) so transient network blips don't fail the suite.
   config.verbose_retry = true
-  config.display_try_failure_messages = true
   config.default_sleep_interval = 1
 end
 
 describe SSLTest do
-  before { SSLTest.flush_cache }
+  before { SSLTest.cache.clear }
 
   let(:proxy_thread) { nil }
 
 
   after(:each) { proxy_thread&.kill }
 
-  describe '.test_url' do
+  describe '.test_url', retry: 5 do # examples hit live TLS/CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       valid, error, cert = SSLTest.test("https://www.mycs.com")
       expect(error).to be_nil
@@ -60,35 +59,35 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on self signed certificate", :retry => 5 do
+    it "returns error on self signed certificate" do
       valid, error, cert = SSLTest.test("https://self-signed.testserver.host/")
       expect(error).to eq ("error code 18: self-signed certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on incomplete chain", :retry => 5 do
+    it "returns error on incomplete chain" do
       valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
       expect(error).to eq ("error code 20: unable to get local issuer certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on untrusted root", :retry => 5 do
+    it "returns error on untrusted root" do
       valid, error, cert = SSLTest.test("https://untrusted-root.testserver.host/")
       expect(error).to eq ("error code 19: self-signed certificate in certificate chain")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on invalid host", :retry => 5 do
+    it "returns error on invalid host" do
       valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
       expect(error).to include('error code 62: hostname mismatch')
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on expired cert", :retry => 5 do
+    it "returns error on expired cert" do
       valid, error, cert = SSLTest.test("https://expired-rsa-dv.ssl.com/")
       expect(error).to eq ("error code 10: certificate has expired")
       expect(valid).to eq(false)
@@ -129,10 +128,12 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on revoked cert (CRL)", :retry => 5 do
+    it "returns error on revoked cert (CRL)" do
       # CRL is tried first and detects the revocation, so OCSP is never used
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
       expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      # On a serial byte-match we fall back to #revoked to extract the reason/date
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(:revoked).and_call_original
       valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
       expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)
@@ -162,6 +163,9 @@ describe SSLTest do
       # CRL is tried first and succeeds for both certs, so OCSP is never used
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
       expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      # Both certs are absent from their CRL, so the serial byte-search short-circuits
+      # and we never materialise the (potentially huge) revoked list.
+      expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:revoked)
       valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
       expect(error).to be_nil
       expect(valid).to eq(true)
@@ -186,7 +190,7 @@ describe SSLTest do
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
       # make sure both were used
-      expect(SSLTest.cache_size).to match({
+      expect(SSLTest.cache.size).to match({
         crl:  hash_including(lists: 1),
         ocsp: hash_including(responses: 1, errors: 0)
       })
@@ -237,35 +241,8 @@ describe SSLTest do
     end
   end
 
-  describe '.cache_size' do
-    before { SSLTest.flush_cache }
-
-    it "returns 0 by default" do
-      expect(SSLTest.cache_size).to eq({
-        crl:  { bytes: 0,  lists: 0 },
-        ocsp: { bytes: 0, errors: 0, responses: 0 }
-      })
-    end
-
-    it "returns CRL cache size properly" do
-      SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.1k
-      SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl")) # 26k
-      expect(SSLTest.cache_size[:crl][:lists]).to eq(2)
-      expect(SSLTest.cache_size[:crl][:bytes]).to be > 2000
-    end
-
-    it "returns OCSP cache size properly" do
-      SSLTest.test("https://github.com")
-      expect(SSLTest.cache_size[:ocsp][:responses]).to eq(1)
-      expect(SSLTest.cache_size[:ocsp][:errors]).to eq(0)
-      expect(SSLTest.cache_size[:ocsp][:bytes]).to be > 150
-      expect(SSLTest.cache_size[:crl][:lists]).to eq(1)
-      expect(SSLTest.cache_size[:crl][:bytes]).to be > 500
-    end
-  end
-
-  describe '.follow_crl_redirects' do
-    before { SSLTest.flush_cache }
+  describe '.follow_crl_redirects', retry: 5 do # fetches a live CRL
+    before { SSLTest.cache.clear }
     # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
     it "fetch CRL list and updates cache" do
       uri = URI("http://crl.certigna.fr/certigna.crl")
@@ -274,11 +251,11 @@ describe SSLTest do
       expect(error).to be_nil
 
       # Check cache status
-      cache = SSLTest.instance_variable_get('@crl_response_cache')
-      expect(cache.size).to equal 1
-      expect(cache.keys).to match_array [uri]
-      expect(cache[uri].keys).to match_array [:body, :expires, :etag, :last_mod]
-      expect(cache[uri][:expires]).to be > (Time.now + 3590)
+      cache_key = "ssl-test/crl/#{uri}"
+      entry = SSLTest.cache.read(cache_key)
+      expect(entry).not_to be_nil
+      expect(entry.keys).to match_array [:body, :expires, :etag, :last_mod]
+      expect(entry[:expires]).to be > (Time.now + 3590)
 
       # Make sure we return value from cache
       body2, error2 = nil, nil
@@ -287,7 +264,7 @@ describe SSLTest do
       expect(body2).to be(body) # using cache
 
       # Make sure we return cached value in case of 304
-      cache[uri][:expires] = Time.now # cache is now expired
+      SSLTest.cache.write(cache_key, entry.merge(expires: Time.now), expires_in: nil) # cache is now expired
       body2, error2 = nil, nil
       time = Benchmark.realtime { body2, error2 = SSLTest.send(:follow_crl_redirects, uri) }
       expect(time).to be > 0.001 # a request is made
@@ -295,7 +272,34 @@ describe SSLTest do
     end
   end
 
-  describe '.test_cert' do
+  describe '.cache', retry: 5 do # some examples hit live CRL/OCSP endpoints
+    # Restore the default in-process store after tests that swap the backend so
+    # global state doesn't leak between examples.
+    after { SSLTest.cache = SSLTest::MemoryStore.new }
+
+    it "defaults to an in-process MemoryStore" do
+      SSLTest.instance_variable_set(:@cache, nil) # reset memoized default
+      expect(SSLTest.cache).to be_a SSLTest::MemoryStore
+    end
+
+    it "uses the configured backend for CRL and OCSP" do
+      store = SSLTest::MemoryStore.new
+      SSLTest.cache = store
+      expect(store).to receive(:write).at_least(:once).and_call_original
+      expect(store).to receive(:read).at_least(:once).and_call_original
+      SSLTest.test("https://github.com")
+    end
+
+    it "cache_size (removed in 2.0) raises pointing to cache.size" do
+      expect { SSLTest.cache_size }.to raise_error(NoMethodError, /SSLTest\.cache\.size/)
+    end
+
+    it "flush_cache (removed in 2.0) raises pointing to cache.clear" do
+      expect { SSLTest.flush_cache }.to raise_error(NoMethodError, /SSLTest\.cache\.clear/)
+    end
+  end
+
+  describe '.test_cert', retry: 5 do # revocation checks hit live CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_mycs_com_ca_bundle.pem')))
@@ -439,7 +443,7 @@ describe SSLTest do
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
       # make sure both were used
-      expect(SSLTest.cache_size).to match({
+      expect(SSLTest.cache.size).to match({
         crl:  hash_including(lists: 1),
         ocsp: hash_including(responses: 1, errors: 0)
       })
@@ -489,4 +493,51 @@ describe SSLTest do
       end
     end
   end
+
+  describe '.revocation_order' do # no network: dispatch logic is stubbed
+    after { SSLTest.revocation_order = %i[crl ocsp] } # reset to the default
+
+    let(:cert)   { OpenSSL::X509::Certificate.new }
+    let(:issuer) { OpenSSL::X509::Certificate.new }
+    let(:chain)  { [cert, issuer] }
+
+    it "defaults to CRL first" do
+      expect(SSLTest.revocation_order).to eq(%i[crl ocsp])
+    end
+
+    it "validates the value" do
+      expect { SSLTest.revocation_order = %i[crl] }.to raise_error(ArgumentError)
+      expect { SSLTest.revocation_order = %i[ocsp bogus] }.to raise_error(ArgumentError)
+    end
+
+    it "checks CRL first by default, falling back to OCSP on error" do
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
+      result = SSLTest.send(:test_chain_revocation, chain)
+      expect(result).to eq([false, nil, nil])
+    end
+
+    it "checks OCSP first when configured, falling back to CRL on error" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
+      result = SSLTest.send(:test_chain_revocation, chain)
+      expect(result).to eq([false, nil, nil])
+    end
+
+    it "does not try the second method when the first one passes" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      expect(SSLTest).to receive(:test_ocsp_revocation).and_return(:ocsp_ok)
+      expect(SSLTest).not_to receive(:test_crl_revocation)
+      expect(SSLTest.send(:test_chain_revocation, chain)).to eq([false, nil, nil])
+    end
+
+    it "combines error messages in the configured order when all methods fail" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      allow(SSLTest).to receive(:test_ocsp_revocation).and_return([false, "OCSP boom", nil])
+      allow(SSLTest).to receive(:test_crl_revocation).and_return([false, "CRL boom", nil])
+      _revoked, message, _date = SSLTest.send(:test_chain_revocation, chain)
+      expect(message).to eq("OCSP: OCSP boom, CRL: CRL boom")
+    end
+  end
 end

data/ssl-test.gemspec

@@ -22,4 +22,10 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rspec"
   spec.add_development_dependency "rspec-retry"
   spec.add_development_dependency "webrick"
+  # Used to verify SSLTest.cache works with the classic Rails/ActiveSupport
+  # cache stores (MemoryStore, FileStore, NullStore, MemCacheStore via dalli,
+  # RedisCacheStore via redis).
+  spec.add_development_dependency "activesupport"
+  spec.add_development_dependency "dalli"
+  spec.add_development_dependency "redis"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-16 00:00:00.000000000 Z
+date: 2026-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -79,6 +79,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dalli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 email:
 - jobs@adrienjarthon.com
 executables: []
@@ -94,8 +136,10 @@ files:
 - Rakefile
 - lib/ssl-test.rb
 - lib/ssl-test/crl.rb
+- lib/ssl-test/memory_store.rb
 - lib/ssl-test/object_size.rb
 - lib/ssl-test/ocsp.rb
+- spec/cache_backends_spec.rb
 - spec/fixtures/digicert_com_ca_bundle.pem
 - spec/fixtures/digicert_com_client.pem
 - spec/fixtures/expired_cert_ca_bundle.pem
@@ -116,6 +160,7 @@ files:
 - spec/fixtures/www_github_com_client.pem
 - spec/fixtures/www_mycs_com_ca_bundle.pem
 - spec/fixtures/www_mycs_com_client.pem
+- spec/memory_store_spec.rb
 - spec/ssl-test_spec.rb
 - ssl-test.gemspec
 homepage: https://github.com/jarthod/ssl-test
@@ -140,6 +185,7 @@ rubygems_version: 3.6.2
 specification_version: 4
 summary: Test website SSL certificate validity
 test_files:
+- spec/cache_backends_spec.rb
 - spec/fixtures/digicert_com_ca_bundle.pem
 - spec/fixtures/digicert_com_client.pem
 - spec/fixtures/expired_cert_ca_bundle.pem
@@ -160,4 +206,5 @@ test_files:
 - spec/fixtures/www_github_com_client.pem
 - spec/fixtures/www_mycs_com_ca_bundle.pem
 - spec/fixtures/www_mycs_com_client.pem
+- spec/memory_store_spec.rb
 - spec/ssl-test_spec.rb