ssl-test 2.0.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 886440c38c24dd0ad30e2fff8552fe89aa924010e8f9218032d030eceb29a422
-  data.tar.gz: b854a7f800c8aa3364ed78ebf29b4ec731e3904b7c33b682a39383a5096742d0
+  metadata.gz: 073a878a42dbba9b30e7c69ec4b435cd8f2c607e59a6b894099af73ea60526f8
+  data.tar.gz: 709b2f097b7d8a61922f2cfcee0cb6651046c57854dea0b3dc17c8367b7b856a
 SHA512:
-  metadata.gz: 895f1193c0924d93b0bc4c29dea5d9de8b38b047f25c83273d13146c3bffa0a201676e320d6f4a6f373f231f87fdf0fda7bbef5a8983e40d489c8179097ed8dc
-  data.tar.gz: c1d2d3cd0014d31e01456dd5f0d1e58a59e820bb77f8e15a2755a27421a107b63d6cc653f115a7e50f19b475f40b1961bbdccab3b92181f1a5f812f68a668604
+  metadata.gz: 150c1d97a77c0a37c71a180d7cd643f3a4264280f65261e2cb830b184fed00cb60458bf4d27ce1eb52225db506398d2e1480bf69d5a7d6ffc4ee7e5ad288a5b1
+  data.tar.gz: '08f66249c1b7d951b71283589d957b6bfe4451934ff155af255e4e31a5f77d0aa27bcd1dcc9cee1dcb0b1ddc450618d97c9a445c5067990009b14ad616933128'

data/.github/workflows/ruby.yml

@@ -3,6 +3,10 @@ on: [push]
 jobs:
   specs:
     runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['3.2', '3.3', '3.4']
     services:
       redis:
         image: redis
@@ -16,7 +20,7 @@ jobs:
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: '3.1'
+        ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
     - name: Run specs
       run: |

data/README.md

@@ -70,6 +70,13 @@ cert # => #<OpenSSL::X509::Certificate...>
 
 If the CRL is missing, invalid or unreachable the certificate revocation will be tested using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
 
+You can swap the order if you'd rather check OCSP first and only fall back to CRL on error (the default is CRL first, since 1.6, to reduce the revocation propagation delay):
+
+```ruby
+SSLTest.revocation_order = %i[ocsp crl]   # OCSP first, CRL fallback
+SSLTest.revocation_order = %i[crl ocsp]   # the default: CRL first, OCSP fallback
+```
+
 If both CRL and OCSP tests are impossible, the certificate will still be considered valid but with an error message:
 
 ```ruby
@@ -195,7 +202,8 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 See also github releases: https://github.com/jarthod/ssl-test/releases
 
-* 2.0.0 - 2026-06-16: Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
+* 2.0.1 - 2026-06-19: Speed up and shrink the memory use of CRL checks with a fast path that scans the raw CRL for the certificate's serial before parsing, avoiding instantiating the entire revocation list (>1M Ruby objects for busy CAs) when the cert isn't revoked. Send both `If-None-Match` and `If-Modified-Since` on CRL revalidation so CDN-backed CAs that don't honor their own ETag (e.g. DigiCert) still return a `304` instead of re-downloading the whole list.
+* 2.0.0 - 2026-06-16: Make the revocation check order configurable via `SSLTest.revocation_order` (`%i[crl ocsp]` by default, set `%i[ocsp crl]` to check OCSP first). Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
 * 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay
 * 1.5.0 - 2025-11-28: Add support for local certificates testing and HTTP proxies (#8), changed `#test` method into `#test_url` and `#test_cert` (`#test` remains as an alias for `#test_url` for backward-compatibility)
 * 1.4.1 - 2022-10-24: Add support for "tcps://" scheme

data/lib/ssl-test/crl.rb

@@ -47,11 +47,19 @@ module SSLTest
       response = OpenSSL::X509::CRL.new http_response
       return [false, "Signature verification failed (URI: #{crl_uri})", nil] unless response.verify(issuer.public_key)
 
+      # Fast path: scan the raw response for the cert's serial encoded as DER.
+      # In most case (not revoked) this lets us skip response.revoked, which
+      # instantiate the *entire* revocation list as Ruby objects (>1M objects for busy CAs)
+      serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
+      return :crl_ok unless response.to_der.include?(serial_der)
+
+      # The serial's bytes appear (a real hit, or a rare collision):
+      # confirm authoritatively and pull the reason/date. The costly revoked-list
+      # materialisation only happens here, i.e. for actually-revoked certs.
       revoked = response.revoked.find { |r| r.serial == cert.serial }
       if revoked
         reason = revoked.extensions.find {|e| e.oid == "CRLReason"}&.value
         return [true, reason || "Unknown reason", revoked.time]
-      else
       end
 
       :crl_ok
@@ -77,12 +85,13 @@ module SSLTest
       http.read_timeout = read_timeout
 
       req = Net::HTTP::Get.new(path)
-      # Include conditional caching headers from cache to save bandwidth if list didn't change (304)
-      if etag = cache_entry&.[](:etag)
-        req["If-None-Match"] = etag
-      elsif last_mod = cache_entry&.[](:last_mod)
-        req["If-Modified-Since"] = last_mod
-      end
+      # Include conditional caching headers from cache to save bandwidth if the
+      # list didn't change (304). Send both validators when present: some
+      # CDN-backed CAs (e.g. DigiCert) serve per-node ETags they won't honor via
+      # If-None-Match but will revalidate via If-Modified-Since, so sending only
+      # the ETag defeats the 304 and re-downloads the whole list every time.
+      req["If-None-Match"] = cache_entry[:etag] if cache_entry&.[](:etag)
+      req["If-Modified-Since"] = cache_entry[:last_mod] if cache_entry&.[](:last_mod)
       http_response = http.request(req)
       case http_response
       when Net::HTTPNotModified
@@ -93,7 +102,7 @@ module SSLTest
       when Net::HTTPSuccess
         # Success, update (or add to) cache and return frech body
         @logger&.debug { "SSLTest   + CRL: 200 OK (#{http_response.body.bytesize} bytes)" }
-        @logger&.warn { "SSLTest   + CRL: Warning: massive file size" } if http_response.body.bytesize > 1024**2 # 1MB
+        @logger&.warn { "SSLTest   + CRL: Warning: massive file size (#{http_response.body.bytesize} bytes)" } if http_response.body.bytesize > 1024**2 # 1MB
         @logger&.warn { "SSLTest   + CRL: Warning: no caching headers on #{uri}" } unless http_response["Etag"] or http_response["Last-Modified"]
         cache.write(cache_key, {
           body: http_response.body,

data/lib/ssl-test.rb

@@ -11,7 +11,7 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"2.0.0"
+  VERSION = -"2.0.1"
 
   # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
   # cache (e.g. Rails.cache).
@@ -114,6 +114,23 @@ module SSLTest
       @logger = logger
     end
 
+    # The order in which revocation check methods are tried for each certificate.
+    # The first method to return a conclusive answer (ok or revoked) wins; the
+    # next is only tried when the previous one errors out (missing endpoint,
+    # network error, etc.). Defaults to CRL first (since 1.6) to reduce the
+    # revocation propagation delay. Set to %i[ocsp crl] to check OCSP first.
+    def revocation_order
+      @revocation_order ||= %i[crl ocsp]
+    end
+
+    def revocation_order= order
+      order = Array(order).map { |m| m.to_sym }
+      unless order.sort == %i[crl ocsp]
+        raise ArgumentError, "SSLTest.revocation_order must be %i[crl ocsp] or %i[ocsp crl], got #{order.inspect}"
+      end
+      @revocation_order = order
+    end
+
     private
 
     def revocation_message(revoked, revocation_date, message)
@@ -147,26 +164,37 @@ module SSLTest
       chain[0..-2].each_with_index do |cert, i|
         @logger&.debug { "SSLTest + test_chain_revocation: #{cert_field_to_hash(cert.subject)['CN']}" }
 
-        # Try with CRL first
-        crl_result = test_crl_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + CRL: #{crl_result}" }
-        next if crl_result == :crl_ok # passed, go to next cert
-        return crl_result if crl_result[0] == true # revoked
-
-        # Otherwise it means there was an error so let's try with OCSP instead
-        ocsp_result = test_ocsp_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + OCSP: #{ocsp_result}" }
-        next if ocsp_result == :ocsp_ok # passed, go to next cert
-        return ocsp_result if ocsp_result[0] == true # revoked
+        # Try each revocation method in the configured order, falling back to the
+        # next one only when the current method errors out.
+        errors = {}
+        passed = false
+        revocation_order.each do |method|
+          result = test_revocation(method, cert, issuer: chain[i + 1], chain: chain, **options)
+          @logger&.debug { "SSLTest   + #{method.to_s.upcase}: #{result}" }
+          if result == :"#{method}_ok" # passed, go to next cert
+            passed = true
+            break
+          end
+          return result if result[0] == true # revoked
+          errors[method] = result[1] # errored, try the next method
+        end
+        next if passed
 
-        # If both method failed, return a soft fail with a combination of both error messages
-        return [false, "CRL: #{crl_result[1]}, OCSP: #{ocsp_result[1]}", nil]
+        # If all methods failed, return a soft fail with a combination of the error messages
+        return [false, errors.map { |method, message| "#{method.to_s.upcase}: #{message}" }.join(", "), nil]
       end
 
       # If all test passed, the certificate is not revoked
       [false, nil, nil]
     end
 
+    def test_revocation method, cert, **options
+      case method
+      when :crl  then test_crl_revocation(cert, **options)
+      when :ocsp then test_ocsp_revocation(cert, **options)
+      end
+    end
+
     def cert_field_to_hash field
       field.to_a.each.with_object({}) do |v, h|
         v = v.to_a

data/spec/memory_store_spec.rb

@@ -1,4 +1,5 @@
 require "ssl-test"
+require "rspec/retry" # the cache.size examples below hit live CRL/OCSP endpoints
 
 describe SSLTest::MemoryStore do
   subject(:store) { described_class.new }
@@ -51,7 +52,7 @@ describe SSLTest::MemoryStore do
 end
 
 # #size as reported through the default store after real CRL/OCSP fetches.
-describe "SSLTest.cache.size" do
+describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoints
   before { SSLTest.cache.clear }
 
   it "returns 0 by default" do

data/spec/ssl-test_spec.rb

@@ -12,8 +12,8 @@ RSpec.configure do |config|
   # The error/revocation examples below hit several public TLS test endpoints
   # (badssl.com, testserver.host, ssl.com) which intermittently reset connections
   # under load. They're spread across a few providers to avoid hammering a single
-  # one, and examples tagged `:retry` are re-run a few times (via rspec-retry) so
-  # transient network blips don't fail the suite.
+  # one, and the network-hitting describe blocks are tagged `retry: 5` (via
+  # rspec-retry) so transient network blips don't fail the suite.
   config.verbose_retry = true
   config.default_sleep_interval = 1
 end
@@ -26,7 +26,7 @@ describe SSLTest do
 
   after(:each) { proxy_thread&.kill }
 
-  describe '.test_url' do
+  describe '.test_url', retry: 5 do # examples hit live TLS/CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       valid, error, cert = SSLTest.test("https://www.mycs.com")
       expect(error).to be_nil
@@ -59,35 +59,35 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on self signed certificate", :retry => 5 do
+    it "returns error on self signed certificate" do
       valid, error, cert = SSLTest.test("https://self-signed.testserver.host/")
       expect(error).to eq ("error code 18: self-signed certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on incomplete chain", :retry => 5 do
+    it "returns error on incomplete chain" do
       valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
       expect(error).to eq ("error code 20: unable to get local issuer certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on untrusted root", :retry => 5 do
+    it "returns error on untrusted root" do
       valid, error, cert = SSLTest.test("https://untrusted-root.testserver.host/")
       expect(error).to eq ("error code 19: self-signed certificate in certificate chain")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on invalid host", :retry => 5 do
+    it "returns error on invalid host" do
       valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
       expect(error).to include('error code 62: hostname mismatch')
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on expired cert", :retry => 5 do
+    it "returns error on expired cert" do
       valid, error, cert = SSLTest.test("https://expired-rsa-dv.ssl.com/")
       expect(error).to eq ("error code 10: certificate has expired")
       expect(valid).to eq(false)
@@ -128,10 +128,12 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on revoked cert (CRL)", :retry => 5 do
+    it "returns error on revoked cert (CRL)" do
       # CRL is tried first and detects the revocation, so OCSP is never used
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
       expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      # On a serial byte-match we fall back to #revoked to extract the reason/date
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(:revoked).and_call_original
       valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
       expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)
@@ -161,6 +163,9 @@ describe SSLTest do
       # CRL is tried first and succeeds for both certs, so OCSP is never used
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
       expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      # Both certs are absent from their CRL, so the serial byte-search short-circuits
+      # and we never materialise the (potentially huge) revoked list.
+      expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:revoked)
       valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
       expect(error).to be_nil
       expect(valid).to eq(true)
@@ -236,7 +241,7 @@ describe SSLTest do
     end
   end
 
-  describe '.follow_crl_redirects' do
+  describe '.follow_crl_redirects', retry: 5 do # fetches a live CRL
     before { SSLTest.cache.clear }
     # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
     it "fetch CRL list and updates cache" do
@@ -267,7 +272,7 @@ describe SSLTest do
     end
   end
 
-  describe '.cache' do
+  describe '.cache', retry: 5 do # some examples hit live CRL/OCSP endpoints
     # Restore the default in-process store after tests that swap the backend so
     # global state doesn't leak between examples.
     after { SSLTest.cache = SSLTest::MemoryStore.new }
@@ -294,7 +299,7 @@ describe SSLTest do
     end
   end
 
-  describe '.test_cert' do
+  describe '.test_cert', retry: 5 do # revocation checks hit live CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_mycs_com_ca_bundle.pem')))
@@ -488,4 +493,51 @@ describe SSLTest do
       end
     end
   end
+
+  describe '.revocation_order' do # no network: dispatch logic is stubbed
+    after { SSLTest.revocation_order = %i[crl ocsp] } # reset to the default
+
+    let(:cert)   { OpenSSL::X509::Certificate.new }
+    let(:issuer) { OpenSSL::X509::Certificate.new }
+    let(:chain)  { [cert, issuer] }
+
+    it "defaults to CRL first" do
+      expect(SSLTest.revocation_order).to eq(%i[crl ocsp])
+    end
+
+    it "validates the value" do
+      expect { SSLTest.revocation_order = %i[crl] }.to raise_error(ArgumentError)
+      expect { SSLTest.revocation_order = %i[ocsp bogus] }.to raise_error(ArgumentError)
+    end
+
+    it "checks CRL first by default, falling back to OCSP on error" do
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
+      result = SSLTest.send(:test_chain_revocation, chain)
+      expect(result).to eq([false, nil, nil])
+    end
+
+    it "checks OCSP first when configured, falling back to CRL on error" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
+      result = SSLTest.send(:test_chain_revocation, chain)
+      expect(result).to eq([false, nil, nil])
+    end
+
+    it "does not try the second method when the first one passes" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      expect(SSLTest).to receive(:test_ocsp_revocation).and_return(:ocsp_ok)
+      expect(SSLTest).not_to receive(:test_crl_revocation)
+      expect(SSLTest.send(:test_chain_revocation, chain)).to eq([false, nil, nil])
+    end
+
+    it "combines error messages in the configured order when all methods fail" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      allow(SSLTest).to receive(:test_ocsp_revocation).and_return([false, "OCSP boom", nil])
+      allow(SSLTest).to receive(:test_crl_revocation).and_return([false, "CRL boom", nil])
+      _revoked, message, _date = SSLTest.send(:test_chain_revocation, chain)
+      expect(message).to eq("OCSP: OCSP boom, CRL: CRL boom")
+    end
+  end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-17 00:00:00.000000000 Z
+date: 2026-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler