ssl-test 2.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 886440c38c24dd0ad30e2fff8552fe89aa924010e8f9218032d030eceb29a422
-  data.tar.gz: b854a7f800c8aa3364ed78ebf29b4ec731e3904b7c33b682a39383a5096742d0
+  metadata.gz: 48563a079839f759ca0f765c768fa7280af962036d2e1e9acd81aaa2dd8967fb
+  data.tar.gz: 2a51edf744b6116222f52ea1b72b502805f2a2c78beab94620b408a8c7b05d07
 SHA512:
-  metadata.gz: 895f1193c0924d93b0bc4c29dea5d9de8b38b047f25c83273d13146c3bffa0a201676e320d6f4a6f373f231f87fdf0fda7bbef5a8983e40d489c8179097ed8dc
-  data.tar.gz: c1d2d3cd0014d31e01456dd5f0d1e58a59e820bb77f8e15a2755a27421a107b63d6cc653f115a7e50f19b475f40b1961bbdccab3b92181f1a5f812f68a668604
+  metadata.gz: bd2cb2d7de4d133df831932a4d8a44974fc49dd592765fa7669f9d272c1e169d8ea90c728109824dafc89d20a11d83da135f9a7852466781bc58890dcc3a322a
+  data.tar.gz: b96a5c2515c952f25ebe823c88d5daf2e8bcc60024d76a7ea715fc854b199bb4e1e06f4d3f787490a6f9bfb987eaba3f4be5692a063a74b4f55fa605e3e8c7e4

data/.github/workflows/ruby.yml

@@ -3,6 +3,10 @@ on: [push]
 jobs:
   specs:
     runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['3.2', '3.3', '3.4']
     services:
       redis:
         image: redis
@@ -16,7 +20,7 @@ jobs:
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: '3.1'
+        ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
     - name: Run specs
       run: |

data/README.md

@@ -59,7 +59,7 @@ error # => nil
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-Revoked certificates are detected using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) by default:
+Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) by default:
 
 ```ruby
 valid, error, cert = SSLTest.test_url "https://revoked.badssl.com"
@@ -68,7 +68,14 @@ error # => "SSL certificate revoked: Key Compromise (revocation date: 2019-10-07
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-If the CRL is missing, invalid or unreachable the certificate revocation will be tested using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
+If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
+
+You can swap the order if you'd rather check CRL first and only fall back to OCSP on error (the default is OCSP first, since 2.1, because CRLs can be large and checking them is significantly more memory- and CPU-intensive):
+
+```ruby
+SSLTest.revocation_order = %i[crl ocsp]   # CRL first, OCSP fallback
+SSLTest.revocation_order = %i[ocsp crl]   # the default: OCSP first, CRL fallback
+```
 
 If both CRL and OCSP tests are impossible, the certificate will still be considered valid but with an error message:
 
@@ -96,7 +103,7 @@ This check will pass for self-signed certificates if the certificate is signed b
 
 SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
 
-After that it fetches the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) to verify if the certificate has been revoked. If the CRL is not available it'll query the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with CRL and the intermediate with OCSP depending on what they offer.
+After that it queries the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint to verify if the certificate has been revoked. If the OCSP endpoint is not available it'll fetch the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with OCSP and the intermediate with CRL depending on what they offer.
 
 ### Caching
 
@@ -193,9 +200,10 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 ## Changelog
 
-See also github releases: https://github.com/jarthod/ssl-test/releases
-
-* 2.0.0 - 2026-06-16: Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
+* 2.1.1 - 2026-06-21: Refactor CRL code to use newer OpenSSL `crl_uris` helper
+* 2.1.0 - 2026-06-20: Check revocation with OCSP first and fall back to CRL (was CRL first since 1.6) because CRLs can be large and checking them is significantly more memory- and CPU-intensive. Set `SSLTest.revocation_order = %i[crl ocsp]` to restore the previous order.
+* 2.0.1 - 2026-06-19: Speed up and shrink the memory use of CRL checks with a fast path that scans the raw CRL for the certificate's serial before parsing, avoiding instantiating the entire revocation list (>1M Ruby objects for busy CAs) when the cert isn't revoked. Send both `If-None-Match` and `If-Modified-Since` on CRL revalidation so CDN-backed CAs that don't honor their own ETag (e.g. DigiCert) still return a `304` instead of re-downloading the whole list.
+* 2.0.0 - 2026-06-16: Make the revocation check order configurable via `SSLTest.revocation_order` (`%i[crl ocsp]` by default, set `%i[ocsp crl]` to check OCSP first). Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
 * 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay
 * 1.5.0 - 2025-11-28: Add support for local certificates testing and HTTP proxies (#8), changed `#test` method into `#test_url` and `#test_cert` (`#test` remains as an alias for `#test_url` for backward-compatibility)
 * 1.4.1 - 2022-10-24: Add support for "tcps://" scheme

data/by_serial_bench.rb

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+#
+# Needs the patched openssl that defines #by_serial; point OPENSSL_LIB at the dev
+# build (defaults to ../openssl/lib). gem install benchmark-ips benchmark-memory
+#
+#   ruby by_serial_bench.rb [CRL_URL]
+
+dev = ENV["OPENSSL_LIB"] || File.expand_path("../openssl/lib", __dir__)
+$LOAD_PATH.unshift(dev) if File.exist?(File.join(dev, "openssl.so"))
+
+require "openssl"
+require "net/http"
+require "uri"
+require "tmpdir"
+require "benchmark/ips"
+require "benchmark/memory"
+
+abort "loaded openssl has no #by_serial (set OPENSSL_LIB to the patched build)" unless
+  OpenSSL::X509::CRL.method_defined?(:by_serial)
+
+url   = ARGV[0] || "http://c.cf-i.ssl.com/ae801ed1c55bb579d79208b0d772acfb8cc3a208.crl" # big CRL example
+cache = File.join(Dir.tmpdir, "by_serial_bench_#{File.basename(URI(url).path)}")
+body  = File.exist?(cache) ? File.binread(cache) :
+        (warn("downloading #{url} ..."); d = Net::HTTP.get(URI(url)); File.binwrite(cache, d); d)
+
+crl     = OpenSSL::X509::CRL.new(body)
+entries = crl.revoked.size
+absent  = 0xDEAD_BEEF_CAFE_F00D
+present = crl.revoked[entries / 2].serial # middle of the list for median performance
+
+puts "#{OpenSSL::OPENSSL_LIBRARY_VERSION} — #{url}"
+puts "#{(body.bytesize / 1e6).round(1)} MB DER, #{entries} revoked entries"
+
+[["not revoked", absent], ["revoked", present]].each do |label, serial|
+  abort "mismatch for #{label}" unless
+    crl.by_serial(serial) == crl.revoked.find { |r| r.serial == serial }
+  puts "\n=== #{label} serial ==="
+
+  puts "\n-- warm: lookup on a parsed CRL --"
+  @list = nil
+  Benchmark.ips do |x|
+    x.config(warmup: 1, time: 3)
+    x.report("revoked.find") { (@list ||= crl.revoked).find { |r| r.serial == serial } }
+    x.report("by_serial")    { crl.by_serial(serial) }
+    x.compare!
+  end
+  Benchmark.memory do |x|
+    x.report("revoked.find") { crl.revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { crl.by_serial(serial) }
+    x.compare!
+  end
+
+  puts "\n-- cold: parse a fresh CRL + one lookup --"
+  Benchmark.ips do |x|
+    x.config(warmup: 0, time: 3)
+    x.report("revoked.find") { OpenSSL::X509::CRL.new(body).revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { OpenSSL::X509::CRL.new(body).by_serial(serial) }
+    x.compare!
+  end
+  Benchmark.memory do |x|
+    x.report("revoked.find") { OpenSSL::X509::CRL.new(body).revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { OpenSSL::X509::CRL.new(body).by_serial(serial) }
+    x.compare!
+  end
+end

data/crl_bench.rb

@@ -0,0 +1,122 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+#
+# Benchmark: checking whether a single serial is revoked in a CRL.
+#   A) OpenSSL::X509::CRL#revoked.find { ... }   (only API available today)
+#   B) X509_CRL_get0_by_serial()                 (proposed, via Fiddle)
+#
+# Each approach runs in its own forked process so the reported peak RSS reflects
+# only that approach. Requires MRI on Linux (uses fork + /proc; falls back to
+# Process.getrusage on macOS/BSD).
+#
+#   ruby crl_bench.rb [CRL_URL]
+
+require "openssl"
+require "fiddle"
+require "benchmark"
+require "net/http"
+require "uri"
+require "tmpdir"
+
+CRL_URL = ARGV[0] || "http://c.cf-i.ssl.com/ae801ed1c55bb579d79208b0d772acfb8cc3a208.crl"
+
+# --- fetch the CRL (cached in /tmp so reruns are offline) ----------------------
+cache = File.join(Dir.tmpdir, "crl_bench_#{File.basename(URI(CRL_URL).path)}")
+body  = if File.exist?(cache)
+          File.binread(cache)
+        else
+          warn "downloading #{CRL_URL} ..."
+          data = Net::HTTP.get_response(URI(CRL_URL)).body
+          File.binwrite(cache, data)
+          data
+        end
+
+# --- libcrypto bindings (symbols are already in-process via require "openssl") -
+def sym(name)
+  Fiddle::Handle::DEFAULT[name]
+rescue Fiddle::DLError
+  @lib ||= %w[libcrypto.so libcrypto.so.3 libcrypto.dylib libcrypto.so.1.1]
+           .lazy.map { |n| begin; Fiddle.dlopen(n); rescue Fiddle::DLError; nil; end }.find(&:itself)
+  @lib[name]
+end
+
+P, L, I = Fiddle::TYPE_VOIDP, Fiddle::TYPE_LONG, Fiddle::TYPE_INT
+D2I_CRL = Fiddle::Function.new(sym("d2i_X509_CRL"),           [P, P, L], P)
+D2I_INT = Fiddle::Function.new(sym("d2i_ASN1_INTEGER"),       [P, P, L], P)
+GET0    = Fiddle::Function.new(sym("X509_CRL_get0_by_serial"),[P, P, P], I)
+
+# d2i_*(a, **pp, len) advances *pp; wrap a DER String into a C object pointer.
+def d2i(fn, der)
+  buf = Fiddle::Pointer[der]
+  obj = fn.call(nil, Fiddle::Pointer[[buf.to_i].pack("q")], der.bytesize)
+  raise "d2i failed" if obj.null?
+  obj
+end
+
+# Peak resident set size in MB (high-water mark for this process).
+def peak_mb
+  if File.exist?("/proc/self/status") # Linux
+    File.foreach("/proc/self/status") { |l| return l.split[1].to_f / 1024 if l.start_with?("VmHWM:") }
+  end
+  if Process.respond_to?(:getrusage) # macOS / BSD
+    m = Process.getrusage(:SELF).maxrss
+    return RUBY_PLATFORM.include?("darwin") ? m / 1024.0 / 1024 : m / 1024.0
+  end
+  0.0
+end
+
+# Run the block in a fresh process; peak RSS then reflects only that work.
+def isolate
+  rd, wr = IO.pipe
+  pid = fork { rd.close; wr.write(Marshal.dump(yield)); wr.close; exit! }
+  wr.close
+  out = rd.read; rd.close; Process.wait(pid)
+  Marshal.load(out)
+end
+
+# Approach A: the only thing the gem can do today.
+def bench_revoked(body, serial)
+  bn = OpenSSL::BN.new(serial)
+  crl = nil; tp = Benchmark.realtime { crl = OpenSSL::X509::CRL.new(body) }
+  hit = nil; entries = nil
+  tl = Benchmark.realtime { list = crl.revoked; entries = list.size; hit = list.find { |r| r.serial == bn } }
+  { entries: entries, parse_ms: tp * 1000, lookup_ms: tl * 1000, rss_mb: peak_mb, revoked: !hit.nil? }
+end
+
+# Approach B: X509_CRL_get0_by_serial (0 = not found, 1/2 = found).
+def bench_get0(body, serial)
+  crl = nil; tp = Benchmark.realtime { crl = d2i(D2I_CRL, body) }
+  rc = nil
+  tl = Benchmark.realtime do
+    asn1 = d2i(D2I_INT, OpenSSL::ASN1::Integer.new(serial).to_der)
+    rc = GET0.call(crl, Fiddle::NULL, asn1)
+  end
+  { parse_ms: tp * 1000, lookup_ms: tl * 1000, rss_mb: peak_mb, revoked: rc != 0 }
+end
+
+absent  = 0xDEAD_BEEF_CAFE_F00D                              # ~certainly not in the CRL
+present = isolate { OpenSSL::X509::CRL.new(body).revoked.first&.serial&.to_i } # a real revoked serial
+
+puts "CRL: #{CRL_URL}"
+puts "DER: #{body.bytesize} bytes (#{(body.bytesize / 1e6).round(1)} MB)"
+puts "Ruby #{RUBY_VERSION}, openssl gem #{OpenSSL::VERSION}, #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
+puts
+
+a = isolate { bench_revoked(body, absent) }
+b = isolate { bench_get0(body, absent) }
+
+puts "Lookup of an absent serial (#{a[:entries]} entries in the CRL):"
+printf "  %-26s parse %7.1f ms | lookup %8.1f ms | peak RSS %7.1f MB\n",
+       "A #revoked.find", a[:parse_ms], a[:lookup_ms], a[:rss_mb]
+printf "  %-26s parse %7.1f ms | lookup %8.1f ms | peak RSS %7.1f MB\n",
+       "B get0_by_serial", b[:parse_ms], b[:lookup_ms], b[:rss_mb]
+printf "  => %.1fx faster lookup, %.1fx less peak RSS\n",
+       a[:lookup_ms] / b[:lookup_ms], a[:rss_mb] / b[:rss_mb]
+puts
+
+# correctness: both must agree on an absent and a present serial
+ok_absent  = (a[:revoked] == false) && (b[:revoked] == false)
+ok_present = present && isolate { bench_revoked(body, present)[:revoked] } &&
+                        isolate { bench_get0(body, present)[:revoked] }
+puts "correctness: absent serial -> both 'not revoked' (#{ok_absent ? 'PASS' : 'FAIL'}); " \
+     "present serial -> both 'revoked' (#{ok_present ? 'PASS' : 'FAIL'})"

data/lib/ssl-test/crl.rb

@@ -12,46 +12,41 @@ module SSLTest
     # A note about caching:
     # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
     # indexed by certificat serial). This is not CPU efficient because it means every time we
-    # need to check a cert from a cached CRL we need to parse it again, instantiate the list
+    # need to check a cert from a cached CRL we need to read it again, optionally instantiate the list
     # of Revoked certs and then iterate to find it (there's no API to find one cert without
-    # generting the list unfortuantely).
+    # generting the list yet: https://github.com/ruby/openssl/pull/1065).
     # I did this because of memory efficiency, because for big 20MB CRL list (so taking 20MB
     # in memory cache), the parsed version takes more than 100M, the list of Revoked certs 120MB,
     # and building a hash with serial, time and reason takes even more.
     # So doing this would be MUCH faster in terms of CPU for subsequent tests on the same CRL
     # but would take a LOT of memory.
-    # Note: we now check CRL first for every cert in the chain (leaf included), so leaf
-    # CRLs are fetched and cached too. These can be large for busy CAs, which makes the
-    # memory tradeoff above (caching the raw body rather than the parsed list) even more relevant.
 
     private
 
     def test_crl_revocation cert, issuer:, chain:, **options
-      crl_distribution_points = cert.extensions.find do |extension|
-        extension.oid == "crlDistributionPoints"
-      end
-
-      return [false, "Missing crlDistributionPoints extension", nil] unless crl_distribution_points
-
-      # OpenSSL 2.2+ may simplify this: https://github.com/ruby/openssl/commit/ea702a106d3d8136c48f244593de95666be0edf9
-      crl = crl_distribution_points.value.split("\n").find do |description|
-        description.match?(/URI:/)
-      end
+      crl = cert.crl_uris&.first
+      return [false, "Missing crlDistributionPoints extension", nil] if crl.nil?
 
-      return [false, "Missing CRL URI in crlDistributionPoints extension", nil] unless crl
-
-      crl_uri = URI(crl[/URI:(.*)/, 1])
+      crl_uri = URI(crl)
       http_response, crl_request_error = follow_crl_redirects(crl_uri, **options)
       return [false, "Request failed (URI: #{crl_uri}): #{crl_request_error}", nil] unless http_response
 
       response = OpenSSL::X509::CRL.new http_response
       return [false, "Signature verification failed (URI: #{crl_uri})", nil] unless response.verify(issuer.public_key)
 
+      # Fast path: scan the raw response for the cert's serial encoded as DER.
+      # In most case (not revoked) this lets us skip response.revoked, which
+      # instantiate the *entire* revocation list as Ruby objects (>1M objects for busy CAs)
+      serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
+      return :crl_ok unless response.to_der.include?(serial_der)
+
+      # The serial's bytes appear (a real hit, or a rare collision):
+      # confirm authoritatively and pull the reason/date. The costly revoked-list
+      # materialisation only happens here, i.e. for actually-revoked certs.
       revoked = response.revoked.find { |r| r.serial == cert.serial }
       if revoked
         reason = revoked.extensions.find {|e| e.oid == "CRLReason"}&.value
         return [true, reason || "Unknown reason", revoked.time]
-      else
       end
 
       :crl_ok
@@ -77,12 +72,13 @@ module SSLTest
       http.read_timeout = read_timeout
 
       req = Net::HTTP::Get.new(path)
-      # Include conditional caching headers from cache to save bandwidth if list didn't change (304)
-      if etag = cache_entry&.[](:etag)
-        req["If-None-Match"] = etag
-      elsif last_mod = cache_entry&.[](:last_mod)
-        req["If-Modified-Since"] = last_mod
-      end
+      # Include conditional caching headers from cache to save bandwidth if the
+      # list didn't change (304). Send both validators when present: some
+      # CDN-backed CAs (e.g. DigiCert) serve per-node ETags they won't honor via
+      # If-None-Match but will revalidate via If-Modified-Since, so sending only
+      # the ETag defeats the 304 and re-downloads the whole list every time.
+      req["If-None-Match"] = cache_entry[:etag] if cache_entry&.[](:etag)
+      req["If-Modified-Since"] = cache_entry[:last_mod] if cache_entry&.[](:last_mod)
       http_response = http.request(req)
       case http_response
       when Net::HTTPNotModified
@@ -93,7 +89,7 @@ module SSLTest
       when Net::HTTPSuccess
         # Success, update (or add to) cache and return frech body
         @logger&.debug { "SSLTest   + CRL: 200 OK (#{http_response.body.bytesize} bytes)" }
-        @logger&.warn { "SSLTest   + CRL: Warning: massive file size" } if http_response.body.bytesize > 1024**2 # 1MB
+        @logger&.warn { "SSLTest   + CRL: Warning: massive file size (#{http_response.body.bytesize} bytes)" } if http_response.body.bytesize > 1024**2 # 1MB
         @logger&.warn { "SSLTest   + CRL: Warning: no caching headers on #{uri}" } unless http_response["Etag"] or http_response["Last-Modified"]
         cache.write(cache_key, {
           body: http_response.body,

data/lib/ssl-test.rb

@@ -11,7 +11,7 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"2.0.0"
+  VERSION = -"2.1.1"
 
   # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
   # cache (e.g. Rails.cache).
@@ -114,6 +114,24 @@ module SSLTest
       @logger = logger
     end
 
+    # The order in which revocation check methods are tried for each certificate.
+    # The first method to return a conclusive answer (ok or revoked) wins; the
+    # next is only tried when the previous one errors out (missing endpoint,
+    # network error, etc.). Defaults to OCSP first, since CRLs can be large and
+    # checking them is significantly more memory- and CPU-intensive. Set to
+    # %i[crl ocsp] to check CRL first (e.g. to reduce revocation propagation delay).
+    def revocation_order
+      @revocation_order ||= %i[ocsp crl]
+    end
+
+    def revocation_order= order
+      order = Array(order).map { |m| m.to_sym }
+      unless order.sort == %i[crl ocsp]
+        raise ArgumentError, "SSLTest.revocation_order must be %i[crl ocsp] or %i[ocsp crl], got #{order.inspect}"
+      end
+      @revocation_order = order
+    end
+
     private
 
     def revocation_message(revoked, revocation_date, message)
@@ -147,26 +165,37 @@ module SSLTest
       chain[0..-2].each_with_index do |cert, i|
         @logger&.debug { "SSLTest + test_chain_revocation: #{cert_field_to_hash(cert.subject)['CN']}" }
 
-        # Try with CRL first
-        crl_result = test_crl_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + CRL: #{crl_result}" }
-        next if crl_result == :crl_ok # passed, go to next cert
-        return crl_result if crl_result[0] == true # revoked
-
-        # Otherwise it means there was an error so let's try with OCSP instead
-        ocsp_result = test_ocsp_revocation(cert, issuer: chain[i + 1], chain: chain, **options)
-        @logger&.debug { "SSLTest   + OCSP: #{ocsp_result}" }
-        next if ocsp_result == :ocsp_ok # passed, go to next cert
-        return ocsp_result if ocsp_result[0] == true # revoked
+        # Try each revocation method in the configured order, falling back to the
+        # next one only when the current method errors out.
+        errors = {}
+        passed = false
+        revocation_order.each do |method|
+          result = test_revocation(method, cert, issuer: chain[i + 1], chain: chain, **options)
+          @logger&.debug { "SSLTest   + #{method.to_s.upcase}: #{result}" }
+          if result == :"#{method}_ok" # passed, go to next cert
+            passed = true
+            break
+          end
+          return result if result[0] == true # revoked
+          errors[method] = result[1] # errored, try the next method
+        end
+        next if passed
 
-        # If both method failed, return a soft fail with a combination of both error messages
-        return [false, "CRL: #{crl_result[1]}, OCSP: #{ocsp_result[1]}", nil]
+        # If all methods failed, return a soft fail with a combination of the error messages
+        return [false, errors.map { |method, message| "#{method.to_s.upcase}: #{message}" }.join(", "), nil]
       end
 
       # If all test passed, the certificate is not revoked
       [false, nil, nil]
     end
 
+    def test_revocation method, cert, **options
+      case method
+      when :crl  then test_crl_revocation(cert, **options)
+      when :ocsp then test_ocsp_revocation(cert, **options)
+      end
+    end
+
     def cert_field_to_hash field
       field.to_a.each.with_object({}) do |v, h|
         v = v.to_a

data/spec/memory_store_spec.rb

@@ -1,4 +1,5 @@
 require "ssl-test"
+require "rspec/retry" # the cache.size examples below hit live CRL/OCSP endpoints
 
 describe SSLTest::MemoryStore do
   subject(:store) { described_class.new }
@@ -51,7 +52,7 @@ describe SSLTest::MemoryStore do
 end
 
 # #size as reported through the default store after real CRL/OCSP fetches.
-describe "SSLTest.cache.size" do
+describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoints
   before { SSLTest.cache.clear }
 
   it "returns 0 by default" do
@@ -69,7 +70,9 @@ describe "SSLTest.cache.size" do
   end
 
   it "returns OCSP cache size properly" do
-    SSLTest.test("https://github.com")
+    # Google's leaf is checked via OCSP and its intermediate (no OCSP URI) via CRL,
+    # so this populates both the OCSP and CRL caches under the default OCSP-first order.
+    SSLTest.test("https://google.com")
     expect(SSLTest.cache.size[:ocsp][:responses]).to eq(1)
     expect(SSLTest.cache.size[:ocsp][:errors]).to eq(0)
     expect(SSLTest.cache.size[:ocsp][:bytes]).to be > 0

data/spec/ssl-test_spec.rb

@@ -12,9 +12,10 @@ RSpec.configure do |config|
   # The error/revocation examples below hit several public TLS test endpoints
   # (badssl.com, testserver.host, ssl.com) which intermittently reset connections
   # under load. They're spread across a few providers to avoid hammering a single
-  # one, and examples tagged `:retry` are re-run a few times (via rspec-retry) so
-  # transient network blips don't fail the suite.
+  # one, and the network-hitting describe blocks are tagged `retry: 5` (via
+  # rspec-retry) so transient network blips don't fail the suite.
   config.verbose_retry = true
+  config.display_try_failure_messages = true
   config.default_sleep_interval = 1
 end
 
@@ -26,7 +27,7 @@ describe SSLTest do
 
   after(:each) { proxy_thread&.kill }
 
-  describe '.test_url' do
+  describe '.test_url', retry: 5 do # examples hit live TLS/CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       valid, error, cert = SSLTest.test("https://www.mycs.com")
       expect(error).to be_nil
@@ -59,35 +60,35 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on self signed certificate", :retry => 5 do
+    it "returns error on self signed certificate" do
       valid, error, cert = SSLTest.test("https://self-signed.testserver.host/")
       expect(error).to eq ("error code 18: self-signed certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on incomplete chain", :retry => 5 do
+    it "returns error on incomplete chain" do
       valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
       expect(error).to eq ("error code 20: unable to get local issuer certificate")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on untrusted root", :retry => 5 do
+    it "returns error on untrusted root" do
       valid, error, cert = SSLTest.test("https://untrusted-root.testserver.host/")
       expect(error).to eq ("error code 19: self-signed certificate in certificate chain")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on invalid host", :retry => 5 do
-      valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
-      expect(error).to include('error code 62: hostname mismatch')
+    it "returns error on invalid host" do
+      valid, error, cert = SSLTest.test("https://db3.updn.io/")
+      expect(error).to eq('error code 62: hostname mismatch')
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on expired cert", :retry => 5 do
+    it "returns error on expired cert" do
       valid, error, cert = SSLTest.test("https://expired-rsa-dv.ssl.com/")
       expect(error).to eq ("error code 10: certificate has expired")
       expect(valid).to eq(false)
@@ -111,7 +112,7 @@ describe SSLTest do
     end
 
     it "reports revocation exceptions" do
-      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
       valid, error, cert = SSLTest.test("https://digicert.com")
       expect(error).to eq ("SSL certificate test failed: test")
       expect(valid).to be_nil
@@ -119,48 +120,52 @@ describe SSLTest do
     end
 
     it "returns error on revoked cert (OCSP)" do
-      # CRL is tried first; disable it so OCSP performs the revocation check
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # OCSP is tried first and detects the revocation, so CRL is never used
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://revoked-rsa-dv.ssl.com/")
       expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unspecified reason (revocation date: 2026-06-09 14:37:38 UTC)")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on revoked cert (CRL)", :retry => 5 do
-      # CRL is tried first and detects the revocation, so OCSP is never used
+    it "returns error on revoked cert (CRL)" do
+      # Disable OCSP (tried first) so the CRL performs the revocation check
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
-      valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
+      # On a serial byte-match we fall back to #revoked to extract the reason/date
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(:revoked).and_call_original
+      valid, error, cert = SSLTest.test("https://revoked.testserver.host/")
+      expect(error).to match(/SSL certificate revoked: Unknown reason \(revocation date:/)
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "stops following redirection after the limit for the revoked certs check" do
       valid, error, cert = SSLTest.test("https://github.com/", redirection_limit: 0)
-      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
-      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
       expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "warns when the OCSP URI is missing" do
-      # Disable CRL (tried first) to see the OCSP error message
-      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      # Disable CRL fallback to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       valid, error, cert = SSLTest.test("https://google.com")
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "works with CRL only" do
-      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      # Disable OCSP so the CRL performs the revocation check for both certs
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      # Both certs are absent from their CRL, so the serial byte-search short-circuits
+      # and we never materialise the (potentially huge) revoked list.
+      expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:revoked)
       valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
       expect(error).to be_nil
       expect(valid).to eq(true)
@@ -172,15 +177,15 @@ describe SSLTest do
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://github.com")
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://github.com")
+      valid, error, cert = SSLTest.test("https://google.com")
       expect(error).to be_nil
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -236,7 +241,7 @@ describe SSLTest do
     end
   end
 
-  describe '.follow_crl_redirects' do
+  describe '.follow_crl_redirects', retry: 5 do # fetches a live CRL
     before { SSLTest.cache.clear }
     # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
     it "fetch CRL list and updates cache" do
@@ -267,7 +272,7 @@ describe SSLTest do
     end
   end
 
-  describe '.cache' do
+  describe '.cache', retry: 5 do # some examples hit live CRL/OCSP endpoints
     # Restore the default in-process store after tests that swap the backend so
     # global state doesn't leak between examples.
     after { SSLTest.cache = SSLTest::MemoryStore.new }
@@ -294,7 +299,7 @@ describe SSLTest do
     end
   end
 
-  describe '.test_cert' do
+  describe '.test_cert', retry: 5 do # revocation checks hit live CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_mycs_com_ca_bundle.pem')))
@@ -337,7 +342,7 @@ describe SSLTest do
     it "reports revocation exceptions" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/digicert_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/digicert_com_ca_bundle.pem')))
-      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq("SSL certificate test failed: test")
       expect(valid).to be_nil
@@ -348,9 +353,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_ca_bundle.pem')))
 
-      # CRL is tried first; disable it so OCSP performs the revocation check
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # OCSP is tried first and detects the revocation, so CRL is never used
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2025-06-09 15:07:39 UTC)")
@@ -362,9 +367,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_badssl_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_badssl_ca_bundle.pem')))
 
-      # CRL is tried first and detects the revocation, so OCSP is never used
+      # Disable OCSP (tried first) so the CRL performs the revocation check
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)
@@ -376,8 +381,7 @@ describe SSLTest do
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle, redirection_limit: 0)
-      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
-      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
       expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
@@ -387,12 +391,12 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
 
-      # Disable CRL (tried first) to see the OCSP error message
-      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      # Disable CRL fallback to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
     end
@@ -401,9 +405,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_ca_bundle.pem')))
 
-      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      # Disable OCSP so the CRL performs the revocation check for both certs
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to be_nil
@@ -420,18 +424,18 @@ describe SSLTest do
       expect(SSLTest).not_to receive(:follow_crl_redirects)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
 
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
 
-      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_github_com_client.pem')))
-      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to be_nil
@@ -470,8 +474,7 @@ describe SSLTest do
           expect(valid).to eq(true)
           expect(cert).to eq(cert)
 
-          # CRL is tried first, so both certs are checked via CRL (GET) through the proxy
-          expect($proxy).to have_received(:do_GET).twice
+          expect($proxy).to have_received(:do_GET).once
         end
       end
 
@@ -488,4 +491,50 @@ describe SSLTest do
       end
     end
   end
+
+  describe '.revocation_order' do # no network: dispatch logic is stubbed
+    after { SSLTest.revocation_order = %i[ocsp crl] } # reset to the default
+
+    let(:cert)   { OpenSSL::X509::Certificate.new }
+    let(:issuer) { OpenSSL::X509::Certificate.new }
+    let(:chain)  { [cert, issuer] }
+
+    it "defaults to OCSP first" do
+      expect(SSLTest.revocation_order).to eq(%i[ocsp crl])
+    end
+
+    it "validates the value" do
+      expect { SSLTest.revocation_order = %i[crl] }.to raise_error(ArgumentError)
+      expect { SSLTest.revocation_order = %i[ocsp bogus] }.to raise_error(ArgumentError)
+    end
+
+    it "checks OCSP first by default, falling back to CRL on error" do
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
+      result = SSLTest.send(:test_chain_revocation, chain)
+      expect(result).to eq([false, nil, nil])
+    end
+
+    it "checks CRL first when configured, falling back to OCSP on error" do
+      SSLTest.revocation_order = %i[crl ocsp]
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
+      result = SSLTest.send(:test_chain_revocation, chain)
+      expect(result).to eq([false, nil, nil])
+    end
+
+    it "does not try the second method when the first one passes" do
+      expect(SSLTest).to receive(:test_ocsp_revocation).and_return(:ocsp_ok)
+      expect(SSLTest).not_to receive(:test_crl_revocation)
+      expect(SSLTest.send(:test_chain_revocation, chain)).to eq([false, nil, nil])
+    end
+
+    it "combines error messages in the configured order when all methods fail" do
+      SSLTest.revocation_order = %i[ocsp crl]
+      allow(SSLTest).to receive(:test_ocsp_revocation).and_return([false, "OCSP boom", nil])
+      allow(SSLTest).to receive(:test_crl_revocation).and_return([false, "CRL boom", nil])
+      _revoked, message, _date = SSLTest.send(:test_chain_revocation, chain)
+      expect(message).to eq("OCSP: OCSP boom, CRL: CRL boom")
+    end
+  end
 end

data/ssl-test.gemspec

@@ -12,6 +12,8 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/jarthod/ssl-test"
   spec.license       = "MIT"
 
+  spec.required_ruby_version = ">= 3.1"
+
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-17 00:00:00.000000000 Z
+date: 2026-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -134,6 +134,8 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- by_serial_bench.rb
+- crl_bench.rb
 - lib/ssl-test.rb
 - lib/ssl-test/crl.rb
 - lib/ssl-test/memory_store.rb
@@ -174,7 +176,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="