ssl-test 2.0.1 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 073a878a42dbba9b30e7c69ec4b435cd8f2c607e59a6b894099af73ea60526f8
-  data.tar.gz: 709b2f097b7d8a61922f2cfcee0cb6651046c57854dea0b3dc17c8367b7b856a
+  metadata.gz: 48563a079839f759ca0f765c768fa7280af962036d2e1e9acd81aaa2dd8967fb
+  data.tar.gz: 2a51edf744b6116222f52ea1b72b502805f2a2c78beab94620b408a8c7b05d07
 SHA512:
-  metadata.gz: 150c1d97a77c0a37c71a180d7cd643f3a4264280f65261e2cb830b184fed00cb60458bf4d27ce1eb52225db506398d2e1480bf69d5a7d6ffc4ee7e5ad288a5b1
-  data.tar.gz: '08f66249c1b7d951b71283589d957b6bfe4451934ff155af255e4e31a5f77d0aa27bcd1dcc9cee1dcb0b1ddc450618d97c9a445c5067990009b14ad616933128'
+  metadata.gz: bd2cb2d7de4d133df831932a4d8a44974fc49dd592765fa7669f9d272c1e169d8ea90c728109824dafc89d20a11d83da135f9a7852466781bc58890dcc3a322a
+  data.tar.gz: b96a5c2515c952f25ebe823c88d5daf2e8bcc60024d76a7ea715fc854b199bb4e1e06f4d3f787490a6f9bfb987eaba3f4be5692a063a74b4f55fa605e3e8c7e4

data/README.md

@@ -59,7 +59,7 @@ error # => nil
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-Revoked certificates are detected using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) by default:
+Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) by default:
 
 ```ruby
 valid, error, cert = SSLTest.test_url "https://revoked.badssl.com"
@@ -68,13 +68,13 @@ error # => "SSL certificate revoked: Key Compromise (revocation date: 2019-10-07
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-If the CRL is missing, invalid or unreachable the certificate revocation will be tested using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
+If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
 
-You can swap the order if you'd rather check OCSP first and only fall back to CRL on error (the default is CRL first, since 1.6, to reduce the revocation propagation delay):
+You can swap the order if you'd rather check CRL first and only fall back to OCSP on error (the default is OCSP first, since 2.1, because CRLs can be large and checking them is significantly more memory- and CPU-intensive):
 
 ```ruby
-SSLTest.revocation_order = %i[ocsp crl]   # OCSP first, CRL fallback
-SSLTest.revocation_order = %i[crl ocsp]   # the default: CRL first, OCSP fallback
+SSLTest.revocation_order = %i[crl ocsp]   # CRL first, OCSP fallback
+SSLTest.revocation_order = %i[ocsp crl]   # the default: OCSP first, CRL fallback
 ```
 
 If both CRL and OCSP tests are impossible, the certificate will still be considered valid but with an error message:
@@ -103,7 +103,7 @@ This check will pass for self-signed certificates if the certificate is signed b
 
 SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
 
-After that it fetches the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) to verify if the certificate has been revoked. If the CRL is not available it'll query the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with CRL and the intermediate with OCSP depending on what they offer.
+After that it queries the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint to verify if the certificate has been revoked. If the OCSP endpoint is not available it'll fetch the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with OCSP and the intermediate with CRL depending on what they offer.
 
 ### Caching
 
@@ -200,8 +200,8 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 ## Changelog
 
-See also github releases: https://github.com/jarthod/ssl-test/releases
-
+* 2.1.1 - 2026-06-21: Refactor CRL code to use newer OpenSSL `crl_uris` helper
+* 2.1.0 - 2026-06-20: Check revocation with OCSP first and fall back to CRL (was CRL first since 1.6) because CRLs can be large and checking them is significantly more memory- and CPU-intensive. Set `SSLTest.revocation_order = %i[crl ocsp]` to restore the previous order.
 * 2.0.1 - 2026-06-19: Speed up and shrink the memory use of CRL checks with a fast path that scans the raw CRL for the certificate's serial before parsing, avoiding instantiating the entire revocation list (>1M Ruby objects for busy CAs) when the cert isn't revoked. Send both `If-None-Match` and `If-Modified-Since` on CRL revalidation so CDN-backed CAs that don't honor their own ETag (e.g. DigiCert) still return a `304` instead of re-downloading the whole list.
 * 2.0.0 - 2026-06-16: Make the revocation check order configurable via `SSLTest.revocation_order` (`%i[crl ocsp]` by default, set `%i[ocsp crl]` to check OCSP first). Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
 * 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay

data/by_serial_bench.rb

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+#
+# Needs the patched openssl that defines #by_serial; point OPENSSL_LIB at the dev
+# build (defaults to ../openssl/lib). gem install benchmark-ips benchmark-memory
+#
+#   ruby by_serial_bench.rb [CRL_URL]
+
+dev = ENV["OPENSSL_LIB"] || File.expand_path("../openssl/lib", __dir__)
+$LOAD_PATH.unshift(dev) if File.exist?(File.join(dev, "openssl.so"))
+
+require "openssl"
+require "net/http"
+require "uri"
+require "tmpdir"
+require "benchmark/ips"
+require "benchmark/memory"
+
+abort "loaded openssl has no #by_serial (set OPENSSL_LIB to the patched build)" unless
+  OpenSSL::X509::CRL.method_defined?(:by_serial)
+
+url   = ARGV[0] || "http://c.cf-i.ssl.com/ae801ed1c55bb579d79208b0d772acfb8cc3a208.crl" # big CRL example
+cache = File.join(Dir.tmpdir, "by_serial_bench_#{File.basename(URI(url).path)}")
+body  = File.exist?(cache) ? File.binread(cache) :
+        (warn("downloading #{url} ..."); d = Net::HTTP.get(URI(url)); File.binwrite(cache, d); d)
+
+crl     = OpenSSL::X509::CRL.new(body)
+entries = crl.revoked.size
+absent  = 0xDEAD_BEEF_CAFE_F00D
+present = crl.revoked[entries / 2].serial # middle of the list for median performance
+
+puts "#{OpenSSL::OPENSSL_LIBRARY_VERSION} — #{url}"
+puts "#{(body.bytesize / 1e6).round(1)} MB DER, #{entries} revoked entries"
+
+[["not revoked", absent], ["revoked", present]].each do |label, serial|
+  abort "mismatch for #{label}" unless
+    crl.by_serial(serial) == crl.revoked.find { |r| r.serial == serial }
+  puts "\n=== #{label} serial ==="
+
+  puts "\n-- warm: lookup on a parsed CRL --"
+  @list = nil
+  Benchmark.ips do |x|
+    x.config(warmup: 1, time: 3)
+    x.report("revoked.find") { (@list ||= crl.revoked).find { |r| r.serial == serial } }
+    x.report("by_serial")    { crl.by_serial(serial) }
+    x.compare!
+  end
+  Benchmark.memory do |x|
+    x.report("revoked.find") { crl.revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { crl.by_serial(serial) }
+    x.compare!
+  end
+
+  puts "\n-- cold: parse a fresh CRL + one lookup --"
+  Benchmark.ips do |x|
+    x.config(warmup: 0, time: 3)
+    x.report("revoked.find") { OpenSSL::X509::CRL.new(body).revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { OpenSSL::X509::CRL.new(body).by_serial(serial) }
+    x.compare!
+  end
+  Benchmark.memory do |x|
+    x.report("revoked.find") { OpenSSL::X509::CRL.new(body).revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { OpenSSL::X509::CRL.new(body).by_serial(serial) }
+    x.compare!
+  end
+end

data/crl_bench.rb

@@ -0,0 +1,122 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+#
+# Benchmark: checking whether a single serial is revoked in a CRL.
+#   A) OpenSSL::X509::CRL#revoked.find { ... }   (only API available today)
+#   B) X509_CRL_get0_by_serial()                 (proposed, via Fiddle)
+#
+# Each approach runs in its own forked process so the reported peak RSS reflects
+# only that approach. Requires MRI on Linux (uses fork + /proc; falls back to
+# Process.getrusage on macOS/BSD).
+#
+#   ruby crl_bench.rb [CRL_URL]
+
+require "openssl"
+require "fiddle"
+require "benchmark"
+require "net/http"
+require "uri"
+require "tmpdir"
+
+CRL_URL = ARGV[0] || "http://c.cf-i.ssl.com/ae801ed1c55bb579d79208b0d772acfb8cc3a208.crl"
+
+# --- fetch the CRL (cached in /tmp so reruns are offline) ----------------------
+cache = File.join(Dir.tmpdir, "crl_bench_#{File.basename(URI(CRL_URL).path)}")
+body  = if File.exist?(cache)
+          File.binread(cache)
+        else
+          warn "downloading #{CRL_URL} ..."
+          data = Net::HTTP.get_response(URI(CRL_URL)).body
+          File.binwrite(cache, data)
+          data
+        end
+
+# --- libcrypto bindings (symbols are already in-process via require "openssl") -
+def sym(name)
+  Fiddle::Handle::DEFAULT[name]
+rescue Fiddle::DLError
+  @lib ||= %w[libcrypto.so libcrypto.so.3 libcrypto.dylib libcrypto.so.1.1]
+           .lazy.map { |n| begin; Fiddle.dlopen(n); rescue Fiddle::DLError; nil; end }.find(&:itself)
+  @lib[name]
+end
+
+P, L, I = Fiddle::TYPE_VOIDP, Fiddle::TYPE_LONG, Fiddle::TYPE_INT
+D2I_CRL = Fiddle::Function.new(sym("d2i_X509_CRL"),           [P, P, L], P)
+D2I_INT = Fiddle::Function.new(sym("d2i_ASN1_INTEGER"),       [P, P, L], P)
+GET0    = Fiddle::Function.new(sym("X509_CRL_get0_by_serial"),[P, P, P], I)
+
+# d2i_*(a, **pp, len) advances *pp; wrap a DER String into a C object pointer.
+def d2i(fn, der)
+  buf = Fiddle::Pointer[der]
+  obj = fn.call(nil, Fiddle::Pointer[[buf.to_i].pack("q")], der.bytesize)
+  raise "d2i failed" if obj.null?
+  obj
+end
+
+# Peak resident set size in MB (high-water mark for this process).
+def peak_mb
+  if File.exist?("/proc/self/status") # Linux
+    File.foreach("/proc/self/status") { |l| return l.split[1].to_f / 1024 if l.start_with?("VmHWM:") }
+  end
+  if Process.respond_to?(:getrusage) # macOS / BSD
+    m = Process.getrusage(:SELF).maxrss
+    return RUBY_PLATFORM.include?("darwin") ? m / 1024.0 / 1024 : m / 1024.0
+  end
+  0.0
+end
+
+# Run the block in a fresh process; peak RSS then reflects only that work.
+def isolate
+  rd, wr = IO.pipe
+  pid = fork { rd.close; wr.write(Marshal.dump(yield)); wr.close; exit! }
+  wr.close
+  out = rd.read; rd.close; Process.wait(pid)
+  Marshal.load(out)
+end
+
+# Approach A: the only thing the gem can do today.
+def bench_revoked(body, serial)
+  bn = OpenSSL::BN.new(serial)
+  crl = nil; tp = Benchmark.realtime { crl = OpenSSL::X509::CRL.new(body) }
+  hit = nil; entries = nil
+  tl = Benchmark.realtime { list = crl.revoked; entries = list.size; hit = list.find { |r| r.serial == bn } }
+  { entries: entries, parse_ms: tp * 1000, lookup_ms: tl * 1000, rss_mb: peak_mb, revoked: !hit.nil? }
+end
+
+# Approach B: X509_CRL_get0_by_serial (0 = not found, 1/2 = found).
+def bench_get0(body, serial)
+  crl = nil; tp = Benchmark.realtime { crl = d2i(D2I_CRL, body) }
+  rc = nil
+  tl = Benchmark.realtime do
+    asn1 = d2i(D2I_INT, OpenSSL::ASN1::Integer.new(serial).to_der)
+    rc = GET0.call(crl, Fiddle::NULL, asn1)
+  end
+  { parse_ms: tp * 1000, lookup_ms: tl * 1000, rss_mb: peak_mb, revoked: rc != 0 }
+end
+
+absent  = 0xDEAD_BEEF_CAFE_F00D                              # ~certainly not in the CRL
+present = isolate { OpenSSL::X509::CRL.new(body).revoked.first&.serial&.to_i } # a real revoked serial
+
+puts "CRL: #{CRL_URL}"
+puts "DER: #{body.bytesize} bytes (#{(body.bytesize / 1e6).round(1)} MB)"
+puts "Ruby #{RUBY_VERSION}, openssl gem #{OpenSSL::VERSION}, #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
+puts
+
+a = isolate { bench_revoked(body, absent) }
+b = isolate { bench_get0(body, absent) }
+
+puts "Lookup of an absent serial (#{a[:entries]} entries in the CRL):"
+printf "  %-26s parse %7.1f ms | lookup %8.1f ms | peak RSS %7.1f MB\n",
+       "A #revoked.find", a[:parse_ms], a[:lookup_ms], a[:rss_mb]
+printf "  %-26s parse %7.1f ms | lookup %8.1f ms | peak RSS %7.1f MB\n",
+       "B get0_by_serial", b[:parse_ms], b[:lookup_ms], b[:rss_mb]
+printf "  => %.1fx faster lookup, %.1fx less peak RSS\n",
+       a[:lookup_ms] / b[:lookup_ms], a[:rss_mb] / b[:rss_mb]
+puts
+
+# correctness: both must agree on an absent and a present serial
+ok_absent  = (a[:revoked] == false) && (b[:revoked] == false)
+ok_present = present && isolate { bench_revoked(body, present)[:revoked] } &&
+                        isolate { bench_get0(body, present)[:revoked] }
+puts "correctness: absent serial -> both 'not revoked' (#{ok_absent ? 'PASS' : 'FAIL'}); " \
+     "present serial -> both 'revoked' (#{ok_present ? 'PASS' : 'FAIL'})"

data/lib/ssl-test/crl.rb

@@ -12,35 +12,22 @@ module SSLTest
     # A note about caching:
     # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
     # indexed by certificat serial). This is not CPU efficient because it means every time we
-    # need to check a cert from a cached CRL we need to parse it again, instantiate the list
+    # need to check a cert from a cached CRL we need to read it again, optionally instantiate the list
     # of Revoked certs and then iterate to find it (there's no API to find one cert without
-    # generting the list unfortuantely).
+    # generting the list yet: https://github.com/ruby/openssl/pull/1065).
     # I did this because of memory efficiency, because for big 20MB CRL list (so taking 20MB
     # in memory cache), the parsed version takes more than 100M, the list of Revoked certs 120MB,
     # and building a hash with serial, time and reason takes even more.
     # So doing this would be MUCH faster in terms of CPU for subsequent tests on the same CRL
     # but would take a LOT of memory.
-    # Note: we now check CRL first for every cert in the chain (leaf included), so leaf
-    # CRLs are fetched and cached too. These can be large for busy CAs, which makes the
-    # memory tradeoff above (caching the raw body rather than the parsed list) even more relevant.
 
     private
 
     def test_crl_revocation cert, issuer:, chain:, **options
-      crl_distribution_points = cert.extensions.find do |extension|
-        extension.oid == "crlDistributionPoints"
-      end
-
-      return [false, "Missing crlDistributionPoints extension", nil] unless crl_distribution_points
-
-      # OpenSSL 2.2+ may simplify this: https://github.com/ruby/openssl/commit/ea702a106d3d8136c48f244593de95666be0edf9
-      crl = crl_distribution_points.value.split("\n").find do |description|
-        description.match?(/URI:/)
-      end
-
-      return [false, "Missing CRL URI in crlDistributionPoints extension", nil] unless crl
+      crl = cert.crl_uris&.first
+      return [false, "Missing crlDistributionPoints extension", nil] if crl.nil?
 
-      crl_uri = URI(crl[/URI:(.*)/, 1])
+      crl_uri = URI(crl)
       http_response, crl_request_error = follow_crl_redirects(crl_uri, **options)
       return [false, "Request failed (URI: #{crl_uri}): #{crl_request_error}", nil] unless http_response
 

data/lib/ssl-test.rb

@@ -11,7 +11,7 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"2.0.1"
+  VERSION = -"2.1.1"
 
   # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
   # cache (e.g. Rails.cache).
@@ -117,10 +117,11 @@ module SSLTest
     # The order in which revocation check methods are tried for each certificate.
     # The first method to return a conclusive answer (ok or revoked) wins; the
     # next is only tried when the previous one errors out (missing endpoint,
-    # network error, etc.). Defaults to CRL first (since 1.6) to reduce the
-    # revocation propagation delay. Set to %i[ocsp crl] to check OCSP first.
+    # network error, etc.). Defaults to OCSP first, since CRLs can be large and
+    # checking them is significantly more memory- and CPU-intensive. Set to
+    # %i[crl ocsp] to check CRL first (e.g. to reduce revocation propagation delay).
     def revocation_order
-      @revocation_order ||= %i[crl ocsp]
+      @revocation_order ||= %i[ocsp crl]
     end
 
     def revocation_order= order

data/spec/memory_store_spec.rb

@@ -70,7 +70,9 @@ describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoint
   end
 
   it "returns OCSP cache size properly" do
-    SSLTest.test("https://github.com")
+    # Google's leaf is checked via OCSP and its intermediate (no OCSP URI) via CRL,
+    # so this populates both the OCSP and CRL caches under the default OCSP-first order.
+    SSLTest.test("https://google.com")
     expect(SSLTest.cache.size[:ocsp][:responses]).to eq(1)
     expect(SSLTest.cache.size[:ocsp][:errors]).to eq(0)
     expect(SSLTest.cache.size[:ocsp][:bytes]).to be > 0

data/spec/ssl-test_spec.rb

@@ -15,6 +15,7 @@ RSpec.configure do |config|
   # one, and the network-hitting describe blocks are tagged `retry: 5` (via
   # rspec-retry) so transient network blips don't fail the suite.
   config.verbose_retry = true
+  config.display_try_failure_messages = true
   config.default_sleep_interval = 1
 end
 
@@ -81,8 +82,8 @@ describe SSLTest do
     end
 
     it "returns error on invalid host" do
-      valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
-      expect(error).to include('error code 62: hostname mismatch')
+      valid, error, cert = SSLTest.test("https://db3.updn.io/")
+      expect(error).to eq('error code 62: hostname mismatch')
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
@@ -111,7 +112,7 @@ describe SSLTest do
     end
 
     it "reports revocation exceptions" do
-      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
       valid, error, cert = SSLTest.test("https://digicert.com")
       expect(error).to eq ("SSL certificate test failed: test")
       expect(valid).to be_nil
@@ -119,9 +120,9 @@ describe SSLTest do
     end
 
     it "returns error on revoked cert (OCSP)" do
-      # CRL is tried first; disable it so OCSP performs the revocation check
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # OCSP is tried first and detects the revocation, so CRL is never used
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://revoked-rsa-dv.ssl.com/")
       expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unspecified reason (revocation date: 2026-06-09 14:37:38 UTC)")
       expect(valid).to eq(false)
@@ -129,40 +130,39 @@ describe SSLTest do
     end
 
     it "returns error on revoked cert (CRL)" do
-      # CRL is tried first and detects the revocation, so OCSP is never used
+      # Disable OCSP (tried first) so the CRL performs the revocation check
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       # On a serial byte-match we fall back to #revoked to extract the reason/date
       expect_any_instance_of(OpenSSL::X509::CRL).to receive(:revoked).and_call_original
-      valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
+      valid, error, cert = SSLTest.test("https://revoked.testserver.host/")
+      expect(error).to match(/SSL certificate revoked: Unknown reason \(revocation date:/)
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "stops following redirection after the limit for the revoked certs check" do
       valid, error, cert = SSLTest.test("https://github.com/", redirection_limit: 0)
-      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
-      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
       expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "warns when the OCSP URI is missing" do
-      # Disable CRL (tried first) to see the OCSP error message
-      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      # Disable CRL fallback to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       valid, error, cert = SSLTest.test("https://google.com")
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "works with CRL only" do
-      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      # Disable OCSP so the CRL performs the revocation check for both certs
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       # Both certs are absent from their CRL, so the serial byte-search short-circuits
       # and we never materialise the (potentially huge) revoked list.
       expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:revoked)
@@ -177,15 +177,15 @@ describe SSLTest do
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://github.com")
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://github.com")
+      valid, error, cert = SSLTest.test("https://google.com")
       expect(error).to be_nil
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -342,7 +342,7 @@ describe SSLTest do
     it "reports revocation exceptions" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/digicert_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/digicert_com_ca_bundle.pem')))
-      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq("SSL certificate test failed: test")
       expect(valid).to be_nil
@@ -353,9 +353,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_ca_bundle.pem')))
 
-      # CRL is tried first; disable it so OCSP performs the revocation check
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # OCSP is tried first and detects the revocation, so CRL is never used
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2025-06-09 15:07:39 UTC)")
@@ -367,9 +367,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_badssl_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_badssl_ca_bundle.pem')))
 
-      # CRL is tried first and detects the revocation, so OCSP is never used
+      # Disable OCSP (tried first) so the CRL performs the revocation check
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)
@@ -381,8 +381,7 @@ describe SSLTest do
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle, redirection_limit: 0)
-      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
-      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
       expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
@@ -392,12 +391,12 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
 
-      # Disable CRL (tried first) to see the OCSP error message
-      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      # Disable CRL fallback to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
     end
@@ -406,9 +405,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_ca_bundle.pem')))
 
-      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      # Disable OCSP so the CRL performs the revocation check for both certs
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to be_nil
@@ -425,18 +424,18 @@ describe SSLTest do
       expect(SSLTest).not_to receive(:follow_crl_redirects)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
 
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
 
-      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_github_com_client.pem')))
-      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to be_nil
@@ -475,8 +474,7 @@ describe SSLTest do
           expect(valid).to eq(true)
           expect(cert).to eq(cert)
 
-          # CRL is tried first, so both certs are checked via CRL (GET) through the proxy
-          expect($proxy).to have_received(:do_GET).twice
+          expect($proxy).to have_received(:do_GET).once
         end
       end
 
@@ -495,14 +493,14 @@ describe SSLTest do
   end
 
   describe '.revocation_order' do # no network: dispatch logic is stubbed
-    after { SSLTest.revocation_order = %i[crl ocsp] } # reset to the default
+    after { SSLTest.revocation_order = %i[ocsp crl] } # reset to the default
 
     let(:cert)   { OpenSSL::X509::Certificate.new }
     let(:issuer) { OpenSSL::X509::Certificate.new }
     let(:chain)  { [cert, issuer] }
 
-    it "defaults to CRL first" do
-      expect(SSLTest.revocation_order).to eq(%i[crl ocsp])
+    it "defaults to OCSP first" do
+      expect(SSLTest.revocation_order).to eq(%i[ocsp crl])
     end
 
     it "validates the value" do
@@ -510,23 +508,22 @@ describe SSLTest do
       expect { SSLTest.revocation_order = %i[ocsp bogus] }.to raise_error(ArgumentError)
     end
 
-    it "checks CRL first by default, falling back to OCSP on error" do
-      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
-      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
+    it "checks OCSP first by default, falling back to CRL on error" do
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
       result = SSLTest.send(:test_chain_revocation, chain)
       expect(result).to eq([false, nil, nil])
     end
 
-    it "checks OCSP first when configured, falling back to CRL on error" do
-      SSLTest.revocation_order = %i[ocsp crl]
-      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
-      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
+    it "checks CRL first when configured, falling back to OCSP on error" do
+      SSLTest.revocation_order = %i[crl ocsp]
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
       result = SSLTest.send(:test_chain_revocation, chain)
       expect(result).to eq([false, nil, nil])
     end
 
     it "does not try the second method when the first one passes" do
-      SSLTest.revocation_order = %i[ocsp crl]
       expect(SSLTest).to receive(:test_ocsp_revocation).and_return(:ocsp_ok)
       expect(SSLTest).not_to receive(:test_crl_revocation)
       expect(SSLTest.send(:test_chain_revocation, chain)).to eq([false, nil, nil])

data/ssl-test.gemspec

@@ -12,6 +12,8 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/jarthod/ssl-test"
   spec.license       = "MIT"
 
+  spec.required_ruby_version = ">= 3.1"
+
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.1.1
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-19 00:00:00.000000000 Z
+date: 2026-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -134,6 +134,8 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- by_serial_bench.rb
+- crl_bench.rb
 - lib/ssl-test.rb
 - lib/ssl-test/crl.rb
 - lib/ssl-test/memory_store.rb
@@ -174,7 +176,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="