ssl-test 2.0.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 073a878a42dbba9b30e7c69ec4b435cd8f2c607e59a6b894099af73ea60526f8
-  data.tar.gz: 709b2f097b7d8a61922f2cfcee0cb6651046c57854dea0b3dc17c8367b7b856a
+  metadata.gz: 36325440b8b451a3a2820ab4c597ed765a9d7787ff613ea36aeea671892a9882
+  data.tar.gz: 794733e1186c7a03f9b04823a165637cf7c559554e84b478d7b3fb57fe2e9e0e
 SHA512:
-  metadata.gz: 150c1d97a77c0a37c71a180d7cd643f3a4264280f65261e2cb830b184fed00cb60458bf4d27ce1eb52225db506398d2e1480bf69d5a7d6ffc4ee7e5ad288a5b1
-  data.tar.gz: '08f66249c1b7d951b71283589d957b6bfe4451934ff155af255e4e31a5f77d0aa27bcd1dcc9cee1dcb0b1ddc450618d97c9a445c5067990009b14ad616933128'
+  metadata.gz: 682c775642e4dbae339d37afe3c059f2e34511c942d199eb09b3090a73f65840e09c0df904d2790893752cc7ad4db2f2c7cbdf68f17765cbee4015967d665282
+  data.tar.gz: 9bf3c4f4d6113d2884fd33041310a22cb5b6610aebb5e44b62a3cffa3396e56e6e7b6091dab907dcbf0fdec6d2ccdb00eac5f60a5018045ace13d334f0b1d581

data/README.md

@@ -59,7 +59,7 @@ error # => nil
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-Revoked certificates are detected using [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) by default:
+Revoked certificates are detected using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) by default:
 
 ```ruby
 valid, error, cert = SSLTest.test_url "https://revoked.badssl.com"
@@ -68,13 +68,13 @@ error # => "SSL certificate revoked: Key Compromise (revocation date: 2019-10-07
 cert # => #<OpenSSL::X509::Certificate...>
 ```
 
-If the CRL is missing, invalid or unreachable the certificate revocation will be tested using [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).
+If the OCSP endpoint is missing, invalid or unreachable the certificate revocation will be tested using the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list).
 
-You can swap the order if you'd rather check OCSP first and only fall back to CRL on error (the default is CRL first, since 1.6, to reduce the revocation propagation delay):
+You can swap the order if you'd rather check CRL first and only fall back to OCSP on error (the default is OCSP first, since 2.1, because CRLs can be large and checking them is significantly more memory- and CPU-intensive):
 
 ```ruby
-SSLTest.revocation_order = %i[ocsp crl]   # OCSP first, CRL fallback
-SSLTest.revocation_order = %i[crl ocsp]   # the default: CRL first, OCSP fallback
+SSLTest.revocation_order = %i[crl ocsp]   # CRL first, OCSP fallback
+SSLTest.revocation_order = %i[ocsp crl]   # the default: OCSP first, CRL fallback
 ```
 
 If both CRL and OCSP tests are impossible, the certificate will still be considered valid but with an error message:
@@ -103,7 +103,7 @@ This check will pass for self-signed certificates if the certificate is signed b
 
 SSLTester connects as an HTTPS client (without issuing any requests) and then closes the connection. It does so using ruby `net/https` library and verifies the SSL status. It also hooks into the validation process to intercept the raw certificate for you.
 
-After that it fetches the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) to verify if the certificate has been revoked. If the CRL is not available it'll query the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with CRL and the intermediate with OCSP depending on what they offer.
+After that it queries the [OCSP](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) endpoint to verify if the certificate has been revoked. If the OCSP endpoint is not available it'll fetch the [CRL](https://en.wikipedia.org/wiki/Certificate_revocation_list) instead. It does this for every certificates in the chain (except the root which is trusted by your Operating System). It is possible the first one will be validated with OCSP and the intermediate with CRL depending on what they offer.
 
 ### Caching
 
@@ -200,8 +200,9 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 ## Changelog
 
-See also github releases: https://github.com/jarthod/ssl-test/releases
-
+* 2.1.2 - 2026-06-23: Add support for faster `CRL#by_serial` method I just added to OpenSSL (https://github.com/ruby/openssl/pull/1065)
+* 2.1.1 - 2026-06-21: Refactor CRL code to use newer OpenSSL `crl_uris` helper
+* 2.1.0 - 2026-06-20: Check revocation with OCSP first and fall back to CRL (was CRL first since 1.6) because CRLs can be large and checking them is significantly more memory- and CPU-intensive. Set `SSLTest.revocation_order = %i[crl ocsp]` to restore the previous order.
 * 2.0.1 - 2026-06-19: Speed up and shrink the memory use of CRL checks with a fast path that scans the raw CRL for the certificate's serial before parsing, avoiding instantiating the entire revocation list (>1M Ruby objects for busy CAs) when the cert isn't revoked. Send both `If-None-Match` and `If-Modified-Since` on CRL revalidation so CDN-backed CAs that don't honor their own ETag (e.g. DigiCert) still return a `304` instead of re-downloading the whole list.
 * 2.0.0 - 2026-06-16: Make the revocation check order configurable via `SSLTest.revocation_order` (`%i[crl ocsp]` by default, set `%i[ocsp crl]` to check OCSP first). Make the cache backend configurable. The default stays an in-process `SSLTest::MemoryStore`, but you can now assign any object responding to the `Rails.cache`-style API (`read`/`write`/`delete`) with `SSLTest.cache = Rails.cache` to share responses across processes and get compression (e.g. memcache via Dalli — see the memcached note in the Caching section about raising the max value size for large CRLs). **Breaking:** the module-level `SSLTest.cache_size` and `SSLTest.flush_cache` were removed — use `SSLTest.cache.size` and `SSLTest.cache.clear` instead (these only work with the built-in `MemoryStore`; shared backends like `Rails.cache` can't be enumerated and shouldn't be wholesale-cleared)
 * 1.6.0 - 2026-06-16: Check revocation with CRL first and fall back to OCSP (was OCSP first) to reduce revocation detection delay

data/by_serial_bench.rb

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+#
+# Needs the patched openssl that defines #by_serial; point OPENSSL_LIB at the dev
+# build (defaults to ../openssl/lib). gem install benchmark-ips benchmark-memory
+#
+#   ruby by_serial_bench.rb [CRL_URL]
+
+dev = ENV["OPENSSL_LIB"] || File.expand_path("../openssl/lib", __dir__)
+$LOAD_PATH.unshift(dev) if File.exist?(File.join(dev, "openssl.so"))
+
+require "openssl"
+require "net/http"
+require "uri"
+require "tmpdir"
+require "benchmark/ips"
+require "benchmark/memory"
+
+abort "loaded openssl has no #by_serial (set OPENSSL_LIB to the patched build)" unless
+  OpenSSL::X509::CRL.method_defined?(:by_serial)
+
+url   = ARGV[0] || "http://c.cf-i.ssl.com/ae801ed1c55bb579d79208b0d772acfb8cc3a208.crl" # big CRL example
+cache = File.join(Dir.tmpdir, "by_serial_bench_#{File.basename(URI(url).path)}")
+body  = File.exist?(cache) ? File.binread(cache) :
+        (warn("downloading #{url} ..."); d = Net::HTTP.get(URI(url)); File.binwrite(cache, d); d)
+
+crl     = OpenSSL::X509::CRL.new(body)
+entries = crl.revoked.size
+absent  = 0xDEAD_BEEF_CAFE_F00D
+present = crl.revoked[entries / 2].serial # middle of the list for median performance
+
+puts "#{OpenSSL::OPENSSL_LIBRARY_VERSION} — #{url}"
+puts "#{(body.bytesize / 1e6).round(1)} MB DER, #{entries} revoked entries"
+
+[["not revoked", absent], ["revoked", present]].each do |label, serial|
+  abort "mismatch for #{label}" unless
+    crl.by_serial(serial) == crl.revoked.find { |r| r.serial == serial }
+  puts "\n=== #{label} serial ==="
+
+  puts "\n-- warm: lookup on a parsed CRL --"
+  @list = nil
+  Benchmark.ips do |x|
+    x.config(warmup: 1, time: 3)
+    x.report("revoked.find") { (@list ||= crl.revoked).find { |r| r.serial == serial } }
+    x.report("by_serial")    { crl.by_serial(serial) }
+    x.compare!
+  end
+  Benchmark.memory do |x|
+    x.report("revoked.find") { crl.revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { crl.by_serial(serial) }
+    x.compare!
+  end
+
+  puts "\n-- cold: parse a fresh CRL + one lookup --"
+  Benchmark.ips do |x|
+    x.config(warmup: 0, time: 3)
+    x.report("revoked.find") { OpenSSL::X509::CRL.new(body).revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { OpenSSL::X509::CRL.new(body).by_serial(serial) }
+    x.compare!
+  end
+  Benchmark.memory do |x|
+    x.report("revoked.find") { OpenSSL::X509::CRL.new(body).revoked.find { |r| r.serial == serial } }
+    x.report("by_serial")    { OpenSSL::X509::CRL.new(body).by_serial(serial) }
+    x.compare!
+  end
+end

data/crl_bench.rb

@@ -0,0 +1,122 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+#
+# Benchmark: checking whether a single serial is revoked in a CRL.
+#   A) OpenSSL::X509::CRL#revoked.find { ... }   (only API available today)
+#   B) X509_CRL_get0_by_serial()                 (proposed, via Fiddle)
+#
+# Each approach runs in its own forked process so the reported peak RSS reflects
+# only that approach. Requires MRI on Linux (uses fork + /proc; falls back to
+# Process.getrusage on macOS/BSD).
+#
+#   ruby crl_bench.rb [CRL_URL]
+
+require "openssl"
+require "fiddle"
+require "benchmark"
+require "net/http"
+require "uri"
+require "tmpdir"
+
+CRL_URL = ARGV[0] || "http://c.cf-i.ssl.com/ae801ed1c55bb579d79208b0d772acfb8cc3a208.crl"
+
+# --- fetch the CRL (cached in /tmp so reruns are offline) ----------------------
+cache = File.join(Dir.tmpdir, "crl_bench_#{File.basename(URI(CRL_URL).path)}")
+body  = if File.exist?(cache)
+          File.binread(cache)
+        else
+          warn "downloading #{CRL_URL} ..."
+          data = Net::HTTP.get_response(URI(CRL_URL)).body
+          File.binwrite(cache, data)
+          data
+        end
+
+# --- libcrypto bindings (symbols are already in-process via require "openssl") -
+def sym(name)
+  Fiddle::Handle::DEFAULT[name]
+rescue Fiddle::DLError
+  @lib ||= %w[libcrypto.so libcrypto.so.3 libcrypto.dylib libcrypto.so.1.1]
+           .lazy.map { |n| begin; Fiddle.dlopen(n); rescue Fiddle::DLError; nil; end }.find(&:itself)
+  @lib[name]
+end
+
+P, L, I = Fiddle::TYPE_VOIDP, Fiddle::TYPE_LONG, Fiddle::TYPE_INT
+D2I_CRL = Fiddle::Function.new(sym("d2i_X509_CRL"),           [P, P, L], P)
+D2I_INT = Fiddle::Function.new(sym("d2i_ASN1_INTEGER"),       [P, P, L], P)
+GET0    = Fiddle::Function.new(sym("X509_CRL_get0_by_serial"),[P, P, P], I)
+
+# d2i_*(a, **pp, len) advances *pp; wrap a DER String into a C object pointer.
+def d2i(fn, der)
+  buf = Fiddle::Pointer[der]
+  obj = fn.call(nil, Fiddle::Pointer[[buf.to_i].pack("q")], der.bytesize)
+  raise "d2i failed" if obj.null?
+  obj
+end
+
+# Peak resident set size in MB (high-water mark for this process).
+def peak_mb
+  if File.exist?("/proc/self/status") # Linux
+    File.foreach("/proc/self/status") { |l| return l.split[1].to_f / 1024 if l.start_with?("VmHWM:") }
+  end
+  if Process.respond_to?(:getrusage) # macOS / BSD
+    m = Process.getrusage(:SELF).maxrss
+    return RUBY_PLATFORM.include?("darwin") ? m / 1024.0 / 1024 : m / 1024.0
+  end
+  0.0
+end
+
+# Run the block in a fresh process; peak RSS then reflects only that work.
+def isolate
+  rd, wr = IO.pipe
+  pid = fork { rd.close; wr.write(Marshal.dump(yield)); wr.close; exit! }
+  wr.close
+  out = rd.read; rd.close; Process.wait(pid)
+  Marshal.load(out)
+end
+
+# Approach A: the only thing the gem can do today.
+def bench_revoked(body, serial)
+  bn = OpenSSL::BN.new(serial)
+  crl = nil; tp = Benchmark.realtime { crl = OpenSSL::X509::CRL.new(body) }
+  hit = nil; entries = nil
+  tl = Benchmark.realtime { list = crl.revoked; entries = list.size; hit = list.find { |r| r.serial == bn } }
+  { entries: entries, parse_ms: tp * 1000, lookup_ms: tl * 1000, rss_mb: peak_mb, revoked: !hit.nil? }
+end
+
+# Approach B: X509_CRL_get0_by_serial (0 = not found, 1/2 = found).
+def bench_get0(body, serial)
+  crl = nil; tp = Benchmark.realtime { crl = d2i(D2I_CRL, body) }
+  rc = nil
+  tl = Benchmark.realtime do
+    asn1 = d2i(D2I_INT, OpenSSL::ASN1::Integer.new(serial).to_der)
+    rc = GET0.call(crl, Fiddle::NULL, asn1)
+  end
+  { parse_ms: tp * 1000, lookup_ms: tl * 1000, rss_mb: peak_mb, revoked: rc != 0 }
+end
+
+absent  = 0xDEAD_BEEF_CAFE_F00D                              # ~certainly not in the CRL
+present = isolate { OpenSSL::X509::CRL.new(body).revoked.first&.serial&.to_i } # a real revoked serial
+
+puts "CRL: #{CRL_URL}"
+puts "DER: #{body.bytesize} bytes (#{(body.bytesize / 1e6).round(1)} MB)"
+puts "Ruby #{RUBY_VERSION}, openssl gem #{OpenSSL::VERSION}, #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
+puts
+
+a = isolate { bench_revoked(body, absent) }
+b = isolate { bench_get0(body, absent) }
+
+puts "Lookup of an absent serial (#{a[:entries]} entries in the CRL):"
+printf "  %-26s parse %7.1f ms | lookup %8.1f ms | peak RSS %7.1f MB\n",
+       "A #revoked.find", a[:parse_ms], a[:lookup_ms], a[:rss_mb]
+printf "  %-26s parse %7.1f ms | lookup %8.1f ms | peak RSS %7.1f MB\n",
+       "B get0_by_serial", b[:parse_ms], b[:lookup_ms], b[:rss_mb]
+printf "  => %.1fx faster lookup, %.1fx less peak RSS\n",
+       a[:lookup_ms] / b[:lookup_ms], a[:rss_mb] / b[:rss_mb]
+puts
+
+# correctness: both must agree on an absent and a present serial
+ok_absent  = (a[:revoked] == false) && (b[:revoked] == false)
+ok_present = present && isolate { bench_revoked(body, present)[:revoked] } &&
+                        isolate { bench_get0(body, present)[:revoked] }
+puts "correctness: absent serial -> both 'not revoked' (#{ok_absent ? 'PASS' : 'FAIL'}); " \
+     "present serial -> both 'revoked' (#{ok_present ? 'PASS' : 'FAIL'})"

data/lib/ssl-test/crl.rb

@@ -12,35 +12,22 @@ module SSLTest
     # A note about caching:
     # I choose to only cache the raw HTTP body here (and not the parsed list or better a hash
     # indexed by certificat serial). This is not CPU efficient because it means every time we
-    # need to check a cert from a cached CRL we need to parse it again, instantiate the list
+    # need to check a cert from a cached CRL we need to read it again, optionally instantiate the list
     # of Revoked certs and then iterate to find it (there's no API to find one cert without
-    # generting the list unfortuantely).
+    # generting the list yet: https://github.com/ruby/openssl/pull/1065).
     # I did this because of memory efficiency, because for big 20MB CRL list (so taking 20MB
     # in memory cache), the parsed version takes more than 100M, the list of Revoked certs 120MB,
     # and building a hash with serial, time and reason takes even more.
     # So doing this would be MUCH faster in terms of CPU for subsequent tests on the same CRL
     # but would take a LOT of memory.
-    # Note: we now check CRL first for every cert in the chain (leaf included), so leaf
-    # CRLs are fetched and cached too. These can be large for busy CAs, which makes the
-    # memory tradeoff above (caching the raw body rather than the parsed list) even more relevant.
 
     private
 
     def test_crl_revocation cert, issuer:, chain:, **options
-      crl_distribution_points = cert.extensions.find do |extension|
-        extension.oid == "crlDistributionPoints"
-      end
-
-      return [false, "Missing crlDistributionPoints extension", nil] unless crl_distribution_points
-
-      # OpenSSL 2.2+ may simplify this: https://github.com/ruby/openssl/commit/ea702a106d3d8136c48f244593de95666be0edf9
-      crl = crl_distribution_points.value.split("\n").find do |description|
-        description.match?(/URI:/)
-      end
-
-      return [false, "Missing CRL URI in crlDistributionPoints extension", nil] unless crl
+      crl = cert.crl_uris&.first
+      return [false, "Missing crlDistributionPoints extension", nil] if crl.nil?
 
-      crl_uri = URI(crl[/URI:(.*)/, 1])
+      crl_uri = URI(crl)
       http_response, crl_request_error = follow_crl_redirects(crl_uri, **options)
       return [false, "Request failed (URI: #{crl_uri}): #{crl_request_error}", nil] unless http_response
 
@@ -53,10 +40,18 @@ module SSLTest
       serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
       return :crl_ok unless response.to_der.include?(serial_der)
 
-      # The serial's bytes appear (a real hit, or a rare collision):
-      # confirm authoritatively and pull the reason/date. The costly revoked-list
-      # materialisation only happens here, i.e. for actually-revoked certs.
-      revoked = response.revoked.find { |r| r.serial == cert.serial }
+      # The serial's bytes appear (a real hit, or a rare collision): confirm
+      # authoritatively and pull the reason/date. This only runs for the few
+      # certs that look revoked, so we can afford the lookup here.
+      revoked =
+        if response.respond_to?(:by_serial)
+          # O(log n) C-level lookup, no full-list materialisation. Only on recent
+          # openssl gems (https://github.com/ruby/openssl/pull/1065).
+          response.by_serial(cert.serial)
+        else
+          response.revoked.find { |r| r.serial == cert.serial }
+        end
+
       if revoked
         reason = revoked.extensions.find {|e| e.oid == "CRLReason"}&.value
         return [true, reason || "Unknown reason", revoked.time]

data/lib/ssl-test.rb

@@ -11,7 +11,7 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"2.0.1"
+  VERSION = -"2.1.2"
 
   # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
   # cache (e.g. Rails.cache).
@@ -117,10 +117,11 @@ module SSLTest
     # The order in which revocation check methods are tried for each certificate.
     # The first method to return a conclusive answer (ok or revoked) wins; the
     # next is only tried when the previous one errors out (missing endpoint,
-    # network error, etc.). Defaults to CRL first (since 1.6) to reduce the
-    # revocation propagation delay. Set to %i[ocsp crl] to check OCSP first.
+    # network error, etc.). Defaults to OCSP first, since CRLs can be large and
+    # checking them is significantly more memory- and CPU-intensive. Set to
+    # %i[crl ocsp] to check CRL first (e.g. to reduce revocation propagation delay).
     def revocation_order
-      @revocation_order ||= %i[crl ocsp]
+      @revocation_order ||= %i[ocsp crl]
     end
 
     def revocation_order= order

data/spec/memory_store_spec.rb

@@ -52,7 +52,7 @@ describe SSLTest::MemoryStore do
 end
 
 # #size as reported through the default store after real CRL/OCSP fetches.
-describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoints
+describe "SSLTest.cache.size", retry: 2 do # examples hit live CRL/OCSP endpoints
   before { SSLTest.cache.clear }
 
   it "returns 0 by default" do
@@ -70,7 +70,9 @@ describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoint
   end
 
   it "returns OCSP cache size properly" do
-    SSLTest.test("https://github.com")
+    # Google's leaf is checked via OCSP and its intermediate (no OCSP URI) via CRL,
+    # so this populates both the OCSP and CRL caches under the default OCSP-first order.
+    SSLTest.test("https://google.com")
     expect(SSLTest.cache.size[:ocsp][:responses]).to eq(1)
     expect(SSLTest.cache.size[:ocsp][:errors]).to eq(0)
     expect(SSLTest.cache.size[:ocsp][:bytes]).to be > 0

data/spec/ssl-test_spec.rb

@@ -12,9 +12,10 @@ RSpec.configure do |config|
   # The error/revocation examples below hit several public TLS test endpoints
   # (badssl.com, testserver.host, ssl.com) which intermittently reset connections
   # under load. They're spread across a few providers to avoid hammering a single
-  # one, and the network-hitting describe blocks are tagged `retry: 5` (via
+  # one, and the network-hitting describe blocks are tagged `retry: 2` (via
   # rspec-retry) so transient network blips don't fail the suite.
   config.verbose_retry = true
+  config.display_try_failure_messages = true
   config.default_sleep_interval = 1
 end
 
@@ -26,7 +27,7 @@ describe SSLTest do
 
   after(:each) { proxy_thread&.kill }
 
-  describe '.test_url', retry: 5 do # examples hit live TLS/CRL/OCSP endpoints
+  describe '.test_url', retry: 2 do # examples hit live TLS/CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       valid, error, cert = SSLTest.test("https://www.mycs.com")
       expect(error).to be_nil
@@ -66,7 +67,7 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on incomplete chain" do
+    it "returns error on incomplete chain", retry: 5 do
       valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
       expect(error).to eq ("error code 20: unable to get local issuer certificate")
       expect(valid).to eq(false)
@@ -81,8 +82,8 @@ describe SSLTest do
     end
 
     it "returns error on invalid host" do
-      valid, error, cert = SSLTest.test("https://wrong.host.badssl.com/")
-      expect(error).to include('error code 62: hostname mismatch')
+      valid, error, cert = SSLTest.test("https://db3.updn.io/")
+      expect(error).to eq('error code 62: hostname mismatch')
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
@@ -111,7 +112,7 @@ describe SSLTest do
     end
 
     it "reports revocation exceptions" do
-      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
       valid, error, cert = SSLTest.test("https://digicert.com")
       expect(error).to eq ("SSL certificate test failed: test")
       expect(valid).to be_nil
@@ -119,9 +120,9 @@ describe SSLTest do
     end
 
     it "returns error on revoked cert (OCSP)" do
-      # CRL is tried first; disable it so OCSP performs the revocation check
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # OCSP is tried first and detects the revocation, so CRL is never used
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://revoked-rsa-dv.ssl.com/")
       expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unspecified reason (revocation date: 2026-06-09 14:37:38 UTC)")
       expect(valid).to eq(false)
@@ -129,43 +130,45 @@ describe SSLTest do
     end
 
     it "returns error on revoked cert (CRL)" do
-      # CRL is tried first and detects the revocation, so OCSP is never used
+      # Disable OCSP (tried first) so the CRL performs the revocation check
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
-      # On a serial byte-match we fall back to #revoked to extract the reason/date
-      expect_any_instance_of(OpenSSL::X509::CRL).to receive(:revoked).and_call_original
-      valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
+      # On a serial byte-match we confirm via #by_serial (recent openssl) or, as a
+      # fallback, #revoked, to extract the reason/date.
+      confirm = OpenSSL::X509::CRL.method_defined?(:by_serial) ? :by_serial : :revoked
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(confirm).and_call_original
+      valid, error, cert = SSLTest.test("https://revoked.testserver.host/")
+      expect(error).to match(/SSL certificate revoked: Unknown reason \(revocation date:/)
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "stops following redirection after the limit for the revoked certs check" do
       valid, error, cert = SSLTest.test("https://github.com/", redirection_limit: 0)
-      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
-      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
       expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "warns when the OCSP URI is missing" do
-      # Disable CRL (tried first) to see the OCSP error message
-      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      # Disable CRL fallback to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       valid, error, cert = SSLTest.test("https://google.com")
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "works with CRL only" do
-      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      # Disable OCSP so the CRL performs the revocation check for both certs
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
       # Both certs are absent from their CRL, so the serial byte-search short-circuits
-      # and we never materialise the (potentially huge) revoked list.
+      # and we never reach a per-serial lookup (let alone materialise the revoked list).
       expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:revoked)
+      expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:by_serial) if OpenSSL::X509::CRL.method_defined?(:by_serial)
       valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
       expect(error).to be_nil
       expect(valid).to eq(true)
@@ -177,15 +180,15 @@ describe SSLTest do
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://github.com")
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://github.com")
+      valid, error, cert = SSLTest.test("https://google.com")
       expect(error).to be_nil
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -226,7 +229,7 @@ describe SSLTest do
           expect(valid).to eq(true)
           expect(cert).to be_a OpenSSL::X509::Certificate
 
-          expect($proxy).to have_received(:do_GET).twice
+          expect($proxy).to have_received(:do_GET).thrice
         end
       end
 
@@ -241,7 +244,7 @@ describe SSLTest do
     end
   end
 
-  describe '.follow_crl_redirects', retry: 5 do # fetches a live CRL
+  describe '.follow_crl_redirects', retry: 2 do # fetches a live CRL
     before { SSLTest.cache.clear }
     # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
     it "fetch CRL list and updates cache" do
@@ -272,7 +275,7 @@ describe SSLTest do
     end
   end
 
-  describe '.cache', retry: 5 do # some examples hit live CRL/OCSP endpoints
+  describe '.cache', retry: 2 do # some examples hit live CRL/OCSP endpoints
     # Restore the default in-process store after tests that swap the backend so
     # global state doesn't leak between examples.
     after { SSLTest.cache = SSLTest::MemoryStore.new }
@@ -299,7 +302,7 @@ describe SSLTest do
     end
   end
 
-  describe '.test_cert', retry: 5 do # revocation checks hit live CRL/OCSP endpoints
+  describe '.test_cert', retry: 2 do # revocation checks hit live CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_mycs_com_ca_bundle.pem')))
@@ -342,7 +345,7 @@ describe SSLTest do
     it "reports revocation exceptions" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/digicert_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/digicert_com_ca_bundle.pem')))
-      expect(SSLTest).to receive(:follow_crl_redirects).and_raise(ArgumentError.new("test"))
+      expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq("SSL certificate test failed: test")
       expect(valid).to be_nil
@@ -353,9 +356,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_rsa_dv_ca_bundle.pem')))
 
-      # CRL is tried first; disable it so OCSP performs the revocation check
-      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
+      # OCSP is tried first and detects the revocation, so CRL is never used
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
+      expect(SSLTest).not_to receive(:follow_crl_redirects)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2025-06-09 15:07:39 UTC)")
@@ -367,9 +370,12 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/revoked_badssl_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/revoked_badssl_ca_bundle.pem')))
 
-      # CRL is tried first and detects the revocation, so OCSP is never used
+      # Disable OCSP (tried first) so the CRL performs the revocation check
+      expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
+      # On a serial byte-match we confirm via #by_serial (recent openssl) or #revoked
+      confirm = OpenSSL::X509::CRL.method_defined?(:by_serial) ? :by_serial : :revoked
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(confirm).and_call_original
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)
@@ -381,8 +387,7 @@ describe SSLTest do
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle, redirection_limit: 0)
-      expect(error).to include("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension")
-      expect(error).to include("OCSP: Request failed")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
       expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
@@ -392,12 +397,12 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
 
-      # Disable CRL (tried first) to see the OCSP error message
-      expect(SSLTest).to receive(:test_crl_revocation).twice.and_return([false, "skip CRL", nil])
+      # Disable CRL fallback to see the OCSP error message
+      expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: skip CRL, OCSP: Missing OCSP URI in authorityInfoAccess extension")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
     end
@@ -406,9 +411,9 @@ describe SSLTest do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_demarches-simplifiees_fr_ca_bundle.pem')))
 
-      # CRL is tried first and succeeds for both certs, so OCSP is never used
+      # Disable OCSP so the CRL performs the revocation check for both certs
+      expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
-      expect(SSLTest).not_to receive(:test_ocsp_revocation)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to be_nil
@@ -425,18 +430,18 @@ describe SSLTest do
       expect(SSLTest).not_to receive(:follow_crl_redirects)
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
-      expect(error).to eq ("Revocation test couldn't be performed: CRL: Missing crlDistributionPoints extension, OCSP: skip OCSP")
+      expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to eq(cert)
 
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (GitHub)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
 
-      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_github_com_client.pem')))
-      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_github_com_ca_bundle.pem')))
+      cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/google_com_client.pem')))
+      ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/google_com_ca_bundle.pem')))
 
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to be_nil
@@ -475,8 +480,7 @@ describe SSLTest do
           expect(valid).to eq(true)
           expect(cert).to eq(cert)
 
-          # CRL is tried first, so both certs are checked via CRL (GET) through the proxy
-          expect($proxy).to have_received(:do_GET).twice
+          expect($proxy).to have_received(:do_GET).once
         end
       end
 
@@ -495,14 +499,14 @@ describe SSLTest do
   end
 
   describe '.revocation_order' do # no network: dispatch logic is stubbed
-    after { SSLTest.revocation_order = %i[crl ocsp] } # reset to the default
+    after { SSLTest.revocation_order = %i[ocsp crl] } # reset to the default
 
     let(:cert)   { OpenSSL::X509::Certificate.new }
     let(:issuer) { OpenSSL::X509::Certificate.new }
     let(:chain)  { [cert, issuer] }
 
-    it "defaults to CRL first" do
-      expect(SSLTest.revocation_order).to eq(%i[crl ocsp])
+    it "defaults to OCSP first" do
+      expect(SSLTest.revocation_order).to eq(%i[ocsp crl])
     end
 
     it "validates the value" do
@@ -510,23 +514,22 @@ describe SSLTest do
       expect { SSLTest.revocation_order = %i[ocsp bogus] }.to raise_error(ArgumentError)
     end
 
-    it "checks CRL first by default, falling back to OCSP on error" do
-      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
-      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
+    it "checks OCSP first by default, falling back to CRL on error" do
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
       result = SSLTest.send(:test_chain_revocation, chain)
       expect(result).to eq([false, nil, nil])
     end
 
-    it "checks OCSP first when configured, falling back to CRL on error" do
-      SSLTest.revocation_order = %i[ocsp crl]
-      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return([false, "OCSP boom", nil])
-      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return(:crl_ok)
+    it "checks CRL first when configured, falling back to OCSP on error" do
+      SSLTest.revocation_order = %i[crl ocsp]
+      expect(SSLTest).to receive(:test_crl_revocation).ordered.and_return([false, "CRL boom", nil])
+      expect(SSLTest).to receive(:test_ocsp_revocation).ordered.and_return(:ocsp_ok)
       result = SSLTest.send(:test_chain_revocation, chain)
       expect(result).to eq([false, nil, nil])
     end
 
     it "does not try the second method when the first one passes" do
-      SSLTest.revocation_order = %i[ocsp crl]
       expect(SSLTest).to receive(:test_ocsp_revocation).and_return(:ocsp_ok)
       expect(SSLTest).not_to receive(:test_crl_revocation)
       expect(SSLTest.send(:test_chain_revocation, chain)).to eq([false, nil, nil])

data/ssl-test.gemspec

@@ -12,6 +12,8 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/jarthod/ssl-test"
   spec.license       = "MIT"
 
+  spec.required_ruby_version = ">= 3.1"
+
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.1.2
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-19 00:00:00.000000000 Z
+date: 2026-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -134,6 +134,8 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- by_serial_bench.rb
+- crl_bench.rb
 - lib/ssl-test.rb
 - lib/ssl-test/crl.rb
 - lib/ssl-test/memory_store.rb
@@ -174,7 +176,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="