ssl-test 2.1.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 48563a079839f759ca0f765c768fa7280af962036d2e1e9acd81aaa2dd8967fb
-  data.tar.gz: 2a51edf744b6116222f52ea1b72b502805f2a2c78beab94620b408a8c7b05d07
+  metadata.gz: 36325440b8b451a3a2820ab4c597ed765a9d7787ff613ea36aeea671892a9882
+  data.tar.gz: 794733e1186c7a03f9b04823a165637cf7c559554e84b478d7b3fb57fe2e9e0e
 SHA512:
-  metadata.gz: bd2cb2d7de4d133df831932a4d8a44974fc49dd592765fa7669f9d272c1e169d8ea90c728109824dafc89d20a11d83da135f9a7852466781bc58890dcc3a322a
-  data.tar.gz: b96a5c2515c952f25ebe823c88d5daf2e8bcc60024d76a7ea715fc854b199bb4e1e06f4d3f787490a6f9bfb987eaba3f4be5692a063a74b4f55fa605e3e8c7e4
+  metadata.gz: 682c775642e4dbae339d37afe3c059f2e34511c942d199eb09b3090a73f65840e09c0df904d2790893752cc7ad4db2f2c7cbdf68f17765cbee4015967d665282
+  data.tar.gz: 9bf3c4f4d6113d2884fd33041310a22cb5b6610aebb5e44b62a3cffa3396e56e6e7b6091dab907dcbf0fdec6d2ccdb00eac5f60a5018045ace13d334f0b1d581

data/README.md

@@ -200,6 +200,7 @@ But also **revoked certs** like most browsers (not handled by `curl`)
 
 ## Changelog
 
+* 2.1.2 - 2026-06-23: Add support for faster `CRL#by_serial` method I just added to OpenSSL (https://github.com/ruby/openssl/pull/1065)
 * 2.1.1 - 2026-06-21: Refactor CRL code to use newer OpenSSL `crl_uris` helper
 * 2.1.0 - 2026-06-20: Check revocation with OCSP first and fall back to CRL (was CRL first since 1.6) because CRLs can be large and checking them is significantly more memory- and CPU-intensive. Set `SSLTest.revocation_order = %i[crl ocsp]` to restore the previous order.
 * 2.0.1 - 2026-06-19: Speed up and shrink the memory use of CRL checks with a fast path that scans the raw CRL for the certificate's serial before parsing, avoiding instantiating the entire revocation list (>1M Ruby objects for busy CAs) when the cert isn't revoked. Send both `If-None-Match` and `If-Modified-Since` on CRL revalidation so CDN-backed CAs that don't honor their own ETag (e.g. DigiCert) still return a `304` instead of re-downloading the whole list.

data/lib/ssl-test/crl.rb

@@ -40,10 +40,18 @@ module SSLTest
       serial_der = OpenSSL::ASN1::Integer.new(cert.serial).to_der
       return :crl_ok unless response.to_der.include?(serial_der)
 
-      # The serial's bytes appear (a real hit, or a rare collision):
-      # confirm authoritatively and pull the reason/date. The costly revoked-list
-      # materialisation only happens here, i.e. for actually-revoked certs.
-      revoked = response.revoked.find { |r| r.serial == cert.serial }
+      # The serial's bytes appear (a real hit, or a rare collision): confirm
+      # authoritatively and pull the reason/date. This only runs for the few
+      # certs that look revoked, so we can afford the lookup here.
+      revoked =
+        if response.respond_to?(:by_serial)
+          # O(log n) C-level lookup, no full-list materialisation. Only on recent
+          # openssl gems (https://github.com/ruby/openssl/pull/1065).
+          response.by_serial(cert.serial)
+        else
+          response.revoked.find { |r| r.serial == cert.serial }
+        end
+
       if revoked
         reason = revoked.extensions.find {|e| e.oid == "CRLReason"}&.value
         return [true, reason || "Unknown reason", revoked.time]

data/lib/ssl-test.rb

@@ -11,7 +11,7 @@ module SSLTest
   extend OCSP
   extend CRL
 
-  VERSION = -"2.1.1"
+  VERSION = -"2.1.2"
 
   # Prefix for all cache keys so SSLTest entries coexist cleanly inside a shared
   # cache (e.g. Rails.cache).

data/spec/memory_store_spec.rb

@@ -52,7 +52,7 @@ describe SSLTest::MemoryStore do
 end
 
 # #size as reported through the default store after real CRL/OCSP fetches.
-describe "SSLTest.cache.size", retry: 5 do # examples hit live CRL/OCSP endpoints
+describe "SSLTest.cache.size", retry: 2 do # examples hit live CRL/OCSP endpoints
   before { SSLTest.cache.clear }
 
   it "returns 0 by default" do

data/spec/ssl-test_spec.rb

@@ -12,7 +12,7 @@ RSpec.configure do |config|
   # The error/revocation examples below hit several public TLS test endpoints
   # (badssl.com, testserver.host, ssl.com) which intermittently reset connections
   # under load. They're spread across a few providers to avoid hammering a single
-  # one, and the network-hitting describe blocks are tagged `retry: 5` (via
+  # one, and the network-hitting describe blocks are tagged `retry: 2` (via
   # rspec-retry) so transient network blips don't fail the suite.
   config.verbose_retry = true
   config.display_try_failure_messages = true
@@ -27,7 +27,7 @@ describe SSLTest do
 
   after(:each) { proxy_thread&.kill }
 
-  describe '.test_url', retry: 5 do # examples hit live TLS/CRL/OCSP endpoints
+  describe '.test_url', retry: 2 do # examples hit live TLS/CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       valid, error, cert = SSLTest.test("https://www.mycs.com")
       expect(error).to be_nil
@@ -67,7 +67,7 @@ describe SSLTest do
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "returns error on incomplete chain" do
+    it "returns error on incomplete chain", retry: 5 do
       valid, error, cert = SSLTest.test("https://incomplete-chain.badssl.com/")
       expect(error).to eq ("error code 20: unable to get local issuer certificate")
       expect(valid).to eq(false)
@@ -133,8 +133,10 @@ describe SSLTest do
       # Disable OCSP (tried first) so the CRL performs the revocation check
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      # On a serial byte-match we fall back to #revoked to extract the reason/date
-      expect_any_instance_of(OpenSSL::X509::CRL).to receive(:revoked).and_call_original
+      # On a serial byte-match we confirm via #by_serial (recent openssl) or, as a
+      # fallback, #revoked, to extract the reason/date.
+      confirm = OpenSSL::X509::CRL.method_defined?(:by_serial) ? :by_serial : :revoked
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(confirm).and_call_original
       valid, error, cert = SSLTest.test("https://revoked.testserver.host/")
       expect(error).to match(/SSL certificate revoked: Unknown reason \(revocation date:/)
       expect(valid).to eq(false)
@@ -164,8 +166,9 @@ describe SSLTest do
       expect(SSLTest).to receive(:test_ocsp_revocation).twice.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).twice.and_call_original
       # Both certs are absent from their CRL, so the serial byte-search short-circuits
-      # and we never materialise the (potentially huge) revoked list.
+      # and we never reach a per-serial lookup (let alone materialise the revoked list).
       expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:revoked)
+      expect_any_instance_of(OpenSSL::X509::CRL).not_to receive(:by_serial) if OpenSSL::X509::CRL.method_defined?(:by_serial)
       valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
       expect(error).to be_nil
       expect(valid).to eq(true)
@@ -226,7 +229,7 @@ describe SSLTest do
           expect(valid).to eq(true)
           expect(cert).to be_a OpenSSL::X509::Certificate
 
-          expect($proxy).to have_received(:do_GET).twice
+          expect($proxy).to have_received(:do_GET).thrice
         end
       end
 
@@ -241,7 +244,7 @@ describe SSLTest do
     end
   end
 
-  describe '.follow_crl_redirects', retry: 5 do # fetches a live CRL
+  describe '.follow_crl_redirects', retry: 2 do # fetches a live CRL
     before { SSLTest.cache.clear }
     # 19MB: http://crl3.digicert.com/ssca-sha2-g6.crl
     it "fetch CRL list and updates cache" do
@@ -272,7 +275,7 @@ describe SSLTest do
     end
   end
 
-  describe '.cache', retry: 5 do # some examples hit live CRL/OCSP endpoints
+  describe '.cache', retry: 2 do # some examples hit live CRL/OCSP endpoints
     # Restore the default in-process store after tests that swap the backend so
     # global state doesn't leak between examples.
     after { SSLTest.cache = SSLTest::MemoryStore.new }
@@ -299,7 +302,7 @@ describe SSLTest do
     end
   end
 
-  describe '.test_cert', retry: 5 do # revocation checks hit live CRL/OCSP endpoints
+  describe '.test_cert', retry: 2 do # revocation checks hit live CRL/OCSP endpoints
     it "returns no error on valid SNI website" do
       cert = OpenSSL::X509::Certificate.new(File.read(File.join(__dir__, 'fixtures/www_mycs_com_client.pem')))
       ca_bundle = OpenSSL::X509::Certificate.load(File.read(File.join(__dir__, 'fixtures/www_mycs_com_ca_bundle.pem')))
@@ -370,6 +373,9 @@ describe SSLTest do
       # Disable OCSP (tried first) so the CRL performs the revocation check
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
+      # On a serial byte-match we confirm via #by_serial (recent openssl) or #revoked
+      confirm = OpenSSL::X509::CRL.method_defined?(:by_serial) ? :by_serial : :revoked
+      expect_any_instance_of(OpenSSL::X509::CRL).to receive(confirm).and_call_original
       valid, error, cert = SSLTest.test_cert(cert, ca_bundle)
       expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2026-05-12 21:01:31 UTC)")
       expect(valid).to eq(false)

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: ssl-test
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.1.2
 platform: ruby
 authors:
 - Adrien Rey-Jarthon
 bindir: bin
 cert_chain: []
-date: 2026-06-21 00:00:00.000000000 Z
+date: 2026-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler