chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Add revoked-intermediate #278

Closed galaara98 closed 7 years ago

galaara98 commented 7 years ago

Would it be possible for you to add a "revoked" chain test: Server Cert (valid) -> Issuing CA (valid, EXCEPT "is REVOKED") -> Root CA (valid)?

Aaron

lgarron commented 7 years ago

Do you specifically want/mind whether it's something from a legacy root (#218), or something else?

It helps to know the specific use case, and if it's related to browsers or security UI, then that's a good signal of priority.

galaara98 commented 7 years ago

The specific roots were not part of MY use cases, but perhaps they are relevant (I do not know). I am tasked with testing revocation in these scenarios:

A trusted root issues an intermediate, which issues a server cert.

1) the server cert has crl and/or ocsp data, and is revoked...

2) the server cert has crl and ocsp data, but ocsp is unreachable, and is revoked

3) the server cert has crl and ocsp data, but both are unreachable, and is revoked (expect overall a fail closed result)

4) the server cert has no revocation urls, but is revoked (expect an overall failed-open result)

5) the server cert is not revoked, the intermediate cert has crl and/or ocsp data, and is revoked

6) the server cert is not revoked, the intermediate cert has crl and ocsp data, but ocsp is unreachable, and is revoked

7) the server cert is not revoked, the intermediate cert has crl and ocsp data, but both are unreachable, and is revoked (expect overall a fail closed result)

8) the server cert is not revoked, the intermediate cert has no revocation urls, but is revoked (expect an overall failed-open result)

9) the root cert is NOT in the keystore, the intermediate is in the keystore and is trustedcacert. The server cert is not revoked, the intermediate cert is not revoked (I am not sure of the expected result here, according to the RFC, OpenSSL, Schannel)

10) the root cert is NOT in the keystore, the intermediate is in the keystore and is trustedcacert. The server cert is not revoked, the intermediate cert is revoked.

Not all tests are equally valuable, but all are of interest. 10) was the original use case asked for by a firewall admin.
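As an added illustration (not badssl.com code, and not part of the original thread) of why the list above separates fail-closed from fail-open outcomes, the constructed Python model below scores a leaf-to-anchor chain under a hard-fail and a soft-fail revocation policy. It assumes, as one possible reading of 9) and 10) rather than an answer to them, that the trust anchor itself is taken as given and not revocation-checked; the scenario data is constructed from the list, not from real certificates.

```python
from dataclasses import dataclass

@dataclass
class Cert:
    name: str
    revoked: bool = False     # the issuing CA has actually revoked it
    crl_url: bool = False     # carries a CRL distribution point
    ocsp_url: bool = False    # carries an OCSP responder URL
    crl_up: bool = True       # the CRL server is reachable
    ocsp_up: bool = True      # the OCSP responder is reachable

def revocation_status(cert: Cert) -> str:
    """'good', 'revoked', 'unknown' (pointers present but none reachable)
    or 'unchecked' (the cert carries no revocation pointers at all)."""
    sources = [(cert.ocsp_url, cert.ocsp_up), (cert.crl_url, cert.crl_up)]
    if not any(has for has, _ in sources):
        return "unchecked"
    if not any(has and up for has, up in sources):
        return "unknown"
    return "revoked" if cert.revoked else "good"

def verify_chain(chain: list, hard_fail: bool) -> str:
    """chain is leaf first and ends with the trust anchor. Assumption of
    this model: the anchor is taken as given and is not revocation-checked;
    every certificate below it is."""
    for cert in chain[:-1]:
        status = revocation_status(cert)
        if status == "revoked":
            return f"reject: {cert.name} is revoked"
        if status == "unknown" and hard_fail:
            return f"reject: {cert.name} status unknown, failing closed"
    return "accept"   # 'unchecked', and soft-failed 'unknown', fall open

# Constructed stand-ins for scenarios 1, 3, 4, 5, 7, 8 and 10 from the issue.
ROOT = Cert("root")
GOOD_ICA = Cert("ica", crl_url=True, ocsp_url=True)
GOOD_LEAF = Cert("leaf", crl_url=True, ocsp_url=True)
SCENARIOS = {
    1: [Cert("leaf", revoked=True, crl_url=True, ocsp_url=True), GOOD_ICA, ROOT],
    3: [Cert("leaf", True, True, True, crl_up=False, ocsp_up=False), GOOD_ICA, ROOT],
    4: [Cert("leaf", revoked=True), GOOD_ICA, ROOT],
    5: [GOOD_LEAF, Cert("ica", revoked=True, crl_url=True, ocsp_url=True), ROOT],
    7: [GOOD_LEAF, Cert("ica", True, True, True, crl_up=False, ocsp_up=False), ROOT],
    8: [GOOD_LEAF, Cert("ica", revoked=True), ROOT],
    10: [GOOD_LEAF, Cert("ica", revoked=True, crl_url=True, ocsp_url=True)],  # ica is the anchor
}

def run(n: int, hard_fail: bool = True) -> str:
    return verify_chain(SCENARIOS[n], hard_fail)
```

Scenario 10 is accepted only because this model never checks the anchor; a client that also consults revocation data for certificates it trusts directly would reject it.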

lgarron commented 7 years ago

That's... a lot of ideas. :-P

I don't have time to pursue any of them, but I'm happy to look at PRs or talk to CAs if they have any appropriate intermediates.

How would you check for revocation in #10?

april commented 7 years ago

I believe this is a duplicate of #136.