drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

Fail to do revocation checking on hosts, other than on google.TLD (and similar) (#1046) #1057

Closed drwetter closed 6 years ago

drwetter commented 6 years ago

Those hosts also show a problem (hosts from Alexa Top-something):

prompt% grep 'Certificate Revocation List' * | grep -v "not revoked" | grep revoked                                                                                   
adidas.com: Certificate Revocation List  http://crl.entrust.net/level1k.crl, revoked
banggood.com: Certificate Revocation List  http://cdp1.digicert.com/ssca-sha2-g6.crl, revoked
biobiochile.cl: Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl, revoked
ca.gov: Certificate Revocation List  http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl, revoked
csdn.net: Certificate Revocation List  http://cdp1.digicert.com/ssca-sha2-g6.crl, revoked
expedia.com: Certificate Revocation List  http://crl.entrust.net/level1k.crl, revoked
hitcpm.com: Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl, revoked
mozilla.org: Certificate Revocation List  http://crl3.digicert.com/sha2-ev-server-g2.crl, revoked
nba.com: Certificate Revocation List  http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl, revoked
okta.com: Certificate Revocation List  http://crl3.digicert.com/sha2-ha-server-g5.crl, revoked
onlinesbi.com: Certificate Revocation List  http://sr.symcb.com/sr.crl, revoked
sourceforge.net: Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl, revoked
thefreedictionary.com: Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl, revoked
tianya.cn: Certificate Revocation List  http://crl.entrust.net/level1k.crl, revoked
tribunnews.com: Certificate Revocation List  http://gp.symcb.com/gp.crl, revoked
ups.com: Certificate Revocation List  http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl, revoked
zhanqi.tv:   Certificate Revocation List  http://ss.symcb.com/ss.crl, revoked
zhanqi.tv:   Certificate Revocation List  http://crl.entrust.net/level1k.crl, revoked
prompt% 

related tickets: #254, #1051

dcooper16 commented 6 years ago

I tried banggood.com and csdn.net, and they are just broken. The cRLDistributionPoints extensions in the certificates contain http://cdp1.digicert.com/ssca-sha2-g6.crl. If you use wget or curl to retrieve the CRL from that location, the CRL that you receive contains an issuingDistributionPoint extension with a value of http://crl3.digicert.com/ssca-sha2-g6.crl. The two URLs are not the same, so this CRL cannot be used to determine the status of the servers' certificates. That is why OpenSSL reports an error of "Different CRL scope."

There is nothing we can do about it, except perhaps report the error.
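
The scope check that produces OpenSSL's "Different CRL scope" error, as an added example (not testssl.sh code and not dcooper16's): RFC 5280 section 6.3.3 (b)(1) says that when a CRL carries an issuingDistributionPoint (IDP) extension, one of its distribution point names must match a name in the certificate's cRLDistributionPoints (CDP) extension, otherwise the CRL cannot be used for that certificate. The script below rebuilds that situation offline with a constructed throwaway CA, using the two URLs quoted in the comment above, and reports whether the CRL is in scope. It assumes the `cryptography` package is installed; `make_ca`, `make_cert`, `make_crl`, `crl_scope_matches` and `demo` are names chosen here.

```python
"""Reproduce the "Different CRL scope" check (RFC 5280 6.3.3 (b)(1)).

Added example, not part of testssl.sh. The CA, leaf certificate and CRL are
constructed in-code with throwaway keys so the check runs without network.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# URLs as reported in the issue; the issuing CA below is a constructed stand-in.
CDP_URL = "http://cdp1.digicert.com/ssca-sha2-g6.crl"   # in the certificate
IDP_URL = "http://crl3.digicert.com/ssca-sha2-g6.crl"   # in the fetched CRL


def make_ca():
    """Constructed test CA: a fresh RSA key and a minimal name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    return key, name


def make_cert(ca_key, ca_name, cdp_url):
    """Issue a leaf certificate whose CDP extension names cdp_url."""
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cdp = x509.CRLDistributionPoints([
        x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(cdp_url)],
            relative_name=None, reasons=None, crl_issuer=None,
        )
    ])
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(cdp, critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def make_crl(ca_key, ca_name, idp_url):
    """Build an empty CRL whose IDP extension names idp_url."""
    now = datetime.datetime.now(datetime.timezone.utc)
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(idp_url)],
        relative_name=None,
        only_contains_user_certs=False,
        only_contains_ca_certs=False,
        indirect_crl=False,
        only_contains_attribute_certs=False,
        only_some_reasons=None,
    )
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_name)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=7))
        .add_extension(idp, critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def _uris(names):
    """URI values out of a GeneralName list (other name types are ignored here)."""
    return {n.value for n in (names or []) if isinstance(n, x509.UniformResourceIdentifier)}


def crl_scope_matches(cert, crl):
    """True if the CRL may be used to decide the status of cert.

    A CRL without an IDP covers every certificate of its issuer. With an IDP
    that names a distribution point, at least one IDP name must equal one of
    the certificate's CDP names; a certificate without a CDP cannot satisfy
    that and is treated as out of scope, which is how OpenSSL behaves.
    """
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return False
    idp_uris = _uris(idp.full_name)
    return any(idp_uris & _uris(dp.full_name) for dp in cdp)


def demo():
    """Run the check for the broken (mismatched) and the sane (matching) case."""
    ca_key, ca_name = make_ca()
    cert = make_cert(ca_key, ca_name, CDP_URL)
    return {
        "mismatched_idp": crl_scope_matches(cert, make_crl(ca_key, ca_name, IDP_URL)),
        "matching_idp": crl_scope_matches(cert, make_crl(ca_key, ca_name, CDP_URL)),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'in scope' if ok else 'Different CRL scope'}")
```

The first case mirrors the CRL fetched from the cdp1 URL: its IDP names a different host, so no name is shared with the certificate's CDP and the CRL is rejected, exactly the situation the comment above describes. Only the CA that issued the CRL can fix it; a client should report the error rather than fall back to "not revoked".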

drwetter commented 6 years ago

Can close this now. According to my checks on the Alexa Top 1k we're fine now. There are a few (1%) which don't seem ok. A part of it is just a trust issue (certificate <--> hostname); other parts are more tricky and either broken OCSP/CRL endpoints or misconfiguration of supplied certificates on the server side.