Open ItsNotTom opened 3 years ago
Thanks! You happen to have a host name?
Which version 3.0 or 3.1dev?
Hi, sorry, I completely missed all the useful information. This was tested on 3.1dev and an example hostname is developer.lloydsbanking.com
Yeah, thanks. That seems to be related to the case with LE, see #1682
That was revoked a week ago (https://crt.sh/?id=6006154&opt=ocsp).
The chain is fine (except the additional root certificate). How did you check the revoked status with openssl?
I followed the steps provided here: https://www.redpill-linpro.com/techblog/2017/01/11/understanding_ocsp.html
Ok, I understood just by a simple openssl s_client -status -connect ..
and I thought I missed something.
DigiCert recently expired some of their ICAs:
https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html
https://www.auscert.org.au/blog/2021-01-15-quovadis-issue-impacting-multiple-customers
Lots of sites are still providing the old ICA certificates in their chain, but when you run testssl against them it reports back that their status is fine. Manually checking what's being served using openssl or other services such as ssllabs shows that there are issues with the chain.
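
The manual check discussed in this thread, run against every certificate the server sends rather than only the leaf, as an added example (not code from the thread or from testssl.sh). Function names are hypothetical, and it assumes the chain is served in order, each certificate followed by its issuer.

```shell
#!/usr/bin/env bash
# Added example: OCSP status of every certificate in the chain a server sends.
# Function names are hypothetical; assumes the chain is served in order
# (each certificate followed by its issuer).

# Split PEM certificates on stdin into DIR/cert-1.pem, cert-2.pem, ... and
# print how many were written. Text between certificates is ignored.
split_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }'
}

# Reduce `openssl ocsp` output to good / revoked / unknown, or "error".
parse_ocsp_status() {
    awk -F': ' '/: (good|revoked|unknown)$/ && !s { s = $NF }
                END { print (s ? s : "error") }'
}

# Query the responder named in CERT's AIA extension; ISSUER signs CERT.
ocsp_status() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$uri" ] || { echo "no-ocsp-uri"; return 0; }
    openssl ocsp -issuer "$2" -cert "$1" -url "$uri" 2>&1 | parse_ocsp_status
}

check_served_chain() {
    host=$1; port=${2:-443}; dir=$(mktemp -d)
    n=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null | split_chain "$dir")
    i=1
    # The last certificate served has no issuer in the chain, so it is skipped.
    while [ "$i" -lt "$n" ]; do
        subject=$(openssl x509 -in "$dir/cert-$i.pem" -noout -subject)
        echo "[$i] $subject => $(ocsp_status "$dir/cert-$i.pem" "$dir/cert-$((i + 1)).pem")"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Usage: ./script.sh HOST [PORT]
if [ "$#" -gt 0 ]; then check_served_chain "$@"; fi
```

The parser keeps only the status line; openssl's own "Response verify" line says whether the responder's signature checked out and should be read separately.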