internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Certification Revocation List (CRL) / Online Certification Status Protocol (OCSP) checks #59

Open halderen opened 8 years ago

halderen commented 8 years ago

Duplicate issue OCSP?

halderen commented 7 years ago

Decided by steeringcmte on 2017-01-19 to keep the issue in the icebox, as many browsers aren't using it anyway.

baknu commented 4 years ago
  1. https://mobile.twitter.com/ernstdemoor/status/1143846343355576320
  2. Mail dated Tue, 14 Jul 2020: "It seems https://internet.nl doesn’t check for revoked certificates.

[...]

Can I submit revocation checking as a feature request?

This seems a valuable addition to me as sometimes browsers don’t warn users that the server certificate has been revoked and site admins don’t seem to know that they have a problem."

bwbroersma commented 1 year ago

Result is that https://revoked-rsa-dv.ssl.com/ ¹ is passing with no TLS issues other than HSTS, while Firefox cannot visit the site because it's revoked. Such a sub test would be extra interesting since Chrome does not check for revocation, so if the admin only uses Chrome/Edge this issue won't be noticed. Some failing sub test would be a plus here.


¹ Sadly a lot of BadSSL certificates use expired root CAs, these are known issues in the project. Luckily SSL.com has some test certificates too: https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/
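A sketch of what a CRL-based revocation sub test would have to decide once the CRL has been fetched, as an added example that is not part of this thread or of Internet.nl's code. It assumes the third-party Python `cryptography` package; the CA, certificates and CRL are constructed in-process, and the function names and the "unknown" result for an unusable CRL are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC, DAY = dt.timezone.utc, dt.timedelta(days=1)
CA_CN = "Constructed Test CA"  # constructed name, not a real CA

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(ca_key, cn, serial, now):
    """Constructed leaf certificate signed by the constructed CA key."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(CA_CN))
            .public_key(leaf_key.public_key()).serial_number(serial)
            .not_valid_before(now - DAY).not_valid_after(now + 30 * DAY)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, revoked_serials, now):
    """Constructed CRL, valid for 7 days, listing the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(_name(CA_CN))
               .last_update(now - DAY).next_update(now + 7 * DAY))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(now - DAY).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def revocation_status(cert, crl, issuer_pub, now):
    """'revoked', 'good', or 'unknown' when the CRL itself cannot be trusted."""
    # next_update_utc exists in newer cryptography releases; fall back otherwise.
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)
    if crl.issuer != cert.issuer or not crl.is_signature_valid(issuer_pub) or now > nxt:
        return "unknown"  # wrong issuer, bad signature or stale CRL
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

def demo():
    now = dt.datetime(2024, 6, 1, tzinfo=UTC)  # fixed, constructed clock
    ca_key = ec.generate_private_key(ec.SECP256R1())
    crl = make_crl(ca_key, [0x1001], now)
    pub = ca_key.public_key()
    return {cn: revocation_status(issue(ca_key, cn, serial, now), crl, pub, now)
            for cn, serial in [("revoked.example", 0x1001), ("good.example", 0x1002)]}

if __name__ == "__main__":
    print(demo())
```

The "unknown" branch matters for a test suite: a CRL that is stale or not signed by the certificate's issuer says nothing about the certificate and should not be reported as a pass.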