Bug 1382308: Create a test site with an SSL certificate that has been revoked via OneCRL
Status: RESOLVED DUPLICATE of bug 1300977
Opened 7 years ago, closed 7 years ago
Categories: Toolkit :: Blocklist Policy Requests, enhancement
People: Reporter: mwobensmith, Assigned: mwobensmith
We need a live example of a site with a revoked cert in OneCRL to test against, to ensure that the full stack is working. One step is to create a site purely for testing, using a certificate that we will block. This is similar to https://revoked.badssl.com, but we specifically want a cert that has not been revoked by other means. The next step would be to stage an entry in Kinto for this cert. Lastly, I would like to then test against this entry in TLS Canary to ensure, on every run, that we are testing with a working OneCRL mechanism. Filing this bug to track the progress of the above.
Comment 1 (Assignee) • 7 years ago
Looks like bug 1300977 already did this via OneCRL, so no point in doing again.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 2 • 7 years ago
Note that revoked.badssl.com is revoked via OCSP in addition to being included in OneCRL [1], so unless you turn off OCSP and the site doesn't staple, you have the possibility of a false negative. Note: The site does not staple OCSP at this time [2].
[1] https://crt.sh/?id=30883525
[2] https://observatory.mozilla.org/analyze.html?host=revoked.badssl.com#tls
Comment 3 (Assignee) • 7 years ago
Excellent catch, JC, thank you! For the test, I can disable OCSP. I can follow up with April to inquire about stapling and if this will ever happen to the test site in the future.