Create a test site with an SSL certificate that has been revoked via OneCRL

RESOLVED DUPLICATE of bug 1300977

Status

Toolkit
Blocklisting
7 months ago
5 months ago

People

(Reporter: mwobensmith, Assigned: mwobensmith)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

We need a live example of a site with a revoked cert in OneCRL to test against, to ensure that the full stack is working. 

One step is to create a site purely for testing, using a certificate that we will block. This is similar to https://revoked.badssl.com, but we specifically want a cert that has not been revoked by other means.

The next step would be to stage an entry in Kinto for this cert. 

Lastly, I would like to then test against this entry in TLS Canary to ensure, on every run, that we are testing with a working OneCRL mechanism.

Filing this bug to track the progress of the above.
(Assignee)

Comment 1

7 months ago
Looks like bug 1300977 already did this via OneCRL, so no point in doing again.
Status: ASSIGNED → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1300977

Comment 2

7 months ago
Note that revoked.badssl.com is revoked via OCSP in addition to being included in OneCRL [1], so unless you turn off OCSP and the site doesn't staple, you have the possibility of a false-negative.

Note: The site does not staple OCSP at this time [2].

[1] https://crt.sh/?id=30883525
[2] https://observatory.mozilla.org/analyze.html?host=revoked.badssl.com#tls
(Assignee)

Comment 3

7 months ago
Excellent catch, JC, thank you!

For the test, I can disable OCSP. I can follow up with April to inquire about stapling and if this will ever happen to the test site in the future.
(Assignee)

Updated

5 months ago
See Also: → bug 1403286
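
The isolation that Comment 2 and Comment 3 discuss, as an added example (not code from this bug or from TLS Canary): a pre-flight check that parses a test profile's `user.js` and reports whether a revocation error could still come from OCSP rather than OneCRL. The function names and sample profiles are constructed for illustration; the prefs are Firefox's `security.OCSP.enabled` and `security.ssl.enable_ocsp_stapling`, with defaults assumed to be 1 and true.

```python
import re

# Assumed Firefox defaults for the prefs that control OCSP-based revocation.
DEFAULTS = {
    "security.OCSP.enabled": 1,                 # 0 disables OCSP fetching
    "security.ssl.enable_ocsp_stapling": True,  # False ignores stapled responses
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_user_js(text):
    """Return {pref: value} for the active user_pref() lines of a user.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # blank lines, comments, commented-out prefs
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def ocsp_confounders(prefs):
    """List the ways a revocation error could come from OCSP instead of OneCRL."""
    effective = {**DEFAULTS, **prefs}
    reasons = []
    if effective["security.OCSP.enabled"] != 0:
        reasons.append("OCSP fetching is enabled")
    if effective["security.ssl.enable_ocsp_stapling"]:
        reasons.append("stapled OCSP responses are honoured")
    return reasons


# Constructed sample profiles (not taken from the bug).
DEFAULT_PROFILE = "// no revocation prefs set\n"
ISOLATED_PROFILE = """
user_pref("security.OCSP.enabled", 0);
user_pref("security.ssl.enable_ocsp_stapling", false);
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_PROFILE), ("isolated", ISOLATED_PROFILE)):
        print(label, ocsp_confounders(parse_user_js(text)) or "no OCSP confounders")
```

Turning off stapling as well as fetching keeps the check valid if the test site starts stapling later, which is the open question in Comment 3.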