Closed Bug 1382308 Opened 7 years ago Closed 7 years ago

Create a test site with an SSL certificate that has been revoked via OneCRL

Categories

(Toolkit :: Blocklist Policy Requests, enhancement)

Type: enhancement
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 1300977

People

(Reporter: mwobensmith, Assigned: mwobensmith)


We need a live example of a site with a revoked cert in OneCRL to test against, to ensure that the full stack is working. 

One step is to create a site purely for testing, using a certificate that we will block. This is similar to https://revoked.badssl.com, but we specifically want a cert that has not been revoked by other means.

The next step would be to stage an entry in Kinto for this cert. 

Lastly, I would like to then test against this entry in TLS Canary to ensure, on every run, that we are testing with a working OneCRL mechanism.

Filing this bug to track the progress of the above.

Looks like bug 1300977 already did this via OneCRL, so no point in doing again.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE

Note that revoked.badssl.com is revoked via OCSP in addition to being included in OneCRL [1], so unless you turn off OCSP and the site doesn't staple, you have the possibility of a false-negative.

Note: The site does not staple OCSP at this time [2].

[1] https://crt.sh/?id=30883525
[2] https://observatory.mozilla.org/analyze.html?host=revoked.badssl.com#tls

Excellent catch, JC, thank you!

For the test, I can disable OCSP. I can follow up with April to inquire about stapling and if this will ever happen to the test site in the future.
See Also: → 1403286