revoked.badssl.com and pinning-test.badssl.com have trusted certificates #2

Open · knewbold17 opened this issue Jul 8, 2020 · 4 comments · Labels: enhancement (New feature or request)
@knewbold17 (Contributor):

The two mentioned sites don't cause any errors to be generated (neither in cryptonice nor in sslyze). Not sure what the issue here is, so I'm not sure how to catch them.

@warburtr0n (Contributor) commented Jul 9, 2020:

Yeah, this is a problem, as the root stores that SSLyze uses all report the cert is valid...

 Certificate #0 - Trust
   Hostname Validation:               OK - Certificate matches server hostname
   Android CA Store (9.0.0_r9):       OK - Certificate is trusted
   Apple CA Store (iOS 13, iPadOS 13, macOS 10.15, watchOS 6, and tvOS 13):OK - Certificate is trusted
   Java CA Store (jdk-13.0.2):        OK - Certificate is trusted
   Mozilla CA Store (2020-06-21):     OK - Certificate is trusted
   Windows CA Store (2020-05-04):     OK - Certificate is trusted
   Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate

...even the Mozilla one, despite the fact that if you try to visit the site in Firefox you will be blocked as the cert is revoked.

Revocation checks use one of 3 methods...

  1. Certificate revocation lists (CRLs)
  2. OCSP and OCSP-stapling
  3. In-browser checks

It could be that Firefox is using its built-in list of blocked certs and that SSLyze isn't performing any revocation checks at all. We may need to look at adding this functionality in a new module using the core OpenSSL libraries.

@warburtr0n warburtr0n added the enhancement (New feature or request) label Jul 14, 2020

@warburtr0n (Contributor):
Need to create function to check...

  • CRL
  • OCSP
  • Stapled OCSP response
