Are revoked certificates detected in Safari and Chrome?

We just visited the test URL https://revoked-isrgrootx1.letsencrypt.org using Safari, Chrome, Opera, and Firefox.

Much to our surprise - only Opera and Firefox showed the server’s certificate as revoked. Settings in Keychain Access are correct (“best effort” or “required if cert indicates”).

Thoughts?

Safari/macOS does not check CRLs and OCSP by default. To enable it:

Chrome disabled OCSP and CRL support several years ago:

It is not possible to re-enable it. However, Chrome uses the certificate machinery built into operating systems, so it will sometimes work regardless, e.g. on the Mac if you enable it in Keychain Access as the first link explains.

If you want a wider range of browsers to know if the certificate for your particular site is later revoked, you can use a mechanism called must-staple (and a newer mechanism called expect-staple) to indicate that it’s mandatory to include a recent OCSP response along with the certificate itself. These mechanisms should be used with caution because, if you apply them and then don’t set up the web server correctly, visitors can be locked out of visiting the site.

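The caution about must-staple above comes down to two checks an operator can script: does the certificate actually carry the TLS Feature extension (RFC 7633, the "must-staple" marker), and does the server really send a stapled OCSP response in the handshake? The following is an added example, not code from the thread or from Let's Encrypt; it assumes only the `openssl` command line (1.1.1 or newer), and the two self-signed certificates it generates are constructed purely for the offline demonstration (the function and host names are illustrative).

```shell
#!/bin/sh
# Added example (not from the forum thread): operator checks around OCSP must-staple.
# Assumes the openssl CLI, version 1.1.1 or newer (for -addext and -status).

# Does a PEM certificate carry the TLS Feature extension with status_request
# (RFC 7633 "must-staple")?  Prints "must-staple" or "no-must-staple" and
# returns 0 or 1 accordingly.
cert_requires_stapling() {
    cert="$1"
    if openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'TLS Feature' | grep -q 'status_request'; then
        echo must-staple
        return 0
    fi
    echo no-must-staple
    return 1
}

# Does a live server actually include a stapled OCSP response in the TLS
# handshake?  If a must-staple certificate is deployed without this, browsers
# that honour the extension will refuse the site.  Needs network access, so
# it is not exercised by the offline demo below.
server_staples_ocsp() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Offline demo material: two constructed self-signed certificates written to
# the given directory, "plain.pem" without the extension and "mustst.pem" with it.
make_demo_certs() {
    dir="$1"
    for name in plain mustst; do
        opts=""
        [ "$name" = mustst ] && opts="-addext tlsfeature=status_request"
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" -days 1 \
            -subj "/CN=demo.example" $opts >/dev/null 2>&1
    done
}

# Usage: generate the demo certificates and classify each of them.
if [ "${DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    make_demo_certs "$d"
    for f in plain mustst; do
        printf '%s: ' "$f"; cert_requires_stapling "$d/$f.pem"
    done
    rm -rf "$d"
fi
```

Run the offline demo with `DEMO=1 sh must-staple-check.sh`; `server_staples_ocsp example.com` is the check to run against your own host before you request a must-staple certificate, and again after every deployment, because a server that stops stapling (stale cache, misconfigured responder URL) turns the extension from a safety feature into an outage.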

That's the thing - this didn't work, preferences already set as advised there.

Is https://revoked.badssl.com/ rejected?

If so, it might be related to the fact that Let’s Encrypt only offers revocation status via OCSP.

EDIT: Firefox for Android rejects https://revoked.badssl.com/ but not https://revoked-isrgrootx1.letsencrypt.org/ so whatever is going on may not be Mac-specific. (And the isrg test site is reported as revoked by SSL Labs so it would appear to be configured properly.)

gets a bit better - Chrome correctly shows "Not Secure". However, Safari is still happy. Both browsers behave the same when I changed the preference of CRL/OCSP in Keychain Access.
