Update tests (#9)

updown.io (let's encrypt) no longer returns a certificate with an authorityInfoAccess extension so it's falling back to CRL check. So we need to update our tests to use another domain: google.com is fine!

Author: mariovisic

spec/ssl-test_spec.rb

@@ -74,21 +74,23 @@
 
     it "returns undetermined state on unhandled error" do
       valid, error, cert = SSLTest.test("https://pijoinlrfgind.com")
-      expect(error).to eq ("SSL certificate test failed: Failed to open TCP connection to pijoinlrfgind.com:443 (getaddrinfo: Name or service not known)")
+      expect(error).to include("SSL certificate test failed: Failed to open TCP connection to pijoinlrfgind.com:443")
+      expect(error).to include(/name.*not known/i)
       expect(valid).to be_nil
       expect(cert).to be_nil
     end
 
     it "stops on timeouts" do
       valid, error, cert = SSLTest.test("https://updown.io", open_timeout: 0)
-      expect(error).to eq ("SSL certificate test failed: Failed to open TCP connection to updown.io:443 (Connection timed out - user specified timeout)")
+      expect(error).to include("SSL certificate test failed")
+      expect(error).to include(/timeout/i)
       expect(valid).to be_nil
       expect(cert).to be_nil
     end
 
     it "reports revocation exceptions" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).and_raise(ArgumentError.new("test"))
-      valid, error, cert = SSLTest.test("https://updown.io")
+      valid, error, cert = SSLTest.test("https://digicert.com")
       expect(error).to eq ("SSL certificate test failed: test")
       expect(valid).to be_nil
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -98,7 +100,7 @@
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).not_to receive(:follow_crl_redirects)
       valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: The certificate was revoked for an unknown reason (revocation date: 2021-10-27 21:38:48 UTC)")
+      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2025-11-04 21:01:29 UTC)")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
@@ -107,14 +109,15 @@
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
       valid, error, cert = SSLTest.test("https://revoked.badssl.com/")
-      expect(error).to eq ("SSL certificate revoked: Unknown reason (revocation date: 2021-10-27 21:38:48 UTC)")
+      expect(error).to eq ("SSL certificate revoked: Key Compromise (revocation date: 2025-11-04 21:01:29 UTC)")
       expect(valid).to eq(false)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
     it "stops following redirection after the limit for the revoked certs check" do
       valid, error, cert = SSLTest.test("https://github.com/", redirection_limit: 0)
-      expect(error).to eq ("Revocation test couldn't be performed: OCSP: Request failed (URI: http://ocsp.digicert.com): Too many redirections (> 0), CRL: Request failed (URI: http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl): Too many redirections (> 0)")
+      expect(error).to include("Revocation test couldn't be performed: OCSP: Request failed")
+      expect(error).to include("Too many redirections (> 0)")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
@@ -123,7 +126,7 @@
       # Disable CRL fallback to see error message
       expect(SSLTest).to receive(:test_crl_revocation).once.and_return([false, "skip CRL", nil])
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://www.demarches-simplifiees.fr")
+      valid, error, cert = SSLTest.test("https://google.com")
       expect(error).to eq ("Revocation test couldn't be performed: OCSP: Missing OCSP URI in authorityInfoAccess extension, CRL: skip CRL")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -143,26 +146,16 @@
       # Disable OCSP to see error message
       expect(SSLTest).to receive(:test_ocsp_revocation).once.and_return([false, "skip OCSP", nil])
       expect(SSLTest).not_to receive(:follow_crl_redirects)
-      valid, error, cert = SSLTest.test("https://meta.updown.io")
+      valid, error, cert = SSLTest.test("https://github.com")
       expect(error).to eq ("Revocation test couldn't be performed: OCSP: skip OCSP, CRL: Missing crlDistributionPoints extension")
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
     end
 
-    it "works with OCSP for first cert and CRL for intermediate (Let's Encrypt R3 intermediate)" do
-      expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
-      expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      valid, error, cert = SSLTest.test("https://meta.updown.io/")
-      expect(error).to be_nil
-      expect(valid).to eq(true)
-      expect(cert).to be_a OpenSSL::X509::Certificate
-    end
-
-    it "works with OCSP for first cert and CRL for intermediate (Certigna Services CA)" do
+    it "works with OCSP for first cert and CRL for intermediate (Google)" do
       expect(SSLTest).to receive(:follow_ocsp_redirects).once.and_call_original
       expect(SSLTest).to receive(:follow_crl_redirects).once.and_call_original
-      # Similar chain: https://www.demarches-simplifiees.fr
-      valid, error, cert = SSLTest.test("https://www.anonymisation.gov.pf")
+      valid, error, cert = SSLTest.test("https://google.com")
       expect(error).to be_nil
       expect(valid).to eq(true)
       expect(cert).to be_a OpenSSL::X509::Certificate
@@ -190,11 +183,11 @@
       SSLTest.send(:follow_crl_redirects, URI("http://crl.certigna.fr/certigna.crl")) # 1.1k
       SSLTest.send(:follow_crl_redirects, URI("http://crl3.digicert.com/DigiCertTLSHybridECCSHA3842020CA1-1.crl")) # 26k
       expect(SSLTest.cache_size[:crl][:lists]).to eq(2)
-      expect(SSLTest.cache_size[:crl][:bytes]).to be > 27_000
+      expect(SSLTest.cache_size[:crl][:bytes]).to be > 6000
     end
 
     it "returns OCSP cache size properly" do
-      SSLTest.test("https://updown.io")
+      SSLTest.test("https://google.com")
       expect(SSLTest.cache_size[:ocsp][:responses]).to eq(1)
       expect(SSLTest.cache_size[:ocsp][:errors]).to eq(0)
       expect(SSLTest.cache_size[:ocsp][:bytes]).to be > 150
@@ -209,7 +202,7 @@
     it "fetch CRL list and updates cache" do
       uri = URI("http://crl.certigna.fr/certigna.crl")
       body, error = SSLTest.send(:follow_crl_redirects, uri)
-      expect(body.bytesize).to equal 1152
+      expect(body.bytesize).to equal 1417
       expect(error).to be_nil
 
       # Check cache status