Feature Idea: Is there a way to monitor revoked certificates in synthetics API test?

evgeny.astafev · April 15, 2020, 7:17am

request module doesn’t fail when connected to a host with revoked certificate. Example of such host: revoked.badssl.com

Similar functionality can be provided by pair of ocsp/https modules, but they are not supported by default…

New Relic edit

I want this, too
I have more info to share (reply below)
I have a solution for this

0 voters

We take feature ideas seriously and our product managers review every one when plotting their roadmaps. However, there is no guarantee this feature will be implemented. This post ensures the idea is put on the table and discussed though. So please vote and share your extra details with our team.

philweber · October 20, 2017, 12:45pm

Hi, @evgeny.astafev: Does this solution do what you’re looking for?

evgeny.astafev · October 20, 2017, 2:14pm

Hi, no, it’s different, this is check for expiration date. I’m talking about revocation of a certificate, it’s a situation when a certificate was compromised before expiration date.

evgeny.astafev · October 24, 2017, 5:01pm

Solved the problem by copying and partial refactoring of content of the ocsp, asn1 and few more libraries. The script became almost 7k lines length. Probably there’s no sense to share it here, NR synthetics is not the best system to do this check…

btribbia · October 26, 2017, 9:09pm

Hi @evgeny.astafev Though not ideal, I’m glad to hear you found a workaround. I think having the ability to check for revoked certificates is a great feature idea so @Linds is going to jump in here to get a community poll started on that.

paolo.dellarocca1 · February 24, 2020, 7:17pm

Any update on this? I would like to know if monitoring revoked certs is something supported

RyanVeitch · February 27, 2020, 9:37am

Hey @paolo.dellarocca1 - we do have the Verify SSL option in Ping and Simple Browser - which will verify the validity of the SSL certs - if your certs are revoked, presumably they will be invalidated, thus the monitors will fail.
https://docs.newrelic.com/docs/synthetics/new-relic-synthetics/using-monitors/add-edit-monitors#simple

paolo.dellarocca1 · April 15, 2020, 12:15am

No.
As mentioned before by someone else in this thread, revoke is a different beast.
We experienced a success from New Relic and some old browsers but blocked site if users are using Chrome as not all browsers are checking if the cert is still valid (not expired) but revoked by CA.

You can see here how the revocation should be checked using openssl

https://www.namecheap.com/support/knowledgebase/article.aspx/9968/38/how-to-check-the-certificate-revocation-status

RyanVeitch · April 15, 2020, 9:55am

Oh I see, sorry @paolo.dellarocca1 - In that case, no, I don’t think there has been any changes to how we are checking SSL certs. I’ll get your +1 and feedback added internally