From 78cb75543fc6935222b59c8a15eaee9f5c40ab7d Mon Sep 17 00:00:00 2001
From: David Cooper
Date: Thu, 26 Apr 2018 10:23:52 -0400
Subject: [PATCH] Don't check expired certificates

In general, a CA only needs to keep the status information for a certificate until it expires. So, once a certificate has expired, the information provided about it in a CRL or OCSP response may no longer be reliable. The certificate may no longer be listed as revoked, even it is had been revoked at some point before it expired.

So, this PR changes certificate_info() to only check CRLs for revocation status if the certificate has not expired.
---
 testssl.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/testssl.sh b/testssl.sh
index e5fe255..cedfbfb 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -7445,8 +7445,10 @@ certificate_info() {
 else
 if [[ $(count_lines "$crl") -eq 1 ]]; then
 out "$crl"
- check_revocation_crl "$crl" "cert_CRLrevoked_${json_postfix}"
- ret=$((ret +$?))
+ if [[ "$expfinding" != "expired" ]]; then
+ check_revocation_crl "$crl" "cert_CRLrevoked_${json_postfix}"
+ ret=$((ret +$?))
+ fi
 outln
 else # more than one CRL
 first_crl=true
@@ -7457,8 +7459,10 @@ certificate_info() {
 out "$spaces"
 fi
 out "$line"
- check_revocation_crl "$line" "cert_CRLrevoked_${json_postfix}"
- ret=$((ret +$?))
+ if [[ "$expfinding" != "expired" ]]; then
+ check_revocation_crl "$line" "cert_CRLrevoked_${json_postfix}"
+ ret=$((ret +$?))
+ fi
 outln
 done <<< "$crl"
 fi
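Review bot: The new `if [[ "$expfinding" != "expired" ]]` guard leaves no trace in the output when the CRL check is skipped, so a certificate that is both expired and revoked is now reported only as expired; consider an `else` arm such as `out " (revocation not checked: certificate expired)"`, plus the matching JSON finding if one is expected, so a reader knows the status was deliberately not queried. The same applies to the second hunk (the multi-CRL `while … done <<< "$crl"` loop). `expfinding` is assigned outside both hunks; if it can be unset or carry a different spelling on some path, the string comparison silently falls through to the old behavior of checking, which is worth confirming. The two guards are identical, so moving the expiry test into check_revocation_crl itself would remove the duplication. certificate_info() starts and ends outside both hunks.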