With Let's Encrypt having completely dropped support for OCSP recently [1], I wanted to ask if macOS has a means of keeping up to date with their CRLs and if so, roughly how often this occurs?
I first observed an issue where a revoked-certificate test site, "revoked.badssl.com" (cert signed by Let's Encrypt), was not getting blocked on any browser, when a revocation policy was set up using the SecPolicyCreateRevocation API, in tandem with the kSecRevocationUseAnyAvailableMethod and kSecRevocationPreferCRL flags.
After further investigation, I noticed that even on a fresh install of macOS, Safari does not block this test website, while Chrome and Firefox (usually) do, due to its revoked certificate. Chrome and Firefox both have their own means of dealing with CRLs, while I assume Safari uses the system Keychain and APIs.
I checked cert info for the site here [2]. It was issued on 2025-07-01 20:00 and revoked an hour later.
[1] https://letsencrypt.org/2024/12/05/ending-ocsp/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=revoked.badssl.com
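One way to reproduce the trust evaluation the question describes, as an added example in Swift (not code from the original post or from Apple): it fetches the server's chain from revoked.badssl.com through URLSession, replaces the default policies with an SSL policy plus the same revocation policy (any available method, preferring CRL), and reports whether the system trusts the chain. The comment about kSecRevocationRequirePositiveResponse is an addition for comparison, not part of the original setup.

```swift
import Foundation
import Security

// Probe that evaluates a host's certificate chain with an explicit revocation policy.
final class RevocationProbe: NSObject, URLSessionDelegate {
    let host: String
    private let done = DispatchSemaphore(value: 0)

    init(host: String) { self.host = host }

    func run() {
        let session = URLSession(configuration: .ephemeral, delegate: self, delegateQueue: nil)
        let task = session.dataTask(with: URL(string: "https://\(host)/")!) { _, _, _ in
            self.done.signal()   // the challenge below always cancels, so this fires with an error
        }
        task.resume()
        done.wait()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Same flags as in the question. Without kSecRevocationRequirePositiveResponse the check is
        // best-effort: if no CRL/OCSP data can be obtained, evaluation still succeeds (soft fail).
        let flags: CFOptionFlags = kSecRevocationUseAnyAvailableMethod | kSecRevocationPreferCRL
        guard let revocation = SecPolicyCreateRevocation(flags) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let ssl = SecPolicyCreateSSL(true, host as CFString)
        SecTrustSetPolicies(trust, [ssl, revocation] as CFArray)
        SecTrustSetNetworkFetchAllowed(trust, true)   // allow the system to fetch revocation data

        var error: CFError?
        let trusted = SecTrustEvaluateWithError(trust, &error)
        print("\(host): trusted=\(trusted) error=\(error.map { String(describing: $0) } ?? "none")")
        // This probe only reports; it never completes the TLS handshake.
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
}

RevocationProbe(host: "revoked.badssl.com").run()
```

Run it with `swift probe.swift` on macOS; a "trusted=true" result for this host shows the soft-fail behaviour the question is asking about.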
So, yeah, this is a complex issue that I’m not going to wade in to. Sorry.
My general advice in cases like this, where the system isn’t behaving the way you want it to behave, is to file a bug. That way the relevant folks here at Apple will be able to look at it properly.
Please post your bug number, just for the record.
ps We gave an interesting talk about this stuff a few years back, namely WWDC 2017 Session 701 Your Apps and Evolving Network Security Standards. Unfortunately the video is no longer available from Apple, but you might be able to use the link to find info about it elsewhere on the Internet.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"