Originally Posted by
mother-
No, sorry, no software would tell you a certificate is revoked when it's a different type of error. Saying it's invalid or expired is something else entirely.
Understanding TLS security and client behavior is part of what I do for a living.
BTW They must have taken the rogue tkpi.delta.com refs out of their site, because whatever is pretending to be that host is still no bueno:
Code:
Server Key and Certificate #1
Subject TKPI.DELTA.COM
Fingerprint SHA256: 22c29a7d4ec5aa401c71e7122a3c6ebeeba96c0f5b27ccc7bbff391711bd6c5c
Pin SHA256: Mo2e+JsVqY+mMb6p...l9e+QfFyd0JGN02thGFAirvs=
Common names TKPI.DELTA.COM
Alternative names TKPI.DELTA.COM
Valid from Thu, 11 May 2017 00:00:00 UTC
Valid until Sat, 12 May 2018 23:59:59 UTC (expires in 11 months and 26 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Symantec Class 3 Secure Server SHA256 SSL CA
AIA: http://sg.symcb.com/sg.crt
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information CRL, OCSP
CRL: http://sg.symcb.com/sg.crl
OCSP: http://sg.symcd.com
Revocation status Revoked INSECURE
DNS CAA No (more info)
Trusted No NOT TRUSTED (Why?)
I also understand TLS very well... The info you provided is very accurate; however, as mentioned in my previous post, Avast and other tools will often use the generic term even for a simple certificate mismatch.
Btw, do you really think Symantec would issue a rogue SSL certificate without doing the proper verification with the domain owner? Chances are a certificate was created for the CN TKPI.DELTA.COM by Delta and for some reason it was decided to revoke it later on.
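Added example, not part of either post: the report quoted above lists names, validity dates and revocation status as separate fields, and this Python code parses those lines and evaluates each condition independently, returning every failure class that applies. The function names, the failure labels and the evaluation times are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample: selected lines copied from the report quoted above.
REPORT = """\
Alternative names TKPI.DELTA.COM
Valid from Thu, 11 May 2017 00:00:00 UTC
Valid until Sat, 12 May 2018 23:59:59 UTC (expires in 11 months and 26 days)
Revocation information CRL, OCSP
Revocation status Revoked INSECURE
"""
LABELS = ("Alternative names", "Valid from", "Valid until", "Revocation status")

def parse_report(text):
    """Map each known label to the remainder of its line."""
    fields = {}
    for line in text.splitlines():
        for label in LABELS:
            if line.startswith(label + " "):
                fields[label] = line[len(label):].strip()
    return fields

def parse_time(value):
    # "Thu, 11 May 2017 00:00:00 UTC (...)" -> "11 May 2017 00:00:00"
    stamp = value.split(", ", 1)[1].split(" UTC")[0]
    return datetime.strptime(stamp, "%d %b %Y %H:%M:%S").replace(tzinfo=timezone.utc)

def name_matches(host, pattern):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().split(".")
    if len(h) != len(p):
        return False
    return h[1:] == p[1:] if p[0] == "*" else h == p

def check(fields, host, now):
    """Return every failure class that applies; no check masks another."""
    problems = []
    if not any(name_matches(host, n) for n in fields["Alternative names"].split()):
        problems.append("name_mismatch")
    if now < parse_time(fields["Valid from"]):
        problems.append("not_yet_valid")
    if now > parse_time(fields["Valid until"]):
        problems.append("expired")
    if fields["Revocation status"].split()[0].lower() == "revoked":
        problems.append("revoked")
    return problems

if __name__ == "__main__":
    when = datetime(2017, 5, 17, tzinfo=timezone.utc)  # assumed evaluation time
    print(check(parse_report(REPORT), "tkpi.delta.com", when))
```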