Use CRL by default instead of OCSP on android #179

Open
wants to merge 1 commit into
base: main

Conversation

stormshield-gt
Contributor

Hi, I have a certificate signed by Let's Encrypt, which only has a CRL extension but not an OCSP one, as per Let's Encrypt's new policy.

In the rustls-platform-verifier documentation for Android, from my understanding, it says that if there is no stapled OCSP response, an OCSP extension or a CRL extension must be present.

But I get the following error:

WARN rustls_platform_verifier::verification::android: certificate was revoked: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder    
ERROR rustls_platform_verifier::verification::android: failed to verify TLS certificate: invalid peer certificate: Revoked 

I use the latest version of the crate, 0.6.0.

This MR proposes to enable CRL by default on Android.

@ctz
Member

ctz commented Jun 2, 2025

I guess my question on this is: reading the documentation it seems quite clear that CRLs are the fallback from OCSP, but the observed behaviour contradicts that. The described behaviour seems acceptable, so can we work out a way to have that behaviour rather than whatever is happening here?

If the "fallback" thing doesn't actually work as described, maybe we can try two verifications with NO_FALLBACK and do the fallback ourselves?
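
The three revocation-checking configurations discussed in this thread, as an added example that is not part of this PR or of rustls-platform-verifier: a stand-alone Java program against the standard java.security.cert.PKIXRevocationChecker API (JDK 8+, Android API level 24+), running the default mode (OCSP first, CRL as fallback), PREFER_CRLS (what the PR turns on), and the "do the fallback ourselves" idea built from two NO_FALLBACK passes. The class name RevocationCheck, the command-line layout (a PEM file, leaf first, root omitted) and the use of the JVM's default trust store as a stand-in for the Android system store are assumptions. The mapping of "no responder URL / no CRL distribution point" to BasicReason.UNDETERMINED_REVOCATION_STATUS is OpenJDK's; it is assumed, not verified, for Android's PKIX provider, and the two-pass code depends on it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.*;
import javax.net.ssl.*;

// Added example, not rustls-platform-verifier code. Exercises the JDK/Android
// PKIXRevocationChecker options behind the error reported in this PR.
// Usage (assumed layout: PEM chain, leaf first, root omitted):
//   java RevocationCheck chain.pem
// OCSP responses and CRLs are fetched over the network from the URLs in the
// certificates themselves, so this needs connectivity to give a verdict.
public class RevocationCheck {

    /** Validate the chain with the given revocation options.
     *  Returns null on success, otherwise the exception describing the failure. */
    static CertPathValidatorException validate(List<X509Certificate> chain,
                                               Set<TrustAnchor> anchors,
                                               Set<Option> options) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        checker.setOptions(options);

        PKIXParameters params = new PKIXParameters(anchors);
        // An explicitly added PKIXRevocationChecker is authoritative: the
        // RevocationEnabled flag on the parameters is ignored once it is present.
        params.addCertPathChecker(checker);

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            cpv.validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e;
        }
    }

    /** Manual fallback: one NO_FALLBACK pass per mechanism, stopping at the first
     *  definite answer. On OpenJDK a pass that cannot reach a verdict (no responder
     *  URL, no CRL distribution point, fetch failure) carries
     *  UNDETERMINED_REVOCATION_STATUS; assumed, not verified, for Android. */
    static String checkWithManualFallback(List<X509Certificate> chain,
                                          Set<TrustAnchor> anchors) throws Exception {
        List<Set<Option>> passes = List.of(
                EnumSet.of(Option.NO_FALLBACK),                      // OCSP only
                EnumSet.of(Option.NO_FALLBACK, Option.PREFER_CRLS)); // CRL only
        for (Set<Option> options : passes) {
            CertPathValidatorException e = validate(chain, anchors, options);
            if (e == null) {
                return "valid via " + options;
            }
            if (e.getReason() != BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // REVOKED, or a non-revocation failure such as expiry or a bad
                // signature: never mask these by trying the other mechanism.
                return "rejected: " + e.getReason() + ": " + e.getMessage();
            }
        }
        // Neither mechanism could decide; hard-fail unless soft-fail was chosen deliberately.
        return "rejected: revocation status undetermined by both OCSP and CRL";
    }

    static String describe(CertPathValidatorException e) {
        return e == null ? "valid" : e.getReason() + ": " + e.getMessage();
    }

    /** Platform default trust anchors (the JVM's cacerts here, assumed as a
     *  stand-in for the Android system trust store). */
    static Set<TrustAnchor> platformAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(root, null));
                }
            }
        }
        return anchors;
    }

    static List<X509Certificate> loadPem(String file) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadPem(args[0]);
        Set<TrustAnchor> anchors = platformAnchors();
        System.out.println("default (OCSP, then CRL):  "
                + describe(validate(chain, anchors, EnumSet.noneOf(Option.class))));
        System.out.println("PREFER_CRLS (PR default):  "
                + describe(validate(chain, anchors, EnumSet.of(Option.PREFER_CRLS))));
        System.out.println("manual two-pass fallback:  " + checkWithManualFallback(chain, anchors));
    }
}
```

Running the program against a chain that carries only a CRL distribution point lets you compare what the default mode and PREFER_CRLS actually report on the provider you care about, rather than relying on the documented fallback. The two-pass variant is deliberately conservative: a REVOKED verdict or any non-revocation failure from the first pass is returned as-is, and only an undetermined status moves on to the CRL pass. If CRL distribution points are not consulted in your JDK configuration, -Dcom.sun.security.enableCRLDP=true turns them on.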

@iliabylich

I have exactly the same issue with my server that uses a certificate from Let's Encrypt (the certificate is returned by the server but then it gets immediately rejected with the error Certificate does not specify OCSP responder, which is true; openssl returns OCSP response: no response sent).

The patch fixes it for me. Thanks @stormshield-gt!
