With stunnel 4.26 (or ealier), in order to verify revocation of clients' certificates, I use this configuration file :
-------------------8<------------------
CAfile=/etc/ssl/stunnel/ca_certs.pem
CRLfile=/etc/ssl/stunnel/crl.pem
cert=/etc/ssl/stunnel/server.pem
key=/etc/ssl/stunnel/server.key
sslVersion=TLSv1
verify=2

[WEB]
accept=8080
connect=127.0.0.1:3128
------------------->8------------------

1/ If there is no CRLfile when stunnel starts, stunnel dies and logs show "Failed to load /etc/ssl/stunnel/crl.pem revocation lookup file"
-> ok.

2/ If the CRLfile is correct, stunnel starts. When the CRL expires, stunnel rejects any new connection.
Logs then show : " Found CRL is expired - revoking all certificates until you get updated CRL"
-> ok

3/ If the CRLfile is not a valid CRL, stunnel starts and ignores the CRLfile.
Then, for any new connection, logs show "CRL: verification passed".
-> NOT ok, IMO.
examples of wrong CRLs : a CRL issued by an unknown CA or a certificate in the PEM format.
This can happen when the CRL expires (soon) and the administrator puts a "new one" but misfits files. He then restarts stunnel, which works.
This behaviour can be annoying because the logs of CRL are now in level 6 (INFO) and not any more in level 5 (NOTICE). My configuration was in debug=5 and  logs showed only "CRL: verification passed", I could not  determine what CRL was really used.

I propose the attached patch to modify behaviour in case 3/,  ie if no CRL corresponding to the issuer of each certificate of the chain is found :
- reject connection if CRLdir or CRLfile was specified in the config file
- accept connection but warn in logs if the use of CRL was not explicitly set in the config file.

NB : the source code of function "crl_check" shows "/* based on BSD-style licensed code of mod_ssl */".
I looked into the code of "mod_ssl-2.8.31-1.3.41" (file pkg.sslmod/ssl_engine_kernel.c, line 1601-1769) and there is actually the same behaviour.

--
Christophe Nanteuil