For some reason I'm having issues with getting nginx to accept my CRL. The CRL is valid (confirmed by OpenSSL) and can be used to verify if certificates have been revoked or not. However I keep getting: "client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers" when attempting to use ssl_crl and the respective file.

The config is:
ssl on;
ssl_certificate ssl/ca/theallseeingeye.mcblock.it.crt;
ssl_certificate_key ssl/ca/theallseeingeye.mcblock.it.key;
ssl_client_certificate ssl/ca/med.bundle.crt;
ssl_crl ssl/ca.crl;
ssl_verify_depth 3;
ssl_verify_client on;

The CRL is:
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=GB/ST=Buckinghamshire/L=Aylesbury/O=MCBlockIt/OU=SSL CA/CN=theallseeingeye.mcblock.it/emailAddress=kite@mcblock.it
Last Update: May 27 14:15:11 2012 GMT
Next Update: May 27 14:15:11 2013 GMT
CRL extensions:
X509v3 CRL Number:
4
Revoked Certificates:
Serial Number: 3838727809
Revocation Date: May 27 13:29:46 2012 GMT
Signature Algorithm: sha1WithRSAEncryption
11:34:8f:14:26:1c:67:01:2c:9e:6f:a1:3d:c1:9a:c9:a6:37:
08:65:7e:36:e3:67:ba:cd:27:be:fd:1b:e9:10:a5:d4:67:f5:
eb:83:ba:9e:50:4d:42:be:4f:84:fd:7c:ec:85:21:05:13:1b:
9f:d0:42:06:e8:a6:1e:a6:a8:e0:40:dd:60:f8:20:6a:09:80:
38:4e:e3:47:55:b7:a8:0b:c4:db:8b:24:64:8c:a3:73:f6:a3:
a9:c1:14:31:9b:17:83:f0:09:67:19:4d:37:57:78:ae:e2:84:
5d:0b:0f:60:f4:4e:eb:9f:78:36:e6:91:aa:90:3c:a6:f1:a9:
b7:77:c2:25:be:9b:1a:70:4f:6f:0f:ab:ce:7b:31:1e:fd:55:
d6:29:29:c1:36:28:a6:a7:c3:f6:19:34:69:c5:ee:4a:a2:68:
f1:84:3e:b2:e8:06:bb:75:ed:f5:ed:3c:14:aa:7b:41:9a:a4:
f7:f7:54:cf:1b:8f:8f:96:b2:e2:68:8e:4c:25:e3:aa:8f:8c:
6a:c2:1a:d0:84:12:08:41:b6:32:5c:31:fb:e9:0f:41:4d:6a:
ac:74:b2:99:ee:d1:92:a6:8b:5c:8a:3a:03:33:2e:be:e0:fb:
da:d7:d4:c1:76:9b:d4:ed:ee:47:17:a3:87:87:43:d1:e3:7b:
49:8c:7a:31:09:e1:70:87:22:8b:bc:e2:2b:9e:c8:3a:d9:87:
ae:04:52:47:46:47:63:78:cb:4a:3b:e6:81:f4:14:1b:cd:30:
0c:7f:18:5b:43:26:9c:41:1f:8b:2f:8e:25:ff:be:35:5d:de:
13:e0:90:f5:f5:c8:6c:44:ee:73:02:dc:f1:ef:5a:d3:77:d7:
e2:7b:f4:81:1f:37:b0:83:2d:e9:7b:c9:69:5f:60:71:ff:ae:
47:28:a4:60:55:84:cd:d3:ee:c0:05:97:49:d5:2c:15:93:30:
58:b0:93:41:6c:d2:5f:da:2e:b0:e3:21:53:9f:47:7d:29:16:
0d:d9:72:a5:94:d3:70:dc:46:1b:b6:c1:14:47:d2:bb:ce:f7:
14:6e:3b:e2:aa:32:07:5a:16:85:89:8c:21:8b:30:17:e7:ea:
46:e5:47:a1:de:fd:89:30:d5:d1:23:85:76:79:89:69:14:5c:
f9:e6:fe:c7:03:b5:9f:1c:5c:e3:5a:f8:e5:c4:9d:e5:a6:cf:
a0:45:39:76:b7:ca:6d:fd:66:a2:3a:b1:04:3a:a2:7c:57:74:
7f:41:1d:7f:31:06:10:86:06:8b:48:bb:b0:0a:ba:2a:f1:fc:
77:5c:1f:e0:a7:07:50:ae:c2:4d:4e:69:06:fd:cd:33:04:f5:
74:c9:2b:ea:ea:63:9a:de
-----BEGIN X509 CRL-----
MIIDGjCCAQICAQEwDQYJKoZIhvcNAQEFBQAwgaUxCzAJBgNVBAYTAkdCMRgwFgYD
VQQIEw9CdWNraW5naGFtc2hpcmUxEjAQBgNVBAcTCUF5bGVzYnVyeTESMBAGA1UE
ChMJTUNCbG9ja0l0MQ8wDQYDVQQLEwZTU0wgQ0ExIzAhBgNVBAMTGnRoZWFsbHNl
ZWluZ2V5ZS5tY2Jsb2NrLml0MR4wHAYJKoZIhvcNAQkBFg9raXRlQG1jYmxvY2su
aXQXDTEyMDUyNzE0MTUxMVoXDTEzMDUyNzE0MTUxMVowGDAWAgU4OHJ4CRcNMTIw
NTI3MTMyOTQ2WqAOMAwwCgYDVR0UBAMCAQQwDQYJKoZIhvcNAQEFBQADggIBABE0
jxQmHGcBLJ5voT3BmsmmNwhlfjbjZ7rNJ779G+kQpdRn9euDup5QTUK+T4T9fOyF
IQUTG5/QQgboph6mqOBA3WD4IGoJgDhO40dVt6gLxNuLJGSMo3P2o6nBFDGbF4Pw
CWcZTTdXeK7ihF0LD2D0TuufeDbmkaqQPKbxqbd3wiW+mxpwT28Pq857MR79VdYp
KcE2KKanw/YZNGnF7kqiaPGEPrLoBrt17fXtPBSqe0GapPf3VM8bj4+WsuJojkwl
46qPjGrCGtCEEghBtjJcMfvpD0FNaqx0spnu0ZKmi1yKOgMzLr7g+9rX1MF2m9Tt
7kcXo4eHQ9Hje0mMejEJ4XCHIou84iueyDrZh64EUkdGR2N4y0o75oH0FBvNMAx/
GFtDJpxBH4svjiX/vjVd3hPgkPX1yGxE7nMC3PHvWtN31+J79IEfN7CDLel7yWlf
YHH/rkcopGBVhM3T7sAFl0nVLBWTMFiwk0Fs0l/aLrDjIVOfR30pFg3ZcqWU03Dc
Rhu2wRRH0rvO9xRuO+KqMgdaFoWJjCGLMBfn6kblR6He/Ykw1dEjhXZ5iWkUXPnm
/scDtZ8cXONa+OXEneWmz6BFOXa3ym39ZqI6sQQ6onxXdH9BHX8xBhCGBotIu7AK
uirx/HdcH+CnB1Cuwk1OaQb9zTME9XTJK+rqY5re
-----END X509 CRL-----