If any of the concatenated CRLs in the file provided to ssl_crl have expired (root or intermediate), what is the Nginx behavior (assuming ssl_verify_client is on)? Does it result in failing verification of the client certificate (chain), or does it just log a warning, or nothing happens? If it does fail verification, how can I detect that specific problems and still perform the rest of verification (valid certificate which itself has not expired and chain of trust can be established to the verification depth) (the CA I'm using to generate the CRLs is on the same server, so it's not a problem if it's actually expired -- though a warning message would be nice as a reminder to the admin).