How can openssl s_client be used to check if a TLS server presents a revoked certificate?


I'd like to see openssl s_client print or show an error if a server presents a revoked certificate.

Servers I've tested against include:

The command I've used is:

HOST="revoked.badssl.com" ; echo -en "GET / HTTP/1.1\r\nHost: $HOST\r\n\r\n" | openssl s_client -ign_eof -connect $HOST:443 -ign_eof -prexit -security_debug_verbose -crl_download -crl_check_all -debug

I've tried variations of including or not including the command line options, but I get HTML, indicating that s_client sent the GET request and received data when I was hoping it would error out beforehand.

In the revoked.badssl.com case, I've seen an error message "Verification error: unable to get certificate CRL", but I can download those CRLs manually.
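An added example, not part of the original question: by default `s_client` keeps going after a certificate verification failure, and the documented `-verify_return_error` option makes it abort the handshake instead. The wrapper below turns the reported verify result into a pass/fail verdict; the function names and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the question): fail closed on s_client's verify result.
# X509 verify codes used: 0 = ok, 3 = unable to get certificate CRL,
# 23 = certificate revoked.

# Constructed sample of the summary line s_client prints for a revoked leaf.
SAMPLE_REVOKED='    Verify return code: 23 (certificate revoked)'

# classify_verify (hypothetical helper): read s_client output on stdin and
# print one verdict word.
classify_verify() {
    local out code
    out=$(cat)
    # Prefer the numeric summary line when it is present.
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        # Fall back to the error text, e.g. "Verification error: ..." or
        # "verify error:num=23:certificate revoked".
        case "$out" in
            *"certificate revoked"*)           code=23 ;;
            *"unable to get certificate CRL"*) code=3 ;;
            *"Verification: OK"*)              code=0 ;;
        esac
    fi
    case "$code" in
        0)  echo ok ;;
        23) echo revoked ;;
        3)  echo crl-unavailable ;;  # revocation status unknown, not a pass
        "") echo no-result ;;
        *)  echo "verify-error-$code" ;;
    esac
}

# check_host (hypothetical helper): succeed only when verification, including
# the CRL check on the server certificate, completed without error.
check_host() {
    local host=$1 port=${2:-443} verdict
    # -verify_return_error: abort the handshake on a verify error.
    # -crl_download / -crl_check: fetch and check the CRL for the leaf.
    verdict=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_return_error -crl_download -crl_check </dev/null 2>&1 |
        classify_verify)
    echo "$host: $verdict"
    [ "$verdict" = ok ]
}
```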
