Configuring crl-file breaks valid certificates

Hi,

I have a problem with using a CRL in HaProxy. In short, if I have two certificates and add a CRL with one of them, then the other one also breaks.
Long story: I am using HaProxy Ingress and started a discussion with Joao Morais there; however, I am able to reproduce this issue with pure HaProxy (kudos to Joao for helping with this).
My HaProxy config:

defaults
  timeout server 1m
  timeout client 1m
  timeout connect 5s
listen l
  bind :443 ssl crt-list /tmp/crt.list  ca-ignore-err all crt-ignore-err all
  mode http
  http-request deny if { ssl_c_verify gt 0 }
  http-request return content-type "text/plain" string "ok\n"

and crt.list content:

tmp/crt.pem [ca-file /tmp/ca.pem verify optional crl-file /tmp/crl.pem] !*

I have the following certificate chain: RootCA → Intermediate → (leaf certificate A, leaf certificate B).
In ca.pem I have my Intermediate certificate, which is used for mTLS. In crl.pem I have leaf certificate B.
My assumption was that I should still be able to authorize using certificate A, since only B is revoked.
Unfortunately it doesn't work like that. I have executed the following tests:

In the first scenario I am adding crl-file /tmp/crl.pem into the crl.list file; here are the results:

  1. Test with valid certificate A - getting 403
  2. Test with revoked certificate B - getting 403
  3. Test with invalid certificate C - getting 403

Then I executed the same tests but without the CRL. I simply removed crl-file /tmp/crl.pem from the config. The results were as follows:

  1. Test with valid certificate A - getting OK response
  2. Test with revoked certificate B - getting OK response (it's because I haven't declared crl-file, of course)
  3. Test with invalid certificate C - getting 403

As I could clearly see, adding the CRL breaks the valid certificate for some reason.
Test was executed using docker haproxy:2.2.10-alpine.

Please advise if I am doing something wrong or maybe it's just a bug?
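As an added example that is not part of this thread, the following openssl script rebuilds the chain described above (RootCA → Intermediate → leaf A, leaf B), revokes B into a CRL, and then verifies each leaf the way the crt.list entry does: trust store containing only the intermediate, CRL checking enabled. All file names and the `check_leaf` helper are constructed for the example; it assumes only that the openssl command line is installed.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's chain
# RootCA -> Intermediate -> (leaf A, leaf B), revoke B into crl.pem, and check
# each leaf against that CRL with openssl before the files go into HAProxy.
set -e
W=$(mktemp -d)
# extension files: CA certs need basicConstraints + keyCertSign/cRLSign,
# otherwise OpenSSL refuses to treat them as issuers (or as CRL signers)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$W/leaf.ext"

# minimal "openssl ca" config, used only to revoke B and emit the CRL
cat > "$W/ca.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
database = $W/index.txt
crlnumber = $W/crlnumber
default_md = sha256
default_crl_days = 30
EOF
: > "$W/index.txt"; echo 1000 > "$W/crlnumber"

csr()  { openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$1.key" \
           -subj "/CN=$1" -out "$W/$1.csr" 2>/dev/null; }
# sign CSR $1 with CA $2 using extension file $3
sign() { openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
           -CAcreateserial -days 30 -sha256 -extfile "$W/$3" -out "$W/$1.pem" 2>/dev/null; }

csr root; openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 30 \
            -sha256 -extfile "$W/ca.ext" -out "$W/root.pem" 2>/dev/null
csr int;  sign int root ca.ext
csr A;    sign A int leaf.ext
csr B;    sign B int leaf.ext
# "invalid certificate C": self-signed, not issued by the intermediate at all
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$W/C.key" -subj /CN=C -days 30 \
  -out "$W/C.pem" 2>/dev/null

# revoke B with the intermediate's key and write crl.pem (the HAProxy crl-file)
openssl ca -config "$W/ca.cnf" -keyfile "$W/int.key" -cert "$W/int.pem" -revoke "$W/B.pem" 2>/dev/null
openssl ca -config "$W/ca.cnf" -keyfile "$W/int.key" -cert "$W/int.pem" -gencrl -out "$W/crl.pem" 2>/dev/null

# verify leaf $1 like the crt.list entry: trust store = intermediate only
# (-partial_chain), CRL checking on; prints "ok" or "rejected"
check_leaf() {
  if openssl verify -CAfile "$W/int.pem" -partial_chain -crl_check \
       -CRLfile "$W/crl.pem" "$W/$1.pem" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}
for c in A B C; do printf '%s: %s\n' "$c" "$(check_leaf "$c")"; done   # A ok, B and C rejected
```

If A verifies here but HAProxy still denies it, the CRL and CA files are sound and the difference lies in how HAProxy loads them, which narrows the bug report.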

Hi, unfortunately I wasn't able to solve this issue yet; if any of you have a suggestion about what I could be doing wrong, I would be very grateful.

@tomasz.szlek we have the same problem and no real action from the haproxy team on this CRL problem.
I think that the CRL must not contain the next version (no DP, no extension), nothing but the list of revoked certificates.

I suggest you file a feature request or bug report (whichever applies) at: