
Andrew Dunstan: OpenSSL is fussy about the format of CRL files

Today I discovered that there can be dire consequences from having an improperly formatted Certificate Revocation List file. The consequence seems to be that if you have one, all connections are rejected. With a little help from Magnus, who pointed me in the right direction, I got a CRL file that was formatted correctly, and then certificates that were signed by the CA contained in the CRL were rejected, while other certificates signed by a different CA were accepted. I'm not sure if this behaviour is desirable, but it's essentially out of our control. The best advice is to make sure the format is correct before you install the file. The best way to do that is something like:
openssl crl -in my_crl.pem -text
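
A pre-install check built around the command above, as an added example that is not part of the original post: it refuses to put a CRL in place unless the file parses, so a malformed file never reaches the path the server reads. The function names `crl_is_valid_pem` and `install_crl` and both path arguments are hypothetical, and it assumes the consumer expects a PEM-encoded CRL, as the `my_crl.pem` name suggests.

```shell
#!/bin/sh
# Added example (not from the original post): validate a CRL before
# installing it. Function names and paths are hypothetical.

# Succeeds only if $1 is a non-empty file that carries the PEM CRL header
# and that OpenSSL can parse as a CRL.
crl_is_valid_pem() {
    [ -s "$1" ] || return 1
    # Some openssl releases may auto-detect DER input, so parsing alone
    # does not prove the file is PEM; require the PEM label as well.
    grep -q -e '^-----BEGIN X509 CRL-----' "$1" || return 1
    openssl crl -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# install_crl NEW_CRL DEST
# Validates NEW_CRL, copies it next to DEST, re-validates the copy, then
# renames it into place. DEST is left untouched on any failure.
install_crl() {
    src=$1
    dest=$2
    if ! crl_is_valid_pem "$src"; then
        echo "install_crl: $src is not a PEM-encoded CRL, not installing" >&2
        return 1
    fi
    tmp="$dest.new.$$"
    cp "$src" "$tmp" || return 1
    # Re-check the copy so a truncated write is caught before the rename.
    if crl_is_valid_pem "$tmp" && mv "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

Run it as `install_crl my_crl.pem DEST`, with `DEST` being whatever path the server is configured to read, and reload the server only when it returns success.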
