Fix certificate revocation check in crt_verifycrl_and_check_revocation with Cyclone library

Description

The function crt_verifycrl_and_check_revocation is supposed to verify the validity of a certificate against the CRLs.

Currently, with the Cyclone library, it only checks the certificate against the first valid CRL it finds, without considering whether there are other valid CRLs for the same CA.

The goal of this ticket is to update the function to check the certificate against all valid CRLs associated with the CA.

Code version and environment identification

a442f472

Steps to reproduce

The test push_server_revoke is a good reproducer.

Start a push server, connect two clients (A and B), then revoke the certificate of the client.

The connection of client B should be closed, but it stays active.

Security impact

This behavior could lead to a situation where a revoked certificate is incorrectly accepted by the server, because subsequent valid CRLs that are never consulted may indicate that the certificate is revoked. According to the security requirements, the connection must be terminated if a certificate is revoked.

See also CVE-2026-6899, which was created for this issue.

Possible fixes

To fix this issue, the function crt_verifycrl_and_check_revocation should iterate over all CRLs associated with the same CA.

For each CRL, the function must evaluate whether the certificate is revoked. The certificate should only be accepted if none of the CRLs indicate revocation. If any CRL indicates that the certificate is revoked, the server must reject the certificate.
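The difference between the current and the proposed behaviour, as an added example that is not the project's code and does not use the Cyclone API. The `crl_t` type, the function names and the sample CRLs are hypothetical, and each CRL's signature and validity period are assumed to have been checked already (the `valid` flag).

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical model types; these are not Cyclone library structures. */
typedef struct {
    const char *issuer;          /* CA that issued the CRL */
    int valid;                   /* 1 if signature and validity period already checked */
    const char *const *revoked;  /* revoked serial numbers */
    size_t n_revoked;
} crl_t;

typedef enum { CRL_NOT_REVOKED, CRL_REVOKED, CRL_NONE_VALID } crl_status_t;
static int crl_lists(const crl_t *crl, const char *serial) {
    for (size_t i = 0; i < crl->n_revoked; i++)
        if (strcmp(crl->revoked[i], serial) == 0) return 1;
    return 0;
}

/* Behaviour described in the ticket: stop at the first valid CRL of the CA. */
crl_status_t check_first_valid_crl(const crl_t *crls, size_t n,
                                   const char *issuer, const char *serial) {
    for (size_t i = 0; i < n; i++) {
        if (!crls[i].valid || strcmp(crls[i].issuer, issuer) != 0) continue;
        return crl_lists(&crls[i], serial) ? CRL_REVOKED : CRL_NOT_REVOKED;
    }
    return CRL_NONE_VALID;
}

/* Proposed behaviour: consult every valid CRL of the CA; any hit rejects. */
crl_status_t check_all_valid_crls(const crl_t *crls, size_t n,
                                  const char *issuer, const char *serial) {
    int seen_valid = 0;
    for (size_t i = 0; i < n; i++) {
        if (!crls[i].valid || strcmp(crls[i].issuer, issuer) != 0) continue;
        seen_valid = 1;
        if (crl_lists(&crls[i], serial)) return CRL_REVOKED;
    }
    /* Policy for "no valid CRL" is not stated in the ticket; reported separately. */
    return seen_valid ? CRL_NOT_REVOKED : CRL_NONE_VALID;
}

/* Constructed sample data: two valid CRLs for CA-1, only the last lists serial 0B. */
static const char *const crl1_serials[] = { "0A" };
static const char *const crl2_serials[] = { "0B" };
const crl_t sample_crls[] = {
    { "CA-2", 1, crl2_serials, 1 },
    { "CA-1", 1, crl1_serials, 1 },
    { "CA-1", 0, crl2_serials, 1 },  /* invalid CRL: ignored by both functions */
    { "CA-1", 1, crl2_serials, 1 },
};
```

With the sample data, serial `0B` under `CA-1` is accepted by the first-match function and rejected by the all-CRLs function, which is the condition a regression test for this ticket needs to cover.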

Edited by Vincent Monfort