Fix certificate revocation check in crt_verifycrl_and_check_revocation with Cyclone library
# Description

The function `crt_verifycrl_and_check_revocation` is supposed to verify the validity of a certificate against the CRLs. Currently, with the Cyclone library, it only checks the certificate against the first valid CRL it finds, without considering whether there are other valid CRLs for the same CA. The goal of this ticket is to update the function to check the certificate against all valid CRLs associated with the CA.

## Code version and environment identification

a442f47200aaf3e58194b209e0738a4f9056393a

## Steps to reproduce

The test `push_server_revoke` is a good reproducer.

Start a push server, connect two clients (A and B), revoke the certificate of the client. The connection of the client B should be closed but it stays activated.

# Security impact

This function could lead to a situation where a revoked certificate is incorrectly accepted by the server, because subsequent valid CRLs may indicate that the certificate is revoked. According to the security requirements, the connection must be terminated if a certificate is revoked.

Also see the created [CVE-2026-6899](https://www.cve.org/CVERecord?id=CVE-2026-6899).

# Possible fixes

To fix this issue, the function `crt_verifycrl_and_check_revocation` should iterate over all CRLs associated with the same CA. For each CRL, the function must evaluate whether the certificate is revoked. The certificate should only be accepted if none of the CRLs indicate revocation. If any CRL indicates that the certificate is revoked, the server must reject the certificate.
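
The iteration proposed under "Possible fixes", next to the first-match behaviour described above, as an added sketch that is not the project's code and does not use the Cyclone API. The types, function names, serial numbers and CA names are hypothetical, and the `CRL_NO_VALID_CRL` result is an assumption, since the ticket does not say how a CA with no valid CRL is handled.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical simplified model for illustration; these are not Cyclone types. */
typedef struct {
    const char *issuer;       /* CA that issued this CRL */
    bool valid;               /* signature and validity period already verified */
    const unsigned *revoked;  /* revoked serial numbers */
    size_t count;
} crl_t;
/* CRL_NO_VALID_CRL is an assumption: the caller decides what to do with it. */
typedef enum { CRL_NOT_REVOKED, CRL_REVOKED, CRL_NO_VALID_CRL } crl_result_t;

static bool crl_applies(const crl_t *c, const char *issuer) {
    return c->valid && strcmp(c->issuer, issuer) == 0;
}
static bool crl_lists(const crl_t *c, unsigned serial) {
    for (size_t i = 0; i < c->count; i++)
        if (c->revoked[i] == serial) return true;
    return false;
}

/* Behaviour described in the ticket: the first valid CRL alone decides. */
crl_result_t check_first_valid_crl(const crl_t *crls, size_t n, const char *issuer, unsigned serial) {
    for (size_t i = 0; i < n; i++)
        if (crl_applies(&crls[i], issuer))
            return crl_lists(&crls[i], serial) ? CRL_REVOKED : CRL_NOT_REVOKED;
    return CRL_NO_VALID_CRL;
}

/* Proposed behaviour: consult every valid CRL of the CA; any hit rejects. */
crl_result_t check_all_valid_crls(const crl_t *crls, size_t n, const char *issuer, unsigned serial) {
    bool seen = false;
    for (size_t i = 0; i < n; i++) {
        if (!crl_applies(&crls[i], issuer)) continue;
        if (crl_lists(&crls[i], serial)) return CRL_REVOKED;
        seen = true;
    }
    return seen ? CRL_NOT_REVOKED : CRL_NO_VALID_CRL;
}

/* Constructed sample: two valid CRLs for "CA-1"; only the second lists serial 42. */
static const unsigned list_a[] = { 7 }, list_b[] = { 7, 42 }, list_c[] = { 99 };
static const crl_t sample_crls[] = {
    { "CA-1", true,  list_a, 1 },
    { "CA-1", true,  list_b, 2 },
    { "CA-1", false, list_c, 1 },  /* invalid CRL: must be ignored */
    { "CA-2", true,  list_c, 1 },  /* other CA: must be ignored */
};
```

With the constructed sample, serial 42 passes the first-match check and is rejected only when every valid CRL of "CA-1" is consulted.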