If old CRL expires no new connections are allowed until the application is restarted and new working crl is loaded.

Sep 27 14:53:52 test-reg epp_proxy[671]: [info] <0.19895.473>@epp_tls_worker:log_opened_connection:168 New client connection. IP: x.x.x.x, Process: <0.19895.473>.
Sep 27 14:53:52 test-reg epp_proxy[671]: [info] <0.20227.473> TLS server: In state certify at ssl_handshake.erl:1365 generated SERVER ALERT: Fatal - Bad Certificate - {bad_crls,no_relevant_crls}
Sep 27 14:53:52 test-reg epp_proxy[671]: [info] <0.19895.473>@epp_tls_worker:log_on_invalid_handshake:161 Failed SSL handshake. IP: x.x.x, Error: [{tls_alert,{bad_certificate,"received SERVER ALERT: Fatal - Bad Certificate - {bad_crls,no_relevant_crls}"}}]

Yeah, I'll try to experiment over the weekend with https://github.com/erlang/otp/blob/master/lib/ssl/src/ssl_pem_cache.erl to see if I can force it clear every now and then.

Unfortunately the issue is quite painful to test so it might take me a while.

there still is a point to this ticket, or consider implementig OCSP, but this is not priority at the moment - removing this from todo list for now