how to use curl to verify if a site's certificate has been revoked?

That's my everyday script:

curl --insecure -vvI https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'

Output:

* Server certificate:
*    subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*    start date: 2016-01-07 11:34:33 GMT
*    expire date: 2016-04-06 00:00:00 GMT
*    issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*    SSL certificate verify ok.
* Server GFE/2.0 is not blacklisted
* Connection #0 to host www.google.com left intact

Apparently, you cannot just verify a site with a single simple request. See https://stackoverflow.com/questions/16244084/how-to-programmatically-check-if-a-certificate-has-been-revoked?lq=1 and older related questions on stackoverflow.

curl did not work with Certificate Revocation Lists for me either, neither on Windows nor on Linux. Why should you use curl? Openssl seems more appropriate:

openssl s_client -connect www.google.com:443

We get

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

Then we can inspect some certificate:

curl http://pki.google.com/GIAG2.crt | openssl x509 -inform der -text

grep crl in the output of the above command. The interesting parts are:

        X509v3 CRL Distribution Points:
            URI:http://crl.geotrust.com/crls/gtglobal.crl

        Authority Information Access:
            OCSP - URI:http://gtglobal-ocsp.geotrust.com

Now we can manually inspect crl:

curl http://crl.geotrust.com/crls/gtglobal.crl | openssl crl -inform der -text
curl http://pki.google.com/GIAG2.crl | openssl crl -inform der -text

Now we see a list of revoked certificates. IMHO, using curl is not enough; another program is required to check certificates. By doing a simple

strace curl https://www.google.com -v

we see that curl is not checking revocations (not even connecting to the relevant places). It just says

* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*        start date: 2014-04-09 11:40:11 GMT
*        expire date: 2014-07-08 00:00:00 GMT
*        subjectAltName: www.google.com matched
*        issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*        SSL certificate verify ok.

curl since 7.41.0 has a --cert-status option, but it does not work for me:

$ curl --cert-status https://www.google.com
curl: (91) No OCSP response received

It appears that it may only work if the server is configured with OCSP stapling, and it does not cause curl to make its own OCSP request.

I had better success using openssl with the steps at https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html

Fetch the cert:

$ openssl s_client -connect www.google.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > /tmp/google.pem

Output the cert's OCSP URI:

$ openssl x509 -noout -ocsp_uri -in /tmp/google.pem
http://ocsp.pki.goog/gts1o1

Build a /tmp/chain.pem from the certs 1-n output by:

openssl s_client -connect www.google.com:443 -showcerts 2>&1 < /dev/null

Copy each cert into the chain.pem file, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- and everything in between. Do not include the 0th cert since that's in the google.pem file.

Make the OCSP request:

openssl ocsp -issuer /tmp/chain.pem -cert /tmp/google.pem -text -url http://ocsp.pki.goog/gts1o1
...
Response verify OK
/tmp/google.pem: good
    This Update: Mar 24 12:40:59 2020 GMT
    Next Update: Mar 31 12:40:59 2020 GMT
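Added example, not part of any of the answers above: a POSIX shell script that automates what the last two answers do by hand. It splits `openssl s_client -showcerts` output into the leaf and the rest of the chain (so nothing has to be copied into chain.pem manually), reads the OCSP URI and the CRL distribution point out of the leaf the way the earlier answer greps for them, runs the `openssl ocsp` query, and then downloads the CRL named in the leaf, checks its signature against the chain and looks the leaf serial up in it. It assumes `openssl` and `curl` on PATH and an OpenSSL of 1.1.0 or later (which sends the Host header in the OCSP request on its own); the function names, file names and the sample input in the comments are mine, and the OCSP response is verified against the system trust store exactly as in the answer above, since `openssl ocsp` without `-CAfile` uses it.

```sh
#!/bin/sh
# Added example, not from the original answers. Assumes openssl + curl on PATH.

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_chain INPUT LEAF CHAIN
# INPUT holds `openssl s_client -showcerts` output. Certificate 0 goes to
# LEAF, certificates 1..n (the issuers) go to CHAIN.
split_chain() {
    : > "$2"; : > "$3"
    awk -v leaf="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { inpem = 1 }
        inpem { if (n == 0) { print > (leaf) } else { print > (chain) } }
        /-----END CERTIFICATE-----/   { inpem = 0; n++ }
    ' "$1"
    [ "$(count_certs "$3")" -ge 1 ] || { echo "server sent no issuer certificate" >&2; return 1; }
}

# fetch_showcerts HOST OUT: save the chain the server presents (needs network)
fetch_showcerts() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null > "$2"
}

# ocsp_uri LEAF / crl_uri LEAF: the two URIs the earlier answer greps for.
# crl_uri takes the first URI after the CRL Distribution Points header.
ocsp_uri() { openssl x509 -noout -ocsp_uri -in "$1"; }
crl_uri() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 CRL Distribution Points/ { f = 1 }
             f && /URI:/ { sub(/.*URI:/, ""); print; exit }'
}

# ocsp_status LEAF CHAIN: prints good / revoked / unknown; returns 1 unless
# openssl reported "Response verify OK" (an unverified answer is worthless)
ocsp_status() {
    uri=$(ocsp_uri "$1")
    [ -n "$uri" ] || { echo "no OCSP URI in certificate" >&2; return 2; }
    out=$(openssl ocsp -issuer "$2" -cert "$1" -url "$uri" 2>&1)
    printf '%s\n' "$out" | grep -q '^Response verify OK' ||
        { printf '%s\n' "$out" >&2; return 1; }
    # the status line looks like "/path/leaf.pem: good"
    printf '%s\n' "$out" | awk -v f="$1: " 'index($0, f) == 1 { print substr($0, length(f) + 1) }'
}

# crl_status LEAF CHAIN: downloads the CRL named in LEAF, verifies its
# signature with the issuer in CHAIN, then looks for the leaf serial in it
crl_status() {
    uri=$(crl_uri "$1")
    [ -n "$uri" ] || { echo "no CRL distribution point in certificate" >&2; return 2; }
    serial=$(openssl x509 -noout -serial -in "$1" | sed 's/^serial=//')
    crl=$(mktemp)
    curl -sSf "$uri" -o "$crl" || { rm -f "$crl"; return 1; }
    # CRLs are DER on the wire; -CAfile makes openssl check the signature
    openssl crl -inform DER -in "$crl" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK' ||
        { echo "CRL signature did not verify" >&2; rm -f "$crl"; return 1; }
    if openssl crl -inform DER -in "$crl" -noout -text | grep -q "Serial Number: ${serial}\$"; then
        echo revoked
    else
        echo "not listed"
    fi
    rm -f "$crl"
}

# check_host HOST: the whole procedure the answers above run for www.google.com
check_host() {
    dir=$(mktemp -d)
    fetch_showcerts "$1" "$dir/showcerts.txt"
    split_chain "$dir/showcerts.txt" "$dir/leaf.pem" "$dir/chain.pem" || return 1
    echo "OCSP: $(ocsp_status "$dir/leaf.pem" "$dir/chain.pem")"
    echo "CRL:  $(crl_status "$dir/leaf.pem" "$dir/chain.pem")"
    rm -rf "$dir"
}

if [ "$#" -ge 1 ]; then check_host "$1"; fi
```

Run it as `sh check_revocation.sh www.google.com`. Only `split_chain` and `count_certs` work offline; everything else talks to the server, the OCSP responder or the CRL host. "not listed" from `crl_status` means only that the serial is absent from the CRL the leaf points at, and `ocsp_status` deliberately prints nothing unless the response verified, so a plain `good` on stdout is the only success signal. Unlike the first answer's one-liner, nothing here passes `--insecure`.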