My many thanks to Radu Radutiu who has found the solution to my SSL problem. It turns out that if you use a CRL file it needs to contain a CRL (even if it is empty) for every CA in the chain of CAs. We need to document this.
One should also make sure that the CRLs are always valid. If any CRL in the chain is expired or considered invalid (e.g. it contains an invalid revocation reason), the authentication will fail. This becomes a major issue if you are using an external CA with a very short CRL lifetime (like 24 or 48 hours).
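Both conditions raised in this thread (a CRL present for every CA in the chain, and every CRL still inside its validity window) can be checked on the CRL bundle before the server is ever pointed at it. The Go program below is an added example and is not code from this thread or from any project: it builds a root CA and an intermediate CA in memory, issues an empty CRL for each with the 48-hour lifetime mentioned above, and runs a coverage check over the resulting PEM bundle. The CA names, the functions `newCA`, `emptyCRL`, `crlCoverage` and `buildScenario`, and the `must` helper are all constructed for this example; only the Go standard library is used (Go 1.19 or later, for `x509.ParseRevocationList`).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demonstration on any error; acceptable for in-memory test material.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is a certificate plus its private key; everything is generated in memory, no real CA is involved.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a CA certificate carrying the crlSign key usage, signed by parent (self-signed when parent is nil).
func newCA(name string, serial int64, parent *ca) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// emptyCRL issues a CRL with no revoked entries for issuer, valid from thisUpdate
// for lifetime, and returns it PEM-encoded as an "X509 CRL" block.
func emptyCRL(issuer *ca, thisUpdate time.Time, lifetime time.Duration) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(lifetime)}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer.cert, issuer.key))
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
}

// crlCoverage maps each CA's CommonName to "ok", "missing" (no CRL from that issuer in the
// bundle), "bad signature", or "expired" (now lies outside the CRL's thisUpdate..nextUpdate
// window). Any entry other than "ok" is a bundle the server will not accept.
func crlCoverage(chain []*x509.Certificate, bundle []byte, now time.Time) map[string]string {
	byIssuer := map[string]*x509.RevocationList{}
	for rest := bundle; ; {
		block, more := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = more
		if crl, err := x509.ParseRevocationList(block.Bytes); block.Type == "X509 CRL" && err == nil {
			byIssuer[string(crl.RawIssuer)] = crl // keyed by the issuer DN, matched against each CA's subject DN
		}
	}
	result := map[string]string{}
	for _, c := range chain {
		crl, ok := byIssuer[string(c.RawSubject)]
		switch {
		case !ok:
			result[c.Subject.CommonName] = "missing"
		case crl.CheckSignatureFrom(c) != nil:
			result[c.Subject.CommonName] = "bad signature"
		case now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate):
			result[c.Subject.CommonName] = "expired"
		default:
			result[c.Subject.CommonName] = "ok"
		}
	}
	return result
}

// buildScenario constructs a root and an intermediate CA and returns the chain, a bundle holding
// only the root's CRL, and a bundle holding a CRL for every CA; each CRL lives 48 hours.
func buildScenario(issuedAt time.Time) (chain []*x509.Certificate, rootOnly, complete []byte) {
	root := newCA("Example Root CA", 1, nil)
	inter := newCA("Example Intermediate CA", 2, root)
	rootCRL := emptyCRL(root, issuedAt, 48*time.Hour)
	interCRL := emptyCRL(inter, issuedAt, 48*time.Hour)
	return []*x509.Certificate{root.cert, inter.cert}, rootCRL, append(append([]byte{}, rootCRL...), interCRL...)
}

func main() {
	now := time.Now()
	chain, rootOnly, complete := buildScenario(now)
	fmt.Println("root CRL only:     ", crlCoverage(chain, rootOnly, now))
	fmt.Println("CRL for every CA:  ", crlCoverage(chain, complete, now))
	fmt.Println("same bundle, +72h: ", crlCoverage(chain, complete, now.Add(72*time.Hour)))
}
```

Running it shows the three states from the thread: with only the root's CRL in the file the intermediate is reported as `missing`, with an (empty) CRL for every CA the bundle is `ok`, and evaluating the same bundle 72 hours after issue reports both CRLs as `expired`, which is exactly what a 48-hour external CRL lifetime produces unless the file is refreshed on time. Against a real deployment you would feed `crlCoverage` the parsed contents of the server's configured CA file and CRL file instead of the generated material.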