CRLs in ssl.py or at the documentation is broken. Specifically I think the documentation here is wrong: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations

Here is a stackoverflow post: https://stackoverflow.com/questions/51196492/how-to-use-crls-in-pyopenssl?noredirect=1#comment89407186_51196492 

I made a very user friendly test suite of files to show how it is broken. 

Run the code in here (follow readme instructions) to see the bug.
https://github.com/nettijoe96/bugInSSL

Cert revocation check is working fine for me. I've attached a demo script that uses badssl.com:

$ curl -O http://crl3.digicert.com/ssca-sha2-g5.crl
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 testcrl.py 
Traceback (most recent call last):
  File "testcrl.py", line 19, in <module>
    s.connect(('revoked.badssl.com', 443))
  File "/usr/lib64/python3.7/ssl.py", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/ssl.py", line 1132, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)

openssl s_client:

$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem | grep Verify
    Verify return code: 0 (ok)
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem -crl_check | grep Verify
    Verify return code: 23 (certificate revoked)

No response in over two years. I'm closing the issue. Please feel free to reopen the issue with more information.