I'll just add that:
1. Neither CRL- nor OCSP-based revocation checks are done by default.
CRLs need to be imported manually first (for any interesting CA); OCSP needs to be enabled in "config vpn certificate setting" (ocsp-status etc.).
2. The SNI check can be directly controlled in newer firmware versions with the "Server certificate SNI check" option (GUI):
SNI check GUI snippet
[ corrections always welcome ]