Documenting CRL download usage and restrictions

Fixes #25603

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)

(cherry picked from commit e647220c00bb1da0518f8a31ed07b2a0977a3c9e)

diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
index 31729d6bdd252bf3759d80abed57b76545c7c82a..d722bea9e35634b4b05f7f6ec35f433ed777f1d9 100644 (file)
--- a/doc/man1/openssl-s_client.pod.in
+++ b/doc/man1/openssl-s_client.pod.in
@@ -263,7 +263,9 @@ See L<openssl-format-options(1)> for details.
 
 =item B<-crl_download>
 
-Download CRL from distribution points in the certificate.
+Download CRL from distribution points in the certificate. Note that this option
+is ignored if B<-crl_check> option is not provided. Note that the maximum size
+of CRL is limited by L<X509_CRL_load_http(3)> function.
 
 =item B<-key> I<filename>|I<uri>
 

diff --git a/doc/man3/X509_load_http.pod b/doc/man3/X509_load_http.pod
index a147c43caa3fde07f5f81aabfe05e0b189bd47c6..e17330b05587f73cb896d98bfedf4665b130f8e8 100644 (file)
--- a/doc/man3/X509_load_http.pod
+++ b/doc/man3/X509_load_http.pod
@@ -27,6 +27,9 @@ see L<openssl_user_macros(7)>:
 X509_load_http() and X509_CRL_load_http() loads a certificate or a CRL,
 respectively, in ASN.1 format using HTTP from the given B<url>.
 
+Maximum size of the HTTP response is 100 kB for certificates and 32 MB for CRLs
+and hard coded in the functions.
+
 If B<bio> is given and B<rbio> is NULL then this BIO is used instead of an
 internal one for connecting, writing the request, and reading the response.
 If both B<bio> and B<rbio> are given (which may be memory BIOs, for instance)