Documenting CRL download usage and restrictions

Fixes #25603

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25608)

(cherry picked from commit e647220c00)

doc/man1/openssl-s_client.pod.in

@@ -279,7 +279,9 @@ See L<openssl-format-options(1)> for details.
 
 =item B<-crl_download>
 
-Download CRL from distribution points in the certificate.
+Download CRL from distribution points in the certificate. Note that this option
+is ignored if B<-crl_check> option is not provided. Note that the maximum size
+of CRL is limited by L<X509_CRL_load_http(3)> function.
 
 =item B<-key> I<filename>|I<uri>
 

doc/man3/X509_load_http.pod

@@ -27,6 +27,9 @@ see L<openssl_user_macros(7)>:
 X509_load_http() and X509_CRL_load_http() loads a certificate or a CRL,
 respectively, in ASN.1 format using HTTP from the given B<url>.
 
+Maximum size of the HTTP response is 100 kB for certificates and 32 MB for CRLs
+and hard coded in the functions.
+
 If B<bio> is given and B<rbio> is NULL then this BIO is used instead of an
 internal one for connecting, writing the request, and reading the response.
 If both B<bio> and B<rbio> are given (which may be memory BIOs, for instance)