I am using 1.0.2g. CRL checking works fine on my certificate when I download and save the CRL in PEM format locally.
I noticed that “openssl verify” has this option:
Attempt to download CRL information for this certificate.
But it does not work for me. The CRL URL embedded in my certificate points to a CRL file in DER format; maybe this is the reason “download” didn’t work?
If I want to enable “automatic download” in C code, do I have to provide a callback to X509_STORE_set_lookup_crls_cb, or is there a simpler way (e.g. a flag)?
If I must provide such a callback, do I need to handle DER vs PEM encoding in the callback?