diff --git a/CHANGES b/CHANGES
index 65da1b3..b9b0a4f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+Security:
+ Socats OpenSSL addresses do not (and never did) check certificate
+ revocation lists (CRLs). Socat now prints a warning about this.
+
 Features: Added the --experimental option that enables use of features that might change in the future.
diff --git a/xio-openssl.c b/xio-openssl.c
index 2215662..311d61b 100644
--- a/xio-openssl.c
+++ b/xio-openssl.c
@@ -1397,6 +1397,7 @@ cont_out:
 sycSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER| SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+ Warn("OpenSSL: Warning: this implementation does not check CRLs");
 } else { sycSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,
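Review bot: The `Warn(...)` added in the verify-enabled branch of xio-openssl.c repeats "Warning:" inside a warning-level message and does not tell the operator what the gap means in practice: a peer certificate that chains to a trusted CA still passes verification after it has been revoked. A clearer message would be `Warn("OpenSSL: certificate revocation lists (CRLs) are not checked; revoked peer certificates are accepted");`. I would also add a comment above the call, `/* chain verification only: no CRL is consulted, so revocation is not enforced here */`, so the limitation is visible to whoever next touches this branch. Whether this runs once per context or on every connection cannot be seen from the hunk, since the enclosing function starts and ends outside it; if it is per connection, the repeated line is likely to be filtered out of logs and ignored. The warning only documents the gap, so the eventual fix (loading CRLs and enabling `X509_V_FLAG_CRL_CHECK` on the context's verify parameters) should be tracked separately.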