--- contrib/mod_tls.c
+++ contrib/mod_tls.c
@@ -5902,8 +5902,9 @@ static int tls_verify_crl(int ok, X509_S
int len;
BIO *b = BIO_new(BIO_s_mem());
+ crl = sk_X509_CRL_value(crls, i);
BIO_printf(b, "CA CRL: Issuer: ");
- X509_NAME_print(b, issuer, 0);
+ X509_NAME_print(b, X509_CRL_get_issuer(crl), 0);
BIO_printf(b, ", lastUpdate: ");
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
@@ -5984,9 +5985,9 @@ static int tls_verify_crl(int ok, X509_S
*/
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
- crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
+ crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
- crls = X509_STORE_get1_crls(store_ctx, subject);
+ crls = X509_STORE_get1_crls(store_ctx, issuer);
#else
/* Your OpenSSL is before 1.0.0. You really need to upgrade. */
crls = NULL;
@@ -6004,7 +6005,10 @@ static int tls_verify_crl(int ok, X509_S
X509_REVOKED *revoked;
ASN1_INTEGER *sn;
- revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
+ revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
+ if (revoked == NULL) {
+ continue;
+ }
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
sn = X509_REVOKED_get0_serialNumber(revoked);
#else