--- contrib/mod_tls.c
+++ contrib/mod_tls.c
@@ -5902,8 +5902,9 @@ static int tls_verify_crl(int ok, X509_S
       int len;
       BIO *b = BIO_new(BIO_s_mem());
 
+      crl = sk_X509_CRL_value(crls, i);
       BIO_printf(b, "CA CRL: Issuer: ");
-      X509_NAME_print(b, issuer, 0);
+      X509_NAME_print(b, X509_CRL_get_issuer(crl), 0);
 
       BIO_printf(b, ", lastUpdate: ");
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
@@ -5984,9 +5985,9 @@ static int tls_verify_crl(int ok, X509_S
    */
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
-  crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
+  crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
 #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
-  crls = X509_STORE_get1_crls(store_ctx, subject);
+  crls = X509_STORE_get1_crls(store_ctx, issuer);
 #else
   /* Your OpenSSL is before 1.0.0.  You really need to upgrade. */
   crls = NULL;
@@ -6004,7 +6005,10 @@ static int tls_verify_crl(int ok, X509_S
         X509_REVOKED *revoked;
         ASN1_INTEGER *sn;
 
-        revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
+        revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
+        if (revoked == NULL) {
+          continue;
+        }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
         sn = X509_REVOKED_get0_serialNumber(revoked);
 #else