diff --git a/src/crl.c b/src/crl.c index f3f52c855..628acda78 100644 --- a/src/crl.c +++ b/src/crl.c @@ -527,6 +527,16 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap) if (head == NULL) head = tmp; } + else { + WOLFSSL_MSG("Failed to allocate new RevokedCert structure"); + /* free up any existing list */ + while (head != NULL) { + current = head; + head = head->next; + XFREE(current, heap, DYNAMIC_TYPE_REVOKED); + } + return NULL; + } current = current->next; } return head; @@ -534,7 +544,7 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap) /* returns a deep copy of ent on success and null on fail */ -static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap) +static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) { CRL_Entry *dup; @@ -543,6 +553,7 @@ static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap) WOLFSSL_MSG("alloc CRL Entry failed"); return NULL; } + XMEMSET(dup, 0, sizeof(CRL_Entry)); XMEMCPY(dup->issuerHash, ent->issuerHash, CRL_DIGEST_SIZE); XMEMCPY(dup->lastDate, ent->lastDate, MAX_DATE_SIZE); @@ -561,6 +572,7 @@ static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap) dup->toBeSigned = (byte*)XMALLOC(dup->tbsSz, heap, DYNAMIC_TYPE_CRL_ENTRY); if (dup->toBeSigned == NULL) { + FreeCRL_Entry(dup, heap); XFREE(dup, heap, DYNAMIC_TYPE_CRL_ENTRY); return NULL; } @@ -568,8 +580,8 @@ static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap) dup->signature = (byte*)XMALLOC(dup->signatureSz, heap, DYNAMIC_TYPE_CRL_ENTRY); if (dup->signature == NULL) { + FreeCRL_Entry(dup, heap); XFREE(dup, heap, DYNAMIC_TYPE_CRL_ENTRY); - XFREE(dup->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY); return NULL; } XMEMCPY(dup->toBeSigned, ent->toBeSigned, dup->tbsSz); 
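Review bot: In the new `else` branch of DupRevokedCertList, the `return NULL;` on allocation failure cannot be told apart from the NULL that `return head;` yields for an empty input list. If the caller (outside this hunk) stores the result unchecked, a failed copy would produce a CRL entry with no revoked serials, which fails open: a revoked certificate would no longer match. That should be confirmed at the call site, for example by treating `ent->certs != NULL && dup->certs == NULL` as an error. Separately, the cleanup loop reuses `current`, the cursor over the input list, as its scratch pointer; this is safe only because of the immediate return, and a dedicated local would read more clearly.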
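Review bot: The failure branches for `dup->toBeSigned` and `dup->signature` (this hunk and the next one) call `FreeCRL_Entry(dup, heap)` and then `XFREE(dup, heap, DYNAMIC_TYPE_CRL_ENTRY)`, which is correct only if FreeCRL_Entry releases the members and not the entry itself. It also depends on the new `XMEMSET` having nulled every pointer that FreeCRL_Entry walks. Neither assumption is visible here, so a comment would help: `/* FreeCRL_Entry frees members only (safe after XMEMSET); dup itself is freed below */`. DupCRL_Entry's body starts and ends outside these hunks.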
@@ -617,7 +629,7 @@ static CRL_Entry* DupCRL_list(CRL_Entry* crl, void* heap) /* Duplicates everything except the parent cm pointed to. * Expects that Init has already been done to 'dup' * return 0 on success */ -static int DupX509_CRL(WOLFSSL_X509_CRL *dup, WOLFSSL_X509_CRL* crl) +static int DupX509_CRL(WOLFSSL_X509_CRL *dup, const WOLFSSL_X509_CRL* crl) { if (dup == NULL || crl == NULL) { return BAD_FUNC_ARG; @@ -660,7 +672,10 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc if (store->cm->crl == NULL) { crl = wolfSSL_X509_crl_new(store->cm); - DupX509_CRL(crl, newcrl); + if (DupX509_CRL(crl, newcrl) != 0) { + FreeCRL(crl, 1); + return WOLFSSL_FAILURE; + } store->crl = store->cm->crl = crl; return WOLFSSL_SUCCESS; } diff --git a/src/ssl.c b/src/ssl.c index 1106300e8..ae2da8636 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -22921,7 +22921,6 @@ void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx) /* Do nothing */ } -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) /* Returns corresponding X509 error from internal ASN error */ static int GetX509Error(int e) { @@ -22947,7 +22946,6 @@ static int GetX509Error(int e) return e; } } -#endif /* OPENSSL_ALL || WOLFSSL_QT */ /* Verifies certificate chain using WOLFSSL_X509_STORE_CTX * returns 0 on success or < 0 on failure. @@ -22955,11 +22953,10 @@ static int GetX509Error(int e) int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) { int ret = 0; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) int depth = 0; int error; byte *afterDate, *beforeDate; -#endif + WOLFSSL_ENTER("wolfSSL_X509_verify_cert"); if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL @@ -22969,7 +22966,6 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) ctx->current_cert->derCert->length, WOLFSSL_FILETYPE_ASN1); -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) /* If there was an error, process it and add it to CTX */ if (ret < 0) { /* Get corresponding X509 error */ 
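Review bot: In wolfSSL_X509_STORE_add_crl, `crl` is not checked for NULL before the new error path uses it. If `wolfSSL_X509_crl_new(store->cm)` fails, `DupX509_CRL` rejects the NULL with BAD_FUNC_ARG (its argument check is visible in the previous hunk) and `FreeCRL(crl, 1)` is then called on a NULL pointer. Whether FreeCRL tolerates NULL is not visible here; unless it does, add `if (crl == NULL) return WOLFSSL_FAILURE;` before the `DupX509_CRL` call. The function continues outside the hunk.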
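Review bot: The header comment directly above wolfSSL_X509_verify_cert still reads `returns 0 on success or < 0 on failure`, but the test added in tests/api.c expects `X509_verify_cert(storeCtx)` to equal `SSL_SUCCESS` for a good chain. The value of SSL_SUCCESS is not visible here, so this is inferred; if it is non-zero, the comment misstates the contract. Now that the error handling is compiled in every build, the comment should match, for example `* returns WOLFSSL_SUCCESS on success or < 0 on failure.`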
@@ -22980,8 +22976,10 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) wolfSSL_X509_STORE_CTX_set_error(ctx, error); wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) if (ctx->store && ctx->store->verify_cb) ctx->store->verify_cb(0, ctx); + #endif } error = 0; @@ -23004,10 +23002,11 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) if (error != 0 ) { wolfSSL_X509_STORE_CTX_set_error(ctx, error); wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) if (ctx->store && ctx->store->verify_cb) ctx->store->verify_cb(0, ctx); + #endif } -#endif /* OPENSSL_ALL || WOLFSSL_QT */ return ret; } return WOLFSSL_FATAL_ERROR; diff --git a/tests/api.c b/tests/api.c index f289dd513..7a24b1662 100644 --- a/tests/api.c +++ b/tests/api.c 
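Review bot: In the last hunk of wolfSSL_X509_verify_cert, the `error` recorded by the `if (error != 0 )` block goes into the context only, while `return ret;` hands back the earlier verify result unchanged. A caller that checks only the return value therefore depends on that earlier call having failed for the same condition; the assignment of `error` lies outside the hunk, so this is inferred. A short comment would make the contract explicit: `/* ret is returned as produced by the verify call; error only refines the code stored in ctx */`. In both narrowed `#if` blocks (this hunk and the previous one) the return value of `verify_cb` is discarded, which is worth stating too if intended.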
@@ -22561,26 +22561,48 @@ static void test_wolfSSL_X509_STORE(void) X509_STORE *store; #ifdef HAVE_CRL + X509_STORE_CTX *storeCtx; X509_CRL *crl; X509 *x509; - const char crl_pem[] = "./certs/crl/crl.pem"; - const char svrCert[] = "./certs/server-cert.pem"; + const char crlPem[] = "./certs/crl/crl.revoked"; + const char srvCert[] = "./certs/server-revoked-cert.pem"; + const char caCert[] = "./certs/ca-cert.pem"; XFILE fp; printf(testingFmt, "test_wolfSSL_X509_STORE"); AssertNotNull(store = (X509_STORE *)X509_STORE_new()); - AssertNotNull((x509 = - wolfSSL_X509_load_certificate_file(svrCert, SSL_FILETYPE_PEM))); + AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); + AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + AssertNotNull((storeCtx = X509_STORE_CTX_new())); + AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, x509, NULL), SSL_SUCCESS); + AssertIntEQ(X509_verify_cert(storeCtx), SSL_SUCCESS); + X509_STORE_CTX_free(storeCtx); X509_free(x509); - fp = XFOPEN(crl_pem, "rb"); + /* should fail to verify now after adding in CRL */ + AssertNotNull(store = (X509_STORE *)X509_STORE_new()); + AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(caCert, + SSL_FILETYPE_PEM))); + AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); + fp = XFOPEN(crlPem, "rb"); AssertTrue((fp != XBADFILE)); - AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, NULL, NULL)); + AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, + NULL, NULL)); XFCLOSE(fp); AssertIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); + AssertIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),SSL_SUCCESS); + AssertNotNull((storeCtx = X509_STORE_CTX_new())); + AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(srvCert, + SSL_FILETYPE_PEM))); + AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, x509, NULL), SSL_SUCCESS); 
+ AssertIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS); + AssertIntEQ(X509_STORE_CTX_get_error(storeCtx), CRL_CERT_REVOKED); + X509_free(x509); + X509_STORE_CTX_free(storeCtx); X509_CRL_free(crl); - X509_STORE_free(store); #endif /* HAVE_CRL */
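Review bot: The test never releases either `store` explicitly: the first is overwritten by the second `X509_STORE_new()` and the only `X509_STORE_free(store)` is removed at the end of the hunk. That is leak-free only if `X509_STORE_CTX_free` also frees the store passed to `X509_STORE_CTX_init`, which is not visible here and is not how OpenSSL assigns ownership. The same question applies to the `caCert` X509, whose pointer is overwritten after `X509_STORE_add_cert` without an `X509_free`. If the ownership transfer is intended, state it where the context is freed, for example `/* X509_STORE_CTX_free also releases the store in this implementation */`.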