diff -up openssl-fips-0.9.8e/crypto/x509/x509_lu.c.multi-crl openssl-fips-0.9.8e/crypto/x509/x509_lu.c
--- openssl-fips-0.9.8e/crypto/x509/x509_lu.c.multi-crl	2005-05-11 05:45:35.000000000 +0200
+++ openssl-fips-0.9.8e/crypto/x509/x509_lu.c	2009-03-26 15:09:49.000000000 +0100
@@ -453,19 +453,41 @@ X509_OBJECT *X509_OBJECT_retrieve_by_sub
 	return sk_X509_OBJECT_value(h, idx);
 }
 
+static int x509_crl_match(const X509_CRL *a, const X509_CRL *b)
+{
+	if (a->signature == NULL || b->signature == NULL)
+		return a->signature != b->signature;
+
+	if (a->signature->length != b->signature->length)
+		return 0;
+
+	return memcmp(a->signature->data, b->signature->data, a->signature->length);
+}
+
 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
 {
 	int idx, i;
 	X509_OBJECT *obj;
 	idx = sk_X509_OBJECT_find(h, x);
 	if (idx == -1) return NULL;
-	if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);
+	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))
+		return sk_X509_OBJECT_value(h, idx);
 	for (i = idx; i < sk_X509_OBJECT_num(h); i++)
 		{
 		obj = sk_X509_OBJECT_value(h, i);
 		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))
 			return NULL;
-		if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))
+		if (x->type == X509_LU_X509)
+			{
+			if (!X509_cmp(obj->data.x509, x->data.x509))
+				return obj;
+			}
+		else if (x->type == X509_LU_CRL)
+			{
+			if (!x509_crl_match(obj->data.crl, x->data.crl))
+				return obj;
+			}
+		else
 			return obj;
 		}
 	return NULL;
diff -up openssl-fips-0.9.8e/crypto/x509/x509_vfy.c.multi-crl openssl-fips-0.9.8e/crypto/x509/x509_vfy.c
--- openssl-fips-0.9.8e/crypto/x509/x509_vfy.c.multi-crl	2007-02-07 02:42:51.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/x509/x509_vfy.c	2009-03-26 15:00:05.000000000 +0100
@@ -721,7 +721,38 @@ static int get_crl(X509_STORE_CTX *ctx, 
 		return 0;
 		}
 
-	*pcrl = xobj.data.crl;
+	/* If CRL times not valid look through store */
+	if (!check_crl_time(ctx, xobj.data.crl, 0))
+		{
+		int idx, i;
+		X509_OBJECT *pobj;
+		X509_OBJECT_free_contents(&xobj);
+		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,
+							X509_LU_CRL, nm);
+		if (idx == -1)
+			return 0;
+		*pcrl = NULL;
+		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+			{
+			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+			/* Check to see if it is a CRL and issuer matches */
+			if (pobj->type != X509_LU_CRL)
+				break;
+			if (X509_NAME_cmp(nm,
+					X509_CRL_get_issuer(pobj->data.crl)))
+				break;
+			/* Set *pcrl because the CRL will either be valid or
+			 * a "best fit" CRL.
+			 */
+			*pcrl = pobj->data.crl;
+			if (check_crl_time(ctx, *pcrl, 0))
+				break;
+			}
+		if (*pcrl)
+			CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);
+		}
+	else 
+		*pcrl = xobj.data.crl;
 	if (crl)
 		X509_CRL_free(crl);
 	return 1;