diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh
index 2f3fb33188..f377a1fdd0 100755
--- a/certs/ocsp/renewcerts.sh
+++ b/certs/ocsp/renewcerts.sh
@@ -1,5 +1,14 @@
 #!/bin/sh
 
+# bwrap execution environment to avoid port conflicts
+if [ "${AM_BWRAPPED-}" != "yes" ]; then
+    bwrap_path="$(command -v bwrap)"
+    if [ -n "$bwrap_path" ]; then
+        export AM_BWRAPPED=yes
+        exec "$bwrap_path" --cap-add ALL --unshare-net --dev-bind / / "$0" "$@"
+    fi
+fi
+
 check_result(){
     if [ $1 -ne 0 ]; then
         if [ -n "$2" ]; then
diff --git a/src/crl.c b/src/crl.c
index 51aa49e025..2fc5341fc3 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -221,8 +221,12 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap)
 /* Free all CRL resources */
 void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
 {
-    CRL_Entry* tmp = crl->crlList;
+    CRL_Entry* tmp;
 
+    if (crl == NULL)
+        return;
+
+    tmp = crl->crlList;
     WOLFSSL_ENTER("FreeCRL");
     if (crl->monitors[0].path)
         XFREE(crl->monitors[0].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
@@ -829,6 +833,7 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dupl, const WOLFSSL_X509_CRL* crl)
 int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl)
 {
     WOLFSSL_X509_CRL *crl;
+    int ret = 0;
 
     WOLFSSL_ENTER("wolfSSL_X509_STORE_add_crl");
     if (store == NULL || newcrl == NULL || store->cm == NULL)
@@ -837,20 +842,19 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc
     if (store->cm->crl == NULL) {
         crl = wolfSSL_X509_crl_new(store->cm);
         if (crl == NULL) {
+            WOLFSSL_MSG("wolfSSL_X509_crl_new failed");
             return WOLFSSL_FAILURE;
         }
         if (wc_LockRwLock_Rd(&newcrl->crlLock) != 0) {
             WOLFSSL_MSG("wc_LockRwLock_Rd failed");
             return BAD_MUTEX_E;
         }
-        if (DupX509_CRL(crl, newcrl) != 0) {
-            if (crl != NULL) {
-                wc_UnLockRwLock(&newcrl->crlLock);
-                FreeCRL(crl, 1);
-            }
+        ret = DupX509_CRL(crl, newcrl);
+        wc_UnLockRwLock(&newcrl->crlLock);
+        if (ret != 0) {
+            FreeCRL(crl, 1);
             return WOLFSSL_FAILURE;
         }
-        wc_UnLockRwLock(&newcrl->crlLock);
         store->crl = store->cm->crl = crl;
         if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL)
                 != WOLFSSL_SUCCESS) {