diff -up -r ./apps/apps.c ../openssl-fips-0.9.8e/apps/apps.c
--- ./apps/apps.c	2005-07-16 07:13:02.000000000 -0400
+++ ../openssl-fips-0.9.8e/apps/apps.c	2012-03-05 10:37:39.000000000 -0500
@@ -2257,6 +2257,8 @@ int args_verify(char ***pargs, int *parg
 		flags |= X509_V_FLAG_X509_STRICT;
 	else if (!strcmp(arg, "-policy_print"))
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
+	else if (!strcmp(arg, "-trusted_first"))
+		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
 		return 0;
 
diff -up -r ./crypto/x509/x509_vfy.c ../openssl-fips-0.9.8e/crypto/x509/x509_vfy.c
--- ./crypto/x509/x509_vfy.c	2007-02-06 20:42:51.000000000 -0500
+++ ../openssl-fips-0.9.8e/crypto/x509/x509_vfy.c	2012-03-05 10:35:17.000000000 -0500
@@ -151,6 +151,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		/* If we are self signed, we break */
 		xn=X509_get_issuer_name(x);
 		if (ctx->check_issued(ctx, x,x)) break;
+		/* If asked see if we can find issuer in trusted store first */
+		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+			{
+			ok = ctx->get_issuer(&xtmp, ctx, x);
+			if (ok < 0)
+				return ok;
+			/* If successful for now free up cert so it
+			 * will be picked up again later.
+			 */
+			if (ok > 0)
+				{
+				X509_free(xtmp);
+				break;
+				}
+			}
 
 		/* If we were passed a cert chain, use it first */
 		if (ctx->untrusted != NULL)
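Review bot: The `return ok;` taken when `ctx->get_issuer` reports an error (`ok < 0`) leaves X509_verify_cert straight from inside the chain-building loop. Anything the function allocated before the loop would not be released on that path, and `ctx->error` is not set, so the caller gets a negative result with no verification error code to log. The function starts and ends outside this hunk, so its cleanup code is not visible here. If it has a common exit path, this branch should set an error code and jump there instead of returning. The comment on the `ok > 0` branch could also say that the certificate is only probed here and is fetched again by the later trusted-store lookup, which is why `X509_free(xtmp)` is correct and not a premature release.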
diff -up -r ./crypto/x509/x509_vfy.h ../openssl-fips-0.9.8e/crypto/x509/x509_vfy.h
--- ./crypto/x509/x509_vfy.h	2008-07-17 03:11:03.000000000 -0400
+++ ../openssl-fips-0.9.8e/crypto/x509/x509_vfy.h	2012-03-05 10:36:36.000000000 -0500
@@ -362,6 +362,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
 #define X509_V_FLAG_INHIBIT_MAP			0x400
 /* Notify callback that policy is OK */
 #define X509_V_FLAG_NOTIFY_POLICY		0x800
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST		0x8000
 
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
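Review bot: The comment `/* Use trusted store first */` does not say what is looked up, or ahead of what, even though this flag changes which issuer path building prefers. The value 0x8000 also jumps from 0x800 and leaves 0x1000-0x4000 unexplained. Suggested wording: `/* Look for the issuer in the trusted store before the untrusted (peer-supplied) chain */`, plus a second line such as `/* 0x1000-0x4000 intentionally left unassigned */`. The gap is presumably there to keep the value aligned with other OpenSSL branches, which is not visible here; if so, the comment should say that, so a later local flag is not assigned into the range.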
