Diffstat (limited to 'openssl/trunk')
-rw-r--r--openssl/trunk/apps/verify.c1
-rw-r--r--openssl/trunk/crypto/x509/x509_vfy.c11
2 files changed, 6 insertions, 6 deletions
diff --git a/openssl/trunk/apps/verify.c b/openssl/trunk/apps/verify.c
index 57396563..9ff32cb0 100644
--- a/openssl/trunk/apps/verify.c
+++ b/openssl/trunk/apps/verify.c
@@ -355,7 +355,6 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1;
if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1;
if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
- if (ctx->error == X509_V_ERR_UNNESTED_RESOURCE) ok=1;
if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY)
policies_print(NULL, ctx);
diff --git a/openssl/trunk/crypto/x509/x509_vfy.c b/openssl/trunk/crypto/x509/x509_vfy.c
index 713109b5..ecee8164 100644
--- a/openssl/trunk/crypto/x509/x509_vfy.c
+++ b/openssl/trunk/crypto/x509/x509_vfy.c
@@ -312,6 +312,12 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
ok=internal_verify(ctx);
if(!ok) goto end;
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+ if (!ok) goto end;
+ ok = v3_addr_validate_path(ctx);
+ if (!ok) goto end;
+
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
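Review bot: The two RFC 3779 calls added after `internal_verify(ctx)` run unconditionally, while the policy evaluation directly below them is skipped when `bad_chain` is set; if a verify callback has overridden a chain-building error, `v3_asid_validate_path()` and `v3_addr_validate_path()` would be walking a chain that may be incomplete. Whether both validators fail closed in that case is not visible here, so it is worth confirming, or stating the intent in the comment, e.g. `/* RFC 3779 path validation: runs after signature and CRL checks, and also when bad_chain is set */`. The comment as written mentions only the CRL check, but the check visible immediately before it in this hunk is the signature verification in `internal_verify()`. X509_verify_cert() starts and ends outside the hunk, so the order of the earlier checks cannot be confirmed from these lines.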
@@ -518,11 +524,6 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
else
must_be_ca = 1;
}
- /* RFC 3779 path validation */
- ok = v3_asid_validate_path(ctx);
- if (!ok) goto end;
- ok = v3_addr_validate_path(ctx);
- if (!ok) goto end;
ok = 1;
end:
return ok;