diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/mod_ssl.c
--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/mod_ssl.c 2006-07-23 07:11:58.000000000 -0400
+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/mod_ssl.c 2012-03-09 08:40:42.000000000 -0500
@@ -145,6 +145,9 @@
 "Use the server's cipher ordering preference")
 SSL_CMD_ALL(UserName, TAKE1,
 "Set user name to SSL variable value")
+ SSL_CMD_SRV(TrustedFirst, TAKE1,
+ "SSL Client Check Trusted Store first "
+ "(`on', `off')")
 
 /*
 * Proxy configuration for remote SSL connections
diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_config.c
--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_config.c 2006-07-23 07:11:58.000000000 -0400
+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_config.c 2012-03-09 09:07:26.000000000 -0500
@@ -125,6 +125,7 @@
 mctx->auth.ca_cert_file = NULL;
 mctx->auth.cipher_suite = NULL;
 mctx->auth.verify_depth = UNSET;
+ mctx->auth.trusted_first = UNSET;
 mctx->auth.verify_mode = SSL_CVERIFY_UNSET;
 }
 
@@ -213,6 +214,7 @@
 cfgMergeString(auth.ca_cert_file);
 cfgMergeString(auth.cipher_suite);
 cfgMergeInt(auth.verify_depth);
+ cfgMergeInt(auth.trusted_first);
 cfgMerge(auth.verify_mode, SSL_CVERIFY_UNSET);
 }
 
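Review bot: `SSL_CMD_SRV(TrustedFirst, TAKE1, ...)` declares an on/off switch as a free-form argument and then re-parses it by hand in ssl_cmd_SSLTrustedFirst; the FLAG directive type, which the `int flag` handler signature of ssl_cmd_SSLHonorCipherOrder in the ssl_private.h hunk already uses, lets the core validate the value and keeps the two boolean directives consistent. `SSL_CMD_SRV(TrustedFirst, FLAG, "SSL Client Check Trusted Store first")` with a `const char *ssl_cmd_SSLTrustedFirst(cmd_parms *cmd, void *dcfg, int flag)` handler is the idiomatic form. The help text advertises lowercase `on`/`off` while the handler's error message names `On`/`Off`; strcasecmp accepts both, so this is only wording, but the two strings should agree.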
@@ -977,6 +979,24 @@
 return NULL;
 }
 
+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ if (!strcasecmp(arg, "On")) {
+ sc->server->auth.trusted_first = 1;
+ return NULL;
+ }
+ else if (!strcasecmp(arg, "Off")) {
+ sc->server->auth.trusted_first = 0;
+ return NULL;
+ }
+
+ return "Argument must be On or Off";
+ }
+
 #define MODSSL_NO_SHARED_MEMORY_ERROR \
 "SSLSessionCache: shared memory cache not useable on this platform"
 
diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_init.c
--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_engine_init.c 2006-07-23 07:11:58.000000000 -0400
+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_engine_init.c 2012-03-09 08:40:38.000000000 -0500
@@ -516,6 +516,18 @@
 mctx->auth.verify_depth = 1;
 }
 
+ /**
+ * If requested, set flag for using Trusted set of CA
+ * Certificates first. (Backport from openssl-1.0.2)
+ */
+ if (mctx->auth.trusted_first == SSL_CVERIFY_TRUSTED_ON) {
+ if (s->loglevel >= APLOG_INFO) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
+ "Setting Use Trusted First Flag for Client Verification");
+ }
+ ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;
+ }
+
 /*
 * Configure callbacks for SSL context
 */
diff -Naur httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_private.h
--- httpd-2.2.3-source/httpd-2.2.3/modules/ssl/ssl_private.h 2006-07-23 07:11:58.000000000 -0400
+++ httpd-2.2.3-source-vargo/httpd-2.2.3/modules/ssl/ssl_private.h 2012-03-09 08:27:59.000000000 -0500
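Review bot: ssl_cmd_SSLTrustedFirst stores bare `1`/`0` while the ssl_engine_init.c hunk tests the same field against `SSL_CVERIFY_TRUSTED_ON`; the named constants introduced in the ssl_private.h hunk should be used on both sides, `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_ON;` and `sc->server->auth.trusted_first = SSL_CVERIFY_TRUSTED_OFF;`, so the stored value and the check cannot drift apart. Only `sc->server` is written, so the proxy context keeps its UNSET/merged default; for a client-verification directive that looks intentional, but a one-line comment stating it would save the next reader from checking. The handler also lacks the short header comment the other directive handlers carry (directive name, accepted values, server-scope only).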
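Review bot: `ctx->param->flags |= X509_V_FLAG_TRUSTED_FIRST;` ORs into OpenSSL's SSL_CTX and X509_VERIFY_PARAM structures by hand; the public setter `X509_VERIFY_PARAM_set_flags(ctx->param, X509_V_FLAG_TRUSTED_FIRST);` exists in the OpenSSL headers this tree targets, and is the form that survives a later OpenSSL making these structs opaque (combined with SSL_CTX_get0_param where that accessor is available). Nothing in the visible context restricts this block to the server context, so it presumably runs for every mctx this function initialises; confirm that is wanted for the proxy side too, since the log line speaks only of client verification. The enclosing function starts and ends outside the hunk.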
@@ -238,6 +238,26 @@
 || (errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
 
 /**
+ * Define SSL Verification Flags
+ * (Backport from openssl-1.0.2)
+ */
+
+#ifndef X509_V_FLAG_TRUSTED_FIRST
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
+#endif
+
+/**
+ * Define the values for Client Verification Trust enabled or not
+ */
+#ifndef SSL_CVERIFY_TRUSTED
+#define SSL_CVERIFY_TRUSTED_ON 1
+#define SSL_CVERIFY_TRUSTED_OFF 0
+
+#define SSL_CVERIFY_TRUSTED
+#endif
+
+
+/**
 * Define the SSL pass phrase dialog types
 */
 typedef enum {
@@ -344,6 +364,7 @@
 const char *verify_info;
 const char *verify_error;
 int verify_depth;
+ int trusted_first;
 int is_proxy;
 int disabled;
 int non_ssl_request;
@@ -410,6 +431,7 @@
 
 /** for client or downstream server authentication */
 int verify_depth;
+ int trusted_first;
 ssl_verify_t verify_mode;
 } modssl_auth_ctx_t;
 
@@ -506,6 +528,7 @@
 const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLVerifyClient(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLVerifyDepth(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLTrustedFirst(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLSessionCache(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLSessionCacheTimeout(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLProtocol(cmd_parms *, void *, const char *);
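Review bot: The `#ifndef X509_V_FLAG_TRUSTED_FIRST` fallback defines the flag as `0x8000` precisely when the OpenSSL headers do not provide it, which is the case where the linked library does not implement trusted-first chain building; the bit is then set on the verify parameters but never consulted, so `SSLTrustedFirst on` silently does nothing on such a build while the INFO log in ssl_engine_init.c still reports the flag as set. Tie the fallback to the library version rather than to the macro, e.g. `#if OPENSSL_VERSION_NUMBER < 0x10002000L` guarding an `#error` (or a build-time warning plus an APLOG_WARNING at init), so an operator cannot be left believing the trusted-store preference is active when it is not. The `#ifndef SSL_CVERIFY_TRUSTED ... #define SSL_CVERIFY_TRUSTED` wrapper is redundant inside an already include-guarded private header, and `SSL_CVERIFY_` is the prefix of the ssl_verify_t values (`SSL_CVERIFY_UNSET` appears in the config hunk), so the two new constants would be less confusing as `SSL_TRUSTED_FIRST_ON`/`SSL_TRUSTED_FIRST_OFF` or as an enum placed beside it.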