Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and

			case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:

			ok = 1;

			case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:

			ok = 1;

			}

		return ok;

	if (!ok) return((int)n);

	if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)

	if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||

		((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) && 

		(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))

		{

		s->s3->tmp.reuse_message=1;

		return(1);

	DH *dh;

#endif

	sc=s->session->sess_cert;

	if (sc == NULL)

		{

		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);

		goto err;

		}

	alg_k=s->s3->tmp.new_cipher->algorithm_mkey;

	alg_a=s->s3->tmp.new_cipher->algorithm_auth;

	if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))

		return(1);

	sc=s->session->sess_cert;

	if (sc == NULL)

		{

		SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);

		goto err;

		}

#ifndef OPENSSL_NO_RSA

	rsa=s->session->sess_cert->peer_rsa_tmp;

#endif

				SSL_R_DATA_LENGTH_TOO_LONG);

			goto err;

			}

		if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))

		if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))

		    {

		    /* The premaster secret must contain the same version number as the

		     * ClientHello to detect version rollback attacks (strangely, the

		     * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. 

		     * (Perhaps we should have a separate BUG value for the Kerberos cipher)

		     */

		    if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) &&

			   (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))

		    if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))

			{

			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,

			       SSL_AD_DECODE_ERROR);