diff -ur openssl-0.9.8g/crypto/x509/x509_cmp.c openssl-0.9.8g-work/crypto/x509/x509_cmp.c
--- openssl-0.9.8g/crypto/x509/x509_cmp.c	2004-11-30 17:45:30.000000000 -0800
+++ openssl-0.9.8g-work/crypto/x509/x509_cmp.c	2009-02-27 12:20:32.000000000 -0800
@@ -263,6 +263,18 @@
 	return memcmp(a->data, b->data, a->length);
 	}
 
+static int X509_NAME_bytescmp(const X509_NAME *a, const X509_NAME *b)
+        {
+#ifndef OPENSSL_NO_BUFFER
+	int j;
+	j = a->bytes->length - b->bytes->length;
+	if (j) return j;
+	return memcmp(a->bytes->data, b->bytes->data, a->bytes->length);
+#else
+	return strcmp(a->bytes, b->bytes);
+#endif 
+        }
+
 #define STR_TYPE_CMP (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_UTF8STRING)
 
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
@@ -271,11 +283,12 @@
 	X509_NAME_ENTRY *na,*nb;
 
 	unsigned long nabit, nbbit;
+        int bytes_cmp = X509_NAME_bytescmp(a, b);
+        if (!bytes_cmp) return 0;
 
 	j = sk_X509_NAME_ENTRY_num(a->entries)
 		  - sk_X509_NAME_ENTRY_num(b->entries);
-	if (j)
-		return j;
+        if (j) return bytes_cmp;
 	for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
 		{
 		na=sk_X509_NAME_ENTRY_value(a->entries,i);
@@ -287,7 +300,7 @@
 			nbbit = ASN1_tag2bit(nb->value->type);
 			if (!(nabit & STR_TYPE_CMP) ||
 				!(nbbit & STR_TYPE_CMP))
-				return j;
+				return bytes_cmp;
 			j = asn1_string_memcmp(na->value, nb->value);
 			}
 		else if (na->value->type == V_ASN1_PRINTABLESTRING)
@@ -297,9 +310,9 @@
 			j=nocase_cmp(na->value, nb->value);
 		else
 			j = asn1_string_memcmp(na->value, nb->value);
-		if (j) return(j);
+		if (j) return bytes_cmp;
 		j=na->set-nb->set;
-		if (j) return(j);
+		if (j) return bytes_cmp;
 		}
 
 	/* We will check the object types after checking the values
@@ -310,7 +323,7 @@
 		na=sk_X509_NAME_ENTRY_value(a->entries,i);
 		nb=sk_X509_NAME_ENTRY_value(b->entries,i);
 		j=OBJ_cmp(na->object,nb->object);
-		if (j) return(j);
+		if (j) return bytes_cmp;
 		}
 	return(0);
 	}