diff --git a/security/nss/lib/ssl/ssl.h b/security/nss/lib/ssl/ssl.h
index 00b5db131959..8e51d4d349d3 100644
--- a/security/nss/lib/ssl/ssl.h
+++ b/security/nss/lib/ssl/ssl.h
@@ -32,7 +32,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- * $Id: ssl.h,v 1.13 2002/06/21 18:25:46 wtc%netscape.com Exp $
+ * $Id: ssl.h,v 1.14 2002/06/22 01:40:31 nelsonb%netscape.com Exp $
  */
 
 #ifndef __ssl_h_
@@ -138,6 +138,12 @@ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
 #define SSL_ALLOWED 1
 #define SSL_RESTRICTED 2 /* only with "Step-Up" certs. */
 
+/* Values for "on" with SSL_REQUIRE_CERTIFICATE. */
+#define SSL_REQUIRE_NEVER ((PRBool)0)
+#define SSL_REQUIRE_ALWAYS ((PRBool)1)
+#define SSL_REQUIRE_FIRST_HANDSHAKE ((PRBool)2)
+#define SSL_REQUIRE_NO_ERROR ((PRBool)3)
+
 /*
 ** Reset the handshake state for fd. This will make the complete SSL
 ** handshake protocol execute from the ground up on the next i/o
diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c
index 3970e41c6de8..3d6680194195 100644
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -33,7 +33,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- * $Id: ssl3con.c,v 1.36 2002/06/19 15:21:37 ian.mcgreer%sun.com Exp $
+ * $Id: ssl3con.c,v 1.37 2002/06/22 01:40:32 nelsonb%netscape.com Exp $
  */
 
 #include "nssrenam.h"
@@ -1615,8 +1615,9 @@ ssl3_HandleNoCertificate(sslSocket *ss)
  * first handshake because if we're redoing the handshake we
  * know the server is paying attention to the certificate.
  */
-    if ((ss->requireCertificate == 1) ||
-        (!ss->firstHsDone && (ss->requireCertificate > 1))) {
+    if ((ss->requireCertificate == SSL_REQUIRE_ALWAYS) ||
+        (!ss->firstHsDone &&
+        (ss->requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE))) {
         PRFileDesc * lower;
 
         ss->sec.uncache(ss->sec.ci.sid);
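Review bot: The new SSL_REQUIRE_* constants in ssl.h carry no description of what each value does, and the `((PRBool)2)` / `((PRBool)3)` casts make it look as if a boolean option is being overloaded with non-boolean values, so a caller could pass SSL_REQUIRE_NO_ERROR expecting a hard failure. From the ssl3con.c hunks in this commit the values appear to mean: NEVER, a missing client certificate is accepted; ALWAYS, a missing certificate aborts every handshake; FIRST_HANDSHAKE, aborts only until the first handshake on the socket has completed; NO_ERROR, never aborts, but a cached session without a peer certificate is dropped rather than resumed. I would replace the one-line comment with a `/* ... */` block listing each value with that one-line meaning, and add a sentence noting that the casts rely on PRBool being an integer typedef so that 2 and 3 survive the `PRBool on` parameter of SSL_OptionSet, which is not in this diff and should be confirmed to accept (and range-check) these values.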
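Review bot: The rewritten condition in ssl3_HandleNoCertificate now fails open for any requireCertificate value other than SSL_REQUIRE_ALWAYS and SSL_REQUIRE_FIRST_HANDSHAKE: the old `> 1` test treated every value above 1 as "require", whereas the new `== SSL_REQUIRE_FIRST_HANDSHAKE` test lets an unrecognised value (for instance one stored by SSL_OptionSet without range validation, which this diff does not show) continue the handshake with no client certificate. Not erroring is clearly the intent for SSL_REQUIRE_NO_ERROR, but unknown values should still fail closed. I would express the test as the complement of the two accept cases: `if (ss->requireCertificate != SSL_REQUIRE_NEVER &&` / `    ss->requireCertificate != SSL_REQUIRE_NO_ERROR &&` / `    (ss->requireCertificate != SSL_REQUIRE_FIRST_HANDSHAKE || !ss->firstHsDone)) {`, which gives the same result for the four defined values and rejects the missing certificate for anything else. ssl3_HandleNoCertificate begins before this hunk and its body continues past it, so the uncache/abort path that follows is not visible here.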
@@ -5009,8 +5010,10 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
  * then drop this old cache entry and start a new session.
  */
     if ((sid->peerCert == NULL) && ss->requestCertificate &&
-        ((ss->requireCertificate == 1) ||
-        ((ss->requireCertificate == 2) && !ss->firstHsDone))) {
+        ((ss->requireCertificate == SSL_REQUIRE_ALWAYS) ||
+        (ss->requireCertificate == SSL_REQUIRE_NO_ERROR) ||
+        ((ss->requireCertificate == SSL_REQUIRE_FIRST_HANDSHAKE)
+        && !ss->firstHsDone))) {
         ++ssl3stats.hch_sid_cache_not_ok;
         ss->sec.uncache(sid);