diff -u -r -N squid-3.4.0.1/acinclude/compiler-flags.m4 squid-3.4.0.2/acinclude/compiler-flags.m4
--- squid-3.4.0.1/acinclude/compiler-flags.m4 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/acinclude/compiler-flags.m4 2013-10-04 00:32:47.000000000 +1200
@@ -170,8 +170,8 @@
squid_cv_cc_arg_pipe=""
;;
clang)
- squid_cv_cxx_option_werror="-Werror -Wno-error=parentheses-equality -Qunused-arguments"
- squid_cv_cc_option_werror="$squid_cv_cxx_option_werror"
+ squid_cv_cxx_option_werror="-Werror -Qunused-arguments"
+ squid_cv_cc_option_werror="$squid_cv_cxx_option_werror"
squid_cv_cc_option_wall="-Wall"
squid_cv_cc_option_optimize="-O2"
squid_cv_cc_arg_pipe=""
diff -u -r -N squid-3.4.0.1/acinclude/squid-util.m4 squid-3.4.0.2/acinclude/squid-util.m4
--- squid-3.4.0.1/acinclude/squid-util.m4 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/acinclude/squid-util.m4 2013-10-04 00:32:47.000000000 +1200
@@ -216,10 +216,8 @@
;;
esac
])
- if test "x${squid_build_info:=no}" != "xno"; then
- AC_DEFINE_UNQUOTED([SQUID_BUILD_INFO],["$squid_build_info"],
- [Squid extended build info field for "squid -v" output])
- fi
+ AC_DEFINE_UNQUOTED([SQUID_BUILD_INFO],["$squid_build_info"],
+ [Squid extended build info field for "squid -v" output])
])
dnl like AC_SEARCH_LIBS, with an extra argument which is
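Review bot: With the `!= "xno"` guard removed, SQUID_BUILD_INFO is defined on every build, and the `:=no` default that the removed test applied is gone with it. Whether `$squid_build_info` is still initialised depends on the case statement above the hunk, which is not visible here. If it can be unset or `no`, the macro becomes an empty string or the literal `no`, and that text is what `squid -v` and any report printing the macro will show. The value is also pasted unescaped into a C string literal, so a `"` or backslash in the option value would produce a broken autoconf.h. A short comment above the AC_DEFINE_UNQUOTED stating the expected values and that the string must be literal-safe would help.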
diff -u -r -N squid-3.4.0.1/ChangeLog squid-3.4.0.2/ChangeLog
--- squid-3.4.0.1/ChangeLog 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/ChangeLog 2013-10-04 00:32:47.000000000 +1200
@@ -1,3 +1,17 @@
+Changes to squid-3.4.0.2 (03 Oct 2013):
+
+ - Regression Bug 3891: squid.conf parser errors in 3.4.0.1
+ - Regression Fix: re-disable MinGW C++11 support
+ - Bug 3914: partial: make squidclient tool build cleanly with -Wconversion
+ - Fix memory leak in refresh_pattern parsing
+ - negotiate_kerberos_auth: upgrade to present group= keys
+ - Handle NTLM helper returning OK without user= value
+ - Add dns_multicast_local to control mDNS operation
+ - Add --disable-arch-native build option
+ - Display Build-Info in cache manager info report
+ - ... and all changes from squid 3.3.9
+ - ... and some code and debug output polishing
+
Changes to squid-3.4.0.1 (29 Jul 2013):
- Port from 2.7: StoreURL (renamed Store-ID) support
@@ -40,6 +54,26 @@
- ... and many documentation changes
- ... and much code cleanup and polishing
+Changes to squid-3.3.9 (11 Sep 2013):
+
+ - Regression Bug 3077: off-by-one error in Digest header decoding
+ - Bug 3895: fix acl_uses_indirect_client and cache_peer_access
+ - Bug 3879: assertion failed ConnStateData::validatePinnedConnection
+ - Bug 3863: myportname acl causes segmentation fault
+ - Bug 3849: Duplicate certificate sent when using https_port
+ - Bug 2287: Better fix for unsupported HTTP version handling
+ - Bug 2112: Reload into If-None-Match
+ - Fix several assert with side effects in ICAP/eCAP response handling
+ - Fix myportname ACL on ICAP/eCAP transactions
+ - Fix external ACL user:pass detail logging after adaptation
+ - Fix SMP mgr:info report 'Largest file desc currently in use'
+ - Handle infinite certificate validation loops caused by OpenSSL Bug 3090.
+ - Improved compatibility with gcc 4.8, clang and icc
+ - Show number of available filedescriptors when reserved FD changes
+ - Sync with newest OpenSSL error codes
+ - Register Http2-Settings header
+ - ... and many Windows portability fixes
+
Changes to squid-3.3.8 (13 Jul 2013):
- Bug 3869: assertion failed: MemBuf.cc:272: size < capacity
diff -u -r -N squid-3.4.0.1/compat/cmsg.h squid-3.4.0.2/compat/cmsg.h
--- squid-3.4.0.1/compat/cmsg.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/compat/cmsg.h 2013-10-04 00:32:47.000000000 +1200
@@ -9,6 +9,12 @@
#include
#endif
+// WinSock2.h defines these for Windows
+#if HAVE_WINSOCK2_H
+#include
+#define CMSG_H_ // prevent re-definition
+#endif
+
#ifndef CMSG_H_
#define CMSG_H_
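Review bot: Pre-defining the include guard `CMSG_H_` to skip the rest of this header works only if winsock2.h supplies every name the body below would have declared. Anything the header adds beyond that would disappear on Windows with no diagnostic; the body is outside the hunk, so this cannot be checked here. It also turns the guard into a feature switch, which the next reader will not expect. Wrapping the fallback definitions in `#if !HAVE_WINSOCK2_H`, or at least a comment listing the symbols winsock2.h is relied on for, would make the dependency explicit.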
diff -u -r -N squid-3.4.0.1/compat/GnuRegex.c squid-3.4.0.2/compat/GnuRegex.c
--- squid-3.4.0.1/compat/GnuRegex.c 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/compat/GnuRegex.c 2013-10-04 00:32:47.000000000 +1200
@@ -90,8 +90,6 @@
#endif /* not SYNTAX_TABLE */
-#define SYNTAX(c) re_syntax_table[c]
-
/* Get the interface, including the syntax bits. */
#include "compat/GnuRegex.h"
@@ -889,9 +887,6 @@
#define INIT_COMPILE_STACK_SIZE 32
-#define COMPILE_STACK_EMPTY (compile_stack.avail == 0)
-#define COMPILE_STACK_FULL (compile_stack.avail == compile_stack.size)
-
/* The next available element. */
#define COMPILE_STACK_TOP (compile_stack.stack[compile_stack.avail])
@@ -1420,7 +1415,7 @@
bufp->re_nsub++;
regnum++;
- if (COMPILE_STACK_FULL) {
+ if (compile_stack.avail == compile_stack.size) {
RETALLOC(compile_stack.stack, compile_stack.size << 1,
compile_stack_elt_t);
if (compile_stack.stack == NULL)
@@ -1461,7 +1456,7 @@
if (syntax & RE_NO_BK_PARENS)
goto normal_backslash;
- if (COMPILE_STACK_EMPTY) {
+ if (compile_stack.avail == 0) {
if (syntax & RE_UNMATCHED_RIGHT_PAREN_ORD)
goto normal_backslash;
else
@@ -1479,7 +1474,7 @@
STORE_JUMP(jump_past_alt, fixup_alt_jump, b - 1);
}
/* See similar code for backslashed left paren above. */
- if (COMPILE_STACK_EMPTY) {
+ if (compile_stack.avail == 0) {
if (syntax & RE_UNMATCHED_RIGHT_PAREN_ORD)
goto normal_char;
else
@@ -1832,7 +1827,7 @@
if (fixup_alt_jump)
STORE_JUMP(jump_past_alt, fixup_alt_jump, b);
- if (!COMPILE_STACK_EMPTY)
+ if (compile_stack.avail != 0)
return REG_EPAREN;
free(compile_stack.stack);
@@ -2374,13 +2369,13 @@
case wordchar:
for (j = 0; j < (1 << BYTEWIDTH); j++)
- if (SYNTAX(j) == Sword)
+ if (re_syntax_table[j] == Sword)
fastmap[j] = 1;
break;
case notwordchar:
for (j = 0; j < (1 << BYTEWIDTH); j++)
- if (SYNTAX(j) != Sword)
+ if (re_syntax_table[j] != Sword)
fastmap[j] = 1;
break;
@@ -2732,21 +2727,31 @@
/* Test if at very beginning or at very end of the virtual concatenation
* of `string1' and `string2'. If only one string, it's `string2'. */
#define AT_STRINGS_BEG(d) ((d) == (size1 ? string1 : string2) || !size2)
-#define AT_STRINGS_END(d) ((d) == end2)
+static int at_strings_end(const char *d, const char *end2)
+{
+ return d == end2;
+}
/* Test if D points to a character which is word-constituent. We have
* two special cases to check for: if past the end of string1, look at
* the first character in string2; and if before the beginning of
* string2, look at the last character in string1. */
#define WORDCHAR_P(d) \
- (SYNTAX ((d) == end1 ? *string2 \
- : (d) == string2 - 1 ? *(end1 - 1) : *(d)) \
+ (re_syntax_table[(d) == end1 ? *string2 \
+ : (d) == string2 - 1 ? *(end1 - 1) : *(d)] \
== Sword)
+static int
+wordchar_p(const char *d, const char *end1, const char *string2)
+{
+ return re_syntax_table[(d) == end1 ? *string2
+ : (d) == string2 - 1 ? *(end1 - 1) : *(d)]
+ == Sword;
+}
/* Test if the character before D and the one at D differ with respect
* to being word-constituent. */
#define AT_WORD_BOUNDARY(d) \
- (AT_STRINGS_BEG (d) || AT_STRINGS_END (d) \
+ (AT_STRINGS_BEG (d) || at_strings_end(d,end2) \
|| WORDCHAR_P (d - 1) != WORDCHAR_P (d))
/* Free everything we malloc. */
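Review bot: wordchar_p() indexes re_syntax_table with a plain `char` read through `const char *`, so where char is signed a byte of 0x80 or above becomes a negative index and reads before the table. The WORDCHAR_P macro kept beside it has the same expression, so this is inherited rather than introduced, but the new function is where the type is now fixed and the cast belongs: `return re_syntax_table[(unsigned char)(d == end1 ? *string2 : d == string2 - 1 ? *(end1 - 1) : *d)] == Sword;`. The strings matched here are presumably request data, so the index would be influenced by remote input (callers are outside the hunk). WORDCHAR_P is still used for `d - 1` in AT_WORD_BOUNDARY and in the wordbeg/wordend cases of the @@ -3739 hunk, so the macro needs the same cast or should be replaced by the function there as well.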
@@ -3440,7 +3445,7 @@
case endline:
DEBUG_PRINT1("EXECUTING endline.\n");
- if (AT_STRINGS_END(d)) {
+ if (at_strings_end(d,end2)) {
if (!bufp->not_eol)
break;
}
@@ -3461,7 +3466,7 @@
/* Match at the very end of the data. */
case endbuf:
DEBUG_PRINT1("EXECUTING endbuf.\n");
- if (AT_STRINGS_END(d))
+ if (at_strings_end(d,end2))
break;
goto fail;
@@ -3739,21 +3744,21 @@
case wordbeg:
DEBUG_PRINT1("EXECUTING wordbeg.\n");
- if (WORDCHAR_P(d) && (AT_STRINGS_BEG(d) || !WORDCHAR_P(d - 1)))
+ if (wordchar_p(d,end1,string2) && (AT_STRINGS_BEG(d) || !WORDCHAR_P(d - 1)))
break;
goto fail;
case wordend:
DEBUG_PRINT1("EXECUTING wordend.\n");
if (!AT_STRINGS_BEG(d) && WORDCHAR_P(d - 1)
- && (!WORDCHAR_P(d) || AT_STRINGS_END(d)))
+ && (!wordchar_p(d,end1,string2) || at_strings_end(d,end2)))
break;
goto fail;
case wordchar:
DEBUG_PRINT1("EXECUTING non-Emacs wordchar.\n");
PREFETCH();
- if (!WORDCHAR_P(d))
+ if (!wordchar_p(d,end1,string2))
goto fail;
SET_REGS_MATCHED();
d++;
@@ -3762,7 +3767,7 @@
case notwordchar:
DEBUG_PRINT1("EXECUTING non-Emacs notwordchar.\n");
PREFETCH();
- if (WORDCHAR_P(d))
+ if (wordchar_p(d,end1,string2))
goto fail;
SET_REGS_MATCHED();
d++;
diff -u -r -N squid-3.4.0.1/compat/os/mswindows.h squid-3.4.0.2/compat/os/mswindows.h
--- squid-3.4.0.1/compat/os/mswindows.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/compat/os/mswindows.h 2013-10-04 00:32:47.000000000 +1200
@@ -71,6 +71,11 @@
#define NOMINMAX
#endif
+/// some builds of MinGW do not define IPV6_V6ONLY socket option
+#if !defined(IPV6_V6ONLY)
+#define IPV6_V6ONLY 27
+#endif
+
#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64
# define __USE_FILE_OFFSET64 1
#endif
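Review bot: The fallback `#define IPV6_V6ONLY 27` is a bare number with no pointer to its origin. It is also tested at this point in the header, so it behaves as intended only if the Winsock headers that may define it are already included, which is not visible in the hunk. I would extend the comment to something like `/// fallback mirrors the Windows SDK value (confirm); must come after the winsock includes`. Defining the constant only makes the setsockopt() calls compile, and the call still fails at run time on a stack that lacks the option. Because this option decides whether an IPv6 listener also accepts IPv4-mapped traffic, callers should check the result rather than assume it took effect.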
@@ -469,6 +474,18 @@
{
/** \endcond */
+/*
+ * Each of these functions is defined in the Squid namespace so as not to
+ * clash with the winsock.h and winsock2.h definitions.
+ * It is then paired with a #define to cause these wrappers to be used by
+ * the main code instead of those system definitions.
+ *
+ * We do this wrapper in order to:
+ * - cast the parameter types in only one place, and
+ * - record errors in POSIX errno variable, and
+ * - map the FD value used by Squid to the socket handes used by Windows.
+ */
+
inline int
accept(int s, struct sockaddr * a, socklen_t * l)
{
@@ -720,6 +737,7 @@
} else
return 0;
}
+#define WSAAsyncSelect(s,h,w,e) Squid::WSAAsyncSelect(s,h,w,e)
#undef WSADuplicateSocket
inline int
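Review bot: The new `#define WSAAsyncSelect(s,h,w,e) Squid::WSAAsyncSelect(s,h,w,e)`, and the matching WSADuplicateSocket and WSASocket defines in the next two hunks, are order-sensitive in a way the block comment added above accept() does not mention. Any system header included after this point that declares these functions would have its declaration rewritten by the macro, and an explicitly qualified call `Squid::WSASocket(...)` would expand to `Squid::Squid::WSASocket(...)`. I would add a line to that comment such as `* These #defines must come after all Windows socket headers; call the wrappers unqualified.` The wrapper bodies start outside these hunks, so whether they reach the system functions through a `::` qualified name cannot be confirmed here.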
@@ -735,6 +753,7 @@
} else
return 0;
}
+#define WSADuplicateSocket(s,n,l) Squid::WSADuplicateSocket(s,n,l)
#undef WSASocket
inline int
@@ -752,6 +771,7 @@
} else
return _open_osfhandle(result, 0);
}
+#define WSASocket(a,t,p,i,g,f) Squid::WSASocket(a,t,p,i,g,f)
} /* namespace Squid */
@@ -782,6 +802,11 @@
#define open _open /* Needed in win32lib.c */
#endif /* #ifdef __cplusplus */
+/* provide missing definitions from resoruce.h */
+/* NP: sys/resource.h and sys/time.h are apparently order-dependant. */
+#if HAVE_SYS_TIME_H
+#include
+#endif
#if HAVE_SYS_RESOURCE_H
#include
#else
diff -u -r -N squid-3.4.0.1/configure squid-3.4.0.2/configure
--- squid-3.4.0.1/configure 2013-07-29 10:46:52.000000000 +1200
+++ squid-3.4.0.2/configure 2013-10-04 00:33:30.000000000 +1200
@@ -1,7 +1,7 @@
#! /bin/sh
# From configure.ac Revision.
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.4.0.1.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.4.0.2.
#
# Report bugs to .
#
@@ -575,8 +575,8 @@
# Identity of this package.
PACKAGE_NAME='Squid Web Proxy'
PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.4.0.1'
-PACKAGE_STRING='Squid Web Proxy 3.4.0.1'
+PACKAGE_VERSION='3.4.0.2'
+PACKAGE_STRING='Squid Web Proxy 3.4.0.2'
PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
PACKAGE_URL=''
@@ -912,6 +912,7 @@
enable_option_checking
enable_maintainer_mode
enable_dependency_tracking
+enable_arch_native
enable_strict_error_checking
enable_loadable_modules
enable_shared
@@ -1574,7 +1575,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.4.0.1 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.4.0.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1644,7 +1645,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Squid Web Proxy 3.4.0.1:";;
+ short | recursive ) echo "Configuration of Squid Web Proxy 3.4.0.2:";;
esac
cat <<\_ACEOF
@@ -1656,6 +1657,10 @@
(and sometimes confusing) to the casual installer
--disable-dependency-tracking speeds up one-time build
--enable-dependency-tracking do not reject slow dependency extractors
+ --disable-arch-native Some compilers offer CPU-specific optimizations with
+ the -march=native parameter. This flag disables the
+ optimization. The default is to auto-detect compiler
+ support and use where available.
--disable-strict-error-checking
By default squid is compiled with all possible
static compiler error-checks enabled. This flag
@@ -2028,7 +2033,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Squid Web Proxy configure 3.4.0.1
+Squid Web Proxy configure 3.4.0.2
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3124,7 +3129,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Squid Web Proxy $as_me 3.4.0.1, which was
+It was created by Squid Web Proxy $as_me 3.4.0.2, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
@@ -3943,7 +3948,7 @@
# Define the identity of the package.
PACKAGE='squid'
- VERSION='3.4.0.1'
+ VERSION='3.4.0.2'
cat >>confdefs.h <<_ACEOF
@@ -5983,8 +5988,24 @@
-# Clang 3.2 on some CPUs requires -march-native to detect correctly
-# GCC 4.3+ can also produce faster executables when its used
+# Clang 3.2 on some CPUs requires -march-native to detect correctly.
+# GCC 4.3+ can also produce faster executables when its used.
+# But building inside a virtual machine environment has been found to
+# cause random Illegal Instruction errors due to mis-detection of CPU.
+# Check whether --enable-arch-native was given.
+if test "${enable_arch_native+set}" = set; then :
+ enableval=$enable_arch_native;
+
+if test "$enableval" != "yes" -a "$enableval" != "no" ; then
+ as_fn_error $? "Unrecognized argument to --disable-arch-native: $enableval" "$LINENO" 5
+fi
+
+
+fi
+
+{ $as_echo "$as_me:${as_lineno-$LINENO}: CPU -march=native optimization enabled: ${enable_arch_native:=auto}" >&5
+$as_echo "$as_me: CPU -march=native optimization enabled: ${enable_arch_native:=auto}" >&6;}
+if test "x${enable_arch_native}" != "xno"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler accepts -march=native" >&5
@@ -6023,6 +6044,7 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $squid_cv_check_marchnative" >&5
$as_echo "$squid_cv_check_marchnative" >&6; }
+fi
# might be cross-compiling.
if test "x$HOSTCXX" = "x"; then
@@ -6687,7 +6709,8 @@
fi
-if test "x$ax_cv_cxx_compile_cxx0x_cxx" = "xyes" ; then
+if test "x$ax_cv_cxx_compile_cxx0x_cxx" = "xyes" -a \
+ "x$squid_host_os" != "xmingw" ; then
#BUG 3613: when clang -std=c++0x is used, it activates a "strict mode"
# in the system libraries, which makes some c99 methods unavailable
# (e.g. strtoll), yet configure detects them as avilable.
@@ -18608,7 +18631,7 @@
squid_cv_cc_arg_pipe=""
;;
clang)
- squid_cv_cxx_option_werror="-Werror -Wno-error=parentheses-equality -Qunused-arguments"
+ squid_cv_cxx_option_werror="-Werror -Qunused-arguments"
squid_cv_cc_option_werror="$squid_cv_cxx_option_werror"
squid_cv_cc_option_wall="-Wall"
squid_cv_cc_option_optimize="-O2"
@@ -18956,13 +18979,11 @@
fi
- if test "x${squid_build_info:=no}" != "xno"; then
cat >>confdefs.h <<_ACEOF
#define SQUID_BUILD_INFO "$squid_build_info"
_ACEOF
- fi
# Check whether --enable-optimizations was given.
@@ -24126,6 +24147,14 @@
#define HAVE_DECL_KRB5_KT_FREE_ENTRY $ac_have_decl
_ACEOF
+ ac_fn_cxx_check_type "$LINENO" "krb5_pac" "ac_cv_type_krb5_pac" "#include
+"
+if test "x$ac_cv_type_krb5_pac" = xyes; then :
+
+$as_echo "#define HAVE_KRB5_PAC 1" >>confdefs.h
+
+fi
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_kt_free_entry in -lkrb5" >&5
$as_echo_n "checking for krb5_kt_free_entry in -lkrb5... " >&6; }
if ${ac_cv_lib_krb5_krb5_kt_free_entry+:} false; then :
@@ -24378,6 +24407,190 @@
fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_get_renewed_creds in -lkrb5" >&5
+$as_echo_n "checking for krb5_get_renewed_creds in -lkrb5... " >&6; }
+if ${ac_cv_lib_krb5_krb5_get_renewed_creds+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char krb5_get_renewed_creds ();
+int
+main ()
+{
+return krb5_get_renewed_creds ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_cxx_try_link "$LINENO"; then :
+ ac_cv_lib_krb5_krb5_get_renewed_creds=yes
+else
+ ac_cv_lib_krb5_krb5_get_renewed_creds=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_krb5_krb5_get_renewed_creds" >&5
+$as_echo "$ac_cv_lib_krb5_krb5_get_renewed_creds" >&6; }
+if test "x$ac_cv_lib_krb5_krb5_get_renewed_creds" = xyes; then :
+
+$as_echo "#define HAVE_KRB5_GET_RENEWED_CREDS 1" >>confdefs.h
+
+fi
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_principal_get_realm in -lkrb5" >&5
+$as_echo_n "checking for krb5_principal_get_realm in -lkrb5... " >&6; }
+if ${ac_cv_lib_krb5_krb5_principal_get_realm+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char krb5_principal_get_realm ();
+int
+main ()
+{
+return krb5_principal_get_realm ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_cxx_try_link "$LINENO"; then :
+ ac_cv_lib_krb5_krb5_principal_get_realm=yes
+else
+ ac_cv_lib_krb5_krb5_principal_get_realm=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_krb5_krb5_principal_get_realm" >&5
+$as_echo "$ac_cv_lib_krb5_krb5_principal_get_realm" >&6; }
+if test "x$ac_cv_lib_krb5_krb5_principal_get_realm" = xyes; then :
+
+$as_echo "#define HAVE_KRB5_PRINCIPAL_GET_REALM 1" >>confdefs.h
+
+fi
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_get_init_creds_opt_alloc in -lkrb5" >&5
+$as_echo_n "checking for krb5_get_init_creds_opt_alloc in -lkrb5... " >&6; }
+if ${ac_cv_lib_krb5_krb5_get_init_creds_opt_alloc+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5 $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char krb5_get_init_creds_opt_alloc ();
+int
+main ()
+{
+return krb5_get_init_creds_opt_alloc ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_cxx_try_link "$LINENO"; then :
+ ac_cv_lib_krb5_krb5_get_init_creds_opt_alloc=yes
+else
+ ac_cv_lib_krb5_krb5_get_init_creds_opt_alloc=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_krb5_krb5_get_init_creds_opt_alloc" >&5
+$as_echo "$ac_cv_lib_krb5_krb5_get_init_creds_opt_alloc" >&6; }
+if test "x$ac_cv_lib_krb5_krb5_get_init_creds_opt_alloc" = xyes; then :
+
+$as_echo "#define HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC 1" >>confdefs.h
+
+fi
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for krb5_get_init_creds_free requires krb5_context" >&5
+$as_echo_n "checking for krb5_get_init_creds_free requires krb5_context... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include
+
+int
+main ()
+{
+krb5_context context;
+ krb5_get_init_creds_opt *options;
+ krb5_get_init_creds_opt_free(context, options)
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_cxx_try_compile "$LINENO"; then :
+
+
+$as_echo "#define HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT 1" >>confdefs.h
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+ for ac_func in gss_map_name_to_any
+do :
+ ac_fn_cxx_check_func "$LINENO" "gss_map_name_to_any" "ac_cv_func_gss_map_name_to_any"
+if test "x$ac_cv_func_gss_map_name_to_any" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GSS_MAP_NAME_TO_ANY 1
+_ACEOF
+
+$as_echo "#define HAVE_GSS_MAP_ANY_TO_ANY 1" >>confdefs.h
+
+fi
+done
+
+ for ac_func in gsskrb5_extract_authz_data_from_sec_context
+do :
+ ac_fn_cxx_check_func "$LINENO" "gsskrb5_extract_authz_data_from_sec_context" "ac_cv_func_gsskrb5_extract_authz_data_from_sec_context"
+if test "x$ac_cv_func_gsskrb5_extract_authz_data_from_sec_context" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT 1
+_ACEOF
+
+$as_echo "#define HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT 1" >>confdefs.h
+
+fi
+done
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for memory cache" >&5
@@ -32882,7 +33095,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Squid Web Proxy $as_me 3.4.0.1, which was
+This file was extended by Squid Web Proxy $as_me 3.4.0.2, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -32948,7 +33161,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-Squid Web Proxy config.status 3.4.0.1
+Squid Web Proxy config.status 3.4.0.2
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
diff -u -r -N squid-3.4.0.1/configure.ac squid-3.4.0.2/configure.ac
--- squid-3.4.0.1/configure.ac 2013-07-29 10:46:52.000000000 +1200
+++ squid-3.4.0.2/configure.ac 2013-10-04 00:33:30.000000000 +1200
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.4.0.1],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.4.0.2],[http://bugs.squid-cache.org/],[squid])
AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
@@ -35,9 +35,22 @@
AC_LANG([C++])
AC_CANONICAL_HOST
-# Clang 3.2 on some CPUs requires -march-native to detect correctly
-# GCC 4.3+ can also produce faster executables when its used
-SQUID_CC_CHECK_ARGUMENT([squid_cv_check_marchnative],[-march=native])
+# Clang 3.2 on some CPUs requires -march-native to detect correctly.
+# GCC 4.3+ can also produce faster executables when its used.
+# But building inside a virtual machine environment has been found to
+# cause random Illegal Instruction errors due to mis-detection of CPU.
+AC_ARG_ENABLE(arch-native,
+ AS_HELP_STRING([--disable-arch-native],[Some compilers offer CPU-specific
+ optimizations with the -march=native parameter.
+ This flag disables the optimization. The default is to
+ auto-detect compiler support and use where available.]), [
+ SQUID_YESNO([$enableval],
+ [Unrecognized argument to --disable-arch-native: $enableval])
+])
+AC_MSG_NOTICE([CPU -march=native optimization enabled: ${enable_arch_native:=auto}])
+if test "x${enable_arch_native}" != "xno"; then
+ SQUID_CC_CHECK_ARGUMENT([squid_cv_check_marchnative],[-march=native])
+fi
# might be cross-compiling.
if test "x$HOSTCXX" = "x"; then
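Review bot: The default for enable_arch_native is assigned as a side effect of the `${enable_arch_native:=auto}` expansion inside AC_MSG_NOTICE. The following `test` does not need it, since an unset value also differs from `no`, so the assignment is hidden state in a log line. Either drop the `:=` there or set it explicitly beforehand with `: ${enable_arch_native:=auto}`. The notice prints "enabled: auto" before the compiler probe has run, which can be read as the flag being in effect. Because the default stays on, a binary built on one host and deployed on another still needs --disable-arch-native, which the help string could state alongside the Illegal Instruction remark in the comment.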
@@ -71,7 +84,8 @@
# Check for C++0x compiler support
AX_CXX_COMPILE_STDCXX_0X
-if test "x$ax_cv_cxx_compile_cxx0x_cxx" = "xyes" ; then
+if test "x$ax_cv_cxx_compile_cxx0x_cxx" = "xyes" -a \
+ "x$squid_host_os" != "xmingw" ; then
#BUG 3613: when clang -std=c++0x is used, it activates a "strict mode"
# in the system libraries, which makes some c99 methods unavailable
# (e.g. strtoll), yet configure detects them as avilable.
@@ -1906,6 +1920,10 @@
AC_DEFINE(HAVE_KRB5_GET_ERROR_MESSAGE,1,
[Define to 1 if you have krb5_get_error_message]),)
AC_CHECK_DECLS(krb5_kt_free_entry,,,[#include ])
+ AC_CHECK_TYPE(krb5_pac,
+ AC_DEFINE(HAVE_KRB5_PAC,1,
+ [Define to 1 if you have krb5_pac]),,
+ [#include ])
AC_CHECK_LIB(krb5,krb5_kt_free_entry,
AC_DEFINE(HAVE_KRB5_KT_FREE_ENTRY,1,
[Define to 1 if you have krb5_kt_free_entry]),)
@@ -1924,6 +1942,33 @@
AC_CHECK_LIB(krb5,profile_release,
AC_DEFINE(HAVE_PROFILE_RELEASE,1,
[Define to 1 if you have profile_release]),)
+ AC_CHECK_LIB(krb5,krb5_get_renewed_creds,
+ AC_DEFINE(HAVE_KRB5_GET_RENEWED_CREDS,1,
+ [Define to 1 if you have krb5_get_renewed_creds]),)
+ AC_CHECK_LIB(krb5,krb5_principal_get_realm,
+ AC_DEFINE(HAVE_KRB5_PRINCIPAL_GET_REALM,1,
+ [Define to 1 if you have krb5_principal_get_realm]),)
+ AC_CHECK_LIB(krb5, krb5_get_init_creds_opt_alloc,
+ AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC,1,
+ [Define to 1 if you have krb5_get_init_creds_opt_alloc]),)
+ AC_MSG_CHECKING([for krb5_get_init_creds_free requires krb5_context])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include
+ ]],[[krb5_context context;
+ krb5_get_init_creds_opt *options;
+ krb5_get_init_creds_opt_free(context, options)]])],[
+ AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT,1,
+ [Define to 1 if you krb5_get_init_creds_free requires krb5_context])
+ AC_MSG_RESULT(yes)
+ ],[AC_MSG_RESULT(no)],[AC_MSG_RESULT(no)])
+
+
+ AC_CHECK_FUNCS(gss_map_name_to_any,
+ AC_DEFINE(HAVE_GSS_MAP_ANY_TO_ANY,1,
+ [Define to 1 if you have gss_map_name_to_any]),)
+ AC_CHECK_FUNCS(gsskrb5_extract_authz_data_from_sec_context,
+ AC_DEFINE(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT,1,
+ [Define to 1 if you have gsskrb5_extract_authz_data_from_sec_context]),)
SQUID_CHECK_KRB5_CONTEXT_MEMORY_CACHE
SQUID_DEFINE_BOOL(HAVE_KRB5_MEMORY_CACHE,$squid_cv_memory_cache,
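Review bot: The gss_map_name_to_any check defines `HAVE_GSS_MAP_ANY_TO_ANY`, which does not match the function name. AC_CHECK_FUNCS already defines `HAVE_GSS_MAP_NAME_TO_ANY` by itself, so the feature is seen only if the helper tests the differently spelled macro. For gsskrb5_extract_authz_data_from_sec_context the explicit AC_DEFINE just duplicates what AC_CHECK_FUNCS emits. These macros presumably gate the PAC/group extraction in the Kerberos helper, so a name mismatch would compile that path out with no configure error. I would reduce both to `AC_CHECK_FUNCS(gss_map_name_to_any gsskrb5_extract_authz_data_from_sec_context)` after confirming which name the helper tests. The AC_MSG_CHECKING text and `HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT` also say krb5_get_init_creds_free, while the probe calls krb5_get_init_creds_opt_free.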
diff -u -r -N squid-3.4.0.1/errors/af/error-details.txt squid-3.4.0.2/errors/af/error-details.txt
--- squid-3.4.0.1/errors/af/error-details.txt 2013-07-29 10:48:16.000000000 +1200
+++ squid-3.4.0.2/errors/af/error-details.txt 2013-10-04 00:34:54.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ar/error-details.txt squid-3.4.0.2/errors/ar/error-details.txt
--- squid-3.4.0.1/errors/ar/error-details.txt 2013-07-29 10:48:37.000000000 +1200
+++ squid-3.4.0.2/errors/ar/error-details.txt 2013-10-04 00:35:14.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/az/error-details.txt squid-3.4.0.2/errors/az/error-details.txt
--- squid-3.4.0.1/errors/az/error-details.txt 2013-07-29 10:48:58.000000000 +1200
+++ squid-3.4.0.2/errors/az/error-details.txt 2013-10-04 00:35:37.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
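Review bot: The new `SQUID_X509_V_ERR_INFINITE_VALIDATION` entry puts `%ssl_subject` into its `detail` line, and that value presumably comes from the certificate the remote server presented, so it is not trusted input. The code that expands the macro is not part of this hunk, so confirm that the subject is HTML-escaped (and length-bounded) before it reaches an error page or a log line. The same template, `detail: "%ssl_error_descr: %ssl_subject"`, is used by every entry added in the following hunk and in the other error-details.txt files of this diff.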
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
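Review bot: Several of the added `descr` strings read like library-level messages rather than text for the person looking at a proxy error. `proxy certificates not allowed, please set the appropriate flag` asks for an action that neither a proxy user nor an administrator can take from this page; `descr: "proxy certificates not allowed"` would be clearer. `Different CRL scope` and `Unsupported extension feature` are capitalised while the other new entries in this hunk are lower-case, so pick one form. The identical block is added to the other error-details.txt files in this diff, so the localized directories also receive English text; if that is intended as a fallback until translations exist, say so in the ChangeLog.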
diff -u -r -N squid-3.4.0.1/errors/bg/error-details.txt squid-3.4.0.2/errors/bg/error-details.txt
--- squid-3.4.0.1/errors/bg/error-details.txt 2013-07-29 10:49:19.000000000 +1200
+++ squid-3.4.0.2/errors/bg/error-details.txt 2013-10-04 00:35:58.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ca/error-details.txt squid-3.4.0.2/errors/ca/error-details.txt
--- squid-3.4.0.1/errors/ca/error-details.txt 2013-07-29 10:49:40.000000000 +1200
+++ squid-3.4.0.2/errors/ca/error-details.txt 2013-10-04 00:36:23.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/cs/error-details.txt squid-3.4.0.2/errors/cs/error-details.txt
--- squid-3.4.0.1/errors/cs/error-details.txt 2013-07-29 10:50:03.000000000 +1200
+++ squid-3.4.0.2/errors/cs/error-details.txt 2013-10-04 00:36:44.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/da/error-details.txt squid-3.4.0.2/errors/da/error-details.txt
--- squid-3.4.0.1/errors/da/error-details.txt 2013-07-29 10:50:26.000000000 +1200
+++ squid-3.4.0.2/errors/da/error-details.txt 2013-10-04 00:37:05.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/de/error-details.txt squid-3.4.0.2/errors/de/error-details.txt
--- squid-3.4.0.1/errors/de/error-details.txt 2013-07-29 10:50:56.000000000 +1200
+++ squid-3.4.0.2/errors/de/error-details.txt 2013-10-04 00:37:25.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/el/error-details.txt squid-3.4.0.2/errors/el/error-details.txt
--- squid-3.4.0.1/errors/el/error-details.txt 2013-07-29 10:51:38.000000000 +1200
+++ squid-3.4.0.2/errors/el/error-details.txt 2013-10-04 00:37:46.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/en/error-details.txt squid-3.4.0.2/errors/en/error-details.txt
--- squid-3.4.0.1/errors/en/error-details.txt 2013-07-29 10:52:02.000000000 +1200
+++ squid-3.4.0.2/errors/en/error-details.txt 2013-10-04 00:38:06.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/es/error-details.txt squid-3.4.0.2/errors/es/error-details.txt
--- squid-3.4.0.1/errors/es/error-details.txt 2013-07-29 10:52:42.000000000 +1200
+++ squid-3.4.0.2/errors/es/error-details.txt 2013-10-04 00:38:27.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/et/error-details.txt squid-3.4.0.2/errors/et/error-details.txt
--- squid-3.4.0.1/errors/et/error-details.txt 2013-07-29 10:53:08.000000000 +1200
+++ squid-3.4.0.2/errors/et/error-details.txt 2013-10-04 00:38:47.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
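Review bot: Every entry added in this hunk uses `detail: "%ssl_error_descr: %ssl_subject"`, and `%ssl_subject` is presumably the subject of the certificate being verified, a value chosen by the remote peer. Whether the code that expands these templates into an error page escapes that value is not visible here, so confirm it before more X509_V_ERR_* codes are routed through the same template. On style, `descr: "Different CRL scope"` and `descr: "Unsupported extension feature"` are capitalised while the other added descriptions are lower-case, and the surrounding context entries ("Key usage does not include certificate signing") use sentence case; one form throughout would read better. The identical block is repeated in the other per-language error-details.txt copies in this patch (fa, fi, fr, he, hu, hy, id, it, ja), so both points apply there too.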
diff -u -r -N squid-3.4.0.1/errors/fa/error-details.txt squid-3.4.0.2/errors/fa/error-details.txt
--- squid-3.4.0.1/errors/fa/error-details.txt 2013-07-29 10:53:34.000000000 +1200
+++ squid-3.4.0.2/errors/fa/error-details.txt 2013-10-04 00:39:08.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/fi/error-details.txt squid-3.4.0.2/errors/fi/error-details.txt
--- squid-3.4.0.1/errors/fi/error-details.txt 2013-07-29 10:54:00.000000000 +1200
+++ squid-3.4.0.2/errors/fi/error-details.txt 2013-10-04 00:39:28.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/fr/error-details.txt squid-3.4.0.2/errors/fr/error-details.txt
--- squid-3.4.0.1/errors/fr/error-details.txt 2013-07-29 10:54:23.000000000 +1200
+++ squid-3.4.0.2/errors/fr/error-details.txt 2013-10-04 00:39:49.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/he/error-details.txt squid-3.4.0.2/errors/he/error-details.txt
--- squid-3.4.0.1/errors/he/error-details.txt 2013-07-29 10:54:46.000000000 +1200
+++ squid-3.4.0.2/errors/he/error-details.txt 2013-10-04 00:40:09.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/hu/error-details.txt squid-3.4.0.2/errors/hu/error-details.txt
--- squid-3.4.0.1/errors/hu/error-details.txt 2013-07-29 10:55:08.000000000 +1200
+++ squid-3.4.0.2/errors/hu/error-details.txt 2013-10-04 00:40:30.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/hy/error-details.txt squid-3.4.0.2/errors/hy/error-details.txt
--- squid-3.4.0.1/errors/hy/error-details.txt 2013-07-29 10:55:28.000000000 +1200
+++ squid-3.4.0.2/errors/hy/error-details.txt 2013-10-04 00:40:50.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/id/error-details.txt squid-3.4.0.2/errors/id/error-details.txt
--- squid-3.4.0.1/errors/id/error-details.txt 2013-07-29 10:55:49.000000000 +1200
+++ squid-3.4.0.2/errors/id/error-details.txt 2013-10-04 00:41:11.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/it/error-details.txt squid-3.4.0.2/errors/it/error-details.txt
--- squid-3.4.0.1/errors/it/error-details.txt 2013-07-29 10:56:14.000000000 +1200
+++ squid-3.4.0.2/errors/it/error-details.txt 2013-10-04 00:41:32.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ja/error-details.txt squid-3.4.0.2/errors/ja/error-details.txt
--- squid-3.4.0.1/errors/ja/error-details.txt 2013-07-29 10:56:40.000000000 +1200
+++ squid-3.4.0.2/errors/ja/error-details.txt 2013-10-04 00:41:53.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ko/error-details.txt squid-3.4.0.2/errors/ko/error-details.txt
--- squid-3.4.0.1/errors/ko/error-details.txt 2013-07-29 10:57:01.000000000 +1200
+++ squid-3.4.0.2/errors/ko/error-details.txt 2013-10-04 00:42:13.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/lt/error-details.txt squid-3.4.0.2/errors/lt/error-details.txt
--- squid-3.4.0.1/errors/lt/error-details.txt 2013-07-29 10:57:22.000000000 +1200
+++ squid-3.4.0.2/errors/lt/error-details.txt 2013-10-04 00:42:34.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/lv/error-details.txt squid-3.4.0.2/errors/lv/error-details.txt
--- squid-3.4.0.1/errors/lv/error-details.txt 2013-07-29 10:57:42.000000000 +1200
+++ squid-3.4.0.2/errors/lv/error-details.txt 2013-10-04 00:42:55.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ms/error-details.txt squid-3.4.0.2/errors/ms/error-details.txt
--- squid-3.4.0.1/errors/ms/error-details.txt 2013-07-29 10:58:02.000000000 +1200
+++ squid-3.4.0.2/errors/ms/error-details.txt 2013-10-04 00:43:15.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/nl/error-details.txt squid-3.4.0.2/errors/nl/error-details.txt
--- squid-3.4.0.1/errors/nl/error-details.txt 2013-07-29 10:58:23.000000000 +1200
+++ squid-3.4.0.2/errors/nl/error-details.txt 2013-10-04 00:43:36.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/oc/error-details.txt squid-3.4.0.2/errors/oc/error-details.txt
--- squid-3.4.0.1/errors/oc/error-details.txt 2013-07-29 10:58:44.000000000 +1200
+++ squid-3.4.0.2/errors/oc/error-details.txt 2013-10-04 00:43:56.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/pl/error-details.txt squid-3.4.0.2/errors/pl/error-details.txt
--- squid-3.4.0.1/errors/pl/error-details.txt 2013-07-29 10:59:05.000000000 +1200
+++ squid-3.4.0.2/errors/pl/error-details.txt 2013-10-04 00:44:17.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/pt/error-details.txt squid-3.4.0.2/errors/pt/error-details.txt
--- squid-3.4.0.1/errors/pt/error-details.txt 2013-07-29 10:59:46.000000000 +1200
+++ squid-3.4.0.2/errors/pt/error-details.txt 2013-10-04 00:44:59.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/pt-br/error-details.txt squid-3.4.0.2/errors/pt-br/error-details.txt
--- squid-3.4.0.1/errors/pt-br/error-details.txt 2013-07-29 10:59:26.000000000 +1200
+++ squid-3.4.0.2/errors/pt-br/error-details.txt 2013-10-04 00:44:38.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ro/error-details.txt squid-3.4.0.2/errors/ro/error-details.txt
--- squid-3.4.0.1/errors/ro/error-details.txt 2013-07-29 11:00:09.000000000 +1200
+++ squid-3.4.0.2/errors/ro/error-details.txt 2013-10-04 00:45:20.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/ru/error-details.txt squid-3.4.0.2/errors/ru/error-details.txt
--- squid-3.4.0.1/errors/ru/error-details.txt 2013-07-29 11:00:30.000000000 +1200
+++ squid-3.4.0.2/errors/ru/error-details.txt 2013-10-04 00:45:40.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/sk/error-details.txt squid-3.4.0.2/errors/sk/error-details.txt
--- squid-3.4.0.1/errors/sk/error-details.txt 2013-07-29 11:00:51.000000000 +1200
+++ squid-3.4.0.2/errors/sk/error-details.txt 2013-10-04 00:46:01.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/sl/error-details.txt squid-3.4.0.2/errors/sl/error-details.txt
--- squid-3.4.0.1/errors/sl/error-details.txt 2013-07-29 11:01:17.000000000 +1200
+++ squid-3.4.0.2/errors/sl/error-details.txt 2013-10-04 00:46:22.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/sr-cyrl/error-details.txt squid-3.4.0.2/errors/sr-cyrl/error-details.txt
--- squid-3.4.0.1/errors/sr-cyrl/error-details.txt 2013-07-29 11:01:40.000000000 +1200
+++ squid-3.4.0.2/errors/sr-cyrl/error-details.txt 2013-10-04 00:46:42.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/sr-latn/error-details.txt squid-3.4.0.2/errors/sr-latn/error-details.txt
--- squid-3.4.0.1/errors/sr-latn/error-details.txt 2013-07-29 11:02:01.000000000 +1200
+++ squid-3.4.0.2/errors/sr-latn/error-details.txt 2013-10-04 00:47:03.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/sv/error-details.txt squid-3.4.0.2/errors/sv/error-details.txt
--- squid-3.4.0.1/errors/sv/error-details.txt 2013-07-29 11:02:22.000000000 +1200
+++ squid-3.4.0.2/errors/sv/error-details.txt 2013-10-04 00:47:23.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/templates/error-details.txt squid-3.4.0.2/errors/templates/error-details.txt
--- squid-3.4.0.1/errors/templates/error-details.txt 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/errors/templates/error-details.txt 2013-10-04 00:32:47.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
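Review bot: Every entry added in this hunk uses `detail: "%ssl_error_descr: %ssl_subject"`, including `X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER` and `X509_V_ERR_CRL_PATH_VALIDATION_ERROR`, where the issuing CA is usually what an operator needs when triaging a failed validation. Squid's detail format also provides `%ssl_ca_name`, so for the CRL and issuer-related entries something like `detail: "%ssl_error_descr: %ssl_ca_name"` looks more useful; whether the issuer is populated for these codes should be checked against the validation callback, which this diff section does not show. Separately, `descr` casing is mixed in the new block (`"Different CRL scope"` and `"Unsupported extension feature"` are capitalised while the rest are lowercase), unlike the capitalised context entries, which makes log matching on these strings less predictable. The per-language copies of this file in the same patch carry identical strings and would inherit any change made here.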
diff -u -r -N squid-3.4.0.1/errors/th/error-details.txt squid-3.4.0.2/errors/th/error-details.txt
--- squid-3.4.0.1/errors/th/error-details.txt 2013-07-29 11:02:43.000000000 +1200
+++ squid-3.4.0.2/errors/th/error-details.txt 2013-10-04 00:47:44.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/tr/error-details.txt squid-3.4.0.2/errors/tr/error-details.txt
--- squid-3.4.0.1/errors/tr/error-details.txt 2013-07-29 11:03:04.000000000 +1200
+++ squid-3.4.0.2/errors/tr/error-details.txt 2013-10-04 00:48:04.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/uk/error-details.txt squid-3.4.0.2/errors/uk/error-details.txt
--- squid-3.4.0.1/errors/uk/error-details.txt 2013-07-29 11:03:25.000000000 +1200
+++ squid-3.4.0.2/errors/uk/error-details.txt 2013-10-04 00:48:25.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/uz/error-details.txt squid-3.4.0.2/errors/uz/error-details.txt
--- squid-3.4.0.1/errors/uz/error-details.txt 2013-07-29 11:03:45.000000000 +1200
+++ squid-3.4.0.2/errors/uz/error-details.txt 2013-10-04 00:48:45.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/vi/error-details.txt squid-3.4.0.2/errors/vi/error-details.txt
--- squid-3.4.0.1/errors/vi/error-details.txt 2013-07-29 11:04:06.000000000 +1200
+++ squid-3.4.0.2/errors/vi/error-details.txt 2013-10-04 00:49:06.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/zh-cn/error-details.txt squid-3.4.0.2/errors/zh-cn/error-details.txt
--- squid-3.4.0.1/errors/zh-cn/error-details.txt 2013-07-29 11:04:27.000000000 +1200
+++ squid-3.4.0.2/errors/zh-cn/error-details.txt 2013-10-04 00:49:26.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/errors/zh-tw/error-details.txt squid-3.4.0.2/errors/zh-tw/error-details.txt
--- squid-3.4.0.1/errors/zh-tw/error-details.txt 2013-07-29 11:04:48.000000000 +1200
+++ squid-3.4.0.2/errors/zh-tw/error-details.txt 2013-10-04 00:49:46.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_INFINITE_VALIDATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Cert validation infinite loop detected"
+
name: SQUID_ERR_SSL_HANDSHAKE
detail: "%ssl_error_descr: %ssl_lib_error"
descr: "Handshake with SSL server failed"
@@ -130,6 +134,90 @@
detail: "%ssl_error_descr: %ssl_subject"
descr: "Key usage does not include certificate signing"
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
name: X509_V_ERR_APPLICATION_VERIFICATION
detail: "%ssl_error_descr: %ssl_subject"
descr: "Application verification failure"
diff -u -r -N squid-3.4.0.1/helpers/basic_auth/DB/basic_db_auth.8 squid-3.4.0.2/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.4.0.1/helpers/basic_auth/DB/basic_db_auth.8 2013-07-29 11:04:51.000000000 +1200
+++ squid-3.4.0.2/helpers/basic_auth/DB/basic_db_auth.8 2013-10-04 00:49:48.000000000 +1200
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2013-07-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2013-10-03" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.0.1/helpers/basic_auth/MSNT/msntauth.cc squid-3.4.0.2/helpers/basic_auth/MSNT/msntauth.cc
--- squid-3.4.0.1/helpers/basic_auth/MSNT/msntauth.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/basic_auth/MSNT/msntauth.cc 2013-10-04 00:32:47.000000000 +1200
@@ -37,7 +37,6 @@
#include
#include
#include
-#include
#include "msntauth.h"
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2013-10-04 00:32:47.000000000 +1200
@@ -65,7 +65,7 @@
void clean_gd(struct gdstruct *gdsp);
void clean_nd(struct ndstruct *ndsp);
-void clean_ls(struct ndstruct *lssp);
+void clean_ls(struct lsstruct *lssp);
void
clean_gd(struct gdstruct *gdsp)
@@ -78,22 +78,12 @@
pp = p;
p = p->next;
}
- if (p->group) {
- xfree(p->group);
- p->group = NULL;
- }
- if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
- }
- if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
- }
- if (p == gdsp) {
- xfree(gdsp);
- gdsp = NULL;
- }
+ safe_free(p->group);
+ safe_free(p->domain);
+ if (pp)
+ safe_free(pp->next);
+ if (p == gdsp)
+ safe_free(gdsp);
p = gdsp;
}
}
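Review bot: `safe_free(gdsp)` at the end of the loop body clears only this function's by-value copy of the pointer, so the caller still holds the freed list head and has to reset it itself; clean_args does that with `margs->groups = NULL` in a later hunk, but nothing here states the contract. A header comment such as `/* Frees the whole list; gdsp is passed by value, so the caller must NULL its own pointer afterwards. */` would keep a future caller from reusing or double-freeing the list. The same applies to clean_nd (hunk at -109) and clean_ls (hunk at -140). I would also brace the `if (pp)` and `if (p == gdsp)` bodies, since safe_free looks like a statement macro whose definition is not part of this diff. The function signatures and the start of the outer loop lie outside these hunks.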
@@ -109,22 +99,12 @@
pp = p;
p = p->next;
}
- if (p->netbios) {
- xfree(p->netbios);
- p->netbios = NULL;
- }
- if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
- }
- if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
- }
- if (p == ndsp) {
- xfree(ndsp);
- ndsp = NULL;
- }
+ safe_free(p->netbios);
+ safe_free(p->domain);
+ if (pp)
+ safe_free(pp->next);
+ if (p == ndsp)
+ safe_free(ndsp);
p = ndsp;
}
}
@@ -140,22 +120,12 @@
pp = p;
p = p->next;
}
- if (p->lserver) {
- xfree(p->lserver);
- p->lserver = NULL;
- }
- if (p->domain) {
- xfree(p->domain);
- p->domain = NULL;
- }
- if (pp && pp->next) {
- xfree(pp->next);
- pp->next = NULL;
- }
- if (p == lssp) {
- xfree(lssp);
- lssp = NULL;
- }
+ safe_free(p->lserver);
+ safe_free(p->domain);
+ if (pp)
+ safe_free(pp->next);
+ if (p == lssp)
+ safe_free(lssp);
p = lssp;
}
}
@@ -163,50 +133,17 @@
void
clean_args(struct main_args *margs)
{
- if (margs->glist) {
- xfree(margs->glist);
- margs->glist = NULL;
- }
- if (margs->ulist) {
- xfree(margs->ulist);
- margs->ulist = NULL;
- }
- if (margs->tlist) {
- xfree(margs->tlist);
- margs->tlist = NULL;
- }
- if (margs->nlist) {
- xfree(margs->nlist);
- margs->nlist = NULL;
- }
- if (margs->llist) {
- xfree(margs->llist);
- margs->llist = NULL;
- }
- if (margs->luser) {
- xfree(margs->luser);
- margs->luser = NULL;
- }
- if (margs->lpass) {
- xfree(margs->lpass);
- margs->lpass = NULL;
- }
- if (margs->lbind) {
- xfree(margs->lbind);
- margs->lbind = NULL;
- }
- if (margs->lurl) {
- xfree(margs->lurl);
- margs->lurl = NULL;
- }
- if (margs->ssl) {
- xfree(margs->ssl);
- margs->ssl = NULL;
- }
- if (margs->ddomain) {
- xfree(margs->ddomain);
- margs->ddomain = NULL;
- }
+ safe_free(margs->glist);
+ safe_free(margs->ulist);
+ safe_free(margs->tlist);
+ safe_free(margs->nlist);
+ safe_free(margs->llist);
+ safe_free(margs->luser);
+ safe_free(margs->lpass);
+ safe_free(margs->lbind);
+ safe_free(margs->lurl);
+ safe_free(margs->ssl);
+ safe_free(margs->ddomain);
if (margs->groups) {
clean_gd(margs->groups);
margs->groups = NULL;
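Review bot: `safe_free(margs->lpass)` releases what is presumably the LDAP bind password without clearing it, so the secret stays readable in freed heap memory (and in any core dump) until the allocator reuses the block. Wiping it just above the safe_free call would close that, e.g. `if (margs->lpass) { volatile char *w = margs->lpass; while (*w) *w++ = '\0'; }`; a plain memset directly before a free can be removed by the optimizer. `luser` and `lbind` may deserve the same treatment if the deployment treats them as sensitive. clean_args continues past the end of this hunk.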
@@ -413,8 +350,8 @@
log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM, up, np);
domain = get_netbios_name(&margs, netbios);
user = nuser;
- xfree(up);
- xfree(np);
+ safe_free(up);
+ safe_free(np);
} else if (domain) {
strup(domain);
*domain = '\0';
@@ -436,8 +373,8 @@
else
log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM, up, domain ? dp : "NULL");
- xfree(up);
- xfree(dp);
+ safe_free(up);
+ safe_free(dp);
if (!strcmp(user, "QQ") && domain && !strcmp(domain, "QQ")) {
clean_args(&margs);
exit(-1);
@@ -477,7 +414,7 @@
strup(char *s)
{
while (*s) {
- *s = toupper((unsigned char) *s);
+ *s = (char)toupper((unsigned char) *s);
++s;
}
}
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_group.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_group.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_group.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_group.cc 2013-10-04 00:32:47.000000000 +1200
@@ -31,6 +31,7 @@
#include "support.h"
struct gdstruct *init_gd(void);
+void free_gd(struct gdstruct *gdsp);
struct gdstruct *
init_gd(void) {
@@ -59,7 +60,8 @@
char *
utf8dup(struct main_args *margs)
{
- int c = 0, s;
+ size_t c = 0;
+ unsigned char s;
size_t n;
char *src;
unsigned char *p, *dupp;
@@ -79,7 +81,7 @@
*p = 194;
++p;
*p = s;
- } else if (s > 191 && s < 256) {
+ } else if (s > 191) {
*p = 195;
++p;
*p = s - 64;
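Review bot: The decimal constants 194, 195 and 64 in these branches are not explained; they appear to be the UTF-8 lead bytes 0xC2/0xC3 and the offset used when re-encoding Latin-1 bytes, and a comment such as `/* Latin-1 0xC0-0xFF -> UTF-8 0xC3 0x80-0xBF */` above `*p = 195;` would document that. Because each byte above 127 becomes two output bytes, the size of `dupp` has to include one extra byte per such input byte; the allocation is outside this hunk, so it is worth confirming against the `c` counter declared in the previous hunk. utf8dup starts and ends outside the hunk.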
@@ -121,7 +123,7 @@
return NULL;
char *upd = strrchr(up, '@');
- size_t a = (upd ? (upd - up) : strlen(up) );
+ size_t a = (upd ? (size_t)(upd - up) : strlen(up) );
char *ul = (char *) xmalloc(strlen(up)+1);
size_t n = 0;
@@ -174,17 +176,17 @@
if (iUTF2) {
if (iUTF2 == 0xC2 && ichar > 0x7F && ichar < 0xC0) {
iUTF2 = 0;
- ul[nl - 1] = ichar;
+ ul[nl - 1] = (char)ichar;
} else if (iUTF2 == 0xC3 && ichar > 0x7F && ichar < 0xC0) {
iUTF2 = 0;
- ul[nl - 1] = ichar + 64;
+ ul[nl - 1] = (char)(ichar + 64);
} else if (iUTF2 > 0xC3 && iUTF2 < 0xE0 && ichar > 0x7F && ichar < 0xC0) {
iUTF2 = 0;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else {
iUTF2 = 0;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
ul[nl + 1] = '\0';
debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
xfree(ul);
@@ -193,27 +195,27 @@
} else if (iUTF3) {
if (iUTF3 == 0xE0 && ichar > 0x9F && ichar < 0xC0) {
iUTF3 = 1;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF3 > 0xE0 && iUTF3 < 0xED && ichar > 0x7F && ichar < 0xC0) {
iUTF3 = 2;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF3 == 0xED && ichar > 0x7F && ichar < 0xA0) {
iUTF3 = 3;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF3 > 0xED && iUTF3 < 0xF0 && ichar > 0x7F && ichar < 0xC0) {
iUTF3 = 4;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF3 > 0 && iUTF3 < 5 && ichar > 0x7F && ichar < 0xC0) {
iUTF3 = 0;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else {
iUTF3 = 0;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
ul[nl + 1] = '\0';
debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
xfree(ul);
@@ -222,26 +224,26 @@
} else if (iUTF4) {
if (iUTF4 == 0xF0 && ichar > 0x8F && ichar < 0xC0) {
iUTF4 = 1;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF4 > 0xF0 && iUTF3 < 0xF4 && ichar > 0x7F && ichar < 0xC0) {
iUTF4 = 2;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF4 == 0xF4 && ichar > 0x7F && ichar < 0x90) {
iUTF4 = 3;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (iUTF4 > 0 && iUTF4 < 5 && ichar > 0x7F && ichar < 0xC0) {
if (iUTF4 == 4)
iUTF4 = 0;
else
iUTF4 = 4;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else {
iUTF4 = 0;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
ul[nl + 1] = '\0';
debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
xfree(ul);
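Review bot: The second branch of the four-byte state machine tests `iUTF3 < 0xF4` where `iUTF4` is evidently meant. Control only reaches this branch through `else if (iUTF4)`, after `else if (iUTF3)` was false, so iUTF3 is zero and the test is always true. A lead byte of 0xF4 followed by 0x90–0xBF is therefore accepted here, before the `iUTF4 == 0xF4 && ... ichar < 0x90` branch below can reject it, and sequences above U+10FFFF pass as valid. The condition should read `} else if (iUTF4 > 0xF0 && iUTF4 < 0xF4 && ichar > 0x7F && ichar < 0xC0) {`. The enclosing function starts and ends outside the hunk.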
@@ -249,25 +251,25 @@
}
} else if (ichar < 0x80) {
/* UTF1 */
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (ichar > 0xC1 && ichar < 0xE0) {
/* UTF2 (Latin) */
iUTF2 = ichar;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (ichar > 0xDF && ichar < 0xF0) {
/* UTF3 */
iUTF3 = ichar;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else if (ichar > 0xEF && ichar < 0xF5) {
/* UTF4 */
iUTF4 = ichar;
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
++nl;
} else {
- ul[nl] = ichar;
+ ul[nl] = (char)ichar;
ul[nl + 1] = '\0';
debug((char *) "%s| %s: WARNING: Invalid UTF-8 sequence for Unicode %s\n", LogTime(), PROGRAM, ul);
xfree(ul);
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support.h squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support.h
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support.h 2013-10-04 00:32:47.000000000 +1200
@@ -22,7 +22,7 @@
* -----------------------------------------------------------------------------
*/
-#define KERBEROS_LDAP_GROUP_VERSION "1.3.0sq"
+#define KERBEROS_LDAP_GROUP_VERSION "1.3.1sq"
#if HAVE_STRING_H
#include
@@ -156,13 +156,13 @@
int create_ls(struct main_args *margs);
#ifdef HAVE_KRB5
-int krb5_create_cache(struct main_args *margs, char *domain);
+int krb5_create_cache(char *domain);
void krb5_cleanup(void);
#endif
-int get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *domain);
-int get_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *name);
-int free_hostname_list(struct hstruct **hlist, int nhosts);
+size_t get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, size_t nhosts, char *domain);
+size_t get_hostname_list(struct hstruct **hlist, size_t nhosts, char *name);
+size_t free_hostname_list(struct hstruct **hlist, size_t nhosts);
#if defined(HAVE_SASL_H) || defined(HAVE_SASL_SASL_H) || defined(HAVE_SASL_DARWIN)
int tool_sasl_bind(LDAP * ld, char *binddn, char *ssl);
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_krb5.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_krb5.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2013-10-04 00:32:47.000000000 +1200
@@ -33,7 +33,9 @@
krb5_context context;
char *mem_cache_env;
krb5_ccache cc;
-} kparam;
+};
+
+static struct kstruct kparam;
#define KT_PATH_MAX 256
@@ -50,23 +52,20 @@
* create Kerberos memory cache
*/
int
-krb5_create_cache(struct main_args *margs, char *domain)
+krb5_create_cache(char *domain)
{
krb5_keytab keytab = 0;
krb5_keytab_entry entry;
krb5_kt_cursor cursor;
krb5_creds *creds = NULL;
- krb5_creds *tgt_creds = NULL;
krb5_principal *principal_list = NULL;
krb5_principal principal = NULL;
char *service;
char *keytab_name = NULL, *principal_name = NULL, *mem_cache = NULL;
char buf[KT_PATH_MAX], *p;
- int nprinc = 0;
- int i;
+ size_t j,nprinc = 0;
int retval = 0;
- int found = 0;
krb5_error_code code = 0;
kparam.context = NULL;
@@ -112,6 +111,7 @@
nprinc = 0;
while ((code = krb5_kt_next_entry(kparam.context, keytab, &entry, &cursor)) == 0) {
+ int found = 0;
principal_list = (krb5_principal *) xrealloc(principal_list, sizeof(krb5_principal) * (nprinc + 1));
krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc++]);
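Review bot: The return value of `krb5_copy_principal` is ignored while `nprinc++` advances regardless, so a failed copy still counts as a list entry. The slot comes straight from xrealloc and is not cleared first, so after a failure its content depends on what the library leaves there, and the `cleanup:` loop later walks all nprinc entries. A separate local avoids disturbing the loop's own `code`: `krb5_error_code rc = krb5_copy_principal(kparam.context, entry.principal, &principal_list[nprinc]);` followed by `if (rc == 0) ++nprinc;`, with an error message on the other path. The while loop body continues outside the hunk.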
@@ -182,12 +182,14 @@
* if no principal name found in keytab for domain use the prinipal name which can get a TGT
*/
if (!principal_name) {
+ size_t i;
debug((char *) "%s| %s: DEBUG: Did not find a principal in keytab for domain %s.\n", LogTime(), PROGRAM, domain);
debug((char *) "%s| %s: DEBUG: Try to get principal of trusted domain.\n", LogTime(), PROGRAM);
- creds = (krb5_creds *) xmalloc(sizeof(*creds));
- memset(creds, 0, sizeof(*creds));
for (i = 0; i < nprinc; ++i) {
+ krb5_creds *tgt_creds = NULL;
+ creds = (krb5_creds *) xmalloc(sizeof(*creds));
+ memset(creds, 0, sizeof(*creds));
/*
* get credentials
*/
@@ -205,8 +207,7 @@
snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain);
creds->client = principal_list[i];
code = krb5_parse_name(kparam.context, service, &creds->server);
- if (service)
- xfree(service);
+ xfree(service);
code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
#endif
if (code) {
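Review bot: `creds->client = principal_list[i];` stores a borrowed pointer in creds, and this commit now calls `krb5_free_creds(kparam.context, creds)` at loop_end on every iteration. krb5_free_creds releases the principals the structure holds, so on this build path each principal that reaches loop_end appears to be freed there and then again by the `krb5_free_principal(kparam.context, principal_list[j])` loop under `cleanup:`. Giving creds its own copy removes the shared ownership: `krb5_copy_principal(kparam.context, principal_list[i], &creds->client);`. The later hunk with `creds->client = principal;` has the same aliasing against the `krb5_free_principal(kparam.context, principal)` call in cleanup. The `#if` that selects this path is outside the hunk.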
@@ -233,8 +234,7 @@
snprintf(service, strlen("krbtgt") + strlen(domain) + strlen(krb5_princ_realm(kparam.context, principal_list[i])->data) + 3, "krbtgt/%s@%s", domain, krb5_princ_realm(kparam.context, principal_list[i])->data);
#endif
code = krb5_parse_name(kparam.context, service, &creds->server);
- if (service)
- xfree(service);
+ xfree(service);
if (code) {
error((char *) "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code));
goto loop_end;
@@ -245,19 +245,22 @@
goto loop_end;
} else {
debug((char *) "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name);
- found = 1;
break;
}
loop_end:
- if (principal_name)
- xfree(principal_name);
- principal_name = NULL;
+ safe_free(principal_name);
+ if (tgt_creds) {
+ krb5_free_creds(kparam.context, tgt_creds);
+ tgt_creds = NULL;
+ }
+ if (creds)
+ krb5_free_creds(kparam.context, creds);
+ creds = NULL;
+
}
- if (tgt_creds)
- krb5_free_creds(kparam.context, tgt_creds);
- tgt_creds = NULL;
+ safe_free(principal_name);
if (creds)
krb5_free_creds(kparam.context, creds);
creds = NULL;
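Review bot: The `safe_free(principal_name);` added after the loop also runs on the success path. The `break` taken once "Found trusted principal name" is logged jumps past loop_end, so the name that was just found is released and set to NULL as soon as the loop exits. The rest of the function is outside the hunk, but the comment above this block says the fallback exists to choose a principal name, so later code presumably needs it. Dropping the post-loop `safe_free(principal_name);` keeps the value, and `xfree(principal_name)` under `cleanup:` still releases it. The same `break` leaves the loop while tgt_creds, now declared inside the loop body, is never passed to krb5_free_creds if it was filled in by then.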
@@ -287,8 +290,7 @@
snprintf(service, strlen("krbtgt") + 2 * strlen(domain) + 3, "krbtgt/%s@%s", domain, domain);
creds->client = principal;
code = krb5_parse_name(kparam.context, service, &creds->server);
- if (service)
- xfree(service);
+ xfree(service);
code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
#endif
if (code) {
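Review bot: The result of `krb5_parse_name` is discarded, because `code` is assigned again by krb5_get_in_tkt_with_keytab on the next statement. A failed parse therefore leaves `creds->server` unset and the keytab request runs anyway. The hunk just above checks `code` after its own krb5_parse_name call; doing the same here would be `if (!code) code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);`. The in-loop fallback in the earlier hunk with `creds->client = principal_list[i];` has the same pair of statements.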
@@ -316,20 +318,16 @@
cleanup:
if (keytab)
krb5_kt_close(kparam.context, keytab);
- if (keytab_name)
- xfree(keytab_name);
- if (principal_name)
- xfree(principal_name);
- if (mem_cache)
- xfree(mem_cache);
+ xfree(keytab_name);
+ xfree(principal_name);
+ xfree(mem_cache);
if (principal)
krb5_free_principal(kparam.context, principal);
- for (i = 0; i < nprinc; ++i) {
- if (principal_list[i])
- krb5_free_principal(kparam.context, principal_list[i]);
+ for (j = 0; j < nprinc; ++j) {
+ if (principal_list[j])
+ krb5_free_principal(kparam.context, principal_list[j]);
}
- if (principal_list)
- xfree(principal_list);
+ xfree(principal_list);
if (creds)
krb5_free_creds(kparam.context, creds);
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_ldap.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_ldap.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2013-10-04 00:32:47.000000000 +1200
@@ -35,7 +35,7 @@
char *convert_domain_to_bind_path(char *domain);
char *escape_filter(char *filter);
int check_AD(struct main_args *margs, LDAP * ld);
-int ldap_set_defaults(struct main_args *margs, LDAP * ld);
+int ldap_set_defaults(LDAP * ld);
int ldap_set_ssl_defaults(struct main_args *margs);
LDAP *tool_ldap_open(struct main_args *margs, char *host, int port, char *ssl);
@@ -51,7 +51,7 @@
#define FILTER_AD "(samaccountname=%s)"
#define ATTRIBUTE_AD "memberof"
-int get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val /* OUT (caller frees) */ );
+size_t get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute /* IN */ , char ***out_val /* OUT (caller frees) */ );
int search_group_tree(struct main_args *margs, LDAP * ld, char *bindp, char *ldap_group, char *group, int depth);
#if defined(HAVE_SUN_LDAP_SDK) || defined(HAVE_MOZILLA_LDAP_SDK)
@@ -210,7 +210,7 @@
convert_domain_to_bind_path(char *domain)
{
char *dp, *bindp = NULL, *bp = NULL;
- int i = 0;
+ size_t i = 0;
if (!domain)
return NULL;
@@ -243,8 +243,8 @@
char *
escape_filter(char *filter)
{
- int i;
char *ldap_filter_esc, *ldf;
+ size_t i;
i = 0;
for (ldap_filter_esc = filter; *ldap_filter_esc; ++ldap_filter_esc) {
@@ -278,7 +278,7 @@
*ldf = '\0';
return ldap_filter_esc;
-};
+}
int
check_AD(struct main_args *margs, LDAP * ld)
@@ -286,8 +286,8 @@
LDAPMessage *res;
char **attr_value = NULL;
struct timeval searchtime;
- int max_attr = 0;
- int j, rc = 0;
+ size_t max_attr = 0;
+ int rc = 0;
#define FILTER_SCHEMA "(objectclass=*)"
#define ATTRIBUTE_SCHEMA "schemaNamingContext"
@@ -301,7 +301,7 @@
NULL, NULL, &searchtime, 0, &res);
if (rc == LDAP_SUCCESS)
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_SCHEMA, &attr_value);
+ max_attr = get_attributes(ld, res, ATTRIBUTE_SCHEMA, &attr_value);
if (max_attr == 1) {
ldap_msgfree(res);
@@ -318,11 +318,11 @@
* Cleanup
*/
if (attr_value) {
+ size_t j;
for (j = 0; j < max_attr; ++j) {
xfree(attr_value[j]);
}
- xfree(attr_value);
- attr_value = NULL;
+ safe_free(attr_value);
}
ldap_msgfree(res);
return rc;
@@ -332,11 +332,10 @@
{
LDAPMessage *res = NULL;
char **attr_value = NULL;
- int max_attr = 0;
+ size_t max_attr = 0;
char *filter = NULL;
char *search_exp = NULL;
- int j, rc = 0, retval = 0;
- char *av = NULL, *avp = NULL;
+ int rc = 0, retval = 0;
int ldepth;
char *ldap_filter_esc = NULL;
struct timeval searchtime;
@@ -378,20 +377,22 @@
debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
if (margs->AD)
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
+ max_attr = get_attributes(ld, res, ATTRIBUTE_AD, &attr_value);
else
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
+ max_attr = get_attributes(ld, res, ATTRIBUTE, &attr_value);
/*
* Compare group names
*/
retval = 0;
ldepth = depth + 1;
- for (j = 0; j < max_attr; ++j) {
+ for (size_t j = 0; j < max_attr; ++j) {
+ char *av = NULL;
/* Compare first CN= value assuming it is the same as the group name itself */
av = attr_value[j];
if (!strncasecmp("CN=", av, 3)) {
+ char *avp = NULL;
av += 3;
if ((avp = strchr(av, ','))) {
*avp = '\0';
@@ -399,17 +400,17 @@
}
if (debug_enabled) {
int n;
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
for (n = 0; av[n] != '\0'; ++n)
fprintf(stderr, "%02x", (unsigned char) av[n]);
fprintf(stderr, "\n");
}
if (!strcasecmp(group, av)) {
retval = 1;
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
break;
} else
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
/*
* Do recursive group search
*/
@@ -418,13 +419,14 @@
if (search_group_tree(margs, ld, bindp, av, group, ldepth)) {
retval = 1;
if (!strncasecmp("CN=", av, 3)) {
+ char *avp = NULL;
av += 3;
if ((avp = strchr(av, ','))) {
*avp = '\0';
}
}
if (debug_enabled)
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" is member of group named \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
else
break;
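Review bot: Whether this loop stops at the first match depends on debug_enabled, since `if (debug_enabled) debug(...); else break;` keeps iterating only when debugging is on. A debug run therefore issues more recursive search_group_tree calls against the directory than a production run, which makes debug traces a poor reproduction of normal behaviour. retval is already 1 at this point, so the result does not change; the other debug calls in this file are unguarded, which suggests a plain `debug(...);` followed by an unconditional `break;` would do. The two compare loops in the later hunks of this file use the same construct.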
@@ -435,11 +437,10 @@
* Cleanup
*/
if (attr_value) {
- for (j = 0; j < max_attr; ++j) {
+ for (size_t j = 0; j < max_attr; ++j) {
xfree(attr_value[j]);
}
- xfree(attr_value);
- attr_value = NULL;
+ safe_free(attr_value);
}
ldap_msgfree(res);
@@ -447,7 +448,7 @@
}
int
-ldap_set_defaults(struct main_args *margs, LDAP * ld)
+ldap_set_defaults(LDAP * ld)
{
int val, rc = 0;
#ifdef LDAP_OPT_NETWORK_TIMEOUT
@@ -484,14 +485,14 @@
#endif
#ifdef HAVE_OPENLDAP
int val;
- char *ssl_cacertfile = NULL;
- int free_path;
#elif defined(HAVE_LDAPSSL_CLIENT_INIT)
char *ssl_certdbpath = NULL;
#endif
#ifdef HAVE_OPENLDAP
if (!margs->rc_allow) {
+ char *ssl_cacertfile = NULL;
+ int free_path;
debug((char *) "%s| %s: DEBUG: Enable server certificate check for ldap server.\n", LogTime(), PROGRAM);
val = LDAP_OPT_X_TLS_DEMAND;
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &val);
@@ -509,7 +510,6 @@
rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ssl_cacertfile);
if (ssl_cacertfile && free_path) {
xfree(ssl_cacertfile);
- ssl_cacertfile = NULL;
}
if (rc != LDAP_OPT_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while setting LDAP_OPT_X_TLS_CACERTFILE for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
@@ -543,10 +543,7 @@
rc = ldapssl_advclientauth_init(ssl_certdbpath, NULL, 0, NULL, NULL, 0, NULL, 0);
debug((char *) "%s| %s: DEBUG: Disable server certificate check for ldap server.\n", LogTime(), PROGRAM);
}
- if (ssl_certdbpath) {
- xfree(ssl_certdbpath);
- ssl_certdbpath = NULL;
- }
+ xfree(ssl_certdbpath);
if (rc != LDAP_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while setting SSL for ldap server: %s\n", LogTime(), PROGRAM, ldapssl_err2string(rc));
return rc;
@@ -557,13 +554,13 @@
return LDAP_SUCCESS;
}
-int
-get_attributes(struct main_args *margs, LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value)
+size_t
+get_attributes(LDAP * ld, LDAPMessage * res, const char *attribute, char ***ret_value)
{
LDAPMessage *msg;
char **attr_value = NULL;
- int max_attr = 0;
+ size_t max_attr = 0;
attr_value = *ret_value;
/*
@@ -588,15 +585,15 @@
if ((values = ldap_get_values_len(ld, msg, attr)) != NULL) {
for (il = 0; values[il] != NULL; ++il) {
- attr_value = (char **) xrealloc(attr_value, (il + 1) * sizeof(char *));
+ attr_value = (char **) xrealloc(attr_value, (max_attr + 1) * sizeof(char *));
if (!attr_value)
break;
- attr_value[il] = (char *) xmalloc(values[il]->bv_len + 1);
- memcpy(attr_value[il], values[il]->bv_val, values[il]->bv_len);
- attr_value[il][values[il]->bv_len] = 0;
+ attr_value[max_attr] = (char *) xmalloc(values[il]->bv_len + 1);
+ memcpy(attr_value[max_attr], values[il]->bv_val, values[il]->bv_len);
+ attr_value[max_attr][values[il]->bv_len] = 0;
+ max_attr++;
}
- max_attr = il;
}
ber_bvecfree(values);
}
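Review bot: The `if (!attr_value) break;` path leaves max_attr at its previous non-zero value while attr_value is NULL, and the function later stores attr_value in `*ret_value` and returns max_attr. Callers in this file index `attr_value[j]` for `j < max_attr` without testing the pointer, so that combination could end in a NULL dereference. The old array is lost as well, because the xrealloc result overwrote the only pointer to it. If xrealloc can return NULL here, keep the two in step with `if (!attr_value) { max_attr = 0; break; }`; if it aborts on failure instead, the branch is dead and can be removed. The function begins and ends outside the hunk.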
@@ -615,7 +612,7 @@
}
}
- debug((char *) "%s| %s: DEBUG: %d ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute);
+ debug((char *) "%s| %s: DEBUG: %" PRIuSIZE " ldap entr%s found with attribute : %s\n", LogTime(), PROGRAM, max_attr, max_attr > 1 || max_attr == 0 ? "ies" : "y", attribute);
*ret_value = attr_value;
return max_attr;
@@ -661,13 +658,13 @@
if (rc != LDAP_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
xfree(ldapuri);
- xfree(url);
+ ldap_free_urldesc(url);
return NULL;
}
#else
#error "No URL parsing function"
#endif
- safe_free(url);
+ ldap_free_urldesc(url);
rc = ldap_initialize(&ld, ldapuri);
xfree(ldapuri);
if (rc != LDAP_SUCCESS) {
@@ -679,7 +676,7 @@
#else
ld = ldap_init(host, port);
#endif
- rc = ldap_set_defaults(margs, ld);
+ rc = ldap_set_defaults(ld);
if (rc != LDAP_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
ldap_unbind(ld);
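Review bot: `ld` goes to ldap_set_defaults straight after `ld = ldap_init(host, port);` with no NULL test in between. ldap_set_defaults presumably applies its options through ldap_set_option, and with a NULL handle those calls act on the library's global defaults, the form ldap_set_ssl_defaults in this file uses on purpose. A failed init would then change process-wide options and reach `ldap_unbind(ld)` with NULL on the error path. Adding `if (!ld) { error(...); return NULL; }` after the `#endif` would stop that. The `#if` branches above are outside the hunk and may already guard their own paths.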
@@ -726,13 +723,13 @@
if (rc != LDAP_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while parsing url: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
xfree(ldapuri);
- xfree(url);
+ ldap_free_urldesc(url);
return NULL;
}
#else
#error "No URL parsing function"
#endif
- safe_free(url);
+ ldap_free_urldesc(url);
rc = ldap_initialize(&ld, ldapuri);
xfree(ldapuri);
if (rc != LDAP_SUCCESS) {
@@ -741,7 +738,7 @@
ld = NULL;
return NULL;
}
- rc = ldap_set_defaults(margs, ld);
+ rc = ldap_set_defaults(ld);
if (rc != LDAP_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
ldap_unbind(ld);
@@ -757,7 +754,7 @@
ld = NULL;
return NULL;
}
- rc = ldap_set_defaults(margs, ld);
+ rc = ldap_set_defaults(ld);
if (rc != LDAP_SUCCESS) {
error((char *) "%s| %s: ERROR: Error while setting default options for ldap server: %s\n", LogTime(), PROGRAM, ldap_err2string(rc));
ldap_unbind(ld);
@@ -787,18 +784,12 @@
char *filter = NULL;
char *search_exp;
struct timeval searchtime;
- int i, j, rc = 0, kc = 1;
+ int rc = 0, kc = 1;
int retval;
char **attr_value = NULL;
- char *av = NULL, *avp = NULL;
- int max_attr = 0;
+ size_t max_attr = 0;
struct hstruct *hlist = NULL;
- int nhosts = 0;
- char *hostname;
- char *host;
- int port;
- char *ssl = NULL;
- char *p;
+ size_t nhosts = 0;
char *ldap_filter_esc = NULL;
searchtime.tv_sec = SEARCH_TIMEOUT;
@@ -810,7 +801,7 @@
debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM);
#ifdef HAVE_KRB5
- kc = krb5_create_cache(margs, domain);
+ kc = krb5_create_cache(domain);
if (kc) {
error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM);
}
@@ -847,8 +838,8 @@
* Loop over list of ldap servers of users domain
*/
nhosts = get_ldap_hostname_list(margs, &hlist, 0, domain);
- for (i = 0; i < nhosts; ++i) {
- port = 389;
+ for (size_t i = 0; i < nhosts; ++i) {
+ int port = 389;
if (hlist[i].port != -1)
port = hlist[i].port;
debug((char *) "%s| %s: DEBUG: Setting up connection to ldap server %s:%d\n", LogTime(), PROGRAM, hlist[i].host, port);
@@ -893,6 +884,11 @@
bindp = convert_domain_to_bind_path(domain);
}
if ((!domain || !ld) && margs->lurl && strstr(margs->lurl, "://")) {
+ char *hostname;
+ char *host;
+ int port;
+ char *ssl = NULL;
+ char *p;
/*
* If username does not contain a domain and a url was given then try it
*/
@@ -912,9 +908,9 @@
++p;
port = atoi(p);
}
- nhosts = get_hostname_list(margs, &hlist, 0, host);
- safe_free(host);
- for (i = 0; i < nhosts; ++i) {
+ nhosts = get_hostname_list(&hlist, 0, host);
+ xfree(host);
+ for (size_t i = 0; i < nhosts; ++i) {
ld = tool_ldap_open(margs, hlist[i].host, port, ssl);
if (!ld)
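Review bot: `port = atoi(p);` takes the port from the configured URL with no validation. atoi reports no error, so an empty or non-numeric port becomes 0 and a negative or oversized value is passed unchanged to tool_ldap_open. Parsing with `long v = strtol(p, &end, 10);` and rejecting `end == p || v < 1 || v > 65535` before the host lookup would turn a mistyped URL into a clear error instead of a connection attempt to an unintended port. The surrounding URL parsing starts outside the hunk.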
@@ -997,40 +993,41 @@
if (ldap_count_entries(ld, res) != 0) {
if (margs->AD)
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_AD, &attr_value);
+ max_attr = get_attributes(ld, res, ATTRIBUTE_AD, &attr_value);
else {
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value);
+ max_attr = get_attributes(ld, res, ATTRIBUTE, &attr_value);
}
/*
* Compare group names
*/
retval = 0;
- for (j = 0; j < max_attr; ++j) {
+ for (size_t k = 0; k < max_attr; ++k) {
+ char *av = NULL;
/* Compare first CN= value assuming it is the same as the group name itself */
- av = attr_value[j];
+ av = attr_value[k];
if (!strncasecmp("CN=", av, 3)) {
+ char *avp = NULL;
av += 3;
if ((avp = strchr(av, ','))) {
*avp = '\0';
}
}
if (debug_enabled) {
- int n;
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, j + 1, av);
- for (n = 0; av[n] != '\0'; ++n)
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" in hex UTF-8 is ", LogTime(), PROGRAM, k + 1, av);
+ for (unsigned int n = 0; av[n] != '\0'; ++n)
fprintf(stderr, "%02x", (unsigned char) av[n]);
fprintf(stderr, "\n");
}
if (!strcasecmp(group, av)) {
retval = 1;
if (debug_enabled)
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, k + 1, av, group);
else
break;
} else
- debug((char *) "%s| %s: DEBUG: Entry %d \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " \"%s\" does not match group name \"%s\"\n", LogTime(), PROGRAM, k + 1, av, group);
}
/*
* Do recursive group search for AD only since posixgroups can not contain other groups
@@ -1039,19 +1036,21 @@
if (debug_enabled && max_attr > 0) {
debug((char *) "%s| %s: DEBUG: Perform recursive group search\n", LogTime(), PROGRAM);
}
- for (j = 0; j < max_attr; ++j) {
+ for (size_t j = 0; j < max_attr; ++j) {
+ char *av = NULL;
av = attr_value[j];
if (search_group_tree(margs, ld, bindp, av, group, 1)) {
retval = 1;
if (!strncasecmp("CN=", av, 3)) {
+ char *avp = NULL;
av += 3;
if ((avp = strchr(av, ','))) {
*avp = '\0';
}
}
if (debug_enabled)
- debug((char *) "%s| %s: DEBUG: Entry %d group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
+ debug((char *) "%s| %s: DEBUG: Entry %" PRIuSIZE " group \"%s\" is (in)direct member of group \"%s\"\n", LogTime(), PROGRAM, j + 1, av, group);
else
break;
}
@@ -1061,11 +1060,10 @@
* Cleanup
*/
if (attr_value) {
- for (j = 0; j < max_attr; ++j) {
+ for (size_t j = 0; j < max_attr; ++j) {
xfree(attr_value[j]);
}
- xfree(attr_value);
- attr_value = NULL;
+ safe_free(attr_value);
}
ldap_msgfree(res);
} else if (ldap_count_entries(ld, res) == 0 && margs->AD) {
@@ -1101,11 +1099,11 @@
debug((char *) "%s| %s: DEBUG: Found %d ldap entr%s\n", LogTime(), PROGRAM, ldap_count_entries(ld, res), ldap_count_entries(ld, res) > 1 || ldap_count_entries(ld, res) == 0 ? "ies" : "y");
- max_attr = get_attributes(margs, ld, res, ATTRIBUTE_GID, &attr_value);
+ max_attr = get_attributes(ld, res, ATTRIBUTE_GID, &attr_value);
if (max_attr == 1) {
char **attr_value_2 = NULL;
- int max_attr_2 = 0;
+ size_t max_attr_2 = 0;
ldap_msgfree(res);
filter = (char *) FILTER_GID;
@@ -1123,15 +1121,14 @@
NULL, NULL, &searchtime, 0, &res);
xfree(search_exp);
- max_attr_2 = get_attributes(margs, ld, res, ATTRIBUTE, &attr_value_2);
+ max_attr_2 = get_attributes(ld, res, ATTRIBUTE, &attr_value_2);
/*
* Compare group names
*/
retval = 0;
if (max_attr_2 == 1) {
-
/* Compare first CN= value assuming it is the same as the group name itself */
- av = attr_value_2[0];
+ char *av = attr_value_2[0];
if (!strcasecmp(group, av)) {
retval = 1;
debug((char *) "%s| %s: DEBUG: \"%s\" matches group name \"%s\"\n", LogTime(), PROGRAM, av, group);
@@ -1143,11 +1140,11 @@
* Cleanup
*/
if (attr_value_2) {
+ size_t j;
for (j = 0; j < max_attr_2; ++j) {
xfree(attr_value_2[j]);
}
- xfree(attr_value_2);
- attr_value_2 = NULL;
+ safe_free(attr_value_2);
}
ldap_msgfree(res);
@@ -1161,11 +1158,10 @@
* Cleanup
*/
if (attr_value) {
- for (j = 0; j < max_attr; ++j) {
+ for (size_t j = 0; j < max_attr; ++j) {
xfree(attr_value[j]);
}
- xfree(attr_value);
- attr_value = NULL;
+ safe_free(attr_value);
}
}
rc = ldap_unbind(ld);
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_log.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_log.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_log.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_log.cc 2013-10-04 00:32:47.000000000 +1200
@@ -34,13 +34,13 @@
const char *
LogTime()
{
- struct tm *tm;
- struct timeval now;
static time_t last_t = 0;
+ struct timeval now;
static char buf[128];
gettimeofday(&now, NULL);
if (now.tv_sec != last_t) {
+ struct tm *tm;
time_t tmp = now.tv_sec;
tm = localtime(&tmp);
strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_lserver.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_lserver.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2013-10-04 00:32:47.000000000 +1200
@@ -29,6 +29,7 @@
#include "support.h"
struct lsstruct *init_ls(void);
+void free_ls(struct lsstruct *lssp);
struct lsstruct *
init_ls(void) {
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_netbios.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_netbios.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_netbios.cc 2013-10-04 00:32:47.000000000 +1200
@@ -30,6 +30,7 @@
#include "support.h"
struct ndstruct *init_nd(void);
+void free_nd(struct ndstruct *ndsp);
struct ndstruct *
init_nd(void) {
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_resolv.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_resolv.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2013-10-04 00:32:47.000000000 +1200
@@ -95,10 +95,10 @@
sort(struct hstruct *array, int nitems, int (*cmp) (struct hstruct *, struct hstruct *), int begin, int end)
{
if (end > begin) {
- int pivot = begin;
int l = begin + 1;
int r = end;
while (l < r) {
+ int pivot = begin;
if (cmp(&array[l], &array[pivot]) <= 0) {
l += 1;
} else {
@@ -116,7 +116,7 @@
static void
msort(struct hstruct *array, size_t nitems, int (*cmp) (struct hstruct *, struct hstruct *))
{
- sort(array, nitems, cmp, 0, nitems - 1);
+ sort(array, (int)nitems, cmp, 0, (int)(nitems - 1));
}
static int
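Review bot: The new casts silence the conversion warning but leave the range problem in place. With `nitems == 0` the expression `nitems - 1` wraps to SIZE_MAX before `(int)` is applied, and a count above INT_MAX is truncated silently. The caller passes the host count from name resolution, which can be zero when nothing resolved. A guard as the first line of msort, `if (nitems < 2 || nitems > INT_MAX) return;`, makes both cases explicit and keeps the casts well defined.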
@@ -145,33 +145,25 @@
return 0;
}
-int
-free_hostname_list(struct hstruct **hlist, int nhosts)
+size_t
+free_hostname_list(struct hstruct **hlist, size_t nhosts)
{
struct hstruct *hp = NULL;
- int i;
+ size_t i;
hp = *hlist;
for (i = 0; i < nhosts; ++i) {
- if (hp[i].host)
- xfree(hp[i].host);
- hp[i].host = NULL;
+ xfree(hp[i].host);
}
- if (hp)
- xfree(hp);
- hp = NULL;
+ safe_free(hp);
*hlist = hp;
return 0;
}
-int
-get_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *name)
+size_t
+get_hostname_list(struct hstruct **hlist, size_t nhosts, char *name)
{
- /*
- * char host[sysconf(_SC_HOST_NAME_MAX)];
- */
- char host[1024];
struct addrinfo *hres = NULL, *hres_list;
int rc, count;
struct hstruct *hp = NULL;
@@ -194,6 +186,10 @@
hres_list = hres;
count = 0;
while (hres_list) {
+ /*
+ * char host[sysconf(_SC_HOST_NAME_MAX)];
+ */
+ char host[1024];
rc = getnameinfo(hres_list->ai_addr, hres_list->ai_addrlen, host, sizeof(host), NULL, 0, 0);
if (rc != 0) {
error((char *) "%s| %s: ERROR: Error while resolving ip address with getnameinfo: %s\n", LogTime(), PROGRAM, gai_strerror(rc));
@@ -219,24 +215,21 @@
return (nhosts);
}
-int
-get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nh, char *domain)
+size_t
+get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, size_t nh, char *domain)
{
/*
* char name[sysconf(_SC_HOST_NAME_MAX)];
*/
char name[1024];
- char host[NS_MAXDNAME];
char *service = NULL;
struct hstruct *hp = NULL;
struct lsstruct *ls = NULL;
- int nhosts = 0;
+ size_t nhosts = 0;
int size;
- int type, rdlength;
- int priority, weight, port;
int len, olen;
- int i, j, k;
+ size_t i, j, k;
u_char *buffer = NULL;
u_char *p;
@@ -305,7 +298,7 @@
}
if (len > PACKETSZ_MULT * NS_PACKETSZ) {
olen = len;
- buffer = (u_char *) xrealloc(buffer, len);
+ buffer = (u_char *) xrealloc(buffer, (size_t)len);
if ((len = res_search(service, ns_c_in, ns_t_srv, (u_char *) buffer, len)) < 0) {
error((char *) "%s| %s: ERROR: Error while resolving service record %s with res_search\n", LogTime(), PROGRAM, service);
nsError(h_errno, service);
@@ -322,7 +315,7 @@
error((char *) "%s| %s: ERROR: Message to small: %d < header size\n", LogTime(), PROGRAM, len);
goto finalise;
}
- if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
+ if ((size = dn_expand(buffer, buffer + len, p, name, sizeof(name))) < 0) {
error((char *) "%s| %s: ERROR: Error while expanding query name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
goto finalise;
}
@@ -333,7 +326,8 @@
goto finalise;
}
while (p < buffer + len) {
- if ((size = dn_expand(buffer, buffer + len, p, name, sysconf(_SC_HOST_NAME_MAX))) < 0) {
+ int type, rdlength;
+ if ((size = dn_expand(buffer, buffer + len, p, name, sizeof(name))) < 0) {
error((char *) "%s| %s: ERROR: Error while expanding answer name with dn_expand: %s\n", LogTime(), PROGRAM, strerror(errno));
goto finalise;
}
@@ -351,6 +345,8 @@
NS_GET16(rdlength, p); /* RR data length (16bit) */
if (type == ns_t_srv) { /* SRV record */
+ int priority, weight, port;
+ char host[NS_MAXDNAME];
if (p > buffer + len) {
error((char *) "%s| %s: ERROR: Message to small: %d < header + query name,type,class + answer name + RR type,class,ttl + RR data length\n", LogTime(), PROGRAM, len);
goto finalise;
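Review bot: rdlength is read from the DNS answer by `NS_GET16(rdlength, p);`, and nothing visible compares it with the bytes left in the buffer. The first test inside the SRV branch is `p > buffer + len`, which still passes when p sits exactly at the end of the response. The buffer is filled by res_search(), so this is network-supplied data, and a fixed-size field read following outside the hunk would then start at the end of what was received. A guard directly after the rdlength read, such as `if (rdlength > buffer + len - p) { ... goto finalise; }`, rejects truncated or inconsistent records before the per-field parsing. The while loop this belongs to starts and ends outside the hunk.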
@@ -400,7 +396,7 @@
}
finalise:
- nhosts = get_hostname_list(margs, &hp, nh, domain);
+ nhosts = get_hostname_list(&hp, nh, domain);
debug("%s| %s: DEBUG: Adding %s to list\n", LogTime(), PROGRAM, domain);
@@ -435,7 +431,7 @@
}
/* Sort by Priority / Weight */
- msort(hp, nhosts, compare_hosts);
+ msort(hp, (size_t)nhosts, compare_hosts);
if (debug_enabled) {
debug((char *) "%s| %s: DEBUG: Sorted ldap server names for domain %s:\n", LogTime(), PROGRAM, domain);
@@ -443,10 +439,8 @@
debug((char *) "%s| %s: DEBUG: Host: %s Port: %d Priority: %d Weight: %d\n", LogTime(), PROGRAM, hp[i].host, hp[i].port, hp[i].priority, hp[i].weight);
}
}
- if (buffer)
- xfree(buffer);
- if (service)
- xfree(service);
+ xfree(buffer);
+ xfree(service);
*hlist = hp;
return (nhosts);
}
diff -u -r -N squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_sasl.cc squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_sasl.cc
--- squid-3.4.0.1/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2013-10-04 00:32:47.000000000 +1200
@@ -196,18 +196,12 @@
{
lutilSASLdefaults *defs = (lutilSASLdefaults *) defaults;
- if (defs->mech)
- xfree(defs->mech);
- if (defs->realm)
- xfree(defs->realm);
- if (defs->authcid)
- xfree(defs->authcid);
- if (defs->passwd)
- xfree(defs->passwd);
- if (defs->authzid)
- xfree(defs->authzid);
- if (defs->resps)
- xfree(defs->resps);
+ xfree(defs->mech);
+ xfree(defs->realm);
+ xfree(defs->authcid);
+ xfree(defs->passwd);
+ xfree(defs->authzid);
+ xfree(defs->resps);
xfree(defs);
}
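Review bot: `defs->passwd` is released with a plain xfree, so whatever it held stays readable in freed heap memory until that memory is reused. The hunk does not show whether this helper ever stores a bind password there; if it can, wipe the buffer first with a call the compiler cannot elide. Assuming passwd is a NUL-terminated string, that would be `if (defs->passwd) explicit_bzero(defs->passwd, strlen(defs->passwd));` where the function is available. A one-line comment stating that every field is an owned copy would also document why all of them are freed here. The function signature is outside the hunk.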
diff -u -r -N squid-3.4.0.1/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc squid-3.4.0.2/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc
--- squid-3.4.0.1/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc 2013-10-04 00:32:47.000000000 +1200
@@ -89,10 +89,6 @@
#endif
-#if defined(LDAP_OPT_NETWORK_TIMEOUT)
-#include
-#endif
-
#define PROGRAM_NAME "ext_ldap_group_acl"
#define PROGRAM_VERSION "2.17"
diff -u -r -N squid-3.4.0.1/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.4.0.2/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.4.0.1/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2013-07-29 11:04:54.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2013-10-04 00:49:50.000000000 +1200
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2013-07-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2013-10-03" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.0.1/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.4.0.2/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.4.0.1/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-07-29 11:04:55.000000000 +1200
+++ squid-3.4.0.2/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-10-04 00:49:50.000000000 +1200
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-07-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-10-03" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.0.1/helpers/log_daemon/DB/log_db_daemon.8 squid-3.4.0.2/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.4.0.1/helpers/log_daemon/DB/log_db_daemon.8 2013-07-29 11:04:55.000000000 +1200
+++ squid-3.4.0.2/helpers/log_daemon/DB/log_db_daemon.8 2013-10-04 00:49:51.000000000 +1200
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "LOG_DB_DAEMON 1"
-.TH LOG_DB_DAEMON 1 "2013-07-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 1 "2013-10-03" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/kerberos/Makefile.am squid-3.4.0.2/helpers/negotiate_auth/kerberos/Makefile.am
--- squid-3.4.0.1/helpers/negotiate_auth/kerberos/Makefile.am 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/kerberos/Makefile.am 2013-10-04 00:32:47.000000000 +1200
@@ -7,7 +7,7 @@
AM_CPPFLAGS = $(INCLUDES) -I$(srcdir)
-negotiate_kerberos_auth_SOURCES = negotiate_kerberos_auth.cc
+negotiate_kerberos_auth_SOURCES = negotiate_kerberos_auth.cc negotiate_kerberos_pac.cc negotiate_kerberos.h
negotiate_kerberos_auth_LDFLAGS =
negotiate_kerberos_auth_LDADD = \
$(top_builddir)/lib/libmiscencoding.la \
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/kerberos/Makefile.in squid-3.4.0.2/helpers/negotiate_auth/kerberos/Makefile.in
--- squid-3.4.0.1/helpers/negotiate_auth/kerberos/Makefile.in 2013-07-29 10:46:36.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/kerberos/Makefile.in 2013-10-04 00:33:15.000000000 +1200
@@ -108,7 +108,8 @@
am__installdirs = "$(DESTDIR)$(libexecdir)" "$(DESTDIR)$(man8dir)"
PROGRAMS = $(libexec_PROGRAMS)
am_negotiate_kerberos_auth_OBJECTS = \
- negotiate_kerberos_auth.$(OBJEXT)
+ negotiate_kerberos_auth.$(OBJEXT) \
+ negotiate_kerberos_pac.$(OBJEXT)
negotiate_kerberos_auth_OBJECTS = \
$(am_negotiate_kerberos_auth_OBJECTS)
@ENABLE_XPROF_STATS_TRUE@am__DEPENDENCIES_1 = $(top_builddir)/lib/profiler/libprofiler.la
@@ -145,6 +146,15 @@
CXXLINK = $(LIBTOOL) --tag=CXX $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CXXLD) $(AM_CXXFLAGS) $(CXXFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
SOURCES = $(negotiate_kerberos_auth_SOURCES) \
$(negotiate_kerberos_auth_test_SOURCES)
DIST_SOURCES = $(negotiate_kerberos_auth_SOURCES) \
@@ -442,7 +452,7 @@
EXTRA_DIST = README COPYING required.m4 negotiate_kerberos_auth.8
SUBDIRS =
AM_CPPFLAGS = $(INCLUDES) -I$(srcdir)
-negotiate_kerberos_auth_SOURCES = negotiate_kerberos_auth.cc
+negotiate_kerberos_auth_SOURCES = negotiate_kerberos_auth.cc negotiate_kerberos_pac.cc negotiate_kerberos.h
negotiate_kerberos_auth_LDFLAGS =
negotiate_kerberos_auth_LDADD = \
$(top_builddir)/lib/libmiscencoding.la \
@@ -560,6 +570,7 @@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/negotiate_kerberos_auth.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/negotiate_kerberos_auth_test.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/negotiate_kerberos_pac.Po@am__quote@
.cc.o:
@am__fastdepCXX_TRUE@ $(CXXCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
--- squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc 2013-10-04 00:32:47.000000000 +1200
@@ -36,79 +36,7 @@
#if HAVE_GSSAPI
-#if HAVE_STRING_H
-#include
-#endif
-#if HAVE_STDOI_H
-#include
-#endif
-#if HAVE_NETDB_H
-#include
-#endif
-#if HAVE_UNISTD_H
-#include
-#endif
-#if HAVE_TIME_H
-#include
-#endif
-
-#include "util.h"
-#include "base64.h"
-
-#if HAVE_GSSAPI_GSSAPI_H
-#include
-#elif HAVE_GSSAPI_H
-#include
-#endif
-
-#if !HAVE_HEIMDAL_KERBEROS
-#if HAVE_GSSAPI_GSSAPI_KRB5_H
-#include
-#endif
-#if HAVE_GSSAPI_GSSAPI_GENERIC_H
-#include
-#endif
-#if HAVE_GSSAPI_GSSAPI_EXT_H
-#include
-#endif
-#endif
-
-#ifndef gss_nt_service_name
-#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
-#endif
-
-#define PROGRAM "negotiate_kerberos_auth"
-
-#ifndef MAX_AUTHTOKEN_LEN
-#define MAX_AUTHTOKEN_LEN 65535
-#endif
-#ifndef SQUID_KERB_AUTH_VERSION
-#define SQUID_KERB_AUTH_VERSION "3.0.4sq"
-#endif
-
-int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function, int log);
-char *gethost_name(void);
-static const char *LogTime(void);
-
-static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
-
-static const char *
-LogTime()
-{
- struct tm *tm;
- struct timeval now;
- static time_t last_t = 0;
- static char buf[128];
-
- gettimeofday(&now, NULL);
- if (now.tv_sec != last_t) {
- tm = localtime((time_t *) & now.tv_sec);
- strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
- last_t = now.tv_sec;
- }
- return buf;
-}
+#include "negotiate_kerberos.h"
char *
gethost_name(void)
@@ -155,7 +83,7 @@
int
check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
- const char *function, int log)
+ const char *function, int log, int sout)
{
if (GSS_ERROR(major_status)) {
OM_uint32 maj_stat, min_stat;
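Review bot: The new `sout` parameter is undocumented and its name says little about what it controls. A comment above the definition would help, e.g. `/* sout: when non-zero, also report the failure to Squid as a "BH ..." line on stdout; pass 0 for optional lookups whose failure must not end the request */`. That reading is based on the `if (sout)` guard added in the next hunk and on the PAC lookups later in the file that pass 0. The function body continues outside this hunk.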
@@ -198,7 +126,8 @@
gss_release_buffer(&min_stat, &status_string);
} while (msg_ctx);
debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, buf);
- fprintf(stdout, "BH %s failed: %s\n", function, buf);
+ if (sout)
+ fprintf(stdout, "BH %s failed: %s\n", function, buf);
if (log)
fprintf(stderr, "%s| %s: INFO: User not authenticated\n", LogTime(),
PROGRAM);
@@ -213,7 +142,20 @@
char buf[MAX_AUTHTOKEN_LEN];
char *c, *p;
char *user = NULL;
- int length = 0;
+ char *rfc_user = NULL;
+#if HAVE_PAC_SUPPORT
+ char ad_groups[MAX_PAC_GROUP_SIZE];
+ char *ag=NULL;
+ krb5_context context = NULL;
+ krb5_error_code ret;
+ krb5_pac pac;
+#if HAVE_HEIMDAL_KERBEROS
+ gss_buffer_desc data_set = GSS_C_EMPTY_BUFFER;
+#else
+ gss_buffer_desc type_id = GSS_C_EMPTY_BUFFER;
+#endif
+#endif
+ long length = 0;
static int err = 0;
int opt, log = 0, norealm = 0;
OM_uint32 ret_flags = 0, spnego_flag = 0;
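Review bot: `krb5_pac pac;` has no initialiser, yet the non-Heimdal path in the later `@@ -458,14 +392,49 @@` hunk passes `&pac` to `gss_release_any_name_mapping()` even when `gss_map_name_to_any()` failed. Declaring `krb5_pac pac = NULL;` and releasing only after a successful mapping avoids handing an indeterminate pointer to the library. `ag` is likewise set to NULL only here, before the `while (1)` request loop, and the visible hunks never reset it. A request without PAC data would therefore appear to log the previous request's groups, and `ag = NULL;` in the cleanup path would prevent that. The enclosing function starts and ends outside this hunk.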
@@ -284,6 +226,7 @@
snprintf((char *) service.value, strlen(service_name) + strlen(host_name) + 2,
"%s@%s", service_name, host_name);
service.length = strlen((char *) service.value);
+ xfree(host_name);
}
while (1) {
@@ -312,7 +255,7 @@
err = 0;
continue;
}
- debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %d).\n", LogTime(), PROGRAM, buf, length);
+ debug((char *) "%s| %s: DEBUG: Got '%s' from squid (length: %ld).\n", LogTime(), PROGRAM, buf, length);
if (buf[0] == '\0') {
debug((char *) "%s| %s: ERROR: Invalid request\n", LogTime(), PROGRAM);
@@ -338,23 +281,13 @@
if (kerberosToken) {
/* Allocated by parseNegTokenInit, but no matching free function exists.. */
if (!spnego_flag)
- xfree((char *) kerberosToken);
- kerberosToken = NULL;
+ xfree(kerberosToken);
}
if (spnego_flag) {
/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
- if (spnegoToken)
- xfree((char *) spnegoToken);
- spnegoToken = NULL;
- }
- if (token) {
- xfree(token);
- token = NULL;
- }
- if (host_name) {
- xfree(host_name);
- host_name = NULL;
+ xfree(spnegoToken);
}
+ xfree(token);
fprintf(stdout, "BH quit command\n");
exit(0);
}
@@ -373,12 +306,12 @@
fprintf(stdout, "BH Invalid negotiate request\n");
continue;
}
- input_token.length = base64_decode_len(buf+3);
+ input_token.length = (size_t)base64_decode_len(buf+3);
debug((char *) "%s| %s: DEBUG: Decode '%s' (decoded length: %d).\n",
LogTime(), PROGRAM, buf + 3, (int) input_token.length);
input_token.value = xmalloc(input_token.length);
- input_token.length = base64_decode((char *) input_token.value, input_token.length, buf+3);
+ input_token.length = (size_t)base64_decode((char *) input_token.value, (unsigned int)input_token.length, buf+3);
if ((input_token.length >= sizeof ntlmProtocol + 1) &&
(!memcmp(input_token.value, ntlmProtocol, sizeof ntlmProtocol))) {
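Review bot: The added casts silence -Wconversion without checking the value: `(size_t)base64_decode(...)` would turn a negative return into a very large `input_token.length`, which then passes the `>= sizeof ntlmProtocol + 1` test. The base64 API is not visible from this hunk, so this only matters if either function can return a value below zero; in that case keep the result in an `int`, reject `< 0`, and only then assign it to `input_token.length`. The same narrowing pattern appears as `(int)spnegoTokenLength` in the `@@ -424,16 +358,16 @@` hunk and as `(int)output_token.length` in negotiate_kerberos_auth_test.cc, where a length above `INT_MAX` would be truncated silently.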
@@ -399,19 +332,20 @@
} else {
server_name = GSS_C_NO_NAME;
major_status = GSS_S_COMPLETE;
+ minor_status = 0;
}
} else {
major_status = gss_import_name(&minor_status, &service,
gss_nt_service_name, &server_name);
}
- if (check_gss_err(major_status, minor_status, "gss_import_name()", log))
+ if (check_gss_err(major_status, minor_status, "gss_import_name()", log, 1))
goto cleanup;
major_status =
gss_acquire_cred(&minor_status, server_name, GSS_C_INDEFINITE,
GSS_C_NO_OID_SET, GSS_C_ACCEPT, &server_creds, NULL, NULL);
- if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log))
+ if (check_gss_err(major_status, minor_status, "gss_acquire_cred()", log, 1))
goto cleanup;
major_status = gss_accept_sec_context(&minor_status,
@@ -424,16 +358,16 @@
if (output_token.length) {
spnegoToken = (const unsigned char *) output_token.value;
spnegoTokenLength = output_token.length;
- token = (char *) xmalloc(base64_encode_len(spnegoTokenLength));
+ token = (char *) xmalloc((size_t)base64_encode_len((int)spnegoTokenLength));
if (token == NULL) {
debug((char *) "%s| %s: ERROR: Not enough memory\n", LogTime(), PROGRAM);
fprintf(stdout, "BH Not enough memory\n");
goto cleanup;
}
- base64_encode_str(token, base64_encode_len(spnegoTokenLength),
- (const char *) spnegoToken, spnegoTokenLength);
+ base64_encode_str(token, base64_encode_len((int)spnegoTokenLength),
+ (const char *) spnegoToken, (int)spnegoTokenLength);
- if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
+ if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1))
goto cleanup;
if (major_status & GSS_S_CONTINUE_NEEDED) {
debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
@@ -445,7 +379,7 @@
gss_display_name(&minor_status, client_name, &output_token,
NULL);
- if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
+ if (check_gss_err(major_status, minor_status, "gss_display_name()", log, 1))
goto cleanup;
user = (char *) xmalloc(output_token.length + 1);
if (user == NULL) {
@@ -458,14 +392,49 @@
if (norealm && (p = strchr(user, '@')) != NULL) {
*p = '\0';
}
+
+#if HAVE_PAC_SUPPORT
+ ret = krb5_init_context(&context);
+ if (!check_k5_err(context, "krb5_init_context", ret)) {
+#if HAVE_HEIMDAL_KERBEROS
+#define ADWIN2KPAC 128
+ major_status = gsskrb5_extract_authz_data_from_sec_context(&minor_status,
+ gss_context, ADWIN2KPAC, &data_set);
+ if (!check_gss_err(major_status, minor_status,
+ "gsskrb5_extract_authz_data_from_sec_context()", log, 0)) {
+ ret = krb5_pac_parse(context, data_set.value, data_set.length, &pac);
+ gss_release_buffer(&minor_status, &data_set);
+ if (!check_k5_err(context, "krb5_pac_parse", ret)) {
+ ag = get_ad_groups((char *)&ad_groups, context, pac);
+ krb5_pac_free(context, pac);
+ }
+ krb5_free_context(context);
+ }
+#else
+ type_id.value = (void *)"mspac";
+ type_id.length = strlen((char *)type_id.value);
+#define KRB5PACLOGONINFO 1
+ major_status = gss_map_name_to_any(&minor_status, client_name, KRB5PACLOGONINFO, &type_id, (gss_any_t *)&pac);
+ if (!check_gss_err(major_status, minor_status, "gss_map_name_to_any()", log, 0)) {
+ ag = get_ad_groups((char *)&ad_groups,context, pac);
+ }
+ (void)gss_release_any_name_mapping(&minor_status, client_name, &type_id, (gss_any_t *)&pac);
+ krb5_free_context(context);
+#endif
+ }
+ if (ag) {
+ debug((char *) "%s| %s: DEBUG: Groups %s\n", LogTime(), PROGRAM, ag);
+ }
+#endif
fprintf(stdout, "AF %s %s\n", token, user);
- debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, rfc1738_escape(user));
+ rfc_user = rfc1738_escape(user);
+ debug((char *) "%s| %s: DEBUG: AF %s %s\n", LogTime(), PROGRAM, token, rfc_user);
if (log)
fprintf(stderr, "%s| %s: INFO: User %s authenticated\n", LogTime(),
PROGRAM, rfc1738_escape(user));
goto cleanup;
} else {
- if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log))
+ if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1))
goto cleanup;
if (major_status & GSS_S_CONTINUE_NEEDED) {
debug((char *) "%s| %s: INFO: continuation needed\n", LogTime(), PROGRAM);
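Review bot: In the Heimdal branch `krb5_free_context(context);` sits inside the `if (!check_gss_err(...))` success block, so each request whose security context yields no PAC data leaves a krb5 context allocated. This helper serves requests in a loop, so the leak repeats; the call belongs after that block's closing brace, which is where the non-Heimdal branch already frees the context. Separately, `rfc_user` is computed for the debug line but the `fprintf(stderr, ...)` just below still calls `rfc1738_escape(user)` again; ending that call with `PROGRAM, rfc_user);` would make the two consistent. The enclosing function starts and ends outside this hunk.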
@@ -477,7 +446,7 @@
gss_display_name(&minor_status, client_name, &output_token,
NULL);
- if (check_gss_err(major_status, minor_status, "gss_display_name()", log))
+ if (check_gss_err(major_status, minor_status, "gss_display_name()", log, 1))
goto cleanup;
/*
* Return dummy token AA. May need an extra return tag then AF
@@ -511,23 +480,14 @@
if (kerberosToken) {
/* Allocated by parseNegTokenInit, but no matching free function exists.. */
if (!spnego_flag)
- xfree((char *) kerberosToken);
- kerberosToken = NULL;
+ safe_free(kerberosToken);
}
if (spnego_flag) {
/* Allocated by makeNegTokenTarg, but no matching free function exists.. */
- if (spnegoToken)
- xfree((char *) spnegoToken);
- spnegoToken = NULL;
- }
- if (token) {
- xfree(token);
- token = NULL;
- }
- if (user) {
- xfree(user);
- user = NULL;
+ safe_free(spnegoToken);
}
+ safe_free(token);
+ safe_free(user);
continue;
}
}
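Review bot: `kerberosToken` is now cleared only when `spnego_flag` is unset (assuming `safe_free` also NULLs its argument), whereas the removed `kerberosToken = NULL;` ran whenever the pointer was non-NULL, because the unbraced `if (!spnego_flag)` governed only the `xfree` line. Unless something reassigns it before the next request reads it, the pointer carries over into the next loop iteration still referring to data from the previous token. Adding `kerberosToken = NULL;` after the inner `if` restores the old behaviour. `ag` and `rfc_user`, both introduced by this commit, are not reset in this cleanup block either. The enclosing loop starts outside this hunk.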
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc
--- squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth_test.cc 2013-10-04 00:32:47.000000000 +1200
@@ -196,9 +196,9 @@
goto cleanup;
if (output_token.length) {
- token = (char *) xmalloc(base64_encode_len(output_token.length));
- base64_encode_str(token, base64_encode_len(output_token.length),
- (const char *) output_token.value, output_token.length);
+ token = (char *) xmalloc((size_t)base64_encode_len((int)output_token.length));
+ base64_encode_str(token, base64_encode_len((int)output_token.length),
+ (const char *) output_token.value, (int)output_token.length);
}
cleanup:
gss_delete_sec_context(&minor_status, &gss_context, NULL);
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos.h squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos.h
--- squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos.h 1970-01-01 12:00:00.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos.h 2013-10-04 00:32:47.000000000 +1200
@@ -0,0 +1,154 @@
+/*
+ * -----------------------------------------------------------------------------
+ *
+ * Author: Markus Moeller (markus_moeller at compuserve.com)
+ *
+ * Copyright (C) 2013 Markus Moeller. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * As a special exemption, M Moeller gives permission to link this program
+ * with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
+ * the resulting executable, without including the source code for
+ * the Libraries in the source distribution.
+ *
+ * -----------------------------------------------------------------------------
+ */
+
+#if HAVE_STRING_H
+#include
+#endif
+#if HAVE_STDIO_H
+#include
+#endif
+#if HAVE_NETDB_H
+#include
+#endif
+#if HAVE_UNISTD_H
+#include
+#endif
+#if HAVE_TIME_H
+#include
+#endif
+
+#include "util.h"
+#include "base64.h"
+
+#if HAVE_KRB5_H
+#if HAVE_BROKEN_SOLARIS_KRB5_H
+#warn "Warning! You have a broken Solaris system header"
+#warn "http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6837512"
+#if defined(__cplusplus)
+#define KRB5INT_BEGIN_DECLS extern "C" {
+#define KRB5INT_END_DECLS
+KRB5INT_BEGIN_DECLS
+#endif
+#endif /* HAVE_BROKEN_SOLARIS_KRB5_H */
+#if HAVE_BROKEN_HEIMDAL_KRB5_H
+extern "C" {
+#include
+}
+#else
+#include
+#endif
+#endif /* HAVE_KRB5_H */
+
+#if HAVE_GSSAPI_GSSAPI_H
+#include
+#elif HAVE_GSSAPI_H
+#include
+#endif
+
+#if !HAVE_HEIMDAL_KERBEROS
+#if HAVE_GSSAPI_GSSAPI_KRB5_H
+#include
+#endif
+#if HAVE_GSSAPI_GSSAPI_GENERIC_H
+#include
+#endif
+#if HAVE_GSSAPI_GSSAPI_EXT_H
+#include
+#endif
+#else
+#if HAVE_GSSAPI_GSSAPI_KRB5_H
+#include
+#endif
+#endif
+
+#ifndef gss_nt_service_name
+#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE
+#endif
+
+#define PROGRAM "negotiate_kerberos_auth"
+
+#ifndef MAX_AUTHTOKEN_LEN
+#define MAX_AUTHTOKEN_LEN 65535
+#endif
+#ifndef SQUID_KERB_AUTH_VERSION
+#define SQUID_KERB_AUTH_VERSION "3.0.4sq"
+#endif
+
+char *gethost_name(void);
+
+static const unsigned char ntlmProtocol[] = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
+
+inline const char *
+LogTime()
+{
+ struct tm *tm;
+ struct timeval now;
+ static time_t last_t = 0;
+ static char buf[128];
+
+ gettimeofday(&now, NULL);
+ if (now.tv_sec != last_t) {
+ tm = localtime((time_t *) & now.tv_sec);
+ strftime(buf, 127, "%Y/%m/%d %H:%M:%S", tm);
+ last_t = now.tv_sec;
+ }
+ return buf;
+}
+
+int check_gss_err(OM_uint32 major_status, OM_uint32 minor_status,
+ const char *function, int log, int sout);
+
+char *gethost_name(void);
+
+#if (defined(HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT) || defined(HAVE_GSS_MAP_NAME_TO_ANY)) && HAVE_KRB5_PAC
+#define HAVE_PAC_SUPPORT 1
+#define MAX_PAC_GROUP_SIZE 200*60
+typedef struct {
+ uint16_t length;
+ uint16_t maxlength;
+ uint32_t pointer;
+} RPC_UNICODE_STRING;
+
+int check_k5_err(krb5_context context, const char *msg, krb5_error_code code);
+void align(int n);
+void getustr(RPC_UNICODE_STRING *string);
+char **getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount);
+char *getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t GroupCount);
+char *getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount);
+uint64_t get6byt_be(void);
+uint32_t get4byt(void);
+uint16_t get2byt(void);
+uint8_t get1byt(void);
+char *xstrcpy( char *src, const char*dst);
+char *xstrcat( char *src, const char*dst);
+int checkustr(RPC_UNICODE_STRING *string);
+char *get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac);
+#else
+#define HAVE_PAC_SUPPORT 0
+#endif
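Review bot: `#warn` is not a preprocessor directive, so where `HAVE_BROKEN_SOLARIS_KRB5_H` is set those two lines would be rejected as invalid directives instead of printing the message; `#warning "..."` is the form GCC and clang accept. `MAX_PAC_GROUP_SIZE` should be parenthesised, `#define MAX_PAC_GROUP_SIZE (200*60)`, so it stays correct inside larger expressions. The header also has no include guard although it defines a typedef and an inline function, and it declares `gethost_name` twice.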
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc
--- squid-3.4.0.1/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc 1970-01-01 12:00:00.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/kerberos/negotiate_kerberos_pac.cc 2013-10-04 00:32:47.000000000 +1200
@@ -0,0 +1,467 @@
+/*
+ * -----------------------------------------------------------------------------
+ *
+ * Author: Markus Moeller (markus_moeller at compuserve.com)
+ *
+ * Copyright (C) 2007 Markus Moeller. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
+ *
+ * As a special exemption, M Moeller gives permission to link this program
+ * with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
+ * the resulting executable, without including the source code for
+ * the Libraries in the source distribution.
+ *
+ * -----------------------------------------------------------------------------
+ */
+
+#include "squid.h"
+#include "rfc1738.h"
+#include "compat/getaddrinfo.h"
+#include "compat/getnameinfo.h"
+
+#include "negotiate_kerberos.h"
+
+#if HAVE_PAC_SUPPORT
+
+static int bpos;
+static krb5_data *ad_data;
+static unsigned char *p;
+
+int
+check_k5_err(krb5_context context, const char *function, krb5_error_code code)
+{
+ const char *errmsg;
+
+ if (code) {
+ errmsg = krb5_get_error_message(context, code);
+ debug((char *) "%s| %s: ERROR: %s failed: %s\n", LogTime(), PROGRAM, function, errmsg);
+ fprintf(stderr, "%s| %s: ERROR: %s: %s\n", LogTime(), PROGRAM, function, errmsg);
+ krb5_free_error_message(context, errmsg);
+ }
+ return code;
+}
+
+void
+align(int n)
+{
+ if ( bpos % n != 0 ) {
+ int al;
+ al = (bpos/n);
+ bpos = bpos+(bpos-n*al);
+ }
+}
+
+void
+getustr(RPC_UNICODE_STRING *string)
+{
+
+ string->length = (uint16_t)((p[bpos]<<0) | (p[bpos+1]<<8));
+ string->maxlength = (uint16_t)((p[bpos+2]<<0) | (p[bpos+2+1]<<8));
+ string->pointer = (uint32_t)((p[bpos+4]<<0) | (p[bpos+4+1]<<8) | (p[bpos+4+2]<<16) | (p[bpos+4+3]<<24));
+ bpos = bpos+8;
+
+}
+
+uint64_t
+get6byt_be(void)
+{
+ uint64_t var;
+
+ var = ((uint64_t)p[bpos+5]<<0) | ((uint64_t)p[bpos+4]<<8) | ((uint64_t)p[bpos+3]<<16) | ((uint64_t)p[bpos+2]<<24) | ((uint64_t)p[bpos+1]<<32) | ((uint64_t)p[bpos]<<40);
+ bpos = bpos+6;
+
+ return var;
+}
+
+uint32_t
+get4byt(void)
+{
+ uint32_t var;
+
+ var=(uint32_t)((p[bpos]<<0) | (p[bpos+1]<<8) | (p[bpos+2]<<16) | (p[bpos+3]<<24));
+ bpos = bpos+4;
+
+ return var;
+}
+
+uint16_t
+get2byt(void)
+{
+ uint16_t var;
+
+ var=(uint16_t)((p[bpos]<<0) | (p[bpos+1]<<8));
+ bpos = bpos+2;
+
+ return var;
+}
+
+uint8_t
+get1byt(void)
+{
+ uint8_t var;
+
+ var=(uint8_t)((p[bpos]<<0));
+ bpos = bpos+1;
+
+ return var;
+}
+
+char *
+xstrcpy( char *src, const char *dst)
+{
+ if (dst) {
+ if (strlen(dst)>MAX_PAC_GROUP_SIZE)
+ return NULL;
+ else
+ return strcpy(src,dst);
+ } else
+ return src;
+}
+
+char *
+xstrcat( char *src, const char *dst)
+{
+ if (dst) {
+ if (strlen(src)+strlen(dst)+1>MAX_PAC_GROUP_SIZE)
+ return NULL;
+ else
+ return strcat(src,dst);
+ } else
+ return src;
+}
+
+int
+checkustr(RPC_UNICODE_STRING *string)
+{
+ uint32_t size,off,len;
+
+ if (string->pointer != 0) {
+ align(4);
+ size = (uint32_t)((p[bpos]<<0) | (p[bpos+1]<<8) | (p[bpos+2]<<16) | (p[bpos+3]<<24));
+ bpos = bpos+4;
+ off = (uint32_t)((p[bpos]<<0) | (p[bpos+1]<<8) | (p[bpos+2]<<16) | (p[bpos+3]<<24));
+ bpos = bpos+4;
+ len = (uint32_t)((p[bpos]<<0) | (p[bpos+1]<<8) | (p[bpos+2]<<16) | (p[bpos+3]<<24));
+ bpos = bpos+4;
+ if (len > size || off != 0 ||
+ string->length > string->maxlength || len != string->length/2) {
+ debug((char *) "%s| %s: ERROR: RPC_UNICODE_STRING encoding error => size: %d len: %d/%d maxlength: %d offset: %d\n",
+ LogTime(), PROGRAM, size, len, string->length, string->maxlength, off);
+ return -1;
+ }
+ /* UNICODE string */
+ bpos = bpos+string->length;
+ }
+ return 0;
+}
+
+char **
+getgids(char **Rids, uint32_t GroupIds, uint32_t GroupCount)
+{
+ if (GroupIds!= 0) {
+ uint32_t ngroup;
+ uint32_t sauth;
+ int l;
+
+ align(4);
+ ngroup = get4byt();
+ if ( ngroup != GroupCount) {
+ debug((char *) "%s| %s: ERROR: Group encoding error => GroupCount: %d Array size: %d\n",
+ LogTime(), PROGRAM, GroupCount, ngroup);
+ return NULL;
+ }
+ debug((char *) "%s| %s: INFO: Found %d rids\n", LogTime(), PROGRAM, GroupCount);
+
+ Rids=(char **)xcalloc(GroupCount*sizeof(char*),1);
+ for ( l=0; l<(int)GroupCount; l++) {
+ Rids[l]=(char *)xcalloc(4*sizeof(char),1);
+ memcpy((void *)Rids[l],(void *)&p[bpos],4);
+ sauth = get4byt();
+ debug((char *) "%s| %s: Info: Got rid: %u\n", LogTime(), PROGRAM, sauth);
+ /* attribute */
+ bpos = bpos+4;
+ }
+ }
+ return Rids;
+}
+
+char *
+getdomaingids(char *ad_groups, uint32_t DomainLogonId, char **Rids, uint32_t GroupCount)
+{
+ if (DomainLogonId!= 0) {
+ uint32_t nauth;
+ uint8_t rev;
+ uint64_t idauth;
+ uint32_t sauth;
+ char dli[256];
+ char *ag;
+ size_t length;
+ int l;
+
+ align(4);
+
+ nauth = get4byt();
+
+ /* prepend rids with DomainID */
+ length=1+1+6+nauth*4;
+ for (l=0; l<(int)GroupCount; l++) {
+ ag=(char *)xcalloc((length+4)*sizeof(char),1);
+ memcpy((void *)ag,(const void*)&p[bpos],1);
+ memcpy((void *)&ag[1],(const void*)&p[bpos+1],1);
+ ag[1] = ag[1]+1;
+ memcpy((void *)&ag[2],(const void*)&p[bpos+2],6+nauth*4);
+ memcpy((void *)&ag[length],(const void*)Rids[l],4);
+ if (l==0) {
+ if (!xstrcpy(ad_groups,"group=")) {
+ debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+ LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+ }
+ } else {
+ if (!xstrcat(ad_groups," group=")) {
+ debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+ LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+ }
+ }
+ if (!xstrcat(ad_groups,base64_encode_bin(ag, (int)(length+4)))) {
+ debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+ LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+ }
+ xfree(ag);
+ }
+
+ /* mainly for debug only */
+ rev = get1byt();
+ bpos = bpos + 1; /*nsub*/
+ idauth = get6byt_be();
+
+ snprintf(dli,sizeof(dli),"S-%d-%lu",rev,(long unsigned int)idauth);
+ for ( l=0; l<(int)nauth; l++ ) {
+ sauth = get4byt();
+ snprintf((char *)&dli[strlen(dli)],sizeof(dli)-strlen(dli),"-%u",sauth);
+ }
+ debug((char *) "%s| %s: INFO: Got DomainLogonId %s\n", LogTime(), PROGRAM, dli);
+ }
+ return ad_groups;
+}
+
+char *
+getextrasids(char *ad_groups, uint32_t ExtraSids, uint32_t SidCount)
+{
+ if (ExtraSids!= 0) {
+ uint32_t ngroup;
+ uint32_t *pa;
+ char *ag;
+ size_t length;
+ int l;
+
+ align(4);
+ ngroup = get4byt();
+ if ( ngroup != SidCount) {
+ debug((char *) "%s| %s: ERROR: Group encoding error => SidCount: %d Array size: %d\n",
+ LogTime(), PROGRAM, SidCount, ngroup);
+ return NULL;
+ }
+ debug((char *) "%s| %s: INFO: Found %d ExtraSIDs\n", LogTime(), PROGRAM, SidCount);
+
+ pa=(uint32_t *)xmalloc(SidCount*sizeof(uint32_t));
+ for ( l=0; l < (int)SidCount; l++ ) {
+ pa[l] = get4byt();
+ bpos = bpos+4; /* attr */
+ }
+
+ for ( l=0; l<(int)SidCount; l++ ) {
+ char es[256];
+ uint32_t nauth;
+ uint8_t rev;
+ uint64_t idauth;
+ uint32_t sauth;
+ int k;
+
+ if (pa[l] != 0) {
+ nauth = get4byt();
+
+ length = 1+1+6+nauth*4;
+ ag = (char *)xcalloc((length)*sizeof(char),1);
+ memcpy((void *)ag,(const void*)&p[bpos],length);
+ if (!ad_groups) {
+ if (!xstrcpy(ad_groups,"group=")) {
+ debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+ LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+ }
+ } else {
+ if (!xstrcat(ad_groups," group=")) {
+ debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+ LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+ }
+ }
+ if (!xstrcat(ad_groups,base64_encode_bin(ag, (int)length))) {
+ debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+ LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+ }
+ xfree(ag);
+
+ rev = get1byt();
+ bpos = bpos + 1; /* nsub */
+ idauth = get6byt_be();
+
+ snprintf(es,sizeof(es),"S-%d-%lu",rev,(long unsigned int)idauth);
+ for ( k=0; k<(int)nauth; k++ ) {
+ sauth = get4byt();
+ snprintf((char *)&es[strlen(es)],sizeof(es)-strlen(es),"-%u",sauth);
+ }
+ debug((char *) "%s| %s: INFO: Got ExtraSid %s\n", LogTime(), PROGRAM, es);
+ }
+ }
+ xfree(pa);
+ }
+ return ad_groups;
+}
+
+char *
+get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac)
+{
+ krb5_error_code ret;
+ RPC_UNICODE_STRING EffectiveName;
+ RPC_UNICODE_STRING FullName;
+ RPC_UNICODE_STRING LogonScript;
+ RPC_UNICODE_STRING ProfilePath;
+ RPC_UNICODE_STRING HomeDirectory;
+ RPC_UNICODE_STRING HomeDirectoryDrive;
+ RPC_UNICODE_STRING LogonServer;
+ RPC_UNICODE_STRING LogonDomainName;
+ uint32_t GroupCount=0;
+ uint32_t GroupIds=0;
+ uint32_t LogonDomainId=0;
+ uint32_t SidCount=0;
+ uint32_t ExtraSids=0;
+ /*
+ uint32_t ResourceGroupDomainSid=0;
+ uint32_t ResourceGroupCount=0;
+ uint32_t ResourceGroupIds=0;
+ */
+ char **Rids=NULL;
+ int l=0;
+
+ ad_data = (krb5_data *)xmalloc(sizeof(krb5_data));
+
+#define KERB_LOGON_INFO 1
+ ret = krb5_pac_get_buffer(context, pac, KERB_LOGON_INFO, ad_data);
+ if (check_k5_err(context, "krb5_pac_get_buffer", ret))
+ goto k5clean;
+
+ p = (unsigned char *)ad_data->data;
+
+ debug((char *) "%s| %s: INFO: Got PAC data of lengh %d\n",
+ LogTime(), PROGRAM, (int)ad_data->length);
+
+ /* Skip 16 bytes icommon RPC header
+ * Skip 4 bytes RPC unique pointer referent
+ * http://msdn.microsoft.com/en-gb/library/cc237933.aspx
+ */
+ /* Some data are pointers to data which follows the main KRB5 LOGON structure =>
+ * So need to read the data
+ * some logical consistency checks are done when analysineg the pointer data
+ */
+ bpos = 20;
+ /* 8 bytes LogonTime
+ * 8 bytes LogoffTime
+ * 8 bytes KickOffTime
+ * 8 bytes PasswordLastSet
+ * 8 bytes PasswordCanChange
+ * 8 bytes PasswordMustChange
+ */
+ bpos = bpos+48;
+ getustr(&EffectiveName);
+ getustr(&FullName);
+ getustr(&LogonScript);
+ getustr(&ProfilePath);
+ getustr(&HomeDirectory);
+ getustr(&HomeDirectoryDrive);
+ /* 2 bytes LogonCount
+ * 2 bytes BadPasswordCount
+ * 4 bytes UserID
+ * 4 bytes PrimaryGroupId
+ */
+ bpos = bpos+12;
+ GroupCount = get4byt();
+ GroupIds = get4byt();
+ /* 4 bytes UserFlags
+ * 16 bytes UserSessionKey
+ */
+ bpos = bpos+20;
+ getustr(&LogonServer);
+ getustr(&LogonDomainName);
+ LogonDomainId = get4byt();
+ /* 8 bytes Reserved1
+ * 4 bytes UserAccountControl
+ * 4 bytes SubAuthStatus
+ * 8 bytes LastSuccessfullLogon
+ * 8 bytes LastFailedLogon
+ * 4 bytes FailedLogonCount
+ * 4 bytes Reserved2
+ */
+ bpos = bpos+40;
+ SidCount = get4byt();
+ ExtraSids = get4byt();
+ /* 4 bytes ResourceGroupDomainSid
+ * 4 bytes ResourceGroupCount
+ * 4 bytes ResourceGroupIds
+ */
+ bpos = bpos+12;
+ /*
+ * Read all data from structure => Now check pointers
+ */
+ if (checkustr(&EffectiveName)<0)
+ goto k5clean;
+ if (checkustr(&FullName)<0)
+ goto k5clean;
+ if (checkustr(&LogonScript)<0)
+ goto k5clean;
+ if (checkustr(&ProfilePath)<0)
+ goto k5clean;
+ if (checkustr(&HomeDirectory)<0)
+ goto k5clean;
+ if (checkustr(&HomeDirectoryDrive)<0)
+ goto k5clean;
+ Rids = getgids(Rids,GroupIds,GroupCount);
+ if (checkustr(&LogonServer)<0)
+ goto k5clean;
+ if (checkustr(&LogonDomainName)<0)
+ goto k5clean;
+ ad_groups = getdomaingids(ad_groups,LogonDomainId,Rids,GroupCount);
+ if ((ad_groups = getextrasids(ad_groups,ExtraSids,SidCount))==NULL)
+ goto k5clean;
+
+ debug((char *) "%s| %s: INFO: Read %d of %d bytes \n", LogTime(), PROGRAM, bpos, (int)ad_data->length);
+ if (Rids) {
+ for ( l=0; l<(int)GroupCount; l++) {
+ xfree(Rids[l]);
+ }
+ xfree(Rids);
+ }
+ krb5_free_data(context, ad_data);
+ return ad_groups;
+k5clean:
+ if (Rids) {
+ for ( l=0; l<(int)GroupCount; l++) {
+ xfree(Rids[l]);
+ }
+ xfree(Rids);
+ }
+ krb5_free_data(context, ad_data);
+ return NULL;
+}
+#endif
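Review bot: None of the readers in this file (`getustr`, `get6byt_be`, `get4byt`, `get2byt`, `get1byt`, `checkustr`) compare `bpos` with `ad_data->length`, and `getdomaingids`/`getextrasids` use the decoded `nauth` directly in `memcpy` lengths, so a truncated or malformed logon-info buffer makes the parser read past the end of the PAC data. `align()` adds the remainder instead of rounding up (bpos 5 with n 4 gives 6, not 8), which shifts every later offset. `getdomaingids` indexes `Rids[l]` although `get_ad_groups` never checks whether `getgids` returned NULL. The caller's `ad_groups` array is declared without an initialiser and is only written by `xstrcpy` when the domain loop runs at least once, so `xstrcat` can call `strlen` on unset memory. I would add a bounds helper that runs before every read and copy, fix `align`, and make `get_ad_groups` treat a NULL from `getgids` or `getdomaingids` as a parse failure and start with `ad_groups[0] = '\0'`; a sketch of the first two follows.

```cpp
/* Review sketch: true when `need` more bytes can be read at bpos. */
static bool
pac_avail(size_t need)
{
    return bpos >= 0 && (size_t)bpos <= ad_data->length &&
           need <= ad_data->length - (size_t)bpos;
}

void
align(int n)
{
    if ( bpos % n != 0 ) {
        /* round up to the next multiple of n */
        bpos = bpos + (n - bpos % n);
    }
}

// … unchanged: getustr, get6byt_be, get4byt, get2byt, get1byt, xstrcpy, xstrcat, checkustr, getgids …

// in getdomaingids(), replacing the bare `nauth = get4byt();`
        if (!pac_avail(4))
            return NULL;
        nauth = get4byt();
        /* 1 byte revision + 1 byte count + 6 bytes authority + nauth sub-authorities */
        if (nauth > ad_data->length / 4 || !pac_avail(8 + (size_t)nauth * 4) ||
                (GroupCount != 0 && Rids == NULL)) {
            debug((char *) "%s| %s: ERROR: Domain SID does not fit in PAC buffer\n", LogTime(), PROGRAM);
            return NULL;
        }
```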
diff -u -r -N squid-3.4.0.1/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc squid-3.4.0.2/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
--- squid-3.4.0.1/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc 2013-10-04 00:32:47.000000000 +1200
@@ -46,9 +46,6 @@
#if HAVE_TIME_H
#include
#endif
-#if HAVE_SYS_TIME_H
-#include
-#endif
#if HAVE_ERRNO_H
#include
#endif
diff -u -r -N squid-3.4.0.1/helpers/storeid_rewrite/file/storeid_file_rewrite.8 squid-3.4.0.2/helpers/storeid_rewrite/file/storeid_file_rewrite.8
--- squid-3.4.0.1/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2013-07-29 11:04:56.000000000 +1200
+++ squid-3.4.0.2/helpers/storeid_rewrite/file/storeid_file_rewrite.8 2013-10-04 00:49:52.000000000 +1200
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "STOREID_FILE_REWRITE 1"
-.TH STOREID_FILE_REWRITE 1 "2013-07-28" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH STOREID_FILE_REWRITE 1 "2013-10-03" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
diff -u -r -N squid-3.4.0.1/include/autoconf.h.in squid-3.4.0.2/include/autoconf.h.in
--- squid-3.4.0.1/include/autoconf.h.in 2013-07-29 10:46:25.000000000 +1200
+++ squid-3.4.0.2/include/autoconf.h.in 2013-10-04 00:33:05.000000000 +1200
@@ -320,6 +320,16 @@
/* Define to 1 if you have the header file. */
#undef HAVE_GSSAPI_H
+/* Define to 1 if you have the `gsskrb5_extract_authz_data_from_sec_context'
+ function. */
+#undef HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
+
+/* Define to 1 if you have gss_map_name_to_any */
+#undef HAVE_GSS_MAP_ANY_TO_ANY
+
+/* Define to 1 if you have the `gss_map_name_to_any' function. */
+#undef HAVE_GSS_MAP_NAME_TO_ANY
+
/* Define to 1 if you have Heimdal Kerberos */
#undef HAVE_HEIMDAL_KERBEROS
@@ -386,12 +396,21 @@
/* Define to 1 if you have krb5_get_err_text */
#undef HAVE_KRB5_GET_ERR_TEXT
+/* Define to 1 if you krb5_get_init_creds_free requires krb5_context */
+#undef HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT
+
+/* Define to 1 if you have krb5_get_init_creds_opt_alloc */
+#undef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+
/* Define to 1 if you have krb5_get_max_time_skew */
#undef HAVE_KRB5_GET_MAX_TIME_SKEW
/* Define to 1 if you have krb5_get_profile */
#undef HAVE_KRB5_GET_PROFILE
+/* Define to 1 if you have krb5_get_renewed_creds */
+#undef HAVE_KRB5_GET_RENEWED_CREDS
+
/* Define to 1 if you have the header file. */
#undef HAVE_KRB5_H
@@ -401,6 +420,12 @@
/* Define if kerberos has MEMORY: cache support */
#undef HAVE_KRB5_MEMORY_CACHE
+/* Define to 1 if you have krb5_pac */
+#undef HAVE_KRB5_PAC
+
+/* Define to 1 if you have krb5_principal_get_realm */
+#undef HAVE_KRB5_PRINCIPAL_GET_REALM
+
/* Define to 1 if you have the header file. */
#undef HAVE_LBER_H
diff -u -r -N squid-3.4.0.1/include/version.h squid-3.4.0.2/include/version.h
--- squid-3.4.0.1/include/version.h 2013-07-29 10:46:52.000000000 +1200
+++ squid-3.4.0.2/include/version.h 2013-10-04 00:33:30.000000000 +1200
@@ -7,7 +7,7 @@
*/
#ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1375051560
+#define SQUID_RELEASE_TIME 1380803565
#endif
#ifndef APP_SHORTNAME
diff -u -r -N squid-3.4.0.1/lib/getopt.c squid-3.4.0.2/lib/getopt.c
--- squid-3.4.0.1/lib/getopt.c 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/getopt.c 2013-10-04 00:32:47.000000000 +1200
@@ -45,7 +45,7 @@
#define BADCH (int)'?'
#define BADARG (int)':'
-#define EMSG ""
+#define EMSG (char*)""
/*
* getopt --
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb-common.h squid-3.4.0.2/lib/rfcnb/rfcnb-common.h
--- squid-3.4.0.1/lib/rfcnb/rfcnb-common.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb-common.h 2013-10-04 00:32:47.000000000 +1200
@@ -26,7 +26,7 @@
#ifndef _RFCNB_RFCNB_COMMON_H
#define _RFCNB_RFCNB_COMMON_H
-#ifdef __cplusplus
+#if defined(__cplusplus)
extern "C" {
#endif
@@ -40,8 +40,7 @@
} RFCNB_Pkt;
-#ifdef __cplusplus
+#if defined(__cplusplus)
}
-
#endif
-#endif /* _RFCNB_RFCNB_COMMON_H */
+#endif /* _RFCNB_RFCNB_COMMON_H */
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb.h squid-3.4.0.2/lib/rfcnb/rfcnb.h
--- squid-3.4.0.1/lib/rfcnb/rfcnb.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb.h 2013-10-04 00:32:47.000000000 +1200
@@ -28,8 +28,8 @@
/* Error responses */
-#include "rfcnb/rfcnb-error.h"
#include "rfcnb/rfcnb-common.h"
+#include "rfcnb/rfcnb-error.h"
#ifdef __cplusplus
extern "C" {
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb-io.c squid-3.4.0.2/lib/rfcnb/rfcnb-io.c
--- squid-3.4.0.1/lib/rfcnb/rfcnb-io.c 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb-io.c 2013-10-04 00:32:47.000000000 +1200
@@ -25,10 +25,10 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
-#include "rfcnb/std-includes.h"
+#include "rfcnb/rfcnb-io.h"
#include "rfcnb/rfcnb-priv.h"
#include "rfcnb/rfcnb-util.h"
-#include "rfcnb/rfcnb-io.h"
+#include "rfcnb/std-includes.h"
#include
#include
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb-io.h squid-3.4.0.2/lib/rfcnb/rfcnb-io.h
--- squid-3.4.0.1/lib/rfcnb/rfcnb-io.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb-io.h 2013-10-04 00:32:47.000000000 +1200
@@ -1,3 +1,6 @@
+#ifndef _SQUID__LIB_RFCNB_RFCNB_IO_H
+#define _SQUID__LIB_RFCNB_RFCNB_IO_H
+
/* UNIX RFCNB (RFC1001/RFC1002) NetBIOS implementation
*
* Version 1.0
@@ -23,6 +26,10 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#include "rfcnb/rfcnb.h"
+
int RFCNB_Put_Pkt(struct RFCNB_Con *con, struct RFCNB_Pkt *pkt, int len);
int RFCNB_Get_Pkt(struct RFCNB_Con *con, struct RFCNB_Pkt *pkt, int len);
+
+#endif
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb-priv.h squid-3.4.0.2/lib/rfcnb/rfcnb-priv.h
--- squid-3.4.0.1/lib/rfcnb/rfcnb-priv.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb-priv.h 2013-10-04 00:32:47.000000000 +1200
@@ -32,9 +32,13 @@
#define GLOBAL extern
-#include "rfcnb/rfcnb-error.h"
-#include "rfcnb/rfcnb-common.h"
#include "rfcnb/byteorder.h"
+#include "rfcnb/rfcnb-common.h"
+#include "rfcnb/rfcnb-error.h"
+
+#if HAVE_NETINET_IN_H
+#include
+#endif
#ifdef RFCNB_PORT
#define RFCNB_Default_Port RFCNB_PORT
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb-util.c squid-3.4.0.2/lib/rfcnb/rfcnb-util.c
--- squid-3.4.0.1/lib/rfcnb/rfcnb-util.c 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb-util.c 2013-10-04 00:32:47.000000000 +1200
@@ -25,11 +25,11 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
-#include "rfcnb/rfcnb.h"
-#include "rfcnb/std-includes.h"
+#include "rfcnb/rfcnb-io.h"
#include "rfcnb/rfcnb-priv.h"
#include "rfcnb/rfcnb-util.h"
-#include "rfcnb/rfcnb-io.h"
+#include "rfcnb/rfcnb.h"
+#include "rfcnb/std-includes.h"
#if HAVE_ARPA_INET_H
#include
diff -u -r -N squid-3.4.0.1/lib/rfcnb/rfcnb-util.h squid-3.4.0.2/lib/rfcnb/rfcnb-util.h
--- squid-3.4.0.1/lib/rfcnb/rfcnb-util.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/rfcnb-util.h 2013-10-04 00:32:47.000000000 +1200
@@ -1,3 +1,6 @@
+#ifndef _RFCNB_RFCNB_UTIL_H
+#define _RFCNB_RFCNB_UTIL_H
+
/* UNIX RFCNB (RFC1001/RFC1002) NetBIOS implementation
*
* Version 1.0
@@ -23,6 +26,8 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#include "rfcnb/std-includes.h"
+
void RFCNB_CvtPad_Name(char *name1, char *name2);
void RFCNB_AName_To_NBName(char *AName, char *NBName);
@@ -48,3 +53,5 @@
typedef void RFCNB_Prot_Print_Routine(FILE * fd, int dir, struct RFCNB_Pkt *pkt, int header, int payload);
extern RFCNB_Prot_Print_Routine *Prot_Print_Routine;
+
+#endif /* _RFCNB_RFCNB_UTIL_H */
diff -u -r -N squid-3.4.0.1/lib/rfcnb/session.c squid-3.4.0.2/lib/rfcnb/session.c
--- squid-3.4.0.1/lib/rfcnb/session.c 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/rfcnb/session.c 2013-10-04 00:32:47.000000000 +1200
@@ -31,10 +31,10 @@
#include "rfcnb/std-includes.h"
#include
-#include "rfcnb/rfcnb.h"
-#include "rfcnb/rfcnb-priv.h"
#include "rfcnb/rfcnb-io.h"
+#include "rfcnb/rfcnb-priv.h"
#include "rfcnb/rfcnb-util.h"
+#include "rfcnb/rfcnb.h"
#if HAVE_STRING_H
#include
@@ -84,7 +84,7 @@
/* Resolve that name into an IP address */
Service_Address = Called_Name;
- if (strcmp(Called_Address, "") != 0) { /* If the Called Address = "" */
+ if (strlen(Called_Address) != 0) { /* If the Called Address = "" */
Service_Address = Called_Address;
}
if ((errno = RFCNB_Name_To_IP(Service_Address, &Dest_IP)) < 0) { /* Error */
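Review bot: The trailing comment on the changed line still reads `/* If the Called Address = "" */`, but the condition is true when the address is not empty, so the comment describes the opposite branch. Something like `/* Prefer the Called Address when one was given */` matches the code. Testing the first byte, `if (Called_Address[0] != '\0') {`, states the emptiness check directly without scanning the string; the two smblib.c hunks further down use the same `strlen(...) == 0` form. Neither form guards against a NULL `Called_Address`, and whether callers can pass one is not visible here, since the enclosing function starts and ends outside the hunk.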
diff -u -r -N squid-3.4.0.1/lib/smblib/smblib.c squid-3.4.0.2/lib/smblib/smblib.c
--- squid-3.4.0.1/lib/smblib/smblib.c 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/lib/smblib/smblib.c 2013-10-04 00:32:47.000000000 +1200
@@ -152,7 +152,7 @@
calling[strlen(con -> myname)] = 0; /* Make it a string */
- if (strcmp(con -> address, "") == 0)
+ if (strlen(con -> address) == 0)
address = con -> desthost;
else
address = con -> address;
@@ -268,7 +268,7 @@
calling[strlen(con -> myname)] = 0; /* Make it a string */
- if (strcmp(con -> address, "") == 0)
+ if (strlen(con -> address) == 0)
address = con -> desthost;
else
address = con -> address;
diff -u -r -N squid-3.4.0.1/RELEASENOTES.html squid-3.4.0.2/RELEASENOTES.html
--- squid-3.4.0.1/RELEASENOTES.html 2013-07-29 11:05:10.000000000 +1200
+++ squid-3.4.0.2/RELEASENOTES.html 2013-10-04 00:49:57.000000000 +1200
@@ -2,10 +2,10 @@
- Squid 3.4.0.1 release notes
+ Squid 3.4.0.2 release notes
-Squid 3.4.0.1 release notes
+Squid 3.4.0.2 release notes
Squid Developers
@@ -57,7 +57,7 @@
-The Squid Team are pleased to announce the release of Squid-3.4.0.1 for testing.
+The Squid Team are pleased to announce the release of Squid-3.4.0.2 for testing.
This new release is available for download from
http://www.squid-cache.org/Versions/v3/3.4/ or the
mirrors.
@@ -243,14 +243,16 @@
-The internal DNS component fof Squid now supports multicast DNS (mDNS) resolution in
+
The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
accordance with RFC 6762.
-There is no additional or special configuration required. The multicast DNS group IP
-addresses for IPv4 and IPv6 resolving are added to the set of available DNS resolvers
-and used automatically for domain names ending in .local before attempting a
-secondary resolution on the configured resolvers. Domains without .local are
-resolved using only the configured DNS resolvers.
+The dns_multicast_local directive must be set to on to enable this
+feature.
+
+The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
+of available DNS resolvers and used automatically for domain names ending in .local
+and reverse-DNS lookups before attempting a secondary resolution on the configured
+resolvers. Domains without .local are resolved using only the configured resolvers.
Statistics for multicast DNS resolution can be found on the idns cache manager
report.
@@ -288,7 +290,12 @@
- configuration_includes_quoted_values
-
Whether Squid supports directive parameters with spaces, quotes, and other
-special characters. Surround such parameters with "double quotes".
+special characters. Surround such parameters with "double quotes" and
+also set this directive on/off around the relevant squid.conf line(s)
+making use of such quoting.
+
+dns_multicast_local
+Use multicast DNS for .local domains and reverse-DNS resolution.
note
Use ACLs to annotate a transaction with customized annotations
@@ -461,6 +468,13 @@
omit to get all helper auto-detected.
Currenly only a helper using file for backend is provided.
+--disable-arch-native
+New option to disable use of -march=native compiler flag.
+The new flag auto-enables CPU-specific optimizations in GCC and is
+required by Clang++ v3.2 for correct 64-bit environment detection.
+It does not always work well however, so this build option is provided
+to remove it when necessary.
+
--with-nat-devpf
New option to alter the behaviour of http_port ... intercept option
in squid.conf.
diff -u -r -N squid-3.4.0.1/SPONSORS squid-3.4.0.2/SPONSORS
--- squid-3.4.0.1/SPONSORS 2013-07-29 10:46:52.000000000 +1200
+++ squid-3.4.0.2/SPONSORS 2013-10-04 00:33:30.000000000 +1200
@@ -3,23 +3,6 @@
the Squid Project:
-Netbox Blue Pty (http://netboxblue.com/)
-
- Netbox Blue Pty. contributed development resources towards
- testing and stabilizing of authentication systems in Squid-3.2
- and Squid-3.3.
-
-
-iiNet Ltd - http://www.iinet.net.au/
-
- iiNet Ltd contributed significant development resources to
- Squid during its early stages and was instrumental in its
- early adoption in the local internet community.
- In Squid-2.6 and 3.0 iiNet supplied equipment to help develop
- and test the WCCPv2 implementation.
- In Squid-3.2 iiNet sponsored development time to resolve
- authentication problems.
-
LaunchPad - http://launchpad.net/
Provide Bazaar mirroring services and host the Squid-3 developer
@@ -30,10 +13,6 @@
Messagenet donated hardware and bandwidth for the wiki server
and most continuous integration testing.
-Palisade Systems - http://www.palisadesys.com/
-
- Palisade Systems funded SSL Bump feature development in Squid3.
-
The Measurement Factory - http://www.measurement-factory.com/
Measurement Factory has constributed significant resources
@@ -46,6 +25,33 @@
gateways and CDN.
+iCelero - http://icelero.com/
+
+ iCelero.com contributed development resources towards
+ testing and stabilization of Squid-3.3 on Windows.
+
+Netbox Blue Pty - http://netboxblue.com/
+
+ Netbox Blue Pty. contributed development resources towards
+ testing and stabilizing of authentication systems in Squid-3.2
+ and Squid-3.3.
+
+
+iiNet Ltd - http://www.iinet.net.au/
+
+ iiNet Ltd contributed significant development resources to
+ Squid during its early stages and was instrumental in its
+ early adoption in the local internet community.
+ In Squid-2.6 and 3.0 iiNet supplied equipment to help develop
+ and test the WCCPv2 implementation.
+ In Squid-3.2 iiNet sponsored development time to resolve
+ authentication problems.
+
+Palisade Systems - http://www.palisadesys.com/
+
+ Palisade Systems funded SSL Bump feature development in Squid3.
+
+
Barefruit - http://www.barefruit.com/
Barefruit has funded Squid-3.0 and 3.1 development and maintenance,
diff -u -r -N squid-3.4.0.1/src/acl/Acl.cc squid-3.4.0.2/src/acl/Acl.cc
--- squid-3.4.0.1/src/acl/Acl.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/acl/Acl.cc 2013-10-04 00:32:47.000000000 +1200
@@ -73,10 +73,10 @@
/*Regex code needs to parse -i file*/
if ( isSet(ACL_F_REGEX_CASE))
- ConfigParser::TokenPutBack("-i");
+ ConfigParser::strtokFilePutBack("-i");
if (nextToken != NULL && strcmp(nextToken, "--") != 0 )
- ConfigParser::TokenUndo();
+ ConfigParser::strtokFileUndo();
}
const char *
@@ -200,7 +200,7 @@
/* snarf the ACL name */
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(28, DBG_CRITICAL, "aclParseAclLine: missing ACL name.");
parser.destruct();
return;
@@ -217,7 +217,7 @@
/* snarf the ACL type */
const char *theType;
- if ((theType = ConfigParser::NextToken()) == NULL) {
+ if ((theType = strtok(NULL, w_space)) == NULL) {
debugs(28, DBG_CRITICAL, "aclParseAclLine: missing ACL type.");
parser.destruct();
return;
@@ -401,6 +401,14 @@
AclMatchedName = NULL; // in case it was pointing to our name
}
+/// Temporary hack to allow old ACL code to handle quoted values without
+/// replacing every strtok() call.
+char *
+ACL::strtok(char *str, const char *delimiters)
+{
+ return xstrtok(str, delimiters);
+}
+
ACL::Prototype::Prototype() : prototype (NULL), typeString (NULL) {}
ACL::Prototype::Prototype (ACL const *aPrototype, char const *aType) : prototype (aPrototype), typeString (aType)
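Review bot: Naming the new wrapper `ACL::strtok` hides the C library function inside ACL members, so an unqualified `strtok(NULL, w_space)` calls `xstrtok()` there, while the same text in a free function such as the deny_info parser in Gadgets.cc presumably still reaches libc `strtok` unless something outside these hunks redirects it. Two identical-looking calls can then tokenise quoted values differently, which is easy to miss when reviewing ACL parsing changes. A distinct name would make the choice visible at each call site; failing that, the declaration in Acl.h and the matching member added in Data.h should carry a comment such as `/// NOTE: hides ::strtok within this class; forwards to xstrtok()`. The comment here also lacks the `XXX:` marker that the Data.h copy uses, so a search for temporary hacks will find only one of the two.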
diff -u -r -N squid-3.4.0.1/src/acl/Acl.h squid-3.4.0.2/src/acl/Acl.h
--- squid-3.4.0.1/src/acl/Acl.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/acl/Acl.h 2013-10-04 00:32:47.000000000 +1200
@@ -171,6 +171,9 @@
virtual bool requiresRequest() const;
/// whether our (i.e. shallow) match() requires checklist to have a reply
virtual bool requiresReply() const;
+
+protected:
+ static char *strtok(char *str, const char *delimiters);
};
/// \ingroup ACLAPI
diff -u -r -N squid-3.4.0.1/src/acl/Data.h squid-3.4.0.2/src/acl/Data.h
--- squid-3.4.0.1/src/acl/Data.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/acl/Data.h 2013-10-04 00:32:47.000000000 +1200
@@ -33,6 +33,7 @@
#define SQUID_ACLDATA_H
class wordlist;
+extern char *xstrtok(char *str, const char *delimiters);
/// \ingroup ACLAPI
template
@@ -50,6 +51,10 @@
virtual void prepareForUse() {}
virtual bool empty() const =0;
+
+ /// XXX: Temporary hack to allow old ACL code to handle quoted values without
+ /// replacing every strtok() call.
+ char *strtok(char *str, const char *dels) { return xstrtok(str, dels); }
};
#endif /* SQUID_ACLDATA_H */
diff -u -r -N squid-3.4.0.1/src/acl/Gadgets.cc squid-3.4.0.2/src/acl/Gadgets.cc
--- squid-3.4.0.1/src/acl/Gadgets.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/acl/Gadgets.cc 2013-10-04 00:32:47.000000000 +1200
@@ -120,7 +120,7 @@
/* first expect a page name */
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: missing 'error page' parameter.");
return;
@@ -133,7 +133,7 @@
/* next expect a list of ACL names */
Tail = &A->acl_list;
- while ((t = ConfigParser::NextToken())) {
+ while ((t = strtok(NULL, w_space))) {
L = (AclNameList *)memAllocate(MEM_ACL_NAME_LIST);
xstrncpy(L->name, t, ACL_NAME_SZ-1);
*Tail = L;
@@ -157,7 +157,7 @@
aclParseAccessLine(const char *directive, ConfigParser &, acl_access **treep)
{
/* first expect either 'allow' or 'deny' */
- const char *t = ConfigParser::NextToken();
+ const char *t = ConfigParser::strtokFile();
if (!t) {
debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
diff -u -r -N squid-3.4.0.1/src/adaptation/Config.cc squid-3.4.0.2/src/adaptation/Config.cc
--- squid-3.4.0.1/src/adaptation/Config.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/adaptation/Config.cc 2013-10-04 00:32:47.000000000 +1200
@@ -264,7 +264,8 @@
void
Adaptation::Config::ParseAccess(ConfigParser &parser)
{
- String groupId = ConfigParser::NextToken();
+ String groupId;
+ ConfigParser::ParseString(&groupId);
AccessRule *r;
if (!(r=FindRuleByGroupId(groupId))) {
r = new AccessRule(groupId);
diff -u -r -N squid-3.4.0.1/src/adaptation/ServiceConfig.cc squid-3.4.0.2/src/adaptation/ServiceConfig.cc
--- squid-3.4.0.1/src/adaptation/ServiceConfig.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/adaptation/ServiceConfig.cc 2013-10-04 00:32:47.000000000 +1200
@@ -61,8 +61,10 @@
bool
Adaptation::ServiceConfig::parse()
{
- key = ConfigParser::NextToken();
- String method_point = ConfigParser::NextToken();
+ String method_point;
+
+ ConfigParser::ParseString(&key);
+ ConfigParser::ParseString(&method_point);
method = parseMethod(method_point.termedBuf());
point = parseVectPoint(method_point.termedBuf());
@@ -74,7 +76,7 @@
bool onOverloadSet = false;
std::set options;
- while (char *option = ConfigParser::NextToken()) {
+ while (char *option = strtok(NULL, w_space)) {
const char *name = option;
const char *value = "";
if (strcmp(option, "0") == 0) { // backward compatibility
diff -u -r -N squid-3.4.0.1/src/adaptation/ServiceGroups.cc squid-3.4.0.2/src/adaptation/ServiceGroups.cc
--- squid-3.4.0.1/src/adaptation/ServiceGroups.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/adaptation/ServiceGroups.cc 2013-10-04 00:32:47.000000000 +1200
@@ -23,7 +23,7 @@
void
Adaptation::ServiceGroup::parse()
{
- id = ConfigParser::NextToken();
+ ConfigParser::ParseString(&id);
wordlist *names = NULL;
ConfigParser::ParseWordList(&names);
diff -u -r -N squid-3.4.0.1/src/auth/digest/auth_digest.cc squid-3.4.0.2/src/auth/digest/auth_digest.cc
--- squid-3.4.0.1/src/auth/digest/auth_digest.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/auth/digest/auth_digest.cc 2013-10-04 00:32:47.000000000 +1200
@@ -816,7 +816,7 @@
vlen = 0;
}
- StringArea keyName(item, nlen-1);
+ StringArea keyName(item, nlen);
String value;
if (vlen > 0) {
diff -u -r -N squid-3.4.0.1/src/auth/ntlm/UserRequest.cc squid-3.4.0.2/src/auth/ntlm/UserRequest.cc
--- squid-3.4.0.1/src/auth/ntlm/UserRequest.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/auth/ntlm/UserRequest.cc 2013-10-04 00:32:47.000000000 +1200
@@ -255,6 +255,13 @@
case HelperReply::Okay: {
/* we're finished, release the helper */
const char *userLabel = reply.notes.findFirst("user");
+ if (!userLabel) {
+ auth_user_request->user()->credentials(Auth::Failed);
+ safe_free(lm_request->server_blob);
+ lm_request->releaseAuthServer();
+ debugs(29, DBG_CRITICAL, "ERROR: NTLM Authentication helper returned no username. Result: " << reply);
+ break;
+ }
auth_user_request->user()->username(userLabel);
auth_user_request->denyMessage("Login successful");
safe_free(lm_request->server_blob);
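Review bot: The new `if (!userLabel)` branch writes the whole helper `reply` to the log at `DBG_CRITICAL` and appears to run once per authentication attempt, so a helper that keeps answering OK without a `user` note can fill cache.log with whatever the reply carries. Logging only that the `user` note was missing, or dropping to a lower debug level after the first report, would keep the diagnostic without the volume. The branch also sets no `denyMessage`, unlike the success path directly below it; adding `auth_user_request->denyMessage("NTLM authentication failed: helper returned no username");` would give the failure an explicit reason. The enclosing switch starts and ends outside the hunk, so how the other failure cases report is not visible here.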
diff -u -r -N squid-3.4.0.1/src/cache_cf.cc squid-3.4.0.2/src/cache_cf.cc
--- squid-3.4.0.1/src/cache_cf.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/cache_cf.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1023,7 +1023,7 @@
if ((u = parseTimeUnits(units, allowMsec)) == 0)
self_destruct();
- if ((token = ConfigParser::NextToken()) == NULL)
+ if ((token = strtok(NULL, w_space)) == NULL)
self_destruct();
d = xatof(token);
@@ -1032,7 +1032,7 @@
if (0 == d)
(void) 0;
- else if ((token = ConfigParser::NextToken()) == NULL)
+ else if ((token = strtok(NULL, w_space)) == NULL)
debugs(3, DBG_CRITICAL, "WARNING: No units on '" <<
config_input_line << "', assuming " <<
d << " " << units );
@@ -1099,7 +1099,7 @@
return;
}
- if ((token = ConfigParser::NextToken()) == NULL) {
+ if ((token = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -1115,7 +1115,7 @@
if (0.0 == d)
(void) 0;
- else if ((token = ConfigParser::NextToken()) == NULL)
+ else if ((token = strtok(NULL, w_space)) == NULL)
debugs(3, DBG_CRITICAL, "WARNING: No units on '" <<
config_input_line << "', assuming " <<
d << " " << units );
@@ -1146,7 +1146,7 @@
return;
}
- if ((token = ConfigParser::NextToken()) == NULL) {
+ if ((token = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -1162,7 +1162,7 @@
if (0.0 == d)
(void) 0;
- else if ((token = ConfigParser::NextToken()) == NULL)
+ else if ((token = strtok(NULL, w_space)) == NULL)
debugs(3, DBG_CRITICAL, "WARNING: No units on '" <<
config_input_line << "', assuming " <<
d << " " << units );
@@ -1194,7 +1194,7 @@
return;
}
- if ((token = ConfigParser::NextToken()) == NULL) {
+ if ((token = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -1210,7 +1210,7 @@
if (0.0 == d)
(void) 0;
- else if ((token = ConfigParser::NextToken()) == NULL)
+ else if ((token = strtok(NULL, w_space)) == NULL)
debugs(3, DBG_CRITICAL, "WARNING: No units on '" <<
config_input_line << "', assuming " <<
d << " " << units );
@@ -1293,6 +1293,7 @@
dump_wordlist(StoreEntry * entry, wordlist *words)
{
for (wordlist *word = words; word; word = word->next)
+ // XXX: use something like ConfigParser::QuoteString() here
storeAppendPrintf(entry, "%s ", word->key);
}
@@ -1367,7 +1368,7 @@
static void
parse_address(Ip::Address *addr)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (!token) {
self_destruct();
@@ -1380,8 +1381,12 @@
addr->setNoAddr();
else if ( (*addr = token) ) // try parse numeric/IPA
(void) 0;
- else
- addr->GetHostByName(token); // dont use ipcache
+ else if (addr->GetHostByName(token)) // dont use ipcache
+ (void) 0;
+ else { // not an IP and not a hostname
+ debugs(3, DBG_CRITICAL, "FATAL: invalid IP address or domain name '" << token << "'");
+ self_destruct();
+ }
}
static void
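Review bot: The added `else` branch treats a failed `GetHostByName(token)` as an invalid value and calls `self_destruct()`, so a hostname that is valid but temporarily unresolvable at startup or reconfigure now appears to stop the parse with a message blaming the configuration. The text should name both causes, for example `debugs(3, DBG_CRITICAL, "FATAL: cannot parse or resolve address '" << token << "'");`. A short comment above the lookup, `// blocking DNS lookup at parse time; failure is fatal`, would tell operators why numeric addresses are the safer choice in squid.conf. What `GetHostByName()` returns on failure is inferred from how it is used here, and the function body starts outside the hunk.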
@@ -1475,7 +1480,7 @@
acl_tos *l;
acl_tos **tail = head; /* sane name below */
unsigned int tos; /* Initially uint for strtoui. Casted to tos_t before return */
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (!token) {
self_destruct();
@@ -1546,7 +1551,7 @@
acl_nfmark *l;
acl_nfmark **tail = head; /* sane name below */
nfmark_t mark;
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (!token) {
self_destruct();
@@ -1748,7 +1753,7 @@
{
char *t = NULL;
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(3, DBG_CRITICAL, "" << cfg_filename << " line " << config_lineno << ": " << config_input_line);
debugs(3, DBG_CRITICAL, "parse_http_header_access: missing header name.");
return;
@@ -1787,7 +1792,7 @@
{
char *t = NULL;
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(3, DBG_CRITICAL, "" << cfg_filename << " line " << config_lineno << ": " << config_input_line);
debugs(3, DBG_CRITICAL, "parse_http_header_replace: missing header name.");
return;
@@ -1832,10 +1837,10 @@
char *type_str;
char *param_str;
- if ((type_str = ConfigParser::NextToken()) == NULL)
+ if ((type_str = strtok(NULL, w_space)) == NULL)
self_destruct();
- if ((param_str = ConfigParser::NextToken()) == NULL)
+ if ((param_str = strtok(NULL, w_space)) == NULL)
self_destruct();
/* find a configuration for the scheme in the currently parsed configs... */
@@ -1906,10 +1911,10 @@
int i;
int fs;
- if ((type_str = ConfigParser::NextToken()) == NULL)
+ if ((type_str = strtok(NULL, w_space)) == NULL)
self_destruct();
- if ((path_str = ConfigParser::NextToken()) == NULL)
+ if ((path_str = strtok(NULL, w_space)) == NULL)
self_destruct();
fs = find_fstype(type_str);
@@ -2064,7 +2069,7 @@
{
struct servent *port = NULL;
/** Parses a port number or service name from the squid.conf */
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (token == NULL) {
self_destruct();
return 0; /* NEVER REACHED */
@@ -2112,14 +2117,14 @@
p->basetime = 0;
p->stats.logged_state = PEER_ALIVE;
- if ((token = ConfigParser::NextToken()) == NULL)
+ if ((token = strtok(NULL, w_space)) == NULL)
self_destruct();
p->host = xstrdup(token);
p->name = xstrdup(token);
- if ((token = ConfigParser::NextToken()) == NULL)
+ if ((token = strtok(NULL, w_space)) == NULL)
self_destruct();
p->type = parseNeighborType(token);
@@ -2137,7 +2142,7 @@
p->icp.port = GetUdpService();
p->connection_auth = 2; /* auto */
- while ((token = ConfigParser::NextToken())) {
+ while ((token = strtok(NULL, w_space))) {
if (!strcmp(token, "proxy-only")) {
p->options.proxy_only = true;
} else if (!strcmp(token, "no-query")) {
@@ -2521,7 +2526,7 @@
char *host = NULL;
CachePeer *p;
- if (!(host = ConfigParser::NextToken()))
+ if (!(host = strtok(NULL, w_space)))
self_destruct();
if ((p = peerFindByName(host)) == NULL) {
@@ -2540,10 +2545,10 @@
char *host = NULL;
char *domain = NULL;
- if (!(host = ConfigParser::NextToken()))
+ if (!(host = strtok(NULL, w_space)))
self_destruct();
- while ((domain = ConfigParser::NextToken())) {
+ while ((domain = strtok(NULL, list_sep))) {
CachePeerDomainList *l = NULL;
CachePeerDomainList **L = NULL;
CachePeer *p;
@@ -2575,13 +2580,13 @@
char *type = NULL;
char *domain = NULL;
- if (!(host = ConfigParser::NextToken()))
+ if (!(host = strtok(NULL, w_space)))
self_destruct();
- if (!(type = ConfigParser::NextToken()))
+ if (!(type = strtok(NULL, w_space)))
self_destruct();
- while ((domain = ConfigParser::NextToken())) {
+ while ((domain = strtok(NULL, list_sep))) {
NeighborTypeDomainList *l = NULL;
NeighborTypeDomainList **L = NULL;
CachePeer *p;
@@ -2629,7 +2634,7 @@
void
parse_onoff(int *var)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (token == NULL)
self_destruct();
@@ -2670,7 +2675,7 @@
static void
parse_tristate(int *var)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (token == NULL)
self_destruct();
@@ -2710,7 +2715,7 @@
debugs(0, DBG_PARSE_NOTE(2), "WARNING: 'pipeline_prefetch off' is deprecated. Please update to use '0'.");
*var = 0;
} else {
- ConfigParser::TokenUndo();
+ ConfigParser::strtokFileUndo();
parse_int(var);
}
}
@@ -2803,20 +2808,21 @@
int errcode;
int flags = REG_EXTENDED | REG_NOSUB;
- if ((token = ConfigParser::NextToken()) == NULL) {
+ if ((token = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
if (strcmp(token, "-i") == 0) {
flags |= REG_ICASE;
- token = ConfigParser::NextToken();
+ token = strtok(NULL, w_space);
} else if (strcmp(token, "+i") == 0) {
flags &= ~REG_ICASE;
- token = ConfigParser::NextToken();
+ token = strtok(NULL, w_space);
}
if (token == NULL) {
+ debugs(3, DBG_CRITICAL, "FATAL: refresh_pattern missing the regex pattern parameter");
self_destruct();
return;
}
@@ -2856,7 +2862,7 @@
max = (time_t) (i * 60); /* convert minutes to seconds */
/* Options */
- while ((token = ConfigParser::NextToken()) != NULL) {
+ while ((token = strtok(NULL, w_space)) != NULL) {
if (!strcmp(token, "refresh-ims")) {
refresh_ims = 1;
} else if (!strcmp(token, "store-stale")) {
@@ -2898,6 +2904,7 @@
regerror(errcode, &comp, errbuf, sizeof errbuf);
debugs(22, DBG_CRITICAL, "" << cfg_filename << " line " << config_lineno << ": " << config_input_line);
debugs(22, DBG_CRITICAL, "refreshAddToList: Invalid regular expression '" << pattern << "': " << errbuf);
+ xfree(pattern);
return;
}
@@ -2987,7 +2994,7 @@
static void
parse_string(char **var)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
safe_free(*var);
if (token == NULL)
@@ -2996,6 +3003,23 @@
*var = xstrdup(token);
}
+void
+ConfigParser::ParseString(char **var)
+{
+ parse_string(var);
+}
+
+void
+ConfigParser::ParseString(String *var)
+{
+ char *token = strtok(NULL, w_space);
+
+ if (token == NULL)
+ self_destruct();
+
+ var->reset(token);
+}
+
static void
free_string(char **var)
{
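Review bot: `ConfigParser::ParseString(String *var)` falls through to `var->reset(token)` with a NULL token if `self_destruct()` ever returns. Other parsers in this same file follow the NULL check with an explicit `return;` (one even marks it `/* NEVER REACHED */`), and this new function should match them: `if (token == NULL) { self_destruct(); return; }`. Both new public overloads would also benefit from a one-line doc comment saying that they consume the next whitespace-delimited token of the current line and abort the parse when it is missing.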
@@ -3010,7 +3034,7 @@
return;
}
- unsigned char *token = (unsigned char *) ConfigParser::NextQuotedOrToEol();
+ unsigned char *token = (unsigned char *) strtok(NULL, null_string);
safe_free(*var);
if (!token) {
@@ -3244,7 +3268,9 @@
parse_wordlist(wordlist ** list)
{
char *token;
- while ((token = ConfigParser::NextToken()))
+ char *t = strtok(NULL, "");
+
+ while ((token = strwordtok(NULL, &t)))
wordlistAdd(list, token);
}
@@ -3269,7 +3295,7 @@
static void
parse_uri_whitespace(int *var)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (token == NULL)
self_destruct();
@@ -3382,7 +3408,7 @@
static void
parse_memcachemode(SquidConfig * config)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (!token)
self_destruct();
@@ -3452,7 +3478,7 @@
Ip::Address_list *s;
Ip::Address ipa;
- while ((token = ConfigParser::NextToken())) {
+ while ((token = strtok(NULL, w_space))) {
if (GetHostWithPort(token, &ipa)) {
while (*head)
@@ -3793,7 +3819,7 @@
return;
}
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (!token) {
self_destruct();
@@ -3804,7 +3830,7 @@
parsePortSpecification(s, token);
/* parse options ... */
- while ((token = ConfigParser::NextToken())) {
+ while ((token = strtok(NULL, w_space))) {
parse_port_option(s, token);
}
@@ -4052,7 +4078,7 @@
/* determine configuration style */
- const char *filename = ConfigParser::NextToken();
+ const char *filename = strtok(NULL, w_space);
if (!filename) {
self_destruct();
return;
@@ -4077,7 +4103,7 @@
// if logformat name is not recognized,
// put back the token; it must be an ACL name
if (!setLogformat(cl, token, false))
- ConfigParser::TokenUndo();
+ ConfigParser::strtokFileUndo();
} else { // style #4
do {
if (strncasecmp(token, "on-error=", 9) == 0) {
@@ -4096,7 +4122,7 @@
setLogformat(cl, token+10, true);
} else if (!strchr(token, '=')) {
// put back the token; it must be an ACL name
- ConfigParser::TokenUndo();
+ ConfigParser::strtokFileUndo();
break; // done with name=value options, now to ACLs
} else {
debugs(3, DBG_CRITICAL, "Unknown access_log option " << token);
@@ -4289,8 +4315,8 @@
if (!*cpuAffinityMap)
*cpuAffinityMap = new CpuAffinityMap;
- const char *const pToken = ConfigParser::NextToken();
- const char *const cToken = ConfigParser::NextToken();
+ const char *const pToken = strtok(NULL, w_space);
+ const char *const cToken = strtok(NULL, w_space);
Vector processes, cores;
if (!parseNamedIntList(pToken, "process_numbers", processes)) {
debugs(3, DBG_CRITICAL, "FATAL: bad 'process_numbers' parameter " <<
@@ -4422,7 +4448,7 @@
time_t m;
cfg->service_failure_limit = GetInteger();
- if ((token = ConfigParser::NextToken()) == NULL)
+ if ((token = strtok(NULL, w_space)) == NULL)
return;
if (strcmp(token,"in") != 0) {
@@ -4430,7 +4456,7 @@
self_destruct();
}
- if ((token = ConfigParser::NextToken()) == NULL) {
+ if ((token = strtok(NULL, w_space)) == NULL) {
self_destruct();
}
@@ -4440,7 +4466,7 @@
if (0 == d)
(void) 0;
- else if ((token = ConfigParser::NextToken()) == NULL) {
+ else if ((token = strtok(NULL, w_space)) == NULL) {
debugs(3, DBG_CRITICAL, "No time-units on '" << config_input_line << "'");
self_destruct();
} else if ((m = parseTimeUnits(token, false)) == 0)
@@ -4470,7 +4496,7 @@
{
char *al;
sslproxy_cert_adapt *ca = (sslproxy_cert_adapt *) xcalloc(1, sizeof(sslproxy_cert_adapt));
- if ((al = ConfigParser::NextToken()) == NULL) {
+ if ((al = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -4548,7 +4574,7 @@
{
char *al;
sslproxy_cert_sign *cs = (sslproxy_cert_sign *) xcalloc(1, sizeof(sslproxy_cert_sign));
- if ((al = ConfigParser::NextToken()) == NULL) {
+ if ((al = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -4640,7 +4666,7 @@
static BumpCfgStyle bumpCfgStyleLast = bcsNone;
BumpCfgStyle bumpCfgStyleNow = bcsNone;
char *bm;
- if ((bm = ConfigParser::NextToken()) == NULL) {
+ if ((bm = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -4742,7 +4768,7 @@
if (!*headers) {
*headers = new HeaderWithAclList;
}
- if ((fn = ConfigParser::NextToken()) == NULL) {
+ if ((fn = strtok(NULL, w_space)) == NULL) {
self_destruct();
return;
}
@@ -4752,20 +4778,20 @@
if (hwa.fieldId == HDR_BAD_HDR)
hwa.fieldId = HDR_OTHER;
- Format::Format *nlf = new ::Format::Format("hdrWithAcl");
- ConfigParser::EnableMacros();
- String buf = ConfigParser::NextToken();
- ConfigParser::DisableMacros();
+ String buf;
+ bool wasQuoted;
+ ConfigParser::ParseQuotedString(&buf, &wasQuoted);
hwa.fieldValue = buf.termedBuf();
- hwa.quoted = ConfigParser::LastTokenWasQuoted();
+ hwa.quoted = wasQuoted;
if (hwa.quoted) {
+ Format::Format *nlf = new ::Format::Format("hdrWithAcl");
if (!nlf->parse(hwa.fieldValue.c_str())) {
self_destruct();
return;
}
hwa.valueFormat = nlf;
- } else
- delete nlf;
+ }
+
aclParseAclList(LegacyParser, &hwa.aclList, (hwa.fieldName + ':' + hwa.fieldValue).c_str());
(*headers)->push_back(hwa);
}
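Review bot: When `nlf->parse()` fails, the newly allocated `Format::Format` is not released before the `return`. The old code had the same gap, but moving the allocation into the `if (hwa.quoted)` block is a good moment to close it with `delete nlf;` ahead of `self_destruct();`. This only matters if self_destruct() can return, which the `return;` after it suggests the code allows for. The enclosing function starts above the hunk.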
diff -u -r -N squid-3.4.0.1/src/cbdata.h squid-3.4.0.2/src/cbdata.h
--- squid-3.4.0.1/src/cbdata.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/cbdata.h 2013-10-04 00:32:47.000000000 +1200
@@ -224,14 +224,12 @@
/**
*\ingroup CBDATAAPI
- * cbdata types. similar to the MEM_* types above, but managed
- * in cbdata.c. A big difference is that these types are dynamically
- * allocated. This list is only a list of predefined types. Other types
- * are added runtime
+ * cbdata types. Similar to the MEM_* types, but managed in cbdata.cc
+ * A big difference is that cbdata types are dynamically allocated.
+ * Initially only UNKNOWN type is predefined. Other types are added runtime.
*/
-typedef enum {
- CBDATA_UNKNOWN = 0
-} cbdata_type;
+typedef int cbdata_type;
+static const cbdata_type CBDATA_UNKNOWN = 0;
/// \ingroup CBDATAAPI
void cbdataRegisterWithCacheManager(void);
diff -u -r -N squid-3.4.0.1/src/cf.data.pre squid-3.4.0.2/src/cf.data.pre
--- squid-3.4.0.1/src/cf.data.pre 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/cf.data.pre 2013-10-04 00:32:47.000000000 +1200
@@ -72,11 +72,12 @@
the configuration_includes_quoted_values directive to enable or
disable that support.
- Squid supports reading configuration option parameters from external
- files using the syntax:
- parameters("/path/filename")
- For example:
- acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
+ For example;
+
+ configuration_includes_quoted_values on
+ acl group external groupCheck Administrators "Internet Users" Guest
+ configuration_includes_quoted_values off
+
Conditional configuration
@@ -2450,6 +2451,9 @@
Without this option, all server certificate validation errors
terminate the transaction to protect Squid and the client.
+ SQUID_X509_V_ERR_INFINITE_VALIDATION error cannot be bypassed
+ but should not happen unless your OpenSSL library is buggy.
+
SECURITY WARNING:
Bypassing validation errors is dangerous because an
error usually implies that the server cannot be trusted
@@ -8326,6 +8330,19 @@
Squid to handle single-component names, enable this option.
DOC_END
+NAME: dns_multicast_local
+COMMENT: on|off
+TYPE: onoff
+DEFAULT: off
+DEFAULT_DOC: Search for .local and .arpa names is disabled.
+LOC: Config.onoff.dns_mdns
+DOC_START
+ When set to on, Squid sends multicast DNS lookups on the local
+ network for domains ending in .local and .arpa.
+ This enables local servers and devices to be contacted in an
+ ad-hoc or zero-configuration network environment.
+DOC_END
+
NAME: dns_nameservers
TYPE: wordlist
DEFAULT: none
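Review bot: The DOC text for dns_multicast_local describes the convenience of multicast lookups but not the trust change that comes with turning the option on. Multicast DNS answers are not authenticated and can come from any host on the local network segment, so names ending in .local and .arpa would resolve to whatever that host claims. I would add a sentence to the DOC block such as `Multicast DNS responses are not authenticated; any host on the local network segment can answer these lookups, so enable this only where that is acceptable.`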
@@ -8467,11 +8484,27 @@
DEFAULT: off
LOC: ConfigParser::RecognizeQuotedValues
DOC_START
- If set, Squid will recognize each "quoted string" after a configuration
- directive as a single parameter. The quotes are stripped before the
- parameter value is interpreted or used.
- See "Values with spaces, quotes, and other special characters"
- section for more details.
+ Previous Squid versions have defined "quoted/string" as syntax for
+ ACL to signifiy the value is an included file containing values and
+ has treated the " characters in other places of the configuration file
+ as part of the parameter value it was used for.
+
+ For compatibility with existing installations that behaviour
+ remains the default.
+
+ If this directive is set to 'on', Squid will start parsing each
+ "quoted string" as a single configuration directive parameter. The
+ quotes are stripped before the parameter value is interpreted or use.
+
+ That will continue for all lines until this directive is set to 'off',
+ where Squid will return to the default configuration parsing.
+
+ For example;
+
+ configuration_includes_quoted_values on
+ acl group external groupCheck Administrators "Internet Users" Guest
+ configuration_includes_quoted_values off
+
DOC_END
NAME: memory_pools
diff -u -r -N squid-3.4.0.1/src/cf_gen.cc squid-3.4.0.2/src/cf_gen.cc
--- squid-3.4.0.1/src/cf_gen.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/cf_gen.cc 2013-10-04 00:32:47.000000000 +1200
@@ -681,8 +681,7 @@
"{\n"
"\tchar\t*token;\n"
"\tif ((token = strtok(buff, w_space)) == NULL) \n"
- "\t\treturn 1;\t/* ignore empty lines */\n"
- "\tConfigParser::SetCfgLine(strtok(NULL, \"\"));\n";
+ "\t\treturn 1;\t/* ignore empty lines */\n";
for (EntryList::const_iterator e = head.begin(); e != head.end(); ++e)
e->genParse(fout);
diff -u -r -N squid-3.4.0.1/src/client_side.cc squid-3.4.0.2/src/client_side.cc
--- squid-3.4.0.1/src/client_side.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/client_side.cc 2013-10-04 00:32:47.000000000 +1200
@@ -3938,8 +3938,18 @@
// Try to add generated ssl context to storage.
if (port->generateHostCertificates && isNew) {
- if (signAlgorithm == Ssl::algSignTrusted)
+ if (signAlgorithm == Ssl::algSignTrusted) {
+ // Add signing certificate to the certificates chain
+ X509 *cert = port->signingCert.get();
+ if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+ // increase the certificate lock
+ CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+ } else {
+ const int ssl_error = ERR_get_error();
+ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+ }
Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+ }
//else it is self-signed or untrusted do not attrach any certificate
Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
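Review bot: `const int ssl_error = ERR_get_error();` narrows the `unsigned long` that OpenSSL returns and that ERR_error_string() expects; keep the type with `const unsigned long ssl_error = ERR_get_error();`. `cert` is also dereferenced in `CRYPTO_add(&(cert->references), ...)` without a check that `port->signingCert.get()` returned non-null. The code presumably relies on a signing certificate always being present when `signAlgorithm == Ssl::algSignTrusted`; an explicit `if (cert)` guard or an assertion would make that assumption visible. The enclosing function starts and ends outside the hunk.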
@@ -4483,7 +4493,7 @@
pinning.closeHandler = NULL; // Comm unregisters handlers before calling
const bool sawZeroReply = pinning.zeroReply; // reset when unpinning
unpinConnection();
- if (sawZeroReply) {
+ if (sawZeroReply && clientConnection != NULL) {
debugs(33, 3, "Closing client connection on pinned zero reply.");
clientConnection->close();
}
@@ -4495,8 +4505,10 @@
char desc[FD_DESC_SZ];
if (Comm::IsConnOpen(pinning.serverConnection)) {
- if (pinning.serverConnection->fd == pinServer->fd)
+ if (pinning.serverConnection->fd == pinServer->fd) {
+ startPinnedConnectionMonitoring();
return;
+ }
}
unpinConnection(); // closes pinned connection, if any, and resets fields
@@ -4533,6 +4545,57 @@
Params ¶ms = GetCommParams(pinning.closeHandler);
params.conn = pinning.serverConnection;
comm_add_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
+
+ startPinnedConnectionMonitoring();
+}
+
+/// Assign a read handler to an idle pinned connection so that we can detect connection closures.
+void
+ConnStateData::startPinnedConnectionMonitoring()
+{
+ if (pinning.readHandler != NULL)
+ return; // already monitoring
+
+ typedef CommCbMemFunT Dialer;
+ pinning.readHandler = JobCallback(33, 3,
+ Dialer, this, ConnStateData::clientPinnedConnectionRead);
+ static char unusedBuf[8];
+ comm_read(pinning.serverConnection, unusedBuf, sizeof(unusedBuf), pinning.readHandler);
+}
+
+void
+ConnStateData::stopPinnedConnectionMonitoring()
+{
+ if (pinning.readHandler != NULL) {
+ comm_read_cancel(pinning.serverConnection->fd, pinning.readHandler);
+ pinning.readHandler = NULL;
+ }
+}
+
+/// Our read handler called by Comm when the server either closes an idle pinned connection or
+/// perhaps unexpectedly sends something on that idle (from Squid p.o.v.) connection.
+void
+ConnStateData::clientPinnedConnectionRead(const CommIoCbParams &io)
+{
+ pinning.readHandler = NULL; // Comm unregisters handlers before calling
+
+ if (io.flag == COMM_ERR_CLOSING)
+ return; // close handler will clean up
+
+ // We could use getConcurrentRequestCount(), but this may be faster.
+ const bool clientIsIdle = !getCurrentContext();
+
+ debugs(33, 3, "idle pinned " << pinning.serverConnection << " read " <<
+ io.size << (clientIsIdle ? " with idle client" : ""));
+
+ assert(pinning.serverConnection == io.conn);
+ pinning.serverConnection->close();
+
+ // If we are still sending data to the client, do not close now. When we are done sending,
+ // ClientSocketContext::keepaliveNextRequest() checks pinning.serverConnection and will close.
+ // However, if we are idle, then we must close to inform the idle client and minimize races.
+ if (clientIsIdle && clientConnection != NULL)
+ clientConnection->close();
}
const Comm::ConnectionPointer
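Review bot: stopPinnedConnectionMonitoring() reads `pinning.serverConnection->fd` guarded only by `pinning.readHandler != NULL`. Whether every path that clears or closes `pinning.serverConnection` (unpinConnection(), the close handler) also resets `readHandler` is not visible in this hunk; if one does not, this dereferences a null or closed connection. Wrapping the cancel in `if (Comm::IsConnOpen(pinning.serverConnection))` while still resetting `readHandler` would make the function safe on its own. A short comment on `static char unusedBuf[8]` would also help, saying that the buffer is shared by all connections because the bytes read are deliberately discarded.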
diff -u -r -N squid-3.4.0.1/src/client_side.h squid-3.4.0.2/src/client_side.h
--- squid-3.4.0.1/src/client_side.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/client_side.h 2013-10-04 00:32:47.000000000 +1200
@@ -267,6 +267,7 @@
bool auth; /* pinned for www authentication */
bool zeroReply; ///< server closed w/o response (ERR_ZERO_SIZE_OBJECT)
CachePeer *peer; /* CachePeer the connection goes via */
+ AsyncCall::Pointer readHandler; ///< detects serverConnection closure
AsyncCall::Pointer closeHandler; /*The close handler for pinned server side connection*/
} pinning;
@@ -333,6 +334,9 @@
/// the client-side-detected error response instead of getting stuck.
void quitAfterError(HttpRequest *request); // meant to be private
+ /// The caller assumes responsibility for connection closure detection.
+ void stopPinnedConnectionMonitoring();
+
#if USE_SSL
/// called by FwdState when it is done bumping the server
void httpsPeeked(Comm::ConnectionPointer serverConnection);
@@ -380,6 +384,9 @@
void abortChunkedRequestBody(const err_type error);
err_type handleChunkedRequestBody(size_t &putSize);
+ void startPinnedConnectionMonitoring();
+ void clientPinnedConnectionRead(const CommIoCbParams &io);
+
private:
int connReadWasError(comm_err_t flag, int size, int xerrno);
int connFinishedWithConn(int size);
diff -u -r -N squid-3.4.0.1/src/client_side_request.cc squid-3.4.0.2/src/client_side_request.cc
--- squid-3.4.0.1/src/client_side_request.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/client_side_request.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1521,7 +1521,7 @@
#endif
logType = LOG_TCP_MISS;
getConn()->stopReading(); // tunnels read for themselves
- tunnelStart(this, &out.size, &al->http.code);
+ tunnelStart(this, &out.size, &al->http.code, al);
return;
}
diff -u -r -N squid-3.4.0.1/src/client_side_request.h squid-3.4.0.2/src/client_side_request.h
--- squid-3.4.0.1/src/client_side_request.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/client_side_request.h 2013-10-04 00:32:47.000000000 +1200
@@ -202,7 +202,7 @@
void clientAccessCheck(ClientHttpRequest *);
/* ones that should be elsewhere */
-void tunnelStart(ClientHttpRequest *, int64_t *, int *);
+void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntry::Pointer &al);
#if _USE_INLINE_
#include "Store.h"
diff -u -r -N squid-3.4.0.1/src/comm/ConnOpener.cc squid-3.4.0.2/src/comm/ConnOpener.cc
--- squid-3.4.0.1/src/comm/ConnOpener.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/comm/ConnOpener.cc 2013-10-04 00:32:47.000000000 +1200
@@ -339,7 +339,7 @@
if (failRetries_ < Config.connect_retries) {
debugs(5, 5, HERE << conn_ << ": * - try again");
- sleep();
+ retrySleep();
return;
} else {
// send ERROR back to the upper layer.
@@ -352,7 +352,7 @@
/// Close and wait a little before trying to open and connect again.
void
-Comm::ConnOpener::sleep()
+Comm::ConnOpener::retrySleep()
{
Must(!calls_.sleep_);
closeFd();
diff -u -r -N squid-3.4.0.1/src/comm/ConnOpener.h squid-3.4.0.2/src/comm/ConnOpener.h
--- squid-3.4.0.1/src/comm/ConnOpener.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/comm/ConnOpener.h 2013-10-04 00:32:47.000000000 +1200
@@ -47,7 +47,7 @@
void connected();
void lookupLocalAddress();
- void sleep();
+ void retrySleep();
void restart();
bool createFd();
diff -u -r -N squid-3.4.0.1/src/ConfigParser.cc squid-3.4.0.2/src/ConfigParser.cc
--- squid-3.4.0.1/src/ConfigParser.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ConfigParser.cc 2013-10-04 00:32:47.000000000 +1200
@@ -38,98 +38,84 @@
#include "fatal.h"
#include "globals.h"
+char *ConfigParser::lastToken = NULL;
+std::queue ConfigParser::undo;
+
int ConfigParser::RecognizeQuotedValues = true;
-std::stack ConfigParser::CfgFiles;
-ConfigParser::TokenType ConfigParser::LastTokenType = ConfigParser::SimpleToken;
-char *ConfigParser::LastToken = NULL;
-char *ConfigParser::CfgLine = NULL;
-char *ConfigParser::CfgPos = NULL;
-std::queue ConfigParser::Undo_;
-bool ConfigParser::AllowMacros_ = false;
void
ConfigParser::destruct()
{
shutting_down = 1;
- if (!CfgFiles.empty()) {
- std::ostringstream message;
- CfgFile *f = CfgFiles.top();
- message << "Bungled " << f->filePath << " line " << f->lineNo <<
- ": " << f->currentLine << std::endl;
- CfgFiles.pop();
- delete f;
- while (!CfgFiles.empty()) {
- f = CfgFiles.top();
- message << " included from " << f->filePath << " line " <<
- f->lineNo << ": " << f->currentLine << std::endl;
- CfgFiles.pop();
- delete f;
- }
- message << " included from " << cfg_filename << " line " <<
- config_lineno << ": " << config_input_line << std::endl;
- std::string msg = message.str();
- fatalf("%s", msg.c_str());
- } else
- fatalf("Bungled %s line %d: %s",
- cfg_filename, config_lineno, config_input_line);
+ fatalf("Bungled %s line %d: %s",
+ cfg_filename, config_lineno, config_input_line);
}
void
-ConfigParser::TokenUndo()
+ConfigParser::strtokFileUndo()
{
- assert(LastToken);
- Undo_.push(LastToken);
+ assert(lastToken);
+ undo.push(lastToken);
}
void
-ConfigParser::TokenPutBack(const char *tok)
+ConfigParser::strtokFilePutBack(const char *tok)
{
assert(tok);
- Undo_.push(tok);
+ undo.push(tok);
}
char *
-ConfigParser::Undo()
+xstrtok(char *str, const char *delimiters)
{
- LOCAL_ARRAY(char, undoToken, CONFIG_LINE_LIMIT);
- if (!Undo_.empty()) {
- strncpy(undoToken, Undo_.front().c_str(), sizeof(undoToken));
- undoToken[sizeof(undoToken) - 1] = '\0';
- Undo_.pop();
- return undoToken;
- }
- return NULL;
+ assert(!str); // we are parsing the configuration file
+ // no support unless enabled in the configuration and
+ // no support for other delimiters (they may need to be eradicated!)
+ return (ConfigParser::RecognizeQuotedValues &&
+ strcmp(delimiters, " \t\n\r") == 0) ?
+ ConfigParser::NextToken() : ::strtok(str, delimiters);
}
char *
-ConfigParser::strtokFile()
+ConfigParser::strtokFile(void)
{
- if (RecognizeQuotedValues)
- return ConfigParser::NextToken();
-
static int fromFile = 0;
static FILE *wordFile = NULL;
+ LOCAL_ARRAY(char, undoToken, CONFIG_LINE_LIMIT);
- char *t;
+ char *t, *fn;
LOCAL_ARRAY(char, buf, CONFIG_LINE_LIMIT);
- if ((LastToken = ConfigParser::Undo()))
- return LastToken;
+ if (!undo.empty()) {
+ strncpy(undoToken, undo.front().c_str(), sizeof(undoToken));
+ undoToken[sizeof(undoToken) - 1] = '\0';
+ undo.pop();
+ return lastToken = undoToken;
+ }
+ if (RecognizeQuotedValues)
+ return lastToken = ConfigParser::NextToken();
+
+ lastToken = NULL;
do {
if (!fromFile) {
- ConfigParser::TokenType tokenType;
- t = ConfigParser::NextElement(tokenType, true);
- if (!t) {
+ t = (strtok(NULL, w_space));
+
+ if (!t || *t == '#') {
return NULL;
- } else if (tokenType == ConfigParser::QuotedToken) {
+ } else if (*t == '\"' || *t == '\'') {
/* quote found, start reading from file */
- debugs(3, 8,"Quoted token found : " << t);
+ fn = ++t;
+
+ while (*t && *t != '\"' && *t != '\'')
+ ++t;
- if ((wordFile = fopen(t, "r")) == NULL) {
- debugs(3, DBG_CRITICAL, "Can not open file " << t << " for reading");
- return NULL;
+ *t = '\0';
+
+ if ((wordFile = fopen(fn, "r")) == NULL) {
+ debugs(28, DBG_CRITICAL, "strtokFile: " << fn << " not found");
+ return (NULL);
}
#if _SQUID_WINDOWS_
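Review bot: The quoted-filename branch of strtokFile() does not require the closing quote to exist or to match the opening one: `while (*t && *t != '\"' && *t != '\'')` stops at either quote character or at the end of the token. Because `t` comes from `strtok(NULL, w_space)`, a quoted path containing a space is cut at the first space, the shortened name is opened, and the remainder is parsed as further values. Remembering the opening quote and rejecting a token that does not end with it turns those cases into a configuration error instead of silently reading a different file. The `"not found"` message is also printed for every fopen() failure, including permission errors. strtokFile() continues past the end of this hunk.

```cpp
        } else if (*t == '\"' || *t == '\'') {
            /* quote found, start reading from file */
            const char quote = *t;
            fn = ++t;

            while (*t && *t != quote)
                ++t;

            if (*t != quote) {
                debugs(28, DBG_CRITICAL, "strtokFile: missing closing quote after " << fn);
                self_destruct();
                return NULL;
            }

            *t = '\0';
            // … unchanged: fopen(fn, "r") and its error handling …
```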
@@ -138,7 +124,7 @@
fromFile = 1;
} else {
- return LastToken = t;
+ return lastToken = t;
}
}
@@ -169,182 +155,91 @@
/* skip blank lines */
} while ( *t == '#' || !*t );
- return LastToken = t;
+ return lastToken = t;
}
+/// returns token after stripping any comments
+/// must be called in non-quoted context only
char *
-ConfigParser::UnQuote(char *token, char **end)
+ConfigParser::StripComment(char *token)
{
- char quoteChar = *token;
- assert(quoteChar == '"' || quoteChar == '\'');
- char *s = token + 1;
- /* scan until the end of the quoted string, unescaping " and \ */
- while (*s && *s != quoteChar) {
- if (*s == '\\' && isalnum(*( s + 1))) {
- debugs(3, DBG_CRITICAL, "Unsupported escape sequence: " << s);
- self_destruct();
- } else if (*s == '$' && quoteChar == '"') {
- debugs(3, DBG_CRITICAL, "Unsupported cfg macro: " << s);
- self_destruct();
- } else if (*s == '%' && quoteChar == '"' && (!AllowMacros_ )) {
- debugs(3, DBG_CRITICAL, "Macros are not supported here: " << s);
- self_destruct();
- } else if (*s == '\\') {
- const char * next = s+1; // may point to 0
- memmove(s, next, strlen(next) + 1);
- }
- ++s;
- }
+ if (!token)
+ return NULL;
- if (*s != quoteChar) {
- debugs(3, DBG_CRITICAL, "missing '" << quoteChar << "' at the end of quoted string: " << (s-1));
- self_destruct();
+ // we are outside the quoted string context
+ // assume that anything starting with a '#' is a comment
+ if (char *comment = strchr(token, '#')) {
+ *comment = '\0'; // remove the comment from this token
+ (void)strtok(NULL, ""); // remove the comment from the current line
+ if (!*token)
+ return NULL; // token was a comment
}
- *end = s;
- return (token+1);
-}
-void
-ConfigParser::SetCfgLine(char *line)
-{
- CfgLine = line;
- CfgPos = line;
+ return token;
}
-char *
-ConfigParser::TokenParse(char * &nextToken, ConfigParser::TokenType &type, bool legacy)
+void
+ConfigParser::ParseQuotedString(char **var, bool *wasQuoted)
{
- if (!nextToken || *nextToken == '\0')
- return NULL;
- type = ConfigParser::SimpleToken;
- nextToken += strspn(nextToken, w_space);
- if (*nextToken == '"' || *nextToken == '\'') {
- type = ConfigParser::QuotedToken;
- char *token = UnQuote(nextToken, &nextToken);
- *nextToken = '\0';
- ++nextToken;
- return token;
- }
-
- char *token = nextToken;
- if (char *t = strchr(nextToken, '#'))
- *t = '\0';
- const char *sep;
- if (legacy)
- sep = w_space;
- else
- sep = w_space "(";
- nextToken += strcspn(nextToken, sep);
-
- if (!legacy && *nextToken == '(')
- type = ConfigParser::FunctionNameToken;
+ if (const char *phrase = NextElement(wasQuoted))
+ *var = xstrdup(phrase);
else
- type = ConfigParser::SimpleToken;
-
- if (*nextToken != '\0') {
- *nextToken = '\0';
- ++nextToken;
- }
-
- if (*token == '\0')
- return NULL;
-
- return token;
+ self_destruct();
}
-char *
-ConfigParser::NextElement(ConfigParser::TokenType &type, bool legacy)
+void
+ConfigParser::ParseQuotedString(String *var, bool *wasQuoted)
{
- char *token = TokenParse(CfgPos, type, legacy);
- return token;
+ if (const char *phrase = NextElement(wasQuoted))
+ var->reset(phrase);
+ else
+ self_destruct();
}
char *
-ConfigParser::NextToken()
+ConfigParser::NextElement(bool *wasQuoted)
{
- if ((LastToken = ConfigParser::Undo()))
- return LastToken;
+ if (wasQuoted)
+ *wasQuoted = false;
- char *token = NULL;
- do {
- while (token == NULL && !CfgFiles.empty()) {
- ConfigParser::CfgFile *wordfile = CfgFiles.top();
- token = wordfile->parse(LastTokenType);
- if (!token) {
- assert(!wordfile->isOpen());
- CfgFiles.pop();
- delete wordfile;
- }
- }
-
- if (!token)
- token = NextElement(LastTokenType);
+ // Get all of the remaining string
+ char *token = strtok(NULL, "");
+ if (token == NULL)
+ return NULL;
- if (token && LastTokenType == ConfigParser::FunctionNameToken && strcmp("parameters", token) == 0) {
- char *path = NextToken();
- if (LastTokenType != ConfigParser::QuotedToken) {
- debugs(3, DBG_CRITICAL, "Quoted filename missing: " << token);
- self_destruct();
- return NULL;
- }
+ // skip leading whitespace (may skip the entire token that way)
+ while (xisspace(*token)) ++token;
- // The next token in current cfg file line must be a ")"
- char *end = NextToken();
- if (LastTokenType != ConfigParser::SimpleToken || strcmp(end, ")") != 0) {
- debugs(3, DBG_CRITICAL, "missing ')' after " << token << "(\"" << path << "\"");
- self_destruct();
- return NULL;
- }
+ if (*token != '"')
+ return StripComment(strtok(token, w_space));
- if (CfgFiles.size() > 16) {
- debugs(3, DBG_CRITICAL, "WARNING: can't open %s for reading parameters: includes are nested too deeply (>16)!\n" << path);
- self_destruct();
- return NULL;
- }
+ if (wasQuoted)
+ *wasQuoted = true;
- ConfigParser::CfgFile *wordfile = new ConfigParser::CfgFile();
- if (!path || !wordfile->startParse(path)) {
- debugs(3, DBG_CRITICAL, "Error opening config file: " << token);
- delete wordfile;
- self_destruct();
- return NULL;
- }
- CfgFiles.push(wordfile);
- token = NULL;
- } else if (token && LastTokenType == ConfigParser::FunctionNameToken) {
- debugs(3, DBG_CRITICAL, "Unknown cfg function: " << token);
- self_destruct();
- return NULL;
+ char *s = token + 1;
+ /* scan until the end of the quoted string, unescaping " and \ */
+ while (*s && *s != '"') {
+ if (*s == '\\') {
+ const char * next = s+1; // may point to 0
+ memmove(s, next, strlen(next) + 1);
}
- } while (token == NULL && !CfgFiles.empty());
-
- return (LastToken = token);
-}
-
-char *
-ConfigParser::NextQuotedOrToEol()
-{
- char *token;
+ ++s;
+ }
- if ((token = CfgPos) == NULL) {
- debugs(3, DBG_CRITICAL, "token is missing");
+ if (*s != '"') {
+ debugs(3, DBG_CRITICAL, "missing '\"' at the end of quoted string" );
self_destruct();
- return NULL;
}
- token += strspn(token, w_space);
+ strtok(s-1, "\""); /*Reset the strtok to point after the " */
+ *s = '\0';
- if (*token == '\"' || *token == '\'') {
- //TODO: eat the spaces at the end and check if it is untill the end of file.
- char *end;
- token = UnQuote(token, &end);
- *end = '\0';
- CfgPos = end + 1;
- LastTokenType = ConfigParser::QuotedToken;
- } else
- LastTokenType = ConfigParser::SimpleToken;
+ return (token+1);
+}
- CfgPos = NULL;
- return (LastToken = token);
+char *
+ConfigParser::NextToken()
+{
+ return NextElement(NULL);
}
const char *
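Review bot: In NextElement(), `strtok(s-1, "\"")` leaves strtok's position just after the closing quote only when `s[-1]` is not itself a `"`. For an empty value `""` (where `s-1` is the opening quote) and for a value ending in an escaped quote, strtok() skips both quote characters as leading delimiters. It then consumes text up to the next `"` or the end of the line, so the parameters that follow are silently dropped. Keeping an explicit cursor for the rest of the line, as the removed `CfgPos` did, avoids re-seeding strtok(); at minimum the limitation deserves a comment such as `// XXX: "" and values ending in \" make strtok() skip the closing quote and eat the following text`. The `return NULL;` after `self_destruct()` in the missing-quote branch is also gone, so that branch falls through to the strtok() call if self_destruct() ever returns.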
@@ -370,66 +265,3 @@
quotedStr.append('"');
return quotedStr.termedBuf();
}
-
-bool
-ConfigParser::CfgFile::startParse(char *path)
-{
- assert(wordFile == NULL);
- if ((wordFile = fopen(path, "r")) == NULL) {
- debugs(3, DBG_CRITICAL, "file :" << path << " not found");
- return false;
- }
-
-#if _SQUID_WINDOWS_
- setmode(fileno(wordFile), O_TEXT);
-#endif
-
- filePath = path;
- return getFileLine();
-}
-
-bool
-ConfigParser::CfgFile::getFileLine()
-{
- // Else get the next line
- if (fgets(parseBuffer, CONFIG_LINE_LIMIT, wordFile) == NULL) {
- /* stop reading from file */
- fclose(wordFile);
- wordFile = NULL;
- parseBuffer[0] = '\0';
- return false;
- }
- parsePos = parseBuffer;
- currentLine = parseBuffer;
- lineNo++;
- return true;
-}
-
-char *
-ConfigParser::CfgFile::parse(ConfigParser::TokenType &type)
-{
- if (!wordFile)
- return NULL;
-
- if (!*parseBuffer)
- return NULL;
-
- char *token;
- while (!(token = nextElement(type))) {
- if (!getFileLine())
- return NULL;
- }
- return token;
-}
-
-char *
-ConfigParser::CfgFile::nextElement(ConfigParser::TokenType &type)
-{
- return TokenParse(parsePos, type);
-}
-
-ConfigParser::CfgFile::~CfgFile()
-{
- if (wordFile)
- fclose(wordFile);
-}
diff -u -r -N squid-3.4.0.1/src/ConfigParser.h squid-3.4.0.2/src/ConfigParser.h
--- squid-3.4.0.1/src/ConfigParser.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ConfigParser.h 2013-10-04 00:32:47.000000000 +1200
@@ -36,7 +36,6 @@
#include "SquidString.h"
#include
-#include
#if HAVE_STRING
#include
#endif
@@ -66,145 +65,48 @@
{
public:
- /**
- * Parsed tokens type: simple tokens, quoted tokens or function
- * like parameters.
- */
- enum TokenType {SimpleToken, QuotedToken, FunctionNameToken};
-
void destruct();
static void ParseUShort(unsigned short *var);
static void ParseBool(bool *var);
+ static void ParseString(char **var);
+ static void ParseString(String *var);
+ /// Parse an unquoted token (no spaces) or a "quoted string" that
+ /// may include spaces. In some contexts, quotes strings may also
+ /// include macros. Quoted strings may escape any character with
+ /// a backslash (\), which is currently only useful for inner
+ /// quotes. TODO: support quoted strings anywhere a token is accepted.
+ static void ParseQuotedString(char **var, bool *wasQuoted = NULL);
+ static void ParseQuotedString(String *var, bool *wasQuoted = NULL);
static const char *QuoteString(const String &var);
static void ParseWordList(wordlist **list);
-
- /**
- * Backward compatibility wrapper for the ConfigParser::NextToken method.
- * If the configuration_includes_quoted_values configuration parameter is
- * set to 'off' this interprets the quoted tokens as filenames.
- */
static char * strtokFile();
+ static void strtokFileUndo();
+ static void strtokFilePutBack(const char *);
/**
- * Returns the body of the next element. The element is either a token or
- * a quoted string with optional escape sequences and/or macros. The body
- * of a quoted string element does not include quotes or escape sequences.
- * Future code will want to see Elements and not just their bodies.
- */
+ Returns the body of the next element. The element is either a token or
+ a quoted string with optional escape sequences and/or macros. The body
+ of a quoted string element does not include quotes or escape sequences.
+ Future code will want to see Elements and not just their bodies.
+ */
static char *NextToken();
- /// \return true if the last parsed token was quoted
- static bool LastTokenWasQuoted() {return (LastTokenType == ConfigParser::QuotedToken);}
-
- /**
- * \return the next quoted string or the raw string data until the end of line.
- * This method allows %macros in unquoted strings to keep compatibility
- * for the logformat option.
- */
- static char *NextQuotedOrToEol();
-
- /**
- * Undo last NextToken call. The next call to NextToken() method will return
- * again the last parsed element.
- * Can not be called repeatedly to undo multiple NextToken calls. In this case
- * the behaviour is undefined.
- */
- static void TokenUndo();
-
- /**
- * The next NextToken call will return the token as next element
- * It can be used repeatedly to add more than one tokens in a FIFO list.
- */
- static void TokenPutBack(const char *token);
-
- /// Set the configuration file line to parse.
- static void SetCfgLine(char *line);
-
- /// Allow %macros inside quoted strings
- static void EnableMacros() {AllowMacros_ = true;}
-
- /// Do not allow %macros inside quoted strings
- static void DisableMacros() {AllowMacros_ = false;}
-
/// configuration_includes_quoted_values in squid.conf
static int RecognizeQuotedValues;
protected:
- /**
- * Class used to store required information for the current
- * configuration file.
- */
- class CfgFile
- {
- public:
- CfgFile(): wordFile(NULL), parsePos(NULL), lineNo(0) { parseBuffer[0] = '\0';}
- ~CfgFile();
- /// True if the configuration file is open
- bool isOpen() {return wordFile != NULL;}
-
- /**
- * Open the file given by 'path' and initializes the CfgFile object
- * to start parsing
- */
- bool startParse(char *path);
-
- /**
- * Do the next parsing step:
- * reads the next line from file if required.
- * \return the body of next element or a NULL pointer if there are no more token elements in the file.
- * \param type will be filled with the ConfigParse::TokenType for any element found, or left unchanged if NULL is returned.
- */
- char *parse(TokenType &type);
-
- private:
- bool getFileLine(); ///< Read the next line from the file
- /**
- * Return the body of the next element. If the wasQuoted is given
- * set to true if the element was quoted.
- */
- char *nextElement(TokenType &type);
- FILE *wordFile; ///< Pointer to the file.
- char parseBuffer[CONFIG_LINE_LIMIT]; ///< Temporary buffer to store data to parse
- char *parsePos; ///< The next element position in parseBuffer string
- public:
- std::string filePath; ///< The file path
- std::string currentLine; ///< The current line to parse
- int lineNo; ///< Current line number
- };
-
- /**
- * Return the last TokenUndo() or TokenPutBack() queued element, or NULL
- * if none exist
- */
- static char *Undo();
-
- /**
- * Unquotes the token, which must be quoted.
- * \param end if it is not NULL, it is set to the end of token.
- */
- static char *UnQuote(char *token, char **end = NULL);
+ static char *NextElement(bool *wasQuoted);
+ static char *StripComment(char *token);
- /**
- * Does the real tokens parsing job: Ignore comments, unquote an
- * element if required.
- * \return the next token, or NULL if there are no available tokens in the nextToken string.
- * \param nextToken updated to point to the pos after parsed token.
- * \param type The token type
- * \param legacy If it is true function-like parameters are not allowed
- */
- static char *TokenParse(char * &nextToken, TokenType &type, bool legacy = false);
-
- /// Wrapper method for TokenParse.
- static char *NextElement(TokenType &type, bool legacy = false);
- static std::stack CfgFiles; ///< The stack of open cfg files
- static TokenType LastTokenType; ///< The type of last parsed element
- static char *LastToken; ///< Points to the last parsed token
- static char *CfgLine; ///< The current line to parse
- static char *CfgPos; ///< Pointer to the next element in cfgLine string
- static std::queue Undo_; ///< The list with TokenUndo() or TokenPutBack() queued elements
- static bool AllowMacros_;
+private:
+ static char *lastToken;
+ static std::queue undo;
};
int parseConfigFile(const char *file_name);
+/// Used for temporary hacks to allow old code to handle quoted values
+/// without replacing every strtok() call.
+extern char *xstrtok(char *str, const char *delimiters);
+
#endif /* SQUID_CONFIGPARSER_H */
diff -u -r -N squid-3.4.0.1/src/DiskIO/AIO/AIODiskIOModule.cc squid-3.4.0.2/src/DiskIO/AIO/AIODiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/AIO/AIODiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/AIO/AIODiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -50,7 +50,7 @@
{}
void
-AIODiskIOModule::shutdown()
+AIODiskIOModule::gracefulShutdown()
{}
DiskIOStrategy *
diff -u -r -N squid-3.4.0.1/src/DiskIO/AIO/AIODiskIOModule.h squid-3.4.0.2/src/DiskIO/AIO/AIODiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/AIO/AIODiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/AIO/AIODiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -42,7 +42,7 @@
static AIODiskIOModule &GetInstance();
AIODiskIOModule();
virtual void init();
- virtual void shutdown();
+ virtual void gracefulShutdown();
virtual char const *type () const;
virtual DiskIOStrategy* createStrategy();
diff -u -r -N squid-3.4.0.1/src/DiskIO/AIO/aio_win32.cc squid-3.4.0.2/src/DiskIO/AIO/aio_win32.cc
--- squid-3.4.0.1/src/DiskIO/AIO/aio_win32.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/AIO/aio_win32.cc 2013-10-04 00:32:47.000000000 +1200
@@ -32,8 +32,11 @@
*/
#include "squid.h"
+#include "DiskIO/AIO/aio_win32.h"
#include "comm.h"
-#include "aio_win32.h"
+#include "fd.h"
+#include "StatCounters.h"
+#include "win32.h"
#if HAVE_ERRNO_H
#include
diff -u -r -N squid-3.4.0.1/src/DiskIO/Blocking/BlockingDiskIOModule.cc squid-3.4.0.2/src/DiskIO/Blocking/BlockingDiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/Blocking/BlockingDiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/Blocking/BlockingDiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -49,7 +49,7 @@
{}
void
-BlockingDiskIOModule::shutdown()
+BlockingDiskIOModule::gracefulShutdown()
{}
DiskIOStrategy*
diff -u -r -N squid-3.4.0.1/src/DiskIO/Blocking/BlockingDiskIOModule.h squid-3.4.0.2/src/DiskIO/Blocking/BlockingDiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/Blocking/BlockingDiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/Blocking/BlockingDiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -41,7 +41,7 @@
static BlockingDiskIOModule &GetInstance();
BlockingDiskIOModule();
virtual void init();
- virtual void shutdown();
+ virtual void gracefulShutdown();
virtual char const *type () const;
virtual DiskIOStrategy* createStrategy();
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc squid-3.4.0.2/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -79,7 +79,7 @@
}
void
-DiskDaemonDiskIOModule::shutdown()
+DiskDaemonDiskIOModule::gracefulShutdown()
{
initialised = false;
}
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h squid-3.4.0.2/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -41,7 +41,7 @@
static DiskDaemonDiskIOModule &GetInstance();
DiskDaemonDiskIOModule();
virtual void init();
- virtual void shutdown();
+ virtual void gracefulShutdown();
virtual char const *type () const;
virtual DiskIOStrategy* createStrategy();
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskIOModule.cc squid-3.4.0.2/src/DiskIO/DiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/DiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -95,7 +95,7 @@
while (GetModules().size()) {
DiskIOModule *fs = GetModules().back();
GetModules().pop_back();
- fs->shutdown();
+ fs->gracefulShutdown();
}
}
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskIOModule.h squid-3.4.0.2/src/DiskIO/DiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/DiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -65,7 +65,7 @@
virtual void init() = 0;
//virtual void registerWithCacheManager(void);
- virtual void shutdown() = 0;
+ virtual void gracefulShutdown() = 0;
virtual DiskIOStrategy *createStrategy() = 0;
virtual char const *type () const = 0;
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskThreads/aiops_win32.cc squid-3.4.0.2/src/DiskIO/DiskThreads/aiops_win32.cc
--- squid-3.4.0.1/src/DiskIO/DiskThreads/aiops_win32.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskThreads/aiops_win32.cc 2013-10-04 00:32:47.000000000 +1200
@@ -35,6 +35,7 @@
#include "squid.h"
#include "DiskIO/DiskThreads/CommIO.h"
#include "DiskThreads.h"
+#include "fd.h"
#include "SquidConfig.h"
#include "SquidTime.h"
#include "Store.h"
@@ -209,7 +210,7 @@
MemAllocator *pool;
if ((pool = squidaio_get_pool(size)) != NULL) {
- pool->free(p);
+ pool->freeOne(p);
} else
xfree(p);
}
@@ -221,7 +222,7 @@
int len = strlen(str) + 1;
if ((pool = squidaio_get_pool(len)) != NULL) {
- pool->free(str);
+ pool->freeOne(str);
} else
xfree(str);
}
@@ -295,7 +296,9 @@
done_queue.blocked = 0;
- CommIO::NotifyIOCompleted();
+ // Initialize the thread I/O pipes before creating any threads
+ // see bug 3189 comment 5 about race conditions.
+ CommIO::Initialize();
/* Create threads and get them to sit in their wait loop */
squidaio_thread_pool = memPoolCreate("aio_thread", sizeof(squidaio_thread_t));
@@ -715,7 +718,7 @@
resultp->aio_errno = requestp->err;
}
- squidaio_request_pool->free(requestp);
+ squidaio_request_pool->freeOne(requestp);
} /* squidaio_cleanup_request */
int
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskThreads/CommIO.cc squid-3.4.0.2/src/DiskIO/DiskThreads/CommIO.cc
--- squid-3.4.0.1/src/DiskIO/DiskThreads/CommIO.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskThreads/CommIO.cc 2013-10-04 00:32:47.000000000 +1200
@@ -37,6 +37,7 @@
#include "DiskIO/DiskThreads/CommIO.h"
#include "fd.h"
#include "globals.h"
+#include "win32.h"
void
CommIO::Initialize()
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc squid-3.4.0.2/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -52,7 +52,7 @@
}
void
-DiskThreadsDiskIOModule::shutdown()
+DiskThreadsDiskIOModule::gracefulShutdown()
{
DiskThreadsIOStrategy::Instance.done();
}
diff -u -r -N squid-3.4.0.1/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h squid-3.4.0.2/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -42,7 +42,7 @@
DiskThreadsDiskIOModule();
virtual void init();
//virtual void registerWithCacheManager(void);
- virtual void shutdown();
+ virtual void gracefulShutdown();
virtual char const *type () const;
virtual DiskIOStrategy* createStrategy();
diff -u -r -N squid-3.4.0.1/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc squid-3.4.0.2/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -18,7 +18,7 @@
{}
void
-IpcIoDiskIOModule::shutdown()
+IpcIoDiskIOModule::gracefulShutdown()
{}
DiskIOStrategy*
diff -u -r -N squid-3.4.0.1/src/DiskIO/IpcIo/IpcIoDiskIOModule.h squid-3.4.0.2/src/DiskIO/IpcIo/IpcIoDiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/IpcIo/IpcIoDiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/IpcIo/IpcIoDiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -10,7 +10,7 @@
static IpcIoDiskIOModule &GetInstance();
IpcIoDiskIOModule();
virtual void init();
- virtual void shutdown();
+ virtual void gracefulShutdown();
virtual char const *type () const;
virtual DiskIOStrategy* createStrategy();
diff -u -r -N squid-3.4.0.1/src/DiskIO/Mmapped/MmappedDiskIOModule.cc squid-3.4.0.2/src/DiskIO/Mmapped/MmappedDiskIOModule.cc
--- squid-3.4.0.1/src/DiskIO/Mmapped/MmappedDiskIOModule.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/Mmapped/MmappedDiskIOModule.cc 2013-10-04 00:32:47.000000000 +1200
@@ -18,7 +18,7 @@
{}
void
-MmappedDiskIOModule::shutdown()
+MmappedDiskIOModule::gracefulShutdown()
{}
DiskIOStrategy*
diff -u -r -N squid-3.4.0.1/src/DiskIO/Mmapped/MmappedDiskIOModule.h squid-3.4.0.2/src/DiskIO/Mmapped/MmappedDiskIOModule.h
--- squid-3.4.0.1/src/DiskIO/Mmapped/MmappedDiskIOModule.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/DiskIO/Mmapped/MmappedDiskIOModule.h 2013-10-04 00:32:47.000000000 +1200
@@ -10,7 +10,7 @@
static MmappedDiskIOModule &GetInstance();
MmappedDiskIOModule();
virtual void init();
- virtual void shutdown();
+ virtual void gracefulShutdown();
virtual char const *type () const;
virtual DiskIOStrategy* createStrategy();
diff -u -r -N squid-3.4.0.1/src/dns_internal.cc squid-3.4.0.2/src/dns_internal.cc
--- squid-3.4.0.1/src/dns_internal.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/dns_internal.cc 2013-10-04 00:32:47.000000000 +1200
@@ -268,6 +268,9 @@
static void
idnsCheckMDNS(idns_query *q)
{
+ if (!Config.onoff.dns_mdns || q->permit_mdns)
+ return;
+
size_t slen = strlen(q->name);
if (slen > 6 && memcmp(q->name +(slen-6),".local", 6) == 0) {
q->permit_mdns = true;
@@ -279,6 +282,10 @@
{
nns_mdns_count=0;
+ // mDNS is disabled
+ if (!Config.onoff.dns_mdns)
+ return;
+
// mDNS resolver addresses are explicit multicast group IPs
if (Ip::EnableIpv6) {
idnsAddNameserver("FF02::FB");
@@ -717,21 +724,23 @@
storeAppendPrintf(sentry, "Internal DNS Statistics:\n");
storeAppendPrintf(sentry, "\nThe Queue:\n");
storeAppendPrintf(sentry, " DELAY SINCE\n");
- storeAppendPrintf(sentry, " ID SIZE SENDS FIRST SEND LAST SEND\n");
- storeAppendPrintf(sentry, "------ ---- ----- ---------- ---------\n");
+ storeAppendPrintf(sentry, " ID SIZE SENDS FIRST SEND LAST SEND M FQDN\n");
+ storeAppendPrintf(sentry, "------ ---- ----- ---------- --------- - ----\n");
for (n = lru_list.head; n; n = n->next) {
q = (idns_query *)n->data;
- storeAppendPrintf(sentry, "%#06x %4d %5d %10.3f %9.3f\n",
+ storeAppendPrintf(sentry, "%#06x %4d %5d %10.3f %9.3f %c %s\n",
(int) q->query_id, (int) q->sz, q->nsends,
tvSubDsec(q->start_t, current_time),
- tvSubDsec(q->sent_t, current_time));
+ tvSubDsec(q->sent_t, current_time),
+ (q->permit_mdns? 'M':' '),
+ q->name);
}
if (Config.dns.packet_max > 0)
- storeAppendPrintf(sentry, "DNS jumbo-grams: %zd Bytes\n", Config.dns.packet_max);
+ storeAppendPrintf(sentry, "\nDNS jumbo-grams: %zd Bytes\n", Config.dns.packet_max);
else
- storeAppendPrintf(sentry, "DNS jumbo-grams: not working\n");
+ storeAppendPrintf(sentry, "\nDNS jumbo-grams: not working\n");
storeAppendPrintf(sentry, "\nNameservers:\n");
storeAppendPrintf(sentry, "IP ADDRESS # QUERIES # REPLIES Type\n");
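Review bot: The new `%s` column prints `q->name` into the cache manager report exactly as stored, and nothing in this hunk shows the name being checked for whitespace or control characters. If queued names can carry bytes from a client-supplied hostname, a crafted name could break the column layout or add lines that look like report entries. The report also now lists every hostname being resolved, so access to this action deserves the same restriction as other sensitive manager pages. A comment such as `// q->name is printed unescaped; assumes the name was validated before the query was queued` would record the assumption. The enclosing function begins and ends outside this hunk.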
@@ -1603,6 +1612,8 @@
#endif
debugs(78, DBG_IMPORTANT, "or use the 'dns_nameservers' option in squid.conf.");
+ if (Ip::EnableIpv6)
+ idnsAddNameserver("::1");
idnsAddNameserver("127.0.0.1");
}
@@ -1816,7 +1827,7 @@
debugs(78, 3, "idnsPTRLookup: buf is " << q->sz << " bytes for " << ip <<
", id = 0x" << std::hex << q->query_id);
- q->permit_mdns = true;
+ q->permit_mdns = Config.onoff.dns_mdns;
idnsStartQuery(q, callback, data);
}
diff -u -r -N squid-3.4.0.1/src/external_acl.cc squid-3.4.0.2/src/external_acl.cc
--- squid-3.4.0.1/src/external_acl.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/external_acl.cc 2013-10-04 00:32:47.000000000 +1200
@@ -44,7 +44,6 @@
#include "cache_cf.h"
#include "client_side.h"
#include "comm/Connection.h"
-#include "ConfigParser.h"
#include "ExternalACL.h"
#include "ExternalACLEntry.h"
#include "fde.h"
@@ -331,16 +330,14 @@
a->local_addr.setLocalhost();
a->quote = external_acl::QUOTE_METHOD_URL;
- token = ConfigParser::NextToken();
+ token = strtok(NULL, w_space);
if (!token)
self_destruct();
a->name = xstrdup(token);
- // Allow supported %macros inside quoted tokens
- ConfigParser::EnableMacros();
- token = ConfigParser::NextToken();
+ token = strtok(NULL, w_space);
/* Parse options */
while (token) {
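Review bot: The `strtok(NULL, w_space)` calls that replace `ConfigParser::NextToken()` here depend on a scan that a caller outside this hunk must already have started, and the new lines do not say so. strtok() keeps a single hidden cursor, so any code that tokenizes another buffer between these calls silently redirects the parse, and a quoted value containing whitespace is split into several tokens. I would add a comment above the first call, `/* continues the strtok() scan of the current squid.conf line; quoted values are not honoured here */`. The same pattern recurs in the later hunks of this file and in format/Config.cc, HelperChildConfig.cc, ip/QosConfig.cc, log/Config.cc and Parsing.cc; the enclosing function begins and ends outside this hunk.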
@@ -389,9 +386,8 @@
break;
}
- token = ConfigParser::NextToken();
+ token = strtok(NULL, w_space);
}
- ConfigParser::DisableMacros();
/* check that child startup value is sane. */
if (a->children.n_startup > a->children.n_max)
@@ -507,7 +503,7 @@
*p = format;
p = &format->next;
- token = ConfigParser::NextToken();
+ token = strtok(NULL, w_space);
}
/* There must be at least one format token */
diff -u -r -N squid-3.4.0.1/src/fd.cc squid-3.4.0.2/src/fd.cc
--- squid-3.4.0.1/src/fd.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/fd.cc 2013-10-04 00:32:47.000000000 +1200
@@ -369,6 +369,7 @@
if (Squid_MaxFD - newReserve < min(256, Squid_MaxFD / 2))
fatalf("Too few filedescriptors available in the system (%d usable of %d).\n", Squid_MaxFD - newReserve, Squid_MaxFD);
- debugs(51, DBG_CRITICAL, "Reserved FD adjusted from " << RESERVED_FD << " to " << newReserve << " due to failures");
+ debugs(51, DBG_CRITICAL, "Reserved FD adjusted from " << RESERVED_FD << " to " << newReserve <<
+ " due to failures (" << (Squid_MaxFD - newReserve) << "/" << Squid_MaxFD << " file descriptors available)");
RESERVED_FD = newReserve;
}
diff -u -r -N squid-3.4.0.1/src/format/Config.cc squid-3.4.0.2/src/format/Config.cc
--- squid-3.4.0.1/src/format/Config.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/format/Config.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1,5 +1,4 @@
#include "squid.h"
-#include "ConfigParser.h"
#include "cache_cf.h"
#include "Debug.h"
#include "format/Config.h"
@@ -12,10 +11,10 @@
{
char *name, *def;
- if ((name = ConfigParser::NextToken()) == NULL)
+ if ((name = strtok(NULL, w_space)) == NULL)
self_destruct();
- if ((def = ConfigParser::NextQuotedOrToEol()) == NULL) {
+ if ((def = strtok(NULL, "\r\n")) == NULL) {
self_destruct();
return;
}
diff -u -r -N squid-3.4.0.1/src/format/Format.h squid-3.4.0.2/src/format/Format.h
--- squid-3.4.0.1/src/format/Format.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/format/Format.h 2013-10-04 00:32:47.000000000 +1200
@@ -2,7 +2,6 @@
#define _SQUID_FORMAT_FORMAT_H
#include "base/RefCount.h"
-#include "ConfigParser.h"
/*
* Squid configuration allows users to define custom formats in
* several components.
@@ -30,7 +29,7 @@
{
public:
Format(const char *name);
- virtual ~Format();
+ ~Format();
/* very inefficent parser, but who cares, this needs to be simple */
/* First off, let's tokenize, we'll optimize in a second pass.
diff -u -r -N squid-3.4.0.1/src/FwdState.cc squid-3.4.0.2/src/FwdState.cc
--- squid-3.4.0.1/src/FwdState.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/FwdState.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1100,7 +1100,7 @@
ctimeout = ftimeout;
if (serverDestinations[0]->getPeer() && request->flags.sslBumped) {
- debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed");
+ debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parent proxy are not allowed");
ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scServiceUnavailable, request);
fail(anErr);
self = NULL; // refcounted
@@ -1119,9 +1119,11 @@
else
serverConn = NULL;
if (Comm::IsConnOpen(serverConn)) {
+ pinned_connection->stopPinnedConnectionMonitoring();
flags.connected_okay = true;
++n_tries;
request->flags.pinned = true;
+ request->hier.note(serverConn, pinned_connection->pinning.host);
if (pinned_connection->pinnedAuth())
request->flags.auth = true;
comm_add_close_handler(serverConn->fd, fwdServerClosedWrapper, this);
diff -u -r -N squid-3.4.0.1/src/globals.h squid-3.4.0.2/src/globals.h
--- squid-3.4.0.1/src/globals.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/globals.h 2013-10-04 00:32:47.000000000 +1200
@@ -137,6 +137,7 @@
extern int ssl_ex_index_ssl_peeked_cert; /* -1 */
extern int ssl_ex_index_ssl_errors; /* -1 */
extern int ssl_ex_index_ssl_cert_chain; /* -1 */
+extern int ssl_ex_index_ssl_validation_counter; /* -1 */
extern const char *external_acl_message; /* NULL */
extern int opt_send_signal; /* -1 */
diff -u -r -N squid-3.4.0.1/src/HelperChildConfig.cc squid-3.4.0.2/src/HelperChildConfig.cc
--- squid-3.4.0.1/src/HelperChildConfig.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/HelperChildConfig.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1,6 +1,5 @@
#include "squid.h"
#include "cache_cf.h"
-#include "ConfigParser.h"
#include "Debug.h"
#include "HelperChildConfig.h"
#include "globals.h"
@@ -45,7 +44,7 @@
void
HelperChildConfig::parseConfig()
{
- char const *token = ConfigParser::NextToken();
+ char const *token = strtok(NULL, w_space);
if (!token)
self_destruct();
@@ -59,7 +58,7 @@
}
/* Parse extension options */
- for (; (token = ConfigParser::NextToken()) ;) {
+ for (; (token = strtok(NULL, w_space)) ;) {
if (strncmp(token, "startup=", 8) == 0) {
n_startup = xatoui(token + 8);
} else if (strncmp(token, "idle=", 5) == 0) {
diff -u -r -N squid-3.4.0.1/src/HttpHeader.cc squid-3.4.0.2/src/HttpHeader.cc
--- squid-3.4.0.1/src/HttpHeader.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/HttpHeader.cc 2013-10-04 00:32:47.000000000 +1200
@@ -107,6 +107,7 @@
{"Expires", HDR_EXPIRES, ftDate_1123},
{"From", HDR_FROM, ftStr},
{"Host", HDR_HOST, ftStr},
+ {"HTTP2-Settings", HDR_HTTP2_SETTINGS, ftStr}, /* for now */
{"If-Match", HDR_IF_MATCH, ftStr}, /* for now */
{"If-Modified-Since", HDR_IF_MODIFIED_SINCE, ftDate_1123},
{"If-None-Match", HDR_IF_NONE_MATCH, ftStr}, /* for now */
@@ -254,6 +255,7 @@
static HttpHeaderMask RequestHeadersMask; /* set run-time using RequestHeaders */
static http_hdr_type RequestHeadersArr[] = {
HDR_AUTHORIZATION, HDR_FROM, HDR_HOST,
+ HDR_HTTP2_SETTINGS,
HDR_IF_MATCH, HDR_IF_MODIFIED_SINCE, HDR_IF_NONE_MATCH,
HDR_IF_RANGE, HDR_MAX_FORWARDS,
HDR_ORIGIN,
@@ -264,7 +266,7 @@
static HttpHeaderMask HopByHopHeadersMask;
static http_hdr_type HopByHopHeadersArr[] = {
- HDR_CONNECTION, HDR_KEEP_ALIVE, /*HDR_PROXY_AUTHENTICATE,*/ HDR_PROXY_AUTHORIZATION,
+ HDR_CONNECTION, HDR_HTTP2_SETTINGS, HDR_KEEP_ALIVE, /*HDR_PROXY_AUTHENTICATE,*/ HDR_PROXY_AUTHORIZATION,
HDR_TE, HDR_TRAILER, HDR_TRANSFER_ENCODING, HDR_UPGRADE, HDR_PROXY_CONNECTION
};
diff -u -r -N squid-3.4.0.1/src/HttpHeader.h squid-3.4.0.2/src/HttpHeader.h
--- squid-3.4.0.1/src/HttpHeader.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/HttpHeader.h 2013-10-04 00:32:47.000000000 +1200
@@ -83,6 +83,7 @@
HDR_EXPIRES, /**< RFC 2608, 2616 */
HDR_FROM, /**< RFC 2608, 2616 */
HDR_HOST, /**< RFC 2608, 2616 */
+ HDR_HTTP2_SETTINGS, /**< HTTP/2.0 upgrade header. see draft-ietf-httpbis-http2-04 */
/*HDR_IF,*/ /* RFC 2518 */
HDR_IF_MATCH, /**< RFC 2608, 2616 */
HDR_IF_MODIFIED_SINCE, /**< RFC 2608, 2616 */
diff -u -r -N squid-3.4.0.1/src/HttpRequest.cc squid-3.4.0.2/src/HttpRequest.cc
--- squid-3.4.0.1/src/HttpRequest.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/HttpRequest.cc 2013-10-04 00:32:47.000000000 +1200
@@ -228,7 +228,6 @@
copy->vary_headers = vary_headers ? xstrdup(vary_headers) : NULL;
// XXX: what to do with copy->peer_domain?
- copy->myportname = myportname;
copy->tag = tag;
copy->extacl_log = extacl_log;
copy->extacl_message = extacl_message;
@@ -273,6 +272,8 @@
extacl_passwd = aReq->extacl_passwd;
#endif
+ myportname = aReq->myportname;
+
// main property is which connection the request was received on (if any)
clientConnectionManager = aReq->clientConnectionManager;
diff -u -r -N squid-3.4.0.1/src/ip/QosConfig.cc squid-3.4.0.2/src/ip/QosConfig.cc
--- squid-3.4.0.1/src/ip/QosConfig.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ip/QosConfig.cc 2013-10-04 00:32:47.000000000 +1200
@@ -209,7 +209,7 @@
self_destruct();
#endif
- while ( (token = ConfigParser::NextToken()) ) {
+ while ( (token = strtok(NULL, w_space)) ) {
// Work out TOS or mark. Default to TOS for backwards compatibility
if (!(mark || tos)) {
diff -u -r -N squid-3.4.0.1/src/log/Config.cc squid-3.4.0.2/src/log/Config.cc
--- squid-3.4.0.1/src/log/Config.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/log/Config.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1,6 +1,5 @@
#include "squid.h"
#include "cache_cf.h"
-#include "ConfigParser.h"
#include "Debug.h"
#include "log/Config.h"
@@ -11,20 +10,18 @@
{
char *name, *def;
- if ((name = ConfigParser::NextToken()) == NULL)
+ if ((name = strtok(NULL, w_space)) == NULL)
self_destruct();
- ::Format::Format *nlf = new ::Format::Format(name);
-
- ConfigParser::EnableMacros();
- if ((def = ConfigParser::NextQuotedOrToEol()) == NULL) {
+ if ((def = strtok(NULL, "\r\n")) == NULL) {
self_destruct();
return;
}
- ConfigParser::DisableMacros();
debugs(3, 2, "Log Format for '" << name << "' is '" << def << "'");
+ ::Format::Format *nlf = new ::Format::Format(name);
+
if (!nlf->parse(def)) {
self_destruct();
return;
diff -u -r -N squid-3.4.0.1/src/main.cc squid-3.4.0.2/src/main.cc
--- squid-3.4.0.1/src/main.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/main.cc 2013-10-04 00:32:47.000000000 +1200
@@ -163,10 +163,6 @@
void WINAPI WIN32_svcHandler(DWORD);
#endif
-#if !defined(SQUID_BUILD_INFO)
-#define SQUID_BUILD_INFO ""
-#endif
-
static char *opt_syslog_facility = NULL;
static int icpPortNumOverride = 1; /* Want to detect "-u 0" */
static int configured_once = 0;
@@ -808,7 +804,7 @@
if (oldWorkers != Config.workers) {
debugs(1, DBG_CRITICAL, "WARNING: Changing 'workers' (from " <<
oldWorkers << " to " << Config.workers <<
- ") is not supported and ignored");
+ ") requires a full restart. It has been ignored by reconfigure.");
Config.workers = oldWorkers;
}
diff -u -r -N squid-3.4.0.1/src/mgr/CountersAction.h squid-3.4.0.2/src/mgr/CountersAction.h
--- squid-3.4.0.1/src/mgr/CountersAction.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/mgr/CountersAction.h 2013-10-04 00:32:47.000000000 +1200
@@ -7,7 +7,6 @@
#define SQUID_MGR_COUNTERS_ACTION_H
#include "mgr/Action.h"
-#include
namespace Mgr
{
diff -u -r -N squid-3.4.0.1/src/mgr/InfoAction.h squid-3.4.0.2/src/mgr/InfoAction.h
--- squid-3.4.0.1/src/mgr/InfoAction.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/mgr/InfoAction.h 2013-10-04 00:32:47.000000000 +1200
@@ -8,7 +8,6 @@
#include "mgr/Action.h"
#include "StoreStats.h"
-#include
namespace Mgr
{
diff -u -r -N squid-3.4.0.1/src/mgr/IntervalAction.h squid-3.4.0.2/src/mgr/IntervalAction.h
--- squid-3.4.0.1/src/mgr/IntervalAction.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/mgr/IntervalAction.h 2013-10-04 00:32:47.000000000 +1200
@@ -7,7 +7,6 @@
#define SQUID_MGR_INTERVAL_ACTION_H
#include "mgr/Action.h"
-#include
namespace Mgr
{
diff -u -r -N squid-3.4.0.1/src/neighbors.cc squid-3.4.0.2/src/neighbors.cc
--- squid-3.4.0.1/src/neighbors.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/neighbors.cc 2013-10-04 00:32:47.000000000 +1200
@@ -204,8 +204,6 @@
return do_ping;
ACLFilledChecklist checklist(p->access, request, NULL);
- checklist.src_addr = request->client_addr;
- checklist.my_addr = request->my_addr;
return (checklist.fastCheck() == ACCESS_ALLOWED);
}
diff -u -r -N squid-3.4.0.1/src/Notes.cc squid-3.4.0.2/src/Notes.cc
--- squid-3.4.0.1/src/Notes.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/Notes.cc 2013-10-04 00:32:47.000000000 +1200
@@ -92,8 +92,9 @@
Note::Pointer
Notes::parse(ConfigParser &parser)
{
- String key = ConfigParser::NextToken();
- String value = ConfigParser::NextToken();
+ String key, value;
+ ConfigParser::ParseString(&key);
+ ConfigParser::ParseQuotedString(&value);
Note::Pointer note = add(key);
Note::Value::Pointer noteValue = note->addValue(value);
diff -u -r -N squid-3.4.0.1/src/Parsing.cc squid-3.4.0.2/src/Parsing.cc
--- squid-3.4.0.1/src/Parsing.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/Parsing.cc 2013-10-04 00:32:47.000000000 +1200
@@ -147,7 +147,7 @@
int64_t
GetInteger64(void)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (token == NULL)
self_destruct();
@@ -162,7 +162,7 @@
int
GetInteger(void)
{
- char *token = ConfigParser::NextToken();
+ char *token = ConfigParser::strtokFile();
int i;
if (token == NULL)
@@ -216,7 +216,7 @@
unsigned short
GetShort(void)
{
- char *token = ConfigParser::NextToken();
+ char *token = strtok(NULL, w_space);
if (token == NULL)
self_destruct();
diff -u -r -N squid-3.4.0.1/src/peer_proxy_negotiate_auth.cc squid-3.4.0.2/src/peer_proxy_negotiate_auth.cc
--- squid-3.4.0.1/src/peer_proxy_negotiate_auth.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/peer_proxy_negotiate_auth.cc 2013-10-04 00:32:47.000000000 +1200
@@ -210,21 +210,29 @@
static krb5_keytab_entry entry;
static krb5_kt_cursor cursor;
static krb5_creds *creds = NULL;
-#if HAVE_HEIMDAL_KERBEROS
+#if HAVE_HEIMDAL_KERBEROS && !HAVE_KRB5_GET_RENEWED_CREDS
static krb5_creds creds2;
#endif
static krb5_principal principal = NULL;
static krb5_deltat skew;
+#if HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ krb5_get_init_creds_opt *options;
+#else
krb5_get_init_creds_opt options;
+#endif
krb5_error_code code = 0;
krb5_deltat rlife;
#if HAVE_PROFILE_H && HAVE_KRB5_GET_PROFILE && HAVE_PROFILE_GET_INTEGER && HAVE_PROFILE_RELEASE
profile_t profile;
#endif
-#if HAVE_HEIMDAL_KERBEROS
+#if HAVE_HEIMDAL_KERBEROS && !HAVE_KRB5_GET_RENEWED_CREDS
krb5_kdc_flags flags;
- krb5_realm *client_realm;
+#if HAVE_KRB5_PRINCIPAL_GET_REALM
+ const char *client_realm;
+#else
+ krb5_realm client_realm;
+#endif
#endif
char *mem_cache;
@@ -236,7 +244,7 @@
(creds->times.endtime - time(0) > skew) &&
(creds->times.renew_till - time(0) > 2 * skew)) {
if (creds->times.endtime - time(0) < 2 * skew) {
-#if !HAVE_HEIMDAL_KERBEROS
+#if HAVE_KRB5_GET_RENEWED_CREDS
/* renew ticket */
code =
krb5_get_renewed_creds(kparam.context, creds, principal,
@@ -256,10 +264,15 @@
<< error_message(code));
return (1);
}
+#if HAVE_KRB5_PRINCIPAL_GET_REALM
+ client_realm = krb5_principal_get_realm(kparam.context, principal);
+#else
client_realm = krb5_princ_realm(kparam.context, creds2.client);
+#endif
code =
krb5_make_principal(kparam.context, &creds2.server,
- *client_realm, KRB5_TGS_NAME, *client_realm, NULL);
+ (krb5_const_realm)&client_realm, KRB5_TGS_NAME,
+ (krb5_const_realm)&client_realm, NULL);
if (code) {
debugs(11, 5,
HERE << "Error while getting krbtgt principal : " <<
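Review bot: Both realm arguments to `krb5_make_principal` are now `(krb5_const_realm)&client_realm`, which passes the address of the local variable rather than the realm string it points to. In the `HAVE_KRB5_PRINCIPAL_GET_REALM` branch `client_realm` is declared `const char *` in the earlier hunk, so, assuming `krb5_const_realm` is a plain string pointer as in Heimdal's headers, the library would read pointer bytes as the realm name and the cast hides the type mismatch from the compiler. I would pass the value itself, `client_realm, KRB5_TGS_NAME,` and `client_realm, NULL);`, and check that the `#else` branch assigns a type that `krb5_princ_realm` actually returns. The enclosing function begins and ends outside this hunk.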
@@ -400,7 +413,11 @@
creds = (krb5_creds *) xmalloc(sizeof(*creds));
memset(creds, 0, sizeof(*creds));
+#if HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ krb5_get_init_creds_opt_alloc(kparam.context, &options);
+#else
krb5_get_init_creds_opt_init(&options);
+#endif
code = krb5_string_to_deltat((char *) MAX_RENEW_TIME, &rlife);
if (code != 0 || rlife == 0) {
debugs(11, 5,
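Review bot: The result of `krb5_get_init_creds_opt_alloc(kparam.context, &options);` is discarded, so a failed allocation leaves `options` uninitialised when it is handed to `krb5_get_init_creds_opt_set_renew_life` in the next hunk. The `return (1);` taken when `krb5_string_to_deltat` fails (visible as context in the next hunk) also runs after the allocation and before `krb5_get_init_creds_opt_free`, so that path leaks the options structure. I would assign the result, `code = krb5_get_init_creds_opt_alloc(kparam.context, &options);`, return on a non-zero code, and either free `options` on the early return or move the allocation below the `krb5_string_to_deltat` check. The enclosing function begins and ends outside this hunk.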
@@ -408,11 +425,22 @@
" : " << error_message(code));
return (1);
}
+#if HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ krb5_get_init_creds_opt_set_renew_life(options, rlife);
+ code =
+ krb5_get_init_creds_keytab(kparam.context, creds, principal,
+ keytab, 0, NULL, options);
+#if HAVE_KRB5_GET_INIT_CREDS_FREE_CONTEXT
+ krb5_get_init_creds_opt_free(kparam.context, options);
+#else
+ krb5_get_init_creds_opt_free(options);
+#endif
+#else
krb5_get_init_creds_opt_set_renew_life(&options, rlife);
-
code =
krb5_get_init_creds_keytab(kparam.context, creds, principal,
keytab, 0, NULL, &options);
+#endif
if (code) {
debugs(11, 5,
HERE <<
diff -u -r -N squid-3.4.0.1/src/SquidConfig.h squid-3.4.0.2/src/SquidConfig.h
--- squid-3.4.0.1/src/SquidConfig.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/SquidConfig.h 2013-10-04 00:32:47.000000000 +1200
@@ -355,6 +355,7 @@
int memory_cache_disk;
int hostStrictVerify;
int client_dst_passthru;
+ int dns_mdns;
} onoff;
int pipeline_max_prefetch;
diff -u -r -N squid-3.4.0.1/src/ssl/ErrorDetail.cc squid-3.4.0.2/src/ssl/ErrorDetail.cc
--- squid-3.4.0.1/src/ssl/ErrorDetail.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ssl/ErrorDetail.cc 2013-10-04 00:32:47.000000000 +1200
@@ -19,8 +19,10 @@
SslErrors TheSslErrors;
static SslErrorEntry TheSslErrorArray[] = {
+ {SQUID_X509_V_ERR_INFINITE_VALIDATION,
+ "SQUID_X509_V_ERR_INFINITE_VALIDATION"},
{SQUID_X509_V_ERR_CERT_CHANGE,
- "SQUID_X509_V_ERR_CERT_CHANGE"},
+ "SQUID_X509_V_ERR_CERT_CHANGE"},
{SQUID_ERR_SSL_HANDSHAKE,
"SQUID_ERR_SSL_HANDSHAKE"},
{SQUID_X509_V_ERR_DOMAIN_MISMATCH,
@@ -87,6 +89,132 @@
"X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"},
{X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
"X509_V_ERR_KEYUSAGE_NO_CERTSIGN"},
+#if defined(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)
+ {
+ X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, //33
+ "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER"
+ },
+#endif
+#if defined(X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
+ {
+ X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, //34
+ "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
+ },
+#endif
+#if defined(X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)
+ {
+ X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, //35
+ "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
+ },
+#endif
+#if defined(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)
+ {
+ X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, //36
+ "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"
+ },
+#endif
+#if defined(X509_V_ERR_INVALID_NON_CA)
+ {
+ X509_V_ERR_INVALID_NON_CA, //37
+ "X509_V_ERR_INVALID_NON_CA"
+ },
+#endif
+#if defined(X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)
+ {
+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, //38
+ "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED"
+ },
+#endif
+#if defined(X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE)
+ {
+ X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, //39
+ "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE"
+ },
+#endif
+#if defined(X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
+ {
+ X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, //40
+ "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED"
+ },
+#endif
+#if defined(X509_V_ERR_INVALID_EXTENSION)
+ {
+ X509_V_ERR_INVALID_EXTENSION, //41
+ "X509_V_ERR_INVALID_EXTENSION"
+ },
+#endif
+#if defined(X509_V_ERR_INVALID_POLICY_EXTENSION)
+ {
+ X509_V_ERR_INVALID_POLICY_EXTENSION, //42
+ "X509_V_ERR_INVALID_POLICY_EXTENSION"
+ },
+#endif
+#if defined(X509_V_ERR_NO_EXPLICIT_POLICY)
+ {
+ X509_V_ERR_NO_EXPLICIT_POLICY, //43
+ "X509_V_ERR_NO_EXPLICIT_POLICY"
+ },
+#endif
+#if defined(X509_V_ERR_DIFFERENT_CRL_SCOPE)
+ {
+ X509_V_ERR_DIFFERENT_CRL_SCOPE, //44
+ "X509_V_ERR_DIFFERENT_CRL_SCOPE"
+ },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE)
+ {
+ X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, //45
+ "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE"
+ },
+#endif
+#if defined(X509_V_ERR_UNNESTED_RESOURCE)
+ {
+ X509_V_ERR_UNNESTED_RESOURCE, //46
+ "X509_V_ERR_UNNESTED_RESOURCE"
+ },
+#endif
+#if defined(X509_V_ERR_PERMITTED_VIOLATION)
+ {
+ X509_V_ERR_PERMITTED_VIOLATION, //47
+ "X509_V_ERR_PERMITTED_VIOLATION"
+ },
+#endif
+#if defined(X509_V_ERR_EXCLUDED_VIOLATION)
+ {
+ X509_V_ERR_EXCLUDED_VIOLATION, //48
+ "X509_V_ERR_EXCLUDED_VIOLATION"
+ },
+#endif
+#if defined(X509_V_ERR_SUBTREE_MINMAX)
+ {
+ X509_V_ERR_SUBTREE_MINMAX, //49
+ "X509_V_ERR_SUBTREE_MINMAX"
+ },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)
+ {
+ X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51
+ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE"
+ },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX)
+ {
+ X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, //52
+ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX"
+ },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX)
+ {
+ X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, //53
+ "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX"
+ },
+#endif
+#if defined(X509_V_ERR_CRL_PATH_VALIDATION_ERROR)
+ {
+ X509_V_ERR_CRL_PATH_VALIDATION_ERROR, //54
+ "X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
+ },
+#endif
{X509_V_ERR_APPLICATION_VERIFICATION,
"X509_V_ERR_APPLICATION_VERIFICATION"},
{ SSL_ERROR_NONE, "SSL_ERROR_NONE"},
diff -u -r -N squid-3.4.0.1/src/ssl/gadgets.cc squid-3.4.0.2/src/ssl/gadgets.cc
--- squid-3.4.0.1/src/ssl/gadgets.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ssl/gadgets.cc 2013-10-04 00:32:47.000000000 +1200
@@ -410,7 +410,7 @@
serial = BN_bin2bn(md, n, NULL);
// if the serial is "0" set it to '1'
- if (BN_is_zero(serial))
+ if (BN_is_zero(serial) == true)
BN_one(serial);
// serial size does not exceed 20 bytes
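Review bot: The new condition `BN_is_zero(serial) == true` holds only when BN_is_zero() yields exactly 1, so with an OpenSSL build where it returns some other non-zero value the branch would be skipped and the generated certificate would keep a zero serial. Writing it as `if (BN_is_zero(serial) != 0)` keeps an explicit comparison without depending on the exact value. If the comparison was added to silence clang's parentheses-equality warning (the compiler-flags.m4 change in this patch drops the matching `-Wno-error`), a short comment saying so would stop it from being "simplified" back. The enclosing function starts and ends outside this hunk.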
diff -u -r -N squid-3.4.0.1/src/ssl/support.cc squid-3.4.0.2/src/ssl/support.cc
--- squid-3.4.0.1/src/ssl/support.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ssl/support.cc 2013-10-04 00:32:47.000000000 +1200
@@ -239,6 +239,23 @@
X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer,
sizeof(buffer));
+ // detect infinite loops
+ uint32_t *validationCounter = static_cast(SSL_get_ex_data(ssl, ssl_ex_index_ssl_validation_counter));
+ if (!validationCounter) {
+ validationCounter = new uint32_t(1);
+ SSL_set_ex_data(ssl, ssl_ex_index_ssl_validation_counter, validationCounter);
+ } else {
+ // overflows allowed if SQUID_CERT_VALIDATION_ITERATION_MAX >= UINT32_MAX
+ (*validationCounter)++;
+ }
+
+ if ((*validationCounter) >= SQUID_CERT_VALIDATION_ITERATION_MAX) {
+ ok = 0; // or the validation loop will never stop
+ error_no = SQUID_X509_V_ERR_INFINITE_VALIDATION;
+ debugs(83, 2, "SQUID_X509_V_ERR_INFINITE_VALIDATION: " <<
+ *validationCounter << " iterations while checking " << buffer);
+ }
+
if (ok) {
debugs(83, 5, "SSL Certificate signature OK: " << buffer);
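Review bot: The result of `SSL_set_ex_data()` is ignored in the `if (!validationCounter)` branch. If that call fails, the new `uint32_t` is never attached to the SSL object, so it leaks and every later callback allocates a fresh counter starting at 1; SQUID_CERT_VALIDATION_ITERATION_MAX is then never reached and the loop this guard exists to stop keeps running. The chain-storing code further down in this file already checks the same call and frees on failure. A variant that frees the counter and fails validation closed is sketched below (it reuses the infinite-validation error for that case, which may deserve its own message); the enclosing callback starts and ends outside the hunk.

```cpp
// fail closed when the counter cannot be attached to this SSL object
uint32_t iterations = SQUID_CERT_VALIDATION_ITERATION_MAX;
// … unchanged: validationCounter lookup via SSL_get_ex_data() …
if (!validationCounter) {
    validationCounter = new uint32_t(1);
    if (SSL_set_ex_data(ssl, ssl_ex_index_ssl_validation_counter, validationCounter)) {
        iterations = *validationCounter;
    } else {
        delete validationCounter; // the SSL object never took ownership, so ssl_free_int will not free it
        validationCounter = NULL;
    }
} else {
    // overflows allowed if SQUID_CERT_VALIDATION_ITERATION_MAX >= UINT32_MAX
    iterations = ++(*validationCounter);
}

if (iterations >= SQUID_CERT_VALIDATION_ITERATION_MAX) {
    // … unchanged: ok = 0 and error_no assignment; debugs() prints iterations instead of *validationCounter …
}
```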
@@ -282,30 +299,34 @@
else
debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer);
- if (check) {
- ACLFilledChecklist *filledCheck = Filled(check);
- assert(!filledCheck->sslErrors);
- filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert));
- filledCheck->serverCert.resetAndLock(peer_cert);
- if (check->fastCheck() == ACCESS_ALLOWED) {
- debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
- ok = 1;
- } else {
- debugs(83, 5, "confirming SSL error " << error_no);
+ // Check if the certificate error can be bypassed.
+ // Infinity validation loop errors can not bypassed.
+ if (error_no != SQUID_X509_V_ERR_INFINITE_VALIDATION) {
+ if (check) {
+ ACLFilledChecklist *filledCheck = Filled(check);
+ assert(!filledCheck->sslErrors);
+ filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert));
+ filledCheck->serverCert.resetAndLock(peer_cert);
+ if (check->fastCheck() == ACCESS_ALLOWED) {
+ debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
+ ok = 1;
+ } else {
+ debugs(83, 5, "confirming SSL error " << error_no);
+ }
+ delete filledCheck->sslErrors;
+ filledCheck->sslErrors = NULL;
+ filledCheck->serverCert.reset(NULL);
}
- delete filledCheck->sslErrors;
- filledCheck->sslErrors = NULL;
- filledCheck->serverCert.reset(NULL);
- }
- // If the certificate validator is used then we need to allow all errors and
- // pass them to certficate validator for more processing
- else if (Ssl::TheConfig.ssl_crt_validator) {
- ok = 1;
- // Check if we have stored certificates chain. Store if not.
- if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
- STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
- if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
- sk_X509_pop_free(certStack, X509_free);
+ // If the certificate validator is used then we need to allow all errors and
+ // pass them to certficate validator for more processing
+ else if (Ssl::TheConfig.ssl_crt_validator) {
+ ok = 1;
+ // Check if we have stored certificates chain. Store if not.
+ if (!SSL_get_ex_data(ssl, ssl_ex_index_ssl_cert_chain)) {
+ STACK_OF(X509) *certStack = X509_STORE_CTX_get1_chain(ctx);
+ if (certStack && !SSL_set_ex_data(ssl, ssl_ex_index_ssl_cert_chain, certStack))
+ sk_X509_pop_free(certStack, X509_free);
+ }
}
}
}
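Review bot: The comment above the new `if (error_no != SQUID_X509_V_ERR_INFINITE_VALIDATION)` is the only place that states the security rule of this change, and "Infinity validation loop errors can not bypassed" does not read clearly. I would word it as `// Validation-loop errors must never be bypassed, neither by the ACL check nor by the certificate validator.` and correct `certficate` in the moved comment further down. The `else if (Ssl::TheConfig.ssl_crt_validator)` branch still pairs with `if (check)`, now one level deeper, which is easy to misread with two comment lines sitting between the closing brace and the `else`. The function continues outside the hunk.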
@@ -651,6 +672,15 @@
delete errs;
}
+// "free" function for SSL_get_ex_new_index("ssl_ex_index_ssl_validation_counter")
+static void
+ssl_free_int(void *, void *ptr, CRYPTO_EX_DATA *,
+ int, long, void *)
+{
+ uint32_t *counter = static_cast (ptr);
+ delete counter;
+}
+
/// \ingroup ServerProtocolSSLInternal
/// Callback handler function to release STACK_OF(X509) "ex" data stored
/// in an SSL object.
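Review bot: `ssl_free_int` is named and commented for something it does not do: it deletes a `uint32_t`, and its comment quotes `ssl_ex_index_ssl_validation_counter` as if that were the string passed to SSL_get_ex_new_index(), while the registration in the next hunk passes "ssl_validation_counter". A doc comment in the style of the neighbouring callbacks would fit the file better, for example `/// \ingroup ServerProtocolSSLInternal` followed by `/// Callback handler function to release the uint32_t validation counter stored as "ex" data in an SSL object.`. A name that mentions the counter rather than `int` would also help, changed together with the registration line.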
@@ -713,6 +743,7 @@
ssl_ex_index_ssl_peeked_cert = SSL_get_ex_new_index(0, (void *) "ssl_peeked_cert", NULL, NULL, &ssl_free_X509);
ssl_ex_index_ssl_errors = SSL_get_ex_new_index(0, (void *) "ssl_errors", NULL, NULL, &ssl_free_SslErrors);
ssl_ex_index_ssl_cert_chain = SSL_get_ex_new_index(0, (void *) "ssl_cert_chain", NULL, NULL, &ssl_free_CertChain);
+ ssl_ex_index_ssl_validation_counter = SSL_get_ex_new_index(0, (void *) "ssl_validation_counter", NULL, NULL, &ssl_free_int);
}
/// \ingroup ServerProtocolSSLInternal
@@ -1553,11 +1584,7 @@
if (X509_check_issued(certificate, certificate) == X509_V_OK)
debugs(83, 5, "Certificate is self-signed, will not be chained");
else {
- if (sk_X509_push(chain, certificate))
- CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
- else
- debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
- // and add to the chain any certificate loaded from the file
+ // and add to the chain any other certificate exist in the file
while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
if (!sk_X509_push(chain, ca))
debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
diff -u -r -N squid-3.4.0.1/src/ssl/support.h squid-3.4.0.2/src/ssl/support.h
--- squid-3.4.0.1/src/ssl/support.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/ssl/support.h 2013-10-04 00:32:47.000000000 +1200
@@ -55,6 +55,7 @@
*/
// Custom SSL errors; assumes all official errors are positive
+#define SQUID_X509_V_ERR_INFINITE_VALIDATION -4
#define SQUID_X509_V_ERR_CERT_CHANGE -3
#define SQUID_ERR_SSL_HANDSHAKE -2
#define SQUID_X509_V_ERR_DOMAIN_MISMATCH -1
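Review bot: SQUID_X509_V_ERR_INFINITE_VALIDATION is defined as -4, but the context line in the next hunk still reads `#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE`, which is -3, so the new code lies below the declared minimum. The users of SQUID_SSL_ERROR_MIN are not visible here, but any range check or lookup bounded by it would treat the new error as out of range. I would change that line to `#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_INFINITE_VALIDATION`.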
@@ -62,6 +63,14 @@
#define SQUID_SSL_ERROR_MIN SQUID_X509_V_ERR_CERT_CHANGE
#define SQUID_SSL_ERROR_MAX INT_MAX
+// Maximum certificate validation callbacks. OpenSSL versions exceeding this
+// limit are deemed stuck in an infinite validation loop (OpenSSL bug #3090)
+// and will trigger the SQUID_X509_V_ERR_INFINITE_VALIDATION error.
+// Can be set to a number up to UINT32_MAX
+#ifndef SQUID_CERT_VALIDATION_ITERATION_MAX
+#define SQUID_CERT_VALIDATION_ITERATION_MAX 16384
+#endif
+
namespace AnyP
{
class PortCfg;
diff -u -r -N squid-3.4.0.1/src/stat.cc squid-3.4.0.2/src/stat.cc
--- squid-3.4.0.1/src/stat.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/stat.cc 2013-10-04 00:32:47.000000000 +1200
@@ -673,6 +673,8 @@
storeAppendPrintf(sentry, "Squid Object Cache: Version %s\n",
version_string);
+ storeAppendPrintf(sentry, "Build Info: " SQUID_BUILD_INFO "\n");
+
#if _SQUID_WINDOWS_
if (WIN32_run_mode == _WIN_SQUID_RUN_MODE_SERVICE) {
storeAppendPrintf(sentry,"\nRunning as %s Windows System Service on %s\n",
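Review bot: SQUID_BUILD_INFO is pasted into the format string of the added `storeAppendPrintf()` call, so any `%` in the configured build-info text is parsed as a conversion specifier with no matching argument. The value comes from configure (the squid-util.m4 change in this patch now defines it unconditionally), so it is build-time input rather than request data, but it is still free-form text. Pass it as an argument instead: `storeAppendPrintf(sentry, "Build Info: %s\n", SQUID_BUILD_INFO);`. The enclosing function starts and ends outside the hunk.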
diff -u -r -N squid-3.4.0.1/src/store_client.cc squid-3.4.0.2/src/store_client.cc
--- squid-3.4.0.1/src/store_client.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/store_client.cc 2013-10-04 00:32:47.000000000 +1200
@@ -808,7 +808,7 @@
}
if (curlen > expectlen) {
- debugs(90, 3, "quick-abort? YES bad content length");
+ debugs(90, 3, "quick-abort? YES bad content length (" << curlen << " of " << expectlen << " bytes received)");
return true;
}
diff -u -r -N squid-3.4.0.1/src/SwapDir.cc squid-3.4.0.2/src/SwapDir.cc
--- squid-3.4.0.1/src/SwapDir.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/SwapDir.cc 2013-10-04 00:32:47.000000000 +1200
@@ -34,7 +34,6 @@
#include "cache_cf.h"
#include "compat/strtoll.h"
#include "ConfigOption.h"
-#include "ConfigParser.h"
#include "globals.h"
#include "Parsing.h"
#include "SquidConfig.h"
@@ -277,7 +276,7 @@
ConfigOption *newOption = getOptionTree();
- while ((name = ConfigParser::NextToken()) != NULL) {
+ while ((name = strtok(NULL, w_space)) != NULL) {
value = strchr(name, '=');
if (value) {
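Review bot: The loop now continues a scan through `strtok(NULL, w_space)`, which depends on hidden static state that an earlier caller must have seeded with the current config line, and nothing at this call site says so. The same pattern returns in the wccp2.cc hunks, and the test files in this patch have to seed it by hand with `strtok(line, w_space)` plus a dummy leading token. Because any other strtok() call made between two tokens would silently redirect the parse, I would add a comment here such as `// continues the strtok() scan started by the config-line parser; nothing called from this loop may use strtok()`. The function body extends beyond the hunk.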
diff -u -r -N squid-3.4.0.1/src/tests/stub_cache_cf.cc squid-3.4.0.2/src/tests/stub_cache_cf.cc
--- squid-3.4.0.1/src/tests/stub_cache_cf.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/stub_cache_cf.cc 2013-10-04 00:32:47.000000000 +1200
@@ -48,6 +48,7 @@
void parse_time_t(time_t * var) STUB
char * strtokFile(void) STUB_RETVAL(NULL)
void ConfigParser::ParseUShort(unsigned short *var) STUB
+void ConfigParser::ParseString(String*) STUB
void dump_acl_access(StoreEntry * entry, const char *name, acl_access * head) STUB
void dump_acl_list(StoreEntry*, ACLList*) STUB
YesNoNone::operator void*() const { STUB_NOP; return NULL; }
diff -u -r -N squid-3.4.0.1/src/tests/testACLMaxUserIP.cc squid-3.4.0.2/src/tests/testACLMaxUserIP.cc
--- squid-3.4.0.1/src/tests/testACLMaxUserIP.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/testACLMaxUserIP.cc 2013-10-04 00:32:47.000000000 +1200
@@ -6,7 +6,6 @@
#include "testACLMaxUserIP.h"
#include "auth/AclMaxUserIp.h"
-#include "ConfigParser.h"
#if HAVE_STDEXCEPT
#include
@@ -30,9 +29,9 @@
testACLMaxUserIP::testParseLine()
{
/* a config line to pass with a lead-in token to seed the parser. */
- char * line = xstrdup("-s 1");
+ char * line = xstrdup("token -s 1");
/* seed the parser */
- ConfigParser::SetCfgLine(line);
+ strtok(line, w_space);
ACLMaxUserIP anACL("max_user_ip");
anACL.parse();
/* we want a maximum of one, and strict to be true */
diff -u -r -N squid-3.4.0.1/src/tests/testConfigParser.cc squid-3.4.0.2/src/tests/testConfigParser.cc
--- squid-3.4.0.1/src/tests/testConfigParser.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/testConfigParser.cc 2013-10-04 00:32:47.000000000 +1200
@@ -21,15 +21,24 @@
{
char cfgline[2048];
char cfgparam[2048];
- snprintf(cfgline, 2048, "%s", s);
+ snprintf(cfgline, 2048, "Config %s", s);
+
+ // Points to the start of quoted string
+ const char *tmp = strchr(cfgline, ' ');
+
+ if (tmp == NULL) {
+ fprintf(stderr, "Invalid config line: %s\n", s);
+ return false;
+ }
// Keep the initial value on cfgparam. The ConfigParser methods will write on cfgline
- strncpy(cfgparam, cfgline, sizeof(cfgparam)-1);
+ strncpy(cfgparam, tmp+1, sizeof(cfgparam)-1);
cfgparam[sizeof(cfgparam)-1] = '\0';
// Initialize parser to point to the start of quoted string
- ConfigParser::SetCfgLine(cfgline);
- String unEscaped = ConfigParser::NextToken();
+ strtok(cfgline, w_space);
+ String unEscaped;
+ ConfigParser::ParseQuotedString(&unEscaped);
const bool interpOk = (unEscaped.cmp(expectInterp) == 0);
if (!interpOk) {
diff -u -r -N squid-3.4.0.1/src/tests/testCoss.cc squid-3.4.0.2/src/tests/testCoss.cc
--- squid-3.4.0.1/src/tests/testCoss.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/testCoss.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1,6 +1,5 @@
#define SQUID_UNIT_TEST 1
#include "squid.h"
-#include "ConfigParser.h"
#include "testCoss.h"
#include "Store.h"
#include "SwapDir.h"
@@ -92,9 +91,9 @@
char *path=xstrdup(TESTDIR);
- char *config_line=xstrdup("100 max-size=102400 block-size=512 IOEngine=Blocking");
+ char *config_line=xstrdup("foo 100 max-size=102400 block-size=512 IOEngine=Blocking");
- ConfigParser::SetCfgLine(config_line);
+ strtok(config_line, w_space);
aStore->parse(0, path);
@@ -156,9 +155,9 @@
char *path=xstrdup(TESTDIR);
- char *config_line=xstrdup("100 max-size=102400 block-size=512 IOEngine=Blocking");
+ char *config_line=xstrdup("foo 100 max-size=102400 block-size=512 IOEngine=Blocking");
- ConfigParser::SetCfgLine(config_line);
+ strtok(config_line, w_space);
aStore->parse(0, path);
@@ -284,8 +283,8 @@
commonInit();
char *path=xstrdup(TESTDIR);
- char *config_line=xstrdup("100 max-size=102400 block-size=512");
- ConfigParser::SetCfgLine(config_line);
+ char *config_line=xstrdup("foo 100 max-size=102400 block-size=512");
+ strtok(config_line, w_space);
aStore->parse(0, path);
safe_free(path);
safe_free(config_line);
diff -u -r -N squid-3.4.0.1/src/tests/testHttpReply.cc squid-3.4.0.2/src/tests/testHttpReply.cc
--- squid-3.4.0.1/src/tests/testHttpReply.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/testHttpReply.cc 2013-10-04 00:32:47.000000000 +1200
@@ -188,7 +188,7 @@
error = Http::scNone;
// status line with nul-byte
- input.append("HTTP/1.1\0200 Okay\n\n", 19); /* real case seen */
+ input.append("HTTP/1.1" "\0" "200 Okay\n\n", 19); /* real case seen */
hdr_len = headersEnd(input.content(),input.contentSize());
CPPUNIT_ASSERT(!engine.sanityCheckStartLine(&input, hdr_len, &error) );
CPPUNIT_ASSERT_EQUAL(error, Http::scInvalidHeader);
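Review bot: Nothing on the changed `input.append()` line says why the literal is split into three pieces, so a later cleanup could merge them again. In the unsplit form `\0200` is read as the octal escape `\020` followed by `0`, so the test never contained a NUL byte and the length of 19 read one byte past the 18-character literal. A comment such as `/* literal split so "\0" is not parsed as the octal escape \020 */` next to the existing "real case seen" remark would keep the fix in place.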
diff -u -r -N squid-3.4.0.1/src/tests/testRock.cc squid-3.4.0.2/src/tests/testRock.cc
--- squid-3.4.0.1/src/tests/testRock.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/testRock.cc 2013-10-04 00:32:47.000000000 +1200
@@ -1,7 +1,6 @@
#define SQUID_UNIT_TEST 1
#include "squid.h"
-#include "ConfigParser.h"
#include "DiskIO/DiskIOModule.h"
#include "fs/rock/RockSwapDir.h"
#include "globals.h"
@@ -67,9 +66,9 @@
char *path=xstrdup(TESTDIR);
- char *config_line=xstrdup("10 max-size=16384");
+ char *config_line=xstrdup("foo 10 max-size=16384");
- ConfigParser::SetCfgLine(config_line);
+ strtok(config_line, w_space);
store->parse(0, path);
store_maxobjsize = 1024*1024*2;
diff -u -r -N squid-3.4.0.1/src/tests/testUfs.cc squid-3.4.0.2/src/tests/testUfs.cc
--- squid-3.4.0.1/src/tests/testUfs.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tests/testUfs.cc 2013-10-04 00:32:47.000000000 +1200
@@ -104,11 +104,11 @@
char *path=xstrdup(TESTDIR);
- char *config_line=xstrdup("100 1 1");
+ char *config_line=xstrdup("foo 100 1 1");
visible_appname_string = xstrdup(PACKAGE "/" VERSION);
- ConfigParser::SetCfgLine(config_line);
+ strtok(config_line, w_space);
aStore->parse(0, path);
store_maxobjsize = 1024*1024*2;
@@ -244,8 +244,8 @@
mem_policy = createRemovalPolicy(Config.replPolicy);
char *path=xstrdup(TESTDIR);
- char *config_line=xstrdup("100 1 1");
- ConfigParser::SetCfgLine(config_line);
+ char *config_line=xstrdup("foo 100 1 1");
+ strtok(config_line, w_space);
aStore->parse(0, path);
safe_free(path);
safe_free(config_line);
diff -u -r -N squid-3.4.0.1/src/tunnel.cc squid-3.4.0.2/src/tunnel.cc
--- squid-3.4.0.1/src/tunnel.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/tunnel.cc 2013-10-04 00:32:47.000000000 +1200
@@ -100,6 +100,7 @@
bool noConnections() const;
char *url;
HttpRequest::Pointer request;
+ AccessLogEntryPointer al;
Comm::ConnectionList serverDestinations;
const char * getHost() const {
@@ -845,7 +846,7 @@
nfmark_t GetNfmarkToServer(HttpRequest * request);
void
-tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr)
+tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr, const AccessLogEntryPointer &al)
{
debugs(26, 3, HERE);
/* Create state structure. */
@@ -890,6 +891,7 @@
tunnelState->server.size_ptr = size_ptr;
tunnelState->status_ptr = status_ptr;
tunnelState->client.conn = http->getConn()->clientConnection;
+ tunnelState->al = al;
comm_add_close_handler(tunnelState->client.conn->fd,
tunnelClientClosed,
@@ -921,7 +923,7 @@
mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);
HttpStateData::httpBuildRequestHeader(tunnelState->request.getRaw(),
NULL, /* StoreEntry */
- NULL, /* AccessLogEntry */
+ tunnelState->al, /* AccessLogEntry */
&hdr_out,
flags); /* flags */
packerToMemInit(&p, &mb);
diff -u -r -N squid-3.4.0.1/src/wccp2.cc squid-3.4.0.2/src/wccp2.cc
--- squid-3.4.0.1/src/wccp2.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/wccp2.cc 2013-10-04 00:32:47.000000000 +1200
@@ -39,7 +39,6 @@
#include "comm/Connection.h"
#include "comm/Loops.h"
#include "compat/strsep.h"
-#include "ConfigParser.h"
#include "event.h"
#include "ip/Address.h"
#include "md5.h"
@@ -2014,7 +2013,7 @@
char *t;
/* Snarf the method */
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(80, DBG_CRITICAL, "wccp2_*_method: missing setting.");
self_destruct();
}
@@ -2061,7 +2060,7 @@
char *t;
/* Snarf the method */
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(80, DBG_CRITICAL, "wccp2_assignment_method: missing setting.");
self_destruct();
}
@@ -2117,7 +2116,7 @@
}
/* Snarf the type */
- if ((t = ConfigParser::NextToken()) == NULL) {
+ if ((t = strtok(NULL, w_space)) == NULL) {
debugs(80, DBG_CRITICAL, "wccp2ParseServiceInfo: missing service info type (standard|dynamic)");
self_destruct();
}
@@ -2142,7 +2141,7 @@
memset(wccp_password, 0, sizeof(wccp_password));
/* Handle password, if any */
- if ((t = ConfigParser::NextToken()) != NULL) {
+ if ((t = strtok(NULL, w_space)) != NULL) {
if (strncmp(t, "password=", 9) == 0) {
security_type = WCCP2_MD5_SECURITY;
strncpy(wccp_password, t + 9, WCCP2_PASSWORD_LEN);
@@ -2318,7 +2317,7 @@
}
/* Next: loop until we don't have any more tokens */
- while ((t = ConfigParser::NextToken()) != NULL) {
+ while ((t = strtok(NULL, w_space)) != NULL) {
if (strncmp(t, "flags=", 6) == 0) {
/* XXX eww, string pointer math */
flags = parse_wccp2_service_flags(t + 6);
diff -u -r -N squid-3.4.0.1/src/win32.h squid-3.4.0.2/src/win32.h
--- squid-3.4.0.1/src/win32.h 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/src/win32.h 2013-10-04 00:32:47.000000000 +1200
@@ -35,13 +35,6 @@
#if _SQUID_WINDOWS_
-#if HAVE_SYS_TIME_H
-#include
-#endif
-#if HAVE_SYS_RESOURCE_H
-#include
-#endif
-
void WIN32_ExceptionHandlerInit(void);
int Win32__WSAFDIsSet(int fd, fd_set* set);
diff -u -r -N squid-3.4.0.1/tools/purge/conffile.cc squid-3.4.0.2/tools/purge/conffile.cc
--- squid-3.4.0.1/tools/purge/conffile.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/conffile.cc 2013-10-04 00:32:47.000000000 +1200
@@ -34,10 +34,6 @@
// Initial revision
//
//
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
#include "conffile.hh"
#include
#include
diff -u -r -N squid-3.4.0.1/tools/purge/conffile.hh squid-3.4.0.2/tools/purge/conffile.hh
--- squid-3.4.0.1/tools/purge/conffile.hh 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/conffile.hh 2013-10-04 00:32:47.000000000 +1200
@@ -39,16 +39,12 @@
#define _CONFFILE_HH
#if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
#ifndef HAVE_BOOL
#define HAVE_BOOL
typedef int bool;
#define false 0
#define true 1
#endif
-#endif
#endif /* __cplusplus */
diff -u -r -N squid-3.4.0.1/tools/purge/convert.cc squid-3.4.0.2/tools/purge/convert.cc
--- squid-3.4.0.1/tools/purge/convert.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/convert.cc 2013-10-04 00:32:47.000000000 +1200
@@ -40,9 +40,6 @@
// Initial revision
//
//
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__) && !defined(__INTEL_COMPILER)
-#pragma implementation
-#endif
#include "convert.hh"
#include
diff -u -r -N squid-3.4.0.1/tools/purge/convert.hh squid-3.4.0.2/tools/purge/convert.hh
--- squid-3.4.0.1/tools/purge/convert.hh 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/convert.hh 2013-10-04 00:32:47.000000000 +1200
@@ -39,16 +39,12 @@
#define _CONVERT_HH
#if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
#ifndef HAVE_BOOL
#define HAVE_BOOL 1
typedef char bool;
#define false 0
#define true 1
#endif
-#endif
#endif /* __cplusplus */
#include
diff -u -r -N squid-3.4.0.1/tools/purge/copyout.cc squid-3.4.0.2/tools/purge/copyout.cc
--- squid-3.4.0.1/tools/purge/copyout.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/copyout.cc 2013-10-04 00:32:47.000000000 +1200
@@ -35,10 +35,6 @@
// Initial revision
//
//
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
#include "squid.h"
#include "copyout.hh"
diff -u -r -N squid-3.4.0.1/tools/purge/copyout.hh squid-3.4.0.2/tools/purge/copyout.hh
--- squid-3.4.0.1/tools/purge/copyout.hh 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/copyout.hh 2013-10-04 00:32:47.000000000 +1200
@@ -35,16 +35,12 @@
#define _COPYOUT_HH
#if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
#ifndef HAVE_BOOL
#define HAVE_BOOL
typedef int bool;
#define false 0
#define true 1
#endif
-#endif
#endif /* __cplusplus */
int
diff -u -r -N squid-3.4.0.1/tools/purge/purge.cc squid-3.4.0.2/tools/purge/purge.cc
--- squid-3.4.0.1/tools/purge/purge.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/purge.cc 2013-10-04 00:32:47.000000000 +1200
@@ -90,10 +90,6 @@
// Initial revision
//
//
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
#include "squid.h"
#include "util.h"
diff -u -r -N squid-3.4.0.1/tools/purge/signal.cc squid-3.4.0.2/tools/purge/signal.cc
--- squid-3.4.0.1/tools/purge/signal.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/signal.cc 2013-10-04 00:32:47.000000000 +1200
@@ -41,11 +41,6 @@
// Initial revision
//
//
-
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
#include "squid.h"
#include "signal.hh"
diff -u -r -N squid-3.4.0.1/tools/purge/signal.hh squid-3.4.0.2/tools/purge/signal.hh
--- squid-3.4.0.1/tools/purge/signal.hh 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/signal.hh 2013-10-04 00:32:47.000000000 +1200
@@ -55,16 +55,12 @@
#endif
#if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
#ifndef HAVE_BOOL
#define HAVE_BOOL
typedef int bool;
#define false 0
#define true 1
#endif
-#endif
#endif /* __cplusplus */
#if 1 // so far, all systems I know use void
diff -u -r -N squid-3.4.0.1/tools/purge/socket.cc squid-3.4.0.2/tools/purge/socket.cc
--- squid-3.4.0.1/tools/purge/socket.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/socket.cc 2013-10-04 00:32:47.000000000 +1200
@@ -42,10 +42,6 @@
// Initial revision
//
//
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__) && !defined(__INTEL_COMPILER)
-#pragma implementation
-#endif
-
#include "socket.hh"
#include
#include
diff -u -r -N squid-3.4.0.1/tools/purge/socket.hh squid-3.4.0.2/tools/purge/socket.hh
--- squid-3.4.0.1/tools/purge/socket.hh 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/socket.hh 2013-10-04 00:32:47.000000000 +1200
@@ -45,16 +45,12 @@
#define _SOCKET_HH
#if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
#ifndef HAVE_BOOL
#define HAVE_BOOL
typedef int bool;
#define false 0
#define true 1
#endif
-#endif
#endif /* __cplusplus */
#include
diff -u -r -N squid-3.4.0.1/tools/purge/squid-tlv.cc squid-3.4.0.2/tools/purge/squid-tlv.cc
--- squid-3.4.0.1/tools/purge/squid-tlv.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/squid-tlv.cc 2013-10-04 00:32:47.000000000 +1200
@@ -32,10 +32,6 @@
// Initial revision
//
//
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
#include "squid.h"
//#include
#include "squid-tlv.hh"
diff -u -r -N squid-3.4.0.1/tools/purge/squid-tlv.hh squid-3.4.0.2/tools/purge/squid-tlv.hh
--- squid-3.4.0.1/tools/purge/squid-tlv.hh 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/purge/squid-tlv.hh 2013-10-04 00:32:47.000000000 +1200
@@ -35,16 +35,12 @@
#define SQUID_TLV_HH
#if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
#ifndef HAVE_BOOL
#define HAVE_BOOL
typedef int bool;
#define false 0
#define true 1
#endif
-#endif
#endif /* __cplusplus */
#include
diff -u -r -N squid-3.4.0.1/tools/squidclient.cc squid-3.4.0.2/tools/squidclient.cc
--- squid-3.4.0.1/tools/squidclient.cc 2013-07-29 10:46:02.000000000 +1200
+++ squid-3.4.0.2/tools/squidclient.cc 2013-10-04 00:32:47.000000000 +1200
@@ -211,7 +211,8 @@
main(int argc, char *argv[])
{
int conn, c, len, bytesWritten;
- int port, to_stdout, reload;
+ uint16_t port;
+ bool to_stdout, reload;
int ping, pcount;
int keep_alive = 0;
int opt_noaccept = 0;
@@ -245,8 +246,8 @@
localhost = NULL;
extra_hdrs[0] = '\0';
port = CACHE_HTTP_PORT;
- to_stdout = 1;
- reload = 0;
+ to_stdout = true;
+ reload = false;
ping = 0;
pcount = 0;
ping_int = 1 * 1000;
@@ -292,7 +293,7 @@
break;
case 's': /* silent */
- to_stdout = 0;
+ to_stdout = false;
break;
case 'k': /* backward compat */
@@ -300,11 +301,11 @@
break;
case 'r': /* reload */
- reload = 1;
+ reload = true;
break;
case 'p': /* port number */
- sscanf(optarg, "%d", &port);
+ sscanf(optarg, "%hd", &port);
if (port < 1)
port = CACHE_HTTP_PORT; /* default */
break;
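Review bot: `sscanf(optarg, "%hd", &port)` converts for a `short *` while `port` is now a `uint16_t`, so the specifier no longer matches the argument; `%hu` (or `SCNu16`) is the matching one. With an unsigned `port` the following `if (port < 1)` only catches 0, so an argument such as `-1` or `70000` is no longer replaced by the default and ends up as some other port number, and the sscanf() return value is still unchecked. Parsing into a wider type and range-checking before narrowing restores the fallback, e.g. in a braced case body: `const long p = strtol(optarg, NULL, 10);` then `port = (p < 1 || p > 65535) ? CACHE_HTTP_PORT : static_cast<uint16_t>(p);`. `main` continues outside the hunk.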