cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14100.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14101.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14102.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14103.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14104.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14105.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14106.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14107.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14108.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14109.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14110.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14111.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14112.patch
+ cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14113.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.22-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
--- /dev/null
+------------------------------------------------------------
+revno: 14103
+revision-id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
+parent: squid3@treenet.co.nz-20161025082530-do632qnr9bwyk5et
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4627
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2016-10-30 12:26:28 +1300
+message:
+ Bug 4627: fix generate-host-certificates and dynamic_cert_mem_cache_size docs
+
+ For Squid-3 the fix is just to update the documentation.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ea728cefc977ea5489da01b7a742821121c29476
+# timestamp: 2016-10-29 23:51:13 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161025082530-\
+# do632qnr9bwyk5et
+#
+# Begin patch
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre 2016-10-25 08:23:49 +0000
++++ src/cf.data.pre 2016-10-29 23:26:28 +0000
+@@ -1787,13 +1787,12 @@
+ certificate equals lifetime of the CA certificate. If
+ generated certificate is selfsigned lifetime is three
+ years.
+- This option is enabled by default when ssl-bump is used.
+- See the ssl-bump option above for more information.
++ This option is disabled by default. See the ssl-bump
++ option above for more information.
+
+ dynamic_cert_mem_cache_size=SIZE
+ Approximate total RAM size spent on cached generated
+- certificates. If set to zero, caching is disabled. The
+- default value is 4MB.
++ certificates. If set to zero, caching is disabled.
+
+ TLS / SSL Options:
+
+@@ -2063,13 +2062,12 @@
+ certificate equals lifetime of CA certificate. If
+ generated certificate is selfsigned lifetime is three
+ years.
+- This option is enabled by default when SslBump is used.
+- See the sslBump option above for more information.
++ This option is disabled by default. See the ssl-bump
++ option above for more information.
+
+ dynamic_cert_mem_cache_size=SIZE
+ Approximate total RAM size spent on cached generated
+- certificates. If set to zero, caching is disabled. The
+- default value is 4MB.
++ certificates. If set to zero, caching is disabled.
+
+ See http_port for a list of available options.
+ DOC_END
+
--- /dev/null
+------------------------------------------------------------
+revno: 14104
+revision-id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
+parent: squid3@treenet.co.nz-20161029232628-1y2u918re62uqs3v
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:38:16 +1300
+message:
+ Copyright: add some missing blurbs and contributor details
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8d44709a8f9c34926ce569e58aef82603a3d514b
+# timestamp: 2016-10-30 09:40:44 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161029232628-\
+# 1y2u918re62uqs3v
+#
+# Begin patch
+=== modified file 'CONTRIBUTORS'
+--- CONTRIBUTORS 2016-01-06 14:27:36 +0000
++++ CONTRIBUTORS 2016-10-30 09:38:16 +0000
+@@ -211,6 +211,8 @@
+ Joe Ramey <ramey@jello.csc.ti.com>
+ Joerg Lehrke <jlehrke@noc.de>
+ Johnathan Conley <johnathan.conley@gmail.com>
++ John@MCC.ac.uk
++ John@Pharmweb.NET
+ John Dilley <jad@hpl.hp.com>
+ John M Cooper <john.cooper@yourcommunications.co.uk>
+ John Saunders <johns@rd.scitec.com.au>
+
+=== modified file 'contrib/url-normalizer.pl'
+--- contrib/url-normalizer.pl 1996-12-07 00:54:31 +0000
++++ contrib/url-normalizer.pl 2016-10-30 09:38:16 +0000
+@@ -1,4 +1,11 @@
+ #!/usr/local/bin/perl -Tw
++#
++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
++# *
++# * Squid software is distributed under GPLv2+ license and includes
++# * contributions from numerous individuals and organizations.
++# * Please see the COPYING and CONTRIBUTORS files for details.
++#
+
+ # From: Markus Gyger <mgyger@itr.ch>
+ #
+
+=== modified file 'contrib/user-agents.pl'
+--- contrib/user-agents.pl 1996-12-07 00:28:56 +0000
++++ contrib/user-agents.pl 2016-10-30 09:38:16 +0000
+@@ -1,5 +1,13 @@
+ #!/usr/bin/perl
+ #
++# * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
++# *
++# * Squid software is distributed under GPLv2+ license and includes
++# * contributions from numerous individuals and organizations.
++# * Please see the COPYING and CONTRIBUTORS files for details.
++#
++
++#
+ # John@MCC.ac.uk
+ # John@Pharmweb.NET
+
--- /dev/null
+------------------------------------------------------------
+revno: 14105
+revision-id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
+parent: squid3@treenet.co.nz-20161030093816-7vwnk5zrrql2p5ks
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4567
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:39:20 +1300
+message:
+ Bug 4567: Strange IPv6 shown in access.log
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8dbae4e7fc5fb80afc6eee6800743abd1b1eaa47
+# timestamp: 2016-10-30 09:40:47 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030093816-\
+# 7vwnk5zrrql2p5ks
+#
+# Begin patch
+=== modified file 'src/AccessLogEntry.cc'
+--- src/AccessLogEntry.cc 2016-01-01 00:14:27 +0000
++++ src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000
+@@ -30,14 +30,17 @@
+ log_ip = request->indirect_client_addr;
+ else
+ #endif
+- if (tcpClient != NULL)
++ if (tcpClient)
+ log_ip = tcpClient->remote;
+- else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client
+- strncpy(buf, "-", bufsz);
+- return;
+- } else
++ else
+ log_ip = cache.caddr;
+
++ // internally generated requests (and some ICAP) lack client IP
++ if (log_ip.isNoAddr()) {
++ strncpy(buf, "-", bufsz);
++ return;
++ }
++
+ // Apply so-called 'privacy masking' to IPv4 clients
+ // - localhost IP is always shown in full
+ // - IPv4 clients masked with client_netmask
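Review bot: The relocated `strncpy(buf, "-", bufsz);` inside the new `log_ip.isNoAddr()` block ends up NUL-terminated only because strncpy zero-pads, which holds when bufsz is at least 2; the callers' buffer sizes are not visible in this hunk. Squid's own `xstrncpy(buf, "-", bufsz);` terminates for any nonzero size and would make that explicit. The `if (tcpClient)` form introduced here is changed back to `if (tcpClient != NULL)` by squid-3.5-14108.patch for a build issue, so the two patches must be applied together and in order. The enclosing function starts and ends outside the hunk.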
+
--- /dev/null
+------------------------------------------------------------
+revno: 14106
+revision-id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
+parent: squid3@treenet.co.nz-20161030093920-5f7f2px9ea08rxlq
+author: Garri Djavadyan <garryd@comnet.uz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:40:25 +1300
+message:
+ Fix debug message in ACLChecklist::bannedAction()
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 4fd7942b294096f5c27e3d460b6d4c79580443e1
+# timestamp: 2016-10-30 09:40:49 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030093920-\
+# 5f7f2px9ea08rxlq
+#
+# Begin patch
+=== modified file 'src/acl/Checklist.cc'
+--- src/acl/Checklist.cc 2016-01-01 00:14:27 +0000
++++ src/acl/Checklist.cc 2016-10-30 09:40:25 +0000
+@@ -397,7 +397,7 @@
+ ACLChecklist::bannedAction(const allow_t &action) const
+ {
+ const bool found = std::find(bannedActions_.begin(), bannedActions_.end(), action) != bannedActions_.end();
+- debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? " is " : "is not") << " banned");
++ debugs(28, 5, "Action '" << action << "/" << action.kind << (found ? "' is " : "' is not") << " banned");
+ return found;
+ }
+
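Review bot: The corrected message is still unevenly spaced in the banned case, because `"' is "` ends with a space and `" banned"` starts with one, so a match logs `' is  banned` with two spaces while the other branch logs `' is not banned`. Dropping the trailing space, `(found ? "' is" : "' is not")`, gives both branches the same shape, which helps anyone searching the debug log for the phrase.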
+
--- /dev/null
+------------------------------------------------------------
+revno: 14107
+revision-id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
+parent: squid3@treenet.co.nz-20161030094025-l4b8fdahoru8h16d
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Sun 2016-10-30 22:45:03 +1300
+message:
+ HTTP/1.1: make Vary:* objects cacheable
+
+ Under new clauses from RFC 7231 section 7.1.4 and HTTP response
+ containing header Vary:* (wifcard variant) can be cached, but
+ requires revalidation with server before each use.
+
+ Use the new mandatory revalidation flags to allow storing of any
+ wildcard Vary:* response.
+
+ Note that responses with headers like Vary:A,B,C,* are equivalent
+ to Vary:*. The cache key string for these objects is normalized.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 2652a5a689745e31fc450e0dfd1c5c472f6d68d6
+# timestamp: 2016-10-30 09:45:47 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030094025-\
+# l4b8fdahoru8h16d
+#
+# Begin patch
+=== modified file 'src/http.cc'
+--- src/http.cc 2016-10-09 19:47:26 +0000
++++ src/http.cc 2016-10-30 09:45:03 +0000
+@@ -594,7 +594,7 @@
+ while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
+ SBuf name(item, ilen);
+ if (name == asterisk) {
+- vstr.clear();
++ vstr = asterisk;
+ break;
+ }
+ name.toLower();
+@@ -917,6 +917,12 @@
+ varyFailure = true;
+ } else {
+ entry->mem_obj->vary_headers = vary;
++
++ // RFC 7231 section 7.1.4
++ // Vary:* can be cached, but has mandatory revalidation
++ static const SBuf asterisk("*");
++ if (vary == asterisk)
++ EBIT_SET(entry->flags, ENTRY_REVALIDATE_ALWAYS);
+ }
+ }
+
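Review bot: Nothing at this site says that `ENTRY_REVALIDATE_ALWAYS` is now the only thing keeping a stored `Vary:*` reply from being served to a different client without asking the origin, and the hunk does not show where the flag is enforced. I would extend the comment, e.g. `// a Vary:* entry must never be served without revalidation; this flag is the only guard`, so a later change to flag handling is not made blind. The test also relies on `vary` being exactly `*`, which the first hunk of this patch arranges by normalising any list containing `*` (`vstr = asterisk;`); the local `static const SBuf asterisk("*")` presumably duplicates a constant of the same name used there. Whether the flag survives a swap-out and reload of the entry cannot be told from the hunk and is worth confirming. The enclosing function starts and ends outside the hunk.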
+
--- /dev/null
+------------------------------------------------------------
+revno: 14108
+revision-id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+parent: squid3@treenet.co.nz-20161030094503-rwdft21ffff44rns
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Wed 2016-11-02 00:22:31 +1300
+message:
+ Fix build issue after rev.14105
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fea1ede525ccb3ad7bf50e8de8f125a86a8dc016
+# timestamp: 2016-11-01 11:51:06 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161030094503-\
+# rwdft21ffff44rns
+#
+# Begin patch
+=== modified file 'src/AccessLogEntry.cc'
+--- src/AccessLogEntry.cc 2016-10-30 09:39:20 +0000
++++ src/AccessLogEntry.cc 2016-11-01 11:22:31 +0000
+@@ -30,7 +30,7 @@
+ log_ip = request->indirect_client_addr;
+ else
+ #endif
+- if (tcpClient)
++ if (tcpClient != NULL)
+ log_ip = tcpClient->remote;
+ else
+ log_ip = cache.caddr;
+
--- /dev/null
+------------------------------------------------------------
+revno: 14109
+revision-id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+parent: squid3@treenet.co.nz-20161101112231-k77st4up2sekl5zx
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3379
+author: Garri Djavadyan <garryd@comnet.uz>, Amos Jeffries <squid3@treenet.co.nz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Fri 2016-11-11 19:03:25 +1300
+message:
+ Bug 3379: Combination of If-Match and a Cache Hit result in TCP Connection Failure
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 50d66878a765925d9a64569b3c226bebdee1f736
+# timestamp: 2016-11-11 06:10:37 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161101112231-\
+# k77st4up2sekl5zx
+#
+# Begin patch
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc 2016-10-09 19:47:26 +0000
++++ src/client_side_reply.cc 2016-11-11 06:03:25 +0000
+@@ -589,6 +589,7 @@
+ debugs(88, 5, "negative-HIT");
+ http->logType = LOG_TCP_NEGATIVE_HIT;
+ sendMoreData(result);
++ return;
+ } else if (blockedHit()) {
+ debugs(88, 5, "send_hit forces a MISS");
+ http->logType = LOG_TCP_MISS;
+@@ -641,27 +642,29 @@
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+ }
++ return;
+ } else if (r->conditional()) {
+ debugs(88, 5, "conditional HIT");
+- processConditional(result);
+- } else {
+- /*
+- * plain ol' cache hit
+- */
+- debugs(88, 5, "plain old HIT");
++ if (processConditional(result))
++ return;
++ }
++
++ /*
++ * plain ol' cache hit
++ */
++ debugs(88, 5, "plain old HIT");
+
+ #if USE_DELAY_POOLS
+- if (e->store_status != STORE_OK)
+- http->logType = LOG_TCP_MISS;
+- else
++ if (e->store_status != STORE_OK)
++ http->logType = LOG_TCP_MISS;
++ else
+ #endif
+- if (e->mem_status == IN_MEMORY)
+- http->logType = LOG_TCP_MEM_HIT;
+- else if (Config.onoff.offline)
+- http->logType = LOG_TCP_OFFLINE_HIT;
++ if (e->mem_status == IN_MEMORY)
++ http->logType = LOG_TCP_MEM_HIT;
++ else if (Config.onoff.offline)
++ http->logType = LOG_TCP_OFFLINE_HIT;
+
+- sendMoreData(result);
+- }
++ sendMoreData(result);
+ }
+
+ /**
+@@ -755,17 +758,16 @@
+ }
+
+ /// process conditional request from client
+-void
++bool
+ clientReplyContext::processConditional(StoreIOBuffer &result)
+ {
+ StoreEntry *const e = http->storeEntry();
+
+ if (e->getReply()->sline.status() != Http::scOkay) {
+- debugs(88, 4, "clientReplyContext::processConditional: Reply code " <<
+- e->getReply()->sline.status() << " != 200");
++ debugs(88, 4, "Reply code " << e->getReply()->sline.status() << " != 200");
+ http->logType = LOG_TCP_MISS;
+ processMiss();
+- return;
++ return true;
+ }
+
+ HttpRequest &r = *http->request;
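Review bot: `processConditional()` now returns `bool`, but its doc comment still reads only `/// process conditional request from client`, so the meaning of the result has to be worked out from the caller. Judging by the hunks in this patch, `true` means a reply, error or miss has already been started and `false` means the caller goes on to serve a plain HIT; I would document that, e.g. `/// \retval true a response was started; the caller must not send anything more` and `/// \retval false nothing was sent; the caller serves the entry as a plain HIT`. The same comment belongs on the declaration changed in src/client_side_reply.h. A caller that misreads the result would either answer twice on one transaction or not at all, so the contract is worth pinning in the source. The function body continues past this hunk.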
+@@ -773,7 +775,7 @@
+ if (r.header.has(HDR_IF_MATCH) && !e->hasIfMatchEtag(r)) {
+ // RFC 2616: reply with 412 Precondition Failed if If-Match did not match
+ sendPreconditionFailedError();
+- return;
++ return true;
+ }
+
+ bool matchedIfNoneMatch = false;
+@@ -786,14 +788,14 @@
+ r.header.delById(HDR_IF_MODIFIED_SINCE);
+ http->logType = LOG_TCP_MISS;
+ sendMoreData(result);
+- return;
++ return true;
+ }
+
+ if (!r.flags.ims) {
+ // RFC 2616: if If-None-Match matched and there is no IMS,
+ // reply with 304 Not Modified or 412 Precondition Failed
+ sendNotModifiedOrPreconditionFailedError();
+- return;
++ return true;
+ }
+
+ // otherwise check IMS below to decide if we reply with 304 or 412
+@@ -805,19 +807,20 @@
+ if (e->modifiedSince(r.ims, r.imslen)) {
+ http->logType = LOG_TCP_IMS_HIT;
+ sendMoreData(result);
+- return;
+- }
+
+- if (matchedIfNoneMatch) {
++ } else if (matchedIfNoneMatch) {
+ // If-None-Match matched, reply with 304 Not Modified or
+ // 412 Precondition Failed
+ sendNotModifiedOrPreconditionFailedError();
+- return;
++
++ } else {
++ // otherwise reply with 304 Not Modified
++ sendNotModified();
+ }
+-
+- // otherwise reply with 304 Not Modified
+- sendNotModified();
++ return true;
+ }
++
++ return false;
+ }
+
+ /// whether squid.conf send_hit prevents us from serving this hit
+
+=== modified file 'src/client_side_reply.h'
+--- src/client_side_reply.h 2016-09-23 15:28:42 +0000
++++ src/client_side_reply.h 2016-11-11 06:03:25 +0000
+@@ -114,7 +114,7 @@
+ bool alwaysAllowResponse(Http::StatusCode sline) const;
+ int checkTransferDone();
+ void processOnlyIfCachedMiss();
+- void processConditional(StoreIOBuffer &result);
++ bool processConditional(StoreIOBuffer &result);
+ void cacheHit(StoreIOBuffer result);
+ void handleIMSReply(StoreIOBuffer result);
+ void sendMoreData(StoreIOBuffer result);
+
--- /dev/null
+------------------------------------------------------------
+revno: 14110
+revision-id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
+parent: squid3@treenet.co.nz-20161111060325-yh8chavvnzuvfh3h
+author: Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2016-11-14 23:51:24 +1300
+message:
+ Fix ssl::server_name ACL badly broken since inception.
+
+ The original server_name code mishandled all SNI checks and some rare
+ host checks:
+
+ * The SNI-derived value was pointing to an already freed memory storage.
+ * Missing host-derived values were not detected (host() is never nil).
+ * Mismatches were re-checked with an undocumented "none" value
+ instead of being treated as mismatches.
+
+ Same for ssl::server_name_regex.
+
+ Also set SNI for more server-first and client-first transactions.
+
+ This is a Measurement Factory project.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 46aadc410b46d91d597218961dbf1c634fb834fb
+# timestamp: 2016-11-14 10:56:00 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161111060325-\
+# yh8chavvnzuvfh3h
+#
+# Begin patch
+=== modified file 'src/acl/ServerName.cc'
+--- src/acl/ServerName.cc 2016-09-08 12:27:06 +0000
++++ src/acl/ServerName.cc 2016-11-14 10:51:24 +0000
+@@ -90,27 +90,28 @@
+ {
+ assert(checklist != NULL && checklist->request != NULL);
+
+- if (checklist->conn() && checklist->conn()->serverBump()) {
+- if (X509 *peer_cert = checklist->conn()->serverBump()->serverCert.get()) {
+- if (Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>))
+- return 1;
+- }
+- }
+-
+ const char *serverName = NULL;
+- if (checklist->conn() && !checklist->conn()->sslCommonName().isEmpty()) {
+- SBuf scn = checklist->conn()->sslCommonName();
+- serverName = scn.c_str();
+- }
+-
+- if (serverName == NULL)
+- serverName = checklist->request->GetHost();
+-
+- if (serverName && data->match(serverName)) {
+- return 1;
+- }
+-
+- return data->match("none");
++ SBuf serverNameKeeper; // because c_str() is not constant
++ if (ConnStateData *conn = checklist->conn()) {
++ if (conn->serverBump()) {
++ if (X509 *peer_cert = conn->serverBump()->serverCert.get())
++ return Ssl::matchX509CommonNames(peer_cert, (void *)data, check_cert_domain<MatchType>);
++ }
++
++ if (conn->sslCommonName().isEmpty()) {
++ const char *host = checklist->request->GetHost();
++ if (host && *host) // paranoid first condition: host() is never nil
++ serverName = host;
++ } else {
++ serverNameKeeper = conn->sslCommonName();
++ serverName = serverNameKeeper.c_str();
++ }
++ }
++
++ if (!serverName)
++ serverName = "none";
++
++ return data->match(serverName);
+ }
+
+ ACLServerNameStrategy *
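Review bot: The `"none"` fallback at the end of the rewritten match function shares one namespace with real names: `data->match(serverName)` receives the same string whether no name could be computed or the name taken from SNI or the request host is literally `none`, so an ACL on `none` cannot tell the two apart. If that is accepted, a comment such as `// "none" is a sentinel; a peer-supplied name equal to it matches the same rules` would record it, and the cf.data.pre text added later in this patch could carry the same caveat. Also worth a comment: when a server certificate is available the function now returns the `Ssl::matchX509CommonNames()` result directly, so a certificate mismatch is final and the SNI or host name is no longer consulted, which changes behaviour for existing rules. The `serverNameKeeper` copy is what keeps `c_str()` valid for the `match()` call and should stay declared in the outer scope.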
+
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre 2016-10-29 23:26:28 +0000
++++ src/cf.data.pre 2016-11-14 10:51:24 +0000
+@@ -1167,6 +1167,9 @@
+ # During each Ssl-Bump step, Squid may improve its understanding of a
+ # "true server name". Unlike dstdomain, this ACL does not perform
+ # DNS lookups.
++ # The "none" name can be used to match transactions where Squid
++ # could not compute the server name using any information source
++ # already available at the ACL evaluation time.
+
+ acl aclname ssl::server_name_regex [-i] \.foo\.com ...
+ # regex matches server name obtained from various sources [fast]
+
--- /dev/null
+------------------------------------------------------------
+revno: 14111
+revision-id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
+parent: squid3@treenet.co.nz-20161114105124-46hmtnsg8uj4owxz
+author: Garri Djavadyan <garryd@comnet.uz>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2016-11-14 23:54:34 +1300
+message:
+ Fix spelling for digest nonce cache maintenance event
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 8c91678868beb689db5e0e6eaa6911c44f503ac8
+# timestamp: 2016-11-14 10:56:03 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161114105124-\
+# 46hmtnsg8uj4owxz
+#
+# Begin patch
+=== modified file 'src/auth/digest/Config.cc'
+--- src/auth/digest/Config.cc 2016-01-01 00:14:27 +0000
++++ src/auth/digest/Config.cc 2016-11-14 10:54:34 +0000
+@@ -204,7 +204,7 @@
+ if (!digest_nonce_cache) {
+ digest_nonce_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
+ assert(digest_nonce_cache);
+- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
++ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
+ }
+ }
+
+@@ -268,7 +268,7 @@
+ debugs(29, 3, "Finished cleaning the nonce cache.");
+
+ if (static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->active())
+- eventAdd("Digest none cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
++ eventAdd("Digest nonce cache maintenance", authenticateDigestNonceCacheCleanup, NULL, static_cast<Auth::Digest::Config*>(Auth::Config::Find("digest"))->nonceGCInterval, 1);
+ }
+
+ static void
+
--- /dev/null
+------------------------------------------------------------
+revno: 14112
+revision-id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
+parent: squid3@treenet.co.nz-20161114105434-f1uvw2lu8l4lpgay
+author: Alex Rousskov <rousskov@measurement-factory.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Tue 2016-11-15 01:40:51 +1300
+message:
+ Honor SBufReservationRequirements::minSize regardless of idealSize.
+
+ In a fully specified SBufReservationRequirements, idealSize would
+ naturally match or exceed minSize. However, the idealSize default value
+ (zero) may not. We should honor minSize regardless of idealSize, just as
+ the API documentation promises to do.
+
+ No runtime changes expected right now because the only existing user of
+ SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096)
+ and .minSize to 1024.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: fb0969aa035352582364b529a70286cbfd89564a
+# timestamp: 2016-11-14 12:43:10 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161114105434-\
+# f1uvw2lu8l4lpgay
+#
+# Begin patch
+=== modified file 'src/SBuf.cc'
+--- src/SBuf.cc 2016-06-18 13:36:07 +0000
++++ src/SBuf.cc 2016-11-14 12:40:51 +0000
+@@ -178,7 +178,8 @@
+ if (!mustRealloc && len_ >= req.maxCapacity)
+ return spaceSize(); // but we cannot reallocate
+
+- const size_type newSpace = std::min(req.idealSpace, maxSize - len_);
++ const size_type desiredSpace = std::max(req.minSpace, req.idealSpace);
++ const size_type newSpace = std::min(desiredSpace, maxSize - len_);
+ reserveCapacity(std::min(len_ + newSpace, req.maxCapacity));
+ debugs(24, 7, id << " now: " << off_ << '+' << len_ << '+' << spaceSize() <<
+ '=' << store_->capacity);
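Review bot: Even with `desiredSpace` raised to `req.minSpace`, the result is clamped twice, by `maxSize - len_` and then by `req.maxCapacity` in the `reserveCapacity()` call, so the buffer can still end up with less than `minSpace` free. A comment at the clamp, e.g. `// may still provide less than req.minSpace when maxCapacity or maxSize caps us; callers must check the space actually available`, would stop a caller from assuming the minimum is guaranteed and writing past what it got. Whether `len_` can exceed `maxSize` here, which would wrap the unsigned subtraction, is not visible; the function starts and ends outside the hunk.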
+
+=== modified file 'src/SBuf.h'
+--- src/SBuf.h 2016-06-18 13:36:07 +0000
++++ src/SBuf.h 2016-11-14 12:40:51 +0000
+@@ -635,9 +635,10 @@
+ /*
+ * Parameters are listed in the reverse order of importance: Satisfaction of
+ * the lower-listed requirements may violate the higher-listed requirements.
++ * For example, idealSpace has no effect unless it exceeds minSpace.
+ */
+ size_type idealSpace; ///< if allocating anyway, provide this much space
+- size_type minSpace; ///< allocate if spaceSize() is smaller
++ size_type minSpace; ///< allocate [at least this much] if spaceSize() is smaller
+ size_type maxCapacity; ///< do not allocate more than this
+ bool allowShared; ///< whether sharing our storage with others is OK
+ };
+
--- /dev/null
+------------------------------------------------------------
+revno: 14113
+revision-id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
+parent: squid3@treenet.co.nz-20161114124051-s0vzoj5exv5g8w56
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.5
+timestamp: Tue 2016-11-15 20:57:28 +1300
+message:
+ TLS: Make key= before cert= an error instead of quietly hiding the issue
+
+ This squid.conf setup is fatal in Squid-4. So best to fix these installations.
+ Even though Squdi-3 can cope with it.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20161115075728-2xj2621oh5bwn8wn
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a18738f4cbf0c1bd368e61d4b19c5d6f5005b919
+# timestamp: 2016-11-15 07:58:39 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3@treenet.co.nz-20161114124051-\
+# s0vzoj5exv5g8w56
+#
+# Begin patch
+=== modified file 'src/cache_cf.cc'
+--- src/cache_cf.cc 2016-09-23 11:11:48 +0000
++++ src/cache_cf.cc 2016-11-15 07:57:28 +0000
+@@ -2257,6 +2257,9 @@
+ safe_free(p->sslcert);
+ p->sslcert = xstrdup(token + 8);
+ } else if (strncmp(token, "sslkey=", 7) == 0) {
++ if (!p->sslcert) {
++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": sslcert= option must be set before sslkey= is used.");
++ }
+ safe_free(p->sslkey);
+ p->sslkey = xstrdup(token + 7);
+ } else if (strncmp(token, "sslversion=", 11) == 0) {
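Review bot: The commit message calls this an error, but the added `if (!p->sslcert)` block only writes a `DBG_CRITICAL` line and parsing carries on to `p->sslkey = xstrdup(token + 7);`, so the configuration still loads. Since the stated aim is to get these installations fixed before Squid-4 rejects them, the log text should say so, e.g. `": sslcert= option must be set before sslkey= is used. This ordering is fatal in Squid-4."`. The same applies to the `cert=`/`key=` check in the second hunk of this patch. Both parsers start and end outside their hunks.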
+@@ -3729,6 +3732,9 @@
+ safe_free(s->cert);
+ s->cert = xstrdup(token + 5);
+ } else if (strncmp(token, "key=", 4) == 0) {
++ if (!s->cert) {
++ debugs(3, DBG_CRITICAL, "ERROR: " << cfg_directive << ": cert= option must be set before key= is used.");
++ }
+ safe_free(s->key);
+ s->key = xstrdup(token + 4);
+ } else if (strncmp(token, "version=", 8) == 0) {
+