diff -u -r -N squid-3.3.10/ChangeLog squid-3.3.11/ChangeLog
--- squid-3.3.10/ChangeLog	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/ChangeLog	2013-12-01 02:55:13.000000000 +1300
@@ -1,4 +1,19 @@
 
+Changes to squid-3.3.11 (01 Dec 2013):
+
+	- Regression Bug 3936: error-details.txt parse error with OpenSSL since 3.3.9
+	- Bug 3972: Segfault when getting the deny_info page ID after a reconfigure
+	- Bug 3970: max_filedescriptors disabled due to missing setrlimit
+	- Bug 3967: ipc/Kid.cc compilation failure: 'time' was not declared in this scope
+	- Bug 3960: DEAD cache_peer are not revived
+	- Bug 3956: xstrndup: tried to dup a NULL pointer
+	- Bug 3906: Filedescriptor leaks in SNMP
+	- Bug 3782: Digest authentication not obeying nonce_max_count
+	- HTTP/1.1: Make header parser obey relaxed_header_parser
+	- HTTP/1.1: Re-compute Range response content offset after an FTP response was adapted
+	- SMP: Replace blocking sleep(3) and close UDS socket on failures
+	- Windows: fix several compile errors
+
 Changes to squid-3.3.10 (03 Nov 2013):
 
 	- Bug 3929: request_header_add not working for tunnel requests
diff -u -r -N squid-3.3.10/configure squid-3.3.11/configure
--- squid-3.3.10/configure	2013-11-04 00:08:19.000000000 +1300
+++ squid-3.3.11/configure	2013-12-01 02:56:05.000000000 +1300
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.10.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.11.
 #
 # Report bugs to <http://bugs.squid-cache.org/>.
 #
@@ -575,8 +575,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.3.10'
-PACKAGE_STRING='Squid Web Proxy 3.3.10'
+PACKAGE_VERSION='3.3.11'
+PACKAGE_STRING='Squid Web Proxy 3.3.11'
 PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1574,7 +1574,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.3.10 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.3.11 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1644,7 +1644,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 3.3.10:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 3.3.11:";;
    esac
   cat <<\_ACEOF
 
@@ -2018,7 +2018,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 3.3.10
+Squid Web Proxy configure 3.3.11
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3114,7 +3114,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 3.3.10, which was
+It was created by Squid Web Proxy $as_me 3.3.11, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -3933,7 +3933,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='3.3.10'
+ VERSION='3.3.11'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -27565,13 +27565,14 @@
 esac
 
 
-
 # Check whether --with-maxfd was given.
 if test "${with_maxfd+set}" = set; then :
   withval=$with_maxfd;
   case ${withval} in
     [0-9]*)
       squid_filedescriptors_num=$withval
+      { $as_echo "$as_me:${as_lineno-$LINENO}: forcing default of $squid_filedescriptors_num filedescriptors (user-forced)" >&5
+$as_echo "$as_me: forcing default of $squid_filedescriptors_num filedescriptors (user-forced)" >&6;}
       ;;
     *)
       as_fn_error $? "--with-maxfd expects a numeric argument" "$LINENO" 5
@@ -27588,6 +27589,8 @@
   case ${withval} in
     [0-9]*)
       squid_filedescriptors_num=$withval
+      { $as_echo "$as_me:${as_lineno-$LINENO}: forcing default of $squid_filedescriptors_num filedescriptors (user-forced)" >&5
+$as_echo "$as_me: forcing default of $squid_filedescriptors_num filedescriptors (user-forced)" >&6;}
       ;;
     *)
       as_fn_error $? "--with-filedescriptors expects a numeric argument" "$LINENO" 5
@@ -27653,7 +27656,6 @@
 _ACEOF
 
 
-if test "x$squid_filedescriptors_num" = "x"; then
 
 for ac_func in setrlimit
 do :
@@ -27807,9 +27809,9 @@
 $as_echo "$as_me: WARNING: $squid_filedescriptors_num is not an multiple of 64. This may cause issues on certain platforms." >&2;}
 fi
 
-else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: forcing use of $squid_filedescriptors_num filedescriptors (user-forced)" >&5
-$as_echo "$as_me: forcing use of $squid_filedescriptors_num filedescriptors (user-forced)" >&6;}
+if test "x$squid_filedescriptors_num" != "x"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: Default number of fieldescriptors: $squid_filedescriptors_num" >&5
+$as_echo "$as_me: Default number of fieldescriptors: $squid_filedescriptors_num" >&6;}
 fi
 if test "$squid_filedescriptors_num" -lt 512 ; then
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $squid_filedescriptors_num may not be enough filedescriptors if your" >&5
@@ -31861,7 +31863,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 3.3.10, which was
+This file was extended by Squid Web Proxy $as_me 3.3.11, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -31927,7 +31929,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 3.3.10
+Squid Web Proxy config.status 3.3.11
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-3.3.10/configure.ac squid-3.3.11/configure.ac
--- squid-3.3.10/configure.ac	2013-11-04 00:08:19.000000000 +1300
+++ squid-3.3.11/configure.ac	2013-12-01 02:56:05.000000000 +1300
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.3.10],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.3.11],[http://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
@@ -2711,7 +2711,6 @@
     ;;
 esac
 
-
 dnl --with-maxfd present for compatibility with Squid-2.
 dnl undocumented in ./configure --help  to encourage using the Squid-3 directive
 AC_ARG_WITH(maxfd,,
@@ -2719,6 +2718,7 @@
   case ${withval} in
     [[0-9]]*)
       squid_filedescriptors_num=$withval
+      AC_MSG_NOTICE([forcing default of $squid_filedescriptors_num filedescriptors (user-forced)])
       ;;
     *)
       AC_MSG_ERROR(--with-maxfd expects a numeric argument)
@@ -2733,6 +2733,7 @@
   case ${withval} in
     [[0-9]]*)
       squid_filedescriptors_num=$withval
+      AC_MSG_NOTICE([forcing default of $squid_filedescriptors_num filedescriptors (user-forced)])
       ;;
     *)
       AC_MSG_ERROR(--with-filedescriptors expects a numeric argument)
@@ -2741,10 +2742,9 @@
 ])
 
 SQUID_CHECK_DEFAULT_FD_SETSIZE
-if test "x$squid_filedescriptors_num" = "x"; then
-  SQUID_CHECK_MAXFD
-else
-  AC_MSG_NOTICE([forcing use of $squid_filedescriptors_num filedescriptors (user-forced)])
+SQUID_CHECK_MAXFD
+if test "x$squid_filedescriptors_num" != "x"; then
+  AC_MSG_NOTICE([Default number of fieldescriptors: $squid_filedescriptors_num])
 fi
 if test "$squid_filedescriptors_num" -lt 512 ; then
     AC_MSG_WARN([$squid_filedescriptors_num may not be enough filedescriptors if your])
@@ -3567,93 +3567,93 @@
 dnl Clean up after OSF/1 core dump bug
 rm -f core 
 
-AC_CONFIG_FILES([\
-	Makefile \
-	compat/Makefile \
-	lib/Makefile \
-	lib/ntlmauth/Makefile \
-	lib/profiler/Makefile \
-	lib/rfcnb/Makefile \
-	lib/smblib/Makefile \
-	scripts/Makefile \
-	src/Makefile \
-	src/anyp/Makefile \
-	src/base/Makefile \
-	src/acl/Makefile \
-	src/fs/Makefile \
-	src/repl/Makefile \
-	src/auth/Makefile \
-	src/auth/basic/Makefile \
-	src/auth/digest/Makefile \
-	src/auth/negotiate/Makefile \
-	src/auth/ntlm/Makefile \
-	src/adaptation/Makefile \
-	src/adaptation/icap/Makefile \
-	src/adaptation/ecap/Makefile \
-	src/comm/Makefile \
-	src/esi/Makefile \
-	src/eui/Makefile \
-	src/format/Makefile \
-	src/icmp/Makefile \
-	src/ident/Makefile \
-	src/ip/Makefile \
-	src/log/Makefile \
-	src/ipc/Makefile \
-	src/ssl/Makefile \
-	src/mgr/Makefile \
-	src/snmp/Makefile \
-	contrib/Makefile \
-	snmplib/Makefile \
-	icons/Makefile \
-	errors/Makefile \
-	test-suite/Makefile \
-	doc/Makefile \
-	doc/manuals/Makefile \
-	helpers/Makefile \
-	helpers/basic_auth/Makefile \
-	helpers/basic_auth/DB/Makefile \
-	helpers/basic_auth/fake/Makefile \
-	helpers/basic_auth/getpwnam/Makefile \
-	helpers/basic_auth/LDAP/Makefile \
-	helpers/basic_auth/MSNT/Makefile \
-	helpers/basic_auth/MSNT-multi-domain/Makefile \
-	helpers/basic_auth/NCSA/Makefile \
-	helpers/basic_auth/NIS/Makefile \
-	helpers/basic_auth/PAM/Makefile \
-	helpers/basic_auth/POP3/Makefile \
-	helpers/basic_auth/RADIUS/Makefile \
-	helpers/basic_auth/SASL/Makefile \
-	helpers/basic_auth/SMB/Makefile \
-	helpers/basic_auth/SSPI/Makefile \
-	helpers/digest_auth/Makefile \
-	helpers/digest_auth/eDirectory/Makefile \
-	helpers/digest_auth/file/Makefile \
-	helpers/digest_auth/LDAP/Makefile \
-	helpers/ntlm_auth/Makefile \
-	helpers/ntlm_auth/fake/Makefile \
-	helpers/ntlm_auth/smb_lm/Makefile \
-	helpers/ntlm_auth/SSPI/Makefile \
-	helpers/negotiate_auth/Makefile \
-	helpers/negotiate_auth/kerberos/Makefile \
-	helpers/negotiate_auth/SSPI/Makefile \
-	helpers/negotiate_auth/wrapper/Makefile \
-	helpers/external_acl/Makefile \
-	helpers/external_acl/AD_group/Makefile \
-	helpers/external_acl/eDirectory_userip/Makefile \
-	helpers/external_acl/file_userip/Makefile \
-	helpers/external_acl/kerberos_ldap_group/Makefile \
-	helpers/external_acl/LDAP_group/Makefile \
-	helpers/external_acl/LM_group/Makefile \
-	helpers/external_acl/session/Makefile \
-	helpers/external_acl/SQL_session/Makefile \
-	helpers/external_acl/unix_group/Makefile \
-	helpers/external_acl/wbinfo_group/Makefile \
-	helpers/external_acl/time_quota/Makefile \
-	helpers/log_daemon/Makefile \
-	helpers/log_daemon/DB/Makefile \
-	helpers/log_daemon/file/Makefile \
-	helpers/url_rewrite/Makefile \
-	helpers/url_rewrite/fake/Makefile \
+AC_CONFIG_FILES([
+	Makefile
+	compat/Makefile
+	lib/Makefile
+	lib/ntlmauth/Makefile
+	lib/profiler/Makefile
+	lib/rfcnb/Makefile
+	lib/smblib/Makefile
+	scripts/Makefile
+	src/Makefile
+	src/anyp/Makefile
+	src/base/Makefile
+	src/acl/Makefile
+	src/fs/Makefile
+	src/repl/Makefile
+	src/auth/Makefile
+	src/auth/basic/Makefile
+	src/auth/digest/Makefile
+	src/auth/negotiate/Makefile
+	src/auth/ntlm/Makefile
+	src/adaptation/Makefile
+	src/adaptation/icap/Makefile
+	src/adaptation/ecap/Makefile
+	src/comm/Makefile
+	src/esi/Makefile
+	src/eui/Makefile
+	src/format/Makefile
+	src/icmp/Makefile
+	src/ident/Makefile
+	src/ip/Makefile
+	src/log/Makefile
+	src/ipc/Makefile
+	src/ssl/Makefile
+	src/mgr/Makefile
+	src/snmp/Makefile
+	contrib/Makefile
+	snmplib/Makefile
+	icons/Makefile
+	errors/Makefile
+	test-suite/Makefile
+	doc/Makefile
+	doc/manuals/Makefile
+	helpers/Makefile
+	helpers/basic_auth/Makefile
+	helpers/basic_auth/DB/Makefile
+	helpers/basic_auth/fake/Makefile
+	helpers/basic_auth/getpwnam/Makefile
+	helpers/basic_auth/LDAP/Makefile
+	helpers/basic_auth/MSNT/Makefile
+	helpers/basic_auth/MSNT-multi-domain/Makefile
+	helpers/basic_auth/NCSA/Makefile
+	helpers/basic_auth/NIS/Makefile
+	helpers/basic_auth/PAM/Makefile
+	helpers/basic_auth/POP3/Makefile
+	helpers/basic_auth/RADIUS/Makefile
+	helpers/basic_auth/SASL/Makefile
+	helpers/basic_auth/SMB/Makefile
+	helpers/basic_auth/SSPI/Makefile
+	helpers/digest_auth/Makefile
+	helpers/digest_auth/eDirectory/Makefile
+	helpers/digest_auth/file/Makefile
+	helpers/digest_auth/LDAP/Makefile
+	helpers/ntlm_auth/Makefile
+	helpers/ntlm_auth/fake/Makefile
+	helpers/ntlm_auth/smb_lm/Makefile
+	helpers/ntlm_auth/SSPI/Makefile
+	helpers/negotiate_auth/Makefile
+	helpers/negotiate_auth/kerberos/Makefile
+	helpers/negotiate_auth/SSPI/Makefile
+	helpers/negotiate_auth/wrapper/Makefile
+	helpers/external_acl/Makefile
+	helpers/external_acl/AD_group/Makefile
+	helpers/external_acl/eDirectory_userip/Makefile
+	helpers/external_acl/file_userip/Makefile
+	helpers/external_acl/kerberos_ldap_group/Makefile
+	helpers/external_acl/LDAP_group/Makefile
+	helpers/external_acl/LM_group/Makefile
+	helpers/external_acl/session/Makefile
+	helpers/external_acl/SQL_session/Makefile
+	helpers/external_acl/unix_group/Makefile
+	helpers/external_acl/wbinfo_group/Makefile
+	helpers/external_acl/time_quota/Makefile
+	helpers/log_daemon/Makefile
+	helpers/log_daemon/DB/Makefile
+	helpers/log_daemon/file/Makefile
+	helpers/url_rewrite/Makefile
+	helpers/url_rewrite/fake/Makefile
 	tools/Makefile
 	tools/purge/Makefile
 ])
diff -u -r -N squid-3.3.10/helpers/basic_auth/DB/basic_db_auth.8 squid-3.3.11/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.3.10/helpers/basic_auth/DB/basic_db_auth.8	2013-11-04 00:26:39.000000000 +1300
+++ squid-3.3.11/helpers/basic_auth/DB/basic_db_auth.8	2013-12-01 03:12:16.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2013-11-03" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.10/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.3.11/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.3.10/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2013-11-04 00:27:22.000000000 +1300
+++ squid-3.3.11/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2013-12-01 03:12:18.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2013-11-03" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.3.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.3.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2013-11-04 00:27:24.000000000 +1300
+++ squid-3.3.11/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2013-12-01 03:12:18.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-11-03" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.10/helpers/log_daemon/DB/log_db_daemon.8 squid-3.3.11/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.3.10/helpers/log_daemon/DB/log_db_daemon.8	2013-11-04 00:27:28.000000000 +1300
+++ squid-3.3.11/helpers/log_daemon/DB/log_db_daemon.8	2013-12-01 03:12:18.000000000 +1300
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 1"
-.TH LOG_DB_DAEMON 1 "2013-11-03" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 1 "2013-11-30" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.10/include/version.h squid-3.3.11/include/version.h
--- squid-3.3.10/include/version.h	2013-11-04 00:08:20.000000000 +1300
+++ squid-3.3.11/include/version.h	2013-12-01 02:56:05.000000000 +1300
@@ -7,7 +7,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1383476793
+#define SQUID_RELEASE_TIME 1385819711
 #endif
 
 #ifndef APP_SHORTNAME
diff -u -r -N squid-3.3.10/lib/encrypt.c squid-3.3.11/lib/encrypt.c
--- squid-3.3.10/lib/encrypt.c	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/lib/encrypt.c	2013-12-01 02:55:13.000000000 +1300
@@ -148,7 +148,7 @@
 int n;
 {
     for (; n--; pc++, a++)
-        *a = e[*pc];
+        *a = e[(int)*pc];
 }
 
 static void
@@ -164,7 +164,7 @@
 
     for (i = 0; i < 8; i++) {
         for (j = 0, sbval = 0; j < 6; j++)
-            sbval = (sbval << 1) | (nachr_r[*e++] ^ *schl++);
+            sbval = (sbval << 1) | (nachr_r[(int)*e++] ^ *schl++);
         sbval = S_BOX[i][sbval];
         for (tp += 4, j = 4; j--; sbval >>= 1)
             *--tp = sbval & 1;
@@ -173,7 +173,7 @@
 
     e = PERM;
     for (i = 0; i < BS2; i++)
-        *nachr_l++ ^= tmp[*e++];
+        *nachr_l++ ^= tmp[(int)*e++];
 }
 
 void
diff -u -r -N squid-3.3.10/RELEASENOTES.html squid-3.3.11/RELEASENOTES.html
--- squid-3.3.10/RELEASENOTES.html	2013-11-04 00:30:54.000000000 +1300
+++ squid-3.3.11/RELEASENOTES.html	2013-12-01 03:12:23.000000000 +1300
@@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 3.3.10 release notes</TITLE>
+ <TITLE>Squid 3.3.11 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.3.10 release notes</H1>
+<H1>Squid 3.3.11 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -56,7 +56,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-3.3.10.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.3.11.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v3/3.3/">http://www.squid-cache.org/Versions/v3/3.3/</A> or the 
 <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-3.3.10/src/acl/Gadgets.cc squid-3.3.11/src/acl/Gadgets.cc
--- squid-3.3.10/src/acl/Gadgets.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/acl/Gadgets.cc	2013-12-01 02:55:13.000000000 +1300
@@ -53,6 +53,11 @@
 err_type
 aclGetDenyInfoPage(AclDenyInfoList ** head, const char *name, int redirect_allowed)
 {
+    if (!name) {
+        debugs(28, 3, "ERR_NONE due to a NULL name");
+        return ERR_NONE;
+    }
+
     AclDenyInfoList *A = NULL;
 
     debugs(28, 8, HERE << "got called for " << name);
@@ -82,10 +87,12 @@
 int
 aclIsProxyAuth(const char *name)
 {
-    debugs(28, 5, "aclIsProxyAuth: called for " << name);
-
-    if (NULL == name)
+    if (!name) {
+        debugs(28, 3, "false due to a NULL name");
         return false;
+    }
+
+    debugs(28, 5, "aclIsProxyAuth: called for " << name);
 
     ACL *a;
 
diff -u -r -N squid-3.3.10/src/auth/digest/auth_digest.cc squid-3.3.11/src/auth/digest/auth_digest.cc
--- squid-3.3.10/src/auth/digest/auth_digest.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/auth/digest/auth_digest.cc	2013-12-01 02:55:13.000000000 +1300
@@ -857,37 +857,43 @@
         switch (type) {
         case DIGEST_USERNAME:
             safe_free(username);
-            username = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                username = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found Username '" << username << "'");
             break;
 
         case DIGEST_REALM:
             safe_free(digest_request->realm);
-            digest_request->realm = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->realm = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found realm '" << digest_request->realm << "'");
             break;
 
         case DIGEST_QOP:
             safe_free(digest_request->qop);
-            digest_request->qop = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->qop = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found qop '" << digest_request->qop << "'");
             break;
 
         case DIGEST_ALGORITHM:
             safe_free(digest_request->algorithm);
-            digest_request->algorithm = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->algorithm = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found algorithm '" << digest_request->algorithm << "'");
             break;
 
         case DIGEST_URI:
             safe_free(digest_request->uri);
-            digest_request->uri = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->uri = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found uri '" << digest_request->uri << "'");
             break;
 
         case DIGEST_NONCE:
             safe_free(digest_request->nonceb64);
-            digest_request->nonceb64 = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->nonceb64 = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found nonce '" << digest_request->nonceb64 << "'");
             break;
 
@@ -901,13 +907,15 @@
 
         case DIGEST_CNONCE:
             safe_free(digest_request->cnonce);
-            digest_request->cnonce = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->cnonce = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found cnonce '" << digest_request->cnonce << "'");
             break;
 
         case DIGEST_RESPONSE:
             safe_free(digest_request->response);
-            digest_request->response = xstrndup(value.rawBuf(), value.size() + 1);
+            if (value.size() != 0)
+                digest_request->response = xstrndup(value.rawBuf(), value.size() + 1);
             debugs(29, 9, HERE << "Found response '" << digest_request->response << "'");
             break;
 
diff -u -r -N squid-3.3.10/src/auth/digest/UserRequest.cc squid-3.3.11/src/auth/digest/UserRequest.cc
--- squid-3.3.10/src/auth/digest/UserRequest.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/auth/digest/UserRequest.cc	2013-12-01 02:55:13.000000000 +1300
@@ -149,14 +149,14 @@
             digest_request->setDenyMessage("Incorrect password");
             return;
         }
+    }
 
-        /* check for stale nonce */
-        if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
-            debugs(29, 3, HERE << "user '" << auth_user->username() << "' validated OK but nonce stale");
-            auth_user->credentials(Auth::Failed);
-            digest_request->setDenyMessage("Stale nonce");
-            return;
-        }
+    /* check for stale nonce */
+    if (!authDigestNonceIsValid(digest_request->nonce, digest_request->nc)) {
+        debugs(29, 3, "user '" << auth_user->username() << "' validated OK but nonce stale");
+        auth_user->credentials(Auth::Failed);
+        digest_request->setDenyMessage("Stale nonce");
+        return;
     }
 
     auth_user->credentials(Auth::Ok);
diff -u -r -N squid-3.3.10/src/http.cc squid-3.3.11/src/http.cc
--- squid-3.3.10/src/http.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/http.cc	2013-12-01 02:55:13.000000000 +1300
@@ -924,10 +924,6 @@
     Ctx ctx = ctx_enter(entry->mem_obj->url);
     HttpReply *rep = finalReply();
 
-    if (rep->sline.status == HTTP_PARTIAL_CONTENT &&
-            rep->content_range)
-        currentOffset = rep->content_range->spec.offset;
-
     entry->timestampsSet();
 
     /* Check if object is cacheable or not based on reply code */
diff -u -r -N squid-3.3.10/src/HttpHeader.cc squid-3.3.11/src/HttpHeader.cc
--- squid-3.3.10/src/HttpHeader.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/HttpHeader.cc	2013-12-01 02:55:13.000000000 +1300
@@ -546,6 +546,7 @@
 {
     const char *field_ptr = header_start;
     HttpHeaderEntry *e, *e2;
+    bool warnOnError = (Config.onoff.relaxed_header_parser <= 0 ? DBG_IMPORTANT : 2);
 
     PROF_start(HttpHeaderParse);
 
@@ -587,7 +588,7 @@
                             cr_only = false;
                     }
                     if (cr_only) {
-                        debugs(55, DBG_IMPORTANT, "WARNING: Rejecting HTTP request with a CR+ "
+                        debugs(55, DBG_IMPORTANT, "SECURITY WARNING: Rejecting HTTP request with a CR+ "
                                "header field to prevent request smuggling attacks: {" <<
                                getStringPrefix(header_start, header_end) << "}");
                         goto reset;
@@ -597,7 +598,7 @@
 
             /* Barf on stray CR characters */
             if (memchr(this_line, '\r', field_end - this_line)) {
-                debugs(55, DBG_IMPORTANT, "WARNING: suspicious CR characters in HTTP header {" <<
+                debugs(55, warnOnError, "WARNING: suspicious CR characters in HTTP header {" <<
                        getStringPrefix(field_start, field_end) << "}");
 
                 if (Config.onoff.relaxed_header_parser) {
@@ -612,7 +613,7 @@
             }
 
             if (this_line + 1 == field_end && this_line > field_start) {
-                debugs(55, DBG_IMPORTANT, "WARNING: Blank continuation line in HTTP header {" <<
+                debugs(55, warnOnError, "WARNING: Blank continuation line in HTTP header {" <<
                        getStringPrefix(header_start, header_end) << "}");
                 goto reset;
             }
@@ -620,7 +621,7 @@
 
         if (field_start == field_end) {
             if (field_ptr < header_end) {
-                debugs(55, DBG_IMPORTANT, "WARNING: unparseable HTTP header field near {" <<
+                debugs(55, warnOnError, "WARNING: unparseable HTTP header field near {" <<
                        getStringPrefix(field_start, header_end) << "}");
                 goto reset;
             }
@@ -629,23 +630,21 @@
         }
 
         if ((e = HttpHeaderEntry::parse(field_start, field_end)) == NULL) {
-            debugs(55, DBG_IMPORTANT, "WARNING: unparseable HTTP header field {" <<
+            debugs(55, warnOnError, "WARNING: unparseable HTTP header field {" <<
                    getStringPrefix(field_start, field_end) << "}");
-            debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
-                   " in {" << getStringPrefix(header_start, header_end) << "}");
+            debugs(55, warnOnError, " in {" << getStringPrefix(header_start, header_end) << "}");
 
             if (Config.onoff.relaxed_header_parser)
                 continue;
-            else
-                goto reset;
+
+            goto reset;
         }
 
         if (e->id == HDR_CONTENT_LENGTH && (e2 = findEntry(e->id)) != NULL) {
-//            if (e->value.cmp(e2->value.termedBuf()) != 0) {
             if (e->value != e2->value) {
                 int64_t l1, l2;
-                debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
-                       "WARNING: found two conflicting content-length headers in {" << getStringPrefix(header_start, header_end) << "}");
+                debugs(55, warnOnError, "WARNING: found two conflicting content-length headers in {" <<
+                       getStringPrefix(header_start, header_end) << "}");
 
                 if (!Config.onoff.relaxed_header_parser) {
                     delete e;
@@ -666,22 +665,18 @@
                     continue;
                 }
             } else {
-                debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
-                       "NOTICE: found double content-length header");
+                debugs(55, warnOnError, "NOTICE: found double content-length header");
+                delete e;
 
-                if (Config.onoff.relaxed_header_parser) {
-                    delete e;
+                if (Config.onoff.relaxed_header_parser)
                     continue;
-                } else {
-                    delete e;
-                    goto reset;
-                }
+
+                goto reset;
             }
         }
 
         if (e->id == HDR_OTHER && stringHasWhitespace(e->name.termedBuf())) {
-            debugs(55, Config.onoff.relaxed_header_parser <= 0 ? 1 : 2,
-                   "WARNING: found whitespace in HTTP header name {" <<
+            debugs(55, warnOnError, "WARNING: found whitespace in HTTP header name {" <<
                    getStringPrefix(field_start, field_end) << "}");
 
             if (!Config.onoff.relaxed_header_parser) {
diff -u -r -N squid-3.3.10/src/ipc/Kid.cc squid-3.3.11/src/ipc/Kid.cc
--- squid-3.3.10/src/ipc/Kid.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ipc/Kid.cc	2013-12-01 02:55:13.000000000 +1300
@@ -7,6 +7,10 @@
 #include "globals.h"
 #include "ipc/Kid.h"
 
+#if HAVE_TIME_H
+#include <time.h>
+#endif
+
 #if HAVE_SYS_WAIT_H
 #include <sys/wait.h>
 #endif
diff -u -r -N squid-3.3.10/src/ipc/TypedMsgHdr.cc squid-3.3.11/src/ipc/TypedMsgHdr.cc
--- squid-3.3.10/src/ipc/TypedMsgHdr.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ipc/TypedMsgHdr.cc	2013-12-01 02:55:13.000000000 +1300
@@ -167,10 +167,20 @@
     }
 }
 
+bool
+Ipc::TypedMsgHdr::hasFd() const
+{
+    struct cmsghdr *cmsg = CMSG_FIRSTHDR(this);
+    return cmsg &&
+           cmsg->cmsg_level == SOL_SOCKET &&
+           cmsg->cmsg_type == SCM_RIGHTS;
+}
+
 void
 Ipc::TypedMsgHdr::putFd(int fd)
 {
     Must(fd >= 0);
+    Must(!hasFd());
     allocControl();
 
     const int fdCount = 1;
@@ -183,12 +193,15 @@
     int *fdStore = reinterpret_cast<int*>(CMSG_DATA(cmsg));
     memcpy(fdStore, &fd, fdCount * sizeof(int));
     msg_controllen = cmsg->cmsg_len;
+
+    Must(hasFd());
 }
 
 int
 Ipc::TypedMsgHdr::getFd() const
 {
     Must(msg_control && msg_controllen);
+    Must(hasFd());
 
     struct cmsghdr *cmsg = CMSG_FIRSTHDR(this);
     Must(cmsg->cmsg_level == SOL_SOCKET);
diff -u -r -N squid-3.3.10/src/ipc/TypedMsgHdr.h squid-3.3.11/src/ipc/TypedMsgHdr.h
--- squid-3.3.10/src/ipc/TypedMsgHdr.h	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ipc/TypedMsgHdr.h	2013-12-01 02:55:13.000000000 +1300
@@ -59,7 +59,8 @@
 
     /* access to a "file" descriptor that can be passed between processes */
     void putFd(int aFd); ///< stores descriptor
-    int getFd() const; ///< returns descriptor
+    int getFd() const; ///< returns stored descriptor
+    bool hasFd() const; ///< whether the message has a descriptor stored
 
     /* raw, type-independent access for I/O */
     void prepForReading(); ///< reset and provide all buffers
diff -u -r -N squid-3.3.10/src/ipc/UdsOp.cc squid-3.3.11/src/ipc/UdsOp.cc
--- squid-3.3.10/src/ipc/UdsOp.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ipc/UdsOp.cc	2013-12-01 02:55:13.000000000 +1300
@@ -81,11 +81,21 @@
         message(aMessage),
         retries(10), // TODO: make configurable?
         timeout(10), // TODO: make configurable?
+        sleeping(false),
         writing(false)
 {
     message.address(address);
 }
 
+void Ipc::UdsSender::swanSong()
+{
+    // did we abort while waiting between retries?
+    if (sleeping)
+        cancelSleep();
+
+    UdsOp::swanSong();
+}
+
 void Ipc::UdsSender::start()
 {
     UdsOp::start();
@@ -96,7 +106,7 @@
 
 bool Ipc::UdsSender::doneAll() const
 {
-    return !writing && UdsOp::doneAll();
+    return !writing && !sleeping && UdsOp::doneAll();
 }
 
 void Ipc::UdsSender::write()
@@ -114,8 +124,53 @@
     debugs(54, 5, HERE << params.conn << " flag " << params.flag << " retries " << retries << " [" << this << ']');
     writing = false;
     if (params.flag != COMM_OK && retries-- > 0) {
-        sleep(1); // do not spend all tries at once; XXX: use an async timed event instead of blocking here; store the time when we started writing so that we do not sleep if not needed?
-        write(); // XXX: should we close on error so that conn() reopens?
+        // perhaps a fresh connection and more time will help?
+        conn()->close();
+        sleep();
+    }
+}
+
+/// pause for a while before resending the message
+void Ipc::UdsSender::sleep()
+{
+    Must(!sleeping);
+    sleeping = true;
+    eventAdd("Ipc::UdsSender::DelayedRetry",
+             Ipc::UdsSender::DelayedRetry,
+             new Pointer(this), 1, 0, false); // TODO: Use Fibonacci increments
+}
+
+/// stop sleeping (or do nothing if we were not)
+void Ipc::UdsSender::cancelSleep()
+{
+    if (sleeping) {
+        // Why not delete the event? See Comm::ConnOpener::cancelSleep().
+        sleeping = false;
+        debugs(54, 9, "stops sleeping");
+    }
+}
+
+/// legacy wrapper for Ipc::UdsSender::delayedRetry()
+void Ipc::UdsSender::DelayedRetry(void *data)
+{
+    Pointer *ptr = static_cast<Pointer*>(data);
+    assert(ptr);
+    if (UdsSender *us = dynamic_cast<UdsSender*>(ptr->valid())) {
+        // get back inside AsyncJob protection by scheduling an async job call
+        typedef NullaryMemFunT<Ipc::UdsSender> Dialer;
+        AsyncCall::Pointer call = JobCallback(54, 4, Dialer, us, Ipc::UdsSender::delayedRetry);
+        ScheduleCallHere(call);
+    }
+    delete ptr;
+}
+
+/// make another sending attempt after a pause
+void Ipc::UdsSender::delayedRetry()
+{
+    debugs(54, 5, HERE << sleeping);
+    if (sleeping) {
+        sleeping = false;
+        write(); // reopens the connection if needed
     }
 }
 
diff -u -r -N squid-3.3.10/src/ipc/UdsOp.h squid-3.3.11/src/ipc/UdsOp.h
--- squid-3.3.10/src/ipc/UdsOp.h	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ipc/UdsOp.h	2013-12-01 02:55:13.000000000 +1300
@@ -65,11 +65,17 @@
     UdsSender(const String& pathAddr, const TypedMsgHdr& aMessage);
 
 protected:
+    virtual void swanSong(); // UdsOp (AsyncJob) API
     virtual void start(); // UdsOp (AsyncJob) API
     virtual bool doneAll() const; // UdsOp (AsyncJob) API
     virtual void timedout(); // UdsOp API
 
 private:
+    void sleep();
+    void cancelSleep();
+    static void DelayedRetry(void *data);
+    void delayedRetry();
+
     void write(); ///< schedule writing
     void wrote(const CommIoCbParams& params); ///< done writing or error
 
@@ -77,6 +83,7 @@
     TypedMsgHdr message; ///< what to send
     int retries; ///< how many times to try after a write error
     int timeout; ///< total time to send the message
+    bool sleeping; ///< whether we are waiting to retry a failed write
     bool writing; ///< whether Comm started and did not finish writing
 
 private:
diff -u -r -N squid-3.3.10/src/neighbors.cc squid-3.3.11/src/neighbors.cc
--- squid-3.3.10/src/neighbors.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/neighbors.cc	2013-12-01 02:55:13.000000000 +1300
@@ -1316,6 +1316,7 @@
         Comm::ConnectionPointer conn = new Comm::Connection;
         conn->remote = p->addresses[i];
         conn->remote.SetPort(p->http_port);
+        conn->setPeer(p);
         getOutgoingAddress(NULL, conn);
 
         ++ p->testing_now;
diff -u -r -N squid-3.3.10/src/Server.cc squid-3.3.11/src/Server.cc
--- squid-3.3.10/src/Server.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/Server.cc	2013-12-01 02:55:13.000000000 +1300
@@ -39,6 +39,7 @@
 #include "fd.h"
 #include "err_detail_type.h"
 #include "errorpage.h"
+#include "HttpHdrContRange.h"
 #include "HttpReply.h"
 #include "HttpRequest.h"
 #include "Server.h"
@@ -522,6 +523,11 @@
 {
     Must(theFinalReply);
     maybePurgeOthers();
+
+    // adaptation may overwrite old offset computed using the virgin response
+    const bool partial = theFinalReply->content_range &&
+                         theFinalReply->sline.status == HTTP_PARTIAL_CONTENT;
+    currentOffset = partial ? theFinalReply->content_range->spec.offset : 0;
 }
 
 HttpRequest *
diff -u -r -N squid-3.3.10/src/snmp/Inquirer.cc squid-3.3.11/src/snmp/Inquirer.cc
--- squid-3.3.10/src/snmp/Inquirer.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/snmp/Inquirer.cc	2013-12-01 02:55:13.000000000 +1300
@@ -28,6 +28,10 @@
     closer = asyncCall(49, 5, "Snmp::Inquirer::noteCommClosed",
                        CommCbMemFunT<Inquirer, CommCloseCbParams>(this, &Inquirer::noteCommClosed));
     comm_add_close_handler(conn->fd, closer);
+
+    // forget client FD to avoid sending it to strands that may forget to close
+    if (Request *snmpRequest = dynamic_cast<Request*>(request.getRaw()))
+        snmpRequest->fd = -1;
 }
 
 /// closes our copy of the client connection socket
diff -u -r -N squid-3.3.10/src/snmp/Request.cc squid-3.3.11/src/snmp/Request.cc
--- squid-3.3.10/src/snmp/Request.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/snmp/Request.cc	2013-12-01 02:55:13.000000000 +1300
@@ -33,7 +33,8 @@
     session.unpack(msg);
     msg.getPod(address);
 
-    fd = msg.getFd();
+    // Requests from strands have FDs. Requests from Coordinator do not.
+    fd = msg.hasFd() ? msg.getFd() : -1;
 }
 
 void
@@ -46,7 +47,9 @@
     session.pack(msg);
     msg.putPod(address);
 
-    msg.putFd(fd);
+    // Requests sent to Coordinator have FDs. Requests sent to strands do not.
+    if (fd >= 0)
+        msg.putFd(fd);
 }
 
 Ipc::Request::Pointer
diff -u -r -N squid-3.3.10/src/ssl/ErrorDetail.cc squid-3.3.11/src/ssl/ErrorDetail.cc
--- squid-3.3.10/src/ssl/ErrorDetail.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ssl/ErrorDetail.cc	2013-12-01 02:55:13.000000000 +1300
@@ -219,6 +219,31 @@
     {SSL_ERROR_NONE, NULL}
 };
 
+static const char *OptionalSslErrors[] = {
+    "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER",
+    "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION",
+    "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN",
+    "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION",
+    "X509_V_ERR_INVALID_NON_CA",
+    "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED",
+    "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE",
+    "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED",
+    "X509_V_ERR_INVALID_EXTENSION",
+    "X509_V_ERR_INVALID_POLICY_EXTENSION",
+    "X509_V_ERR_NO_EXPLICIT_POLICY",
+    "X509_V_ERR_DIFFERENT_CRL_SCOPE",
+    "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE",
+    "X509_V_ERR_UNNESTED_RESOURCE",
+    "X509_V_ERR_PERMITTED_VIOLATION",
+    "X509_V_ERR_EXCLUDED_VIOLATION",
+    "X509_V_ERR_SUBTREE_MINMAX",
+    "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE",
+    "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",
+    "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",
+    "X509_V_ERR_CRL_PATH_VALIDATION_ERROR",
+    NULL
+};
+
 struct SslErrorAlias {
     const char *name;
     const Ssl::ssl_error_t *errors;
@@ -329,6 +354,16 @@
     return NULL;
 }
 
+bool
+Ssl::ErrorIsOptional(const char *name)
+{
+    for (int i = 0; OptionalSslErrors[i] != NULL; ++i) {
+        if (strcmp(name, OptionalSslErrors[i]) == 0)
+            return true;
+    }
+    return false;
+}
+
 const char *
 Ssl::GetErrorDescr(Ssl::ssl_error_t value)
 {
diff -u -r -N squid-3.3.10/src/ssl/ErrorDetail.h squid-3.3.11/src/ssl/ErrorDetail.h
--- squid-3.3.10/src/ssl/ErrorDetail.h	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ssl/ErrorDetail.h	2013-12-01 02:55:13.000000000 +1300
@@ -42,6 +42,14 @@
 
 /**
    \ingroup ServerProtocolSSLAPI
+   * Return true if the SSL error is optional and may not supported
+   * by current squid version
+ */
+
+bool ErrorIsOptional(const char *name);
+
+/**
+   \ingroup ServerProtocolSSLAPI
  * Used to pass SSL error details to the error pages returned to the
  * end user.
  */
diff -u -r -N squid-3.3.10/src/ssl/ErrorDetailManager.cc squid-3.3.11/src/ssl/ErrorDetailManager.cc
--- squid-3.3.10/src/ssl/ErrorDetailManager.cc	2013-11-04 00:06:37.000000000 +1300
+++ squid-3.3.11/src/ssl/ErrorDetailManager.cc	2013-12-01 02:55:13.000000000 +1300
@@ -218,32 +218,35 @@
             }
 
             Ssl::ssl_error_t ssl_error = Ssl::GetErrorCode(errorName.termedBuf());
-            if (ssl_error == SSL_ERROR_NONE) {
-                debugs(83, DBG_IMPORTANT, HERE <<
-                       "WARNING! invalid error detail name: " << errorName);
-                return false;
-            }
+            if (ssl_error != SSL_ERROR_NONE) {
 
-            if (theDetails->getErrorDetail(ssl_error)) {
-                debugs(83, DBG_IMPORTANT, HERE <<
-                       "WARNING! duplicate entry: " << errorName);
-                return false;
-            }
+                if (theDetails->getErrorDetail(ssl_error)) {
+                    debugs(83, DBG_IMPORTANT, HERE <<
+                           "WARNING! duplicate entry: " << errorName);
+                    return false;
+                }
+
+                ErrorDetailEntry &entry = theDetails->theList[ssl_error];
+                entry.error_no = ssl_error;
+                entry.name = errorName;
+                String tmp = parser.getByName("detail");
+                httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail);
+                tmp = parser.getByName("descr");
+                httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr);
+                bool parseOK = entry.descr.defined() && entry.detail.defined();
 
-            ErrorDetailEntry &entry = theDetails->theList[ssl_error];
-            entry.error_no = ssl_error;
-            entry.name = errorName;
-            String tmp = parser.getByName("detail");
-            httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail);
-            tmp = parser.getByName("descr");
-            httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr);
-            bool parseOK = entry.descr.defined() && entry.detail.defined();
+                if (!parseOK) {
+                    debugs(83, DBG_IMPORTANT, HERE <<
+                           "WARNING! missing important field for detail error: " <<  errorName);
+                    return false;
+                }
 
-            if (!parseOK) {
+            } else if (!Ssl::ErrorIsOptional(errorName.termedBuf())) {
                 debugs(83, DBG_IMPORTANT, HERE <<
-                       "WARNING! missing imporant field for detail error: " <<  errorName);
+                       "WARNING! invalid error detail name: " << errorName);
                 return false;
             }
+
         }// else {only spaces and black lines; just ignore}
 
         buf.consume(size);
