diff -u -r -N squid-3.3.8/acinclude/compiler-flags.m4 squid-3.3.9/acinclude/compiler-flags.m4
--- squid-3.3.8/acinclude/compiler-flags.m4	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/acinclude/compiler-flags.m4	2013-09-11 16:08:38.000000000 +1200
@@ -170,8 +170,8 @@
    squid_cv_cc_arg_pipe=""
    ;;
   clang) 
-   squid_cv_cxx_option_werror="-Werror -Wno-error=parentheses-equality"
-   squid_cv_cc_option_werror="$squid_cv_cxx_option_werror" 
+   squid_cv_cxx_option_werror="-Werror -Qunused-arguments"
+   squid_cv_cc_option_werror="$squid_cv_cxx_option_werror"
    squid_cv_cc_option_wall="-Wall"
    squid_cv_cc_option_optimize="-O2"
    squid_cv_cc_arg_pipe=""
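Review bot: The clang branch swaps `-Wno-error=parentheses-equality` for `-Qunused-arguments` with no comment saying why either flag is there. Dropping the first one makes clang's parentheses-equality warning fatal again under `-Werror`, so this is only safe if every construct that triggered it has been fixed elsewhere, which this hunk cannot show. I would add a line above the assignment such as `dnl -Qunused-arguments: keep clang's "argument unused during compilation" driver warning from failing -Werror builds`. The enclosing `case` starts and ends outside the hunk.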
diff -u -r -N squid-3.3.8/ChangeLog squid-3.3.9/ChangeLog
--- squid-3.3.8/ChangeLog	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/ChangeLog	2013-09-11 16:08:38.000000000 +1200
@@ -1,4 +1,23 @@
 
+Changes to squid-3.3.9 (11 Sep 2013):
+
+	- Regression Bug 3077: off-by-one error in Digest header decoding
+	- Bug 3895: fix acl_uses_indirect_client and cache_peer_access
+	- Bug 3879: assertion failed ConnStateData::validatePinnedConnection
+	- Bug 3863: myportname acl causes segmentation fault
+	- Bug 3849: Duplicate certificate sent when using https_port
+	- Bug 2287: Better fix for unsupported HTTP version handling
+	- Bug 2112: Reload into If-None-Match
+	- Fix several assert with side effects in ICAP/eCAP response handling
+	- Fix myportname ACL on ICAP/eCAP transactions
+	- Fix external ACL user:pass detail logging after adaptation
+	- Fix SMP mgr:info report 'Largest file desc currently in use'
+	- Improved compatibility with gcc 4.8, clang and icc
+	- Show number of available filedescriptors when reserved FD changes
+	- Sync with newest OpenSSL error codes
+	- Register Http2-Settings header
+	- ... and many Windows portability fixes
+
 Changes to squid-3.3.8 (13 Jul 2013):
 
 	- Bug 3869: assertion failed: MemBuf.cc:272: size < capacity
diff -u -r -N squid-3.3.8/compat/cmsg.h squid-3.3.9/compat/cmsg.h
--- squid-3.3.8/compat/cmsg.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/cmsg.h	2013-09-11 16:08:38.000000000 +1200
@@ -9,6 +9,12 @@
 #include <sys/socket.h>
 #endif
 
+// WinSock2.h defines these for Windows
+#if HAVE_WINSOCK2_H
+#include <winsock2.h>
+#define CMSG_H_ // prevent re-definition
+#endif
+
 #ifndef CMSG_H_
 #define CMSG_H_
 
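Review bot: Pre-defining `CMSG_H_` when `HAVE_WINSOCK2_H` is set reuses the include guard as a feature switch, so the whole body of this header is skipped on such builds, not just the CMSG_* macros that WinSock2.h supplies. If the body (outside this hunk) declares anything winsock2.h does not provide, it disappears silently. A dedicated macro would make the intent explicit, e.g. `#define SQUID_CMSG_FROM_WINSOCK2 1` tested around only the conflicting definitions. Failing that, extend the comment to state that the entire header is intentionally disabled.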
diff -u -r -N squid-3.3.8/compat/getnameinfo.c squid-3.3.9/compat/getnameinfo.c
--- squid-3.3.8/compat/getnameinfo.c	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/getnameinfo.c	2013-09-11 16:08:38.000000000 +1200
@@ -112,7 +112,7 @@
 #include <inttypes.h>
 #endif
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 #undef IN_ADDR
 #include <ws2tcpip.h>
 #endif
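Review bot: Switching the guard from `_SQUID_MSWIN_` to `_SQUID_WINDOWS_` may widen it to Cygwin builds, since the compat/mswin.cc hunk in this patch has to write `_SQUID_WINDOWS_ && !_SQUID_CYGWIN_` to exclude them. If so, this line now pulls `<ws2tcpip.h>` into Cygwin builds, which the configure.ac comment says must use the emulated BSD socket API. The three compat/types.h hunks have the same problem, selecting the MSVCRT-only `"I64d"`/`"I64u"`/`"I64X"` formats whenever `<inttypes.h>` did not define the PRI*64 macros. Consider `#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_` here and in types.h, or a comment stating that Cygwin is meant to be included.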
@@ -158,7 +158,6 @@
     int family, i;
     const char *addr;
     uint32_t v4a;
-    int h_error;
     char numserv[512];
 
     if (sa == NULL)
@@ -260,14 +259,17 @@
         goto numeric;
     } else {
 #if USE_GETIPNODEBY
+        int h_error = 0;
         hp = getipnodebyaddr(addr, afd->a_addrlen, afd->a_af, &h_error);
 #else
         hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af);
+#if 0 // getnameinfo.c:161:9: error: variable 'h_error' set but not used
 #if HAVE_H_ERRNO
         h_error = h_errno;
 #else
         h_error = EINVAL;
 #endif
+#endif /* 0 */
 #endif
 
         if (hp) {
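Review bot: The `#if 0 ... #endif /* 0 */` block leaves dead assignments to `h_error`, which is no longer declared in the `gethostbyaddr()` branch, so re-enabling the block would not compile. Since the value was never read, delete the four `h_error = ...` lines and their `#if HAVE_H_ERRNO` wrapper instead of parking them. In the `USE_GETIPNODEBY` branch `h_error` is still only written by `getipnodebyaddr()` and never inspected, so a lookup failure cannot be told apart from "no name". A short comment such as `/* h_error is required by the API but intentionally ignored; failures fall through to the numeric form */` would document that, assuming the fall-through is what the code after the hunk does. The function body starts and ends outside the hunk.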
diff -u -r -N squid-3.3.8/compat/GnuRegex.c squid-3.3.9/compat/GnuRegex.c
--- squid-3.3.8/compat/GnuRegex.c	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/GnuRegex.c	2013-09-11 16:08:38.000000000 +1200
@@ -90,8 +90,6 @@
 
 #endif /* not SYNTAX_TABLE */
 
-#define SYNTAX(c) re_syntax_table[c]
-
 /* Get the interface, including the syntax bits.  */
 #include "compat/GnuRegex.h"
 
@@ -889,9 +887,6 @@
 
 #define INIT_COMPILE_STACK_SIZE 32
 
-#define COMPILE_STACK_EMPTY  (compile_stack.avail == 0)
-#define COMPILE_STACK_FULL  (compile_stack.avail == compile_stack.size)
-
 /* The next available element.  */
 #define COMPILE_STACK_TOP (compile_stack.stack[compile_stack.avail])
 
@@ -1420,7 +1415,7 @@
                 bufp->re_nsub++;
                 regnum++;
 
-                if (COMPILE_STACK_FULL) {
+                if (compile_stack.avail == compile_stack.size) {
                     RETALLOC(compile_stack.stack, compile_stack.size << 1,
                              compile_stack_elt_t);
                     if (compile_stack.stack == NULL)
@@ -1461,7 +1456,7 @@
                 if (syntax & RE_NO_BK_PARENS)
                     goto normal_backslash;
 
-                if (COMPILE_STACK_EMPTY) {
+                if (compile_stack.avail == 0) {
                     if (syntax & RE_UNMATCHED_RIGHT_PAREN_ORD)
                         goto normal_backslash;
                     else
@@ -1479,7 +1474,7 @@
                     STORE_JUMP(jump_past_alt, fixup_alt_jump, b - 1);
                 }
                 /* See similar code for backslashed left paren above.  */
-                if (COMPILE_STACK_EMPTY) {
+                if (compile_stack.avail == 0) {
                     if (syntax & RE_UNMATCHED_RIGHT_PAREN_ORD)
                         goto normal_char;
                     else
@@ -1832,7 +1827,7 @@
     if (fixup_alt_jump)
         STORE_JUMP(jump_past_alt, fixup_alt_jump, b);
 
-    if (!COMPILE_STACK_EMPTY)
+    if (compile_stack.avail != 0)
         return REG_EPAREN;
 
     free(compile_stack.stack);
@@ -2374,13 +2369,13 @@
 
         case wordchar:
             for (j = 0; j < (1 << BYTEWIDTH); j++)
-                if (SYNTAX(j) == Sword)
+                if (re_syntax_table[j] == Sword)
                     fastmap[j] = 1;
             break;
 
         case notwordchar:
             for (j = 0; j < (1 << BYTEWIDTH); j++)
-                if (SYNTAX(j) != Sword)
+                if (re_syntax_table[j] != Sword)
                     fastmap[j] = 1;
             break;
 
@@ -2732,21 +2727,31 @@
 /* Test if at very beginning or at very end of the virtual concatenation
  * of `string1' and `string2'.  If only one string, it's `string2'.  */
 #define AT_STRINGS_BEG(d) ((d) == (size1 ? string1 : string2) || !size2)
-#define AT_STRINGS_END(d) ((d) == end2)
+static int at_strings_end(const char *d, const char *end2)
+{
+    return d == end2;
+}
 
 /* Test if D points to a character which is word-constituent.  We have
  * two special cases to check for: if past the end of string1, look at
  * the first character in string2; and if before the beginning of
  * string2, look at the last character in string1.  */
 #define WORDCHAR_P(d)							\
-  (SYNTAX ((d) == end1 ? *string2					\
-           : (d) == string2 - 1 ? *(end1 - 1) : *(d))			\
+  (re_syntax_table[(d) == end1 ? *string2					\
+           : (d) == string2 - 1 ? *(end1 - 1) : *(d)]			\
    == Sword)
+static int
+wordchar_p(const char *d, const char *end1, const char *string2)
+{
+    return re_syntax_table[(d) == end1 ? *string2
+                           : (d) == string2 - 1 ? *(end1 - 1) : *(d)]
+           == Sword;
+}
 
 /* Test if the character before D and the one at D differ with respect
  * to being word-constituent.  */
 #define AT_WORD_BOUNDARY(d)						\
-  (AT_STRINGS_BEG (d) || AT_STRINGS_END (d)				\
+  (AT_STRINGS_BEG (d) || at_strings_end(d,end2)				\
    || WORDCHAR_P (d - 1) != WORDCHAR_P (d))
 
 /* Free everything we malloc.  */
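Review bot: The new `wordchar_p()` indexes `re_syntax_table` with a plain `char` read through `const char *d`, so on targets where `char` is signed any byte >= 0x80 in the subject string becomes a negative subscript and reads before the table. The regex input can come from request data, so the index should be forced non-negative, e.g. `return re_syntax_table[(unsigned char)(d == end1 ? *string2 : d == string2 - 1 ? *(end1 - 1) : *d)] == Sword;`. The rewritten `WORDCHAR_P` macro has the same subscript and is kept next to the function, so `AT_WORD_BOUNDARY` and the `wordbeg`/`wordend` cases further down still go through the macro for `d - 1`. Having the macro call `wordchar_p((d), end1, string2)` would leave one implementation to fix. The table's declaration is outside this hunk, so whether it is sized for the full byte range cannot be confirmed from here.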
@@ -3440,7 +3445,7 @@
         case endline:
             DEBUG_PRINT1("EXECUTING endline.\n");
 
-            if (AT_STRINGS_END(d)) {
+            if (at_strings_end(d,end2)) {
                 if (!bufp->not_eol)
                     break;
             }
@@ -3461,7 +3466,7 @@
             /* Match at the very end of the data.  */
         case endbuf:
             DEBUG_PRINT1("EXECUTING endbuf.\n");
-            if (AT_STRINGS_END(d))
+            if (at_strings_end(d,end2))
                 break;
             goto fail;
 
@@ -3739,21 +3744,21 @@
 
         case wordbeg:
             DEBUG_PRINT1("EXECUTING wordbeg.\n");
-            if (WORDCHAR_P(d) && (AT_STRINGS_BEG(d) || !WORDCHAR_P(d - 1)))
+            if (wordchar_p(d,end1,string2) && (AT_STRINGS_BEG(d) || !WORDCHAR_P(d - 1)))
                 break;
             goto fail;
 
         case wordend:
             DEBUG_PRINT1("EXECUTING wordend.\n");
             if (!AT_STRINGS_BEG(d) && WORDCHAR_P(d - 1)
-                    && (!WORDCHAR_P(d) || AT_STRINGS_END(d)))
+                    && (!wordchar_p(d,end1,string2) || at_strings_end(d,end2)))
                 break;
             goto fail;
 
         case wordchar:
             DEBUG_PRINT1("EXECUTING non-Emacs wordchar.\n");
             PREFETCH();
-            if (!WORDCHAR_P(d))
+            if (!wordchar_p(d,end1,string2))
                 goto fail;
             SET_REGS_MATCHED();
             d++;
@@ -3762,7 +3767,7 @@
         case notwordchar:
             DEBUG_PRINT1("EXECUTING non-Emacs notwordchar.\n");
             PREFETCH();
-            if (WORDCHAR_P(d))
+            if (wordchar_p(d,end1,string2))
                 goto fail;
             SET_REGS_MATCHED();
             d++;
diff -u -r -N squid-3.3.8/compat/mswin.cc squid-3.3.9/compat/mswin.cc
--- squid-3.3.8/compat/mswin.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/mswin.cc	2013-09-11 16:08:38.000000000 +1200
@@ -37,7 +37,7 @@
 
 /* The following code section is part of an EXPERIMENTAL native */
 /* Windows NT/2000 Squid port - Compiles only on MS Visual C++ or MinGW */
-#if _SQUID_MSWIN_ || _SQUID_MINGW_
+#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 
 #undef strerror
 #define sys_nerr _sys_nerr
@@ -296,7 +296,7 @@
     return &grp;
 }
 
-#if defined(__MINGW32__)	/* MinGW environment */
+#if _SQUID_MINGW_
 int
 _free_osfhnd(int filehandle)
 {
diff -u -r -N squid-3.3.8/compat/os/mswin.h squid-3.3.9/compat/os/mswin.h
--- squid-3.3.8/compat/os/mswin.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/os/mswin.h	2013-09-11 16:08:38.000000000 +1200
@@ -51,6 +51,11 @@
 #define NOMINMAX
 #endif
 
+/// some builds of MinGW do not define IPV6_V6ONLY socket option
+#if !defined(IPV6_V6ONLY)
+#define IPV6_V6ONLY 27
+#endif
+
 #if defined _FILE_OFFSET_BITS && _FILE_OFFSET_BITS == 64
 # define __USE_FILE_OFFSET64	1
 #endif
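Review bot: The `IPV6_V6ONLY` fallback depends on where it is evaluated. It sits right after the `NOMINMAX` block, and the hunk does not show whether the WinSock headers that normally define the option have already been included at that point. The bare `27` also has no provenance; a comment such as `/* value from the Windows SDK socket headers; option is rejected at runtime on stacks without dual-stack support */` would tell maintainers where it came from. It would also make clear that defining the name does not guarantee the option works, so callers still need to check the `setsockopt()` result. Using `#ifndef IPV6_V6ONLY` would match the guard style of the surrounding lines.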
@@ -103,6 +108,9 @@
 #define mkdir(p,F) _mkdir((p))
 #define mktemp _mktemp
 #endif
+#if _SQUID_MINGW_
+#define mkdir(p,F) mkdir((p))
+#endif
 #define pclose _pclose
 #define pipe WIN32_pipe
 #define popen _popen
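Review bot: `#define mkdir(p,F) mkdir((p))` silently discards the mode argument, so a caller that asks for a restrictive mode on a cache or log directory gets whatever the platform default is. That needs a comment at the definition, e.g. `/* MinGW mkdir() takes no mode: F is ignored, permissions are inherited from the parent directory */`. The preceding `#if` that defines `mkdir(p,F)` as `_mkdir((p))` opens outside the hunk. If its condition can also hold on MinGW, this is a second, different definition of the same macro, so making it an `#elif` of that block would rule out the redefinition.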
@@ -340,7 +348,7 @@
 SQUIDCEXTERN _CRTIMP ioinfo * __pioinfo[];
 SQUIDCEXTERN int __cdecl _free_osfhnd(int);
 
-#elif defined(__MINGW32__) /* MinGW environment */
+#elif _SQUID_MINGW_	/* MinGW environment */
 
 __MINGW_IMPORT ioinfo * __pioinfo[];
 SQUIDCEXTERN int _free_osfhnd(int);
@@ -428,6 +436,18 @@
 {
 /** \endcond */
 
+/*
+ * Each of these functions is defined in the Squid namespace so as not to
+ * clash with the winsock.h and winsock2.h definitions.
+ * It is then paired with a #define to cause these wrappers to be used by
+ * the main code instead of those system definitions.
+ *
+ * We do this wrapper in order to:
+ * - cast the parameter types in only one place, and
+ * - record errors in POSIX errno variable, and
+ * - map the FD value used by Squid to the socket handes used by Windows.
+ */
+
 inline
 int accept(int s, struct sockaddr * a, size_t * l)
 {
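Review bot: The new block comment has a typo in its last bullet, "socket handes" should read "socket handles". It also says each wrapper "is then paired with a #define", but in the visible hunks the pairing is only added for the three WSA* functions, so the wording should be checked against the wrappers outside this hunk. A doc-comment opener (`/**`) would match the `/** \endcond */` style directly above.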
@@ -658,6 +678,7 @@
     } else
         return 0;
 }
+#define WSAAsyncSelect(s,h,w,e) Squid::WSAAsyncSelect(s,h,w,e)
 
 #undef WSADuplicateSocket
 inline
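Review bot: The `#define WSAAsyncSelect(s,h,w,e) Squid::WSAAsyncSelect(s,h,w,e)` line is placed inside the `namespace Squid` block, but macros are not scoped by namespaces, so it rewrites every later use of the name in the translation unit. That includes an already-qualified call, which would become `Squid::Squid::WSAAsyncSelect(...)`, and any system prototype of the same name if a WinSock header is included after this one. The same applies to the `WSADuplicateSocket` and `WSASocket` defines in the next two hunks. Moving the three defines below the closing `} /* namespace Squid */` would make that file-wide effect visible. A one-line comment such as `/* must come after all WinSock headers */` would record the ordering requirement.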
@@ -673,6 +694,7 @@
     } else
         return 0;
 }
+#define WSADuplicateSocket(s,n,l) Squid::WSADuplicateSocket(s,n,l)
 
 #undef WSASocket
 inline
@@ -690,6 +712,7 @@
     } else
         return _open_osfhandle(result, 0);
 }
+#define WSASocket(a,t,p,i,g,f) Squid::WSASocket(a,t,p,i,g,f)
 
 } /* namespace Squid */
 
diff -u -r -N squid-3.3.8/compat/osdetect.h squid-3.3.9/compat/osdetect.h
--- squid-3.3.8/compat/osdetect.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/osdetect.h	2013-09-11 16:08:38.000000000 +1200
@@ -73,10 +73,6 @@
 #define _SQUID_WINDOWS_ 1
 
 #elif defined(WIN32) || defined(WINNT) || defined(__WIN32__) || defined(__WIN32)
-/* We are using _SQUID_MSWIN_ define in cf.data.pre, so
-   it must be defined to 1 to avoid the build failure of cfgen.
- */
-#define _SQUID_MSWIN_ 1
 #define _SQUID_WINDOWS_ 1
 
 #elif defined(__APPLE__)
diff -u -r -N squid-3.3.8/compat/types.h squid-3.3.9/compat/types.h
--- squid-3.3.8/compat/types.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/compat/types.h	2013-09-11 16:08:38.000000000 +1200
@@ -91,7 +91,7 @@
  * "%lx" instead of "%llx"
  */
 #ifndef PRId64
-#if _SQUID_MSWIN_		/* Windows native port using MSVCRT */
+#if _SQUID_WINDOWS_
 #define PRId64 "I64d"
 #elif SIZEOF_INT64_T > SIZEOF_LONG
 #define PRId64 "lld"
@@ -101,7 +101,7 @@
 #endif
 
 #ifndef PRIu64
-#if _SQUID_MSWIN_		/* Windows native port using MSVCRT */
+#if _SQUID_WINDOWS_
 #define PRIu64 "I64u"
 #elif SIZEOF_INT64_T > SIZEOF_LONG
 #define PRIu64 "llu"
@@ -111,7 +111,7 @@
 #endif
 
 #ifndef PRIX64
-#if _SQUID_MSWIN_		/* Windows native port using MSVCRT */
+#if _SQUID_WINDOWS_
 #define PRIX64 "I64X"
 #elif SIZEOF_INT64_T > SIZEOF_LONG
 #define PRIX64 "llX"
diff -u -r -N squid-3.3.8/configure squid-3.3.9/configure
--- squid-3.3.8/configure	2013-07-14 01:26:28.000000000 +1200
+++ squid-3.3.9/configure	2013-09-11 16:09:44.000000000 +1200
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.8.
+# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.9.
 #
 # Report bugs to <http://bugs.squid-cache.org/>.
 #
@@ -575,8 +575,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.3.8'
-PACKAGE_STRING='Squid Web Proxy 3.3.8'
+PACKAGE_VERSION='3.3.9'
+PACKAGE_STRING='Squid Web Proxy 3.3.9'
 PACKAGE_BUGREPORT='http://bugs.squid-cache.org/'
 PACKAGE_URL=''
 
@@ -1570,7 +1570,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.3.8 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.3.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1640,7 +1640,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 3.3.8:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 3.3.9:";;
    esac
   cat <<\_ACEOF
 
@@ -2014,7 +2014,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 3.3.8
+Squid Web Proxy configure 3.3.9
 generated by GNU Autoconf 2.68
 
 Copyright (C) 2010 Free Software Foundation, Inc.
@@ -3110,7 +3110,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 3.3.8, which was
+It was created by Squid Web Proxy $as_me 3.3.9, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   $ $0 $@
@@ -3929,7 +3929,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='3.3.8'
+ VERSION='3.3.9'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -18546,7 +18546,7 @@
    squid_cv_cc_arg_pipe=""
    ;;
   clang)
-   squid_cv_cxx_option_werror="-Werror -Wno-error=parentheses-equality"
+   squid_cv_cxx_option_werror="-Werror -Qunused-arguments"
    squid_cv_cc_option_werror="$squid_cv_cxx_option_werror"
    squid_cv_cc_option_wall="-Wall"
    squid_cv_cc_option_optimize="-O2"
@@ -18948,9 +18948,15 @@
 # to be used by sub-commands
 export enable_inline
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for atomic operations support" >&5
-$as_echo_n "checking for atomic operations support... " >&6; }
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU atomic operations support" >&5
+$as_echo_n "checking for GNU atomic operations support... " >&6; }
+if test "$cross_compiling" = yes; then :
+  { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run test program while cross compiling
+See \`config.log' for more details" "$LINENO" 5; }
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
     int n = 0;
@@ -18970,7 +18976,7 @@
   return 0;
 }
 _ACEOF
-if ac_fn_cxx_try_compile "$LINENO"; then :
+if ac_fn_cxx_try_run "$LINENO"; then :
 
 
 $as_echo "#define HAVE_ATOMIC_OPS 1" >>confdefs.h
@@ -18984,7 +18990,10 @@
 $as_echo "no" >&6; }
 
 fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
 
 
 # Check whether --enable-debug-cbdata was given.
@@ -20803,12 +20812,18 @@
   esac
   #Iphlpapi.h check delayed after winsock2.h
   for ac_header in \
+    windows.h \
     sys/sockio.h \
     sys/param.h
-
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
-ac_fn_cxx_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
+ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
+#if HAVE_WINDOWS_H
+include <windows.h>
+#endif
+
+
+"
 if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
 #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
@@ -27212,16 +27227,23 @@
 
 
 
-  for ac_header in Iphlpapi.h
+  for ac_header in \
+    windows.h \
+    ws2tcpip.h \
+    Iphlpapi.h
 do :
-  ac_fn_cxx_check_header_compile "$LINENO" "Iphlpapi.h" "ac_cv_header_Iphlpapi_h" "
+  as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ac_fn_cxx_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "
+#if HAVE_WINDOWS_H
+#include <windows.h>
+#endif
 #if HAVE_WINSOCK2_H
 #include <winsock2.h>
 #endif
 "
-if test "x$ac_cv_header_Iphlpapi_h" = xyes; then :
+if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
   cat >>confdefs.h <<_ACEOF
-#define HAVE_IPHLPAPI_H 1
+#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
 _ACEOF
 
 fi
@@ -31810,7 +31832,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 3.3.8, which was
+This file was extended by Squid Web Proxy $as_me 3.3.9, which was
 generated by GNU Autoconf 2.68.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -31876,7 +31898,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-Squid Web Proxy config.status 3.3.8
+Squid Web Proxy config.status 3.3.9
 configured by $0, generated by GNU Autoconf 2.68,
   with options \\"\$ac_cs_config\\"
 
diff -u -r -N squid-3.3.8/configure.ac squid-3.3.9/configure.ac
--- squid-3.3.8/configure.ac	2013-07-14 01:26:28.000000000 +1200
+++ squid-3.3.9/configure.ac	2013-09-11 16:09:44.000000000 +1200
@@ -1,4 +1,4 @@
-AC_INIT([Squid Web Proxy],[3.3.8],[http://bugs.squid-cache.org/],[squid])
+AC_INIT([Squid Web Proxy],[3.3.9],[http://bugs.squid-cache.org/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
@@ -391,8 +391,8 @@
 dnl
 dnl Check for atomic operations support in the compiler
 dnl
-AC_MSG_CHECKING([for atomic operations support])
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+AC_MSG_CHECKING([for GNU atomic operations support])
+AC_RUN_IFELSE([AC_LANG_PROGRAM([[
     int n = 0;
 ]],[[
     __sync_add_and_fetch(&n, 10); // n becomes 10
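Review bot: Changing `AC_COMPILE_IFELSE` to `AC_RUN_IFELSE` without an action-if-cross-compiling argument makes cross builds fail outright. The regenerated `configure` in this same patch now calls `as_fn_error ... "cannot run test program while cross compiling"` for this check. The call continues into the next hunk, where only the yes/no actions are given. Add a fourth argument that falls back instead of aborting, e.g. `,[ AC_MSG_RESULT([no (cross-compiling)]) ]`. A conservative "no" only disables the atomics-based code paths.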
@@ -403,8 +403,7 @@
     return (n == 200) ? 0 : -1;
 ]])],
 [
-    AC_DEFINE(HAVE_ATOMIC_OPS,1,
-        [Define to 1 if you have __sync_add_and_fetch() and such])
+    AC_DEFINE(HAVE_ATOMIC_OPS,1,[Define to 1 if you have __sync_add_and_fetch() and such])
     AC_MSG_RESULT(yes)
 ],[
     AC_MSG_RESULT(no)
@@ -1158,8 +1157,14 @@
   esac
   #Iphlpapi.h check delayed after winsock2.h
   AC_CHECK_HEADERS( \
+    windows.h \
     sys/sockio.h \
-    sys/param.h
+    sys/param.h,
+  [], [], [[
+#if HAVE_WINDOWS_H
+include <windows.h>
+#endif
+]]
   )
   AC_CHECK_HEADERS( \
     net/if_arp.h \
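Review bot: The include prologue added here reads `include <windows.h>` without the leading `#`, and the regenerated `configure` carries the same text. Once `HAVE_WINDOWS_H` is defined, the test program for `sys/sockio.h` and `sys/param.h` contains a syntax error and both headers are reported missing on Windows hosts. The line should be `#include <windows.h>`, as in the Iphlpapi.h check later in this file. Passing a fourth argument also replaces autoconf's default includes for these checks, so a header that needs `<sys/types.h>` first may now be misdetected on non-Windows hosts.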
@@ -2653,7 +2658,13 @@
 dnl Check for Winsock only on MinGW, on Cygwin we must use emulated BSD socket API
 if test "x$squid_host_os" = "xmingw" ; then
   SQUID_CHECK_WINSOCK_LIB
-  AC_CHECK_HEADERS(Iphlpapi.h,,,[
+  AC_CHECK_HEADERS( \
+    windows.h \
+    ws2tcpip.h \
+    Iphlpapi.h ,,,[
+#if HAVE_WINDOWS_H
+#include <windows.h>
+#endif
 #if HAVE_WINSOCK2_H
 #include <winsock2.h>
 #endif])
diff -u -r -N squid-3.3.8/errors/af/error-details.txt squid-3.3.9/errors/af/error-details.txt
--- squid-3.3.8/errors/af/error-details.txt	2013-07-14 01:28:27.000000000 +1200
+++ squid-3.3.9/errors/af/error-details.txt	2013-09-11 16:11:23.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/ar/error-details.txt squid-3.3.9/errors/ar/error-details.txt
--- squid-3.3.8/errors/ar/error-details.txt	2013-07-14 01:28:59.000000000 +1200
+++ squid-3.3.9/errors/ar/error-details.txt	2013-09-11 16:11:44.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/az/error-details.txt squid-3.3.9/errors/az/error-details.txt
--- squid-3.3.8/errors/az/error-details.txt	2013-07-14 01:29:29.000000000 +1200
+++ squid-3.3.9/errors/az/error-details.txt	2013-09-11 16:12:06.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/bg/error-details.txt squid-3.3.9/errors/bg/error-details.txt
--- squid-3.3.8/errors/bg/error-details.txt	2013-07-14 01:30:06.000000000 +1200
+++ squid-3.3.9/errors/bg/error-details.txt	2013-09-11 16:12:28.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
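Review bot: The `descr` added for X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED ends with "please set the appropriate flag", which addresses whoever configures the TLS library rather than the reader of the `%ssl_error_descr` output; I would shorten it to `descr: "proxy certificates not allowed"`. The new strings also mix casing (`"Different CRL scope"` and `"Unsupported extension feature"` are capitalised, the rest are lower-case) while the context entries around them (`"Key usage does not include certificate signing"`, `"Application verification failure"`) are capitalised, so one form should be chosen, e.g. `descr: "Unable to get CRL issuer certificate"`. The same 84-line block is added unchanged to the ca, cs, da, de, el, en, es, et and fa files, so every locale receives the English text. If these files are generated from the en copy, the wording only needs fixing there.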
diff -u -r -N squid-3.3.8/errors/ca/error-details.txt squid-3.3.9/errors/ca/error-details.txt
--- squid-3.3.8/errors/ca/error-details.txt	2013-07-14 01:30:37.000000000 +1200
+++ squid-3.3.9/errors/ca/error-details.txt	2013-09-11 16:12:49.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/cs/error-details.txt squid-3.3.9/errors/cs/error-details.txt
--- squid-3.3.8/errors/cs/error-details.txt	2013-07-14 01:31:11.000000000 +1200
+++ squid-3.3.9/errors/cs/error-details.txt	2013-09-11 16:13:11.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/da/error-details.txt squid-3.3.9/errors/da/error-details.txt
--- squid-3.3.8/errors/da/error-details.txt	2013-07-14 01:31:45.000000000 +1200
+++ squid-3.3.9/errors/da/error-details.txt	2013-09-11 16:13:33.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/de/error-details.txt squid-3.3.9/errors/de/error-details.txt
--- squid-3.3.8/errors/de/error-details.txt	2013-07-14 01:32:15.000000000 +1200
+++ squid-3.3.9/errors/de/error-details.txt	2013-09-11 16:13:56.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/el/error-details.txt squid-3.3.9/errors/el/error-details.txt
--- squid-3.3.8/errors/el/error-details.txt	2013-07-14 01:32:45.000000000 +1200
+++ squid-3.3.9/errors/el/error-details.txt	2013-09-11 16:14:17.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/en/error-details.txt squid-3.3.9/errors/en/error-details.txt
--- squid-3.3.8/errors/en/error-details.txt	2013-07-14 01:33:18.000000000 +1200
+++ squid-3.3.9/errors/en/error-details.txt	2013-09-11 16:14:39.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/es/error-details.txt squid-3.3.9/errors/es/error-details.txt
--- squid-3.3.8/errors/es/error-details.txt	2013-07-14 01:33:48.000000000 +1200
+++ squid-3.3.9/errors/es/error-details.txt	2013-09-11 16:15:02.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/et/error-details.txt squid-3.3.9/errors/et/error-details.txt
--- squid-3.3.8/errors/et/error-details.txt	2013-07-14 01:34:18.000000000 +1200
+++ squid-3.3.9/errors/et/error-details.txt	2013-09-11 16:15:28.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/fa/error-details.txt squid-3.3.9/errors/fa/error-details.txt
--- squid-3.3.8/errors/fa/error-details.txt	2013-07-14 01:34:48.000000000 +1200
+++ squid-3.3.9/errors/fa/error-details.txt	2013-09-11 16:15:50.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/fi/error-details.txt squid-3.3.9/errors/fi/error-details.txt
--- squid-3.3.8/errors/fi/error-details.txt	2013-07-14 01:35:23.000000000 +1200
+++ squid-3.3.9/errors/fi/error-details.txt	2013-09-11 16:16:15.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/fr/error-details.txt squid-3.3.9/errors/fr/error-details.txt
--- squid-3.3.8/errors/fr/error-details.txt	2013-07-14 01:35:55.000000000 +1200
+++ squid-3.3.9/errors/fr/error-details.txt	2013-09-11 16:16:48.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/he/error-details.txt squid-3.3.9/errors/he/error-details.txt
--- squid-3.3.8/errors/he/error-details.txt	2013-07-14 01:36:35.000000000 +1200
+++ squid-3.3.9/errors/he/error-details.txt	2013-09-11 16:17:17.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/hu/error-details.txt squid-3.3.9/errors/hu/error-details.txt
--- squid-3.3.8/errors/hu/error-details.txt	2013-07-14 01:37:06.000000000 +1200
+++ squid-3.3.9/errors/hu/error-details.txt	2013-09-11 16:17:47.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/hy/error-details.txt squid-3.3.9/errors/hy/error-details.txt
--- squid-3.3.8/errors/hy/error-details.txt	2013-07-14 01:37:36.000000000 +1200
+++ squid-3.3.9/errors/hy/error-details.txt	2013-09-11 16:18:18.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/id/error-details.txt squid-3.3.9/errors/id/error-details.txt
--- squid-3.3.8/errors/id/error-details.txt	2013-07-14 01:38:04.000000000 +1200
+++ squid-3.3.9/errors/id/error-details.txt	2013-09-11 16:18:51.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/it/error-details.txt squid-3.3.9/errors/it/error-details.txt
--- squid-3.3.8/errors/it/error-details.txt	2013-07-14 01:38:38.000000000 +1200
+++ squid-3.3.9/errors/it/error-details.txt	2013-09-11 16:19:19.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/ja/error-details.txt squid-3.3.9/errors/ja/error-details.txt
--- squid-3.3.8/errors/ja/error-details.txt	2013-07-14 01:39:13.000000000 +1200
+++ squid-3.3.9/errors/ja/error-details.txt	2013-09-11 16:19:49.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/ko/error-details.txt squid-3.3.9/errors/ko/error-details.txt
--- squid-3.3.8/errors/ko/error-details.txt	2013-07-14 01:39:42.000000000 +1200
+++ squid-3.3.9/errors/ko/error-details.txt	2013-09-11 16:20:22.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/lt/error-details.txt squid-3.3.9/errors/lt/error-details.txt
--- squid-3.3.8/errors/lt/error-details.txt	2013-07-14 01:40:15.000000000 +1200
+++ squid-3.3.9/errors/lt/error-details.txt	2013-09-11 16:20:50.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/lv/error-details.txt squid-3.3.9/errors/lv/error-details.txt
--- squid-3.3.8/errors/lv/error-details.txt	2013-07-14 01:40:45.000000000 +1200
+++ squid-3.3.9/errors/lv/error-details.txt	2013-09-11 16:21:21.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
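Review bot: The `descr` added for X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, "proxy certificates not allowed, please set the appropriate flag", reads like a hint for a library developer rather than something an administrator or user reading a Squid error detail can act on; `descr: "proxy certificates not allowed"` would be clearer. The new entries also mix capitalisation: `"Different CRL scope"` and `"Unsupported extension feature"` start with a capital, like the existing context entries, while the other added descriptions are lower-case. The same English text is added unchanged to each locale file, so the identical hunks for ms, nl, oc, pl, pt, pt-br, ro, ru and sk share both points. Whether these strings reach a client-facing error page or only logs is not visible in this hunk.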
diff -u -r -N squid-3.3.8/errors/ms/error-details.txt squid-3.3.9/errors/ms/error-details.txt
--- squid-3.3.8/errors/ms/error-details.txt	2013-07-14 01:41:24.000000000 +1200
+++ squid-3.3.9/errors/ms/error-details.txt	2013-09-11 16:21:52.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/nl/error-details.txt squid-3.3.9/errors/nl/error-details.txt
--- squid-3.3.8/errors/nl/error-details.txt	2013-07-14 01:41:56.000000000 +1200
+++ squid-3.3.9/errors/nl/error-details.txt	2013-09-11 16:22:25.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/oc/error-details.txt squid-3.3.9/errors/oc/error-details.txt
--- squid-3.3.8/errors/oc/error-details.txt	2013-07-14 01:42:30.000000000 +1200
+++ squid-3.3.9/errors/oc/error-details.txt	2013-09-11 16:22:58.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/pl/error-details.txt squid-3.3.9/errors/pl/error-details.txt
--- squid-3.3.8/errors/pl/error-details.txt	2013-07-14 01:43:01.000000000 +1200
+++ squid-3.3.9/errors/pl/error-details.txt	2013-09-11 16:23:28.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/pt/error-details.txt squid-3.3.9/errors/pt/error-details.txt
--- squid-3.3.8/errors/pt/error-details.txt	2013-07-14 01:44:04.000000000 +1200
+++ squid-3.3.9/errors/pt/error-details.txt	2013-09-11 16:24:23.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/pt-br/error-details.txt squid-3.3.9/errors/pt-br/error-details.txt
--- squid-3.3.8/errors/pt-br/error-details.txt	2013-07-14 01:43:34.000000000 +1200
+++ squid-3.3.9/errors/pt-br/error-details.txt	2013-09-11 16:23:56.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/ro/error-details.txt squid-3.3.9/errors/ro/error-details.txt
--- squid-3.3.8/errors/ro/error-details.txt	2013-07-14 01:44:33.000000000 +1200
+++ squid-3.3.9/errors/ro/error-details.txt	2013-09-11 16:24:52.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/ru/error-details.txt squid-3.3.9/errors/ru/error-details.txt
--- squid-3.3.8/errors/ru/error-details.txt	2013-07-14 01:45:08.000000000 +1200
+++ squid-3.3.9/errors/ru/error-details.txt	2013-09-11 16:25:21.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/sk/error-details.txt squid-3.3.9/errors/sk/error-details.txt
--- squid-3.3.8/errors/sk/error-details.txt	2013-07-14 01:45:39.000000000 +1200
+++ squid-3.3.9/errors/sk/error-details.txt	2013-09-11 16:25:49.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/sl/error-details.txt squid-3.3.9/errors/sl/error-details.txt
--- squid-3.3.8/errors/sl/error-details.txt	2013-07-14 01:46:14.000000000 +1200
+++ squid-3.3.9/errors/sl/error-details.txt	2013-09-11 16:26:26.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/sr-cyrl/error-details.txt squid-3.3.9/errors/sr-cyrl/error-details.txt
--- squid-3.3.8/errors/sr-cyrl/error-details.txt	2013-07-14 01:46:47.000000000 +1200
+++ squid-3.3.9/errors/sr-cyrl/error-details.txt	2013-09-11 16:27:03.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/sr-latn/error-details.txt squid-3.3.9/errors/sr-latn/error-details.txt
--- squid-3.3.8/errors/sr-latn/error-details.txt	2013-07-14 01:47:18.000000000 +1200
+++ squid-3.3.9/errors/sr-latn/error-details.txt	2013-09-11 16:27:35.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/sv/error-details.txt squid-3.3.9/errors/sv/error-details.txt
--- squid-3.3.8/errors/sv/error-details.txt	2013-07-14 01:47:47.000000000 +1200
+++ squid-3.3.9/errors/sv/error-details.txt	2013-09-11 16:28:07.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/templates/error-details.txt squid-3.3.9/errors/templates/error-details.txt
--- squid-3.3.8/errors/templates/error-details.txt	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/errors/templates/error-details.txt	2013-09-11 16:08:38.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
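Review bot: The new `descr` strings in this hunk mix capitalisation: most start lower-case (`"unable to get CRL issuer certificate"`), while `"Different CRL scope"`, `"Unsupported extension feature"` and the two context entries (`"Key usage does not include certificate signing"`, `"Application verification failure"`) start upper-case. Since `descr` is presumably what `%ssl_error_descr` expands to in the `detail` line, I would normalise the new entries to the sentence case the file already uses, e.g. `descr: "Unable to get CRL issuer certificate"`. The entry for X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED also ends with `please set the appropriate flag`, which reads as advice to a library caller rather than to whoever reads a certificate-validation failure; `descr: "Proxy certificates not allowed"` would be clearer. The per-language copies of error-details.txt in this patch carry the same strings, so the same applies to them.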
diff -u -r -N squid-3.3.8/errors/th/error-details.txt squid-3.3.9/errors/th/error-details.txt
--- squid-3.3.8/errors/th/error-details.txt	2013-07-14 01:48:17.000000000 +1200
+++ squid-3.3.9/errors/th/error-details.txt	2013-09-11 16:28:34.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/tr/error-details.txt squid-3.3.9/errors/tr/error-details.txt
--- squid-3.3.8/errors/tr/error-details.txt	2013-07-14 01:48:46.000000000 +1200
+++ squid-3.3.9/errors/tr/error-details.txt	2013-09-11 16:29:02.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/uk/error-details.txt squid-3.3.9/errors/uk/error-details.txt
--- squid-3.3.8/errors/uk/error-details.txt	2013-07-14 01:49:13.000000000 +1200
+++ squid-3.3.9/errors/uk/error-details.txt	2013-09-11 16:29:30.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/uz/error-details.txt squid-3.3.9/errors/uz/error-details.txt
--- squid-3.3.8/errors/uz/error-details.txt	2013-07-14 01:49:42.000000000 +1200
+++ squid-3.3.9/errors/uz/error-details.txt	2013-09-11 16:29:57.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/vi/error-details.txt squid-3.3.9/errors/vi/error-details.txt
--- squid-3.3.8/errors/vi/error-details.txt	2013-07-14 01:50:07.000000000 +1200
+++ squid-3.3.9/errors/vi/error-details.txt	2013-09-11 16:30:26.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/zh-cn/error-details.txt squid-3.3.9/errors/zh-cn/error-details.txt
--- squid-3.3.8/errors/zh-cn/error-details.txt	2013-07-14 01:50:30.000000000 +1200
+++ squid-3.3.9/errors/zh-cn/error-details.txt	2013-09-11 16:30:56.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/errors/zh-tw/error-details.txt squid-3.3.9/errors/zh-tw/error-details.txt
--- squid-3.3.8/errors/zh-tw/error-details.txt	2013-07-14 01:50:57.000000000 +1200
+++ squid-3.3.9/errors/zh-tw/error-details.txt	2013-09-11 16:31:31.000000000 +1200
@@ -130,6 +130,90 @@
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Key usage does not include certificate signing"
 
+name: X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unable to get CRL issuer certificate"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical extension"
+
+name: X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include CRL signing"
+
+name: X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unhandled critical CRL extension"
+
+name: X509_V_ERR_INVALID_NON_CA
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid non-CA certificate (has CA markings)"
+
+name: X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy path length constraint exceeded"
+
+name: X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "key usage does not include digital signature"
+
+name: X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "proxy certificates not allowed, please set the appropriate flag"
+
+name: X509_V_ERR_INVALID_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate extension"
+
+name: X509_V_ERR_INVALID_POLICY_EXTENSION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "invalid or inconsistent certificate policy extension"
+
+name: X509_V_ERR_NO_EXPLICIT_POLICY
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "no explicit policy"
+
+name: X509_V_ERR_DIFFERENT_CRL_SCOPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Different CRL scope"
+
+name: X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Unsupported extension feature"
+
+name: X509_V_ERR_UNNESTED_RESOURCE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "RFC 3779 resource not subset of parent's resources"
+
+name: X509_V_ERR_PERMITTED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "permitted subtree violation"
+
+name: X509_V_ERR_EXCLUDED_VIOLATION
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "excluded subtree violation"
+
+name: X509_V_ERR_SUBTREE_MINMAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "name constraints minimum and maximum not supported"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported name constraint type"
+
+name: X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name constraint syntax"
+
+name: X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "unsupported or invalid name syntax"
+
+name: X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "CRL path validation error"
+
 name: X509_V_ERR_APPLICATION_VERIFICATION
 detail: "%ssl_error_descr: %ssl_subject"
 descr: "Application verification failure"
diff -u -r -N squid-3.3.8/helpers/basic_auth/DB/basic_db_auth.8 squid-3.3.9/helpers/basic_auth/DB/basic_db_auth.8
--- squid-3.3.8/helpers/basic_auth/DB/basic_db_auth.8	2013-07-14 01:51:11.000000000 +1200
+++ squid-3.3.9/helpers/basic_auth/DB/basic_db_auth.8	2013-09-11 16:31:37.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "BASIC_DB_AUTH 1"
-.TH BASIC_DB_AUTH 1 "2013-07-13" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH BASIC_DB_AUTH 1 "2013-09-10" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.8/helpers/basic_auth/LDAP/basic_ldap_auth.cc squid-3.3.9/helpers/basic_auth/LDAP/basic_ldap_auth.cc
--- squid-3.3.8/helpers/basic_auth/LDAP/basic_ldap_auth.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/basic_auth/LDAP/basic_ldap_auth.cc	2013-09-11 16:08:38.000000000 +1200
@@ -93,8 +93,7 @@
 #include <string.h>
 #include <ctype.h>
 
-#if _SQUID_MSWIN_		/* Native Windows port and MinGW */
-
+#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 #define snprintf _snprintf
 #include <windows.h>
 #include <winldap.h>
@@ -554,7 +553,7 @@
     /* On Windows ldap_start_tls_s is available starting from Windows XP,
      * so we need to bind at run-time with the function entry point
      */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (use_tls) {
 
         HMODULE WLDAP32Handle;
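Review bot: The run-time TLS binding block is guarded by `#if _SQUID_WINDOWS_` alone, while the block at the top of this file that includes `<windows.h>` and `<winldap.h>` is guarded by `#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_`. If `_SQUID_WINDOWS_` is also defined for Cygwin builds, as the extra `!_SQUID_CYGWIN_` term suggests, this block would use `HMODULE` and the WLDAP32 entry point without those headers. Using the same condition here, `#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_`, keeps the two guards in step. The same pair of guards appears in helpers/digest_auth/eDirectory/ldap_backend.cc, helpers/digest_auth/LDAP/ldap_backend.cc and helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc. The enclosing function starts and ends outside the hunk.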
diff -u -r -N squid-3.3.8/helpers/basic_auth/RADIUS/basic_radius_auth.cc squid-3.3.9/helpers/basic_auth/RADIUS/basic_radius_auth.cc
--- squid-3.3.8/helpers/basic_auth/RADIUS/basic_radius_auth.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/basic_auth/RADIUS/basic_radius_auth.cc	2013-09-11 16:08:38.000000000 +1200
@@ -120,7 +120,7 @@
 
 char progname[] = "basic_radius_auth";
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 void
 Win32SockCleanup(void)
 {
@@ -532,7 +532,7 @@
         fprintf(stderr, "FATAL: %s: Shared secret not specified\n", argv[0]);
         exit(1);
     }
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     {
         WSADATA wsaData;
         WSAStartup(2, &wsaData);
diff -u -r -N squid-3.3.8/helpers/basic_auth/SSPI/valid.h squid-3.3.9/helpers/basic_auth/SSPI/valid.h
--- squid-3.3.8/helpers/basic_auth/SSPI/valid.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/basic_auth/SSPI/valid.h	2013-09-11 16:08:38.000000000 +1200
@@ -88,7 +88,7 @@
 debug(char *format,...)
 {
 #ifdef DEBUG
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (debug_enabled) {
         va_list args;
 
@@ -97,7 +97,7 @@
         vfprintf(stderr, format, args);
         va_end(args);
     }
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
 #endif /* DEBUG */
 }
 #endif /* __GNUC__ */
diff -u -r -N squid-3.3.8/helpers/digest_auth/eDirectory/edir_ldapext.cc squid-3.3.9/helpers/digest_auth/eDirectory/edir_ldapext.cc
--- squid-3.3.8/helpers/digest_auth/eDirectory/edir_ldapext.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/digest_auth/eDirectory/edir_ldapext.cc	2013-09-11 16:08:38.000000000 +1200
@@ -26,7 +26,7 @@
 
 #include "digest_common.h"
 
-#if _SQUID_MSWIN_            /* Native Windows port and MinGW */
+#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 
 #define snprintf _snprintf
 #include <windows.h>
diff -u -r -N squid-3.3.8/helpers/digest_auth/eDirectory/ldap_backend.cc squid-3.3.9/helpers/digest_auth/eDirectory/ldap_backend.cc
--- squid-3.3.8/helpers/digest_auth/eDirectory/ldap_backend.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/digest_auth/eDirectory/ldap_backend.cc	2013-09-11 16:08:38.000000000 +1200
@@ -11,7 +11,7 @@
 
 #include "ldap_backend.h"
 
-#if _SQUID_MSWIN_		/* Native Windows port and MinGW */
+#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 
 #define snprintf _snprintf
 #include <windows.h>
@@ -332,7 +332,7 @@
     /* On Windows ldap_start_tls_s is available starting from Windows XP,
      * so we need to bind at run-time with the function entry point
      */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (use_tls) {
 
         HMODULE WLDAP32Handle;
diff -u -r -N squid-3.3.8/helpers/digest_auth/LDAP/ldap_backend.cc squid-3.3.9/helpers/digest_auth/LDAP/ldap_backend.cc
--- squid-3.3.8/helpers/digest_auth/LDAP/ldap_backend.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/digest_auth/LDAP/ldap_backend.cc	2013-09-11 16:08:38.000000000 +1200
@@ -12,7 +12,7 @@
 
 #include "ldap_backend.h"
 
-#if _SQUID_MSWIN_		/* Native Windows port and MinGW */
+#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 
 #define snprintf _snprintf
 #include <windows.h>
@@ -304,7 +304,7 @@
     /* On Windows ldap_start_tls_s is available starting from Windows XP,
      * so we need to bind at run-time with the function entry point
      */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (use_tls) {
 
         HMODULE WLDAP32Handle;
diff -u -r -N squid-3.3.8/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc squid-3.3.9/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc
--- squid-3.3.8/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc	2013-09-11 16:08:38.000000000 +1200
@@ -51,7 +51,7 @@
 #include <ctype.h>
 #endif
 
-#if _SQUID_MSWIN_		/* Native Windows port and MinGW */
+#if _SQUID_WINDOWS_ && !_SQUID_CYGWIN_
 
 #define snprintf _snprintf
 #include <windows.h>
@@ -451,7 +451,7 @@
     /* On Windows ldap_start_tls_s is available starting from Windows XP,
      * so we need to bind at run-time with the function entry point
      */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (use_tls) {
 
         HMODULE WLDAP32Handle;
diff -u -r -N squid-3.3.8/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.3.9/helpers/external_acl/SQL_session/ext_sql_session_acl.8
--- squid-3.3.8/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2013-07-14 01:51:22.000000000 +1200
+++ squid-3.3.9/helpers/external_acl/SQL_session/ext_sql_session_acl.8	2013-09-11 16:31:43.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_SQL_SESSION_ACL 1"
-.TH EXT_SQL_SESSION_ACL 1 "2013-07-13" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_SQL_SESSION_ACL 1 "2013-09-10" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.8/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.3.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8
--- squid-3.3.8/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2013-07-14 01:51:23.000000000 +1200
+++ squid-3.3.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8	2013-09-11 16:31:43.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1"
-.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-07-13" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-09-10" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.8/helpers/log_daemon/DB/log_db_daemon.8 squid-3.3.9/helpers/log_daemon/DB/log_db_daemon.8
--- squid-3.3.8/helpers/log_daemon/DB/log_db_daemon.8	2013-07-14 01:51:24.000000000 +1200
+++ squid-3.3.9/helpers/log_daemon/DB/log_db_daemon.8	2013-09-11 16:31:44.000000000 +1200
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "LOG_DB_DAEMON 1"
-.TH LOG_DB_DAEMON 1 "2013-07-13" "perl v5.10.1" "User Contributed Perl Documentation"
+.TH LOG_DB_DAEMON 1 "2013-09-10" "perl v5.10.1" "User Contributed Perl Documentation"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
diff -u -r -N squid-3.3.8/include/autoconf.h.in squid-3.3.9/include/autoconf.h.in
--- squid-3.3.8/include/autoconf.h.in	2013-07-14 01:25:35.000000000 +1200
+++ squid-3.3.9/include/autoconf.h.in	2013-09-11 16:09:07.000000000 +1200
@@ -1067,6 +1067,9 @@
 /* Define if you have PSAPI.DLL on Windows systems */
 #undef HAVE_WIN32_PSAPI
 
+/* Define to 1 if you have the <windows.h> header file. */
+#undef HAVE_WINDOWS_H
+
 /* Define to 1 if you have the <winsock2.h> header file. */
 #undef HAVE_WINSOCK2_H
 
@@ -1079,6 +1082,9 @@
 /* Define to 1 if you have the `write' function. */
 #undef HAVE_WRITE
 
+/* Define to 1 if you have the <ws2tcpip.h> header file. */
+#undef HAVE_WS2TCPIP_H
+
 /* Define to 1 if you have the `__res_init' function. */
 #undef HAVE___RES_INIT
 
diff -u -r -N squid-3.3.8/include/squid.h squid-3.3.9/include/squid.h
--- squid-3.3.8/include/squid.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/include/squid.h	2013-09-11 16:08:38.000000000 +1200
@@ -115,7 +115,7 @@
 #define SQUID_MAXPATHLEN 256
 
 // TODO: determine if this is required. OR if compat/os/mswin.h works
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 /** \cond AUTODOCS-IGNORE */
 using namespace Squid;
 /** \endcond */
diff -u -r -N squid-3.3.8/include/util.h squid-3.3.9/include/util.h
--- squid-3.3.8/include/util.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/include/util.h	2013-09-11 16:08:38.000000000 +1200
@@ -111,7 +111,7 @@
 
 /* Windows Port */
 /* win32lib.c */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 SQUIDCEXTERN int chroot (const char *);
 #if !HAVE_GETTIMEOFDAY
 SQUIDCEXTERN int gettimeofday(struct timeval * ,void *);
diff -u -r -N squid-3.3.8/include/version.h squid-3.3.9/include/version.h
--- squid-3.3.8/include/version.h	2013-07-14 01:26:28.000000000 +1200
+++ squid-3.3.9/include/version.h	2013-09-11 16:09:46.000000000 +1200
@@ -7,7 +7,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1373721912
+#define SQUID_RELEASE_TIME 1378872515
 #endif
 
 #ifndef APP_SHORTNAME
diff -u -r -N squid-3.3.8/lib/dirent.c squid-3.3.9/lib/dirent.c
--- squid-3.3.8/lib/dirent.c	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/lib/dirent.c	2013-09-11 16:08:38.000000000 +1200
@@ -49,7 +49,7 @@
 #include "squid.h"
 
 /* The following code section is part of the native Windows Squid port */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 #include "util.h"
 #include <stdlib.h>
@@ -309,4 +309,4 @@
         while ((dirp->dd_stat < lPos) && readdir(dirp));
     }
 }
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
diff -u -r -N squid-3.3.8/lib/getopt.c squid-3.3.9/lib/getopt.c
--- squid-3.3.8/lib/getopt.c	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/lib/getopt.c	2013-09-11 16:08:38.000000000 +1200
@@ -45,7 +45,7 @@
 
 #define	BADCH	(int)'?'
 #define	BADARG	(int)':'
-#define	EMSG	""
+#define	EMSG	(char*)""
 
 /*
  * getopt --
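Review bot: `EMSG` now expands to an unparenthesised cast, so in a larger expression such as indexing the postfix operator would bind to the string literal before the cast applies. `#define EMSG ((char*)"")` avoids that. The cast also hides that the literal is read-only, and writing through a pointer initialised from `EMSG` is undefined behaviour. A comment such as `/* read-only empty string; never written through */` would record that, or the receiving variable could be declared `const char *` if its uses, which are outside this hunk, allow it.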
diff -u -r -N squid-3.3.8/lib/Makefile.am squid-3.3.9/lib/Makefile.am
--- squid-3.3.8/lib/Makefile.am	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/lib/Makefile.am	2013-09-11 16:08:38.000000000 +1200
@@ -1,12 +1,9 @@
 include $(top_srcdir)/src/Common.am
 
 DIST_SUBDIRS = ntlmauth profiler rfcnb smblib libTrie
+SUBDIRS=
 EXTRA_DIST=
 
-SUBDIRS = rfcnb smblib
-if ENABLE_AUTH_NTLM
-SUBDIRS += ntlmauth
-endif
 if USE_ESI
 SUBDIRS += libTrie
 endif
@@ -14,23 +11,28 @@
 SUBDIRS += profiler
 endif
 
-
 install: all
 install-strip: all
 
-if ENABLE_WIN32SPECIFIC
-LIBSSPWIN32=libsspwin32.la
-else
-LIBSSPWIN32=
-EXTRA_LTLIBRARIES = \
-	libsspwin32.la
-endif
-
 noinst_LTLIBRARIES = \
 	libmiscencoding.la \
 	libmisccontainers.la \
-	libmiscutil.la \
-	$(LIBSSPWIN32)
+	libmiscutil.la
+
+#
+# Some libraries are only available on Windows
+# and others are unable to be built.
+#
+if ENABLE_WIN32SPECIFIC
+noinst_LTLIBRARIES += libsspwin32.la
+libsspwin32_la_SOURCES = sspwin32.c
+else
+SUBDIRS += rfcnb smblib
+EXTRA_DIST += sspwin32.c
+endif
+if ENABLE_AUTH_NTLM
+SUBDIRS += ntlmauth
+endif
 
 #
 # dirent.c, encrypt.c and getopt.c are needed for native Windows support.
@@ -71,10 +73,6 @@
 	util.c \
 	xusleep.c
 
-# $(top_srcdir)/include/version.h should be a dependency
-libsspwin32_la_SOURCES = \
-	sspwin32.c
-
 TESTS += tests/testAll
 
 check_PROGRAMS += tests/testAll
diff -u -r -N squid-3.3.8/lib/Makefile.in squid-3.3.9/lib/Makefile.in
--- squid-3.3.8/lib/Makefile.in	2013-07-14 01:25:50.000000000 +1200
+++ squid-3.3.9/lib/Makefile.in	2013-09-11 16:09:21.000000000 +1200
@@ -39,9 +39,17 @@
 check_PROGRAMS = tests/testAll$(EXEEXT)
 TESTS = tests/testAll$(EXEEXT) testHeaders
 @USE_LOADABLE_MODULES_TRUE@am__append_1 = $(INCLTDL)
-@ENABLE_AUTH_NTLM_TRUE@am__append_2 = ntlmauth
-@USE_ESI_TRUE@am__append_3 = libTrie
-@ENABLE_XPROF_STATS_TRUE@am__append_4 = profiler
+@USE_ESI_TRUE@am__append_2 = libTrie
+@ENABLE_XPROF_STATS_TRUE@am__append_3 = profiler
+
+#
+# Some libraries are only available on Windows
+# and others are unable to be built.
+#
+@ENABLE_WIN32SPECIFIC_TRUE@am__append_4 = libsspwin32.la
+@ENABLE_WIN32SPECIFIC_FALSE@am__append_5 = rfcnb smblib
+@ENABLE_WIN32SPECIFIC_FALSE@am__append_6 = sspwin32.c
+@ENABLE_AUTH_NTLM_TRUE@am__append_7 = ntlmauth
 subdir = lib
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/acinclude/init.m4 \
@@ -75,9 +83,9 @@
 	rfc3596.lo Splay.lo stub_memaccount.lo util.lo xusleep.lo
 libmiscutil_la_OBJECTS = $(am_libmiscutil_la_OBJECTS)
 libsspwin32_la_LIBADD =
-am_libsspwin32_la_OBJECTS = sspwin32.lo
+am__libsspwin32_la_SOURCES_DIST = sspwin32.c
+@ENABLE_WIN32SPECIFIC_TRUE@am_libsspwin32_la_OBJECTS = sspwin32.lo
 libsspwin32_la_OBJECTS = $(am_libsspwin32_la_OBJECTS)
-@ENABLE_WIN32SPECIFIC_FALSE@am_libsspwin32_la_rpath =
 @ENABLE_WIN32SPECIFIC_TRUE@am_libsspwin32_la_rpath =
 am_tests_testAll_OBJECTS = testArray.$(OBJEXT) testRFC1035.$(OBJEXT) \
 	testRFC1738.$(OBJEXT) testMain.$(OBJEXT)
@@ -120,8 +128,8 @@
 	$(tests_testAll_SOURCES)
 DIST_SOURCES = $(libmisccontainers_la_SOURCES) \
 	$(libmiscencoding_la_SOURCES) $(libmiscutil_la_SOURCES) \
-	$(EXTRA_libmiscutil_la_SOURCES) $(libsspwin32_la_SOURCES) \
-	$(tests_testAll_SOURCES)
+	$(EXTRA_libmiscutil_la_SOURCES) \
+	$(am__libsspwin32_la_SOURCES_DIST) $(tests_testAll_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
 	html-recursive info-recursive install-data-recursive \
 	install-dvi-recursive install-exec-recursive \
@@ -385,19 +393,12 @@
 COMPAT_LIB = -L$(top_builddir)/compat -lcompat-squid $(LIBPROFILER)
 subst_perlshell = sed -e 's,[@]PERL[@],$(PERL),g' <$(srcdir)/$@.pl.in >$@ || ($(RM) -f $@ ; exit 1)
 DIST_SUBDIRS = ntlmauth profiler rfcnb smblib libTrie
-EXTRA_DIST = 
-SUBDIRS = rfcnb smblib $(am__append_2) $(am__append_3) $(am__append_4)
-@ENABLE_WIN32SPECIFIC_FALSE@LIBSSPWIN32 = 
-@ENABLE_WIN32SPECIFIC_TRUE@LIBSSPWIN32 = libsspwin32.la
-@ENABLE_WIN32SPECIFIC_FALSE@EXTRA_LTLIBRARIES = \
-@ENABLE_WIN32SPECIFIC_FALSE@	libsspwin32.la
-
-noinst_LTLIBRARIES = \
-	libmiscencoding.la \
-	libmisccontainers.la \
-	libmiscutil.la \
-	$(LIBSSPWIN32)
-
+SUBDIRS = $(am__append_2) $(am__append_3) $(am__append_5) \
+	$(am__append_7)
+EXTRA_DIST = $(am__append_6)
+noinst_LTLIBRARIES = libmiscencoding.la libmisccontainers.la \
+	libmiscutil.la $(am__append_4)
+@ENABLE_WIN32SPECIFIC_TRUE@libsspwin32_la_SOURCES = sspwin32.c
 
 #
 # dirent.c, encrypt.c and getopt.c are needed for native Windows support.
@@ -438,11 +439,6 @@
 	util.c \
 	xusleep.c
 
-
-# $(top_srcdir)/include/version.h should be a dependency
-libsspwin32_la_SOURCES = \
-	sspwin32.c
-
 tests_testAll_SOURCES = \
 	tests/testArray.h \
 	tests/testArray.cc \
diff -u -r -N squid-3.3.8/lib/rfcnb/session.c squid-3.3.9/lib/rfcnb/session.c
--- squid-3.3.8/lib/rfcnb/session.c	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/lib/rfcnb/session.c	2013-09-11 16:08:38.000000000 +1200
@@ -84,7 +84,7 @@
     /* Resolve that name into an IP address */
 
     Service_Address = Called_Name;
-    if (strcmp(Called_Address, "") != 0) {      /* If the Called Address = "" */
+    if (strlen(Called_Address) != 0) {      /* If the Called Address = "" */
         Service_Address = Called_Address;
     }
     if ((errno = RFCNB_Name_To_IP(Service_Address, &Dest_IP)) < 0) {    /* Error */
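Review bot: `strlen(Called_Address) != 0` walks the whole string only to test for emptiness; `if (Called_Address[0] != '\0') {` states the intent directly. Like the `strcmp` it replaces, it dereferences `Called_Address` unconditionally, and whether the pointer can be NULL is not visible in this hunk. The trailing comment `/* If the Called Address = "" */` describes the opposite of the condition and would read better as `/* Called Address given: use it instead of the name */`. The two `strlen(con -> address) == 0` tests in lib/smblib/smblib.c have the same shape. The enclosing function begins and ends outside the hunk.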
diff -u -r -N squid-3.3.8/lib/smblib/smblib.c squid-3.3.9/lib/smblib/smblib.c
--- squid-3.3.8/lib/smblib/smblib.c	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/lib/smblib/smblib.c	2013-09-11 16:08:38.000000000 +1200
@@ -152,7 +152,7 @@
 
     calling[strlen(con -> myname)] = 0;    /* Make it a string */
 
-    if (strcmp(con -> address, "") == 0)
+    if (strlen(con -> address) == 0)
         address = con -> desthost;
     else
         address = con -> address;
@@ -268,7 +268,7 @@
 
     calling[strlen(con -> myname)] = 0;    /* Make it a string */
 
-    if (strcmp(con -> address, "") == 0)
+    if (strlen(con -> address) == 0)
         address = con -> desthost;
     else
         address = con -> address;
diff -u -r -N squid-3.3.8/RELEASENOTES.html squid-3.3.9/RELEASENOTES.html
--- squid-3.3.8/RELEASENOTES.html	2013-07-14 01:51:51.000000000 +1200
+++ squid-3.3.9/RELEASENOTES.html	2013-09-11 16:32:08.000000000 +1200
@@ -2,10 +2,10 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
- <TITLE>Squid 3.3.8 release notes</TITLE>
+ <TITLE>Squid 3.3.9 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.3.8 release notes</H1>
+<H1>Squid 3.3.9 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -56,7 +56,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-3.3.8.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.3.9.</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v3/3.3/">http://www.squid-cache.org/Versions/v3/3.3/</A> or the 
 <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
diff -u -r -N squid-3.3.8/src/acl/MyPortName.cc squid-3.3.9/src/acl/MyPortName.cc
--- squid-3.3.8/src/acl/MyPortName.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/acl/MyPortName.cc	2013-09-11 16:08:38.000000000 +1200
@@ -44,7 +44,7 @@
 int
 ACLMyPortNameStrategy::match(ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
 {
-    if (checklist->conn() != NULL)
+    if (checklist->conn() != NULL && checklist->conn()->port != NULL)
         return data->match(checklist->conn()->port->name);
     if (checklist->request != NULL)
         return data->match(checklist->request->myportname.termedBuf());
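Review bot: The guard and the dereference call `checklist->conn()` three separate times, so the NULL checks and the `->port->name` access are not visibly applied to the same object. Holding the result in a local reads more safely: `const ConnStateData *conn = checklist->conn();` followed by `if (conn != NULL && conn->port != NULL) return data->match(conn->port->name);`. The local's type is inferred from the name used elsewhere in this patch, since the return type of `conn()` is not shown here, so confirm it. A short comment that a connection without a port falls through to `request->myportname` would also document the intended behaviour of the fix. The rest of `match()` lies outside the hunk.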
diff -u -r -N squid-3.3.8/src/auth/digest/auth_digest.cc squid-3.3.9/src/auth/digest/auth_digest.cc
--- squid-3.3.8/src/auth/digest/auth_digest.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/auth/digest/auth_digest.cc	2013-09-11 16:08:38.000000000 +1200
@@ -817,7 +817,7 @@
             vlen = 0;
         }
 
-        StringArea keyName(item, nlen-1);
+        StringArea keyName(item, nlen);
         String value;
 
         if (vlen > 0) {
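Review bot: `StringArea keyName(item, nlen);` has no comment saying what `nlen` counts, and the `nlen-1` it replaces shows that this convention was already misread once. The computation of `nlen` is outside the hunk, so a one-line comment at this statement should be checked against that code, for example `// nlen is the key length, excluding the '=' separator`. Because this parses client-supplied Digest header fields, it is also worth confirming above the hunk that `nlen` cannot be zero or extend past the end of `item`.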
diff -u -r -N squid-3.3.8/src/cache_cf.cc squid-3.3.9/src/cache_cf.cc
--- squid-3.3.8/src/cache_cf.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/cache_cf.cc	2013-09-11 16:08:38.000000000 +1200
@@ -1366,8 +1366,12 @@
         addr->SetNoAddr();
     else if ( (*addr = token) ) // try parse numeric/IPA
         (void) 0;
-    else
-        addr->GetHostByName(token); // dont use ipcache
+    else if (addr->GetHostByName(token)) // dont use ipcache
+        (void) 0;
+    else { // not an IP and not a hostname
+        debugs(3, DBG_CRITICAL, "FATAL: invalid IP address or domain name '" << token << "'");
+        self_destruct();
+    }
 }
 
 static void
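Review bot: The chain now has two branches whose body is `(void) 0;`, which makes the control flow hard to follow and hides the assignment inside `(*addr = token)`. Folding both attempts into the failing branch reads more directly: `else if (!(*addr = token) && !addr->GetHostByName(token)) { // neither a numeric IP nor a resolvable name`, followed by the existing `debugs()` and `self_destruct()` lines. The first branch of the chain and the function signature are outside the hunk.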
diff -u -r -N squid-3.3.8/src/cf.data.pre squid-3.3.9/src/cf.data.pre
--- squid-3.3.8/src/cf.data.pre	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/cf.data.pre	2013-09-11 16:08:38.000000000 +1200
@@ -4466,10 +4466,12 @@
 		override-lastmod enforces min age even on objects
 		that were modified recently.
 
-		reload-into-ims changes client no-cache or ``reload''
-		to If-Modified-Since requests. Doing this VIOLATES the
-		HTTP standard. Enabling this feature could make you
-		liable for problems which it causes.
+		reload-into-ims changes a client no-cache or ``reload''
+		request for a cached entry into a conditional request using
+		If-Modified-Since and/or If-None-Match headers, provided the
+		cached entry has a Last-Modified and/or a strong ETag header.
+		Doing this VIOLATES the HTTP standard. Enabling this feature
+		could make you liable for problems which it causes.
 
 		ignore-reload ignores a client no-cache or ``reload''
 		header. Doing this VIOLATES the HTTP standard. Enabling
@@ -8388,7 +8390,7 @@
 DOC_END
 
 NAME: windows_ipaddrchangemonitor
-IFDEF: _SQUID_MSWIN_
+IFDEF: _SQUID_WINDOWS_
 COMMENT: on|off
 TYPE: onoff
 DEFAULT: on
diff -u -r -N squid-3.3.8/src/cf_gen_defines squid-3.3.9/src/cf_gen_defines
--- squid-3.3.8/src/cf_gen_defines	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/cf_gen_defines	2013-09-11 16:08:38.000000000 +1200
@@ -32,7 +32,7 @@
 	define["USE_WCCP"]="--enable-wccp"
 	define["USE_WCCPv2"]="--enable-wccpv2"
 	define["USE_QOS_TOS"]="--enable-zph-qos"
-	define["_SQUID_MSWIN_"]="MS Windows"
+	define["_SQUID_WINDOWS_"]="MS Windows"
 	define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)"
 }
 /^IFDEF:/ {
diff -u -r -N squid-3.3.8/src/client_side.cc squid-3.3.9/src/client_side.cc
--- squid-3.3.8/src/client_side.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/client_side.cc	2013-09-11 16:08:38.000000000 +1200
@@ -2609,10 +2609,9 @@
         goto finish;
     }
 
-    /* RFC 2616 section 10.5.6 : handle unsupported HTTP versions cleanly. */
-    /* We currently only accept 0.9, 1.0, 1.1 */
+    /* RFC 2616 section 10.5.6 : handle unsupported HTTP major versions cleanly. */
+    /* We currently only support 0.9, 1.0, 1.1 properly */
     if ( (http_ver.major == 0 && http_ver.minor != 9) ||
-            (http_ver.major == 1 && http_ver.minor > 1 ) ||
             (http_ver.major > 1) ) {
 
         clientStreamNode *node = context->getClientReplyContext();
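Review bot: The comment on the version test does not say what happens to HTTP/1.x with a minor above 1, which the condition now lets through. Only 0.x other than 0.9 and major versions above 1 are rejected. A line such as `/* HTTP/1.x with x > 1 is accepted and handled like 1.1 */` would record that this is deliberate. How such requests are treated afterwards is outside the hunk, so the wording should be confirmed against that code.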
@@ -3854,8 +3853,18 @@
     // Try to add generated ssl context to storage.
     if (port->generateHostCertificates && isNew) {
 
-        if (signAlgorithm == Ssl::algSignTrusted)
+        if (signAlgorithm == Ssl::algSignTrusted) {
+            // Add signing certificate to the certificates chain
+            X509 *cert = port->signingCert.get();
+            if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
+                // increase the certificate lock
+                CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
+            } else {
+                const int ssl_error = ERR_get_error();
+                debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
+            }
             Ssl::addChainToSslContext(sslContext, port->certsToChain.get());
+        }
         //else it is self-signed or untrusted do not attrach any certificate
 
         Ssl::LocalContextStorage & ssl_ctx_cache(Ssl::TheGlobalContextStorage.getLocalStorage(port->s));
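Review bot: `const int ssl_error = ERR_get_error();` narrows OpenSSL's `unsigned long` error code to `int` before it is passed to `ERR_error_string()`; `const unsigned long ssl_error = ERR_get_error();` keeps the value intact. `port->signingCert.get()` is also handed to `SSL_CTX_add_extra_chain_cert()` without a NULL test. If a port can reach this branch with no signing certificate loaded, which is not visible here, the warning would carry an error string unrelated to the real cause. A separate `if (cert == NULL)` warning before the call would be clearer in that case. The enclosing function starts and ends outside the hunk.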
@@ -4476,18 +4485,14 @@
     bool valid = true;
     if (!Comm::IsConnOpen(pinning.serverConnection))
         valid = false;
-    if (pinning.auth && request && strcasecmp(pinning.host, request->GetHost()) != 0) {
+    else if (pinning.auth && pinning.host && request && strcasecmp(pinning.host, request->GetHost()) != 0)
         valid = false;
-    }
-    if (request && pinning.port != request->port) {
+    else if (request && pinning.port != request->port)
         valid = false;
-    }
-    if (pinning.peer && !cbdataReferenceValid(pinning.peer)) {
+    else if (pinning.peer && !cbdataReferenceValid(pinning.peer))
         valid = false;
-    }
-    if (aPeer != pinning.peer) {
+    else if (aPeer != pinning.peer)
         valid = false;
-    }
 
     if (!valid) {
         /* The pinning info is not safe, remove any pinning info */
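Review bot: With the added `pinning.host &&` term, an auth-pinned connection whose `pinning.host` is NULL skips the host comparison and can still be reported valid if the port and peer checks pass. Whether `pinning.auth` can be set without a recorded host is not visible in this hunk. If it can, failing closed is safer for a connection that carries authentication state: `else if (pinning.auth && request && (!pinning.host || strcasecmp(pinning.host, request->GetHost()) != 0))`. If a NULL host is legitimate here, a comment saying why the comparison may be skipped would help. The function starts and ends outside the hunk.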
diff -u -r -N squid-3.3.8/src/client_side_reply.cc squid-3.3.9/src/client_side_reply.cc
--- squid-3.3.8/src/client_side_reply.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/client_side_reply.cc	2013-09-11 16:08:38.000000000 +1200
@@ -38,6 +38,7 @@
 #include "clientStream.h"
 #include "dlink.h"
 #include "errorpage.h"
+#include "ETag.h"
 #include "fd.h"
 #include "fde.h"
 #include "format/Token.h"
@@ -291,6 +292,13 @@
 #endif
 
     http->request->lastmod = old_entry->lastmod;
+
+    if (!http->request->header.has(HDR_IF_NONE_MATCH)) {
+        ETag etag = {NULL, -1}; // TODO: make that a default ETag constructor
+        if (old_entry->hasEtag(etag) && !etag.weak)
+            http->request->etag = etag.str;
+    }
+
     debugs(88, 5, "clientReplyContext::processExpired : lastmod " << entry->lastmod );
     http->storeEntry(entry);
     assert(http->out.offset == 0);
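Review bot: The new block has no comment explaining its two conditions: it fills `http->request->etag` only when the client sent no `If-None-Match`, and only from a strong ETag. A comment above the `if` would make that explicit, for example `// revalidate with the cached strong ETag unless the client supplied its own If-None-Match; weak ETags are not used`. `etag.str` is assigned without a visible copy, and the type of `http->request->etag` is not shown here. If it stores the raw pointer, its lifetime is tied to `old_entry`, which is worth confirming. The function continues outside the hunk.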
diff -u -r -N squid-3.3.8/src/comm/ConnOpener.cc squid-3.3.9/src/comm/ConnOpener.cc
--- squid-3.3.8/src/comm/ConnOpener.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/comm/ConnOpener.cc	2013-09-11 16:08:38.000000000 +1200
@@ -339,7 +339,7 @@
 
         if (failRetries_ < Config.connect_retries) {
             debugs(5, 5, HERE << conn_ << ": * - try again");
-            sleep();
+            retrySleep();
             return;
         } else {
             // send ERROR back to the upper layer.
@@ -352,7 +352,7 @@
 
 /// Close and wait a little before trying to open and connect again.
 void
-Comm::ConnOpener::sleep()
+Comm::ConnOpener::retrySleep()
 {
     Must(!calls_.sleep_);
     closeFd();
diff -u -r -N squid-3.3.8/src/comm/ConnOpener.h squid-3.3.9/src/comm/ConnOpener.h
--- squid-3.3.8/src/comm/ConnOpener.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/comm/ConnOpener.h	2013-09-11 16:08:38.000000000 +1200
@@ -47,7 +47,7 @@
     void connected();
     void lookupLocalAddress();
 
-    void sleep();
+    void retrySleep();
     void restart();
 
     bool createFd();
diff -u -r -N squid-3.3.8/src/comm/Loops.h squid-3.3.9/src/comm/Loops.h
--- squid-3.3.8/src/comm/Loops.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/comm/Loops.h	2013-09-11 16:08:38.000000000 +1200
@@ -36,7 +36,7 @@
  * This is a per-port limit for ICP/HTCP ports.
  * DNS has a separate limit.
  */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 #define INCOMING_UDP_MAX 1
 #else
 #define INCOMING_UDP_MAX 15
@@ -45,7 +45,7 @@
 /**
  * Max number of DNS messages to receive per call to DNS read handler
  */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 #define INCOMING_DNS_MAX 1
 #else
 #define INCOMING_DNS_MAX 15
@@ -55,7 +55,7 @@
  * Max number of new TCP connections to accept per call to the TCP listener poller.
  * This is a per-port limit for HTTP/HTTPS ports.
  */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 #define INCOMING_TCP_MAX 1
 #else
 #define INCOMING_TCP_MAX 10
diff -u -r -N squid-3.3.8/src/comm.cc squid-3.3.9/src/comm.cc
--- squid-3.3.8/src/comm.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/comm.cc	2013-09-11 16:08:38.000000000 +1200
@@ -670,7 +670,7 @@
         commSetReuseAddr(new_socket);
 
     if (addr.GetPort() > (unsigned short) 0) {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         if (sock_type != SOCK_DGRAM)
 #endif
             commSetNoLinger(new_socket);
@@ -729,7 +729,7 @@
         fd_table[conn->fd].flags.close_on_exec = 1;
 
     if (conn->local.GetPort() > (unsigned short) 0) {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         if (AI->ai_socktype != SOCK_DGRAM)
 #endif
             fd_table[conn->fd].flags.nolinger = 1;
@@ -1330,7 +1330,7 @@
 int
 commSetNonBlocking(int fd)
 {
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
     int flags;
     int dummy = 0;
 #endif
@@ -1350,7 +1350,7 @@
     } else {
 #endif
 #endif
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 
         if ((flags = fcntl(fd, F_GETFL, dummy)) < 0) {
             debugs(50, 0, "FD " << fd << ": fcntl F_GETFL: " << xstrerror());
@@ -1374,7 +1374,7 @@
 int
 commUnsetNonBlocking(int fd)
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     int nonblocking = FALSE;
 
     if (ioctlsocket(fd, FIONBIO, (unsigned long *) &nonblocking) < 0) {
diff -u -r -N squid-3.3.8/src/debug.cc squid-3.3.9/src/debug.cc
--- squid-3.3.8/src/debug.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/debug.cc	2013-09-11 16:08:38.000000000 +1200
@@ -62,7 +62,7 @@
 static void _db_print_stderr(const char *format, va_list args);
 static void _db_print_file(const char *format, va_list args);
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 extern LPCRITICAL_SECTION dbg_mutex;
 typedef BOOL (WINAPI * PFInitializeCriticalSectionAndSpinCount) (LPCRITICAL_SECTION, DWORD);
 #endif
@@ -76,7 +76,7 @@
     va_list args2;
     va_list args3;
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     /* Multiple WIN32 threads may call this simultaneously */
 
     if (!dbg_mutex) {
@@ -129,7 +129,7 @@
     _db_print_syslog(format, args3);
 #endif
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     LeaveCriticalSection(dbg_mutex);
 #endif
 
@@ -485,7 +485,7 @@
         --i;
         snprintf(from, MAXPATHLEN, "%s.%d", debug_log_file, i - 1);
         snprintf(to, MAXPATHLEN, "%s.%d", debug_log_file, i);
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         remove
         (to);
 #endif
@@ -496,14 +496,14 @@
      * You can't rename open files on Microsoft "operating systems"
      * so we close before renaming.
      */
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (debug_log != stderr)
         fclose(debug_log);
 #endif
     /* Rotate the current log to .0 */
     if (Debug::rotateNumber > 0) {
         snprintf(to, MAXPATHLEN, "%s.%d", debug_log_file, 0);
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         remove
         (to);
 #endif
diff -u -r -N squid-3.3.8/src/DiskIO/AIO/AIODiskIOModule.cc squid-3.3.9/src/DiskIO/AIO/AIODiskIOModule.cc
--- squid-3.3.8/src/DiskIO/AIO/AIODiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/AIO/AIODiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -50,7 +50,7 @@
 {}
 
 void
-AIODiskIOModule::shutdown()
+AIODiskIOModule::gracefulShutdown()
 {}
 
 DiskIOStrategy *
diff -u -r -N squid-3.3.8/src/DiskIO/AIO/AIODiskIOModule.h squid-3.3.9/src/DiskIO/AIO/AIODiskIOModule.h
--- squid-3.3.8/src/DiskIO/AIO/AIODiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/AIO/AIODiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -42,7 +42,7 @@
     static AIODiskIOModule &GetInstance();
     AIODiskIOModule();
     virtual void init();
-    virtual void shutdown();
+    virtual void gracefulShutdown();
     virtual char const *type () const;
     virtual DiskIOStrategy* createStrategy();
 
diff -u -r -N squid-3.3.8/src/DiskIO/AIO/aio_win32.cc squid-3.3.9/src/DiskIO/AIO/aio_win32.cc
--- squid-3.3.8/src/DiskIO/AIO/aio_win32.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/AIO/aio_win32.cc	2013-09-11 16:08:38.000000000 +1200
@@ -32,8 +32,11 @@
  */
 
 #include "squid.h"
+#include "DiskIO/AIO/aio_win32.h"
 #include "comm.h"
-#include "aio_win32.h"
+#include "fd.h"
+#include "StatCounters.h"
+#include "win32.h"
 
 #if HAVE_ERRNO_H
 #include <errno.h>
diff -u -r -N squid-3.3.8/src/DiskIO/AIO/aio_win32.h squid-3.3.9/src/DiskIO/AIO/aio_win32.h
--- squid-3.3.8/src/DiskIO/AIO/aio_win32.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/AIO/aio_win32.h	2013-09-11 16:08:38.000000000 +1200
@@ -42,7 +42,7 @@
 typedef int64_t	off64_t;
 #endif
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 union sigval {
     int sival_int; /* integer value */
@@ -104,6 +104,6 @@
 int aio_open(const char *, int);
 void aio_close(int);
 
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
 #endif /* USE_DISKIO_AIO */
 #endif /* __WIN32_AIO_H__ */
diff -u -r -N squid-3.3.8/src/DiskIO/Blocking/BlockingDiskIOModule.cc squid-3.3.9/src/DiskIO/Blocking/BlockingDiskIOModule.cc
--- squid-3.3.8/src/DiskIO/Blocking/BlockingDiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/Blocking/BlockingDiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -49,7 +49,7 @@
 {}
 
 void
-BlockingDiskIOModule::shutdown()
+BlockingDiskIOModule::gracefulShutdown()
 {}
 
 DiskIOStrategy*
diff -u -r -N squid-3.3.8/src/DiskIO/Blocking/BlockingDiskIOModule.h squid-3.3.9/src/DiskIO/Blocking/BlockingDiskIOModule.h
--- squid-3.3.8/src/DiskIO/Blocking/BlockingDiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/Blocking/BlockingDiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -41,7 +41,7 @@
     static BlockingDiskIOModule &GetInstance();
     BlockingDiskIOModule();
     virtual void init();
-    virtual void shutdown();
+    virtual void gracefulShutdown();
     virtual char const *type () const;
     virtual DiskIOStrategy* createStrategy();
 
diff -u -r -N squid-3.3.8/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc squid-3.3.9/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc
--- squid-3.3.8/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -79,7 +79,7 @@
 }
 
 void
-DiskDaemonDiskIOModule::shutdown()
+DiskDaemonDiskIOModule::gracefulShutdown()
 {
     initialised = false;
 }
diff -u -r -N squid-3.3.8/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h squid-3.3.9/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h
--- squid-3.3.8/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskDaemon/DiskDaemonDiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -41,7 +41,7 @@
     static DiskDaemonDiskIOModule &GetInstance();
     DiskDaemonDiskIOModule();
     virtual void init();
-    virtual void shutdown();
+    virtual void gracefulShutdown();
     virtual char const *type () const;
     virtual DiskIOStrategy* createStrategy();
 
diff -u -r -N squid-3.3.8/src/DiskIO/DiskIOModule.cc squid-3.3.9/src/DiskIO/DiskIOModule.cc
--- squid-3.3.8/src/DiskIO/DiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -95,7 +95,7 @@
     while (GetModules().size()) {
         DiskIOModule *fs = GetModules().back();
         GetModules().pop_back();
-        fs->shutdown();
+        fs->gracefulShutdown();
     }
 }
 
diff -u -r -N squid-3.3.8/src/DiskIO/DiskIOModule.h squid-3.3.9/src/DiskIO/DiskIOModule.h
--- squid-3.3.8/src/DiskIO/DiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -65,7 +65,7 @@
 
     virtual void init() = 0;
     //virtual void registerWithCacheManager(void);
-    virtual void shutdown() = 0;
+    virtual void gracefulShutdown() = 0;
     virtual DiskIOStrategy *createStrategy() = 0;
 
     virtual char const *type () const = 0;
diff -u -r -N squid-3.3.8/src/DiskIO/DiskThreads/aiops_win32.cc squid-3.3.9/src/DiskIO/DiskThreads/aiops_win32.cc
--- squid-3.3.8/src/DiskIO/DiskThreads/aiops_win32.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskThreads/aiops_win32.cc	2013-09-11 16:08:38.000000000 +1200
@@ -36,6 +36,7 @@
 #include "squid_windows.h"
 #include "DiskIO/DiskThreads/CommIO.h"
 #include "DiskThreads.h"
+#include "fd.h"
 #include "SquidConfig.h"
 #include "SquidTime.h"
 #include "Store.h"
@@ -210,7 +211,7 @@
     MemAllocator *pool;
 
     if ((pool = squidaio_get_pool(size)) != NULL) {
-        pool->free(p);
+        pool->freeOne(p);
     } else
         xfree(p);
 }
@@ -222,7 +223,7 @@
     int len = strlen(str) + 1;
 
     if ((pool = squidaio_get_pool(len)) != NULL) {
-        pool->free(str);
+        pool->freeOne(str);
     } else
         xfree(str);
 }
@@ -296,7 +297,9 @@
 
     done_queue.blocked = 0;
 
-    CommIO::NotifyIOCompleted();
+    // Initialize the thread I/O pipes before creating any threads
+    // see bug 3189 comment 5 about race conditions.
+    CommIO::Initialize();
 
     /* Create threads and get them to sit in their wait loop */
     squidaio_thread_pool = memPoolCreate("aio_thread", sizeof(squidaio_thread_t));
@@ -716,7 +719,7 @@
         resultp->aio_errno = requestp->err;
     }
 
-    squidaio_request_pool->free(requestp);
+    squidaio_request_pool->freeOne(requestp);
 }				/* squidaio_cleanup_request */
 
 int
diff -u -r -N squid-3.3.8/src/DiskIO/DiskThreads/CommIO.cc squid-3.3.9/src/DiskIO/DiskThreads/CommIO.cc
--- squid-3.3.8/src/DiskIO/DiskThreads/CommIO.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskThreads/CommIO.cc	2013-09-11 16:08:38.000000000 +1200
@@ -37,6 +37,7 @@
 #include "DiskIO/DiskThreads/CommIO.h"
 #include "fd.h"
 #include "globals.h"
+#include "win32.h"
 
 void
 CommIO::Initialize()
diff -u -r -N squid-3.3.8/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc squid-3.3.9/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc
--- squid-3.3.8/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -52,7 +52,7 @@
 }
 
 void
-DiskThreadsDiskIOModule::shutdown()
+DiskThreadsDiskIOModule::gracefulShutdown()
 {
     DiskThreadsIOStrategy::Instance.done();
 }
diff -u -r -N squid-3.3.8/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h squid-3.3.9/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h
--- squid-3.3.8/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/DiskThreads/DiskThreadsDiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -42,7 +42,7 @@
     DiskThreadsDiskIOModule();
     virtual void init();
     //virtual void registerWithCacheManager(void);
-    virtual void shutdown();
+    virtual void gracefulShutdown();
     virtual char const *type () const;
     virtual DiskIOStrategy* createStrategy();
 
diff -u -r -N squid-3.3.8/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc squid-3.3.9/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc
--- squid-3.3.8/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/IpcIo/IpcIoDiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -18,7 +18,7 @@
 {}
 
 void
-IpcIoDiskIOModule::shutdown()
+IpcIoDiskIOModule::gracefulShutdown()
 {}
 
 DiskIOStrategy*
diff -u -r -N squid-3.3.8/src/DiskIO/IpcIo/IpcIoDiskIOModule.h squid-3.3.9/src/DiskIO/IpcIo/IpcIoDiskIOModule.h
--- squid-3.3.8/src/DiskIO/IpcIo/IpcIoDiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/IpcIo/IpcIoDiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -10,7 +10,7 @@
     static IpcIoDiskIOModule &GetInstance();
     IpcIoDiskIOModule();
     virtual void init();
-    virtual void shutdown();
+    virtual void gracefulShutdown();
     virtual char const *type () const;
     virtual DiskIOStrategy* createStrategy();
 
diff -u -r -N squid-3.3.8/src/DiskIO/Mmapped/MmappedDiskIOModule.cc squid-3.3.9/src/DiskIO/Mmapped/MmappedDiskIOModule.cc
--- squid-3.3.8/src/DiskIO/Mmapped/MmappedDiskIOModule.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/Mmapped/MmappedDiskIOModule.cc	2013-09-11 16:08:38.000000000 +1200
@@ -18,7 +18,7 @@
 {}
 
 void
-MmappedDiskIOModule::shutdown()
+MmappedDiskIOModule::gracefulShutdown()
 {}
 
 DiskIOStrategy*
diff -u -r -N squid-3.3.8/src/DiskIO/Mmapped/MmappedDiskIOModule.h squid-3.3.9/src/DiskIO/Mmapped/MmappedDiskIOModule.h
--- squid-3.3.8/src/DiskIO/Mmapped/MmappedDiskIOModule.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/DiskIO/Mmapped/MmappedDiskIOModule.h	2013-09-11 16:08:38.000000000 +1200
@@ -10,7 +10,7 @@
     static MmappedDiskIOModule &GetInstance();
     MmappedDiskIOModule();
     virtual void init();
-    virtual void shutdown();
+    virtual void gracefulShutdown();
     virtual char const *type () const;
     virtual DiskIOStrategy* createStrategy();
 
diff -u -r -N squid-3.3.8/src/dns_internal.cc squid-3.3.9/src/dns_internal.cc
--- squid-3.3.8/src/dns_internal.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/dns_internal.cc	2013-09-11 16:08:38.000000000 +1200
@@ -236,7 +236,7 @@
 static void idnsFreeNameservers(void);
 static void idnsFreeSearchpath(void);
 static void idnsParseNameservers(void);
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 static void idnsParseResolvConf(void);
 #endif
 #if _SQUID_WINDOWS_
@@ -366,7 +366,7 @@
     }
 }
 
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 static void
 idnsParseResolvConf(void)
 {
@@ -1535,7 +1535,7 @@
 
     assert(0 == nns);
     idnsParseNameservers();
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 
     if (0 == nns)
         idnsParseResolvConf();
diff -u -r -N squid-3.3.8/src/dnsserver.cc squid-3.3.9/src/dnsserver.cc
--- squid-3.3.8/src/dnsserver.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/dnsserver.cc	2013-09-11 16:08:38.000000000 +1200
@@ -497,7 +497,7 @@
         }
     }
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     {
         WSADATA wsaData;
 
@@ -511,7 +511,7 @@
         memset(request, '\0', REQ_SZ);
 
         if (fgets(request, REQ_SZ, stdin) == NULL) {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
             WSACleanup();
 #endif
             exit(1);
diff -u -r -N squid-3.3.8/src/fd.cc squid-3.3.9/src/fd.cc
--- squid-3.3.8/src/fd.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/fd.cc	2013-09-11 16:08:38.000000000 +1200
@@ -49,7 +49,7 @@
 
 int default_read_method(int, char *, int);
 int default_write_method(int, const char *, int);
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 int socket_read_method(int, char *, int);
 int socket_write_method(int, const char *, int);
 int file_read_method(int, char *, int);
@@ -122,7 +122,7 @@
     *F = fde();
 }
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 int
 socket_read_method(int fd, char *buf, int len)
@@ -222,7 +222,7 @@
     F->type = type;
     F->flags.open = 1;
     F->epoll_state = 0;
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     F->win32.handle = _get_osfhandle(fd);
 
@@ -369,6 +369,7 @@
     if (Squid_MaxFD - newReserve < min(256, Squid_MaxFD / 2))
         fatalf("Too few filedescriptors available in the system (%d usable of %d).\n", Squid_MaxFD - newReserve, Squid_MaxFD);
 
-    debugs(51, DBG_CRITICAL, "Reserved FD adjusted from " << RESERVED_FD << " to " << newReserve << " due to failures");
+    debugs(51, DBG_CRITICAL, "Reserved FD adjusted from " << RESERVED_FD << " to " << newReserve <<
+           " due to failures (" << (Squid_MaxFD - newReserve) << "/" << Squid_MaxFD << " file descriptors available)");
     RESERVED_FD = newReserve;
 }
diff -u -r -N squid-3.3.8/src/fde.cc squid-3.3.9/src/fde.cc
--- squid-3.3.8/src/fde.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/fde.cc	2013-09-11 16:08:38.000000000 +1200
@@ -55,7 +55,7 @@
     if (!flags.open)
         return;
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     storeAppendPrintf(&dumpEntry, "%4d 0x%-8lX %-6.6s %4d %7" PRId64 "%c %7" PRId64 "%c %-21s %s\n",
                       fdNumber,
@@ -79,7 +79,7 @@
 {
     int i;
     storeAppendPrintf(dumpEntry, "Active file descriptors:\n");
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     storeAppendPrintf(dumpEntry, "%-4s %-10s %-6s %-4s %-7s* %-7s* %-21s %s\n",
                       "File",
@@ -94,7 +94,7 @@
                       "Nwrite",
                       "Remote Address",
                       "Description");
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     storeAppendPrintf(dumpEntry, "---- ---------- ------ ---- -------- -------- --------------------- ------------------------------\n");
 #else
     storeAppendPrintf(dumpEntry, "---- ------ ---- -------- -------- --------------------- ------------------------------\n");
diff -u -r -N squid-3.3.8/src/fde.h squid-3.3.9/src/fde.h
--- squid-3.3.8/src/fde.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/fde.h	2013-09-11 16:08:38.000000000 +1200
@@ -136,7 +136,7 @@
     SSL *ssl;
     SSL_CTX *dynamicSslContext; ///< cached and then freed when fd is closed
 #endif
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     struct {
         long handle;
     } win32;
@@ -189,7 +189,7 @@
         ssl = NULL;
         dynamicSslContext = NULL;
 #endif
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         win32.handle = NULL;
 #endif
         tosFromServer = '\0';
diff -u -r -N squid-3.3.8/src/fs/coss/store_dir_coss.cc squid-3.3.9/src/fs/coss/store_dir_coss.cc
--- squid-3.3.8/src/fs/coss/store_dir_coss.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/fs/coss/store_dir_coss.cc	2013-09-11 16:08:38.000000000 +1200
@@ -901,14 +901,7 @@
 
     if (::stat(path, &swap_sb) < 0) {
         debugs (47, 2, "COSS swap space space being allocated.");
-#if _SQUID_MSWIN_
-
-        mkdir(path);
-#else
-
         mkdir(path, 0700);
-#endif
-
     }
 
     /* should check here for directories instead of files, and for file size
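Review bot: The result of `mkdir(path, 0700)` is discarded, so a failure to create the swap location is silent at this point, and the debugs() line above reports allocation either way. The UFSSwapDir.cc calls touched by the same patch test the return value. Doing the same here would surface the error where it happens, e.g. `if (mkdir(path, 0700) < 0) debugs(47, DBG_IMPORTANT, "COSS: cannot create " << path << ": " << xstrerror());`. The enclosing function continues outside the hunk, so a later check may already catch this.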
diff -u -r -N squid-3.3.8/src/fs/ufs/UFSSwapDir.cc squid-3.3.9/src/fs/ufs/UFSSwapDir.cc
--- squid-3.3.8/src/fs/ufs/UFSSwapDir.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/fs/ufs/UFSSwapDir.cc	2013-09-11 16:08:38.000000000 +1200
@@ -574,14 +574,7 @@
         } else {
             fatalf("Swap directory %s is not a directory.", aPath);
         }
-
-#if _SQUID_MSWIN_
-
-    } else if (0 == mkdir(aPath)) {
-#else
-
     } else if (0 == mkdir(aPath, 0755)) {
-#endif
         debugs(47, (should_exist ? DBG_IMPORTANT : 3), aPath << " created");
         created = 1;
     } else {
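Review bot: With the Windows branch removed, these directory modes are what every platform gets, and they differ: `0755` here and `0777` in the `@@ -1306` hunk below, against `0700` for COSS in store_dir_coss.cc. Cache directories hold response bodies that may include private content, and `0777` leaves it to the process umask whether other local accounts can write into the cache. Unless another account is meant to access these directories (not visible from the hunks), one restrictive mode would be safer: `} else if (0 == mkdir(aPath, 0750)) {` and `if (mkdir(p1, 0750) == 0)`. Both enclosing functions start and end outside the hunks.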
@@ -1306,14 +1299,7 @@
     if (dir_pointer == NULL) {
         if (errno == ENOENT) {
             debugs(36, DBG_CRITICAL, HERE << "WARNING: Creating " << p1);
-#if _SQUID_MSWIN_
-
-            if (mkdir(p1) == 0)
-#else
-
             if (mkdir(p1, 0777) == 0)
-#endif
-
                 return 0;
         }
 
diff -u -r -N squid-3.3.8/src/globals.h squid-3.3.9/src/globals.h
--- squid-3.3.8/src/globals.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/globals.h	2013-09-11 16:08:38.000000000 +1200
@@ -113,7 +113,7 @@
 extern int64_t store_maxobjsize;	/* -1 */
 extern hash_table *proxy_auth_username_cache;	/* NULL */
 extern int incoming_sockets_accepted;
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 extern unsigned int WIN32_Socks_initialized;	/* 0 */
 #endif
 #if _SQUID_WINDOWS_
diff -u -r -N squid-3.3.8/src/helper.cc squid-3.3.9/src/helper.cc
--- squid-3.3.8/src/helper.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/helper.cc	2013-09-11 16:08:38.000000000 +1200
@@ -97,7 +97,7 @@
 void
 HelperServerBase::closePipesSafely()
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     int no = index + 1;
 
     shutdown(writePipe->fd, SD_BOTH);
@@ -110,7 +110,7 @@
         readPipe->close();
     writePipe->close();
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (hIpc) {
         if (WaitForSingleObject(hIpc, 5000) != WAIT_OBJECT_0) {
             getCurrentTime();
@@ -126,7 +126,7 @@
 void
 HelperServerBase::closeWritePipeSafely()
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     int no = index + 1;
 
     shutdown(writePipe->fd, (readPipe->fd == writePipe->fd ? SD_BOTH : SD_SEND));
@@ -137,7 +137,7 @@
         readPipe->fd = -1;
     writePipe->close();
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (hIpc) {
         if (WaitForSingleObject(hIpc, 5000) != WAIT_OBJECT_0) {
             getCurrentTime();
diff -u -r -N squid-3.3.8/src/http.cc squid-3.3.9/src/http.cc
--- squid-3.3.8/src/http.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/http.cc	2013-09-11 16:08:38.000000000 +1200
@@ -1715,10 +1715,17 @@
     HttpHeaderPos pos = HttpHeaderInitPos;
     assert (hdr_out->owner == hoRequest);
 
-    /* append our IMS header */
+    /* use our IMS header if the cached entry has Last-Modified time */
     if (request->lastmod > -1)
         hdr_out->putTime(HDR_IF_MODIFIED_SINCE, request->lastmod);
 
+    // Add our own If-None-Match field if the cached entry has a strong ETag.
+    // copyOneHeaderFromClientsideRequestToUpstreamRequest() adds client ones.
+    if (request->etag.defined()) {
+        hdr_out->addEntry(new HttpHeaderEntry(HDR_IF_NONE_MATCH, NULL,
+                                              request->etag.termedBuf()));
+    }
+
     bool we_do_ranges = decideIfWeDoRanges (request);
 
     String strConnection (hdr_in->getList(HDR_CONNECTION));
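Review bot: Nothing in this hunk stops the generated If-None-Match from being emitted alongside a client-supplied one. That depends on `request->etag` being set in client_side_reply.cc only when the client sent none, an invariant enforced in a different file. A local guard would make it explicit and survive later changes to that caller: `if (request->etag.defined() && !hdr_in->has(HDR_IF_NONE_MATCH)) {`, assuming `hdr_in` is the client request's header set. The new comment could also say that the value comes from the cached reply, so readers know it is origin-controlled. The enclosing function starts and ends outside the hunk.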
diff -u -r -N squid-3.3.8/src/HttpHeader.cc squid-3.3.9/src/HttpHeader.cc
--- squid-3.3.8/src/HttpHeader.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/HttpHeader.cc	2013-09-11 16:08:38.000000000 +1200
@@ -107,6 +107,7 @@
     {"Expires", HDR_EXPIRES, ftDate_1123},
     {"From", HDR_FROM, ftStr},
     {"Host", HDR_HOST, ftStr},
+    {"HTTP2-Settings", HDR_HTTP2_SETTINGS, ftStr}, /* for now */
     {"If-Match", HDR_IF_MATCH, ftStr},	/* for now */
     {"If-Modified-Since", HDR_IF_MODIFIED_SINCE, ftDate_1123},
     {"If-None-Match", HDR_IF_NONE_MATCH, ftStr},	/* for now */
@@ -251,6 +252,7 @@
 static HttpHeaderMask RequestHeadersMask;	/* set run-time using RequestHeaders */
 static http_hdr_type RequestHeadersArr[] = {
     HDR_AUTHORIZATION, HDR_FROM, HDR_HOST,
+    HDR_HTTP2_SETTINGS,
     HDR_IF_MATCH, HDR_IF_MODIFIED_SINCE, HDR_IF_NONE_MATCH,
     HDR_IF_RANGE, HDR_MAX_FORWARDS,
     HDR_ORIGIN,
@@ -261,7 +263,7 @@
 
 static HttpHeaderMask HopByHopHeadersMask;
 static http_hdr_type HopByHopHeadersArr[] = {
-    HDR_CONNECTION, HDR_KEEP_ALIVE, /*HDR_PROXY_AUTHENTICATE,*/ HDR_PROXY_AUTHORIZATION,
+    HDR_CONNECTION, HDR_HTTP2_SETTINGS, HDR_KEEP_ALIVE, /*HDR_PROXY_AUTHENTICATE,*/ HDR_PROXY_AUTHORIZATION,
     HDR_TE, HDR_TRAILER, HDR_TRANSFER_ENCODING, HDR_UPGRADE, HDR_PROXY_CONNECTION
 };
 
diff -u -r -N squid-3.3.8/src/HttpHeader.h squid-3.3.9/src/HttpHeader.h
--- squid-3.3.8/src/HttpHeader.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/HttpHeader.h	2013-09-11 16:08:38.000000000 +1200
@@ -83,6 +83,7 @@
     HDR_EXPIRES,                        /**< RFC 2608, 2616 */
     HDR_FROM,                           /**< RFC 2608, 2616 */
     HDR_HOST,                           /**< RFC 2608, 2616 */
+    HDR_HTTP2_SETTINGS,                 /**< HTTP/2.0 upgrade header. see draft-ietf-httpbis-http2-04 */
     /*HDR_IF,*/                         /* RFC 2518 */
     HDR_IF_MATCH,                       /**< RFC 2608, 2616 */
     HDR_IF_MODIFIED_SINCE,              /**< RFC 2608, 2616 */
diff -u -r -N squid-3.3.8/src/HttpRequest.cc squid-3.3.9/src/HttpRequest.cc
--- squid-3.3.8/src/HttpRequest.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/HttpRequest.cc	2013-09-11 16:08:38.000000000 +1200
@@ -172,6 +172,8 @@
 
     extacl_message.clean();
 
+    etag.clean();
+
 #if USE_ADAPTATION
     adaptHistory_ = NULL;
 #endif
@@ -217,19 +219,16 @@
     // XXX: what to do with copy->peer_login?
 
     copy->lastmod = lastmod;
+    copy->etag = etag;
     copy->vary_headers = vary_headers ? xstrdup(vary_headers) : NULL;
     // XXX: what to do with copy->peer_domain?
 
-    copy->myportname = myportname;
     copy->tag = tag;
-#if USE_AUTH
-    copy->extacl_user = extacl_user;
-    copy->extacl_passwd = extacl_passwd;
-#endif
     copy->extacl_log = extacl_log;
     copy->extacl_message = extacl_message;
 
-    assert(copy->inheritProperties(this));
+    const bool inheritWorked = copy->inheritProperties(this);
+    assert(inheritWorked);
 
     return copy;
 }
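Review bot: `inheritWorked` is read only inside `assert()`, so in a build where assertions compile out the variable is unused and a failed inheritProperties() passes unnoticed. This may also trip an unused-variable warning under `-Werror`. After this patch that call is what carries `extacl_user`, `extacl_passwd` and `myportname` into the copy (see the `@@ -264` hunk), so a silent failure would return a clone without the ACL and credential state. An always-on check would avoid both problems, for example `Must(inheritWorked);` if throwing is acceptable to callers of clone(), which is not visible from this hunk. clone() starts outside the hunk.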
@@ -264,8 +263,12 @@
     errDetail = aReq->errDetail;
 #if USE_AUTH
     auth_user_request = aReq->auth_user_request;
+    extacl_user = aReq->extacl_user;
+    extacl_passwd = aReq->extacl_passwd;
 #endif
 
+    myportname = aReq->myportname;
+
     // main property is which connection the request was received on (if any)
     clientConnectionManager = aReq->clientConnectionManager;
 
diff -u -r -N squid-3.3.8/src/HttpRequest.h squid-3.3.9/src/HttpRequest.h
--- squid-3.3.8/src/HttpRequest.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/HttpRequest.h	2013-09-11 16:08:38.000000000 +1200
@@ -211,6 +211,9 @@
     String x_forwarded_for_iterator; /* XXX a list of IP addresses */
 #endif /* FOLLOW_X_FORWARDED_FOR */
 
+    /// A strong etag of the cached entry. Used for refreshing that entry.
+    String etag;
+
 public:
     bool multipartRangeRequest() const;
 
diff -u -r -N squid-3.3.8/src/icmp/Icmp4.h squid-3.3.9/src/icmp/Icmp4.h
--- squid-3.3.8/src/icmp/Icmp4.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/icmp/Icmp4.h	2013-09-11 16:08:38.000000000 +1200
@@ -83,7 +83,7 @@
 #if _SQUID_WINDOWS_
 #include "fde.h"
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 #if HAVE_WINSOCK2_H
 #include <winsock2.h>
@@ -123,7 +123,7 @@
     uint32_t timestamp;        /* not part of ICMP, but we need it */
 } icmphdr;
 
-#endif  /* _SQUID_MSWIN_ */
+#endif  /* _SQUID_WINDOWS_ */
 
 #ifndef ICMP_ECHO
 #define ICMP_ECHO 8
diff -u -r -N squid-3.3.8/src/icmp/IcmpPinger.cc squid-3.3.9/src/icmp/IcmpPinger.cc
--- squid-3.3.8/src/icmp/IcmpPinger.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/icmp/IcmpPinger.cc	2013-09-11 16:08:38.000000000 +1200
@@ -58,7 +58,7 @@
     Close();
 }
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 void
 Win32SockCleanup(void)
 {
@@ -70,7 +70,7 @@
 int
 IcmpPinger::Open(void)
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     WSADATA wsaData;
     WSAPROTOCOL_INFO wpi;
@@ -152,7 +152,7 @@
 
     return icmp_sock;
 
-#else /* !_SQUID_MSWIN_ */
+#else /* !_SQUID_WINDOWS_ */
 
     /* non-windows apps use stdin/out pipes as the squid channel(s) */
     socket_from_squid = 0; // use STDIN macro ??
@@ -164,7 +164,7 @@
 void
 IcmpPinger::Close(void)
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     shutdown(icmp_sock, SD_BOTH);
     close(icmp_sock);
diff -u -r -N squid-3.3.8/src/icmp/IcmpSquid.cc squid-3.3.9/src/icmp/IcmpSquid.cc
--- squid-3.3.8/src/icmp/IcmpSquid.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/icmp/IcmpSquid.cc	2013-09-11 16:08:38.000000000 +1200
@@ -263,11 +263,11 @@
     if (localhost.SetIPv4())
         SendEcho(localhost, S_ICMP_ECHO, "localhost");
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     debugs(37, 4, HERE << "Pinger handle: 0x" << std::hex << hIpc << std::dec << ", PID: " << pid);
 
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
     return icmp_sock;
 #else /* USE_ICMP */
     return -1;
@@ -284,7 +284,7 @@
 
     debugs(37, DBG_IMPORTANT, HERE << "Closing Pinger socket on FD " << icmp_sock);
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     send(icmp_sock, (const void *) "$shutdown\n", 10, 0);
 
@@ -292,7 +292,7 @@
 
     comm_close(icmp_sock);
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     if (hIpc) {
         if (WaitForSingleObject(hIpc, 12000) != WAIT_OBJECT_0) {
diff -u -r -N squid-3.3.8/src/icmp/pinger.cc squid-3.3.9/src/icmp/pinger.cc
--- squid-3.3.8/src/icmp/pinger.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/icmp/pinger.cc	2013-09-11 16:08:38.000000000 +1200
@@ -72,7 +72,7 @@
 #include "IcmpPinger.h"
 #include "ip/tools.h"
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 #if HAVE_WINSOCK2_H
 #include <winsock2.h>
@@ -106,7 +106,7 @@
 /* non-windows use STDOUT for feedback to squid */
 #define LINK_TO_SQUID	1
 
-#endif	/* _SQUID_MSWIN_ */
+#endif	/* _SQUID_WINDOWS_ */
 
 // ICMP Engines are declared global here so they can call each other easily.
 IcmpPinger control;
diff -u -r -N squid-3.3.8/src/ip/Address.cc squid-3.3.9/src/ip/Address.cc
--- squid-3.3.8/src/ip/Address.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ip/Address.cc	2013-09-11 16:08:38.000000000 +1200
@@ -1021,7 +1021,7 @@
 }
 
 void
-Ip::Address::GetInAddr(in6_addr &buf) const
+Ip::Address::GetInAddr(struct in6_addr &buf) const
 {
     memcpy(&buf, &m_SocketAddr.sin6_addr, sizeof(struct in6_addr));
 }
@@ -1030,7 +1030,7 @@
 Ip::Address::GetInAddr(struct in_addr &buf) const
 {
     if ( IsIPv4() ) {
-        Map6to4((const in6_addr)m_SocketAddr.sin6_addr, buf);
+        Map6to4(m_SocketAddr.sin6_addr, buf);
         return true;
     }
 
diff -u -r -N squid-3.3.8/src/ip/Address.h squid-3.3.9/src/ip/Address.h
--- squid-3.3.8/src/ip/Address.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ip/Address.h	2013-09-11 16:08:38.000000000 +1200
@@ -45,7 +45,7 @@
 #if HAVE_NETINET_IP_H
 #include <netinet/ip.h>
 #endif
-#if _SQUID_MSWIN_
+#if HAVE_WS2TCPIP_H
 #include <ws2tcpip.h>
 #endif
 #if HAVE_NETDB_H
diff -u -r -N squid-3.3.8/src/ip/testAddress.cc squid-3.3.9/src/ip/testAddress.cc
--- squid-3.3.8/src/ip/testAddress.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ip/testAddress.cc	2013-09-11 16:08:38.000000000 +1200
@@ -108,7 +108,7 @@
     insock.sin_len = sizeof(struct sockaddr_in);
 #endif
 
-    Ip::Address anIPA((const struct sockaddr_in)insock);
+    Ip::Address anIPA(insock);
 
     /* test stored values */
     CPPUNIT_ASSERT( !anIPA.IsAnyAddr() );
diff -u -r -N squid-3.3.8/src/main.cc squid-3.3.9/src/main.cc
--- squid-3.3.8/src/main.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/main.cc	2013-09-11 16:08:38.000000000 +1200
@@ -203,7 +203,7 @@
 static void mainSetCwd(void);
 static int checkRunningPid(void);
 
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 static const char *squid_start_script = "squid_start";
 #endif
 
@@ -619,7 +619,7 @@
 {
     do_rotate = 1;
     RotateSignal = sig;
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 #if !HAVE_SIGACTION
 
     signal(sig, rotate_logs);
@@ -633,7 +633,7 @@
 {
     do_reconfigure = 1;
     ReconfigureSignal = sig;
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 #if !HAVE_SIGACTION
 
     signal(sig, reconfigure);
@@ -662,7 +662,7 @@
                    " pid " << ppid << ": " << xstrerror());
     }
 
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 #if KILL_PARENT_OPT
 
     if (!IamMasterProcess() && ppid > 1) {
@@ -1020,7 +1020,7 @@
     setSystemLimits();
     debugs(1, DBG_IMPORTANT, "With " << Squid_MaxFD << " file descriptors available");
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     debugs(1, DBG_IMPORTANT, "With " << _getmaxstdio() << " CRT stdio descriptors available");
 
@@ -1577,7 +1577,7 @@
     exit(0);
 }
 
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 /*
  * This function is run when Squid is in daemon mode, just
  * before the parent forks and starts up the child process.
@@ -1620,7 +1620,7 @@
     }
 }
 
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
 
 static int
 checkRunningPid(void)
@@ -1650,7 +1650,7 @@
 static void
 watch_child(char *argv[])
 {
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
     char *prog;
 #if _SQUID_NEXT_
 
@@ -1819,7 +1819,7 @@
     }
 
     /* NOTREACHED */
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
 
 }
 
diff -u -r -N squid-3.3.8/src/mgr/InfoAction.cc squid-3.3.9/src/mgr/InfoAction.cc
--- squid-3.3.8/src/mgr/InfoAction.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/mgr/InfoAction.cc	2013-09-11 16:08:38.000000000 +1200
@@ -115,7 +115,7 @@
     gb_saved_count += stats.gb_saved_count;
     gb_freed_count += stats.gb_freed_count;
     max_fd += stats.max_fd;
-    biggest_fd += stats.biggest_fd;
+    biggest_fd = max(biggest_fd, stats.biggest_fd);
     number_fd += stats.number_fd;
     opening_fd += stats.opening_fd;
     num_fd_free += stats.num_fd_free;
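Review bot: The line `biggest_fd = max(biggest_fd, stats.biggest_fd);` now aggregates differently from the `+=` lines around it, and nothing in the hunk says why, so a later clean-up could turn it back into a sum. A one-line comment above it would do, for example `// largest FD in use is a maximum over all processes, not a sum`. The result also depends on the starting value of `biggest_fd`, which is set outside the hunk. If it starts at 0 while a process can report a negative value, the aggregate would read 0, so that initial value is worth confirming.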
diff -u -r -N squid-3.3.8/src/neighbors.cc squid-3.3.9/src/neighbors.cc
--- squid-3.3.8/src/neighbors.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/neighbors.cc	2013-09-11 16:08:38.000000000 +1200
@@ -204,8 +204,6 @@
         return do_ping;
 
     ACLFilledChecklist checklist(p->access, request, NULL);
-    checklist.src_addr = request->client_addr;
-    checklist.my_addr = request->my_addr;
 
     return (checklist.fastCheck() == ACCESS_ALLOWED);
 }
diff -u -r -N squid-3.3.8/src/Server.cc squid-3.3.9/src/Server.cc
--- squid-3.3.8/src/Server.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/Server.cc	2013-09-11 16:08:38.000000000 +1200
@@ -696,7 +696,8 @@
         // subscribe to receive adapted body
         adaptedBodySource = rep->body_pipe;
         // assume that ICAP does not auto-consume on failures
-        assert(adaptedBodySource->setConsumerIfNotLate(this));
+        const bool result = adaptedBodySource->setConsumerIfNotLate(this);
+        assert(result);
     } else {
         // no body
         if (doneWithAdaptation()) // we may still be sending virgin response
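Review bot: A `false` return from `setConsumerIfNotLate(this)` is still handled only by `assert(result)`, so a build in which `assert()` expands to nothing would continue with no consumer registered on the adapted body, and `result` would then be an unused variable. If the call can fail at run time, handle it explicitly instead, along the lines of `if (!result) { /* treat as adaptation failure */ }`. Otherwise add `(void)result;` after the assert, with a comment such as `// the call must run in every build; the assert only checks its outcome`. The enclosing function starts and ends outside the hunk, so the right failure path is not visible here.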
diff -u -r -N squid-3.3.8/src/ssl/certificate_db.cc squid-3.3.9/src/ssl/certificate_db.cc
--- squid-3.3.8/src/ssl/certificate_db.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ssl/certificate_db.cc	2013-09-11 16:08:38.000000000 +1200
@@ -23,7 +23,7 @@
 
 Ssl::Lock::Lock(std::string const &aFilename) :
         filename(aFilename),
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         hFile(INVALID_HANDLE_VALUE)
 #else
         fd(-1)
@@ -33,7 +33,7 @@
 
 bool Ssl::Lock::locked() const
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     return hFile != INVALID_HANDLE_VALUE;
 #else
     return fd != -1;
@@ -43,7 +43,7 @@
 void Ssl::Lock::lock()
 {
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     hFile = CreateFile(TEXT(filename.c_str()), GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
     if (hFile == INVALID_HANDLE_VALUE)
 #else
@@ -52,7 +52,7 @@
 #endif
         throw std::runtime_error("Failed to open file " + filename);
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (!LockFile(hFile, 0, 0, 1, 0))
 #else
     if (flock(fd, LOCK_EX) != 0)
@@ -62,7 +62,7 @@
 
 void Ssl::Lock::unlock()
 {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     if (hFile != INVALID_HANDLE_VALUE) {
         UnlockFile(hFile, 0, 0, 1, 0);
         CloseHandle(hFile);
diff -u -r -N squid-3.3.8/src/ssl/certificate_db.h squid-3.3.9/src/ssl/certificate_db.h
--- squid-3.3.8/src/ssl/certificate_db.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ssl/certificate_db.h	2013-09-11 16:08:38.000000000 +1200
@@ -23,7 +23,7 @@
     const char *name() const { return filename.c_str(); }
 private:
     std::string filename;
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     HANDLE hFile; ///< Windows file handle.
 #else
     int fd; ///< Linux file descriptor.
diff -u -r -N squid-3.3.8/src/ssl/ErrorDetail.cc squid-3.3.9/src/ssl/ErrorDetail.cc
--- squid-3.3.8/src/ssl/ErrorDetail.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ssl/ErrorDetail.cc	2013-09-11 16:08:38.000000000 +1200
@@ -87,6 +87,132 @@
      "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"},
     {X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
      "X509_V_ERR_KEYUSAGE_NO_CERTSIGN"},
+#if defined(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)
+    {
+        X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, //33
+        "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER"
+    },
+#endif
+#if defined(X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION)
+    {
+        X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION, //34
+        "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
+    },
+#endif
+#if defined(X509_V_ERR_KEYUSAGE_NO_CRL_SIGN)
+    {
+        X509_V_ERR_KEYUSAGE_NO_CRL_SIGN, //35
+        "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
+    },
+#endif
+#if defined(X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION)
+    {
+        X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION, //36
+        "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"
+    },
+#endif
+#if defined(X509_V_ERR_INVALID_NON_CA)
+    {
+        X509_V_ERR_INVALID_NON_CA, //37
+        "X509_V_ERR_INVALID_NON_CA"
+    },
+#endif
+#if defined(X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED)
+    {
+        X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED, //38
+        "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED"
+    },
+#endif
+#if defined(X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE)
+    {
+        X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE, //39
+        "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE"
+    },
+#endif
+#if defined(X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
+    {
+        X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, //40
+        "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED"
+    },
+#endif
+#if defined(X509_V_ERR_INVALID_EXTENSION)
+    {
+        X509_V_ERR_INVALID_EXTENSION, //41
+        "X509_V_ERR_INVALID_EXTENSION"
+    },
+#endif
+#if defined(X509_V_ERR_INVALID_POLICY_EXTENSION)
+    {
+        X509_V_ERR_INVALID_POLICY_EXTENSION, //42
+        "X509_V_ERR_INVALID_POLICY_EXTENSION"
+    },
+#endif
+#if defined(X509_V_ERR_NO_EXPLICIT_POLICY)
+    {
+        X509_V_ERR_NO_EXPLICIT_POLICY, //43
+        "X509_V_ERR_NO_EXPLICIT_POLICY"
+    },
+#endif
+#if defined(X509_V_ERR_DIFFERENT_CRL_SCOPE)
+    {
+        X509_V_ERR_DIFFERENT_CRL_SCOPE, //44
+        "X509_V_ERR_DIFFERENT_CRL_SCOPE"
+    },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE)
+    {
+        X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE, //45
+        "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE"
+    },
+#endif
+#if defined(X509_V_ERR_UNNESTED_RESOURCE)
+    {
+        X509_V_ERR_UNNESTED_RESOURCE, //46
+        "X509_V_ERR_UNNESTED_RESOURCE"
+    },
+#endif
+#if defined(X509_V_ERR_PERMITTED_VIOLATION)
+    {
+        X509_V_ERR_PERMITTED_VIOLATION, //47
+        "X509_V_ERR_PERMITTED_VIOLATION"
+    },
+#endif
+#if defined(X509_V_ERR_EXCLUDED_VIOLATION)
+    {
+        X509_V_ERR_EXCLUDED_VIOLATION, //48
+        "X509_V_ERR_EXCLUDED_VIOLATION"
+    },
+#endif
+#if defined(X509_V_ERR_SUBTREE_MINMAX)
+    {
+        X509_V_ERR_SUBTREE_MINMAX, //49
+        "X509_V_ERR_SUBTREE_MINMAX"
+    },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE)
+    {
+        X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE, //51
+        "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE"
+    },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX)
+    {
+        X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX, //52
+        "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX"
+    },
+#endif
+#if defined(X509_V_ERR_UNSUPPORTED_NAME_SYNTAX)
+    {
+        X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, //53
+        "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX"
+    },
+#endif
+#if defined(X509_V_ERR_CRL_PATH_VALIDATION_ERROR)
+    {
+        X509_V_ERR_CRL_PATH_VALIDATION_ERROR, //54
+        "X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
+    },
+#endif
     {X509_V_ERR_APPLICATION_VERIFICATION,
      "X509_V_ERR_APPLICATION_VERIFICATION"},
     { SSL_ERROR_NONE, "SSL_ERROR_NONE"},
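Review bot: Every entry added here is compiled only when the OpenSSL headers define the macro, so the set of error names this table knows varies with the OpenSSL version Squid was built against, and nothing in the hunk says so. A comment before the first `#if defined(X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER)` would help, for example `// codes below exist only in newer OpenSSL; names absent from the build headers are not in this table`. The trailing `//33` to `//54` values jump from 49 to 51. That gap is not a missing entry, since 50 is the `X509_V_ERR_APPLICATION_VERIFICATION` entry that follows the block, and the comment could say so. The table declaration and its lookup code are outside the hunk, so whether anything depends on entry order, or how an unknown name is reported, cannot be checked from here.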
diff -u -r -N squid-3.3.8/src/ssl/gadgets.cc squid-3.3.9/src/ssl/gadgets.cc
--- squid-3.3.8/src/ssl/gadgets.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ssl/gadgets.cc	2013-09-11 16:08:38.000000000 +1200
@@ -410,7 +410,7 @@
     serial = BN_bin2bn(md, n, NULL);
 
     // if the serial is "0" set it to '1'
-    if (BN_is_zero(serial))
+    if (BN_is_zero(serial) == true)
         BN_one(serial);
 
     // serial size does not exceed 20 bytes
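Review bot: `if (BN_is_zero(serial) == true)` compares an integer-valued OpenSSL test with the `bool` literal, which holds only while the test yields exactly 1; an explicit non-zero test, `if (BN_is_zero(serial) != 0)`, silences the compiler without that assumption. Separately, `serial` comes straight from `BN_bin2bn(md, n, NULL)` and no NULL check is visible before it is tested. Unless `serial` is a wrapper type that handles this, a failed conversion would reach `BN_is_zero()` with a null pointer. The function's start and its error-return convention are outside the hunk, so the exact form of that check is left open.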
diff -u -r -N squid-3.3.8/src/ssl/support.cc squid-3.3.9/src/ssl/support.cc
--- squid-3.3.8/src/ssl/support.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ssl/support.cc	2013-09-11 16:08:38.000000000 +1200
@@ -1488,11 +1488,7 @@
         if (X509_check_issued(certificate, certificate) == X509_V_OK)
             debugs(83, 5, "Certificate is self-signed, will not be chained");
         else {
-            if (sk_X509_push(chain, certificate))
-                CRYPTO_add(&(certificate->references), 1, CRYPTO_LOCK_X509);
-            else
-                debugs(83, DBG_IMPORTANT, "WARNING: unable to add signing certificate to cert chain");
-            // and add to the chain any certificate loaded from the file
+            // and add to the chain any other certificate exist in the file
             while (X509 *ca = PEM_read_bio_X509(bio.get(), NULL, NULL, NULL)) {
                 if (!sk_X509_push(chain, ca))
                     debugs(83, DBG_IMPORTANT, "WARNING: unable to add CA certificate to cert chain");
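Review bot: In the `while` loop a failed `sk_X509_push(chain, ca)` is only logged, so unless a line after the hunk releases it, the `X509` returned by `PEM_read_bio_X509()` is leaked on that path. Adding `X509_free(ca);` after the `debugs()` call, with braces around the two statements, would close it. The replacement comment is also hard to read; `// and add to the chain any other certificates present in the file` says the same thing. The loop body continues beyond the last line of the hunk.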
diff -u -r -N squid-3.3.8/src/ssl/support.h squid-3.3.9/src/ssl/support.h
--- squid-3.3.8/src/ssl/support.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/ssl/support.h	2013-09-11 16:08:38.000000000 +1200
@@ -244,7 +244,7 @@
 bool setClientSNI(SSL *ssl, const char *fqdn);
 } //namespace Ssl
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 #if defined(__cplusplus)
 
@@ -272,6 +272,6 @@
 
 #endif /* __cplusplus */
 
-#endif /* _SQUID_MSWIN_ */
+#endif /* _SQUID_WINDOWS_ */
 
 #endif /* SQUID_SSL_SUPPORT_H */
diff -u -r -N squid-3.3.8/src/store.cc squid-3.3.9/src/store.cc
--- squid-3.3.8/src/store.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/store.cc	2013-09-11 16:08:38.000000000 +1200
@@ -1952,6 +1952,17 @@
 }
 
 bool
+StoreEntry::hasEtag(ETag &etag) const
+{
+    if (const HttpReply *reply = getReply()) {
+        etag = reply->header.getETag(HDR_ETAG);
+        if (etag.str)
+            return true;
+    }
+    return false;
+}
+
+bool
 StoreEntry::hasIfMatchEtag(const HttpRequest &request) const
 {
     const String reqETags = request.header.getList(HDR_IF_MATCH);
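Review bot: `hasEtag()` assigns to the caller's `etag` before it knows whether the reply carries an ETag, so on the `return false` path with a reply present the out-parameter has already been overwritten. That does not match the `Store.h` comment "if yes, puts ETag value into parameter". Reading into a local first leaves the parameter untouched on failure: `const ETag found = reply->header.getETag(HDR_ETAG);` followed by `if (found.str) { etag = found; return true; }`. If overwriting is intended, the declaration comment in `Store.h` should state that `etag` is unspecified when the function returns false.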
diff -u -r -N squid-3.3.8/src/store_dir.cc squid-3.3.9/src/store_dir.cc
--- squid-3.3.8/src/store_dir.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/store_dir.cc	2013-09-11 16:08:38.000000000 +1200
@@ -127,7 +127,7 @@
      * The following is a workaround for create store directories sequentially
      * when running on native Windows port.
      */
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 
     if (fork())
         return;
@@ -136,7 +136,7 @@
 
     aStore.create();
 
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 
     exit(0);
 
@@ -148,7 +148,7 @@
 {
     swapDir->create();
 
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 
     pid_t pid;
 
diff -u -r -N squid-3.3.8/src/Store.h squid-3.3.9/src/Store.h
--- squid-3.3.8/src/Store.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/Store.h	2013-09-11 16:08:38.000000000 +1200
@@ -140,6 +140,8 @@
     bool hasIfMatchEtag(const HttpRequest &request) const;
     /// has ETag matching at least one of the If-None-Match etags
     bool hasIfNoneMatchEtag(const HttpRequest &request) const;
+    /// whether this entry has an ETag; if yes, puts ETag value into parameter
+    bool hasEtag(ETag &etag) const;
 
     /** What store does this entry belong too ? */
     virtual RefCount<SwapDir> store() const;
diff -u -r -N squid-3.3.8/src/tools.cc squid-3.3.9/src/tools.cc
--- squid-3.3.8/src/tools.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/tools.cc	2013-09-11 16:08:38.000000000 +1200
@@ -366,7 +366,7 @@
 #endif
 #endif /* PRINT_STACK_TRACE */
 
-#if SA_RESETHAND == 0 && !_SQUID_MSWIN_
+#if SA_RESETHAND == 0 && !_SQUID_WINDOWS_
     signal(SIGSEGV, SIG_DFL);
 
     signal(SIGBUS, SIG_DFL);
@@ -454,7 +454,7 @@
 void
 sig_child(int sig)
 {
-#if !_SQUID_MSWIN_
+#if !_SQUID_WINDOWS_
 #if _SQUID_NEXT_
     union wait status;
 #else
@@ -994,7 +994,7 @@
         debugs(50, DBG_CRITICAL, "sigaction: sig=" << sig << " func=" << func << ": " << xstrerror());
 
 #else
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
     /*
     On Windows, only SIGINT, SIGILL, SIGFPE, SIGTERM, SIGBREAK, SIGABRT and SIGSEGV signals
     are supported, so we must care of don't call signal() for other value.
diff -u -r -N squid-3.3.8/src/unlinkd.cc squid-3.3.9/src/unlinkd.cc
--- squid-3.3.8/src/unlinkd.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/unlinkd.cc	2013-09-11 16:08:38.000000000 +1200
@@ -149,7 +149,7 @@
 
 void
 unlinkdClose(void)
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 {
 
     if (unlinkd_wfd > -1) {
@@ -224,7 +224,7 @@
 #if USE_POLL && _SQUID_OSF_
               /* pipes and poll() don't get along on DUNIX -DW */
               IPC_STREAM,
-#elif _SQUID_MSWIN_
+#elif _SQUID_WINDOWS_
               /* select() will fail on a pipe */
               IPC_TCP_SOCKET,
 #else
@@ -265,7 +265,7 @@
 
     debugs(2, DBG_IMPORTANT, "Unlinkd pipe opened on FD " << unlinkd_wfd);
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     debugs(2, 4, "Unlinkd handle: 0x" << std::hex << hIpc << std::dec << ", PID: " << pid);
 
diff -u -r -N squid-3.3.8/src/win32.cc squid-3.3.9/src/win32.cc
--- squid-3.3.8/src/win32.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/win32.cc	2013-09-11 16:08:38.000000000 +1200
@@ -35,7 +35,7 @@
 #include "squid_windows.h"
 #include "win32.h"
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 #if HAVE_WIN32_PSAPI
 #include <psapi.h>
 #endif
diff -u -r -N squid-3.3.8/src/win32.h squid-3.3.9/src/win32.h
--- squid-3.3.8/src/win32.h	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/win32.h	2013-09-11 16:08:38.000000000 +1200
@@ -33,7 +33,7 @@
  *
  */
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
 #if HAVE_SYS_TIME_H
 #include <sys/time.h>
diff -u -r -N squid-3.3.8/src/WinSvc.cc squid-3.3.9/src/WinSvc.cc
--- squid-3.3.8/src/WinSvc.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/src/WinSvc.cc	2013-09-11 16:08:38.000000000 +1200
@@ -35,7 +35,7 @@
 #include "protos.h"
 #include "squid_windows.h"
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 #ifndef _MSWSOCK_
 #include <mswsock.h>
 #endif
diff -u -r -N squid-3.3.8/tools/cachemgr.cc squid-3.3.9/tools/cachemgr.cc
--- squid-3.3.8/tools/cachemgr.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/cachemgr.cc	2013-09-11 16:08:38.000000000 +1200
@@ -164,7 +164,7 @@
 
 static int check_target_acl(const char *hostname, int port);
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 static int s_iInitCount = 0;
 
 int Win32SockInit(void)
@@ -610,7 +610,7 @@
 read_reply(int s, cachemgr_request * req)
 {
     char buf[4 * 1024];
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     int reply;
     char *tmpfile = tempnam(NULL, "tmp0000");
@@ -634,7 +634,7 @@
         parse_menu = 1;
 
     if (fp == NULL) {
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
         perror(tmpfile);
         xfree(tmpfile);
 #else
@@ -646,7 +646,7 @@
         return 1;
     }
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     while ((reply=recv(s, buf , sizeof(buf), 0)) > 0)
         fwrite(buf, 1, reply, fp);
@@ -785,7 +785,7 @@
     }
 
     fclose(fp);
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     remove(tmpfile);
     xfree(tmpfile);
@@ -902,7 +902,7 @@
     cachemgr_request *req;
 
     now = time(NULL);
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     Win32SockInit();
     atexit(Win32SockCleanup);
@@ -1027,7 +1027,7 @@
     else
         return NULL;
 
-#if _SQUID_MSWIN_
+#if _SQUID_WINDOWS_
 
     if (strlen(buf) == 0 || strlen(buf) == 4000)
 #else
diff -u -r -N squid-3.3.8/tools/purge/conffile.cc squid-3.3.9/tools/purge/conffile.cc
--- squid-3.3.8/tools/purge/conffile.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/conffile.cc	2013-09-11 16:08:38.000000000 +1200
@@ -34,10 +34,6 @@
 // Initial revision
 //
 //
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
 #include "conffile.hh"
 #include <sys/types.h>
 #include <errno.h>
diff -u -r -N squid-3.3.8/tools/purge/conffile.hh squid-3.3.9/tools/purge/conffile.hh
--- squid-3.3.8/tools/purge/conffile.hh	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/conffile.hh	2013-09-11 16:08:38.000000000 +1200
@@ -39,16 +39,12 @@
 #define _CONFFILE_HH
 
 #if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
 #ifndef HAVE_BOOL
 #define HAVE_BOOL
 typedef int bool;
 #define false 0
 #define true  1
 #endif
-#endif
 #endif /* __cplusplus */
 
 
diff -u -r -N squid-3.3.8/tools/purge/convert.cc squid-3.3.9/tools/purge/convert.cc
--- squid-3.3.8/tools/purge/convert.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/convert.cc	2013-09-11 16:08:38.000000000 +1200
@@ -40,9 +40,6 @@
 // Initial revision
 //
 //
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
 
 #include "convert.hh"
 #include <string.h>
diff -u -r -N squid-3.3.8/tools/purge/convert.hh squid-3.3.9/tools/purge/convert.hh
--- squid-3.3.8/tools/purge/convert.hh	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/convert.hh	2013-09-11 16:08:38.000000000 +1200
@@ -39,16 +39,12 @@
 #define _CONVERT_HH
 
 #if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
 #ifndef HAVE_BOOL
 #define HAVE_BOOL 1
 typedef char bool;
 #define false 0
 #define true  1
 #endif
-#endif
 #endif /* __cplusplus */
 
 #include <sys/types.h>
diff -u -r -N squid-3.3.8/tools/purge/copyout.cc squid-3.3.9/tools/purge/copyout.cc
--- squid-3.3.8/tools/purge/copyout.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/copyout.cc	2013-09-11 16:08:38.000000000 +1200
@@ -35,10 +35,6 @@
 // Initial revision
 //
 //
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
 #include "squid.h"
 #include "copyout.hh"
 
diff -u -r -N squid-3.3.8/tools/purge/copyout.hh squid-3.3.9/tools/purge/copyout.hh
--- squid-3.3.8/tools/purge/copyout.hh	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/copyout.hh	2013-09-11 16:08:38.000000000 +1200
@@ -35,16 +35,12 @@
 #define _COPYOUT_HH
 
 #if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
 #ifndef HAVE_BOOL
 #define HAVE_BOOL
 typedef int bool;
 #define false 0
 #define true  1
 #endif
-#endif
 #endif /* __cplusplus */
 
 int
diff -u -r -N squid-3.3.8/tools/purge/purge.cc squid-3.3.9/tools/purge/purge.cc
--- squid-3.3.8/tools/purge/purge.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/purge.cc	2013-09-11 16:08:38.000000000 +1200
@@ -90,10 +90,6 @@
 // Initial revision
 //
 //
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
 #include "squid.h"
 #include "util.h"
 
diff -u -r -N squid-3.3.8/tools/purge/signal.cc squid-3.3.9/tools/purge/signal.cc
--- squid-3.3.8/tools/purge/signal.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/signal.cc	2013-09-11 16:08:38.000000000 +1200
@@ -41,11 +41,6 @@
 // Initial revision
 //
 //
-
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
 #include "squid.h"
 #include "signal.hh"
 
diff -u -r -N squid-3.3.8/tools/purge/signal.hh squid-3.3.9/tools/purge/signal.hh
--- squid-3.3.8/tools/purge/signal.hh	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/signal.hh	2013-09-11 16:08:38.000000000 +1200
@@ -55,16 +55,12 @@
 #endif
 
 #if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
 #ifndef HAVE_BOOL
 #define HAVE_BOOL
 typedef int bool;
 #define false 0
 #define true  1
 #endif
-#endif
 #endif /* __cplusplus */
 
 #if 1 // so far, all systems I know use void
diff -u -r -N squid-3.3.8/tools/purge/socket.cc squid-3.3.9/tools/purge/socket.cc
--- squid-3.3.8/tools/purge/socket.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/socket.cc	2013-09-11 16:08:38.000000000 +1200
@@ -42,10 +42,6 @@
 // Initial revision
 //
 //
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
 #include "socket.hh"
 #include <netinet/tcp.h>
 #include <arpa/inet.h>
diff -u -r -N squid-3.3.8/tools/purge/socket.hh squid-3.3.9/tools/purge/socket.hh
--- squid-3.3.8/tools/purge/socket.hh	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/socket.hh	2013-09-11 16:08:38.000000000 +1200
@@ -45,16 +45,12 @@
 #define _SOCKET_HH
 
 #if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
 #ifndef HAVE_BOOL
 #define HAVE_BOOL
 typedef int bool;
 #define false 0
 #define true  1
 #endif
-#endif
 #endif /* __cplusplus */
 
 #include <sys/types.h>
diff -u -r -N squid-3.3.8/tools/purge/squid-tlv.cc squid-3.3.9/tools/purge/squid-tlv.cc
--- squid-3.3.8/tools/purge/squid-tlv.cc	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/squid-tlv.cc	2013-09-11 16:08:38.000000000 +1200
@@ -32,10 +32,6 @@
 // Initial revision
 //
 //
-#if (defined(__GNUC__) || defined(__GNUG__)) && !defined(__clang__)
-#pragma implementation
-#endif
-
 #include "squid.h"
 //#include <assert.h>
 #include "squid-tlv.hh"
diff -u -r -N squid-3.3.8/tools/purge/squid-tlv.hh squid-3.3.9/tools/purge/squid-tlv.hh
--- squid-3.3.8/tools/purge/squid-tlv.hh	2013-07-14 01:25:14.000000000 +1200
+++ squid-3.3.9/tools/purge/squid-tlv.hh	2013-09-11 16:08:38.000000000 +1200
@@ -35,16 +35,12 @@
 #define SQUID_TLV_HH
 
 #if !defined(__cplusplus)
-#if defined(__GNUC__) || defined(__GNUG__)
-#pragma interface
-#else
 #ifndef HAVE_BOOL
 #define HAVE_BOOL
 typedef int bool;
 #define false 0
 #define true  1
 #endif
-#endif
 #endif /* __cplusplus */
 
 #include <sys/types.h>
