[PATCH] squid 3.5.25: latest patches (14155-14167)

[PATCH] squid 3.5.25: latest patches (14155-14167)

[Matthias Fischer]

[-- Attachment #1: Type: text/plain, Size: 44587 bytes --]

For details see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/squid                               |  13 +++
 src/patches/squid/squid-3.5-14155.patch |  46 ++++++++
 src/patches/squid/squid-3.5-14156.patch |  44 ++++++++
 src/patches/squid/squid-3.5-14157.patch |  34 ++++++
 src/patches/squid/squid-3.5-14158.patch |  46 ++++++++
 src/patches/squid/squid-3.5-14159.patch |  35 ++++++
 src/patches/squid/squid-3.5-14160.patch |  39 +++++++
 src/patches/squid/squid-3.5-14161.patch |  52 +++++++++
 src/patches/squid/squid-3.5-14162.patch | 133 +++++++++++++++++++++++
 src/patches/squid/squid-3.5-14163.patch | 103 ++++++++++++++++++
 src/patches/squid/squid-3.5-14164.patch | 103 ++++++++++++++++++
 src/patches/squid/squid-3.5-14165.patch |  51 +++++++++
 src/patches/squid/squid-3.5-14166.patch |  47 +++++++++
 src/patches/squid/squid-3.5-14167.patch | 181 ++++++++++++++++++++++++++++++++
 14 files changed, 927 insertions(+)
 create mode 100644 src/patches/squid/squid-3.5-14155.patch
 create mode 100644 src/patches/squid/squid-3.5-14156.patch
 create mode 100644 src/patches/squid/squid-3.5-14157.patch
 create mode 100644 src/patches/squid/squid-3.5-14158.patch
 create mode 100644 src/patches/squid/squid-3.5-14159.patch
 create mode 100644 src/patches/squid/squid-3.5-14160.patch
 create mode 100644 src/patches/squid/squid-3.5-14161.patch
 create mode 100644 src/patches/squid/squid-3.5-14162.patch
 create mode 100644 src/patches/squid/squid-3.5-14163.patch
 create mode 100644 src/patches/squid/squid-3.5-14164.patch
 create mode 100644 src/patches/squid/squid-3.5-14165.patch
 create mode 100644 src/patches/squid/squid-3.5-14166.patch
 create mode 100644 src/patches/squid/squid-3.5-14167.patch

diff --git a/lfs/squid b/lfs/squid
index 70d83b04c..49db48a65 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -70,6 +70,19 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14155.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14156.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14157.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14158.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14159.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14160.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14161.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14162.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14163.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14164.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14165.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14166.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14167.patch
 	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.25-fix-max-file-descriptors.patch
 
 	cd $(DIR_APP) && autoreconf -vfi
diff --git a/src/patches/squid/squid-3.5-14155.patch b/src/patches/squid/squid-3.5-14155.patch
new file mode 100644
index 000000000..d110289f7
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14155.patch
@@ -0,0 +1,46 @@
+------------------------------------------------------------
+revno: 14155
+revision-id: squid3(a)treenet.co.nz-20170504061416-ks61dfut8wyml2qu
+parent: squid3(a)treenet.co.nz-20170402121452-ox6d8ttzlmbov3xm
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
+author: Christos Tsantilas <chtsanti(a)users.sourceforge.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Thu 2017-05-04 18:14:16 +1200
+message:
+  Bug 4682: Fix ssl_bump "bump" action documentation
+  
+  Fixes squid documentation to correctly describe the squid behavior  when the
+  "bump" action is selected on step SslBump1. In this case squid selects
+  the client-first bumping mode.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170504061416-ks61dfut8wyml2qu
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: f3b4861a085e069948da25398782237609037c5f
+# timestamp: 2017-05-04 06:16:54 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170402121452-\
+#   ox6d8ttzlmbov3xm
+# 
+# Begin patch
+=== modified file 'src/cf.data.pre'
+--- src/cf.data.pre	2017-03-31 23:38:31 +0000
++++ src/cf.data.pre	2017-05-04 06:14:16 +0000
+@@ -2669,8 +2669,11 @@
+ 		This is the default action.
+ 
+ 	    bump
+-		Establish a secure connection with the server and, using a
+-		mimicked server certificate, with the client.
++		When used on step SslBump1, establishes a secure connection
++		with the client first, then connect to the server.
++		When used on step SslBump2 or SslBump3, establishes a secure
++		connection with the server and, using a mimicked server
++		certificate, with the client.
+ 
+ 	    peek
+ 		Receive client (step SslBump1) or server (step SslBump2)
+
diff --git a/src/patches/squid/squid-3.5-14156.patch b/src/patches/squid/squid-3.5-14156.patch
new file mode 100644
index 000000000..59e58a5d7
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14156.patch
@@ -0,0 +1,44 @@
+------------------------------------------------------------
+revno: 14156
+revision-id: squid3(a)treenet.co.nz-20170508110920-73gma737u4x6ce87
+parent: squid3(a)treenet.co.nz-20170504061416-ks61dfut8wyml2qu
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4695
+author: Lubos Uhliarik <luhliari(a)redhat.com>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-08 23:09:20 +1200
+message:
+  Bug 4695: squidpurge: GCC 7 build errors
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170508110920-73gma737u4x6ce87
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: a0f0c573b5be3d81cf0f8e65ae52bf27bd08dba5
+# timestamp: 2017-05-08 11:51:08 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170504061416-\
+#   ks61dfut8wyml2qu
+# 
+# Begin patch
+=== modified file 'tools/purge/purge.cc'
+--- tools/purge/purge.cc	2017-01-01 00:16:45 +0000
++++ tools/purge/purge.cc	2017-05-08 11:09:20 +0000
+@@ -272,7 +272,7 @@
+         snprintf( md5, sizeof(md5), "%-32s", "(no_md5_data_available)" );
+     }
+ 
+-    char timeb[64];
++    char timeb[256];
+     if ( meta && (findings = meta->search( STORE_META_STD )) ) {
+         StoreMetaStd temp;
+         // make data aligned, avoid SIGBUS on RISC machines (ARGH!)
+@@ -283,7 +283,7 @@
+     } else if ( meta && (findings = meta->search( STORE_META_STD_LFS )) ) {
+         StoreMetaStdLFS temp;
+         // make data aligned, avoid SIGBUS on RISC machines (ARGH!)
+-        memcpy( &temp, findings->data, sizeof(StoreMetaStd) );
++        memcpy( &temp, findings->data, sizeof(StoreMetaStdLFS) );
+         snprintf( timeb, sizeof(timeb), "%08lx %08lx %08lx %08lx %04x %5hu ",
+                   (unsigned long)temp.timestamp, (unsigned long)temp.lastref,
+                   (unsigned long)temp.expires, (unsigned long)temp.lastmod, temp.flags, temp.refcount );
+
diff --git a/src/patches/squid/squid-3.5-14157.patch b/src/patches/squid/squid-3.5-14157.patch
new file mode 100644
index 000000000..39d298c7d
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14157.patch
@@ -0,0 +1,34 @@
+------------------------------------------------------------
+revno: 14157
+revision-id: squid3(a)treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
+parent: squid3(a)treenet.co.nz-20170508110920-73gma737u4x6ce87
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4589
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:21:16 +1200
+message:
+  Bug 4589: ssl_crtd: returning zero on failure
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ad29dd184416dc47dee80234c541185cca166bb3
+# timestamp: 2017-05-29 04:39:57 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170508110920-\
+#   73gma737u4x6ce87
+# 
+# Begin patch
+=== modified file 'src/ssl/ssl_crtd.cc'
+--- src/ssl/ssl_crtd.cc	2017-01-01 00:16:45 +0000
++++ src/ssl/ssl_crtd.cc	2017-05-29 04:21:16 +0000
+@@ -350,7 +350,7 @@
+         }
+     } catch (std::runtime_error & error) {
+         std::cerr << argv[0] << ": " << error.what() << std::endl;
+-        return 0;
++        return -1;
+     }
+     return 0;
+ }
+
diff --git a/src/patches/squid/squid-3.5-14158.patch b/src/patches/squid/squid-3.5-14158.patch
new file mode 100644
index 000000000..f0ed0f0d6
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14158.patch
@@ -0,0 +1,46 @@
+------------------------------------------------------------
+revno: 14158
+revision-id: squid3(a)treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
+parent: squid3(a)treenet.co.nz-20170529042116-kp9naxxmdsqicpjv
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3102
+author: Martin von Gagern <martin.vgagern(a)gmx.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:36:11 +1200
+message:
+  Bug 3102: FTP directory listing drops fist character of file names
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 60a5f01fc9c9967c55c651c31546cb1067325705
+# timestamp: 2017-05-29 04:39:59 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529042116-\
+#   kp9naxxmdsqicpjv
+# 
+# Begin patch
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc	2017-02-26 08:50:09 +0000
++++ src/clients/FtpGateway.cc	2017-05-29 04:36:11 +0000
+@@ -626,10 +626,17 @@
+                 while (strchr(w_space, *copyFrom))
+                     ++copyFrom;
+             } else {
+-                /* XXX assumes a single space between date and filename
++                /* Handle the following four formats:
++                 * "MMM DD  YYYY Name"
++                 * "MMM DD  YYYYName"
++                 * "MMM DD YYYY  Name"
++                 * "MMM DD YYYY Name"
++                 * Assuming a single space between date and filename
+                  * suggested by:  Nathan.Bailey(a)cc.monash.edu.au and
+                  * Mike Battersby <mike(a)starbug.bofh.asn.au> */
+-                copyFrom += strlen(tbuf) + 1;
++                copyFrom += strlen(tbuf);
++                if (strchr(w_space, *copyFrom))
++                    ++copyFrom;
+             }
+ 
+             p->name = xstrdup(copyFrom);
+
diff --git a/src/patches/squid/squid-3.5-14159.patch b/src/patches/squid/squid-3.5-14159.patch
new file mode 100644
index 000000000..a50f470c7
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14159.patch
@@ -0,0 +1,35 @@
+------------------------------------------------------------
+revno: 14159
+revision-id: squid3(a)treenet.co.nz-20170529043741-9chwfs5onxuip52x
+parent: squid3(a)treenet.co.nz-20170529043611-1hyb93ivtu5wrdwg
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3772
+author: Rainer Tammer <rainer.tammer(a)schulergroup.com>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:37:41 +1200
+message:
+  Bug 3772: message from FTP server gets mangled
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529043741-9chwfs5onxuip52x
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 800db5dab62d996440fd6fccd35e9f1f34f2f0e1
+# timestamp: 2017-05-29 04:40:02 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529043611-\
+#   1hyb93ivtu5wrdwg
+# 
+# Begin patch
+=== modified file 'src/clients/FtpGateway.cc'
+--- src/clients/FtpGateway.cc	2017-05-29 04:36:11 +0000
++++ src/clients/FtpGateway.cc	2017-05-29 04:37:41 +0000
+@@ -1541,7 +1541,7 @@
+         /* Reset cwd_message to only include the last message */
+         ftpState->cwd_message.reset("");
+         for (wordlist *w = ftpState->ctrl.message; w; w = w->next) {
+-            ftpState->cwd_message.append(' ');
++            ftpState->cwd_message.append('\n');
+             ftpState->cwd_message.append(w->key);
+         }
+         ftpState->ctrl.message = NULL;
+
diff --git a/src/patches/squid/squid-3.5-14160.patch b/src/patches/squid/squid-3.5-14160.patch
new file mode 100644
index 000000000..9f5122c5a
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14160.patch
@@ -0,0 +1,39 @@
+------------------------------------------------------------
+revno: 14160
+revision-id: squid3(a)treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
+parent: squid3(a)treenet.co.nz-20170529043741-9chwfs5onxuip52x
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 16:38:52 +1200
+message:
+  Add OpenSSL library details to -v output
+  
+  This is partially to meet the OpenSSL copyright requirement that binaries
+  mention when they are using the library, and partially for admin to see
+  which library their Squid is using when multiple are present in the system.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: c401fe3de5518102ac6a3a4dc7b121ac415c05d4
+# timestamp: 2017-05-29 04:40:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529043741-\
+#   9chwfs5onxuip52x
+# 
+# Begin patch
+=== modified file 'src/main.cc'
+--- src/main.cc	2017-02-26 08:52:45 +0000
++++ src/main.cc	2017-05-29 04:38:52 +0000
+@@ -563,6 +563,10 @@
+             printf("Service Name: " SQUIDSBUFPH "\n", SQUIDSBUFPRINT(service_name));
+             if (strlen(SQUID_BUILD_INFO))
+                 printf("%s\n",SQUID_BUILD_INFO);
++#if USE_OPENSSL
++            printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION));
++            printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
++#endif
+             printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
+ 
+ #if USE_WIN32_SERVICE
+
diff --git a/src/patches/squid/squid-3.5-14161.patch b/src/patches/squid/squid-3.5-14161.patch
new file mode 100644
index 000000000..d3aaa2d35
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14161.patch
@@ -0,0 +1,52 @@
+------------------------------------------------------------
+revno: 14161
+revision-id: squid3(a)treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
+parent: squid3(a)treenet.co.nz-20170529043852-zkf91gxhaqdj0rkn
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
+author: Christos Tsantilas <chtsanti(a)users.sourceforge.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 17:33:59 +1200
+message:
+  Bug 4653: %st lies about tunneled traffic volumes
+  
+  Squid-5 and squid-4 does not count the "HTTP/1.1 200 Connection Established"
+  header size for %<st formatting code.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: c340785d0d5042ae0f783d606f0998d605290ac4
+# timestamp: 2017-05-29 05:51:04 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529043852-\
+#   zkf91gxhaqdj0rkn
+# 
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc	2017-01-01 00:16:45 +0000
++++ src/tunnel.cc	2017-05-29 05:33:59 +0000
+@@ -836,7 +836,7 @@
+  * Call the tunnelStartShoveling to start the blind pump.
+  */
+ static void
+-tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag flag, int xerrno, void *data)
++tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int, void *data)
+ {
+     TunnelStateData *tunnelState = (TunnelStateData *)data;
+     debugs(26, 3, HERE << conn << ", flag=" << flag);
+@@ -848,6 +848,11 @@
+         return;
+     }
+ 
++    if (ClientHttpRequest *http = tunnelState->http.get()) {
++        http->out.headers_sz += len;
++        http->out.size += len;
++    }
++
+     tunnelStartShoveling(tunnelState);
+ }
+ 
+
diff --git a/src/patches/squid/squid-3.5-14162.patch b/src/patches/squid/squid-3.5-14162.patch
new file mode 100644
index 000000000..140aea732
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14162.patch
@@ -0,0 +1,133 @@
+------------------------------------------------------------
+revno: 14162
+revision-id: squid3(a)treenet.co.nz-20170529055234-790hfbazjwy0fmk4
+parent: squid3(a)treenet.co.nz-20170529053359-xtbuev2zwmdfj9mp
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4711
+author: Christos Tsantilas <chtsanti(a)users.sourceforge.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 17:52:34 +1200
+message:
+  Bug 4711: SubjectAlternativeNames is missing in some generated certificates
+  
+  Squid may generate certificates which have a Common Name, but do not have
+  a subjectAltName extension. For example when squid generated certificates
+  do not mimic an origin certificate or when the certificate adaptation
+  algorithm sslproxy_cert_adapt/setCommonName is used.
+  
+  This is causes problems to some browsers, which validates a certificate using
+  the SubjectAlternativeNames but ignore the CommonName field.
+  
+  This patch fixes squid to always add a SubjectAlternativeNames extension in
+  generated certificates which do not mimic an origin certificate.
+  
+  Squid still will not add a subjectAltName extension when mimicking an origin
+  server certificate, even if that origin server certificate does not include
+  the subjectAltName extension. Such origin server may have problems when
+  talking directly to browsers, and patched Squid is not trying to fix those
+  problems.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529055234-790hfbazjwy0fmk4
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: e3162152cf590c8126eb3d189ea1ab90ba9a5c37
+# timestamp: 2017-05-29 05:54:13 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529053359-\
+#   xtbuev2zwmdfj9mp
+# 
+# Begin patch
+=== modified file 'src/ssl/gadgets.cc'
+--- src/ssl/gadgets.cc	2017-01-01 00:16:45 +0000
++++ src/ssl/gadgets.cc	2017-05-29 05:52:34 +0000
+@@ -339,7 +339,40 @@
+     return added;
+ }
+ 
+-static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
++/// Adds a new subjectAltName extension contining Subject CN or returns false
++/// expects the caller to check for the existing subjectAltName extension
++static bool
++addAltNameWithSubjectCn(Ssl::X509_Pointer &cert)
++{
++    X509_NAME *name = X509_get_subject_name(cert.get());
++    if (!name)
++        return false;
++
++    const int loc = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
++    if (loc < 0)
++        return false;
++
++    ASN1_STRING *cn_data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, loc));
++    if (!cn_data)
++        return false;
++
++    char dnsName[1024]; // DNS names are limited to 256 characters
++    const int res = snprintf(dnsName, sizeof(dnsName), "DNS:%*s", cn_data->length, cn_data->data);
++    if (res <= 0 || res >= static_cast<int>(sizeof(dnsName)))
++        return false;
++
++    X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, NID_subject_alt_name, dnsName);
++    if (!ext)
++        return false;
++
++    const bool result = X509_add_ext(cert.get(), ext, -1);
++
++    X509_EXTENSION_free(ext);
++    return result;
++}
++
++static bool
++buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
+ {
+     // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
+     // returns a pointer to the existing subject name. Nothing to clean here.
+@@ -387,6 +420,8 @@
+     } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
+         return false;
+ 
++    int addedExtensions = 0;
++    bool useCommonNameAsAltName = true;
+     // mimic the alias and possibly subjectAltName
+     if (properties.mimicCert.get()) {
+         unsigned char *alStr;
+@@ -396,26 +431,29 @@
+             X509_alias_set1(cert.get(), alStr, alLen);
+         }
+ 
+-        int addedExtensions = 0;
+-
+         // Mimic subjectAltName unless we used a configured CN: browsers reject
+         // certificates with CN unrelated to subjectAltNames.
+         if (!properties.setCommonName) {
+-            int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
++            int pos = X509_get_ext_by_NID(properties.mimicCert.get(), NID_subject_alt_name, -1);
+             X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
+             if (ext) {
+                 if (X509_add_ext(cert.get(), ext, -1))
+                     ++addedExtensions;
+             }
++            // We want to mimic the server-sent subjectAltName, not enhance it.
++            useCommonNameAsAltName = false;
+         }
+ 
+         addedExtensions += mimicExtensions(cert, properties.mimicCert);
+-
+-        // According to RFC 5280, using extensions requires v3 certificate.
+-        if (addedExtensions)
+-            X509_set_version(cert.get(), 2); // value 2 means v3
+     }
+ 
++    if (useCommonNameAsAltName && addAltNameWithSubjectCn(cert))
++        ++addedExtensions;
++
++    // According to RFC 5280, using extensions requires v3 certificate.
++    if (addedExtensions)
++        X509_set_version(cert.get(), 2); // value 2 means v3
++
+     return true;
+ }
+ 
+
diff --git a/src/patches/squid/squid-3.5-14163.patch b/src/patches/squid/squid-3.5-14163.patch
new file mode 100644
index 000000000..d4e27b7eb
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14163.patch
@@ -0,0 +1,103 @@
+------------------------------------------------------------
+revno: 14163
+revision-id: squid3(a)treenet.co.nz-20170529062945-gf7u7dukaumjof74
+parent: squid3(a)treenet.co.nz-20170529055234-790hfbazjwy0fmk4
+author: Ingo Schwarze, Francesco Chemolli <kinkie(a)squid-cache.org>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 18:29:45 +1200
+message:
+  Docs: Improve formatting of several manual pages
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529062945-gf7u7dukaumjof74
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: b417bbc7ffb2351fb670e7baa721b9d9b8315024
+# timestamp: 2017-05-29 06:33:51 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529055234-\
+#   790hfbazjwy0fmk4
+# 
+# Begin patch
+=== modified file 'helpers/basic_auth/LDAP/basic_ldap_auth.8'
+--- helpers/basic_auth/LDAP/basic_ldap_auth.8	2017-03-31 23:47:47 +0000
++++ helpers/basic_auth/LDAP/basic_ldap_auth.8	2017-05-29 06:29:45 +0000
+@@ -5,9 +5,9 @@
+ .
+ .SH SYNOPSIS
+ .if !'po4a'hide' .B basic_ldap_auth
+-.if !'po4a'hide' .B \-b\ \"
++.if !'po4a'hide' .B \-b\ \(dq
+ base DN
+-.if !'po4a'hide' .B \"\ [\-u
++.if !'po4a'hide' .B \(dq\ [\-u
+ attribute
+ .if !'po4a'hide' .B ]\ [
+ options
+@@ -20,11 +20,11 @@
+ .if !'po4a'hide' .B ]...
+ .br
+ .if !'po4a'hide' .B basic_ldap_auth
+-.if !'po4a'hide' .B \-b\ \"
++.if !'po4a'hide' .B \-b\ \(dq
+ base DN
+-.if !'po4a'hide' .B \"\ \-f\ \"
++.if !'po4a'hide' .B \(dq\ \-f\ \(dq
+ LDAP search filter
+-.if !'po4a'hide' .B \"\ [
++.if !'po4a'hide' .B \(dq\ [
+ options
+ .if !'po4a'hide' .B ]\ [
+ LDAP server name
+@@ -74,7 +74,7 @@
+ The search filter can contain up to 15 occurrences of
+ .B %s
+ which will be replaced by the username, as in
+-.B "\"uid\=%s\""
++.B "\(dquid\=%s\(dq"
+ for RFC2037 directories. For a detailed description of LDAP search
+ filter syntax see RFC2254.
+ .br
+
+=== modified file 'helpers/basic_auth/RADIUS/basic_radius_auth.8'
+--- helpers/basic_auth/RADIUS/basic_radius_auth.8	2017-01-01 00:16:45 +0000
++++ helpers/basic_auth/RADIUS/basic_radius_auth.8	2017-05-29 06:29:45 +0000
+@@ -9,9 +9,9 @@
+ config file
+ .br
+ .if !'po4a'hide' .B basic_radius_auth
+-.if !'po4a'hide' .B "\-h \""
++.if !'po4a'hide' .B "\-h \(dq"
+ server name
+-.if !'po4a'hide' .B "\" [\-p "
++.if !'po4a'hide' .B "\(dq [\-p "
+ port
+ .if !'po4a'hide' .B "] [\-i "
+ identifier
+
+=== modified file 'helpers/external_acl/file_userip/ext_file_userip_acl.8'
+--- helpers/external_acl/file_userip/ext_file_userip_acl.8	2017-01-01 00:16:45 +0000
++++ helpers/external_acl/file_userip/ext_file_userip_acl.8	2017-05-29 06:29:45 +0000
+@@ -68,7 +68,7 @@
+ .B ALL 
+ and 
+ .B NONE 
+-, which mean \"any user on this IP address may authenticate\" or \"no user on this IP address may authenticate\".
++, which mean \(dqany user on this IP address may authenticate\(dq or \(dqno user on this IP address may authenticate\(dq.
+ .
+ .SH AUTHOR
+ This program was written by
+
+=== modified file 'tools/squidclient/squidclient.1'
+--- tools/squidclient/squidclient.1	2017-01-01 00:16:45 +0000
++++ tools/squidclient/squidclient.1	2017-05-29 06:29:45 +0000
+@@ -86,7 +86,7 @@
+ .if !'po4a'hide' .TP
+ .if !'po4a'hide' .B "\-H 'string'"
+ Extra headers to send. Use
+-.B '\\n'
++.B '\en'
+ for new lines.
+ .
+ .if !'po4a'hide' .TP
+
diff --git a/src/patches/squid/squid-3.5-14164.patch b/src/patches/squid/squid-3.5-14164.patch
new file mode 100644
index 000000000..9e64909c3
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14164.patch
@@ -0,0 +1,103 @@
+------------------------------------------------------------
+revno: 14164
+revision-id: squid3(a)treenet.co.nz-20170529063645-qmu68scq9go0wbqr
+parent: squid3(a)treenet.co.nz-20170529062945-gf7u7dukaumjof74
+author: Alex Rousskov <rousskov(a)measurement-factory.com>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 18:36:45 +1200
+message:
+  Fix xstrndup() documentation, callers. Disclosed implementation bugs.
+  
+  xstrndup() does not work like strndup(3), and some callers got confused:
+  
+  1. When n is the str length or less, standard strndup(str,n) copies all
+     n bytes but our xstrndup(str,n) drops the last one. Thus, all callers
+     must add one to the desired result length when calling xstrndup().
+     Most already do, but it is often hard to see due to low code quality
+     (e.g., one must remember that MAX_URL is not the maximum URL length).
+  
+  2. xstrndup() also assumes that the source string is 0-terminated. This
+     dangerous assumption does not contradict many official strndup(3)
+     descriptions, but that lack of contradiction is actually a recently
+     fixed POSIX documentation bug (i.e., correct implementations must not
+     assume 0-termination): http://austingroupbugs.net/view.php?id=1019
+  
+  The OutOfBoundsException bug led to truncated exception messages.
+  
+  The ESI bug led to truncated 'literal strings', but I do not know what
+  that means in terms of user impact. That ESI fix is untested.
+  
+  cachemgr.cc bug was masked by the fact that the buffer ends with \n
+  that is unused and stripped by the custom xstrtok() implementation.
+  
+  TODO. Fix xstrndup() implementation (and rename the function so that
+  fixed callers do not misbehave if carelessly ported to older Squids).
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529063645-qmu68scq9go0wbqr
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: 7321050a4405a155a8fe02f7125e446b9516dd51
+# timestamp: 2017-05-29 06:51:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529062945-\
+#   gf7u7dukaumjof74
+# 
+# Begin patch
+=== modified file 'compat/xstring.h'
+--- compat/xstring.h	2017-01-01 00:16:45 +0000
++++ compat/xstring.h	2017-05-29 06:36:45 +0000
+@@ -41,7 +41,10 @@
+ char *xstrncpy(char *dst, const char *src, size_t n);
+ 
+ /**
+- * xstrndup() - same as strndup(3).  Used for portability.
++ * xstrndup() - Somewhat similar(XXX) to strndup(3): Allocates up to n bytes,
++ * while strndup(3) copies up to n bytes and allocates up to n+1 bytes
++ * to fit the terminating character. Assumes s is 0-terminated (another XXX).
++ *
+  * Never returns NULL; fatal on error.
+  *
+  * Sets errno to EINVAL if a NULL pointer or negative
+
+=== modified file 'src/SBufExceptions.cc'
+--- src/SBufExceptions.cc	2017-01-01 00:16:45 +0000
++++ src/SBufExceptions.cc	2017-05-29 06:36:45 +0000
+@@ -25,9 +25,7 @@
+         explanatoryText.appendf(" in file %s", aFileName);
+     explanatoryText.appendf(" while accessing position %d in a SBuf long %d",
+                             pos, throwingBuf.length());
+-    // we can safely alias c_str as both are local to the object
+-    //  and will not further manipulated.
+-    message = xstrndup(explanatoryText.c_str(),explanatoryText.length());
++    message = xstrdup(explanatoryText.c_str());
+ }
+ 
+ OutOfBoundsException::~OutOfBoundsException() throw()
+
+=== modified file 'src/esi/Expression.cc'
+--- src/esi/Expression.cc	2017-01-01 00:16:45 +0000
++++ src/esi/Expression.cc	2017-05-29 06:36:45 +0000
+@@ -743,7 +743,7 @@
+             /* Special case for zero length strings */
+ 
+             if (t - s - 1)
+-                rv.value.string = xstrndup(s + 1, t - s - 1);
++                rv.value.string = xstrndup(s + 1, t - (s + 1) + 1);
+             else
+                 rv.value.string = static_cast<char *>(xcalloc(1,1));
+ 
+
+=== modified file 'tools/cachemgr.cc'
+--- tools/cachemgr.cc	2017-01-01 00:16:45 +0000
++++ tools/cachemgr.cc	2017-05-29 06:36:45 +0000
+@@ -440,7 +440,7 @@
+         return;
+     }
+ 
+-    buf_copy = x = xstrndup(buf, bufLen);
++    buf_copy = x = xstrndup(buf, bufLen+1);
+ 
+     a = xstrtok(&x, '\t');
+ 
+
diff --git a/src/patches/squid/squid-3.5-14165.patch b/src/patches/squid/squid-3.5-14165.patch
new file mode 100644
index 000000000..317cd8dd3
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14165.patch
@@ -0,0 +1,51 @@
+------------------------------------------------------------
+revno: 14165
+revision-id: squid3(a)treenet.co.nz-20170529071037-o91o8xvaqata5y2b
+parent: squid3(a)treenet.co.nz-20170529063645-qmu68scq9go0wbqr
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4682
+author: Christos Tsantilas <chtsanti(a)users.sourceforge.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Mon 2017-05-29 19:10:37 +1200
+message:
+  Bug 4682: ignoring http_access deny when client-first bumping mode is used
+  
+  Squid fails to identify HTTP requests which are tunneled inside an already
+  established client-first bumped tunnel, and this is results in ignoring
+  http_access denied for these requests.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529071037-o91o8xvaqata5y2b
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: f77b81826612d7248fb774ef1ea00747cd04d479
+# timestamp: 2017-05-29 07:51:03 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529063645-\
+#   qmu68scq9go0wbqr
+# 
+# Begin patch
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc	2017-03-30 13:31:22 +0000
++++ src/client_side_request.cc	2017-05-29 07:10:37 +0000
+@@ -1424,7 +1424,17 @@
+     if (bumpMode != Ssl::bumpEnd) {
+         debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
+                "), " << "ignoring ssl_bump for " << http->getConn());
+-        if (!http->getConn()->serverBump())
++
++        // We need the following "if" for transparently bumped TLS connection,
++        // because in this case we are running ssl_bump access list before
++        // the doCallouts runs. It can be removed after the bug #4340 fixed.
++        // We do not want to proceed to bumping steps:
++        //  - if the TLS connection with the client is already established
++        //    because we are accepting normal HTTP requests on TLS port,
++        //    or because of the client-first bumping mode
++        //  - When the bumping is already started
++        if (!http->getConn()->switchedToHttps() &&
++                !http->getConn()->serverBump())
+             http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
+         http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
+         return false;
+
diff --git a/src/patches/squid/squid-3.5-14166.patch b/src/patches/squid/squid-3.5-14166.patch
new file mode 100644
index 000000000..54aad51b1
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14166.patch
@@ -0,0 +1,47 @@
+------------------------------------------------------------
+revno: 14166
+revision-id: squid3(a)treenet.co.nz-20170529125748-qt7yhdloygl4xosg
+parent: squid3(a)treenet.co.nz-20170529071037-o91o8xvaqata5y2b
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Tue 2017-05-30 00:57:48 +1200
+message:
+  Revert r14161
+  
+  Wrong patch and commit message.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529125748-qt7yhdloygl4xosg
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: ddecde537486c58df04564f3818b8ad9929dd186
+# timestamp: 2017-05-29 13:51:06 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529071037-\
+#   o91o8xvaqata5y2b
+# 
+# Begin patch
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc	2017-05-29 05:33:59 +0000
++++ src/tunnel.cc	2017-05-29 12:57:48 +0000
+@@ -836,7 +836,7 @@
+  * Call the tunnelStartShoveling to start the blind pump.
+  */
+ static void
+-tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int, void *data)
++tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, Comm::Flag flag, int xerrno, void *data)
+ {
+     TunnelStateData *tunnelState = (TunnelStateData *)data;
+     debugs(26, 3, HERE << conn << ", flag=" << flag);
+@@ -848,11 +848,6 @@
+         return;
+     }
+ 
+-    if (ClientHttpRequest *http = tunnelState->http.get()) {
+-        http->out.headers_sz += len;
+-        http->out.size += len;
+-    }
+-
+     tunnelStartShoveling(tunnelState);
+ }
+ 
+
diff --git a/src/patches/squid/squid-3.5-14167.patch b/src/patches/squid/squid-3.5-14167.patch
new file mode 100644
index 000000000..39c9fd51e
--- /dev/null
+++ b/src/patches/squid/squid-3.5-14167.patch
@@ -0,0 +1,181 @@
+------------------------------------------------------------
+revno: 14167
+revision-id: squid3(a)treenet.co.nz-20170529131555-kut221f3geb3aczf
+parent: squid3(a)treenet.co.nz-20170529125748-qt7yhdloygl4xosg
+fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=4653
+author: Christos Tsantilas <chtsanti(a)users.sourceforge.net>
+committer: Amos Jeffries <squid3(a)treenet.co.nz>
+branch nick: 3.5
+timestamp: Tue 2017-05-30 01:15:55 +1200
+message:
+  Bug 4653: %st lies about tunneled traffic volumes
+  
+  Squid-3.5 counts only the "CONNECT ..." header size for %>st and does not
+  count the "HTTP/1.1 200" response header for the %<st.
+  
+  This is a Measurement Factory project
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3(a)treenet.co.nz-20170529131555-kut221f3geb3aczf
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# testament_sha1: dd5783b425c7c7125303a1bd1a5685bc28011754
+# timestamp: 2017-05-29 13:51:09 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
+# base_revision_id: squid3(a)treenet.co.nz-20170529125748-\
+#   qt7yhdloygl4xosg
+# 
+# Begin patch
+=== modified file 'src/client_side.cc'
+--- src/client_side.cc	2017-03-31 00:51:52 +0000
++++ src/client_side.cc	2017-05-29 13:15:55 +0000
+@@ -4391,7 +4391,7 @@
+             // in.buf still has the "CONNECT ..." request data, reset it to SSL hello message
+             connState->in.buf.append(rbuf.content(), rbuf.contentSize());
+             ClientHttpRequest *http = context->http;
+-            tunnelStart(http, &http->out.size, &http->al->http.code, http->al);
++            tunnelStart(http);
+         }
+     }
+ }
+
+=== modified file 'src/client_side_reply.cc'
+--- src/client_side_reply.cc	2017-01-01 00:16:45 +0000
++++ src/client_side_reply.cc	2017-05-29 13:15:55 +0000
+@@ -1179,7 +1179,7 @@
+     if (curReply->content_length < 0)
+         return 0;
+ 
+-    int64_t expectedLength = curReply->content_length + http->out.headers_sz;
++    uint64_t expectedLength = curReply->content_length + http->out.headers_sz;
+ 
+     if (http->out.size < expectedLength)
+         return 0;
+
+=== modified file 'src/client_side_request.cc'
+--- src/client_side_request.cc	2017-05-29 07:10:37 +0000
++++ src/client_side_request.cc	2017-05-29 13:15:55 +0000
+@@ -1522,7 +1522,7 @@
+         }
+ #endif
+         getConn()->stopReading(); // tunnels read for themselves
+-        tunnelStart(this, &out.size, &al->http.code, al);
++        tunnelStart(this);
+         return;
+     }
+ 
+
+=== modified file 'src/client_side_request.h'
+--- src/client_side_request.h	2017-01-23 02:05:46 +0000
++++ src/client_side_request.h	2017-05-29 13:15:55 +0000
+@@ -73,7 +73,7 @@
+ 
+     struct {
+         int64_t offset;
+-        int64_t size;
++        uint64_t size;
+         size_t headers_sz;
+     } out;
+ 
+@@ -182,7 +182,7 @@
+ void clientAccessCheck(ClientHttpRequest *);
+ 
+ /* ones that should be elsewhere */
+-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntry::Pointer &al);
++void tunnelStart(ClientHttpRequest *);
+ 
+ #if _USE_INLINE_
+ #include "client_side_request.cci"
+
+=== modified file 'src/tests/stub_tunnel.cc'
+--- src/tests/stub_tunnel.cc	2017-01-01 00:16:45 +0000
++++ src/tests/stub_tunnel.cc	2017-05-29 13:15:55 +0000
+@@ -14,7 +14,7 @@
+ #include "FwdState.h"
+ class ClientHttpRequest;
+ 
+-void tunnelStart(ClientHttpRequest *, int64_t *, int *, const AccessLogEntryPointer &al) STUB
++void tunnelStart(ClientHttpRequest *) STUB
+ 
+ void switchToTunnel(HttpRequest *request, Comm::ConnectionPointer &clientConn, Comm::ConnectionPointer &srvConn) STUB
+ 
+
+=== modified file 'src/tunnel.cc'
+--- src/tunnel.cc	2017-05-29 12:57:48 +0000
++++ src/tunnel.cc	2017-05-29 13:15:55 +0000
+@@ -139,7 +139,7 @@
+         int len;
+         char *buf;
+         AsyncCall::Pointer writer; ///< pending Comm::Write callback
+-        int64_t *size_ptr;      /* pointer to size in an ConnStateData for logging */
++        uint64_t *size_ptr;      /* pointer to size in an ConnStateData for logging */
+ 
+         Comm::ConnectionPointer conn;    ///< The currently connected connection.
+         uint8_t delayedLoops; ///< how many times a read on this connection has been postponed.
+@@ -848,6 +848,11 @@
+         return;
+     }
+ 
++    if (ClientHttpRequest *http = tunnelState->http.get()) {
++        http->out.headers_sz += size;
++        http->out.size += size;
++    }
++
+     tunnelStartShoveling(tunnelState);
+ }
+ 
+@@ -995,7 +1000,7 @@
+ }
+ 
+ void
+-tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr, const AccessLogEntryPointer &al)
++tunnelStart(ClientHttpRequest * http)
+ {
+     debugs(26, 3, HERE);
+     /* Create state structure. */
+@@ -1021,7 +1026,7 @@
+         if (ch.fastCheck() == ACCESS_DENIED) {
+             debugs(26, 4, HERE << "MISS access forbidden.");
+             err = new ErrorState(ERR_FORWARDING_DENIED, Http::scForbidden, request);
+-            *status_ptr = Http::scForbidden;
++            http->al->http.code = Http::scForbidden;
+             errorSend(http->getConn()->clientConnection, err);
+             return;
+         }
+@@ -1037,12 +1042,13 @@
+ #endif
+     tunnelState->url = xstrdup(url);
+     tunnelState->request = request;
+-    tunnelState->server.size_ptr = size_ptr;
+-    tunnelState->status_ptr = status_ptr;
++    tunnelState->server.size_ptr = &http->out.size;
++    tunnelState->client.size_ptr = &http->al->http.clientRequestSz.payloadData;
++    tunnelState->status_ptr = &http->al->http.code;
+     tunnelState->logTag_ptr = &http->logType;
+     tunnelState->client.conn = http->getConn()->clientConnection;
+     tunnelState->http = http;
+-    tunnelState->al = al;
++    tunnelState->al = http->al ;
+     tunnelState->started = squid_curtime;
+ 
+     comm_add_close_handler(tunnelState->client.conn->fd,
+@@ -1053,7 +1059,7 @@
+                                      CommTimeoutCbPtrFun(tunnelTimeout, tunnelState));
+     commSetConnTimeout(tunnelState->client.conn, Config.Timeout.lifetime, timeoutCall);
+ 
+-    peerSelect(&(tunnelState->serverDestinations), request, al,
++    peerSelect(&(tunnelState->serverDestinations), request, tunnelState->al,
+                NULL,
+                tunnelPeerSelectComplete,
+                tunnelState);
+@@ -1226,6 +1232,10 @@
+         if (context != NULL && context->http != NULL) {
+             tunnelState->logTag_ptr = &context->http->logType;
+             tunnelState->server.size_ptr = &context->http->out.size;
++            if (context->http->al != NULL) {
++                tunnelState->al = context->http->al;
++                tunnelState->client.size_ptr = &context->http->al->http.clientRequestSz.payloadData;
++            }
+ 
+ #if USE_DELAY_POOLS
+             /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */
+
-- 
2.13.0