diff -ruN squid-2.6.STABLE7/ChangeLog squid-2.6.STABLE8/ChangeLog
--- squid-2.6.STABLE7/ChangeLog	Sat Jan 13 09:19:58 2007
+++ squid-2.6.STABLE8/ChangeLog	Sun Jan 21 03:26:43 2007
@@ -1,3 +1,22 @@
+Changes to squid-2.6.STABLE8 (Jan 21 2007)
+
+	- Bug #1873: authenticateNTLMFixErrorHeader: state 4.
+	- Document the https_port vhost option, useful in combination with
+	  a wildcard certificate
+	- Document the existence of connection pinning / forwarding of NTLM
+	  auth and a few other features overlooked in the release notes.
+	- Spelling correction of the ssl cache_peer option
+	- Add back the optional "accel" http_port option. Makes accelerator
+	  mode configurations easier to read.
+	- Bug #1872: Date parsing error causing objects to get unexpectedly
+	  cached.
+	- Cleanup to have the access.log tags autogenerated from enums.h
+	- Bug #1783: STALE: Entry's timestamp greater than check time. Clock
+	  going backwards?
+	- Don't update object timestamps on a failed revalidation.
+	- Fix how ftp://user@host URLs is rendered when Squid is built with
+	  leak checking enabled
+
 Changes to squid-2.6.STABLE7 (Jan 13 2007)
 
 	- Windows port: Fix intermittent build error using Visual Studio
diff -ruN squid-2.6.STABLE7/RELEASENOTES.html squid-2.6.STABLE8/RELEASENOTES.html
--- squid-2.6.STABLE7/RELEASENOTES.html	Sat Jan 13 09:22:42 2007
+++ squid-2.6.STABLE8/RELEASENOTES.html	Sun Jan 21 03:30:36 2007
@@ -2,12 +2,12 @@
 <HTML>
 <HEAD>
  <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
- <TITLE>Squid 2.6.STABLE7 release notes</TITLE>
+ <TITLE>Squid 2.6.STABLE8 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 2.6.STABLE7 release notes</H1>
+<H1>Squid 2.6.STABLE8 release notes</H1>
 
-<H2>Squid Developers</H2>$Id: release-2.6.html,v 1.40 2007/01/13 16:19:58 hno Exp $
+<H2>Squid Developers</H2>$Id: release-2.6.html,v 1.44.2.1 2007/01/21 10:26:44 hno Exp $
 <HR>
 <EM>This document contains the release notes for version 2.6 of Squid.
 Squid is a WWW Cache application developed by the Web Caching community.</EM>
@@ -48,6 +48,9 @@
 <P>
 <H2><A NAME="toc12">12.</A> <A HREF="#s12">Key changes squid-2.6.STABLE6 to 2.6.STABLE7</A></H2>
 
+<P>
+<H2><A NAME="toc13">13.</A> <A HREF="#s13">Key changes squid-2.6.STABLE7 to 2.6.STABLE8</A></H2>
+
 
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Key changes from squid 2.5</A></H2>
@@ -108,6 +111,17 @@
 </LI>
 <LI>HTCP significantly cleaned up and added support for the CLR operation to purge contents from the cache</LI>
 <LI>Support for parsing X-Forwarded-For headers allowing access controls to be based on the real client IP even if behind secondary proxies</LI>
+<LI>Support for proxying of Microsoft Integrated Login (NTLM &amp; Negotiate) connection oriented authentication schemes, enabling access to servers or proxies using such authentication methods.</LI>
+<LI>Support for the Linux TPROXY patch allowing Squid to masquerade using the clients original IP address</LI>
+<LI>urlgroups, tagging URLs for redirection and access controls, and divides the cache allowing different users to get different results for the same URL.</LI>
+<LI>Optional automatic monotoring of cache peers and configured origin servers</LI>
+<LI>SSL client support, allowing both http->https gatewaying and SSL encrypted peers (both origin servers and proxies).</LI>
+<LI>Full ETag/Vary based caching, allowing efficient caching of server driven content negotiation.</LI>
+<LI>Customizable access log format</LI>
+<LI>Selective access logging, and ability to log to more than access log possibly in different formats</LI>
+<LI>New more efficient helper protocol allowing for multiple concurrent lookups to the same helper</LI>
+<LI>Ability to rewrite Location headers (redirects sent by servers)</LI>
+<LI></LI>
 </UL>
 </P>
 
@@ -117,6 +131,7 @@
 <DL>
 <DT><B>http_port</B><DD><P>Now takes a list of options in addition to the port address, specifying the purpose of this http_port. Default is plain Internet proxy as usual.</P>
 <DT><B>httpd_accel_* for transparent proxy</B><DD><P>Now implemented by the "transparent" http_port option</P>
+<DT><B>httpd_accel_* for accelerator mode</B><DD><P>Nov implemented by other options. See individual directives below.</P>
 <DT><B>httpd_accel_host</B><DD><P>Replaced by defaultsite http_port option and cache_peer originserver option.</P>
 <DT><B>httpd_accel_port</B><DD><P>No longer needed. Server port defined by the cache_peer port.</P>
 <DT><B>httpd_accel_uses_host_header</B><DD><P>Replaced by vhost http_port option</P>
@@ -146,7 +161,7 @@
 <DT><B>auth_param negotiate</B><DD><P>New Negotiate authentication scheme, the "next generation" scheme in the family of Microsoft authentication.</P>
 <DT><B>external_acl_type</B><DD><P>Many new format options %SRCPORT, %MYADDR, %MYPORT, %PATH, %USER_CERT, %ACL, %DATA and a few variants. Helper protocol defaults to the simpler "3.0" protocol, and there is support for a highly efficient protocol via the concurrency= option if supported by the helper.</P>
 <DT><B>refresh_pattern</B><DD><P>Several new HTTP override/ignore options</P>
-<DT><B>read_ahead_gap</B><DD><P>New directive to set the response buffer size.  </P>
+<DT><B>read_ahead_gap</B><DD><P>New directive to set the response buffer size.</P>
 <DT><B>collapsed_forwarding</B><DD><P>New directive to enable an alternative optimized forwarding path when there is very many concurrent requests for the same URL.</P>
 <DT><B>refresh_stale_hit</B><DD><P>New directive similar to collapsed_forwarding and activates an alternative optimized request processing when there is very many concurrent requests for the same recently expired URL.</P>
 <DT><B>acl urlgroup</B><DD><P>New acl class</P>
@@ -165,7 +180,8 @@
 <DT><B>minimum_expiry_time</B><DD><P>tune the magic 60 seconds limit of what is considered cachable when the object doesn't have any cache validators. (2.6.STABLE2)</P>
 <DT><B>wccp2_rebuild_wait</B><DD><P>make Squid delay registering with a WCCP router until store rebuild have finished. Default on. (2.6.STABLE2)</P>
 <DT><B>wccp2_weight</B><DD><P>Cache server load weigth in the cluster. (2.6.STABLE4)</P>
-
+<DT><B>check_hostnames</B><DD><P>Control if Squid should check the sanity of host names before trying to look them up in DNS</P>
+<DT><B>allow_underscores</B><DD><P>Control if _ is to be considered a valid character in hostnames or not</P>
 </DL>
 </P>
 
@@ -184,7 +200,6 @@
 <P>
 <UL>
 <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1420">#1420</a>: 302 responses with an Expires header is always cached</LI>
-<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1584">#1584</a>: WCCPv2 unable to register with more than one router on Linux</LI>
 <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1059">#1059</a>: mime.conf and referenced icons must be within chroot</LI>
 <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=692">#692</a>: tcp_outgoing_address using an ident ACL does not work</LI>
 <LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=581">#581</a>: acl max_user_ip and multiple authentication schemes</LI>
@@ -557,5 +572,21 @@
 <A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
 </UL>
 </P>
+
+<H2><A NAME="s13">13.</A> <A HREF="#toc13">Key changes squid-2.6.STABLE7 to 2.6.STABLE8</A></H2>
+
+<P>
+<UL>
+<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1872">#1872</a>: Date parsing error causing objects to get unexpectedly cached. Problem introduced in 2.6.STABLE6.</LI>
+<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1873">#1873</a>: authenticateNTLMFixErrorHeader: state 4. NTLM &amp;
+Negotiate instability introduced in 2.6.STABLE6.</LI>
+<LI>Bug <a href="http://www.squid-cache.org/bugs/show_bug.cgi?id=1783">#1783</a>: STALE: Entry's timestamp greater than check time. Clock going backwards?</LI>
+<LI>Don't update object timestamps on a failed revalidation.</LI>
+<LI>a number of other minor and cosmetic bugfixes. See the list of 
+<A HREF="http://www.squid-cache.org/Versions/v2/2.6/changesets/SQUID_2_6_STABLE8.html">squid-2.6.STABLE8 changes</A> and the 
+<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
+</UL>
+</P>
+
 </BODY>
 </HTML>
diff -ruN squid-2.6.STABLE7/configure squid-2.6.STABLE8/configure
--- squid-2.6.STABLE7/configure	Sat Jan 13 09:22:10 2007
+++ squid-2.6.STABLE8/configure	Sun Jan 21 03:30:04 2007
@@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.in Revision: 1.416 .
+# From configure.in Revision: 1.416.2.1 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for Squid Web Proxy 2.6.STABLE7.
+# Generated by GNU Autoconf 2.59 for Squid Web Proxy 2.6.STABLE8.
 #
 # Report bugs to <http://www.squid-cache.org/bugs/>.
 #
@@ -270,8 +270,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='2.6.STABLE7'
-PACKAGE_STRING='Squid Web Proxy 2.6.STABLE7'
+PACKAGE_VERSION='2.6.STABLE8'
+PACKAGE_STRING='Squid Web Proxy 2.6.STABLE8'
 PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
 
 ac_default_prefix=/usr/local/squid
@@ -781,7 +781,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 2.6.STABLE7 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 2.6.STABLE8 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -847,7 +847,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE7:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 2.6.STABLE8:";;
    esac
   cat <<\_ACEOF
 
@@ -1158,7 +1158,7 @@
 test -n "$ac_init_help" && exit 0
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 2.6.STABLE7
+Squid Web Proxy configure 2.6.STABLE8
 generated by GNU Autoconf 2.59
 
 Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1172,7 +1172,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 2.6.STABLE7, which was
+It was created by Squid Web Proxy $as_me 2.6.STABLE8, which was
 generated by GNU Autoconf 2.59.  Invocation command line was
 
   $ $0 $@
@@ -1818,7 +1818,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='2.6.STABLE7'
+ VERSION='2.6.STABLE8'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -18494,7 +18494,7 @@
 } >&5
 cat >&5 <<_CSEOF
 
-This file was extended by Squid Web Proxy $as_me 2.6.STABLE7, which was
+This file was extended by Squid Web Proxy $as_me 2.6.STABLE8, which was
 generated by GNU Autoconf 2.59.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -18557,7 +18557,7 @@
 
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-Squid Web Proxy config.status 2.6.STABLE7
+Squid Web Proxy config.status 2.6.STABLE8
 configured by $0, generated by GNU Autoconf 2.59,
   with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
 
diff -ruN squid-2.6.STABLE7/configure.in squid-2.6.STABLE8/configure.in
--- squid-2.6.STABLE7/configure.in	Sat Jan 13 09:22:10 2007
+++ squid-2.6.STABLE8/configure.in	Sun Jan 21 03:30:04 2007
@@ -1,16 +1,16 @@
 dnl
 dnl  Configuration input file for Squid
 dnl
-dnl  $Id: configure.in,v 1.416 2007/01/13 16:11:40 hno Exp $
+dnl  $Id: configure.in,v 1.416.2.1 2007/01/21 04:43:22 hno Exp $
 dnl
 dnl
 dnl
-AC_INIT(Squid Web Proxy, 2.6.STABLE7, http://www.squid-cache.org/bugs/, squid)
+AC_INIT(Squid Web Proxy, 2.6.STABLE8, http://www.squid-cache.org/bugs/, squid)
 AC_PREREQ(2.52)
 AM_CONFIG_HEADER(include/autoconf.h)
 AC_CONFIG_AUX_DIR(cfgaux)
 AM_INIT_AUTOMAKE
-AC_REVISION($Revision: 1.416 $)dnl
+AC_REVISION($Revision: 1.416.2.1 $)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
 
diff -ruN squid-2.6.STABLE7/include/version.h squid-2.6.STABLE8/include/version.h
--- squid-2.6.STABLE7/include/version.h	Sat Jan 13 09:22:10 2007
+++ squid-2.6.STABLE8/include/version.h	Sun Jan 21 03:30:04 2007
@@ -9,5 +9,5 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1168705326
+#define SQUID_RELEASE_TIME 1169375401
 #endif
diff -ruN squid-2.6.STABLE7/lib/rfc1123.c squid-2.6.STABLE8/lib/rfc1123.c
--- squid-2.6.STABLE7/lib/rfc1123.c	Wed Nov 29 08:54:58 2006
+++ squid-2.6.STABLE8/lib/rfc1123.c	Thu Jan 18 16:25:41 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: rfc1123.c,v 1.36 2006/11/29 15:54:58 hno Exp $
+ * $Id: rfc1123.c,v 1.37 2007/01/18 23:25:41 hno Exp $
  *
  * DEBUG: 
  * AUTHOR: Harvest Derived
@@ -119,7 +119,7 @@
 	return 0;
     if (tm->tm_mon < 0 || tm->tm_mon > 11)
 	return 0;
-    return mktime(tm) != -1;
+    return 1;
 }
 
 static struct tm *
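Review bot: The validity check is now range-only, but no comment says why `mktime()` was dropped, so a later reader may be tempted to restore it. mktime() rewrites *tm and interprets it in the local time zone, which is presumably why calling it from a pure validation step upset the later conversion; a comment such as `/* range checks only: mktime() would normalise *tm as local time */` before `return 1;` would record that. Whether the day, hour, minute and second ranges are tested is above the hunk and not visible; if they are not, out-of-range fields now pass this function.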
@@ -219,14 +219,14 @@
     t = timegm(tm);
 #elif HAVE_TM_GMTOFF
     t = mktime(tm);
-    {
+    if (t != -1) {
 	struct tm *local = localtime(&t);
 	t += local->tm_gmtoff;
     }
 #else
     /* some systems do not have tm_gmtoff so we fake it */
     t = mktime(tm);
-    {
+    if (t != -1) {
 	time_t dst = 0;
 #if defined (_TIMEZONE)
 #elif defined (_timezone)
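Review bot: In the HAVE_TM_GMTOFF branch the result of `localtime(&t)` is still dereferenced without a NULL check; the new `t != -1` guard covers a failed mktime() but not a failed localtime(). The dates parsed here presumably come from peers' headers, so `if (local) t += local->tm_gmtoff;` is a cheap safeguard. Writing the test as `t != (time_t) -1` would also make the failure sentinel explicit. The function starts and ends outside the hunk.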
diff -ruN squid-2.6.STABLE7/src/HttpHeader.c squid-2.6.STABLE8/src/HttpHeader.c
--- squid-2.6.STABLE7/src/HttpHeader.c	Tue Nov 28 22:31:48 2006
+++ squid-2.6.STABLE8/src/HttpHeader.c	Sun Jan 21 03:26:44 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: HttpHeader.c,v 1.90 2006/11/29 05:31:48 adrian Exp $
+ * $Id: HttpHeader.c,v 1.91.2.1 2007/01/21 10:26:44 hno Exp $
  *
  * DEBUG: section 55    HTTP Header
  * AUTHOR: Alex Rousskov
diff -ruN squid-2.6.STABLE7/src/access_log.c squid-2.6.STABLE8/src/access_log.c
--- squid-2.6.STABLE7/src/access_log.c	Sat Nov  4 08:39:26 2006
+++ squid-2.6.STABLE8/src/access_log.c	Thu Jan 18 17:19:26 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: access_log.c,v 1.94 2006/11/04 15:39:26 hno Exp $
+ * $Id: access_log.c,v 1.95 2007/01/19 00:19:26 hno Exp $
  *
  * DEBUG: section 46    Access Log
  * AUTHOR: Duane Wessels
@@ -46,33 +46,6 @@
 static void mcast_encode(unsigned int *, size_t, const unsigned int *);
 #endif
 
-const char *log_tags[] =
-{
-    "NONE",
-    "TCP_HIT",
-    "TCP_MISS",
-    "TCP_REFRESH_HIT",
-    "TCP_REF_FAIL_HIT",
-    "TCP_REFRESH_MISS",
-    "TCP_CLIENT_REFRESH_MISS",
-    "TCP_IMS_HIT",
-    "TCP_SWAPFAIL_MISS",
-    "TCP_NEGATIVE_HIT",
-    "TCP_MEM_HIT",
-    "TCP_DENIED",
-    "TCP_OFFLINE_HIT",
-#if LOG_TCP_REDIRECTS
-    "TCP_REDIRECT",
-#endif
-    "UDP_HIT",
-    "UDP_MISS",
-    "UDP_DENIED",
-    "UDP_INVALID",
-    "UDP_MISS_NOFETCH",
-    "ICP_QUERY",
-    "LOG_TYPE_MAX"
-};
-
 #if FORW_VIA_DB
 typedef struct {
     hash_link hash;
@@ -1233,7 +1206,6 @@
 accessLogInit(void)
 {
     customlog *log;
-    assert(sizeof(log_tags) == (LOG_TYPE_MAX + 1) * sizeof(char *));
     for (log = Config.Log.accesslogs; log; log = log->next) {
 	if (log->type == CLF_NONE)
 	    continue;
diff -ruN squid-2.6.STABLE7/src/auth/negotiate/auth_negotiate.c squid-2.6.STABLE8/src/auth/negotiate/auth_negotiate.c
--- squid-2.6.STABLE7/src/auth/negotiate/auth_negotiate.c	Wed Jan  3 05:17:29 2007
+++ squid-2.6.STABLE8/src/auth/negotiate/auth_negotiate.c	Sat Jan 20 14:13:28 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: auth_negotiate.c,v 1.6 2007/01/03 12:17:29 hno Exp $
+ * $Id: auth_negotiate.c,v 1.7 2007/01/20 21:13:28 hno Exp $
  *
  * DEBUG: section 29    Negotiate Authenticator
  * AUTHOR: Robert Collins
@@ -340,6 +340,7 @@
 	request->flags.must_keepalive = 1;
 	break;
     case AUTHENTICATE_STATE_FINISHED:
+    case AUTHENTICATE_STATE_DONE:
 	/* Special case when authentication finished, but not allowed by ACL */
 	if (negotiate_request->server_blob) {
 	    debug(29, 9) ("authenticateNegotiateFixErrorHeader: Sending type:%d header: 'Negotiate %s'\n", type, negotiate_request->server_blob);
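Review bot: The comment under the two case labels still describes only the FINISHED situation, although `AUTHENTICATE_STATE_DONE` now shares the branch. It should name both, for example `/* Authentication already completed (FINISHED or DONE) but the request was denied, e.g. by ACL: offer the scheme again */`. The same applies to the matching hunk in auth_ntlm.c. What DONE means is not visible in this diff, so the wording should be confirmed against the state enum; the switch starts and ends outside the hunk.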
@@ -347,6 +348,7 @@
 	    safe_free(negotiate_request->server_blob);
 	} else {
 	    debug(29, 9) ("authenticateNegotiateFixErrorHeader: Connection authenticated\n");
+	    httpHeaderPutStrf(&rep->header, type, "Negotiate");
 	}
 	break;
     default:
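Review bot: The debug text in the else branch still reads "Connection authenticated" although the added line now sends a fresh `Negotiate` challenge, so a level-9 trace will look like success while the client is being asked to authenticate again. Rewording it, e.g. `debug(29, 9) ("authenticateNegotiateFixErrorHeader: Sending type:%d header: 'Negotiate'\n", type);`, would match the NTLM counterpart. Since no format arguments are used, `httpHeaderPutStr(&rep->header, type, "Negotiate");` would avoid the printf-style call.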
@@ -369,7 +371,7 @@
 
     type = accel ? HDR_WWW_AUTHENTICATE : HDR_PROXY_AUTHENTICATE;
 
-    debug(29, 9) ("authenticateNegotiateFixErrorHeader: Sending type:%d header: 'Negotiate %s'\n", type, negotiate_request->server_blob);
+    debug(29, 9) ("authenticateNegotiateAddHeader: Sending type:%d header: 'Negotiate %s'\n", type, negotiate_request->server_blob);
     httpHeaderPutStrf(&rep->header, type, "Negotiate %s", negotiate_request->server_blob);
     safe_free(negotiate_request->server_blob);
 }
diff -ruN squid-2.6.STABLE7/src/auth/ntlm/auth_ntlm.c squid-2.6.STABLE8/src/auth/ntlm/auth_ntlm.c
--- squid-2.6.STABLE7/src/auth/ntlm/auth_ntlm.c	Wed Jan  3 05:17:30 2007
+++ squid-2.6.STABLE8/src/auth/ntlm/auth_ntlm.c	Sat Jan 20 14:13:28 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: auth_ntlm.c,v 1.36 2007/01/03 12:17:30 hno Exp $
+ * $Id: auth_ntlm.c,v 1.37 2007/01/20 21:13:28 hno Exp $
  *
  * DEBUG: section 29    NTLM Authenticator
  * AUTHOR: Robert Collins
@@ -333,6 +333,7 @@
 	request->flags.must_keepalive = 1;
 	break;
     case AUTHENTICATE_STATE_FINISHED:
+    case AUTHENTICATE_STATE_DONE:
 	/* Special case when authentication finished, but not allowed by ACL */
 	debug(29, 9) ("authenticateNTLMFixErrorHeader: Sending type:%d header: 'NTLM'\n", type);
 	httpHeaderPutStrf(&rep->header, type, "NTLM");
diff -ruN squid-2.6.STABLE7/src/cache_cf.c squid-2.6.STABLE8/src/cache_cf.c
--- squid-2.6.STABLE7/src/cache_cf.c	Tue Jan  9 03:24:41 2007
+++ squid-2.6.STABLE8/src/cache_cf.c	Thu Jan 18 16:19:14 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: cache_cf.c,v 1.462 2007/01/09 10:24:41 hno Exp $
+ * $Id: cache_cf.c,v 1.463 2007/01/18 23:19:14 hno Exp $
  *
  * DEBUG: section 3     Configuration File Parsing
  * AUTHOR: Harvest Derived
@@ -2738,6 +2738,8 @@
     } else if (strncmp(token, "vport=", 6) == 0) {
 	s->vport = xatos(token + 6);
 	s->accel = 1;
+    } else if (strcmp(token, "accel") == 0) {
+	s->accel = 1;
     } else if (strcmp(token, "no-connection-auth") == 0) {
 	s->no_connection_auth = 1;
     } else if (strncmp(token, "urlgroup=", 9) == 0) {
@@ -2752,10 +2754,19 @@
     } else {
 	self_destruct();
     }
+}
+
+static void
+verify_http_port_options(http_port_list * s)
+{
     if (s->accel && s->transparent) {
 	debug(28, 0) ("Can't be both a transparent proxy and web server accelerator on the same port\n");
 	self_destruct();
     }
+    if (s->accel && !s->vhost && !s->defaultsite && !s->vport) {
+	debug(28, 0) ("Accelerator mode requires at least one of vhost/vport/defaultsite\n");
+	self_destruct();
+    }
 }
 
 static void
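Review bot: Both fatal messages in `verify_http_port_options()` omit which port is misconfigured, and they use debug section 28 although this file's header declares section 3 for configuration parsing. With several http_port/https_port lines an operator cannot tell which one triggered `self_destruct()`; including the address, e.g. `debug(3, 0) ("port %s:%d: accelerator mode requires at least one of vhost/vport/defaultsite\n", inet_ntoa(s->s.sin_addr), ntohs(s->s.sin_port));`, would address both. The new function also has no header comment saying that it runs once per port after all options have been parsed.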
@@ -2790,6 +2801,7 @@
     while ((token = strtok(NULL, w_space))) {
 	parse_http_port_option(s, token);
     }
+    verify_http_port_options(s);
     while (*head)
 	head = &(*head)->next;
     *head = s;
@@ -2802,14 +2814,22 @@
 	n,
 	inet_ntoa(s->s.sin_addr),
 	ntohs(s->s.sin_port));
-    if (s->defaultsite)
-	storeAppendPrintf(e, " defaultsite=%s", s->defaultsite);
     if (s->transparent)
 	storeAppendPrintf(e, " transparent");
+    if (s->accel)
+	storeAppendPrintf(e, " accel");
+    if (s->defaultsite)
+	storeAppendPrintf(e, " defaultsite=%s", s->defaultsite);
     if (s->vhost)
 	storeAppendPrintf(e, " vhost");
-    if (s->vport)
+    if (s->vport == ntohs(s->s.sin_port))
 	storeAppendPrintf(e, " vport");
+    else if (s->vport)
+	storeAppendPrintf(e, " vport=%d", s->vport);
+    if (s->urlgroup)
+	storeAppendPrintf(e, " urlgroup=%s", s->urlgroup);
+    if (s->protocol)
+	storeAppendPrintf(e, " protocol=%s", s->protocol);
     if (s->no_connection_auth)
 	storeAppendPrintf(e, " no-connection-auth");
 #if LINUX_TPROXY
@@ -2914,6 +2934,7 @@
 	    parse_http_port_option(&s->http, token);
 	}
     }
+    verify_http_port_options(&s->http);
     while (*head)
 	head = (https_port_list **) (void *) (&(*head)->http.next);
     s->sslContext = sslCreateServerContext(s->cert, s->key, s->version, s->cipher, s->options, s->sslflags, s->clientca, s->cafile, s->capath, s->crlfile, s->dhfile, s->sslcontext);
diff -ruN squid-2.6.STABLE7/src/cf.data.pre squid-2.6.STABLE8/src/cf.data.pre
--- squid-2.6.STABLE7/src/cf.data.pre	Sat Jan 13 09:06:42 2007
+++ squid-2.6.STABLE8/src/cf.data.pre	Fri Jan 19 15:03:03 2007
@@ -1,6 +1,6 @@
 
 #
-# $Id: cf.data.pre,v 1.380 2007/01/13 16:06:42 hno Exp $
+# $Id: cf.data.pre,v 1.382 2007/01/19 22:03:03 hno Exp $
 #
 #
 # SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -83,23 +83,37 @@
 	You may specify multiple socket addresses on multiple lines.
 
 	options are:
+
 		transparent	Support for transparent interception of
 				outgoing requests without browser settings
+
+		accel		Accelerator mode. Also needs at least one
+				of vhost/vport/defaultsite.
+
+		defaultsite=	Main web site name for accelerators. Implies
+				accel.
+
 		vhost		Accelerator using the Host header for
-				virtual domain support.
-		vport		Accelerator with IP based virtual host support
+				virtual domain support. Implies accel.
+
+		vport		Accelerator with IP based virtual host support.
+				Implies accel.
+
 		vport=		As above, but uses specified port number
-				rather than the http_port number.
-		defaultsite=	Main web site name for accelerators.
+				rather than the http_port number. Implies accel.
+
 		urlgroup=	Default urlgroup to mark requests
 				with (see also acl urlgroup and
 				url_rewrite_program)
+
 		protocol=	Protocol to reconstruct accelerated
 				requests with. Defaults to http.
+
 		no-connection-auth
 				Prevent forwarding of Microsoft
 				connection oriented authentication
 				(NTLM, Negotiate and Kerberos)
+
 		tproxy		Support Linux TPROXY for spoofing
 				outgoing connections using the client
 				IP address.
@@ -135,8 +149,16 @@
 
 	Options:
 
+	   accel	Accelerator mode. Also needs at least one of
+	   	        defaultsite or vhost.
+
 	   defaultsite=	The name of the https site presented on
-			this port.
+			this port. Implies accel.
+
+	   vhost	Domain based virtual host support. Useful
+			in combination with a wildcard certificate or
+			other certificates valid for more than one domain.
+			Implies accel.
 
 	   urlgroup=	Default urlgroup to mark requests with (see
 			also acl urlgroup and url_rewrite_program)
@@ -596,7 +618,7 @@
 		     is not feasible.
 
 		     use 'ssl' to indicate that connections to this peer should
-		     bs SSL/TLS encrypted.
+		     be SSL/TLS encrypted.
 
 		     use 'sslcert=/path/to/ssl/certificate' to specify a client
 		     SSL certificate to use when connecting to this peer.
diff -ruN squid-2.6.STABLE7/src/client_side.c squid-2.6.STABLE8/src/client_side.c
--- squid-2.6.STABLE7/src/client_side.c	Sat Jan  6 10:22:45 2007
+++ squid-2.6.STABLE8/src/client_side.c	Sun Jan 21 03:26:44 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: client_side.c,v 1.690 2007/01/06 17:22:45 hno Exp $
+ * $Id: client_side.c,v 1.693.2.1 2007/01/21 10:26:44 hno Exp $
  *
  * DEBUG: section 33    Client-side Routines
  * AUTHOR: Duane Wessels
@@ -983,12 +983,14 @@
 	    oldentry->mem_obj->request = requestLink(mem->request);
 	    unlink_request = 1;
 	}
-	/* Don't memcpy() the whole reply structure here.  For example,
-	 * www.thegist.com (Netscape/1.13) returns a content-length for
-	 * 304's which seems to be the length of the 304 HEADERS!!! and
-	 * not the body they refer to.  */
-	httpReplyUpdateOnNotModified(oldentry->mem_obj->reply, mem->reply);
-	storeTimestampsSet(oldentry);
+	if (mem->reply->sline.status == HTTP_NOT_MODIFIED) {
+	    /* Don't memcpy() the whole reply structure here.  For example,
+	     * www.thegist.com (Netscape/1.13) returns a content-length for
+	     * 304's which seems to be the length of the 304 HEADERS!!! and
+	     * not the body they refer to.  */
+	    httpReplyUpdateOnNotModified(oldentry->mem_obj->reply, mem->reply);
+	    storeTimestampsSet(oldentry);
+	}
 	storeClientUnregister(http->sc, entry, http);
 	http->sc = http->old_sc;
 	storeUnlockObject(entry);
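Review bot: The new status test carries no comment saying why non-304 replies skip the update, and the relocated memcpy() comment now reads as if it explained the condition. A line such as `/* Only a 304 validates the old entry; a failed revalidation must not refresh its headers or timestamps */` above the `if` would record the intent given in the ChangeLog. A `debug()` of the reply status when the branch is skipped would also make it possible to trace why an old object kept being served after an upstream error. The enclosing function starts and ends outside the hunk.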
@@ -1663,6 +1665,8 @@
     /* this should be a bitmap for better optimization */
     if (code == LOG_TCP_HIT)
 	return 1;
+    if (code == LOG_TCP_STALE_HIT)
+	return 1;
     if (code == LOG_TCP_IMS_HIT)
 	return 1;
     if (code == LOG_TCP_REFRESH_FAIL_HIT)
@@ -2058,6 +2062,7 @@
     MemObject *mem;
     request_t *r = http->request;
     int is_modified = -1;
+    int stale;
     debug(33, 3) ("clientCacheHit: %s, %d bytes\n", http->uri, (int) size);
     http->flags.hit = 0;
     if (http->entry == NULL) {
@@ -2171,10 +2176,6 @@
 	}
 	return;
     }
-    if (Config.refresh_stale_window > 0 && e->mem_obj && e->mem_obj->refresh_timestamp + Config.refresh_stale_window > squid_curtime && !refreshCheckHTTPStale(e, r)) {
-	debug(33, 2) ("clientProcessHit: refresh_stale HIT\n");
-	goto hit;
-    }
     if (httpHeaderHas(&r->header, HDR_IF_MATCH)) {
 	String req_etags;
 	const char *rep_etag = httpHeaderGetStr(&e->mem_obj->reply->header, HDR_ETAG);
@@ -2192,14 +2193,74 @@
 	stringClean(&req_etags);
 	if (!has_etag) {
 	    /* The entity tags does not match. This cannot be a
-	     * hit for this object. Qyery the origin.
+	     * hit for this object. Query the origin.
 	     */
 	    http->log_type = LOG_TCP_MISS;
 	    clientProcessMiss(http);
 	    return;
 	}
     }
-    if (!Config.onoff.offline && refreshCheckHTTP(e, r) && !http->flags.internal) {
+    if (httpHeaderHas(&r->header, HDR_IF_NONE_MATCH)) {
+	String req_etags;
+	const char *rep_etag = httpHeaderGetStr(&e->mem_obj->reply->header, HDR_ETAG);
+	int has_etag;
+	if (mem->reply->sline.status != HTTP_OK) {
+	    debug(33, 4) ("clientCacheHit: Reply code %d != 200\n",
+		mem->reply->sline.status);
+	    http->log_type = LOG_TCP_MISS;
+	    clientProcessMiss(http);
+	    return;
+	}
+	if (rep_etag) {
+	    req_etags = httpHeaderGetList(&http->request->header, HDR_IF_NONE_MATCH);
+	    has_etag = strListIsMember(&req_etags, rep_etag, ',');
+	    stringClean(&req_etags);
+	    if (has_etag) {
+		debug(33, 4) ("clientCacheHit: If-None-Match matches\n");
+		is_modified = 0;
+	    } else {
+		debug(33, 4) ("clientCacheHit: If-None-Match mismatch\n");
+		if (is_modified == -1)
+		    is_modified = 1;
+	    }
+	}
+    }
+    if (r->flags.ims) {
+	/*
+	 * Handle If-Modified-Since requests from the client
+	 */
+	if (mem->reply->sline.status != HTTP_OK) {
+	    debug(33, 4) ("clientCacheHit: Reply code %d != 200\n",
+		mem->reply->sline.status);
+	    http->log_type = LOG_TCP_MISS;
+	    clientProcessMiss(http);
+	    return;
+	}
+	if (modifiedSince(e, http->request)) {
+	    debug(33, 4) ("clientCacheHit: If-Modified-Since not modified\n");
+	    is_modified = 0;
+	} else {
+	    debug(33, 4) ("clientCacheHit: If-Modified-Since modified\n");
+	    if (is_modified == -1)
+		is_modified = 1;
+	}
+    }
+    stale = refreshCheckHTTPStale(e, r);
+    if (stale == 0) {
+	debug(33, 2) ("clientProcessHit: HIT\n");
+    } else if (stale == -1 && Config.refresh_stale_window > 0 && e->mem_obj->refresh_timestamp + Config.refresh_stale_window > squid_curtime) {
+	debug(33, 2) ("clientProcessHit: refresh_stale HIT\n");
+	http->log_type = LOG_TCP_STALE_HIT;
+	stale = 0;
+    } else if (stale && http->flags.internal) {
+	debug(33, 2) ("clientProcessHit: internal HIT\n");
+	stale = 0;
+    } else if (stale && Config.onoff.offline) {
+	debug(33, 2) ("clientProcessHit: offline HIT\n");
+	http->log_type = LOG_TCP_OFFLINE_HIT;
+	stale = 0;
+    }
+    if (stale) {
 	debug(33, 5) ("clientCacheHit: in refreshCheck() block\n");
 	/*
 	 * We hold a stale copy; it needs to be validated
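Review bot: The If-Modified-Since branch looks inverted. `if (modifiedSince(e, http->request))` now sets `is_modified = 0`, which selects the 304 path, whereas the code this commit removes further down sent the full object when modifiedSince() was true and reached `is_modified = 0` only when it was false. Unless modifiedSince() changed meaning outside this diff, a client holding an outdated copy would be told it is current; the test should read `if (!modifiedSince(e, http->request)) {`. Separately, this branch assigns `is_modified = 0` even after an If-None-Match mismatch set it to 1, and a cached reply without an ETag no longer forces a miss, so a 304 can be produced although the client's entity tags did not match; `if (is_modified == -1) is_modified = 0;` would keep the ETag result authoritative. clientCacheHit starts and ends outside this hunk.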
@@ -2229,69 +2290,11 @@
 	     */
 	    http->log_type = LOG_TCP_CLIENT_REFRESH_MISS;
 	    clientProcessMiss(http);
-	} else if (r->protocol == PROTO_HTTP) {
-	    /*
-	     * Object needs to be revalidated
-	     * XXX This could apply to FTP as well, if Last-Modified is known.
-	     */
-	    http->log_type = LOG_TCP_REFRESH_MISS;
-	    clientProcessExpired(http);
 	} else {
-	    /*
-	     * We don't know how to re-validate other protocols. Handle
-	     * them as if the object has expired.
-	     */
-	    http->log_type = LOG_TCP_MISS;
-	    clientProcessMiss(http);
+	    clientProcessExpired(http);
 	}
 	return;
     }
-  hit:
-    if (httpHeaderHas(&r->header, HDR_IF_NONE_MATCH)) {
-	String req_etags;
-	const char *rep_etag = httpHeaderGetStr(&e->mem_obj->reply->header, HDR_ETAG);
-	int has_etag;
-	if (mem->reply->sline.status != HTTP_OK) {
-	    debug(33, 4) ("clientCacheHit: Reply code %d != 200\n",
-		mem->reply->sline.status);
-	    http->log_type = LOG_TCP_MISS;
-	    clientProcessMiss(http);
-	    return;
-	}
-	if (!rep_etag) {
-	    /* The cached object does not have a entity tag, but the client
-	     * obviously thinks there should be one... Query the origin to
-	     * be on the safe side.
-	     */
-	    http->log_type = LOG_TCP_MISS;
-	    clientProcessMiss(http);
-	    return;
-	}
-	req_etags = httpHeaderGetList(&http->request->header, HDR_IF_NONE_MATCH);
-	has_etag = strListIsMember(&req_etags, rep_etag, ',');
-	stringClean(&req_etags);
-	if (has_etag) {
-	    http->log_type = LOG_TCP_IMS_HIT;
-	    is_modified = 0;
-	}
-    }
-    if (is_modified != 0 && r->flags.ims) {
-	/*
-	 * Handle If-Modified-Since requests from the client
-	 */
-	if (mem->reply->sline.status != HTTP_OK) {
-	    debug(33, 4) ("clientCacheHit: Reply code %d != 200\n",
-		mem->reply->sline.status);
-	    http->log_type = LOG_TCP_MISS;
-	    clientProcessMiss(http);
-	    return;
-	} else if (modifiedSince(e, http->request)) {
-	    http->log_type = LOG_TCP_IMS_HIT;
-	    clientSendMoreHeaderData(data, buf, size);
-	    return;
-	}
-	is_modified = 0;
-    }
     if (is_modified == 0) {
 	time_t timestamp = e->timestamp;
 	MemBuf mb = httpPacked304Reply(e->mem_obj->reply);
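Review bot: With the protocol test removed, every stale object, not only HTTP ones, now goes to `clientProcessExpired(http)`, and `http->log_type` is no longer set to `LOG_TCP_REFRESH_MISS` before the call. The removed comment said other protocols cannot be revalidated, and clientProcessExpired() is not visible in this diff. Unless it sets the log type itself and falls back to a plain miss for such requests, non-HTTP entries may be sent down a conditional-request path. If that fallback exists, a comment next to the call should say so; otherwise the `r->protocol == PROTO_HTTP` guard should stay.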
@@ -2317,10 +2320,8 @@
      */
     if (e->store_status != STORE_OK)
 	http->log_type = LOG_TCP_MISS;
-    else if (e->mem_status == IN_MEMORY)
+    else if (http->log_type == LOG_TCP_HIT && e->mem_status == IN_MEMORY)
 	http->log_type = LOG_TCP_MEM_HIT;
-    else if (Config.onoff.offline)
-	http->log_type = LOG_TCP_OFFLINE_HIT;
     clientSendMoreHeaderData(data, buf, size);
 }
 
diff -ruN squid-2.6.STABLE7/src/enums.h squid-2.6.STABLE8/src/enums.h
--- squid-2.6.STABLE7/src/enums.h	Sat Sep 30 15:10:48 2006
+++ squid-2.6.STABLE8/src/enums.h	Sun Jan 21 03:26:44 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: enums.h,v 1.235 2006/09/30 21:10:48 hno Exp $
+ * $Id: enums.h,v 1.237.2.1 2007/01/21 10:26:44 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -51,6 +51,7 @@
 #if LOG_TCP_REDIRECTS
     LOG_TCP_REDIRECT,
 #endif
+    LOG_TCP_STALE_HIT,
     LOG_UDP_HIT,
     LOG_UDP_MISS,
     LOG_UDP_DENIED,
diff -ruN squid-2.6.STABLE7/src/errorpage.c squid-2.6.STABLE8/src/errorpage.c
--- squid-2.6.STABLE7/src/errorpage.c	Mon Nov  6 19:59:27 2006
+++ squid-2.6.STABLE8/src/errorpage.c	Thu Jan 18 17:21:01 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: errorpage.c,v 1.189 2006/11/07 02:59:27 hno Exp $
+ * $Id: errorpage.c,v 1.190 2007/01/19 00:21:01 hno Exp $
  *
  * DEBUG: section 4     Error Generation
  * AUTHOR: Duane Wessels
@@ -324,10 +324,10 @@
     authenticateFixHeader(rep, err->auth_user_request, err->request, 0, 1);
     httpReplySwapOut(rep, entry);
     EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT);
-    storeBufferFlush(entry);
-    storeComplete(entry);
     storeNegativeCache(entry);
     storeReleaseRequest(entry);
+    storeBufferFlush(entry);
+    storeComplete(entry);
     storeUnlockObject(entry);
     errorStateFree(err);
 }
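Review bot: Nothing in the code records that the new call order matters: `storeNegativeCache()` and `storeReleaseRequest()` now run before `storeBufferFlush()`/`storeComplete()`, and the same swap appears in the forward.c hunk. A short comment, e.g. `/* negative-cache and release before storeComplete(): completion notifies clients, which must see the final entry state */`, would keep a later cleanup from undoing it. The reason given in that example is inferred from the reordering and should be confirmed by the author. The function starts outside the hunk.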
diff -ruN squid-2.6.STABLE7/src/forward.c squid-2.6.STABLE8/src/forward.c
--- squid-2.6.STABLE7/src/forward.c	Sat Jan  6 10:22:45 2007
+++ squid-2.6.STABLE8/src/forward.c	Thu Jan 18 17:21:01 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: forward.c,v 1.119 2007/01/06 17:22:45 hno Exp $
+ * $Id: forward.c,v 1.120 2007/01/19 00:21:01 hno Exp $
  *
  * DEBUG: section 17    Request Forwarding
  * AUTHOR: Duane Wessels
@@ -106,8 +106,8 @@
 	    fwdState->err = NULL;
 	} else {
 	    EBIT_CLR(e->flags, ENTRY_FWD_HDR_WAIT);
-	    storeComplete(e);
 	    storeReleaseRequest(e);
+	    storeComplete(e);
 	}
     }
     if (EBIT_TEST(e->flags, ENTRY_DEFER_READ))
diff -ruN squid-2.6.STABLE7/src/ftp.c squid-2.6.STABLE8/src/ftp.c
--- squid-2.6.STABLE7/src/ftp.c	Mon Jan  1 14:38:39 2007
+++ squid-2.6.STABLE8/src/ftp.c	Thu Jan 18 17:52:49 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: ftp.c,v 1.341 2007/01/01 21:38:39 hno Exp $
+ * $Id: ftp.c,v 1.342 2007/01/19 00:52:49 hno Exp $
  *
  * DEBUG: section 9     File Transfer Protocol (FTP)
  * AUTHOR: Harvest Derived
@@ -2624,7 +2624,7 @@
 ftpUrlWith2f(const request_t * request)
 {
     LOCAL_ARRAY(char, buf, MAX_URL);
-    LOCAL_ARRAY(char, loginbuf, MAX_LOGIN_SZ + 1);
+    LOCAL_ARRAY(char, loginbuf, MAX_LOGIN_SZ + 2);
     LOCAL_ARRAY(char, portbuf, 32);
     char *t;
     portbuf[0] = '\0';
@@ -2634,7 +2634,7 @@
 	snprintf(portbuf, 32, ":%d", request->port);
     loginbuf[0] = '\0';
     if ((int) strlen(request->login) > 0) {
-	xstrncpy(loginbuf, request->login, sizeof(loginbuf) - 2);
+	xstrncpy(loginbuf, request->login, MAX_LOGIN_SZ);
 	if ((t = strchr(loginbuf, ':')))
 	    *t = '\0';
 	strcat(loginbuf, "@");
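Review bot: The `strcat(loginbuf, "@")` after the copy is unbounded, and its safety now rests on two constants written in different hunks: the `MAX_LOGIN_SZ + 2` declaration in the previous hunk and the `MAX_LOGIN_SZ` bound passed to `xstrncpy()` here. Assuming `xstrncpy()` copies at most n-1 bytes and always terminates, the worst case is MAX_LOGIN_SZ-1 login bytes plus `@` plus the NUL, which fits. The reason for dropping `sizeof(loginbuf)` is not stated in the code; presumably `LOCAL_ARRAY` does not yield a true array in leak-checking builds, and a later tidy-up could put `sizeof` back. A comment on the copy such as `/* not sizeof(loginbuf): LOCAL_ARRAY may be a pointer; buffer is MAX_LOGIN_SZ + 2 to hold '@' and NUL */` would pin both. `ftpUrlWith2f` continues past the end of the hunk.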
diff -ruN squid-2.6.STABLE7/src/globals.h squid-2.6.STABLE8/src/globals.h
--- squid-2.6.STABLE7/src/globals.h	Mon Sep 25 13:31:34 2006
+++ squid-2.6.STABLE8/src/globals.h	Thu Jan 18 17:19:26 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: globals.h,v 1.122 2006/09/25 19:31:34 serassio Exp $
+ * $Id: globals.h,v 1.123 2007/01/19 00:19:26 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -120,10 +120,10 @@
 extern unsigned long store_mem_size;	/* 0 */
 extern time_t hit_only_mode_until;	/* 0 */
 extern StatCounters statCounter;
-extern char *err_type_str[];
-extern char *icp_opcode_str[];
-extern char *swap_log_op_str[];
-extern char *lookup_t_str[];
+extern const char *err_type_str[];
+extern const char *icp_opcode_str[];
+extern const char *swap_log_op_str[];
+extern const char *lookup_t_str[];
 extern double request_failure_ratio;	/* 0.0 */
 extern double current_dtime;
 extern int store_hash_buckets;	/* 0 */
diff -ruN squid-2.6.STABLE7/src/http.c squid-2.6.STABLE8/src/http.c
--- squid-2.6.STABLE7/src/http.c	Mon Oct 23 15:34:17 2006
+++ squid-2.6.STABLE8/src/http.c	Sun Jan 21 03:26:44 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: http.c,v 1.418 2006/10/23 21:34:17 hno Exp $
+ * $Id: http.c,v 1.419.2.2 2007/01/21 10:26:44 hno Exp $
  *
  * DEBUG: section 11    Hypertext Transfer Protocol (HTTP)
  * AUTHOR: Harvest Derived
diff -ruN squid-2.6.STABLE7/src/mk-string-arrays.pl squid-2.6.STABLE8/src/mk-string-arrays.pl
--- squid-2.6.STABLE7/src/mk-string-arrays.pl	Tue Apr  7 17:31:51 1998
+++ squid-2.6.STABLE8/src/mk-string-arrays.pl	Thu Jan 18 17:19:26 2007
@@ -1,5 +1,5 @@
 #******************************************************************************
-# $Id: mk-string-arrays.pl,v 1.4 1998/04/07 23:31:51 rousskov Exp $
+# $Id: mk-string-arrays.pl,v 1.5 2007/01/19 00:19:26 hno Exp $
 #
 # File:		mk-strs.pl
 #
@@ -16,6 +16,9 @@
 $pat{'icp_opcode'} = "icp_opcode_str";
 $pat{'swap_log_op'} = "swap_log_op_str";
 $pat{'lookup_t'} = "lookup_t_str";
+$pat{'log_type'} = "log_tags";
+
+print "#include \"squid.h\"\n";
 
 $state = 0;	# start state
 while (<>) {
@@ -35,19 +38,27 @@
 				print "const char *$pat{$t}\[\] = \n";
 				print "{\n";
 				for ($i = 0; $i < $count; $i++) {
-					printf "\t\"%s\"%s\n",
-						$ea[$i],
-						$i == $count - 1 ? '' : ',';
+					if ($ea[$i] =~ /^#/) {
+						print $ea[$i];
+					} else {
+						printf "\t\"%s\"%s\n",
+							$ea[$i],
+							$i == $count - 1 ? '' : ',';
+					}
 				}
 				print "};\n";
 				print "\n";
 			}
 			$state = 0;
+		} elsif (/^#/) {
+			$ea[$count++] = $_;
 		} else {
 			($e) = split(' ', $_);
 			$e =~ s/,//;
-			$ea[$count] = $e;
-			$count++;
+			$e =~ s/^LOG_TAG_//;
+			$e =~ s/^LOG_//;
+			$e =~ s/^REFRESH_FAIL_HIT$/REF_FAIL_HIT/;
+			$ea[$count++] = $e;
 		}
 		next;
 	}
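Review bot: The three prefix substitutions in the `else` branch run on every enumerator of every enum the script collects, not just `log_type`, so a future `err_type`, `icp_opcode`, `swap_log_op` or `lookup_t` member beginning with `LOG_` would have its table string silently rewritten. The type name `$t` appears to be available only in the emit branch, so the strip would be better applied there under `if ($t eq 'log_type')`. Separately, `/^#/` matches directives only at column 0; an indented `#if` inside an enum would fall through to the `else` branch and be emitted as a quoted entry, shifting every later index in a table that is presumably looked up by enum value. Using `/^\s*#/` in both tests would close that. The enclosing `while` loop starts and ends outside the hunk.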
diff -ruN squid-2.6.STABLE7/src/neighbors.c squid-2.6.STABLE8/src/neighbors.c
--- squid-2.6.STABLE7/src/neighbors.c	Sat Dec  9 22:18:47 2006
+++ squid-2.6.STABLE8/src/neighbors.c	Thu Jan 18 17:19:26 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: neighbors.c,v 1.312 2006/12/10 05:18:47 hno Exp $
+ * $Id: neighbors.c,v 1.313 2007/01/19 00:19:26 hno Exp $
  *
  * DEBUG: section 15    Neighbor Routines
  * AUTHOR: Harvest Derived
@@ -799,7 +799,7 @@
     StoreEntry *entry;
     MemObject *mem = NULL;
     peer_t ntype = PEER_NONE;
-    char *opcode_d;
+    const char *opcode_d;
     icp_opcode opcode = (icp_opcode) header->opcode;
 
     debug(15, 6) ("neighborsUdpAck: opcode %d '%s'\n",
diff -ruN squid-2.6.STABLE7/src/refresh.c squid-2.6.STABLE8/src/refresh.c
--- squid-2.6.STABLE7/src/refresh.c	Fri Aug 18 15:06:04 2006
+++ squid-2.6.STABLE8/src/refresh.c	Thu Jan 18 17:21:01 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: refresh.c,v 1.62 2006/08/18 21:06:04 hno Exp $
+ * $Id: refresh.c,v 1.63 2007/01/19 00:21:01 hno Exp $
  *
  * DEBUG: section 22    Refresh Calculation
  * AUTHOR: Harvest Derived
@@ -80,6 +80,7 @@
     STALE_EXPIRES,
     STALE_MAX_RULE,
     STALE_LMFACTOR_RULE,
+    STALE_WITHIN_DELTA,
     STALE_DEFAULT = 299
 };
 
@@ -220,7 +221,7 @@
     const refresh_t *R;
     const char *uri = NULL;
     time_t age = 0;
-    time_t check_time = squid_curtime + delta;
+    time_t check_time = squid_curtime;
     int staleness;
     stale_flags sf;
     if (entry->mem_obj)
@@ -230,6 +231,8 @@
 
     debug(22, 3) ("refreshCheck: '%s'\n", uri ? uri : "<none>");
 
+    if (delta > 0)
+	check_time += delta;
     if (check_time > entry->timestamp)
 	age = check_time - entry->timestamp;
     R = uri ? refreshLimits(uri) : refreshUncompiledPattern(".");
@@ -280,7 +283,7 @@
 		    return STALE_EXCEEDS_REQUEST_MAX_AGE_VALUE;
 		}
 	    }
-	    if (EBIT_TEST(cc->mask, CC_MAX_STALE) && staleness > -1) {
+	    if (EBIT_TEST(cc->mask, CC_MAX_STALE) && staleness >= 0) {
 		if (cc->max_stale < 0) {
 		    /* max-stale directive without a value */
 		    debug(22, 3) ("refreshCheck: NO: max-stale wildcard\n");
@@ -292,7 +295,7 @@
 	    }
 	}
     }
-    if (-1 == staleness) {
+    if (staleness < 0) {
 	if (sf.expires)
 	    return FRESH_EXPIRES;
 	assert(!sf.max);
@@ -305,6 +308,9 @@
      * At this point the response is stale, unless one of
      * the override options kicks in.
      */
+    if (delta < 0 && staleness + delta < 0) {
+	return STALE_WITHIN_DELTA;
+    }
     if (sf.expires) {
 #if HTTP_VIOLATIONS
 	if (R->flags.override_expire && age < R->min) {
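Review bot: `STALE_WITHIN_DELTA` is returned here without a `debug(22, 3)` trace like the one the max-stale branch in the earlier hunk emits, and neither this return nor the new `-1` result of `refreshCheckHTTPStale()` in the last refresh.c hunk is documented. Any caller that tests `refreshCheckHTTPStale()` for truth will treat `-1` as stale, so the three-way contract should be written above that function: `/* 0 = fresh, 1 = stale, -1 = stale by less than refresh_stale_window */`. For the return itself I would add `debug(22, 3) ("refreshCheck: stale within delta\n");` before it, so the decision shows up in section 22 debugging like the others. `refreshCheck` starts and ends outside the hunk.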
@@ -375,6 +381,8 @@
 refreshCheckHTTPStale(const StoreEntry * entry, request_t * request)
 {
     int reason = refreshCheck(entry, request, -Config.refresh_stale_window);
+    if (reason == STALE_WITHIN_DELTA)
+	return -1;
     return (reason < 200) ? 0 : 1;
 }
 
diff -ruN squid-2.6.STABLE7/src/store.c squid-2.6.STABLE8/src/store.c
--- squid-2.6.STABLE7/src/store.c	Sat Dec  9 22:55:17 2006
+++ squid-2.6.STABLE8/src/store.c	Thu Jan 18 17:21:01 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: store.c,v 1.569 2006/12/10 05:55:17 hno Exp $
+ * $Id: store.c,v 1.570 2007/01/19 00:21:01 hno Exp $
  *
  * DEBUG: section 20    Storage Manager
  * AUTHOR: Harvest Derived
@@ -1308,6 +1308,7 @@
     if (e->mem_obj->request)
 	e->mem_obj->request->hier.store_complete_stop = current_time;
 #endif
+    e->mem_obj->refresh_timestamp = e->timestamp;
     /*
      * We used to call InvokeHandlers, then storeSwapOut.  However,
      * Madhukar Reddy <myreddy@persistence.com> reported that
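Review bot: The added `e->mem_obj->refresh_timestamp = e->timestamp;` has no comment saying why the refresh timestamp is seeded at this point, and it is the only `e->mem_obj` dereference in the hunk that sits outside the `#if` block above it. A one-line comment such as `/* start refresh checks from the entry's own timestamp */` would help; the author should confirm the intent and that `mem_obj` cannot be NULL here. The enclosing function starts and ends outside the hunk.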
diff -ruN squid-2.6.STABLE7/src/structs.h squid-2.6.STABLE8/src/structs.h
--- squid-2.6.STABLE7/src/structs.h	Wed Nov 29 08:58:52 2006
+++ squid-2.6.STABLE8/src/structs.h	Sun Jan 21 03:26:44 2007
@@ -1,6 +1,6 @@
 
 /*
- * $Id: structs.h,v 1.506 2006/11/29 15:58:52 adrian Exp $
+ * $Id: structs.h,v 1.507.2.1 2007/01/21 10:26:44 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
