diff -u -r -N squid-3.1.6/bootstrap.sh squid-3.1.7/bootstrap.sh
--- squid-3.1.6/bootstrap.sh	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/bootstrap.sh	2010-08-24 17:41:26.000000000 +1200
@@ -115,12 +115,17 @@
         chmod u-w $makefile
 
         # Libtool 2.2.6b we bundle is slightly broken with non-portable dependencies
-        sed 's/<libltdl\/lt_system.h>/\"libltdl\/lt_system.h\"/g' $src/ltdl.h |
-            sed 's/<libltdl\/lt_error.h>/\"libltdl\/lt_error.h\"/g' |
-            sed 's/<libltdl\/lt_dlloader.h>/\"libltdl\/lt_dlloader.h\"/g' > $src/ltdl.h.new;
-        chmod u+w $src/ltdl.h
-        mv $src/ltdl.h.new $src/ltdl.h
-        chmod u-w $src/ltdl.h
+        # HACK: Make it backward-compatible by linking the bundled headers.
+        for f in ltdl.h libltdl/lt_error.h libltdl/lt_system.h libltdl/lt_dlloader.h libltdl/slist.h; do
+            echo "Fixing $f ..."
+            sed 's/<libltdl\/lt_system.h>/\"libltdl\/lt_system.h\"/g' $src/$f |
+                sed 's/<libltdl\/lt__glibc.h>/\"libltdl\/lt__glibc.h\"/g' |
+                sed 's/<libltdl\/lt_error.h>/\"libltdl\/lt_error.h\"/g' |
+                sed 's/<libltdl\/lt_dlloader.h>/\"libltdl\/lt_dlloader.h\"/g' > $src/$f.new;
+            chmod u+w $src/$f
+            mv $src/$f.new $src/$f
+            chmod u-w $src/$f
+        done
     fi
 }
 
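Review bot: Inside the new `for` loop, `mv $src/$f.new $src/$f` runs whether or not the sed pipeline succeeded, so a failed or interrupted sed leaves an empty or truncated bundled header in place. The script may run under `set -e` (not visible in this hunk), but even then only the last sed's exit status is seen. Folding the four substitutions into one sed and chaining the move closes that gap and lets the paths be quoted: `sed -e '…' -e '…' -e '…' -e '…' "$src/$f" > "$src/$f.new" && mv "$src/$f.new" "$src/$f"`, with the four existing expressions in place of the `'…'` placeholders. The enclosing function starts above the hunk.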
diff -u -r -N squid-3.1.6/ChangeLog squid-3.1.7/ChangeLog
--- squid-3.1.6/ChangeLog	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/ChangeLog	2010-08-24 17:41:25.000000000 +1200
@@ -1,3 +1,20 @@
+Changes to squid-3.1.7 (23 Aug 2010):
+
+	- Regression Bug 3021: Large DNS reply causes crash
+	- Regression Bug 3011: ICAP, HTTPS, cache_peer probe IPv4-only port fixes
+	- Regression Bug 2997: visible_hostname directive no longer matches docs
+	- Bug 3012: deprecate sslBump and support ssl-bump spelling in http_port
+	- Bug 3006: handle IPV6_V6ONLY definition missing
+	- Bug 3004: Solaris 9 SunStudio 12 build failure
+	- Bug 3003: inconsistent concepts in documentation of cache_dir
+	- Bug 3001: dnsserver link issues
+	- HTTP/1.1: default keep-alive for 1.1 clients (bug 3016)
+	- HTTP/1.1: Improved Range header field validation
+	- HTTP/1.1: Forward multiple unknown Cache-Control directives
+	- HTTP/1.1: Stop sending Proxy-Connection header
+	- Fix 32-bit wrap in refresh_pattern min/max values
+	- ... and several documentation corrections.
+
 Changes to squid-3.1.6 (02 Aug 2010):
 
 	- Bug 2994, 2995: IPv4-only regressions
diff -u -r -N squid-3.1.6/configure squid-3.1.7/configure
--- squid-3.1.6/configure	2010-08-02 02:03:14.000000000 +1200
+++ squid-3.1.7/configure	2010-08-24 17:43:37.000000000 +1200
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.in Revision.
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.1.6.
+# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.1.7.
 #
 # Report bugs to <http://www.squid-cache.org/bugs/>.
 #
@@ -750,8 +750,8 @@
 # Identity of this package.
 PACKAGE_NAME='Squid Web Proxy'
 PACKAGE_TARNAME='squid'
-PACKAGE_VERSION='3.1.6'
-PACKAGE_STRING='Squid Web Proxy 3.1.6'
+PACKAGE_VERSION='3.1.7'
+PACKAGE_STRING='Squid Web Proxy 3.1.7'
 PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/'
 
 ac_unique_file="src/main.cc"
@@ -1712,7 +1712,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures Squid Web Proxy 3.1.6 to adapt to many kinds of systems.
+\`configure' configures Squid Web Proxy 3.1.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1782,7 +1782,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of Squid Web Proxy 3.1.6:";;
+     short | recursive ) echo "Configuration of Squid Web Proxy 3.1.7:";;
    esac
   cat <<\_ACEOF
 
@@ -2109,7 +2109,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-Squid Web Proxy configure 3.1.6
+Squid Web Proxy configure 3.1.7
 generated by GNU Autoconf 2.62
 
 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -2123,7 +2123,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by Squid Web Proxy $as_me 3.1.6, which was
+It was created by Squid Web Proxy $as_me 3.1.7, which was
 generated by GNU Autoconf 2.62.  Invocation command line was
 
   $ $0 $@
@@ -2841,7 +2841,7 @@
 
 # Define the identity of the package.
  PACKAGE='squid'
- VERSION='3.1.6'
+ VERSION='3.1.7'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -48878,7 +48878,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by Squid Web Proxy $as_me 3.1.6, which was
+This file was extended by Squid Web Proxy $as_me 3.1.7, which was
 generated by GNU Autoconf 2.62.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -48931,7 +48931,7 @@
 _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_version="\\
-Squid Web Proxy config.status 3.1.6
+Squid Web Proxy config.status 3.1.7
 configured by $0, generated by GNU Autoconf 2.62,
   with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"
 
diff -u -r -N squid-3.1.6/configure.in squid-3.1.7/configure.in
--- squid-3.1.6/configure.in	2010-08-02 02:03:14.000000000 +1200
+++ squid-3.1.7/configure.in	2010-08-24 17:43:36.000000000 +1200
@@ -2,7 +2,7 @@
 dnl
 dnl  $Id$
 dnl
-AC_INIT([Squid Web Proxy],[3.1.6],[http://www.squid-cache.org/bugs/],[squid])
+AC_INIT([Squid Web Proxy],[3.1.7],[http://www.squid-cache.org/bugs/],[squid])
 AC_PREREQ(2.61)
 AC_CONFIG_HEADERS([include/autoconf.h])
 AC_CONFIG_AUX_DIR(cfgaux)
diff -u -r -N squid-3.1.6/include/version.h squid-3.1.7/include/version.h
--- squid-3.1.6/include/version.h	2010-08-02 02:03:14.000000000 +1200
+++ squid-3.1.7/include/version.h	2010-08-24 17:43:37.000000000 +1200
@@ -9,7 +9,7 @@
  */
 
 #ifndef SQUID_RELEASE_TIME
-#define SQUID_RELEASE_TIME 1280671275
+#define SQUID_RELEASE_TIME 1282628458
 #endif
 
 #ifndef APP_SHORTNAME
diff -u -r -N squid-3.1.6/libltdl/libltdl/lt_dlloader.h squid-3.1.7/libltdl/libltdl/lt_dlloader.h
--- squid-3.1.6/libltdl/libltdl/lt_dlloader.h	2010-08-02 02:02:22.000000000 +1200
+++ squid-3.1.7/libltdl/libltdl/lt_dlloader.h	2010-08-24 17:42:13.000000000 +1200
@@ -31,7 +31,7 @@
 #if !defined(LT_DLLOADER_H)
 #define LT_DLLOADER_H 1
 
-#include <libltdl/lt_system.h>
+#include "libltdl/lt_system.h"
 
 LT_BEGIN_C_DECLS
 
diff -u -r -N squid-3.1.6/libltdl/libltdl/lt_error.h squid-3.1.7/libltdl/libltdl/lt_error.h
--- squid-3.1.6/libltdl/libltdl/lt_error.h	2010-08-02 02:02:22.000000000 +1200
+++ squid-3.1.7/libltdl/libltdl/lt_error.h	2010-08-24 17:42:13.000000000 +1200
@@ -32,7 +32,7 @@
 #if !defined(LT_ERROR_H)
 #define LT_ERROR_H 1
 
-#include <libltdl/lt_system.h>
+#include "libltdl/lt_system.h"
 
 LT_BEGIN_C_DECLS
 
diff -u -r -N squid-3.1.6/libltdl/libltdl/slist.h squid-3.1.7/libltdl/libltdl/slist.h
--- squid-3.1.6/libltdl/libltdl/slist.h	2010-08-02 02:02:22.000000000 +1200
+++ squid-3.1.7/libltdl/libltdl/slist.h	2010-08-24 17:42:13.000000000 +1200
@@ -42,8 +42,8 @@
 #define SLIST_H 1
 
 #if defined(LTDL)
-#  include <libltdl/lt__glibc.h>
-#  include <libltdl/lt_system.h>
+#  include "libltdl/lt__glibc.h"
+#  include "libltdl/lt_system.h"
 #else
 #  define LT_SCOPE
 #endif
diff -u -r -N squid-3.1.6/RELEASENOTES.html squid-3.1.7/RELEASENOTES.html
--- squid-3.1.6/RELEASENOTES.html	2010-08-02 02:28:51.000000000 +1200
+++ squid-3.1.7/RELEASENOTES.html	2010-08-24 18:21:00.000000000 +1200
@@ -1,11 +1,11 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.65">
- <TITLE>Squid 3.1.6 release notes</TITLE>
+ <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
+ <TITLE>Squid 3.1.7 release notes</TITLE>
 </HEAD>
 <BODY>
-<H1>Squid 3.1.6 release notes</H1>
+<H1>Squid 3.1.7 release notes</H1>
 
 <H2>Squid Developers</H2>
 <HR>
@@ -70,7 +70,7 @@
 <HR>
 <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
 
-<P>The Squid Team are pleased to announce the release of Squid-3.1.6</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.1.7</P>
 <P>This new release is available for download from 
 <A HREF="http://www.squid-cache.org/Versions/v3/3.1/">http://www.squid-cache.org/Versions/v3/3.1/</A> or the 
 <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
@@ -241,7 +241,7 @@
 <LI>permit IPv6 server connection provided tcp_outgoing_address has been configured (see below).</LI>
 </UL>
 </P>
-<P><EM>NOTE:</EM> SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.</P>
+<P><EM>NOTE:</EM> ICAP, SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.</P>
 
 <P>Specify a specific tcp_outgoing_address and the clients who match its ACL are limited
 to the IPv4 or IPv6 network that address belongs to. They are not permitted over the
@@ -1033,8 +1033,8 @@
 
 <DT><B>ssl_bump</B><DD>
 <P>New Access control for which CONNECT requests to an http_port
-marked with an sslBump flag are actually "bumped". Please
-see the sslBump flag of an http_port option for more details
+marked with an ssl-bump flag are actually "bumped". Please
+see the ssl-bump flag of an http_port option for more details
 about decoding proxied SSL connections.
 DEFAULT: No requests are bumped.
 <PRE>
@@ -1288,7 +1288,7 @@
 </PRE>
 </P>
 
-<DT><B>http_port transparent intercept sslbump connection-auth[=on|off] ignore-cc</B><DD>
+<DT><B>http_port transparent intercept ssl-bump connection-auth[=on|off] ignore-cc</B><DD>
 <P>Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
 For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</P>
 <P>New port options
@@ -1315,7 +1315,7 @@
                         Warning: This option violates HTTP specifications if
                         used in non-accelerator setups.
 
-           sslBump      Intercept each CONNECT request matching ssl_bump ACL,
+           ssl-bump     Intercept each CONNECT request matching ssl_bump ACL,
                         establish secure connection with the client and with
                         the server, decrypt HTTP messages as they pass through
                         Squid, and treat them as unencrypted HTTP messages,
@@ -1329,12 +1329,12 @@
                         for more information on these options.
 
                         The ssl_bump option is required to fully enable
-                        the SslBump feature.
+                        the SSL Bump feature.
         
 </PRE>
 </P>
 
-<DT><B>https_port intercept sslbump connection-auth[=on|off]</B><DD>
+<DT><B>https_port intercept ssl-bump connection-auth[=on|off]</B><DD>
 <P>New port options. see http_port.</P>
 
 <DT><B>icap_service bypass=on|off|1|0 routing=on|off|1|0</B><DD>
@@ -1361,7 +1361,7 @@
                 should have the same method and vectoring point as the current
                 ICAP transaction.  Services violating these rules are ignored.
                 An empty X-Next-Services value results in an empty plan which
-                ends the current adaptation. 
+                ends the current adaptation.
 
                 Routing is not allowed by default: the ICAP X-Next-Services
                 response header is ignored.
diff -u -r -N squid-3.1.6/src/adaptation/icap/Xaction.cc squid-3.1.7/src/adaptation/icap/Xaction.cc
--- squid-3.1.6/src/adaptation/icap/Xaction.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/adaptation/icap/Xaction.cc	2010-08-24 17:41:27.000000000 +1200
@@ -13,6 +13,7 @@
 #include "pconn.h"
 #include "HttpRequest.h"
 #include "HttpReply.h"
+#include "ip/tools.h"
 #include "acl/FilledChecklist.h"
 #include "icap_log.h"
 #include "fde.h"
@@ -116,6 +117,15 @@
     disableRetries(); // we only retry pconn failures
 
     IpAddress outgoing;
+    if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) {
+        debugs(31, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << outgoing << " is not an IPv4 address.");
+        dieOnConnectionFailure(); // throws
+    }
+    /* split-stack for now requires default IPv4-only socket */
+    if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && outgoing.IsAnyAddr() && !s.cfg().ipv6) {
+        outgoing.SetIPv4();
+    }
+
     connection = comm_open(SOCK_STREAM, 0, outgoing,
                            COMM_NONBLOCKING, s.cfg().uri.termedBuf());
 
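Review bot: In the split-stack condition, `Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && outgoing.IsAnyAddr() && !s.cfg().ipv6` is correct only because `&` binds tighter than `&&`; writing `(Ip::EnableIpv6 & IPV6_SPECIAL_SPLITSTACK) && …` makes that explicit. The first new check calls `SetIPv4()` on an `outgoing` that was default-constructed one line earlier, so the address printed in the ERROR message tells the operator nothing about which ICAP service failed; adding the service URI (`s.cfg().uri`, already used in the `comm_open` call below) would. The second `outgoing.SetIPv4()` discards its result, unlike the first. The enclosing function begins and ends outside the hunk.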
diff -u -r -N squid-3.1.6/src/adaptation/Makefile.am squid-3.1.7/src/adaptation/Makefile.am
--- squid-3.1.6/src/adaptation/Makefile.am	2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/adaptation/Makefile.am	2010-08-24 17:41:27.000000000 +1200
@@ -12,6 +12,11 @@
 SUBDIRS += ecap
 endif
 
+if USE_LOADABLE_MODULES
+## LTDL headers require their local include path...
+INCLUDES += $(INCLTDL)
+endif
+
 noinst_LTLIBRARIES = libadaptation.la
 
 ## start with the code shared among all adaptation schemes
diff -u -r -N squid-3.1.6/src/adaptation/Makefile.in squid-3.1.7/src/adaptation/Makefile.in
--- squid-3.1.6/src/adaptation/Makefile.in	2010-08-02 02:02:37.000000000 +1200
+++ squid-3.1.7/src/adaptation/Makefile.in	2010-08-24 17:42:38.000000000 +1200
@@ -37,6 +37,7 @@
 check_PROGRAMS =
 @USE_ICAP_CLIENT_TRUE@am__append_1 = icap
 @USE_ECAP_TRUE@am__append_2 = ecap
+@USE_LOADABLE_MODULES_TRUE@am__append_3 = $(INCLTDL)
 subdir = src/adaptation
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \
@@ -289,13 +290,8 @@
 AM_CXXFLAGS = $(SQUID_CXXFLAGS)
 CLEANFILES = testHeaders
 TESTS = testHeaders
-INCLUDES = \
-	-I$(top_srcdir) \
-	-I$(top_srcdir)/include \
-	-I$(top_srcdir)/src \
-	-I$(top_builddir)/include \
-	$(SQUID_CPPUNIT_INC)
-
+INCLUDES = -I$(top_srcdir) -I$(top_srcdir)/include -I$(top_srcdir)/src \
+	-I$(top_builddir)/include $(SQUID_CPPUNIT_INC) $(am__append_3)
 SUBDIRS = $(am__append_1) $(am__append_2)
 noinst_LTLIBRARIES = libadaptation.la
 libadaptation_la_SOURCES = \
diff -u -r -N squid-3.1.6/src/adaptation/ServiceConfig.cc squid-3.1.7/src/adaptation/ServiceConfig.cc
--- squid-3.1.6/src/adaptation/ServiceConfig.cc	2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/adaptation/ServiceConfig.cc	2010-08-24 17:41:27.000000000 +1200
@@ -5,10 +5,11 @@
 #include "squid.h"
 #include "ConfigParser.h"
 #include "adaptation/ServiceConfig.h"
+#include "ip/tools.h"
 
 Adaptation::ServiceConfig::ServiceConfig():
         port(-1), method(methodNone), point(pointNone),
-        bypass(false), routing(false)
+        bypass(false), routing(false), ipv6(false)
 {}
 
 const char *
@@ -93,7 +94,11 @@
             grokked = grokBool(bypass, name, value);
         else if (strcmp(name, "routing") == 0)
             grokked = grokBool(routing, name, value);
-        else {
+        else if (strcmp(name, "ipv6") == 0) {
+            grokked = grokBool(ipv6, name, value);
+            if (grokked && ipv6 && !Ip::EnableIpv6)
+                debugs(3, DBG_IMPORTANT, "WARNING: IPv6 is disabled. ICAP service option ignored.");
+        } else {
             debugs(3, 0, cfg_filename << ':' << config_lineno << ": " <<
                    "unknown adaptation service option: " << name << '=' << value);
         }
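Review bot: The new `ipv6` branch warns "ICAP service option ignored" but leaves `ipv6` set to true, so the stored configuration disagrees with the log line; resetting it (`ipv6 = false;` inside the warning branch, with braces) keeps later readers of the flag honest. In the Xaction.cc hunk of this diff the flag is only read in the split-stack path, so this may be harmless today. The warning also omits the `cfg_filename << ':' << config_lineno << ": "` prefix that the unknown-option message just below it uses, which makes the offending line harder to find. The enclosing parse function starts and ends outside the hunk.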
diff -u -r -N squid-3.1.6/src/adaptation/ServiceConfig.h squid-3.1.7/src/adaptation/ServiceConfig.h
--- squid-3.1.6/src/adaptation/ServiceConfig.h	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/adaptation/ServiceConfig.h	2010-08-24 17:41:25.000000000 +1200
@@ -33,6 +33,7 @@
     VectPoint point; // where the adaptation happens (pre- or post-cache)
     bool bypass;
     bool routing; ///< whether this service may determine the next service(s)
+    bool ipv6;    ///< whether this service uses IPv6 transport (default IPv4)
 
 protected:
     Method parseMethod(const char *buf) const;
diff -u -r -N squid-3.1.6/src/auth/negotiate/auth_negotiate.cc squid-3.1.7/src/auth/negotiate/auth_negotiate.cc
--- squid-3.1.6/src/auth/negotiate/auth_negotiate.cc	2010-08-02 02:01:39.000000000 +1200
+++ squid-3.1.7/src/auth/negotiate/auth_negotiate.cc	2010-08-24 17:41:25.000000000 +1200
@@ -144,7 +144,7 @@
 
 }
 
-AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(1)
+AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(0)
 { }
 
 void
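Review bot: The default for `keep_alive` flips from 1 to 0 here (and identically for `AuthNTLMConfig` in auth_ntlm.cc) with nothing but the bare literal to record it, and the 3.1.7 ChangeLog entries in this diff do not list the change. Installations that never set `auth_param … keep_alive` will start closing the connection after the initial scheme-advertising response once they upgrade. A comment at the initialiser, e.g. `// off by default: some browsers loop on login popups or corrupt POST/PUT if the connection stays open (see cf.data.pre)`, and a ChangeLog line would make the change discoverable.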
diff -u -r -N squid-3.1.6/src/auth/ntlm/auth_ntlm.cc squid-3.1.7/src/auth/ntlm/auth_ntlm.cc
--- squid-3.1.6/src/auth/ntlm/auth_ntlm.cc	2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/auth/ntlm/auth_ntlm.cc	2010-08-24 17:41:25.000000000 +1200
@@ -126,7 +126,7 @@
 
 }
 
-AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(1)
+AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(0)
 { }
 
 void
diff -u -r -N squid-3.1.6/src/cache_cf.cc squid-3.1.7/src/cache_cf.cc
--- squid-3.1.6/src/cache_cf.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/cache_cf.cc	2010-08-24 17:41:25.000000000 +1200
@@ -2327,6 +2327,16 @@
 
     i = GetInteger();		/* token: min */
 
+    /* catch negative and insanely huge values close to 32-bit wrap */
+    if (i < 0) {
+        debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern minimum age negative. Cropped back to zero.");
+        i = 0;
+    }
+    if (i > 60*24*365) {
+        debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern minimum age too high. Cropped back to 1 year.");
+        i = 60*24*365;
+    }
+
     min = (time_t) (i * 60);	/* convert minutes to seconds */
 
     i = GetInteger();		/* token: pct */
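Review bot: The clamp added here is repeated line for line in the next hunk for the max token, with the literal `60*24*365` written four times across the two. A named constant such as `static const int RefreshPatternLimitMinutes = 60*24*365;` plus a small static helper that takes the value and the word "minimum" or "maximum" would keep the two bounds from drifting apart. The WARNING lines also carry no `cfg_filename`/`config_lineno` (as the unknown-option message in ServiceConfig.cc does), so an operator with several refresh_pattern lines cannot tell which one was cropped. The enclosing function starts and ends outside both hunks.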
@@ -2335,6 +2345,16 @@
 
     i = GetInteger();		/* token: max */
 
+    /* catch negative and insanely huge values close to 32-bit wrap */
+    if (i < 0) {
+        debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern maximum age negative. Cropped back to zero.");
+        i = 0;
+    }
+    if (i > 60*24*365) {
+        debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern maximum age too high. Cropped back to 1 year.");
+        i = 60*24*365;
+    }
+
     max = (time_t) (i * 60);	/* convert minutes to seconds */
 
     /* Options */
@@ -3136,7 +3156,11 @@
     } else if (strncmp(token, "sslcontext=", 11) == 0) {
         safe_free(s->sslcontext);
         s->sslcontext = xstrdup(token + 11);
-    } else if (strcmp(token, "sslBump") == 0) {
+    } else if (strcasecmp(token, "sslBump") == 0) {
+        debugs(3, DBG_CRITICAL, "WARNING: '" << token << "' is deprecated " <<
+               "in http_port. Use 'ssl-bump' instead.");
+        s->sslBump = 1; // accelerated when bumped, otherwise not
+    } else if (strcmp(token, "ssl-bump") == 0) {
         s->sslBump = 1; // accelerated when bumped, otherwise not
 #endif
     } else {
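Review bot: The deprecated spelling is now matched with `strcasecmp` while the replacement `ssl-bump` is matched with `strcmp`, so the old name is accepted in any letter case (spellings that previously fell through to the final `else`) and the new one is not. Since this flag switches on decryption of client TLS traffic, the set of tokens that enable it should be deliberate: either keep `strcmp(token, "sslBump")` or document why case is relaxed. The two branches also duplicate `s->sslBump = 1;`, and the warning names `http_port` even though the release notes in this diff list `ssl-bump` under `https_port` too; if this parser serves both directives the text is misleading. The deprecation is logged at `DBG_CRITICAL`, whereas the other new WARNING lines in this diff use `DBG_IMPORTANT`.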
diff -u -r -N squid-3.1.6/src/cf.data.pre squid-3.1.7/src/cf.data.pre
--- squid-3.1.6/src/cf.data.pre	2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/cf.data.pre	2010-08-24 17:41:26.000000000 +1200
@@ -265,12 +265,12 @@
 	auth_param ntlm children 5
 
 	"keep_alive" on|off
-	If you experience problems with PUT/POST requests when using the
-	Negotiate authentication scheme then you can try setting this to
-	off. This will cause Squid to forcibly close the connection on
-	the initial requests where the browser asks which schemes are
-	supported by the proxy.
-
+	Whether to keep the connection open after the initial response where
+	Squid tells the browser which schemes are supported by the proxy.
+	Some browsers are known to present many login popups or to corrupt
+	POST/PUT requests transfer if the connection is not closed.
+	The default is currently OFF to avoid this, but may change.
+	
 	auth_param ntlm keep_alive on
 
 	=== Options for configuring the NEGOTIATE auth-scheme follow ===
@@ -299,15 +299,15 @@
 	auth_param negotiate children 5
 
 	"keep_alive" on|off
-	If you experience problems with PUT/POST requests when using the
-	Negotiate authentication scheme then you can try setting this to
-	off. This will cause Squid to forcibly close the connection on
-	the initial requests where the browser asks which schemes are
-	supported by the proxy.
-
+	Whether to keep the connection open after the initial response where
+	Squid tells the browser which schemes are supported by the proxy.
+	Some browsers are known to present many login popups or to corrupt
+	POST/PUT requests transfer if the connection is not closed.
+	The default is currently OFF to avoid this, but may change.
+	
 	auth_param negotiate keep_alive on
 
-	
+
 	Examples:
 
 #Recommended minimum configuration per scheme:
@@ -1157,7 +1157,7 @@
 			sporadically hang or never complete requests set
 			disable-pmtu-discovery option to 'transparent'.
 
-	   sslBump 	Intercept each CONNECT request matching ssl_bump ACL,
+	   ssl-bump 	Intercept each CONNECT request matching ssl_bump ACL,
 			establish secure connection with the client and with
 			the server, decrypt HTTP messages as they pass through
 			Squid, and treat them as unencrypted HTTP messages,
@@ -1650,6 +1650,10 @@
 	when using encrypted SSL certificate keys. If not specified
 	keys must either be unencrypted, or Squid started with the -N
 	option to allow it to query interactively for the passphrase.
+
+	The key file name is given as argument to the program allowing
+	selection of the right password if you have multiple encrypted
+	keys.
 DOC_END
 
 COMMENT_START
@@ -2233,10 +2237,10 @@
 	Instead, if you want Squid to use the entire disk drive,
 	subtract 20% and use that value.
 
-	'Level-1' is the number of first-level subdirectories which
+	'L1' is the number of first-level subdirectories which
 	will be created under the 'Directory'.  The default is 16.
 
-	'Level-2' is the number of second-level subdirectories which
+	'L2' is the number of second-level subdirectories which
 	will be created under each first-level directory.  The default
 	is 256.
 
@@ -3743,7 +3747,6 @@
 		request_header_access Retry-After allow all
 		request_header_access Title allow all
 		request_header_access Connection allow all
-		request_header_access Proxy-Connection allow all
 		request_header_access All deny all
 
 	although many of those are HTTP reply headers, and so should be
@@ -3819,7 +3822,6 @@
 		reply_header_access Retry-After allow all
 		reply_header_access Title allow all
 		reply_header_access Connection allow all
-		reply_header_access Proxy-Connection allow all
 		reply_header_access All deny all
 
 	although the HTTP request headers won't be usefully controlled
@@ -5794,6 +5796,11 @@
 		Routing is not allowed by default: the ICAP X-Next-Services
 		response header is ignored.
 
+	ipv6=on|off
+		Only has effect on split-stack systems. The default on those systems
+		is to use IPv4-only connections. When set to 'on' this option will
+		make Squid use IPv6-only connections to contact this ICAP service.
+
 	Older icap_service format without optional named parameters is
 	deprecated but supported for backward compatibility.
 
diff -u -r -N squid-3.1.6/src/client_side.cc squid-3.1.7/src/client_side.cc
--- squid-3.1.6/src/client_side.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/client_side.cc	2010-08-24 17:41:27.000000000 +1200
@@ -704,10 +704,7 @@
     debugs(33, 3, "clientSetKeepaliveFlag: method = " <<
            RequestMethodStr(request->method));
 
-    /* We are HTTP/1.0 facing clients still */
-    HttpVersion http_ver(1,0);
-
-    if (httpMsgIsPersistent(http_ver, req_hdr))
+    if (httpMsgIsPersistent(request->http_ver, req_hdr))
         request->flags.proxy_keepalive = 1;
 }
 
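Review bot: The removed comment explained why persistence was evaluated as HTTP/1.0, but the replacement `httpMsgIsPersistent(request->http_ver, req_hdr)` has no comment saying that the decision now follows the version the client declared, which makes keep-alive the default for HTTP/1.1 clients (ChangeLog: bug 3016). A one-line comment such as `/* use the client's own version: HTTP/1.1 is persistent unless it sends Connection: close */` would record the intent. Because the version comes from the request, it is worth confirming that the reply path still clears `proxy_keepalive` when the response length cannot be signalled; that code is outside this hunk. The function begins above the hunk.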
diff -u -r -N squid-3.1.6/src/client_side_reply.cc squid-3.1.7/src/client_side_reply.cc
--- squid-3.1.6/src/client_side_reply.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/client_side_reply.cc	2010-08-24 17:41:27.000000000 +1200
@@ -1405,9 +1405,8 @@
         hdr->delById(HDR_VIA);
         hdr->putStr(HDR_VIA, strVia.termedBuf());
     }
-    /* Signal keep-alive if needed */
-    hdr->putStr( (http->flags.accel || http->flags.intercepted)? HDR_CONNECTION : HDR_PROXY_CONNECTION,
-                 request->flags.proxy_keepalive ? "keep-alive" : "close");
+    /* Signal keep-alive or close explicitly */
+    hdr->putStr(HDR_CONNECTION, request->flags.proxy_keepalive ? "keep-alive" : "close");
 
 #if ADD_X_REQUEST_URI
     /*
diff -u -r -N squid-3.1.6/src/dns_internal.cc squid-3.1.7/src/dns_internal.cc
--- squid-3.1.6/src/dns_internal.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/dns_internal.cc	2010-08-24 17:41:25.000000000 +1200
@@ -201,10 +201,15 @@
 
     if (A.IsAnyAddr()) {
         debugs(78, 0, "WARNING: Squid does not accept " << A << " in DNS server specifications.");
-        A = "127.0.0.1";
+        A.SetLocalhost();
         debugs(78, 0, "Will be using " << A << " instead, assuming you meant that DNS is running on the same machine");
     }
 
+    if (!Ip::EnableIpv6 && !A.SetIPv4()) {
+        debugs(78, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Discarding " << A << " in DNS server specifications.");
+        return;
+    }
+
     if (nns == nns_alloc) {
         int oldalloc = nns_alloc;
         ns *oldptr = nameservers;
@@ -742,6 +747,12 @@
     else
         addr = Config.Addrs.udp_incoming;
 
+    if (nameservers[ns].S.IsIPv4() && !addr.SetIPv4()) {
+        debugs(31, DBG_CRITICAL, "ERROR: Cannot contact DNS nameserver " << nameservers[ns].S << " from " << addr);
+        addr.SetAnyAddr();
+        addr.SetIPv4();
+    }
+
     vc->queue = new MemBuf;
 
     vc->msg = new MemBuf;
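Review bot: The new `debugs(31, DBG_CRITICAL, …)` logs under section 31, while the other messages this diff adds to dns_internal.cc use section 78, so an operator who raises `debug_options` for the DNS section will not see it; this looks like a copy of the line added to Xaction.cc. The text says `ERROR: Cannot contact DNS nameserver`, yet the code recovers by resetting `addr` to the IPv4 wildcard and carries on, which a reader of cache.log cannot tell. Something like `debugs(78, DBG_IMPORTANT, "WARNING: Cannot contact DNS nameserver " << nameservers[ns].S << " from " << addr << ". Using the IPv4 wildcard address instead.");` states both. The enclosing function starts and ends outside the hunk.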
@@ -832,14 +843,16 @@
 
     } while ( (x<0 && y<0) && q->nsends % nns != 0);
 
-    if (y >= 0) {
-        fd_bytes(DnsSocketB, y, FD_WRITE);
-        commSetSelect(DnsSocketB, COMM_SELECT_READ, idnsRead, NULL, 0);
-    }
+    if (!q->need_vc) {
+        if (y >= 0) {
+            fd_bytes(DnsSocketB, y, FD_WRITE);
+            commSetSelect(DnsSocketB, COMM_SELECT_READ, idnsRead, NULL, 0);
+        }
 
-    if (x >= 0) {
-        fd_bytes(DnsSocketA, x, FD_WRITE);
-        commSetSelect(DnsSocketA, COMM_SELECT_READ, idnsRead, NULL, 0);
+        if (x >= 0) {
+            fd_bytes(DnsSocketA, x, FD_WRITE);
+            commSetSelect(DnsSocketA, COMM_SELECT_READ, idnsRead, NULL, 0);
+        }
     }
 
     nameservers[ns].nqueries++;
diff -u -r -N squid-3.1.6/src/forward.cc squid-3.1.7/src/forward.cc
--- squid-3.1.6/src/forward.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/forward.cc	2010-08-24 17:41:27.000000000 +1200
@@ -870,9 +870,9 @@
 
     // if IPv6 is disabled try to force IPv4-only outgoing.
     if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) {
-        debugs(50, 4, "fwdConnectStart: " << xstrerror());
+        debugs(50, 4, "fwdConnectStart: IPv6 is Disabled. Cannot connect from " << outgoing);
         ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request);
-        anErr->xerrno = errno;
+        anErr->xerrno = EAFNOSUPPORT;
         fail(anErr);
         self = NULL;	// refcounted
         return;
diff -u -r -N squid-3.1.6/src/gopher.cc squid-3.1.7/src/gopher.cc
--- squid-3.1.6/src/gopher.cc	2010-08-02 02:01:39.000000000 +1200
+++ squid-3.1.7/src/gopher.cc	2010-08-24 17:41:27.000000000 +1200
@@ -892,7 +892,7 @@
         ErrorState *err;
         err = errorCon(ERR_WRITE_ERROR, HTTP_SERVICE_UNAVAILABLE, gopherState->fwd->request);
         err->xerrno = errno;
-        err->port = gopherState->req->port;
+        err->port = gopherState->fwd->request->port;
         err->url = xstrdup(entry->url());
         gopherState->fwd->fail(err);
         comm_close(fd);
diff -u -r -N squid-3.1.6/src/http.cc squid-3.1.7/src/http.cc
--- squid-3.1.6/src/http.cc	2010-08-02 02:01:39.000000000 +1200
+++ squid-3.1.7/src/http.cc	2010-08-24 17:41:26.000000000 +1200
@@ -1720,11 +1720,7 @@
 
     /* maybe append Connection: keep-alive */
     if (flags.keepalive) {
-        if (flags.proxying) {
-            hdr_out->putStr(HDR_PROXY_CONNECTION, "keep-alive");
-        } else {
-            hdr_out->putStr(HDR_CONNECTION, "keep-alive");
-        }
+        hdr_out->putStr(HDR_CONNECTION, "keep-alive");
     }
 
     /* append Front-End-Https */
@@ -1870,12 +1866,13 @@
 
         break;
 
-    case HDR_PROXY_CONNECTION:
+    case HDR_PROXY_CONNECTION: // SHOULD ignore. But doing so breaks things.
+        break;
 
     case HDR_X_FORWARDED_FOR:
 
     case HDR_CACHE_CONTROL:
-        /** \par Proxy-Connaction:, X-Forwarded-For:, Cache-Control:
+        /** \par X-Forwarded-For:, Cache-Control:
          * handled specially by Squid, so leave off for now.
          * append these after the loop if needed */
         break;
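Review bot: The comment on the new `case HDR_PROXY_CONNECTION:` — `// SHOULD ignore. But doing so breaks things.` — does not say which behaviour the following `break;` implements, the "ignore" or the workaround. Judging by the neighbouring comment (headers that `break` here are left off the outgoing request), the header is being dropped rather than passed through as an unknown header. If that is the intent, `case HDR_PROXY_CONNECTION: // not forwarded: passing it on like any unknown header breaks things` removes the ambiguity. The `switch` starts and ends outside the hunk.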
diff -u -r -N squid-3.1.6/src/HttpHdrCc.cc squid-3.1.7/src/HttpHdrCc.cc
--- squid-3.1.6/src/HttpHdrCc.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/HttpHdrCc.cc	2010-08-24 17:41:27.000000000 +1200
@@ -138,18 +138,17 @@
             type = CC_OTHER;
         }
 
+        // ignore known duplicate directives
         if (EBIT_TEST(cc->mask, type)) {
-            if (type != CC_OTHER)
+            if (type != CC_OTHER) {
                 debugs(65, 2, "hdr cc: ignoring duplicate cache-directive: near '" << item << "' in '" << str << "'");
-
-            CcFieldsInfo[type].stat.repCount++;
-
-            continue;
+                CcFieldsInfo[type].stat.repCount++;
+                continue;
+            }
+        } else {
+            EBIT_SET(cc->mask, type);
         }
 
-        /* update mask */
-        EBIT_SET(cc->mask, type);
-
         /* post-processing special cases */
         switch (type) {
 
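Review bot: The new nested `if`/`else` can be one guard, because setting an already-set mask bit is a no-op: `if (type != CC_OTHER && EBIT_TEST(cc->mask, type)) { … repCount++; continue; }` followed by an unconditional `EBIT_SET(cc->mask, type);`. The comment `// ignore known duplicate directives` would also do well to state the other half of the change: a repeated unknown directive now falls through to the post-processing `switch`, and `stat.repCount` is no longer incremented for `CC_OTHER`. The loop and the `switch` continue outside the hunk.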
diff -u -r -N squid-3.1.6/src/HttpHdrRange.cc squid-3.1.7/src/HttpHdrRange.cc
--- squid-3.1.6/src/HttpHdrRange.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/HttpHdrRange.cc	2010-08-24 17:41:27.000000000 +1200
@@ -98,7 +98,7 @@
     } else
         /* must have a '-' somewhere in _this_ field */
         if (!((p = strchr(field, '-')) || (p - field >= flen))) {
-            debugs(64, 2, "ignoring invalid (missing '-') range-spec near: '" << field << "'");
+            debugs(64, 2, "invalid (missing '-') range-spec near: '" << field << "'");
             return false;
         } else {
             if (!httpHeaderParseOffset(field, &offset))
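Review bot: The context line `if (!((p = strchr(field, '-')) || (p - field >= flen)))` does not enforce what the comment above it says. When `strchr` finds a '-', the `||` short-circuits and the bounds test never runs, so a '-' lying beyond `flen` is accepted (possible if `field` is not terminated at `flen`, which this hunk does not show); when it finds none, `p - field` is computed from a null pointer. Since this release tightens Range validation, the parentheses are worth fixing in the same pass: `if (!(p = strchr(field, '-')) || (p - field >= flen)) {`. The enclosing function starts above the hunk and continues into the next one.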
@@ -113,18 +113,18 @@
                 if (!httpHeaderParseOffset(p, &last_pos))
                     return false;
 
+                // RFC 2616 s14.35.1 MUST: last-byte-pos >= first-byte-pos
+                if (last_pos < offset) {
+                    debugs(64, 2, "invalid (last-byte-pos < first-byte-pos) range-spec near: " << field);
+                    return false;
+                }
+
                 HttpHdrRangeSpec::HttpRange aSpec (offset, last_pos + 1);
 
                 length = aSpec.size();
             }
         }
 
-    /* we managed to parse, check if the result makes sence */
-    if (length == 0) {
-        debugs(64, 2, "ignoring invalid (zero length) range-spec near: '" << field << "'");
-        return false;
-    }
-
     return true;
 }
 
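Review bot: Dropping the `length == 0` rejection at the end of the function removes the only check that covered every branch. The new `last_pos < offset` test protects the first-pos/last-pos form, but the branch above the hunk (not visible here; presumably the suffix form) may still produce a zero length that is now returned as valid. If later range handling assumes non-empty specs, keep `if (length == 0) return false;` in that branch. `last_pos + 1` is also computed without an upper bound visible in this hunk, so it relies on `httpHeaderParseOffset` rejecting values at the top of the offset type's range.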
@@ -248,7 +248,6 @@
     const char *item;
     const char *pos = NULL;
     int ilen;
-    int count = 0;
     assert(this && range_spec);
     ++ParsedCount;
     debugs(64, 8, "parsing range field: '" << range_spec << "'");
@@ -264,19 +263,21 @@
     while (strListGetItem(range_spec, ',', &item, &ilen, &pos)) {
         HttpHdrRangeSpec *spec = HttpHdrRangeSpec::Create(item, ilen);
         /*
-         * HTTP/1.1 draft says we must ignore the whole header field if one spec
-         * is invalid. However, RFC 2068 just says that we must ignore that spec.
+         * RFC 2616 section 14.35.1: MUST ignore Range with
+         * at least one syntactically invalid byte-range-specs.
          */
+        if (!spec) {
+            while (!specs.empty())
+                delete specs.pop_back();
+            debugs(64, 2, "ignoring invalid range field: '" << range_spec << "'");
+            break;
+        }
 
-        if (spec)
-            specs.push_back(spec);
-
-        ++count;
+        specs.push_back(spec);
     }
 
-    debugs(64, 8, "parsed range range count: " << count << ", kept " <<
-           specs.size());
-    return specs.count != 0;
+    debugs(64, 8, "got range specs: " << specs.size());
+    return !specs.empty();
 }
 
 HttpHdrRange::~HttpHdrRange()
diff -u -r -N squid-3.1.6/src/HttpHeaderTools.cc squid-3.1.7/src/HttpHeaderTools.cc
--- squid-3.1.6/src/HttpHeaderTools.cc	2010-08-02 02:01:39.000000000 +1200
+++ squid-3.1.7/src/HttpHeaderTools.cc	2010-08-24 17:41:25.000000000 +1200
@@ -145,18 +145,18 @@
 httpHeaderHasConnDir(const HttpHeader * hdr, const char *directive)
 {
     String list;
-    http_hdr_type ht;
     int res;
     /* what type of header do we have? */
 
+#if HTTP_VIOLATIONS
     if (hdr->has(HDR_PROXY_CONNECTION))
-        ht = HDR_PROXY_CONNECTION;
-    else if (hdr->has(HDR_CONNECTION))
-        ht = HDR_CONNECTION;
+        list = hdr->getList(HDR_PROXY_CONNECTION);
     else
-        return 0;
-
-    list = hdr->getList(ht);
+#endif
+        if (hdr->has(HDR_CONNECTION))
+            list = hdr->getList(HDR_CONNECTION);
+        else
+            return 0;
 
     res = strListIsMember(&list, directive, ',');
 
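Review bot: The `else` left dangling before `#endif` makes `if (hdr->has(HDR_CONNECTION))` either an else-branch or a top-level statement depending on HTTP_VIOLATIONS, which is easy to break in a later edit and is why the second `if` had to be indented one level deeper. Selecting the header id first and doing a single has()/getList() pair gives the same behaviour with straight-line control flow; it keeps the `http_hdr_type ht` local that this hunk removes. A one-line comment saying that Proxy-Connection is honoured only in HTTP_VIOLATIONS builds would also help the next reader. The function continues past the end of the hunk.

```cpp
    // Proxy-Connection is only honoured in HTTP_VIOLATIONS builds.
    http_hdr_type ht = HDR_CONNECTION;
#if HTTP_VIOLATIONS
    if (hdr->has(HDR_PROXY_CONNECTION))
        ht = HDR_PROXY_CONNECTION;
#endif
    if (!hdr->has(ht))
        return 0;

    list = hdr->getList(ht);
    // … unchanged: strListIsMember() lookup …
```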
diff -u -r -N squid-3.1.6/src/ip/IpAddress.h squid-3.1.7/src/ip/IpAddress.h
--- squid-3.1.6/src/ip/IpAddress.h	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/ip/IpAddress.h	2010-08-24 17:41:27.000000000 +1200
@@ -238,7 +238,7 @@
      \param force (optional) require the IPA in a specific format.
      \return pointer to buffer received.
      */
-    char* NtoA(char *buf, unsigned int len, int force = AF_UNSPEC) const;
+    char* NtoA(char *buf, const unsigned int blen, int force = AF_UNSPEC) const;
 
     /** Return the ASCII equivalent of the address:port combination
      *  Provides a URL formatted version of the content.
diff -u -r -N squid-3.1.6/src/ip/tools.cc squid-3.1.7/src/ip/tools.cc
--- squid-3.1.6/src/ip/tools.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/ip/tools.cc	2010-08-24 17:41:27.000000000 +1200
@@ -34,6 +34,9 @@
 #include "Debug.h"
 #include "ip/tools.h"
 
+#if HAVE_UNISTD_H
+#include <unistd.h>
+#endif
 #if HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
@@ -59,6 +62,8 @@
     }
 
     // Test for v4-mapping capability
+    // (AKA. the operating system supports RFC 3493 section 5.3)
+#if defined(IPV6_V6ONLY)
     int tos = 0;
     if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (char *) &tos, sizeof(int)) == 0) {
         debugs(3, 2, "Detected IPv6 hybrid or v4-mapping stack...");
@@ -67,6 +72,12 @@
         debugs(3, 2, "Detected split IPv4 and IPv6 stacks ...");
         EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK;
     }
+#else
+    // compliance here means they at least supply the option for compilers building code
+    // even if possibly to return hard-coded -1 on use.
+    debugs(3, 2, "Missing RFC 3493 compliance - attempting split IPv4 and IPv6 stacks ...");
+    EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK;
+#endif
     close(s);
 
     debugs(3, 2, "IPv6 transport " << (EnableIpv6?"Enabled":"Disabled"));
diff -u -r -N squid-3.1.6/src/Makefile.am squid-3.1.7/src/Makefile.am
--- squid-3.1.6/src/Makefile.am	2010-08-02 02:01:39.000000000 +1200
+++ squid-3.1.7/src/Makefile.am	2010-08-24 17:41:26.000000000 +1200
@@ -558,7 +558,7 @@
 
 unlinkd_SOURCES = unlinkd_daemon.cc SquidNew.cc
 
-dnsserver_SOURCES = dnsserver.cc SquidNew.cc
+dnsserver_SOURCES = dnsserver.cc SquidNew.cc stub_debug.cc
 recv_announce_SOURCES = recv-announce.cc SquidNew.cc
 
 ## What requires what..
diff -u -r -N squid-3.1.6/src/Makefile.in squid-3.1.7/src/Makefile.in
--- squid-3.1.6/src/Makefile.in	2010-08-02 02:02:37.000000000 +1200
+++ squid-3.1.7/src/Makefile.in	2010-08-24 17:42:37.000000000 +1200
@@ -151,7 +151,8 @@
 cf_gen_OBJECTS = $(am_cf_gen_OBJECTS)
 cf_gen_DEPENDENCIES = ../compat/libcompat.la $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
-am_dnsserver_OBJECTS = dnsserver.$(OBJEXT) SquidNew.$(OBJEXT)
+am_dnsserver_OBJECTS = dnsserver.$(OBJEXT) SquidNew.$(OBJEXT) \
+	stub_debug.$(OBJEXT)
 dnsserver_OBJECTS = $(am_dnsserver_OBJECTS)
 dnsserver_LDADD = $(LDADD)
 dnsserver_DEPENDENCIES = $(COMMON_LIBS) $(am__DEPENDENCIES_1) \
@@ -1833,7 +1834,7 @@
 #         -all-static -dlopen self
 #
 unlinkd_SOURCES = unlinkd_daemon.cc SquidNew.cc
-dnsserver_SOURCES = dnsserver.cc SquidNew.cc
+dnsserver_SOURCES = dnsserver.cc SquidNew.cc stub_debug.cc
 recv_announce_SOURCES = recv-announce.cc SquidNew.cc
 ufsdump_SOURCES = \
 	ClientInfo.h \
@@ -3971,6 +3972,7 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store_swapmeta.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store_swapout.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string_arrays.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stub_debug.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_tools.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tools.Po@am__quote@
diff -u -r -N squid-3.1.6/src/neighbors.cc squid-3.1.7/src/neighbors.cc
--- squid-3.1.6/src/neighbors.cc	2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/neighbors.cc	2010-08-24 17:41:27.000000000 +1200
@@ -46,6 +46,7 @@
 #include "Store.h"
 #include "icmp/net_db.h"
 #include "ip/IpAddress.h"
+#include "ip/tools.h"
 
 /* count mcast group peers every 15 minutes */
 #define MCAST_COUNT_RATE 900
@@ -1387,6 +1388,20 @@
 
     IpAddress temp(getOutgoingAddr(NULL,p));
 
+    // if IPv6 is disabled try to force IPv4-only outgoing.
+    if (!Ip::EnableIpv6 && !temp.SetIPv4()) {
+        debugs(50, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Failed to use " << temp << " to probe " << p->host);
+        return ret;
+    }
+
+    // if IPv6 is split-stack, prefer IPv4
+    if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) {
+        // NP: This is not a great choice of default,
+        // but with the current Internet being IPv4-majority has a higher success rate.
+        // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing.
+        temp.SetIPv4();
+    }
+
     fd = comm_open(SOCK_STREAM, IPPROTO_TCP, temp, COMM_NONBLOCKING, p->host);
 
     if (fd < 0)
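Review bot: The two added blocks (force IPv4 when `Ip::EnableIpv6` is zero, prefer IPv4 on split-stack) are repeated almost line for line in the src/tunnel.cc hunk of this diff, with only the failure handling differing. A single helper declared in ip/tools.h, taking the outgoing IpAddress and returning false when IPv4 is required but SetIPv4() fails, would keep the address-family policy in one place so that a later outgoing-connection path cannot miss it. The failure is logged at DBG_IMPORTANT here but at level 4 in tunnel.cc; if this function runs on a timer for each dead peer (not visible in the hunk), the message will repeat on every probe. `Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK` would read better with spaces around `&`. The enclosing function starts and ends outside the hunk.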
diff -u -r -N squid-3.1.6/src/tools.cc squid-3.1.7/src/tools.cc
--- squid-3.1.6/src/tools.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/tools.cc	2010-08-24 17:41:27.000000000 +1200
@@ -627,43 +627,42 @@
         }
 
         sa.FreeAddrInfo(AI);
-        debugs(50, 1, "WARNING: failed to resolve " << sa << " to a fully qualified hostname");
-    } else {
-        if (gethostname(host, SQUIDHOSTNAMELEN) < 0) {
-            debugs(50, 1, "WARNING: gethostname failed: " << xstrerror());
-        } else {
-            /* Verify that the hostname given resolves properly */
-            struct addrinfo hints;
-            memset(&hints, 0, sizeof(addrinfo));
-            hints.ai_flags = AI_CANONNAME;
-
-            if (xgetaddrinfo(host, NULL, NULL, &AI) == 0) {
-                /* DNS lookup successful */
-                /* use the official name from DNS lookup */
-                debugs(50, 6, "getMyHostname: '" << host << "' has rDNS.");
-                present = 1;
-
-                /* AYJ: do we want to flag AI_ALL and cache the result anywhere. ie as our local host IPs? */
-                if (AI) {
-                    xfreeaddrinfo(AI);
-                    AI = NULL;
-                }
+        debugs(50, 2, "WARNING: failed to resolve " << sa << " to a fully qualified hostname");
+    }
 
-                return host;
+    // still no host. fallback to gethostname()
+    if (gethostname(host, SQUIDHOSTNAMELEN) < 0) {
+        debugs(50, DBG_IMPORTANT, "WARNING: gethostname failed: " << xstrerror());
+    } else {
+        /* Verify that the hostname given resolves properly */
+        struct addrinfo hints;
+        memset(&hints, 0, sizeof(addrinfo));
+        hints.ai_flags = AI_CANONNAME;
+
+        if (xgetaddrinfo(host, NULL, NULL, &AI) == 0) {
+            /* DNS lookup successful */
+            /* use the official name from DNS lookup */
+            debugs(50, 6, "getMyHostname: '" << host << "' has DNS resolution.");
+            present = 1;
+
+            /* AYJ: do we want to flag AI_ALL and cache the result anywhere. ie as our local host IPs? */
+            if (AI) {
+                xfreeaddrinfo(AI);
+                AI = NULL;
             }
 
-            if (AI) xfreeaddrinfo(AI);
-            debugs(50, 1, "WARNING: '" << host << "' rDNS test failed: " << xstrerror());
+            return host;
         }
+
+        if (AI) freeaddrinfo(AI);
+        debugs(50, DBG_IMPORTANT, "WARNING: '" << host << "' rDNS test failed: " << xstrerror());
     }
 
-    /* throw a fatal configuration error when the Host/IP given has bad DNS/rDNS. */
-    if (opt_send_signal == -1)
-        fatal("Could not determine fully qualified hostname.  Please set 'visible_hostname'\n");
-    else
-        return ("localhost");
+    /* throw a configuration error when the Host/IP given has bad DNS/rDNS. */
+    debugs(50, DBG_CRITICAL, "WARNING: Could not determine this machines public hostname. " <<
+           "Please configure one or set 'visible_hostname'.");
 
-    return NULL;		/* keep compiler happy */
+    return ("localhost");
 }
 
 const char *
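Review bot: The added failure path releases the result with `if (AI) freeaddrinfo(AI);` while the lookup and the success path use the `xgetaddrinfo`/`xfreeaddrinfo` pair. If those wrappers are Squid's own implementation on some platforms, this hands their allocation to the system routine, so the line should stay `if (AI) xfreeaddrinfo(AI);` as it was before the move. In the same re-indented block `hints` is filled in with AI_CANONNAME, but `xgetaddrinfo(host, NULL, NULL, &AI)` passes NULL where the hints pointer would go (assuming the wrapper mirrors getaddrinfo's argument order), so the flag has no effect; pass `&hints` or drop the three lines. Since the function now returns "localhost" instead of calling fatal(), a comment on what callers do with that placeholder name would help. The function starts outside the hunk.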
diff -u -r -N squid-3.1.6/src/tunnel.cc squid-3.1.7/src/tunnel.cc
--- squid-3.1.6/src/tunnel.cc	2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/tunnel.cc	2010-08-24 17:41:26.000000000 +1200
@@ -46,6 +46,7 @@
 #include "client_side.h"
 #include "MemBuf.h"
 #include "http.h"
+#include "ip/tools.h"
 
 class TunnelStateData
 {
@@ -641,6 +642,24 @@
     statCounter.server.other.requests++;
     /* Create socket. */
     IpAddress temp = getOutgoingAddr(request,NULL);
+
+    // if IPv6 is disabled try to force IPv4-only outgoing.
+    if (!Ip::EnableIpv6 && !temp.SetIPv4()) {
+        debugs(50, 4, "tunnelStart: IPv6 is Disabled. Tunnel failed from " << temp);
+        ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request);
+        anErr->xerrno = EAFNOSUPPORT;
+        errorSend(fd, anErr);
+        return;
+    }
+
+    // if IPv6 is split-stack, prefer IPv4
+    if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) {
+        // NP: This is not a great choice of default,
+        // but with the current Internet being IPv4-majority has a higher success rate.
+        // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing.
+        temp.SetIPv4();
+    }
+
     int flags = COMM_NONBLOCKING;
     if (request->flags.spoof_client_ip) {
         flags |= COMM_TRANSPARENT;
diff -u -r -N squid-3.1.6/tools/squidclient.cc squid-3.1.7/tools/squidclient.cc
--- squid-3.1.6/tools/squidclient.cc	2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/tools/squidclient.cc	2010-08-24 17:41:27.000000000 +1200
@@ -434,17 +434,11 @@
             strcat(msg, buf);
         }
 
-        /* HTTP/1.0 may need keep-alive */
-        if (strcmp(version, "1.0") == 0) {
-            if (keep_alive) {
-                if (strchr(url, ':')) {
-                    snprintf(buf, BUFSIZ, "Proxy-Connection: keep-alive\r\n");
-                    strcat(msg, buf);
-                } else
-                    strcat(msg, "Connection: keep-alive\r\n");
-            }
-        }
-        /* HTTP/1.1 may need close */
+        /* HTTP/1.0 may need keep-alive explicitly */
+        if (strcmp(version, "1.0") == 0 && keep_alive)
+            strcat(msg, "Connection: keep-alive\r\n");
+
+        /* HTTP/1.1 may need close explicitly */
         if (!keep_alive)
             strcat(msg, "Connection: close\r\n");
 
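Review bot: The added `strcat(msg, "Connection: keep-alive\r\n");` appends to msg with no check of the space left, like the strcat calls around it. msg's declaration and the earlier header-building code are outside this hunk, so whether the total is bounded cannot be confirmed from here. If msg is a fixed-size array, `strncat(msg, "Connection: keep-alive\r\n", sizeof(msg) - strlen(msg) - 1);` keeps the append inside the buffer. The same applies to the unchanged `Connection: close` line.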
