Problem with update of nettle to 4.0

Problem with update of nettle to 4.0

[Adolf Belka]

Hi all,

For information.

A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0

Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.

Many of those packages have already issued updated versions that now work with nettle-4.0

That is not the case with squid. Here we have a greater problem.

Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.

squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14

squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.

It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.

There also seems to be questions about squid-8.x and if it will have even more major changes to options.

squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd

I will try and see if any other packages we run have any linkage to nettle.

Regards,

Adolf.

Re: Problem with update of nettle to 4.0

[Michael Tremer]

Hello Adolf,

Thanks for looking into this.

I wasn’t quite aware how outdated we are on squid, so let’s change that.

I checked the code and there are exactly two places where nettle is being used:

  * The base64 encoder/decoder
    https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13

  * Some code to compute MD5 checksums
    https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13

Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.

Let me know if this helps.

All the best,
-Michael

> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi all,
> 
> For information.
> 
> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
> 
> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
> 
> Many of those packages have already issued updated versions that now work with nettle-4.0
> 
> That is not the case with squid. Here we have a greater problem.
> 
> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
> 
> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
> 
> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
> 
> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
> 
> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
> 
> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
> 
> I will try and see if any other packages we run have any linkage to nettle.
> 
> Regards,
> 
> Adolf.
> 

Re: Problem with update of nettle to 4.0

[Adolf Belka]

Hi Michael,

On 20/05/2026 17:32, Michael Tremer wrote:
> Hello Adolf,
> 
> Thanks for looking into this.
> 
> I wasn’t quite aware how outdated we are on squid, so let’s change that.

I think Matthias looked at updating squid from the 6.x to 7.x branch but felt uncomfortable with how to deal with some of the changes in that new branch.

Maybe we can both have a try and see what happens. Check if we can we make it work as expected. I will look back at the previous email chain on the discussion on moving to squid-7.x

> 
> I checked the code and there are exactly two places where nettle is being used:
> 
>    * The base64 encoder/decoder
>      https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
> 
>    * Some code to compute MD5 checksums
>      https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13

This was the bit where the build failed as it could not find MD5_DIGEST_SIZE. It could be that the base64 encoder/decoder might have been next in line.

> 
> Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.
> > Let me know if this helps.

I will try it and see. Everything before the squid build had no problems with nettle-4.0, I just need to see if there is anything still to come in the build tree. I will look at it when/if it comes.

Regards,

Adolf.

> 
> All the best,
> -Michael
> 
>> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi all,
>>
>> For information.
>>
>> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
>>
>> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
>>
>> Many of those packages have already issued updated versions that now work with nettle-4.0
>>
>> That is not the case with squid. Here we have a greater problem.
>>
>> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
>>
>> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
>>
>> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
>>
>> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
>>
>> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
>>
>> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
>>
>> I will try and see if any other packages we run have any linkage to nettle.
>>
>> Regards,
>>
>> Adolf.
>>
> 

Re: Problem with update of nettle to 4.0

[Michael Tremer]

Hello Adolf,

> On 20 May 2026, at 16:57, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi Michael,
> 
> On 20/05/2026 17:32, Michael Tremer wrote:
>> Hello Adolf,
>> Thanks for looking into this.
>> I wasn’t quite aware how outdated we are on squid, so let’s change that.
> 
> I think Matthias looked at updating squid from the 6.x to 7.x branch but felt uncomfortable with how to deal with some of the changes in that new branch.
> 
> Maybe we can both have a try and see what happens. Check if we can we make it work as expected. I will look back at the previous email chain on the discussion on moving to squid-7.x

Yes, please. If there is a number of items that need work in our scripting, tooling or UI, please create an umbrella ticket and create tickets for individual tasks so that we can assign them and share the load amongst several shoulders.

>> I checked the code and there are exactly two places where nettle is being used:
>>   * The base64 encoder/decoder
>>     https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
>>   * Some code to compute MD5 checksums
>>     https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
> 
> This was the bit where the build failed as it could not find MD5_DIGEST_SIZE. It could be that the base64 encoder/decoder might have been next in line.
> 
>> Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.
>> > Let me know if this helps.
> 
> I will try it and see. Everything before the squid build had no problems with nettle-4.0, I just need to see if there is anything still to come in the build tree. I will look at it when/if it comes.
> 
> Regards,
> 
> Adolf.
> 
>> All the best,
>> -Michael
>>> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>> 
>>> Hi all,
>>> 
>>> For information.
>>> 
>>> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
>>> 
>>> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
>>> 
>>> Many of those packages have already issued updated versions that now work with nettle-4.0
>>> 
>>> That is not the case with squid. Here we have a greater problem.
>>> 
>>> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
>>> 
>>> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
>>> 
>>> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
>>> 
>>> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
>>> 
>>> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
>>> 
>>> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
>>> 
>>> I will try and see if any other packages we run have any linkage to nettle.
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
> 
> 

Re: Problem with update of nettle to 4.0

[Matthias Fischer]

Hi,

On 20.05.2026 17:57, Adolf Belka wrote:
> Hi Michael,
> 
> On 20/05/2026 17:32, Michael Tremer wrote:
>> Hello Adolf,
>> 
>> Thanks for looking into this.
>> 
>> I wasn’t quite aware how outdated we are on squid, so let’s change that.
> 
> I think Matthias looked at updating squid from the 6.x to 7.x branch but felt uncomfortable with how to deal with some of the changes in that new branch.

I'm watching  - and yes, I'm feeling very uncomfortable with these v7.x
changes. ;-))

But I got 'squid 7.xx' running without seen problems - currently v7.5
with Core 201. But I was in fact "very unpleased" with the various
changes which came with v7.0.1.

A lot of features were removed - Ident protocol support, cache object
protocol support, 'cachemgr.cgi' tool, just to name a few. Because of
these changes, the ‘proxy.cgi’ file should to be revised in a few
places. And this was a job I avoided until now, I just hadn't the
nerves. I took a look at the code and wasn't sure which parts should be
removed and which parts need to stay. So I didn't touch the CGI, crossed
my fingers and started 'squid 7.5'. It works.
> Maybe we can both have a try and see what happens. Check if we can we make it work as expected. I will look back at the previous email chain on the discussion on moving to squid-7.x

Yep. We can try this together. At the moment I'm only unsure which parts
 of 'proxy.cgi' must be removed and which have to stay. The whole thing
is currently running - I use only the basic squid functions without any
authentication. With a few changes I even got 'privoxy 4.1.0' running.

First thing I could do (e.g.) is trying to get 'squid 7.5' compiling and
running without nettle support as you wrote below. Would that help as a
first step?

Best
Matthias

>> I checked the code and there are exactly two places where nettle is being used:
>> 
>>    * The base64 encoder/decoder
>>      https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
>> 
>>    * Some code to compute MD5 checksums
>>      https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
> 
> This was the bit where the build failed as it could not find MD5_DIGEST_SIZE. It could be that the base64 encoder/decoder might have been next in line.
> 
>> 
>> Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.
>> > Let me know if this helps.
> 
> I will try it and see. Everything before the squid build had no problems with nettle-4.0, I just need to see if there is anything still to come in the build tree. I will look at it when/if it comes.
> 
> Regards,
> 
> Adolf.
> 
>> 
>> All the best,
>> -Michael
>> 
>>> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> Hi all,
>>>
>>> For information.
>>>
>>> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
>>>
>>> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
>>>
>>> Many of those packages have already issued updated versions that now work with nettle-4.0
>>>
>>> That is not the case with squid. Here we have a greater problem.
>>>
>>> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
>>>
>>> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
>>>
>>> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
>>>
>>> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
>>>
>>> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
>>>
>>> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
>>>
>>> I will try and see if any other packages we run have any linkage to nettle.
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>> 
> 
> 

Re: Problem with update of nettle to 4.0

[Matthias Fischer]

On 20.05.2026 17:59, Michael Tremer wrote:
> Hello Adolf,

FYI - currently running:

'squid 7.5'
Added:
'--without-nettle'

Removed:
'--disable-esi'
'--enable-ident-lookups'
'cachemgr'-entries

Updates -> The Devels are running:
'unbound 1.25.1', 'rrdtool 1.10.2', 'bind 9.20.23'

;-)

Best
Matthias
>> On 20 May 2026, at 16:57, Adolf Belka <adolf.belka@ipfire.org> wrote:
>> 
>> Hi Michael,
>> 
>> On 20/05/2026 17:32, Michael Tremer wrote:
>>> Hello Adolf,
>>> Thanks for looking into this.
>>> I wasn’t quite aware how outdated we are on squid, so let’s change that.
>> 
>> I think Matthias looked at updating squid from the 6.x to 7.x branch but felt uncomfortable with how to deal with some of the changes in that new branch.
>> 
>> Maybe we can both have a try and see what happens. Check if we can we make it work as expected. I will look back at the previous email chain on the discussion on moving to squid-7.x
> 
> Yes, please. If there is a number of items that need work in our scripting, tooling or UI, please create an umbrella ticket and create tickets for individual tasks so that we can assign them and share the load amongst several shoulders.
> 
>>> I checked the code and there are exactly two places where nettle is being used:
>>>   * The base64 encoder/decoder
>>>     https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
>>>   * Some code to compute MD5 checksums
>>>     https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
>> 
>> This was the bit where the build failed as it could not find MD5_DIGEST_SIZE. It could be that the base64 encoder/decoder might have been next in line.
>> 
>>> Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.
>>> > Let me know if this helps.
>> 
>> I will try it and see. Everything before the squid build had no problems with nettle-4.0, I just need to see if there is anything still to come in the build tree. I will look at it when/if it comes.
>> 
>> Regards,
>> 
>> Adolf.
>> 
>>> All the best,
>>> -Michael
>>>> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>> 
>>>> Hi all,
>>>> 
>>>> For information.
>>>> 
>>>> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
>>>> 
>>>> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
>>>> 
>>>> Many of those packages have already issued updated versions that now work with nettle-4.0
>>>> 
>>>> That is not the case with squid. Here we have a greater problem.
>>>> 
>>>> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
>>>> 
>>>> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
>>>> 
>>>> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
>>>> 
>>>> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
>>>> 
>>>> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
>>>> 
>>>> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
>>>> 
>>>> I will try and see if any other packages we run have any linkage to nettle.
>>>> 
>>>> Regards,
>>>> 
>>>> Adolf.
>>>> 
>> 
>> 
> 
> 

Re: Problem with update of nettle to 4.0

[Adolf Belka]

Hi Matthias,

On 20/05/2026 19:36, Matthias Fischer wrote:
> Hi,
> 
> On 20.05.2026 17:57, Adolf Belka wrote:
>> Hi Michael,
>>
>> On 20/05/2026 17:32, Michael Tremer wrote:
>>> Hello Adolf,
>>>
>>> Thanks for looking into this.
>>>
>>> I wasn’t quite aware how outdated we are on squid, so let’s change that.
>>
>> I think Matthias looked at updating squid from the 6.x to 7.x branch but felt uncomfortable with how to deal with some of the changes in that new branch.
> 
> I'm watching  - and yes, I'm feeling very uncomfortable with these v7.x
> changes. ;-))
> 
> But I got 'squid 7.xx' running without seen problems - currently v7.5
> with Core 201. But I was in fact "very unpleased" with the various
> changes which came with v7.0.1.
> 
> A lot of features were removed - Ident protocol support, cache object
> protocol support, 'cachemgr.cgi' tool, just to name a few. Because of
> these changes, the ‘proxy.cgi’ file should to be revised in a few
> places. And this was a job I avoided until now, I just hadn't the
> nerves. I took a look at the code and wasn't sure which parts should be
> removed and which parts need to stay. So I didn't touch the CGI, crossed
> my fingers and started 'squid 7.5'. It works.
>> Maybe we can both have a try and see what happens. Check if we can we make it work as expected. I will look back at the previous email chain on the discussion on moving to squid-7.x
> 
> Yep. We can try this together. At the moment I'm only unsure which parts
>   of 'proxy.cgi' must be removed and which have to stay. The whole thing
> is currently running - I use only the basic squid functions without any
> authentication. With a few changes I even got 'privoxy 4.1.0' running.
> 
> First thing I could do (e.g.) is trying to get 'squid 7.5' compiling and
> running without nettle support as you wrote below. Would that help as a
> first step?

I think that is a good approach. You did the previous evaluation of squid.7.x so you can take this as far as you feel comfortable taking it and I can then have a look at the things you are unsure about and if there are things neither of us are sure how to approach then we ask the other devs for their help.

Good luck and I will wait to hear your feedback.

Regards,

Adolf.

> 
> Best
> Matthias
> 
>>> I checked the code and there are exactly two places where nettle is being used:
>>>
>>>     * The base64 encoder/decoder
>>>       https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/base64.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
>>>
>>>     * Some code to compute MD5 checksums
>>>       https://git.ipfire.org/?p=thirdparty/squid.git;a=blob;f=include/md5.h;hb=5c1d937d2068e4861f206884cebb02d2958d3563#l13
>>
>> This was the bit where the build failed as it could not find MD5_DIGEST_SIZE. It could be that the base64 encoder/decoder might have been next in line.
>>
>>>
>>> Both have an alternative implementation, so it is absolutely safe for us to build squid with --without-nettle. That way we won’t be held back until they have agreed on a unified API.
>>>> Let me know if this helps.
>>
>> I will try it and see. Everything before the squid build had no problems with nettle-4.0, I just need to see if there is anything still to come in the build tree. I will look at it when/if it comes.
>>
>> Regards,
>>
>> Adolf.
>>
>>>
>>> All the best,
>>> -Michael
>>>
>>>> On 20 May 2026, at 13:47, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> For information.
>>>>
>>>> A new nettle version has come out. Our old version was 3.10.2 and the new one is 4.0
>>>>
>>>> Unfortunately nettle-4.0 has a new API/ABI and several packages that use nettle have found that it won't build for them.
>>>>
>>>> Many of those packages have already issued updated versions that now work with nettle-4.0
>>>>
>>>> That is not the case with squid. Here we have a greater problem.
>>>>
>>>> Currently we are on squid-6.14 and the current release is squid-7.5. squid-6.14 fails to build with nettle-4.0 as there are changes in various variables/parameters.
>>>>
>>>> squid-7.5 does not yet have any fix for the nettle API/ABI changes. I did find some discussion on it in the Pull Requests section but there seems to be some disagreement between various of the squid contributors which seems to be blocking anything being accepted. It is also not clear if that pull request would fix the error that I found in my build with squid-6.14
>>>>
>>>> squid has not been updated to the 7.x branch in IPFire because there were a lot of significant changes in it which would require some re-write of our web proxy code.
>>>>
>>>> It is probably worth noting that squid-6.14 stopped getting any security support in July 2025.
>>>>
>>>> There also seems to be questions about squid-8.x and if it will have even more major changes to options.
>>>>
>>>> squid typically is having a two year cycle on their major branch changes and so the expectation is that squid-7.x will go EOL somewhere around July 2027 with squid-8.x having beta status in Feb 2027 and stable declaration in July 2027 when 7.x is EOL'd
>>>>
>>>> I will try and see if any other packages we run have any linkage to nettle.
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>
>>
>>
> 
>