Diffstat (limited to 'nixpkgs/nixos/modules/security/ca.nix')
-rw-r--r--nixpkgs/nixos/modules/security/ca.nix14
1 files changed, 13 insertions, 1 deletions
diff --git a/nixpkgs/nixos/modules/security/ca.nix b/nixpkgs/nixos/modules/security/ca.nix
index 3cd56bff04d1..ae188ea709dd 100644
--- a/nixpkgs/nixos/modules/security/ca.nix
+++ b/nixpkgs/nixos/modules/security/ca.nix
@@ -11,7 +11,8 @@ let
     extraCertificateFiles = cfg.certificateFiles;
     extraCertificateStrings = cfg.certificates;
   };
-  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
+  caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
+  caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
 
 in
 
@@ -23,6 +24,17 @@ in
       internal = true;
     };
 
+    security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
+
+      Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+      which is a OpenSSL specific PEM format.
+
+      It is known to be incompatible with certain software stacks.
+
+      Nevertheless, enabling this will strip all additional trust rules provided by the
+      certificates themselves, this can have security consequences depending on your usecases.
+    '';
+
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
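Review bot: The option description at lines L28–L37 understates what is lost when the compatibility bundle is selected: a `BEGIN TRUSTED CERTIFICATE` block carries OpenSSL trust attributes (permitted and rejected purposes, e.g. a CA trusted only for code signing or explicitly distrusted for TLS server auth), so dropping them does not merely remove "additional" rules but promotes every CA in the bundle to unrestricted trust for all purposes. I would say so explicitly, e.g. `Enabling this drops the per-certificate trust attributes, so every CA in the bundle becomes trusted for all purposes (including TLS server auth) regardless of the restrictions the upstream store applies to it.` The wording also has grammar and logic slips worth fixing in the same pass: `consist` → `consists`, `a OpenSSL specific` → `an OpenSSL-specific`, the subject of `It is known to be incompatible` should be the `BEGIN TRUSTED CERTIFICATE` format rather than the compatibility bundle, and `Nevertheless` should be `Note that`, since the security caveat does not contrast with the preceding sentence. Finally, the description is passed to `mkEnableOption`, which prefixes it with "Whether to enable "; a long multi-paragraph text reads awkwardly after that prefix, so consider a short first line (`compatibility CA bundle without OpenSSL trust rules.`) with the rest in `mkOption { description = …; }` if the module style allows it. The existence of `ca-no-trust-rules-bundle.crt` in the cacert package (L19) cannot be confirmed from this hunk and should be checked against the package definition.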