authorRaito Bezarius <masterancpp@gmail.com>2024-02-07 02:04:56 +0100
committerRaito Bezarius <masterancpp@gmail.com>2024-02-11 17:51:00 +0100
commit19159a234916d7169e15d267e6ee1c9462790319 (patch)
treeaf0051fe65f0bab2197f007a25c16801503a5c36 /nixos/modules/security
parentaf70ce2c476e9de57172e6c95617e43e0df62266 (diff)
nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL non-standard PEM format and will fail to use
our NixOS CA bundle.

For this, it is necessary to fall back on a 'compatibility' bundle which contains no additional
trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/ca.nix14
1 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 3cd56bff04d1..ae188ea709dd 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -11,7 +11,8 @@ let
     extraCertificateFiles = cfg.certificateFiles;
     extraCertificateStrings = cfg.certificates;
   };
-  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
+  caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
+  caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
 
 in
 
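Review bot: The new `caBundle` binding is a plain string interpolation, so if the selected `cacertPackage` does not actually ship `ca-no-trust-rules-bundle.crt`, nothing fails at evaluation or build time; consumers of `caBundle` only discover the missing file at runtime, with TLS verification failing in whatever tool reads it. `cacertPackage` appears to be built from `cfg.certificateFiles` and `cfg.certificates` just above (its definition and the enclosing `let` start outside the hunk), so this is presumably the stock cacert derivation and the file is expected to exist, but the dependency is implicit. A short comment on the `caBundleName` line would make the contract visible, e.g. `# requires the cacert package to provide ca-no-trust-rules-bundle.crt`, or an `assertions` entry that checks for the file when `cfg.useCompatibleBundle` is set.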
@@ -23,6 +24,17 @@ in
       internal = true;
     };
 
+    security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
+
+      Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+      which is a OpenSSL specific PEM format.
+
+      It is known to be incompatible with certain software stacks.
+
+      Nevertheless, enabling this will strip all additional trust rules provided by the
+      certificates themselves, this can have security consequences depending on your usecases.
+    '';
+
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
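Review bot: The option description for `security.pki.useCompatibleBundle` is ambiguous about what is incompatible: after the sentence on `BEGIN TRUSTED CERTIFICATE`, "It is known to be incompatible with certain software stacks" reads as if the compatibility bundle itself is the incompatible one, when the intent (per the commit message) is that the OpenSSL-specific trusted-certificate format is. It also has grammar slips ("consist", "a OpenSSL specific"). I would reword the middle of the description to: `Such a bundle consists exclusively of BEGIN CERTIFICATE blocks and contains no BEGIN TRUSTED CERTIFICATE blocks, an OpenSSL-specific PEM format that is known to be incompatible with certain software stacks.` and the last sentence to: `Enabling this strips all additional trust rules carried by the certificates themselves, which can have security consequences depending on your use case.` so that an administrator reading the option alone understands both the reason to enable it and the trust-policy trade-off.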