author | Raito Bezarius <masterancpp@gmail.com> | 2024-02-07 02:04:56 +0100 |
---|---|---|
committer | Raito Bezarius <masterancpp@gmail.com> | 2024-02-11 17:51:00 +0100 |
commit | 19159a234916d7169e15d267e6ee1c9462790319 (patch) | |
tree | af0051fe65f0bab2197f007a25c16801503a5c36 /nixos/modules/security | |
parent | af70ce2c476e9de57172e6c95617e43e0df62266 (diff) | |
nixos/security/ca: enable support for compatibility bundles
Certain software stacks have no support for OpenSSL's non-standard PEM format and will fail to use our NixOS CA bundle. For this, it is necessary to fall back on a 'compatibility' bundle which will contain no additional trust rules.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/ca.nix | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 3cd56bff04d1..ae188ea709dd 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -11,7 +11,8 @@ let extraCertificateFiles = cfg.certificateFiles; extraCertificateStrings = cfg.certificates; }; - caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt"; + caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt"; + caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}"; in @@ -23,6 +24,17 @@ in internal = true; }; + security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle. + + Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`, + which is a OpenSSL specific PEM format. + + It is known to be incompatible with certain software stacks. + + Nevertheless, enabling this will strip all additional trust rules provided by the + certificates themselves, this can have security consequences depending on your usecases. + ''; + security.pki.certificateFiles = mkOption { type = types.listOf types.path; default = []; |
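Review bot: in the first hunk, `caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";` assumes that `cacertPackage` ships a `ca-no-trust-rules-bundle.crt` next to `ca-bundle.crt`, but nothing in this patch adds that file or checks for it, so if the cacert derivation in use does not produce it, enabling `security.pki.useCompatibleBundle` yields a dangling path that is only discovered when a client fails to load its trust store at runtime. Consider an `assertions` entry (or a build-time check in the cacert derivation) that the selected bundle exists, or reference the compatibility bundle through a package attribute instead of a bare filename string, so a misconfiguration fails at evaluation rather than in production.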
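Review bot: the option description in the second hunk has several wording errors that will be rendered verbatim in the manual: "Such a bundle consist exclusively" should read "consists", "which is a OpenSSL specific PEM format" should read "an OpenSSL-specific PEM format", and the last sentence is a comma splice ("... provided by the certificates themselves, this can have ...") with "usecases" for "use cases". Since the description is where an administrator decides whether the trade-off is acceptable, it should also state concretely what is lost: the `BEGIN TRUSTED CERTIFICATE` entries carry OpenSSL's per-certificate trust and reject attributes (the ones set with `openssl x509 -addtrust` / `-addreject`), so the compatibility bundle treats every listed CA as trusted for all purposes, including those the upstream store had restricted or rejected. Keeping the option default `false` (which `mkEnableOption` does) is the right choice given that consequence.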