authorEelco Dolstra <edolstra@gmail.com>2016-10-14 12:04:28 +0200
committerEelco Dolstra <edolstra@gmail.com>2016-10-14 12:06:10 +0200
commit942dbf89c6120cb5b52fb2ab456855d1fbf2994e (patch)
tree2abe1536e2d47fc0c8ace6da13dbea1de0f92ac8 /pkgs/development/libraries
parent027efec8798547c0e8cff7861680f9b95732c12d (diff)
openssl, curl, git: Respect $NIX_SSL_CERT_FILE
$NIX_SSL_CERT_FILE overrides $SSL_CERT_FILE, which in turn overrides
the default CA path (/etc/ssl/certs/ca-certificates.crt). This allows
Nix to set a CA path without interfering with other packages (such as
Homebrew).

See https://github.com/NixOS/nix/issues/921.
Diffstat (limited to 'pkgs/development/libraries')
-rw-r--r--pkgs/development/libraries/openssl/default.nix1
-rw-r--r--pkgs/development/libraries/openssl/nix-ssl-cert-file.patch15
2 files changed, 16 insertions, 0 deletions
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index ea89bb859e5f..6aefc8b79723 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -19,6 +19,7 @@ let
 
     patches =
       (args.patches or [])
+      ++ [ ./nix-ssl-cert-file.patch ]
       ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch
       ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
       ++ optional
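Review bot: The new `++ [ ./nix-ssl-cert-file.patch ]` entry is applied to every OpenSSL version built from this expression, but the patch itself was generated against openssl-1.0.2j. The next line gates `use-etc-ssl-certs.patch` on `versionOlder version "1.1.0"`, which suggests newer versions share this list, so it is worth confirming the hunk applies cleanly to their `crypto/x509/by_file.c` too. Since this changes which trust store every OpenSSL consumer uses, a comment above the entry would help, for example `# Make $NIX_SSL_CERT_FILE take precedence over $SSL_CERT_FILE (NixOS/nix#921)`. The `patches` expression continues past the end of this hunk.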
diff --git a/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..4b3c6f458b4c
--- /dev/null
+++ b/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
@@ -0,0 +1,15 @@
+diff -ru -x '*~' openssl-1.0.2j-orig/crypto/x509/by_file.c openssl-1.0.2j/crypto/x509/by_file.c
+--- openssl-1.0.2j-orig/crypto/x509/by_file.c	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/x509/by_file.c	2016-10-13 16:54:31.400288302 +0200
+@@ -97,7 +97,10 @@
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = (char *)getenv(X509_get_default_cert_file_env());
++            file = (char *)getenv("NIX_SSL_CERT_FILE");
++            if (!file)
++                file = (char *)getenv(X509_get_default_cert_file_env());
++            fprintf(stderr, "OPEN %s", file);
+             if (file)
+                 ok = (X509_load_cert_crl_file(ctx, file,
+                                               X509_FILETYPE_PEM) != 0);
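Review bot: The added `fprintf(stderr, "OPEN %s", file);` looks like leftover debugging and sits before the `if (file)` check. When neither variable is set it passes a NULL pointer to `%s`, which is undefined behaviour in C, and otherwise it writes an unterminated line to stderr in every program that loads the default certificate file. Remove that line and let the existing `if (file)` guard handle the lookup result. Separately, the new lookup uses plain `getenv`, as the replaced line did, so a process running with elevated privileges would take its trust anchors from a caller-controlled variable. If that matters here, skip the environment lookup when `OPENSSL_issetugid()` reports a setuid/setgid process. The enclosing `switch` and function start and end outside this hunk.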