authorEelco Dolstra <edolstra@gmail.com>2016-10-14 12:04:28 +0200
committerEelco Dolstra <edolstra@gmail.com>2016-10-14 12:06:10 +0200
commit942dbf89c6120cb5b52fb2ab456855d1fbf2994e (patch)
tree2abe1536e2d47fc0c8ace6da13dbea1de0f92ac8 /pkgs
parent027efec8798547c0e8cff7861680f9b95732c12d (diff)
openssl, curl, git: Respect $NIX_SSL_CERT_FILE
$NIX_SSL_CERT_FILE overrides $SSL_CERT_FILE, which in turn overrides
the default CA bundle file (/etc/ssl/certs/ca-certificates.crt). This allows
Nix to set a CA bundle without interfering with other packages (such as
Homebrew).

See https://github.com/NixOS/nix/issues/921.
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch7
-rw-r--r--pkgs/development/libraries/openssl/default.nix1
-rw-r--r--pkgs/development/libraries/openssl/nix-ssl-cert-file.patch15
-rw-r--r--pkgs/tools/networking/curl/default.nix2
-rw-r--r--pkgs/tools/networking/curl/nix-ssl-cert-file.patch14
5 files changed, 37 insertions, 2 deletions
diff --git a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch b/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
index bafd65e8c93e..0e0697dfb211 100644
--- a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
+++ b/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
@@ -1,11 +1,14 @@
 diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c
 --- git-2.7.4-orig/http.c	2016-03-17 21:47:59.000000000 +0100
 +++ git-2.7.4/http.c	2016-04-12 11:38:33.187070848 +0200
-@@ -544,6 +544,7 @@
+@@ -544,6 +544,10 @@
  #if LIBCURL_VERSION_NUM >= 0x070908
  	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
  #endif
-+	set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
++	if (getenv("NIX_SSL_CERT_FILE"))
++	  set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");
++	else
++	  set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
  	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
  
  	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
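Review bot: The `if (getenv("NIX_SSL_CERT_FILE"))` test on the new side treats a set-but-empty variable as present, so `NIX_SSL_CERT_FILE=` both shadows a valid `SSL_CERT_FILE` and hands an empty string to `set_from_env`, which (its definition is outside the hunk) presumably stores it as the CA file and makes subsequent HTTPS verification fail for no obvious reason. A test that also rejects the empty value keeps the fallback meaningful: `const char *nix_cainfo = getenv("NIX_SSL_CERT_FILE");` followed by `if (nix_cainfo && *nix_cainfo)`. Note that `GIT_SSL_CAINFO` on the following context line still wins over both, which matches git's own precedence but is not mentioned in the commit message. The enclosing function begins and ends outside this hunk.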
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index ea89bb859e5f..6aefc8b79723 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -19,6 +19,7 @@ let
 
     patches =
       (args.patches or [])
+      ++ [ ./nix-ssl-cert-file.patch ]
       ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch
       ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
       ++ optional
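Review bot: The new patch is added to the list unconditionally, whereas the neighbouring `use-etc-ssl-certs.patch` is gated with `optional (versionOlder version "1.1.0")`, which suggests this expression also builds 1.1.x. The new patch file's headers name `openssl-1.0.2j/crypto/x509/by_file.c`, so if that assumption holds it should either be verified to apply cleanly to 1.1.0 or be guarded the same way, e.g. `++ optional (versionOlder version "1.1.0") ./nix-ssl-cert-file.patch` with a separate patch for newer releases. The `let` block this list belongs to starts outside the hunk.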
diff --git a/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch b/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..4b3c6f458b4c
--- /dev/null
+++ b/pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
@@ -0,0 +1,15 @@
+diff -ru -x '*~' openssl-1.0.2j-orig/crypto/x509/by_file.c openssl-1.0.2j/crypto/x509/by_file.c
+--- openssl-1.0.2j-orig/crypto/x509/by_file.c	2016-09-26 11:49:07.000000000 +0200
++++ openssl-1.0.2j/crypto/x509/by_file.c	2016-10-13 16:54:31.400288302 +0200
+@@ -97,7 +97,10 @@
+     switch (cmd) {
+     case X509_L_FILE_LOAD:
+         if (argl == X509_FILETYPE_DEFAULT) {
+-            file = (char *)getenv(X509_get_default_cert_file_env());
++            file = (char *)getenv("NIX_SSL_CERT_FILE");
++            if (!file)
++                file = (char *)getenv(X509_get_default_cert_file_env());
++            fprintf(stderr, "OPEN %s", file);
+             if (file)
+                 ok = (X509_load_cert_crl_file(ctx, file,
+                                               X509_FILETYPE_PEM) != 0);
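Review bot: The added line `fprintf(stderr, "OPEN %s", file);` looks like a leftover debug print and should be dropped before this ships: it sits in library code on the default-CA-load path, so every process that links this OpenSSL and calls into the default loader will write `OPEN ...` (without a trailing newline) to its stderr, and when neither variable is set `file` is NULL at that point, so passing it to `%s` is undefined behaviour. The fix is simply to delete that line. Separately, the same set-but-empty caveat applies here as in the git patch: `getenv("NIX_SSL_CERT_FILE")` returning `""` suppresses the fallback to `X509_get_default_cert_file_env()`; `if (!file || !*file)` would keep the fallback usable, though note the unpatched OpenSSL code honours an empty `SSL_CERT_FILE` as-is, so this is a behavioural choice to document rather than an outright bug. The `switch` this hunk edits continues outside the hunk.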
diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index 958bea34e7d3..d1936cb11ad3 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     sha256 = "1v6q83qsrf7dgp3y5fa5vkppgqyy82pnsk8z9b4047b6fvclfwvv";
   };
 
+  patches = [ ./nix-ssl-cert-file.patch ];
+
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 
   nativeBuildInputs = [ pkgconfig perl ];
diff --git a/pkgs/tools/networking/curl/nix-ssl-cert-file.patch b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
new file mode 100644
index 000000000000..20c408bfae23
--- /dev/null
+++ b/pkgs/tools/networking/curl/nix-ssl-cert-file.patch
@@ -0,0 +1,14 @@
+diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c
+--- curl-7.50.3-orig/src/tool_operate.c	2016-09-06 23:25:06.000000000 +0200
++++ curl-7.50.3/src/tool_operate.c	2016-10-14 11:51:48.999943142 +0200
+@@ -269,7 +269,9 @@
+         capath_from_env = true;
+       }
+       else {
+-        env = curlx_getenv("SSL_CERT_FILE");
++        env = curlx_getenv("NIX_SSL_CERT_FILE");
++        if(!env)
++          env = curlx_getenv("SSL_CERT_FILE");
+         if(env) {
+           config->cacert = strdup(env);
+           if(!config->cacert) {
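Review bot: The new lookup only runs in the `else` branch, so whatever condition the preceding `if` (outside the hunk, it sets `capath_from_env`) checks — presumably a CA directory variable — still takes precedence over `NIX_SSL_CERT_FILE`; the commit message's stated override order does not cover that, and a one-line comment above the lookup, such as `/* NIX_SSL_CERT_FILE wins over SSL_CERT_FILE; a CA path set above still takes precedence */`, would make it explicit. As in the other two patches, a set-but-empty `NIX_SSL_CERT_FILE` yields a non-NULL `env` and disables the `SSL_CERT_FILE` fallback; since `curlx_getenv` appears to hand back an allocated copy (the `strdup` of it two lines later is freed elsewhere, outside the hunk), an empty-value check would also have to release that copy before retrying, so if the fallback-on-empty behaviour is wanted it needs a few more lines than the other patches. This patch touches only the `curl` tool; libcurl callers get the new variable only through the OpenSSL patch, which is worth noting in the commit description.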