diff --git a/pkgs/development/libraries/openssl/1.0.0e.nix b/pkgs/development/libraries/openssl/1.0.0e.nix
index e1a550dc525..b1e1c3aa1d0 100644
--- a/pkgs/development/libraries/openssl/1.0.0e.nix
+++ b/pkgs/development/libraries/openssl/1.0.0e.nix
@@ -14,7 +14,17 @@ stdenv.mkDerivation rec {
 sha256 = "1xw0ffzmr4wbnb0glywgks375dvq8x87pgxmwx6vhgvkflkxqqg3";
 };
- patches = stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
+ patches =
+ [ # Allow the location of the X509 certificate file (the CA
+ # bundle) to be set through the environment variable
+ # ‘OPENSSL_X509_CERT_FILE’. This is necessary because the
+ # default location ($out/ssl/cert.pem) doesn't exist, and
+ # hardcoding something like /etc/ssl/cert.pem is impure and
+ # cannot be overriden per-process. For security, the
+ # environment variable is ignored for setuid binaries.
+ ./cert-file.patch
+ ]
+ ++ stdenv.lib.optional stdenv.isDarwin ./darwin-arch.patch;
 buildNativeInputs = [ perl ];
diff --git a/pkgs/development/libraries/openssl/cert-file.patch b/pkgs/development/libraries/openssl/cert-file.patch
new file mode 100644
index 00000000000..6b7a60e9026
--- /dev/null
+++ b/pkgs/development/libraries/openssl/cert-file.patch
@@ -0,0 +1,35 @@
+diff -ru -x '*~' openssl-1.0.0e-orig/crypto/x509/x509_def.c openssl-1.0.0e/crypto/x509/x509_def.c
+--- openssl-1.0.0e-orig/crypto/x509/x509_def.c 1999-09-11 19:54:11.000000000 +0200
++++ openssl-1.0.0e/crypto/x509/x509_def.c 2011-09-12 18:30:59.386501609 +0200
+@@ -57,6 +57,10 @@
+ */
+ 
+ #include
++#include
++#include
++#include
++#include
+ #include "cryptlib.h"
+ #include
+ #include
+@@ -71,7 +75,19 @@
+ { return(X509_CERT_DIR); }
+ 
+ const char *X509_get_default_cert_file(void)
+- { return(X509_CERT_FILE); }
++ {
++ static char buf[PATH_MAX] = X509_CERT_FILE;
++ static int init = 0;
++ if (!init) {
++ init = 1;
++ char * s = getenv("OPENSSL_X509_CERT_FILE");
++ if (s && getuid() == geteuid()) {
++ strncpy(buf, s, sizeof(buf));
++ buf[sizeof(buf) - 1] = 0;
++ }
++ }
++ return buf;
++ }
+ 
+ const char *X509_get_default_cert_dir_env(void)
+ { return(X509_CERT_DIR_EVP); }
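Review bot: The privilege check in X509_get_default_cert_file, `if (s && getuid() == geteuid())`, only detects setuid binaries, not setgid ones or processes that gained privileges through file capabilities, so in those cases the caller's environment would still replace the trust store even though the accompanying nix comment says the variable is ignored for privileged binaries; at minimum widen it to `if (s && *s && getuid() == geteuid() && getgid() == getegid())`, or where available use `secure_getenv("OPENSSL_X509_CERT_FILE")` (glibc) / `issetugid()` (BSD), which honour the kernel's AT_SECURE flag. The added `*s` test also stops an empty variable from replacing the compiled-in X509_CERT_FILE default with "". Separately, `init = 1;` is set before the copy and nothing serialises callers, so a second thread entering while the first is still inside strncpy can return a partially written `buf`; moving the assignment after the copy, or guarding the block with the library's CRYPTO lock, narrows that window. The `#include` lines appear with their header names stripped in this rendering, so the exact headers added could not be confirmed from the page.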