public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

curl: Use default trust store of TLS backend

Browse Source 
Having curl fall back to openssl's CA means that we need not patch curl
to respect NIX_SSL_CERT_FILE. It will work in all the cases.

This reverts commit fb4c43dd8adbd7a10d1c52539b36e2da269f3f7f "curl: Use CA bundle in nix default profile by default"
If we want to reintroduce that feature, this needs to go inside openssl
This commit is contained in:
Guillaume Maudoux 2017-03-22 11:48:06 +01:00
parent 525a663174
commit 8ecb94bb97
2 changed files with 1 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkgs/tools/networking/curl/default.nix
View File

@ -28,8 +28,6 @@ stdenv.mkDerivation rec {
sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw"; sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
}; };
patches = [ ./nix-ssl-cert-file.patch ];
outputs = [ "bin" "dev" "out" "man" "devdoc" ]; outputs = [ "bin" "dev" "out" "man" "devdoc" ];
enableParallelBuilding = true; enableParallelBuilding = true;
@ -57,9 +55,7 @@ stdenv.mkDerivation rec {
''; '';
configureFlags = [ configureFlags = [
# OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile "--with-ca-fallback"
# This sucks. We should probably just include the latest cacerts in the darwin bootstrap.
"--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"
"--disable-manual" "--disable-manual"
( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" ) ( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" ) ( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )

37
pkgs/tools/networking/curl/nix-ssl-cert-file.patch
View File

@ -1,37 +0,0 @@
diff --git a/lib/url.c b/lib/url.c
index 03feaa20f..43d3baa80 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -574,11 +574,15 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
/* This is our preferred CA cert bundle/path since install time */
#if defined(CURL_CA_BUNDLE)
- result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
+ char* env = curl_getenv("NIX_SSL_CERT_FILE");
+ if (!env)
+ env = CURL_CA_BUNDLE;
+
+ result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], env);
if(result)
return result;
- result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], CURL_CA_BUNDLE);
+ result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], env);
if(result)
return result;
#endif
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 572c8d0cc..ca4fb31cb 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -265,7 +265,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
capath_from_env = true;
}
else {
- env = curlx_getenv("SSL_CERT_FILE");
+ env = curlx_getenv("NIX_SSL_CERT_FILE");
+ if(!env)
+ env = curlx_getenv("SSL_CERT_FILE");
if(env) {
config->cacert = strdup(env);
if(!config->cacert) {