diff --git a/pkgs/data/misc/cacert/setup-hook.sh b/pkgs/data/misc/cacert/setup-hook.sh
index b704a6a919e..e969596752f 100644
--- a/pkgs/data/misc/cacert/setup-hook.sh
+++ b/pkgs/data/misc/cacert/setup-hook.sh
@@ -1,4 +1,6 @@
 cacertHook() {
+    export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
+    # left for compatibility
     export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
 }
 
diff --git a/pkgs/development/interpreters/gauche/default.nix b/pkgs/development/interpreters/gauche/default.nix
index 5481c4e7d05..bb3294e2097 100644
--- a/pkgs/development/interpreters/gauche/default.nix
+++ b/pkgs/development/interpreters/gauche/default.nix
@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     "--with-iconv=${libiconv}"
     "--with-dbm=gdbm"
     "--with-zlib=${zlib}"
-    "--with-ca-bundle=$SSL_CERT_FILE"
+    "--with-ca-bundle=$NIX_SSL_CERT_FILE"
     # TODO: Enable slib
     #       Current slib in nixpkgs is specialized to Guile
     # "--with-slib=${slibGuile}/lib/slib"
diff --git a/pkgs/development/tools/pypi2nix/default.nix b/pkgs/development/tools/pypi2nix/default.nix
index 70c292365ab..e3d458fc648 100644
--- a/pkgs/development/tools/pypi2nix/default.nix
+++ b/pkgs/development/tools/pypi2nix/default.nix
@@ -43,7 +43,7 @@ in stdenv.mkDerivation rec {
     mv click-*/click                    $out/pkgs/click
     mv requests-*/requests              $out/pkgs/
 
-    if [ "$IN_NIX_SHELL" != "1" ]; then
+    if [ -z "$IN_NIX_SHELL" ]; then
       if [ -e git-export ]; then
         mv git-export/src/pypi2nix      $out/pkgs/pypi2nix
       else
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index 6f1a654a38a..dcccdaa50ae 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -646,10 +646,13 @@ fi
 export NIX_BUILD_CORES
 
 
-# Prevent OpenSSL-based applications from using certificates in
-# /etc/ssl.
-# Leave it in shells for convenience.
-if [ -z "${SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
+# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
+# Leave it in impure shells for convenience.
+if [ -z "${NIX_SSL_CERT_FILE:-}" ] && [ "${IN_NIX_SHELL:-}" != "impure" ]; then
+  export NIX_SSL_CERT_FILE=/no-cert-file.crt
+fi
+# Another variant left for compatibility.
+if [ -z "${SSL_CERT_FILE:-}" ] && [ "${IN_NIX_SHELL:-}" != "impure" ]; then
   export SSL_CERT_FILE=/no-cert-file.crt
 fi