Configure a default trust store for openssl
This commit is contained in:
parent
0876a44169
commit
9f358f809d
@ -74,7 +74,7 @@ let cfg = config.system.autoUpgrade; in
|
|||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
|
|
||||||
environment = config.nix.envVars //
|
environment = config.nix.envVars //
|
||||||
{ inherit (config.environment.sessionVariables) NIX_PATH SSL_CERT_FILE;
|
{ inherit (config.environment.sessionVariables) NIX_PATH;
|
||||||
HOME = "/root";
|
HOME = "/root";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -165,7 +165,6 @@ in
|
|||||||
script = "exec venus-planet ${configFile}";
|
script = "exec venus-planet ${configFile}";
|
||||||
serviceConfig.User = "${cfg.user}";
|
serviceConfig.User = "${cfg.user}";
|
||||||
serviceConfig.Group = "${cfg.group}";
|
serviceConfig.Group = "${cfg.group}";
|
||||||
environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
startAt = cfg.dates;
|
startAt = cfg.dates;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -64,12 +64,6 @@ in
|
|||||||
# CentOS/Fedora compatibility.
|
# CentOS/Fedora compatibility.
|
||||||
environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
|
environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
|
||||||
|
|
||||||
environment.sessionVariables =
|
|
||||||
{ SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
# FIXME: unneeded - remove eventually.
|
|
||||||
GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
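Review bot: Dropping SSL_CERT_FILE and GIT_SSL_CAINFO from `environment.sessionVariables` also removes the hint for programs that do not go through the system OpenSSL's compiled-in default store (anything shipping its own TLS stack or CA list), which the `cert.pem` symlink added to openssl in this commit does not reach; the same assumption underlies the per-service removals in the `-74,7`, `-165,7`, `-183,7`, `-127,7`, `-156,12` and `-62,7` hunks. Whether each of those services actually resolves its trust store through the system openssl, curl or gnutls is not visible here, so a short comment in this module stating the new contract would help reviewers of later service modules, e.g. `# SSL_CERT_FILE is no longer exported: the system openssl default store (cert.pem) and the curl/gnutls --with-ca-bundle paths all point at /etc/ssl/certs/ca-certificates.crt`. The enclosing module body continues outside the hunk.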
@ -92,11 +92,12 @@ in {
|
|||||||
type = with types; attrsOf str;
|
type = with types; attrsOf str;
|
||||||
description = ''
|
description = ''
|
||||||
Additional environment variables to be passed to the jenkins process.
|
Additional environment variables to be passed to the jenkins process.
|
||||||
As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
|
As a base environment, jenkins receives NIX_PATH from
|
||||||
GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
|
<option>environment.sessionVariables</option>, NIX_REMOTE is set to
|
||||||
NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
|
"daemon" and JENKINS_HOME is set to the value of
|
||||||
the value of <option>services.jenkins.home</option>. This option has
|
<option>services.jenkins.home</option>.
|
||||||
precedence and can be used to override those mentioned variables.
|
This option has precedence and can be used to override those
|
||||||
|
mentioned variables.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -136,11 +137,7 @@ in {
|
|||||||
environment =
|
environment =
|
||||||
let
|
let
|
||||||
selectedSessionVars =
|
selectedSessionVars =
|
||||||
lib.filterAttrs (n: v: builtins.elem n
|
lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
|
||||||
[ "NIX_PATH"
|
|
||||||
"SSL_CERT_FILE"
|
|
||||||
"GIT_SSL_CAINFO"
|
|
||||||
])
|
|
||||||
config.environment.sessionVariables;
|
config.environment.sessionVariables;
|
||||||
in
|
in
|
||||||
selectedSessionVars //
|
selectedSessionVars //
|
||||||
|
@ -183,7 +183,6 @@ in {
|
|||||||
Restart = "always";
|
Restart = "always";
|
||||||
RestartSec = 2;
|
RestartSec = 2;
|
||||||
};
|
};
|
||||||
environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
|
restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -127,7 +127,6 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "network.target" ];
|
after = [ "network.target" ];
|
||||||
|
|
||||||
environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
# Uncomment this if too many problems occur:
|
# Uncomment this if too many problems occur:
|
||||||
# Type = "forking";
|
# Type = "forking";
|
||||||
|
@ -156,12 +156,6 @@ in
|
|||||||
after = [ "ip-up.target" ];
|
after = [ "ip-up.target" ];
|
||||||
wants = [ "ip-up.target" ];
|
wants = [ "ip-up.target" ];
|
||||||
|
|
||||||
environment = {
|
|
||||||
GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
||||||
};
|
|
||||||
|
|
||||||
path = [ pkgs.e2fsprogs ];
|
path = [ pkgs.e2fsprogs ];
|
||||||
description = "Windows Azure Agent Service";
|
description = "Windows Azure Agent Service";
|
||||||
unitConfig.ConditionPathExists = "/etc/waagent.conf";
|
unitConfig.ConditionPathExists = "/etc/waagent.conf";
|
||||||
|
@ -62,7 +62,6 @@ stdenv.mkDerivation rec {
|
|||||||
--prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
|
--prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
|
||||||
--prefix "HOME" : "$out/share/panamax-api" \
|
--prefix "HOME" : "$out/share/panamax-api" \
|
||||||
--prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
|
--prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
|
||||||
--prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \
|
|
||||||
--prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
|
--prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
@ -40,11 +40,7 @@ let
|
|||||||
} // removeAttrs attrs [ "name" "sha256" ]);
|
} // removeAttrs attrs [ "name" "sha256" ]);
|
||||||
|
|
||||||
in mkTkabber (main // {
|
in mkTkabber (main // {
|
||||||
postPatch = ''
|
postPatch = optionalString (theme != null) ''
|
||||||
substituteInPlace login.tcl --replace \
|
|
||||||
"custom::defvar loginconf(sslcacertstore) \"\"" \
|
|
||||||
"custom::defvar loginconf(sslcacertstore) \$env(SSL_CERT_FILE)"
|
|
||||||
'' + optionalString (theme != null) ''
|
|
||||||
themePath="$out/share/doc/tkabber/examples/xrdb/${theme}.xrdb"
|
themePath="$out/share/doc/tkabber/examples/xrdb/${theme}.xrdb"
|
||||||
sed -i '/^if.*load_default_xrdb/,/^}$/ {
|
sed -i '/^if.*load_default_xrdb/,/^}$/ {
|
||||||
s@option readfile \(\[fullpath [^]]*\]\)@option readfile "'"$themePath"'"@
|
s@option readfile \(\[fullpath [^]]*\]\)@option readfile "'"$themePath"'"@
|
||||||
|
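Review bot: The removed `substituteInPlace` left `loginconf(sslcacertstore)` pointing at `$env(SSL_CERT_FILE)`; after this change it stays at its upstream default `""`, and whether an empty store then falls back to OpenSSL's default trust store (the `cert.pem` symlink this commit adds) or quietly weakens CA verification depends on how tkabber's TLS layer treats an empty path, which is not visible here. Worth confirming against login.tcl before merging and recording the outcome in a comment above the `postPatch` line, e.g. `# sslcacertstore is left empty so the TLS layer uses OpenSSL's default trust store`. The `mkTkabber` call continues past the hunk.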
@ -1,12 +0,0 @@
|
|||||||
diff -ru -x '*~' git-1.9.2-orig/git-send-email.perl git-1.9.2/git-send-email.perl
|
|
||||||
--- git-1.9.2-orig/git-send-email.perl 2014-04-09 21:09:34.000000000 +0200
|
|
||||||
+++ git-1.9.2/git-send-email.perl 2014-04-16 18:35:05.861132282 +0200
|
|
||||||
@@ -1094,6 +1094,8 @@
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ $smtp_ssl_cert_path //= $ENV{'SSL_CERT_FILE'};
|
|
||||||
+
|
|
||||||
if (!defined $smtp_ssl_cert_path) {
|
|
||||||
# use the OpenSSL defaults
|
|
||||||
return (SSL_verify_mode => SSL_VERIFY_PEER());
|
|
@ -24,8 +24,6 @@ stdenv.mkDerivation {
|
|||||||
patches = [
|
patches = [
|
||||||
./docbook2texi.patch
|
./docbook2texi.patch
|
||||||
./symlinks-in-bin.patch
|
./symlinks-in-bin.patch
|
||||||
./cert-path.patch
|
|
||||||
./ssl-cert-file.patch
|
|
||||||
];
|
];
|
||||||
|
|
||||||
buildInputs = [curl openssl zlib expat gettext cpio makeWrapper libiconv]
|
buildInputs = [curl openssl zlib expat gettext cpio makeWrapper libiconv]
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
This patch adds support for the OpenSSL SSL_CERT_FILE environment variable.
|
|
||||||
GIT_SSL_CAINFO still takes precedence.
|
|
||||||
|
|
||||||
--- git-orig/http.c.orig 2014-11-25 23:27:56.000000000 +0100
|
|
||||||
+++ git-orig/http.c 2014-11-25 23:28:48.000000000 +0100
|
|
||||||
@@ -433,6 +433,7 @@
|
|
||||||
#if LIBCURL_VERSION_NUM >= 0x070908
|
|
||||||
set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
|
|
||||||
#endif
|
|
||||||
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
|
|
||||||
set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
|
|
||||||
|
|
||||||
set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
|
|
@ -16,8 +16,6 @@ stdenv.mkDerivation {
|
|||||||
outputHashMode = "recursive";
|
outputHashMode = "recursive";
|
||||||
outputHash = sha256;
|
outputHash = sha256;
|
||||||
|
|
||||||
SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
|
|
||||||
|
|
||||||
impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ];
|
impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ];
|
||||||
preferLocalBuild = true;
|
preferLocalBuild = true;
|
||||||
}
|
}
|
||||||
|
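Review bot: Removing `SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"` means this fixed-output derivation no longer carries its own CA bundle and instead relies on the builder's openssl/curl defaults, which in this commit are absolute host paths under `/etc/ssl/certs`. If the fetch runs in a build sandbox where that host path is not present, verification inside the builder has nothing to check against and the fetch presumably fails closed rather than verifying anything — worth confirming with a sandboxed build of one fixed-output fetch. If exposing the host path to the sandbox is intended, a comment next to `impureEnvVars` would make that dependency explicit, e.g. `# TLS trust comes from the host's /etc/ssl/certs/ca-certificates.crt via the builder's openssl/curl defaults`. The derivation's attribute set starts before the hunk.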
@ -16,7 +16,6 @@ stdenv.mkDerivation {
|
|||||||
outputs = [ "out" "man" ];
|
outputs = [ "out" "man" ];
|
||||||
|
|
||||||
configureFlags =
|
configureFlags =
|
||||||
# FIXME: perhaps use $SSL_CERT_FILE instead
|
|
||||||
lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
|
lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
|
||||||
++ [
|
++ [
|
||||||
"--disable-dependency-tracking"
|
"--disable-dependency-tracking"
|
||||||
|
@ -1,5 +1,6 @@
|
|||||||
{ stdenv, fetchurl, perl
|
{ stdenv, fetchurl, perl
|
||||||
, withCryptodev ? false, cryptodevHeaders }:
|
, withCryptodev ? false, cryptodevHeaders
|
||||||
|
, defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt" }:
|
||||||
|
|
||||||
with stdenv.lib;
|
with stdenv.lib;
|
||||||
let
|
let
|
||||||
@ -58,6 +59,9 @@ stdenv.mkDerivation rec {
|
|||||||
|
|
||||||
# remove dependency on Perl at runtime
|
# remove dependency on Perl at runtime
|
||||||
rm -r $out/etc/ssl/misc $out/bin/c_rehash
|
rm -r $out/etc/ssl/misc $out/bin/c_rehash
|
||||||
|
|
||||||
|
# configure the default trust store
|
||||||
|
${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
postFixup = ''
|
postFixup = ''
|
||||||
|
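Review bot: `ln -s ${defaultCertificate} $out/etc/ssl/cert.pem` creates a store symlink to a path outside the store, so the trust store this openssl uses is decided by whatever the deploying host has at `/etc/ssl/certs/ca-certificates.crt`; on a host without that file the link dangles and every default-store verification fails (closed, but hard to diagnose). The value is also interpolated unquoted, and plain `ln -s` aborts the build if the installation step already produced `$out/etc/ssl/cert.pem`; `ln -sfn "${defaultCertificate}" "$out/etc/ssl/cert.pem"` avoids both. A comment stating the deliberate choice to point outside the store would help, e.g. `# cert.pem points at the host CA bundle rather than a store path; the file must exist on the deploying system`. The install script starts before the hunk.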
@ -1,17 +0,0 @@
|
|||||||
Use $SSL_CERT_FILE to get the CA certificates.
|
|
||||||
|
|
||||||
diff -ru -x '*~' LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm
|
|
||||||
--- LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm 2011-03-27 13:54:01.000000000 +0200
|
|
||||||
+++ LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm 2011-10-07 13:23:41.398628375 +0200
|
|
||||||
@@ -21,6 +21,11 @@
|
|
||||||
}
|
|
||||||
if ($ssl_opts{SSL_verify_mode}) {
|
|
||||||
unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
|
|
||||||
+ if (defined $ENV{'SSL_CERT_FILE'}) {
|
|
||||||
+ $ssl_opts{SSL_ca_file} = $ENV{'SSL_CERT_FILE'};
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
|
|
||||||
eval {
|
|
||||||
require Mozilla::CA;
|
|
||||||
};
|
|
@ -33,12 +33,8 @@ stdenv.mkDerivation rec {
|
|||||||
sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure
|
sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE
|
|
||||||
postConfigure = ''
|
|
||||||
echo '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") || getenv("SSL_CERT_FILE"))' >> lib/curl_config.h
|
|
||||||
'';
|
|
||||||
|
|
||||||
configureFlags = [
|
configureFlags = [
|
||||||
|
"--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
|
||||||
( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
|
( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
|
||||||
( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" )
|
( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" )
|
||||||
]
|
]
|
||||||
|
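Review bot: `--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt` hard-codes the same host path that the openssl hunk in this commit exposes as a `defaultCertificate ? ...` parameter, so the two curl hunks (`-33,12` here and `-44,12` below) cannot be pointed elsewhere without editing the expression. A parameter with the same default, e.g. `, defaultCaBundle ? "/etc/ssl/certs/ca-certificates.crt"` in the argument set and `"--with-ca-bundle=${defaultCaBundle}"` here, would keep the two packages consistent; the argument set is outside the hunk. Note also that the removed `postConfigure` let the `CURL_CA_BUNDLE` environment variable override the bundle inside libcurl, whereas with the configure flag only the curl command-line tool honours that variable, so library users now have a single fixed path — fine if intended, but worth a comment on the flag.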
@ -44,12 +44,8 @@ stdenv.mkDerivation rec {
|
|||||||
rm src/tool_hugehelp.c
|
rm src/tool_hugehelp.c
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE
|
|
||||||
postConfigure = ''
|
|
||||||
echo '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") ? getenv("CURL_CA_BUNDLE") : getenv("SSL_CERT_FILE"))' >> lib/curl_config.h
|
|
||||||
'';
|
|
||||||
|
|
||||||
configureFlags = [
|
configureFlags = [
|
||||||
|
"--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
|
||||||
"--disable-manual"
|
"--disable-manual"
|
||||||
"--with-nghttp2=${libnghttp2}"
|
"--with-nghttp2=${libnghttp2}"
|
||||||
( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
|
( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
|
||||||
|
@ -6934,7 +6934,6 @@ let self = _self // overrides; _self = with self; {
|
|||||||
url = mirror://cpan/authors/id/G/GA/GAAS/LWP-Protocol-https-6.04.tar.gz;
|
url = mirror://cpan/authors/id/G/GA/GAAS/LWP-Protocol-https-6.04.tar.gz;
|
||||||
sha256 = "0agnga5dg94222h6rlzqxa0dri2sh3gayncvfb7jad9nxr87gxhy";
|
sha256 = "0agnga5dg94222h6rlzqxa0dri2sh3gayncvfb7jad9nxr87gxhy";
|
||||||
};
|
};
|
||||||
patches = [ ../development/perl-modules/lwp-protocol-https-cert-file.patch ];
|
|
||||||
propagatedBuildInputs = [ LWP IOSocketSSL ];
|
propagatedBuildInputs = [ LWP IOSocketSSL ];
|
||||||
doCheck = false; # tries to connect to https://www.apache.org/.
|
doCheck = false; # tries to connect to https://www.apache.org/.
|
||||||
meta = {
|
meta = {
|
||||||
|
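Review bot: Without `lwp-protocol-https-cert-file.patch`, LWP::Protocol::https takes the `require Mozilla::CA` fallback shown in the deleted patch when neither `SSL_ca_file` nor `SSL_ca_path` is set, and `propagatedBuildInputs = [ LWP IOSocketSSL ]` does not include Mozilla::CA, so the CA source becomes whatever IO::Socket::SSL defaults to — presumably the system openssl's default store, now `cert.pem`, but that is not visible here. Worth confirming with one HTTPS request through this module before merging, and noting the expectation in a comment on `propagatedBuildInputs`, e.g. `# no CA bundle is configured here: IO::Socket::SSL uses the openssl default trust store`. The package attribute set starts before the hunk.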