Configure a default trust store for openssl
layus authored and edolstra committed Feb 3, 2016
1 parent 0876a44 commit 9f358f8
Showing 19 changed files with 16 additions and 91 deletions.
2 changes: 1 addition & 1 deletion nixos/modules/installer/tools/auto-upgrade.nix
Expand Up @@ -74,7 +74,7 @@ let cfg = config.system.autoUpgrade; in
serviceConfig.Type = "oneshot";

environment = config.nix.envVars //
{ inherit (config.environment.sessionVariables) NIX_PATH SSL_CERT_FILE;
{ inherit (config.environment.sessionVariables) NIX_PATH;
HOME = "/root";
};
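Review bot: With SSL_CERT_FILE gone from the inherit line, the TLS trust store that this service's nix fetches use is whatever the curl/openssl defaults compiled in elsewhere in this commit resolve to (/etc/ssl/certs/ca-certificates.crt), and a custom bundle set through environment.sessionVariables.SSL_CERT_FILE no longer reaches the unit. That is presumably intended, but nothing in the module says so, and the next person who bisects a corporate-CA failure in auto-upgrade will land here; a one-line comment would save them the trip: `# TLS trust comes from the CA bundle compiled into curl/openssl (/etc/ssl/certs/ca-certificates.crt), not from SSL_CERT_FILE; add private CAs through the NixOS CA module instead.` The enclosing systemd service definition starts and ends outside the hunk.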

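--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@@ -165,7 +165,6 @@ in
 script = "exec venus-planet ${configFile}";
 serviceConfig.User = "${cfg.user}";
 serviceConfig.Group = "${cfg.group}";
-environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
 startAt = cfg.dates;
 };
 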
6 changes: 0 additions & 6 deletions nixos/modules/security/ca.nix
Expand Up @@ -64,12 +64,6 @@ in
# CentOS/Fedora compatibility.
environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;

environment.sessionVariables =
{ SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
# FIXME: unneeded - remove eventually.
GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
};

};

}
17 changes: 7 additions & 10 deletions nixos/modules/services/continuous-integration/jenkins/default.nix
Expand Up @@ -92,11 +92,12 @@ in {
type = with types; attrsOf str;
description = ''
Additional environment variables to be passed to the jenkins process.
As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
the value of <option>services.jenkins.home</option>. This option has
precedence and can be used to override those mentioned variables.
As a base environment, jenkins receives NIX_PATH from
<option>environment.sessionVariables</option>, NIX_REMOTE is set to
"daemon" and JENKINS_HOME is set to the value of
<option>services.jenkins.home</option>.
This option has precedence and can be used to override those
mentioned variables.
'';
};

Expand Down Expand Up @@ -136,11 +137,7 @@ in {
environment =
let
selectedSessionVars =
lib.filterAttrs (n: v: builtins.elem n
[ "NIX_PATH"
"SSL_CERT_FILE"
"GIT_SSL_CAINFO"
])
lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
config.environment.sessionVariables;
in
selectedSessionVars //
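Review bot: The filter on the `lib.filterAttrs` line now matches a single name, so `builtins.elem n [ "NIX_PATH" ]` reads as a leftover of the longer list it replaced; `lib.filterAttrs (n: _: n == "NIX_PATH")` says the same thing directly and also stops binding the unused `v`. The option description in the first hunk correctly drops the two certificate variables but leaves an administrator with no hint where Jenkins jobs now get their trust store; a sentence such as "TLS trust for jobs comes from the system CA bundle (/etc/ssl/certs/ca-certificates.crt) rather than from environment variables" would close that gap. The `environment = let ... in` expression this filter belongs to continues past the end of the hunk.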
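--- a/nixos/modules/services/monitoring/dd-agent.nix
+++ b/nixos/modules/services/monitoring/dd-agent.nix
@@ -183,7 +183,6 @@ in {
 Restart = "always";
 RestartSec = 2;
 };
-environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
 restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
 };
 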
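--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@@ -127,7 +127,6 @@ in
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
 
-environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
 serviceConfig = {
 # Uncomment this if too many problems occur:
 # Type = "forking";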
6 changes: 0 additions & 6 deletions nixos/modules/virtualisation/azure-agent.nix
Expand Up @@ -156,12 +156,6 @@ in
after = [ "ip-up.target" ];
wants = [ "ip-up.target" ];

environment = {
GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
};

path = [ pkgs.e2fsprogs ];
description = "Windows Azure Agent Service";
unitConfig.ConditionPathExists = "/etc/waagent.conf";
Expand Up @@ -62,7 +62,6 @@ stdenv.mkDerivation rec {
--prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
--prefix "HOME" : "$out/share/panamax-api" \
--prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
--prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \
--prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
'';

Expand Up @@ -40,11 +40,7 @@ let
} // removeAttrs attrs [ "name" "sha256" ]);

in mkTkabber (main // {
postPatch = ''
substituteInPlace login.tcl --replace \
"custom::defvar loginconf(sslcacertstore) \"\"" \
"custom::defvar loginconf(sslcacertstore) \$env(SSL_CERT_FILE)"
'' + optionalString (theme != null) ''
postPatch = optionalString (theme != null) ''
themePath="$out/share/doc/tkabber/examples/xrdb/${theme}.xrdb"
sed -i '/^if.*load_default_xrdb/,/^}$/ {
s@option readfile \(\[fullpath [^]]*\]\)@option readfile "'"$themePath"'"@
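Review bot: Dropping the login.tcl substitution leaves `loginconf(sslcacertstore)` at the upstream default `""`, and nothing in this hunk shows what tkabber's TLS layer does with an empty CA store: if it simply passes no cafile and OpenSSL's compiled-in cert.pem from this commit is consulted, verification still works, but if the Tcl tls package treats an empty store as "no CA verification" this is a silent downgrade rather than a relocation of the trust store. That is worth confirming against a server with an unknown CA, and the outcome recorded where the substitution used to be, e.g. `# sslcacertstore is deliberately left empty: OpenSSL's default cert.pem supplies the trust store`. The file header for this section is not visible, and the `mkTkabber (main // { ... })` expression continues beyond the hunk.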

This file was deleted.

Expand Up @@ -24,8 +24,6 @@ stdenv.mkDerivation {
patches = [
./docbook2texi.patch
./symlinks-in-bin.patch
./cert-path.patch
./ssl-cert-file.patch
];

buildInputs = [curl openssl zlib expat gettext cpio makeWrapper libiconv]

This file was deleted.

2 changes: 0 additions & 2 deletions pkgs/build-support/rust/fetchcargo.nix
Expand Up @@ -16,8 +16,6 @@ stdenv.mkDerivation {
outputHashMode = "recursive";
outputHash = sha256;

SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";

impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ];
preferLocalBuild = true;
}
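--- a/pkgs/development/libraries/gnutls/generic.nix
+++ b/pkgs/development/libraries/gnutls/generic.nix
@@ -16,7 +16,6 @@ stdenv.mkDerivation {
 outputs = [ "out" "man" ];
 
 configureFlags =
-# FIXME: perhaps use $SSL_CERT_FILE instead
 lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
 ++ [
 "--disable-dependency-tracking"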
6 changes: 5 additions & 1 deletion pkgs/development/libraries/openssl/default.nix
@@ -1,5 +1,6 @@
{ stdenv, fetchurl, perl
, withCryptodev ? false, cryptodevHeaders }:
, withCryptodev ? false, cryptodevHeaders
, defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt" }:

with stdenv.lib;
let
Expand Down Expand Up @@ -58,6 +59,9 @@ stdenv.mkDerivation rec {
# remove dependency on Perl at runtime
rm -r $out/etc/ssl/misc $out/bin/c_rehash
# configure the default trust store
${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"}
'';

postFixup = ''
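Review bot: The new `ln -s ${defaultCertificate} $out/etc/ssl/cert.pem` line interpolates the path unquoted and documents neither the new `defaultCertificate` parameter nor the fact that the link target lives outside the store and is only resolved on the host at runtime, so it is a dangling link inside the build sandbox by construction. I would quote both operands and state the contract right above the line: `# OpenSSL's default trust store is $out/etc/ssl/cert.pem; link it to the host bundle (null = no link). The target is resolved at runtime and may be absent.` followed by `${optionalString (defaultCertificate != null) ''ln -s "${defaultCertificate}" "$out/etc/ssl/cert.pem"''}`. Whether a dangling cert.pem makes OpenSSL fall through to the $out/etc/ssl/certs directory or to SSL_CERT_FILE/SSL_CERT_DIR from the environment is not visible here and is worth confirming, since the rest of this commit removes those variables everywhere. The postInstall string this line sits in starts outside the hunk.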
17 changes: 0 additions & 17 deletions pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch

This file was deleted.

6 changes: 1 addition & 5 deletions pkgs/tools/networking/curl/7.15.nix
Expand Up @@ -33,12 +33,8 @@ stdenv.mkDerivation rec {
sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure
'';

# make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE
postConfigure = ''
echo '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") || getenv("SSL_CERT_FILE"))' >> lib/curl_config.h
'';

configureFlags = [
"--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" )
]
6 changes: 1 addition & 5 deletions pkgs/tools/networking/curl/default.nix
Expand Up @@ -44,12 +44,8 @@ stdenv.mkDerivation rec {
rm src/tool_hugehelp.c
'';

# make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE
postConfigure = ''
echo '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") ? getenv("CURL_CA_BUNDLE") : getenv("SSL_CERT_FILE"))' >> lib/curl_config.h
'';

configureFlags = [
"--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
"--disable-manual"
"--with-nghttp2=${libnghttp2}"
( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
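Review bot: `--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt` bakes the trust store into libcurl in place of the removed runtime lookup, so every program linking libcurl that relied on SSL_CERT_FILE (git drops its own ssl-cert-file patch in this same commit) now gets only that path; as far as I recall libcurl does not fall back to OpenSSL's default locations once a bundle is configured, and only the curl binary still reads CURL_CA_BUNDLE, which deserves a comment where the old one stood: `# CA bundle path is compiled in; libcurl no longer consults SSL_CERT_FILE at runtime (only the curl CLI honours CURL_CA_BUNDLE).` The same flag is added in 7.15.nix and would take the same note. The flag is also unconditional while `--with-ssl` is gated on sslSupport; presumably harmless when configure has no TLS backend, but worth a quick check. The configureFlags list continues past the hunk.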
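--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
@@ -6934,7 +6934,6 @@ let self = _self // overrides; _self = with self; {
 url = mirror://cpan/authors/id/G/GA/GAAS/LWP-Protocol-https-6.04.tar.gz;
 sha256 = "0agnga5dg94222h6rlzqxa0dri2sh3gayncvfb7jad9nxr87gxhy";
 };
-patches = [ ../development/perl-modules/lwp-protocol-https-cert-file.patch ];
 propagatedBuildInputs = [ LWP IOSocketSSL ];
 doCheck = false; # tries to connect to https://www.apache.org/.
 meta = {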

5 comments on commit 9f358f8

@wmertens
Contributor


@edolstra this pretty much breaks everything relying on SSL on non-NixOS.

What should we do about that? I suppose we could require /etc/ssl/certs/ca-certificates.crt to be a symlink to the OS one, but on OS X, there is no such file to link to since they use the System Keychain.

So that leaves symlinking to the user profile, which is a bit brittle…

@edolstra
Member


@wmertens What does it break exactly? Maybe good to make an issue about it.

@vcunat
Member

@vcunat vcunat commented on 9f358f8 Apr 25, 2016


There were quite lengthy discussions around these questions, e.g. on #8247, but I didn't follow them fully.

@Profpatsch
Member

@Profpatsch Profpatsch commented on 9f358f8 Apr 25, 2016


The installer depends on SSL_CERT_FILE, at least partially.
Probably completely, since this is only a day old. Maybe a bit more documentation and a good commit message?

Edit to make it clearer: This patch probably breaks the installer, at least it broke my tries at nixos-install -I <link-to-tar.xz> with an SSL error.

@wmertens
Contributor


@edolstra looks like the problem and solutions were discussed at #8247 (comment) which you participated in but only before that comment.

Right now anything using SSL on non-NixOS is broken because it cannot find the trust store.
