From 9f358f809d1db46f3206d4a09a5366f13c93e777 Mon Sep 17 00:00:00 2001
From: Guillaume Maudoux
Date: Mon, 1 Feb 2016 10:18:31 +0100
Subject: [PATCH] Configure a default trust store for openssl
---
 nixos/modules/installer/tools/auto-upgrade.nix | 2 +-
 nixos/modules/programs/venus.nix | 1 -
 nixos/modules/security/ca.nix | 6 ------
 .../continuous-integration/jenkins/default.nix | 17 +++++++----------
 nixos/modules/services/monitoring/dd-agent.nix | 1 -
 nixos/modules/services/networking/ddclient.nix | 1 -
 nixos/modules/virtualisation/azure-agent.nix | 6 ------
 .../networking/cluster/panamax/api/default.nix | 1 -
 .../instant-messengers/tkabber/default.nix | 6 +----
 .../git-and-tools/git/cert-path.patch | 12 ------------
 .../git-and-tools/git/default.nix | 2 --
 .../git-and-tools/git/ssl-cert-file.patch | 13 -------------
 pkgs/build-support/rust/fetchcargo.nix | 2 --
 pkgs/development/libraries/gnutls/generic.nix | 1 -
 pkgs/development/libraries/openssl/default.nix | 6 +++++-
 .../lwp-protocol-https-cert-file.patch | 17 -----------------
 pkgs/tools/networking/curl/7.15.nix | 6 +----
 pkgs/tools/networking/curl/default.nix | 6 +----
 pkgs/top-level/perl-packages.nix | 1 -
 19 files changed, 16 insertions(+), 91 deletions(-)
 delete mode 100644 pkgs/applications/version-management/git-and-tools/git/cert-path.patch
 delete mode 100644 pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch
 delete mode 100644 pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch
diff --git a/nixos/modules/installer/tools/auto-upgrade.nix b/nixos/modules/installer/tools/auto-upgrade.nix
index 4ef5fa8bc1d4c..2da330f9b5716 100644
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@@ -74,7 +74,7 @@ let cfg = config.system.autoUpgrade; in serviceConfig.Type = "oneshot"; environment = config.nix.envVars // - { inherit (config.environment.sessionVariables) NIX_PATH SSL_CERT_FILE; + { inherit (config.environment.sessionVariables) NIX_PATH; HOME = "/root"; }; diff --git a/nixos/modules/programs/venus.nix b/nixos/modules/programs/venus.nix index c3756b4838c75..76827eeced6f1 100644 --- a/nixos/modules/programs/venus.nix +++ b/nixos/modules/programs/venus.nix @@ -165,7 +165,6 @@ in script = "exec venus-planet ${configFile}"; serviceConfig.User = "${cfg.user}"; serviceConfig.Group = "${cfg.group}"; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; startAt = cfg.dates; }; diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix index 98d73ed254261..8bd634b10a51d 100644 --- a/nixos/modules/security/ca.nix +++ b/nixos/modules/security/ca.nix @@ -64,12 +64,6 @@ in # CentOS/Fedora compatibility. environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates; - environment.sessionVariables = - { SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; - # FIXME: unneeded - remove eventually. - GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt"; - }; - }; } diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix index d6ae4b45ceefb..cfb1cd773c7fe 100644 --- a/nixos/modules/services/continuous-integration/jenkins/default.nix +++ b/nixos/modules/services/continuous-integration/jenkins/default.nix 
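Review bot: The ca.nix hunk removes the `SSL_CERT_FILE`/`GIT_SSL_CAINFO` exports without leaving any statement of how `/etc/ssl/certs/ca-certificates.crt` is reached now, so an administrator who added a private CA through `security.pki.certificateFiles` will read the deletion as that CA no longer being offered to programs. Ahead of the `environment.etc."pki/tls/certs/ca-bundle.crt"` line I would add a comment along the lines of `# No SSL_CERT_FILE export: openssl, gnutls and curl from nixpkgs are built with this path as their default trust store; programs that carry their own CA bundle still need per-program configuration.` The venus, dd-agent and ddclient units in this same commit stop setting `SSL_CERT_FILE` on the same assumption, which holds only if each service's TLS stack ends in one of those libraries, something these hunks do not show. OpenSSL itself still consults `SSL_CERT_FILE` at runtime, so a user-level override stays available for OpenSSL-linked programs; the comment should say that too so nobody re-adds the global export.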
@@ -92,11 +92,12 @@ in { type = with types; attrsOf str; description = '' Additional environment variables to be passed to the jenkins process. - As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and - GIT_SSL_CAINFO from , - NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to - the value of . This option has - precedence and can be used to override those mentioned variables. + As a base environment, jenkins receives NIX_PATH from + , NIX_REMOTE is set to + "daemon" and JENKINS_HOME is set to the value of + . + This option has precedence and can be used to override those + mentioned variables. ''; }; @@ -136,11 +137,7 @@ in { environment = let selectedSessionVars = - lib.filterAttrs (n: v: builtins.elem n - [ "NIX_PATH" - "SSL_CERT_FILE" - "GIT_SSL_CAINFO" - ]) + lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ]) config.environment.sessionVariables; in selectedSessionVars // diff --git a/nixos/modules/services/monitoring/dd-agent.nix b/nixos/modules/services/monitoring/dd-agent.nix index ed9be73ba65bf..bd8d9950f77cf 100644 --- a/nixos/modules/services/monitoring/dd-agent.nix +++ b/nixos/modules/services/monitoring/dd-agent.nix @@ -183,7 +183,6 @@ in { Restart = "always"; RestartSec = 2; }; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ]; }; diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix index e60520c742bd5..c5dd1e71c189d 100644 --- a/nixos/modules/services/networking/ddclient.nix +++ b/nixos/modules/services/networking/ddclient.nix @@ -127,7 +127,6 @@ in wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; - environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; serviceConfig = { # Uncomment this if too many problems occur: # Type = "forking"; 
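Review bot: Dropping `environment.SSL_CERT_FILE` from the ddclient unit is safe only if ddclient's HTTPS stack falls back to OpenSSL's compiled-in default certificate file; ddclient is a Perl program, and this same commit deletes the LWP::Protocol::https patch that read `SSL_CERT_FILE`, so what remains is whatever IO::Socket::SSL does when no `SSL_ca_file` or `SSL_ca_path` is supplied. I cannot confirm that fallback from these hunks, and a silent failure here would be a dynamic-DNS client that either stops updating or, worse, connects without a trust anchor. A short comment in the unit, `# CA bundle: relies on the openssl default trust store (pkgs openssl defaultCertificate), not on SSL_CERT_FILE`, plus one manual run of ddclient against an HTTPS provider after the change would record and check the assumption.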
diff --git a/nixos/modules/virtualisation/azure-agent.nix b/nixos/modules/virtualisation/azure-agent.nix index ef4e3e1e48d4f..e657cc519396d 100644 --- a/nixos/modules/virtualisation/azure-agent.nix +++ b/nixos/modules/virtualisation/azure-agent.nix @@ -156,12 +156,6 @@ in after = [ "ip-up.target" ]; wants = [ "ip-up.target" ]; - environment = { - GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt"; - OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; - SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; - }; - path = [ pkgs.e2fsprogs ]; description = "Windows Azure Agent Service"; unitConfig.ConditionPathExists = "/etc/waagent.conf"; diff --git a/pkgs/applications/networking/cluster/panamax/api/default.nix b/pkgs/applications/networking/cluster/panamax/api/default.nix index 6e20f7c230387..ee74e665b0c7b 100644 --- a/pkgs/applications/networking/cluster/panamax/api/default.nix +++ b/pkgs/applications/networking/cluster/panamax/api/default.nix @@ -62,7 +62,6 @@ stdenv.mkDerivation rec { --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \ --prefix "HOME" : "$out/share/panamax-api" \ --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \ - --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \ --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}" ''; diff --git a/pkgs/applications/networking/instant-messengers/tkabber/default.nix b/pkgs/applications/networking/instant-messengers/tkabber/default.nix index f9209f28cf20a..9c84e60601bbf 100644 --- a/pkgs/applications/networking/instant-messengers/tkabber/default.nix +++ b/pkgs/applications/networking/instant-messengers/tkabber/default.nix 
@@ -40,11 +40,7 @@ let } // removeAttrs attrs [ "name" "sha256" ]); in mkTkabber (main // { - postPatch = '' - substituteInPlace login.tcl --replace \ - "custom::defvar loginconf(sslcacertstore) \"\"" \ - "custom::defvar loginconf(sslcacertstore) \$env(SSL_CERT_FILE)" - '' + optionalString (theme != null) '' + postPatch = optionalString (theme != null) '' themePath="$out/share/doc/tkabber/examples/xrdb/${theme}.xrdb" sed -i '/^if.*load_default_xrdb/,/^}$/ { s@option readfile \(\[fullpath [^]]*\]\)@option readfile "'"$themePath"'"@ diff --git a/pkgs/applications/version-management/git-and-tools/git/cert-path.patch b/pkgs/applications/version-management/git-and-tools/git/cert-path.patch deleted file mode 100644 index 7d5dca9abfebd..0000000000000 --- a/pkgs/applications/version-management/git-and-tools/git/cert-path.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ru -x '*~' git-1.9.2-orig/git-send-email.perl git-1.9.2/git-send-email.perl ---- git-1.9.2-orig/git-send-email.perl 2014-04-09 21:09:34.000000000 +0200 -+++ git-1.9.2/git-send-email.perl 2014-04-16 18:35:05.861132282 +0200 -@@ -1094,6 +1094,8 @@ - return; - } - -+ $smtp_ssl_cert_path //= $ENV{'SSL_CERT_FILE'}; -+ - if (!defined $smtp_ssl_cert_path) { - # use the OpenSSL defaults - return (SSL_verify_mode => SSL_VERIFY_PEER()); diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 49ecce0456b20..f8223a7de396e 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -24,8 +24,6 @@ stdenv.mkDerivation { patches = [ ./docbook2texi.patch ./symlinks-in-bin.patch - ./cert-path.patch - ./ssl-cert-file.patch ]; buildInputs = [curl openssl zlib expat gettext cpio makeWrapper libiconv] 
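Review bot: With the tkabber `postPatch` removed, `loginconf(sslcacertstore)` keeps its upstream default of an empty string instead of an explicit CA file, so whether server certificates are still verified now depends on the Tcl tls binding falling back to OpenSSL's default paths when no `-cafile` is given; that fallback is not visible in this diff. If it does not happen, tkabber's TLS sessions go from verified-against-a-file to unverified with no visible change for the user, which is the wrong direction for a client that sends credentials. Either keep a `postPatch` that substitutes the new fixed path, `"custom::defvar loginconf(sslcacertstore) \"/etc/ssl/certs/ca-certificates.crt\""`, or add a comment above `postPatch = optionalString ...` recording that verification relies on the OpenSSL default store and has been checked. The `mkTkabber (main // { ... })` call continues outside the hunk.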
diff --git a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch b/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch deleted file mode 100644 index dd216b7bf6f8d..0000000000000 --- a/pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch +++ /dev/null @@ -1,13 +0,0 @@ -This patch adds support for the OpenSSL SSL_CERT_FILE environment variable. -GIT_SSL_CAINFO still takes precedence. - ---- git-orig/http.c.orig 2014-11-25 23:27:56.000000000 +0100 -+++ git-orig/http.c 2014-11-25 23:28:48.000000000 +0100 -@@ -433,6 +433,7 @@ - #if LIBCURL_VERSION_NUM >= 0x070908 - set_from_env(&ssl_capath, "GIT_SSL_CAPATH"); - #endif -+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE"); - set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO"); - - set_from_env(&user_agent, "GIT_HTTP_USER_AGENT"); diff --git a/pkgs/build-support/rust/fetchcargo.nix b/pkgs/build-support/rust/fetchcargo.nix index 95eefbedc327b..7910887ba640a 100644 --- a/pkgs/build-support/rust/fetchcargo.nix +++ b/pkgs/build-support/rust/fetchcargo.nix @@ -16,8 +16,6 @@ stdenv.mkDerivation { outputHashMode = "recursive"; outputHash = sha256; - SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"; - impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ]; preferLocalBuild = true; } diff --git a/pkgs/development/libraries/gnutls/generic.nix b/pkgs/development/libraries/gnutls/generic.nix index ebaef47ca140f..e51b77eb5b07c 100644 --- a/pkgs/development/libraries/gnutls/generic.nix +++ b/pkgs/development/libraries/gnutls/generic.nix @@ -16,7 +16,6 @@ stdenv.mkDerivation { outputs = [ "out" "man" ]; configureFlags = - # FIXME: perhaps use $SSL_CERT_FILE instead lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" ++ [ "--disable-dependency-tracking" diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 4e009e5306d6b..be224fd54eb5a 100644 
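Review bot: Removing `SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt"` from fetchcargo takes away the only trust store that is guaranteed to be present inside the build sandbox; the compiled-in `/etc/ssl/certs/ca-certificates.crt` is a host path, and if the sandbox does not expose it every cargo fetch now fails TLS verification (closed, which is the right direction, but it breaks the fetcher) instead of using the store bundle. For a fixed-output derivation the pure store path is the better choice anyway, so I would keep the line, `SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";`, with a comment that it exists for sandboxed builds. If the removal is intentional, `cacert` is presumably now an unused argument in the function header above this hunk and should go too. The `stdenv.mkDerivation` call starts before the hunk.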
--- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -1,5 +1,6 @@ { stdenv, fetchurl, perl -, withCryptodev ? false, cryptodevHeaders }: +, withCryptodev ? false, cryptodevHeaders +, defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt" }: with stdenv.lib; let @@ -58,6 +59,9 @@ stdenv.mkDerivation rec { # remove dependency on Perl at runtime rm -r $out/etc/ssl/misc $out/bin/c_rehash + + # configure the default trust store + ${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"} ''; postFixup = '' diff --git a/pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch b/pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch deleted file mode 100644 index 4a4b49a829d2c..0000000000000 --- a/pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch +++ /dev/null @@ -1,17 +0,0 @@ -Use $SSL_CERT_FILE to get the CA certificates. - -diff -ru -x '*~' LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm ---- LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm 2011-03-27 13:54:01.000000000 +0200 -+++ LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm 2011-10-07 13:23:41.398628375 +0200 -@@ -21,6 +21,11 @@ - } - if ($ssl_opts{SSL_verify_mode}) { - unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { -+ if (defined $ENV{'SSL_CERT_FILE'}) { -+ $ssl_opts{SSL_ca_file} = $ENV{'SSL_CERT_FILE'}; -+ } -+ } -+ unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { - eval { - require Mozilla::CA; - }; diff --git a/pkgs/tools/networking/curl/7.15.nix b/pkgs/tools/networking/curl/7.15.nix index 4e533878ec189..1e91d6bd08832 100644 --- a/pkgs/tools/networking/curl/7.15.nix +++ b/pkgs/tools/networking/curl/7.15.nix 
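Review bot: The new `ln -s ${defaultCertificate} $out/etc/ssl/cert.pem` interpolates the argument into the shell unquoted and without `-f`, so a path containing whitespace breaks the install and any `cert.pem` already present at that point makes `ln` fail; `ln -sf "${defaultCertificate}" "$out/etc/ssl/cert.pem"` is the safer form. With the default value the link points out of the store and dangles on any system that has no `/etc/ssl/certs/ca-certificates.crt`; OpenSSL then has no default CA file and verification fails closed, which is acceptable but belongs in the comment, e.g. `# default trust store; a dangling link means verification fails (closed) until the file exists`. The new argument also deserves a line of documentation at the top of the file: `defaultCertificate` may be a host path (impure, resolved at runtime), a store path such as `"${cacert}/etc/ssl/certs/ca-bundle.crt"` (pure, becomes a runtime dependency), or `null` to leave OpenSSL's default untouched.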
@@ -33,12 +33,8 @@ stdenv.mkDerivation rec { sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure ''; - # make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE - postConfigure = '' - echo '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") || getenv("SSL_CERT_FILE"))' >> lib/curl_config.h - ''; - configureFlags = [ + "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" ) ( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" ) ] diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index d5421f0a500e3..bb08966ed49ef 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -44,12 +44,8 @@ stdenv.mkDerivation rec { rm src/tool_hugehelp.c ''; - # make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE - postConfigure = '' - echo '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") ? getenv("CURL_CA_BUNDLE") : getenv("SSL_CERT_FILE"))' >> lib/curl_config.h - ''; - configureFlags = [ + "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" "--disable-manual" "--with-nghttp2=${libnghttp2}" ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" ) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 1e8dfa91d2d25..1cc4e7a7b920c 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -6934,7 +6934,6 @@ let self = _self // overrides; _self = with self; { url = mirror://cpan/authors/id/G/GA/GAAS/LWP-Protocol-https-6.04.tar.gz; sha256 = "0agnga5dg94222h6rlzqxa0dri2sh3gayncvfb7jad9nxr87gxhy"; }; - patches = [ ../development/perl-modules/lwp-protocol-https-cert-file.patch ]; propagatedBuildInputs = [ LWP IOSocketSSL ]; doCheck = false; # tries to connect to https://www.apache.org/. meta = {
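Review bot: Replacing the `CURL_CA_BUNDLE`/`SSL_CERT_FILE` getenv hack with `--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt` changes what libcurl consumers honour: libcurl itself reads no environment variable for the CA bundle (the curl command-line tool consults `CURL_CA_BUNDLE`), so programs linking libcurl, git among them now that its `SSL_CERT_FILE` patch is also dropped, ignore `SSL_CERT_FILE` and must be pointed at a private CA through their own options such as `GIT_SSL_CAINFO` or `CURLOPT_CAINFO`. That is defensible, but it should be written down next to the flag, e.g. `# system trust store; libcurl does not honour SSL_CERT_FILE, only the curl tool reads CURL_CA_BUNDLE`. The path is now a literal repeated in curl/default.nix, curl/7.15.nix, gnutls and openssl; taking a `defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt"` argument as openssl/default.nix does and writing `"--with-ca-bundle=${defaultCertificate}"` keeps the four in step. The `configureFlags` list continues past the hunk.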
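Review bot: Without the deleted patch, LWP::Protocol::https falls back to `Mozilla::CA` when it can be loaded and otherwise to IO::Socket::SSL's own defaults, as the context lines of the removed patch show; `Mozilla::CA` is not in `propagatedBuildInputs` here, so the system bundle is reached only if IO::Socket::SSL hands verification to OpenSSL's default paths. That is plausible but not established by this diff, and with `doCheck = false` nothing in the build exercises it. A comment next to `propagatedBuildInputs`, `# CA trust: no SSL_CERT_FILE patch; relies on IO::Socket::SSL falling back to the openssl default cert.pem`, would record the assumption until a test covers it.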