-
-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
git, openssl, curl: Respect $NIX_SSL_CERT_FILE #24121
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,11 +1,14 @@ | ||
diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c | ||
--- git-2.7.4-orig/http.c 2016-03-17 21:47:59.000000000 +0100 | ||
+++ git-2.7.4/http.c 2016-04-12 11:38:33.187070848 +0200 | ||
@@ -544,6 +544,7 @@ | ||
@@ -544,6 +544,10 @@ | ||
#if LIBCURL_VERSION_NUM >= 0x070908 | ||
set_from_env(&ssl_capath, "GIT_SSL_CAPATH"); | ||
#endif | ||
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE"); | ||
+ if (getenv("NIX_SSL_CERT_FILE")) | ||
+ set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE"); | ||
+ else | ||
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE"); | ||
set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO"); | ||
|
||
set_from_env(&user_agent, "GIT_HTTP_USER_AGENT"); |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
diff -ru -x '*~' openssl-1.0.2j-orig/crypto/x509/by_file.c openssl-1.0.2j/crypto/x509/by_file.c | ||
--- openssl-1.0.2j-orig/crypto/x509/by_file.c 2016-09-26 11:49:07.000000000 +0200 | ||
+++ openssl-1.0.2j/crypto/x509/by_file.c 2016-10-13 16:54:31.400288302 +0200 | ||
@@ -97,7 +97,9 @@ | ||
switch (cmd) { | ||
case X509_L_FILE_LOAD: | ||
if (argl == X509_FILETYPE_DEFAULT) { | ||
- file = (char *)getenv(X509_get_default_cert_file_env()); | ||
+ file = (char *)getenv("NIX_SSL_CERT_FILE"); | ||
+ if (!file) | ||
+ file = (char *)getenv(X509_get_default_cert_file_env()); | ||
if (file) | ||
ok = (X509_load_cert_crl_file(ctx, file, | ||
X509_FILETYPE_PEM) != 0); |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c | ||
--- curl-7.50.3-orig/src/tool_operate.c 2016-09-06 23:25:06.000000000 +0200 | ||
+++ curl-7.50.3/src/tool_operate.c 2016-10-14 11:51:48.999943142 +0200 | ||
@@ -269,7 +269,9 @@ | ||
capath_from_env = true; | ||
} | ||
else { | ||
- env = curlx_getenv("SSL_CERT_FILE"); | ||
+ env = curlx_getenv("NIX_SSL_CERT_FILE"); | ||
+ if(!env) | ||
+ env = curlx_getenv("SSL_CERT_FILE"); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same as above, let SSL_CERT_FILE return to its rank of default value if none provided. We now use "NIX_SSL_CERT_FILE" as first priority override. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this is intentional because of Darwin #23605. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry, this one is correct because it is how curl works... |
||
if(env) { | ||
config->cacert = strdup(env); | ||
if(!config->cacert) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not appear here. Git does follow SSL_CERT_FILE by default. There is no reason to keep this line if we use NIX_SSL_CERT_FILE. Git uses openssl and without this override, the underlying openssl will look at SSL_CERT_FILE anyway.
tl;dr
set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
should not appear here.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If so,
NIX_SSL_CERT_FILE
is tried by the patched openssl as well...There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anyway, NIX_SSL_CERT_FILE should be a default value, not a global override. If someone knows better than us where to look for the CA bundle, let them have it their way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this case, SSL_CERT_FILE was introduced by #14617. There was not much investigation to understand the issue. Maybe it was due to some misconfigured openssl, Or this i really needed. Who knows... Anyway, it's NIX_SSL_CERT_FILE which is needed, not "SSL_CERT_FILE".