Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

git, openssl, curl: Respect $NIX_SSL_CERT_FILE #24121

Merged
merged 1 commit into from
Mar 20, 2017
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -1,11 +1,14 @@
diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c
--- git-2.7.4-orig/http.c 2016-03-17 21:47:59.000000000 +0100
+++ git-2.7.4/http.c 2016-04-12 11:38:33.187070848 +0200
@@ -544,6 +544,7 @@
@@ -544,6 +544,10 @@
#if LIBCURL_VERSION_NUM >= 0x070908
set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
#endif
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
+ if (getenv("NIX_SSL_CERT_FILE"))
+ set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");
+ else
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
Copy link
Member

@layus layus Mar 21, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should not appear here. Git does follow SSL_CERT_FILE by default. There is no reason to keep this line if we use NIX_SSL_CERT_FILE. Git uses openssl and without this override, the underlying openssl will look at SSL_CERT_FILE anyway.

tl;dr set_from_env(&ssl_cainfo, "SSL_CERT_FILE"); should not appear here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If so, NIX_SSL_CERT_FILE is tried by the patched openssl as well...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it is.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyway, NIX_SSL_CERT_FILE should be a default value, not a global override. If someone knows better than us where to look for the CA bundle, let them have it their way.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case, SSL_CERT_FILE was introduced by #14617. There was not much investigation to understand the issue. Maybe it was due to some misconfigured openssl, Or this i really needed. Who knows... Anyway, it's NIX_SSL_CERT_FILE which is needed, not "SSL_CERT_FILE".

set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");

set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
1 change: 1 addition & 0 deletions pkgs/development/libraries/openssl/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ let

patches =
(args.patches or [])
++ [ ./nix-ssl-cert-file.patch ]
++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch
++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
++ optional
Expand Down
14 changes: 14 additions & 0 deletions pkgs/development/libraries/openssl/nix-ssl-cert-file.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
diff -ru -x '*~' openssl-1.0.2j-orig/crypto/x509/by_file.c openssl-1.0.2j/crypto/x509/by_file.c
--- openssl-1.0.2j-orig/crypto/x509/by_file.c 2016-09-26 11:49:07.000000000 +0200
+++ openssl-1.0.2j/crypto/x509/by_file.c 2016-10-13 16:54:31.400288302 +0200
@@ -97,7 +97,9 @@
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
- file = (char *)getenv(X509_get_default_cert_file_env());
+ file = (char *)getenv("NIX_SSL_CERT_FILE");
+ if (!file)
+ file = (char *)getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);
2 changes: 1 addition & 1 deletion pkgs/tools/networking/curl/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
};

patches = [ ];
patches = [ ./nix-ssl-cert-file.patch ];

outputs = [ "bin" "dev" "out" "man" "devdoc" ];

Expand Down
14 changes: 14 additions & 0 deletions pkgs/tools/networking/curl/nix-ssl-cert-file.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c
--- curl-7.50.3-orig/src/tool_operate.c 2016-09-06 23:25:06.000000000 +0200
+++ curl-7.50.3/src/tool_operate.c 2016-10-14 11:51:48.999943142 +0200
@@ -269,7 +269,9 @@
capath_from_env = true;
}
else {
- env = curlx_getenv("SSL_CERT_FILE");
+ env = curlx_getenv("NIX_SSL_CERT_FILE");
+ if(!env)
+ env = curlx_getenv("SSL_CERT_FILE");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, let SSL_CERT_FILE return to its rank of default value if none provided. We now use "NIX_SSL_CERT_FILE" as first priority override.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is intentional because of Darwin #23605.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, this one is correct because it is how curl works...

if(env) {
config->cacert = strdup(env);
if(!config->cacert) {