openssl: Compile in /etc/ssl/certs/ca-certificates.crt

pkgs/development/libraries/openssl/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, perl
 , withCryptodev ? false, cryptodevHeaders
-, defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt" }:
+}:
 
 with stdenv.lib;
 let
@@ -21,7 +21,9 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "man" ];
 
-  patches = optional stdenv.isCygwin ./1.0.1-cygwin64.patch
+  patches =
+    [ ./use-etc-ssl-certs.patch ]
+    ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
     ++ optional (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")) ./darwin-arch.patch;
 
   nativeBuildInputs = [ perl ];
@@ -60,8 +62,7 @@ stdenv.mkDerivation rec {
     # remove dependency on Perl at runtime
     rm -r $out/etc/ssl/misc $out/bin/c_rehash
 
-    # configure the default trust store
-    ${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"}
+    rmdir $out/etc/ssl/certs
   '';
 
   postFixup = ''
@@ -72,6 +73,11 @@ stdenv.mkDerivation rec {
     fi
   '';
 
+  setupHook = builtins.toFile "openssl-setup-hook"
+    ''
+      export SSL_CERT_FILE=/no-cert-file.crt
+    '';
+
   crossAttrs = {
     # upstream patch: https://rt.openssl.org/Ticket/Display.html?id=2558
     postPatch = ''

pkgs/development/libraries/openssl/use-etc-ssl-certs.patch

@@ -0,0 +1,13 @@
+diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
+--- openssl-1.0.1r-orig/crypto/cryptlib.h	2016-01-28 14:38:30.000000000 +0100
++++ openssl-1.0.1r/crypto/cryptlib.h	2016-02-03 12:54:29.193165176 +0100
+@@ -81,8 +81,8 @@
+ 
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#  define X509_CERT_FILE          "/etc/ssl/certs/ca-certificates.crt"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ # else
+ #  define X509_CERT_AREA          "SSLROOT:[000000]"