curl: Use default trust store of TLS backend
Having curl fall back to openssl's CA means that we need not patch curl
to respect NIX_SSL_CERT_FILE. It will work in all cases.
This reverts commit fb4c43dd8a
"curl: Use CA bundle in nix default profile by default"
If we want to reintroduce that feature, this needs to go inside openssl
parent
525a663174
commit
8ecb94bb97
@ -28,8 +28,6 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
|
||||
};
|
||||
|
||||
patches = [ ./nix-ssl-cert-file.patch ];
|
||||
|
||||
outputs = [ "bin" "dev" "out" "man" "devdoc" ];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
@ -57,9 +55,7 @@ stdenv.mkDerivation rec {
|
||||
'';
|
||||
|
||||
configureFlags = [
|
||||
# OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile
|
||||
# This sucks. We should probably just include the latest cacerts in the darwin bootstrap.
|
||||
"--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"
|
||||
"--with-ca-fallback"
|
||||
"--disable-manual"
|
||||
( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
|
||||
( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )
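Review bot: `"--with-ca-fallback"` is passed unconditionally in `configureFlags`, but the two lines after it still allow a build with both `--without-ssl` and `--without-gnutls`. As far as I know curl's configure accepts that flag only when OpenSSL or GnuTLS is enabled, so that combination would likely fail at configure time; a guard such as `( if sslSupport || gnutlsSupport then "--with-ca-fallback" else "--without-ca-bundle" )` would avoid that. With the explicit bundle path gone, certificate verification depends entirely on the TLS library's default store, and nothing at this spot says so now that the old comments are removed; I would add `# No --with-ca-bundle: trust anchors come from the TLS backend's default store (openssl is expected to honour NIX_SSL_CERT_FILE)`. The commit message only argues the OpenSSL case, so it is worth confirming that a `gnutlsSupport` build also finds a usable trust store rather than failing every verification. The `configureFlags` list continues past the end of this hunk.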
|
||||
|
@ -1,37 +0,0 @@
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index 03feaa20f..43d3baa80 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -574,11 +574,15 @@ CURLcode Curl_init_userdefined(struct UserDefined *set)
|
||||
|
||||
/* This is our preferred CA cert bundle/path since install time */
|
||||
#if defined(CURL_CA_BUNDLE)
|
||||
- result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
|
||||
+ char* env = curl_getenv("NIX_SSL_CERT_FILE");
|
||||
+ if (!env)
|
||||
+ env = CURL_CA_BUNDLE;
|
||||
+
|
||||
+ result = setstropt(&set->str[STRING_SSL_CAFILE_ORIG], env);
|
||||
if(result)
|
||||
return result;
|
||||
|
||||
- result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], CURL_CA_BUNDLE);
|
||||
+ result = setstropt(&set->str[STRING_SSL_CAFILE_PROXY], env);
|
||||
if(result)
|
||||
return result;
|
||||
#endif
|
||||
diff --git a/src/tool_operate.c b/src/tool_operate.c
|
||||
index 572c8d0cc..ca4fb31cb 100644
|
||||
--- a/src/tool_operate.c
|
||||
+++ b/src/tool_operate.c
|
||||
@@ -265,7 +265,9 @@ static CURLcode operate_do(struct GlobalConfig *global,
|
||||
capath_from_env = true;
|
||||
}
|
||||
else {
|
||||
- env = curlx_getenv("SSL_CERT_FILE");
|
||||
+ env = curlx_getenv("NIX_SSL_CERT_FILE");
|
||||
+ if(!env)
|
||||
+ env = curlx_getenv("SSL_CERT_FILE");
|
||||
if(env) {
|
||||
config->cacert = strdup(env);
|
||||
if(!config->cacert) {
|