pyrox.dev / nixpkgs
lol
fork atom

Configure a default trust store for openssl

Guillaume Maudoux 9f358f80 0876a441

options
unified split
Changed files
+16 -91
nixos
modules
installer
tools
auto-upgrade.nix
programs
venus.nix
security
ca.nix
services
continuous-integration
jenkins
default.nix
monitoring
dd-agent.nix
networking
ddclient.nix
virtualisation
azure-agent.nix
pkgs
applications
networking
cluster
panamax
api
default.nix
instant-messengers
tkabber
default.nix
version-management
git-and-tools
git
cert-path.patch
default.nix
ssl-cert-file.patch
build-support
rust
fetchcargo.nix
development
libraries
gnutls
generic.nix
openssl
default.nix
perl-modules
lwp-protocol-https-cert-file.patch
tools
networking
curl
7.15.nix
default.nix
top-level
perl-packages.nix
+1 -1
nixos/modules/installer/tools/auto-upgrade.nix 
···

       
74

       
74

       
 

       
      serviceConfig.Type = "oneshot";


     

       
75

       
75

       
 

       



     

       
76

       
76

       
 

       
      environment = config.nix.envVars //


     

       
77

       

       
-

       
        { inherit (config.environment.sessionVariables) NIX_PATH SSL_CERT_FILE;


     

       

       
77

       
+

       
        { inherit (config.environment.sessionVariables) NIX_PATH;


     

       
78

       
78

       
 

       
          HOME = "/root";


     

       
79

       
79

       
 

       
        };


     

       
80

       
80
-1
nixos/modules/programs/venus.nix 
···

       
165

       
165

       
 

       
        script = "exec venus-planet ${configFile}";


     

       
166

       
166

       
 

       
        serviceConfig.User = "${cfg.user}";


     

       
167

       
167

       
 

       
        serviceConfig.Group = "${cfg.group}";


     

       
168

       

       
-

       
        environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";


     

       
169

       
168

       
 

       
        startAt = cfg.dates;


     

       
170

       
169

       
 

       
      };


     

       
171

       
170
-6
nixos/modules/security/ca.nix 
···

       
64

       
64

       
 

       
    # CentOS/Fedora compatibility.


     

       
65

       
65

       
 

       
    environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;


     

       
66

       
66

       
 

       



     

       
67

       

       
-

       
    environment.sessionVariables =


     

       
68

       

       
-

       
      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-certificates.crt";


     

       
69

       

       
-

       
        # FIXME: unneeded - remove eventually.


     

       
70

       

       
-

       
        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-certificates.crt";


     

       
71

       

       
-

       
      };


     

       
72

       

       
-

       



     

       
73

       
67

       
 

       
  };


     

       
74

       
68

       
 

       



     

       
75

       
69

       
 

       
}
+7 -10
nixos/modules/services/continuous-integration/jenkins/default.nix 
···

       
92

       
92

       
 

       
        type = with types; attrsOf str;


     

       
93

       
93

       
 

       
        description = ''


     

       
94

       
94

       
 

       
          Additional environment variables to be passed to the jenkins process.


     

       
95

       

       
-

       
          As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and


     

       
96

       

       
-

       
          GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,


     

       
97

       

       
-

       
          NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to


     

       
98

       

       
-

       
          the value of <option>services.jenkins.home</option>. This option has


     

       
99

       

       
-

       
          precedence and can be used to override those mentioned variables.


     

       

       
95

       
+

       
          As a base environment, jenkins receives NIX_PATH from


     

       

       
96

       
+

       
          <option>environment.sessionVariables</option>, NIX_REMOTE is set to


     

       

       
97

       
+

       
          "daemon" and JENKINS_HOME is set to the value of


     

       

       
98

       
+

       
          <option>services.jenkins.home</option>.


     

       

       
99

       
+

       
          This option has precedence and can be used to override those


     

       

       
100

       
+

       
          mentioned variables.


     

       
100

       
101

       
 

       
        '';


     

       
101

       
102

       
 

       
      };


     

       
102

       
103

       
 

       



     
···

       
136

       
137

       
 

       
      environment =


     

       
137

       
138

       
 

       
        let


     

       
138

       
139

       
 

       
          selectedSessionVars =


     

       
139

       

       
-

       
            lib.filterAttrs (n: v: builtins.elem n


     

       
140

       

       
-

       
                [ "NIX_PATH"


     

       
141

       

       
-

       
                  "SSL_CERT_FILE"


     

       
142

       

       
-

       
                  "GIT_SSL_CAINFO"


     

       
143

       

       
-

       
                ])


     

       

       
140

       
+

       
            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])


     

       
144

       
141

       
 

       
              config.environment.sessionVariables;


     

       
145

       
142

       
 

       
        in


     

       
146

       
143

       
 

       
          selectedSessionVars //
-1
nixos/modules/services/monitoring/dd-agent.nix 
···

       
183

       
183

       
 

       
        Restart = "always";


     

       
184

       
184

       
 

       
        RestartSec = 2;


     

       
185

       
185

       
 

       
      };


     

       
186

       

       
-

       
      environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";


     

       
187

       
186

       
 

       
      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];


     

       
188

       
187

       
 

       
    };


     

       
189

       
188
-1
nixos/modules/services/networking/ddclient.nix 
···

       
127

       
127

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
128

       
128

       
 

       
      after = [ "network.target" ];


     

       
129

       
129

       
 

       



     

       
130

       

       
-

       
      environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";


     

       
131

       
130

       
 

       
      serviceConfig = {


     

       
132

       
131

       
 

       
        # Uncomment this if too many problems occur:


     

       
133

       
132

       
 

       
        # Type = "forking";
-6
nixos/modules/virtualisation/azure-agent.nix 
···

       
156

       
156

       
 

       
      after = [ "ip-up.target" ];


     

       
157

       
157

       
 

       
      wants = [ "ip-up.target" ];


     

       
158

       
158

       
 

       



     

       
159

       

       
-

       
      environment = {


     

       
160

       

       
-

       
        GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";


     

       
161

       

       
-

       
        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";


     

       
162

       

       
-

       
        SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";


     

       
163

       

       
-

       
      };


     

       
164

       

       
-

       



     

       
165

       
159

       
 

       
      path = [ pkgs.e2fsprogs ];


     

       
166

       
160

       
 

       
      description = "Windows Azure Agent Service";


     

       
167

       
161

       
 

       
      unitConfig.ConditionPathExists = "/etc/waagent.conf";
-1
pkgs/applications/networking/cluster/panamax/api/default.nix 
···

       
62

       
62

       
 

       
      --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \


     

       
63

       
63

       
 

       
      --prefix "HOME" : "$out/share/panamax-api" \


     

       
64

       
64

       
 

       
      --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \


     

       
65

       

       
-

       
      --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \


     

       
66

       
65

       
 

       
      --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"


     

       
67

       
66

       
 

       
  '';


     

       
68

       
67
+1 -5
pkgs/applications/networking/instant-messengers/tkabber/default.nix 
···

       
40

       
40

       
 

       
  } // removeAttrs attrs [ "name" "sha256" ]);


     

       
41

       
41

       
 

       



     

       
42

       
42

       
 

       
in mkTkabber (main // {


     

       
43

       

       
-

       
  postPatch = ''


     

       
44

       

       
-

       
    substituteInPlace login.tcl --replace \


     

       
45

       

       
-

       
      "custom::defvar loginconf(sslcacertstore) \"\"" \


     

       
46

       

       
-

       
      "custom::defvar loginconf(sslcacertstore) \$env(SSL_CERT_FILE)"


     

       
47

       

       
-

       
  '' + optionalString (theme != null) ''


     

       

       
43

       
+

       
  postPatch = optionalString (theme != null) ''


     

       
48

       
44

       
 

       
    themePath="$out/share/doc/tkabber/examples/xrdb/${theme}.xrdb"


     

       
49

       
45

       
 

       
    sed -i '/^if.*load_default_xrdb/,/^}$/ {


     

       
50

       
46

       
 

       
      s@option readfile \(\[fullpath [^]]*\]\)@option readfile "'"$themePath"'"@
-12
pkgs/applications/version-management/git-and-tools/git/cert-path.patch 
···

       
1

       

       
-

       
diff -ru -x '*~' git-1.9.2-orig/git-send-email.perl git-1.9.2/git-send-email.perl


     

       
2

       

       
-

       
--- git-1.9.2-orig/git-send-email.perl	2014-04-09 21:09:34.000000000 +0200


     

       
3

       

       
-

       
+++ git-1.9.2/git-send-email.perl	2014-04-16 18:35:05.861132282 +0200


     

       
4

       

       
-

       
@@ -1094,6 +1094,8 @@


     

       
5

       

       
-

       
 		return;


     

       
6

       

       
-

       
 	}


     

       
7

       

       
-

       
 


     

       
8

       

       
-

       
+	$smtp_ssl_cert_path //= $ENV{'SSL_CERT_FILE'};


     

       
9

       

       
-

       
+


     

       
10

       

       
-

       
 	if (!defined $smtp_ssl_cert_path) {


     

       
11

       

       
-

       
 		# use the OpenSSL defaults


     

       
12

       

       
-

       
 		return (SSL_verify_mode => SSL_VERIFY_PEER());
-2
pkgs/applications/version-management/git-and-tools/git/default.nix 
···

       
24

       
24

       
 

       
  patches = [


     

       
25

       
25

       
 

       
    ./docbook2texi.patch


     

       
26

       
26

       
 

       
    ./symlinks-in-bin.patch


     

       
27

       

       
-

       
    ./cert-path.patch


     

       
28

       

       
-

       
    ./ssl-cert-file.patch


     

       
29

       
27

       
 

       
  ];


     

       
30

       
28

       
 

       



     

       
31

       
29

       
 

       
  buildInputs = [curl openssl zlib expat gettext cpio makeWrapper libiconv]
-13
pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch 
···

       
1

       

       
-

       
This patch adds support for the OpenSSL SSL_CERT_FILE environment variable.


     

       
2

       

       
-

       
GIT_SSL_CAINFO still takes precedence.


     

       
3

       

       
-

       



     

       
4

       

       
-

       
--- git-orig/http.c.orig	2014-11-25 23:27:56.000000000 +0100


     

       
5

       

       
-

       
+++ git-orig/http.c	2014-11-25 23:28:48.000000000 +0100


     

       
6

       

       
-

       
@@ -433,6 +433,7 @@


     

       
7

       

       
-

       
 #if LIBCURL_VERSION_NUM >= 0x070908


     

       
8

       

       
-

       
 	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");


     

       
9

       

       
-

       
 #endif


     

       
10

       

       
-

       
+	set_from_env(&ssl_cainfo, "SSL_CERT_FILE");


     

       
11

       

       
-

       
 	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");


     

       
12

       

       
-

       
 


     

       
13

       

       
-

       
 	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");
-2
pkgs/build-support/rust/fetchcargo.nix 
···

       
16

       
16

       
 

       
  outputHashMode = "recursive";


     

       
17

       
17

       
 

       
  outputHash = sha256;


     

       
18

       
18

       
 

       



     

       
19

       

       
-

       
  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";


     

       
20

       

       
-

       



     

       
21

       
19

       
 

       
  impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ];


     

       
22

       
20

       
 

       
  preferLocalBuild = true;


     

       
23

       
21

       
 

       
}
-1
pkgs/development/libraries/gnutls/generic.nix 
···

       
16

       
16

       
 

       
  outputs = [ "out" "man" ];


     

       
17

       
17

       
 

       



     

       
18

       
18

       
 

       
  configureFlags =


     

       
19

       

       
-

       
    # FIXME: perhaps use $SSL_CERT_FILE instead


     

       
20

       
19

       
 

       
    lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"


     

       
21

       
20

       
 

       
  ++ [


     

       
22

       
21

       
 

       
    "--disable-dependency-tracking"
+5 -1
pkgs/development/libraries/openssl/default.nix 
···

       
1

       
1

       
 

       
{ stdenv, fetchurl, perl


     

       
2

       

       
-

       
, withCryptodev ? false, cryptodevHeaders }:


     

       

       
2

       
+

       
, withCryptodev ? false, cryptodevHeaders


     

       

       
3

       
+

       
, defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt" }:


     

       
3

       
4

       
 

       



     

       
4

       
5

       
 

       
with stdenv.lib;


     

       
5

       
6

       
 

       
let


     
···

       
58

       
59

       
 

       



     

       
59

       
60

       
 

       
    # remove dependency on Perl at runtime


     

       
60

       
61

       
 

       
    rm -r $out/etc/ssl/misc $out/bin/c_rehash


     

       

       
62

       
+

       



     

       

       
63

       
+

       
    # configure the default trust store


     

       

       
64

       
+

       
    ${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"}


     

       
61

       
65

       
 

       
  '';


     

       
62

       
66

       
 

       



     

       
63

       
67

       
 

       
  postFixup = ''
-17
pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch 
···

       
1

       

       
-

       
Use $SSL_CERT_FILE to get the CA certificates.


     

       
2

       

       
-

       



     

       
3

       

       
-

       
diff -ru -x '*~' LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm


     

       
4

       

       
-

       
--- LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm	2011-03-27 13:54:01.000000000 +0200


     

       
5

       

       
-

       
+++ LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm	2011-10-07 13:23:41.398628375 +0200


     

       
6

       

       
-

       
@@ -21,6 +21,11 @@


     

       
7

       

       
-

       
     }


     

       
8

       

       
-

       
     if ($ssl_opts{SSL_verify_mode}) {


     

       
9

       

       
-

       
 	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {


     

       
10

       

       
-

       
+            if (defined $ENV{'SSL_CERT_FILE'}) {


     

       
11

       

       
-

       
+                $ssl_opts{SSL_ca_file} = $ENV{'SSL_CERT_FILE'};


     

       
12

       

       
-

       
+            }


     

       
13

       

       
-

       
+        }


     

       
14

       

       
-

       
+	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {


     

       
15

       

       
-

       
 	    eval {


     

       
16

       

       
-

       
 		require Mozilla::CA;


     

       
17

       

       
-

       
 	    };
+1 -5
pkgs/tools/networking/curl/7.15.nix 
···

       
33

       
33

       
 

       
    sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure


     

       
34

       
34

       
 

       
  '';


     

       
35

       
35

       
 

       



     

       
36

       

       
-

       
  # make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE


     

       
37

       

       
-

       
  postConfigure = ''


     

       
38

       

       
-

       
    echo  '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") || getenv("SSL_CERT_FILE"))' >> lib/curl_config.h


     

       
39

       

       
-

       
  '';


     

       
40

       

       
-

       



     

       
41

       
36

       
 

       
  configureFlags = [


     

       

       
37

       
+

       
      "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"


     

       
42

       
38

       
 

       
      ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )


     

       
43

       
39

       
 

       
      ( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" )


     

       
44

       
40

       
 

       
    ]
+1 -5
pkgs/tools/networking/curl/default.nix 
···

       
44

       
44

       
 

       
    rm src/tool_hugehelp.c


     

       
45

       
45

       
 

       
  '';


     

       
46

       
46

       
 

       



     

       
47

       

       
-

       
  # make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE


     

       
48

       

       
-

       
  postConfigure = ''


     

       
49

       

       
-

       
    echo  '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") ? getenv("CURL_CA_BUNDLE") : getenv("SSL_CERT_FILE"))' >> lib/curl_config.h


     

       
50

       

       
-

       
  '';


     

       
51

       

       
-

       



     

       
52

       
47

       
 

       
  configureFlags = [


     

       

       
48

       
+

       
      "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"


     

       
53

       
49

       
 

       
      "--disable-manual"


     

       
54

       
50

       
 

       
      "--with-nghttp2=${libnghttp2}"


     

       
55

       
51

       
 

       
      ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
-1
pkgs/top-level/perl-packages.nix 
···

       
6934

       
6934

       
 

       
      url = mirror://cpan/authors/id/G/GA/GAAS/LWP-Protocol-https-6.04.tar.gz;


     

       
6935

       
6935

       
 

       
      sha256 = "0agnga5dg94222h6rlzqxa0dri2sh3gayncvfb7jad9nxr87gxhy";


     

       
6936

       
6936

       
 

       
    };


     

       
6937

       

       
-

       
    patches = [ ../development/perl-modules/lwp-protocol-https-cert-file.patch ];


     

       
6938

       
6937

       
 

       
    propagatedBuildInputs = [ LWP IOSocketSSL ];


     

       
6939

       
6938

       
 

       
    doCheck = false; # tries to connect to https://www.apache.org/.


     

       
6940

       
6939

       
 

       
    meta = {