Merge pull request #8062 from edolstra/ssl-cert-file

Add a setting for configuring the SSL certificates file
Eelco Dolstra 2023-03-27 15:37:15 +02:00 committed by GitHub
commit 5a0f5b5c34
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 33 additions and 20 deletions


@ -42,14 +42,11 @@ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
> You must not add the export and then do the install, as the Nix > You must not add the export and then do the install, as the Nix
> installer will detect the presence of Nix configuration, and abort. > installer will detect the presence of Nix configuration, and abort.
## `NIX_SSL_CERT_FILE` with macOS and the Nix daemon If you use the Nix daemon, you should also add the following to
`/etc/nix/nix.conf`:
On macOS you must specify the environment variable for the Nix daemon ```
service, then restart it: ssl-cert-file = /etc/ssl/my-certificate-bundle.crt
```console
$ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
$ sudo launchctl kickstart -k system/org.nixos.nix-daemon
``` ```
## Proxy Environment Variables ## Proxy Environment Variables


@ -4,8 +4,6 @@
<dict> <dict>
<key>EnvironmentVariables</key> <key>EnvironmentVariables</key>
<dict> <dict>
<key>NIX_SSL_CERT_FILE</key>
<string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
<key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key> <key>OBJC_DISABLE_INITIALIZE_FORK_SAFETY</key>
<string>YES</string> <string>YES</string>
</dict> </dict>


@ -318,7 +318,7 @@ struct curlFileTransfer : public FileTransfer
if (request.verifyTLS) { if (request.verifyTLS) {
if (settings.caFile != "") if (settings.caFile != "")
curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str()); curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.get().c_str());
} else { } else {
curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0); curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0); curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
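Review bot: The `settings.caFile != ""` guard on the second line of the hunk means an empty `ssl-cert-file` — which is now also what `getDefaultSSLCertFile()` yields when neither well-known bundle exists — leaves CURLOPT_CAINFO unset while peer verification stays enabled, so curl presumably falls back to its compiled-in CA location; the code says nothing about that being intentional. A one-line comment would make the contract explicit, e.g. `// Empty caFile means "no override": curl verifies against its built-in default CA bundle.` If the fallback is not wanted for daemon installs, a debug-level log when caFile is empty would make misconfigured hosts visible rather than silently changing which trust store is used. The enclosing function continues outside the hunk.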


@ -44,14 +44,9 @@ Settings::Settings()
lockCPU = getEnv("NIX_AFFINITY_HACK") == "1"; lockCPU = getEnv("NIX_AFFINITY_HACK") == "1";
allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1"; allowSymlinkedStore = getEnv("NIX_IGNORE_SYMLINK_STORE") == "1";
caFile = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or("")); auto sslOverride = getEnv("NIX_SSL_CERT_FILE").value_or(getEnv("SSL_CERT_FILE").value_or(""));
if (caFile == "") { if (sslOverride != "")
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"}) caFile = sslOverride;
if (pathExists(fn)) {
caFile = fn;
break;
}
}
/* Backwards compatibility. */ /* Backwards compatibility. */
auto s = getEnv("NIX_REMOTE_SYSTEMS"); auto s = getEnv("NIX_REMOTE_SYSTEMS");
@ -175,6 +170,13 @@ bool Settings::isWSL1()
return hasSuffix(utsbuf.release, "-Microsoft"); return hasSuffix(utsbuf.release, "-Microsoft");
} }
Path Settings::getDefaultSSLCertFile()
{
for (auto & fn : {"/etc/ssl/certs/ca-certificates.crt", "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"})
if (pathExists(fn)) return fn;
return "";
}
const std::string nixVersion = PACKAGE_VERSION; const std::string nixVersion = PACKAGE_VERSION;
NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, { NLOHMANN_JSON_SERIALIZE_ENUM(SandboxMode, {
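Review bot: `getDefaultSSLCertFile()` in the second hunk returns `""` when neither candidate bundle exists, and nothing records that this fallback was taken, so a host without either file ends up verifying TLS against whatever CA location curl was built with (see the `caFile != ""` guard in filetransfer.cc) without any indication in Nix itself. A short header comment would make the contract clear, e.g. `/* Return the first well-known CA bundle that exists, or "" to defer to curl's default trust store. */`, and a debug-level message on the `return "";` path would make the silent case observable. The first hunk is otherwise a faithful move of the env-variable handling, with the candidate list now living only in this helper.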


@ -63,6 +63,8 @@ class Settings : public Config {
bool isWSL1(); bool isWSL1();
Path getDefaultSSLCertFile();
public: public:
Settings(); Settings();
@ -825,8 +827,22 @@ public:
> `.netrc`. > `.netrc`.
)"}; )"};
/* Path to the SSL CA file used */ Setting<Path> caFile{
Path caFile; this, getDefaultSSLCertFile(), "ssl-cert-file",
R"(
The path of a file containing CA certificates used to
authenticate `https://` downloads. Nix by default will use
the first of the following files that exists:
1. `/etc/ssl/certs/ca-certificates.crt`
2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
The path can be overridden by the following environment
variables, in order of precedence:
1. `NIX_SSL_CERT_FILE`
2. `SSL_CERT_FILE`
)"};
#if __linux__ #if __linux__
Setting<bool> filterSyscalls{ Setting<bool> filterSyscalls{
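Review bot: The new description text beginning `The path can be overridden by the following environment variables` implies the environment wins, but the override is applied in `Settings::Settings()`, so if configuration files are parsed after construction a `ssl-cert-file` entry in `nix.conf` would take precedence over `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` — the reverse of what a reader takes from the doc; please confirm the load order and state it explicitly, e.g. "The environment variables set the initial value; an explicit setting in a configuration file takes precedence." (or the converse if the order turns out otherwise). The earlier hunk declares `Path getDefaultSSLCertFile();` as a non-static member, yet it is invoked from `caFile`'s initializer before the constructor body runs and uses no instance state; declaring it `static Path getDefaultSSLCertFile();` documents that ordering constraint instead of leaving it implicit. The class body continues outside the hunk.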