Configure a default trust store for openssl

nixos/modules/installer/tools/auto-upgrade.nix

@@ -74,7 +74,7 @@ let cfg = config.system.autoUpgrade; in
       serviceConfig.Type = "oneshot";
 
       environment = config.nix.envVars //
-        { inherit (config.environment.sessionVariables) NIX_PATH SSL_CERT_FILE;
+        { inherit (config.environment.sessionVariables) NIX_PATH;
           HOME = "/root";
         };
 

nixos/modules/programs/venus.nix

@@ -165,7 +165,6 @@ in
         script = "exec venus-planet ${configFile}";
         serviceConfig.User = "${cfg.user}";
         serviceConfig.Group = "${cfg.group}";
-        environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
         startAt = cfg.dates;
       };
 

nixos/modules/security/ca.nix

@@ -64,12 +64,6 @@ in
     # CentOS/Fedora compatibility.
     environment.etc."pki/tls/certs/ca-bundle.crt".source = caCertificates;
 
-    environment.sessionVariables =
-      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-certificates.crt";
-        # FIXME: unneeded - remove eventually.
-        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-certificates.crt";
-      };
-
   };
 
 }

nixos/modules/services/continuous-integration/jenkins/default.nix

@@ -92,11 +92,12 @@ in {
         type = with types; attrsOf str;
         description = ''
           Additional environment variables to be passed to the jenkins process.
-          As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
-          GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
-          NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
-          the value of <option>services.jenkins.home</option>. This option has
-          precedence and can be used to override those mentioned variables.
+          As a base environment, jenkins receives NIX_PATH from
+          <option>environment.sessionVariables</option>, NIX_REMOTE is set to
+          "daemon" and JENKINS_HOME is set to the value of
+          <option>services.jenkins.home</option>.
+          This option has precedence and can be used to override those
+          mentioned variables.
         '';
       };
 
@@ -136,11 +137,7 @@ in {
       environment =
         let
           selectedSessionVars =
-            lib.filterAttrs (n: v: builtins.elem n
-                [ "NIX_PATH"
-                  "SSL_CERT_FILE"
-                  "GIT_SSL_CAINFO"
-                ])
+            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
               config.environment.sessionVariables;
         in
           selectedSessionVars //

nixos/modules/services/monitoring/dd-agent.nix

@@ -183,7 +183,6 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
-      environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
       restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
     };
 

nixos/modules/services/networking/ddclient.nix

@@ -127,7 +127,6 @@ in
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
 
-      environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
       serviceConfig = {
         # Uncomment this if too many problems occur:
         # Type = "forking";

nixos/modules/virtualisation/azure-agent.nix

@@ -156,12 +156,6 @@ in
       after = [ "ip-up.target" ];
       wants = [ "ip-up.target" ];
 
-      environment = {
-        GIT_SSL_CAINFO = "/etc/ssl/certs/ca-certificates.crt";
-        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
-        SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
-      };
-
       path = [ pkgs.e2fsprogs ];
       description = "Windows Azure Agent Service";
       unitConfig.ConditionPathExists = "/etc/waagent.conf";

pkgs/applications/networking/cluster/panamax/api/default.nix

@@ -62,7 +62,6 @@ stdenv.mkDerivation rec {
       --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
       --prefix "HOME" : "$out/share/panamax-api" \
       --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
-      --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \
       --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
   '';
 

pkgs/applications/networking/instant-messengers/tkabber/default.nix

@@ -40,11 +40,7 @@ let
   } // removeAttrs attrs [ "name" "sha256" ]);
 
 in mkTkabber (main // {
-  postPatch = ''
-    substituteInPlace login.tcl --replace \
-      "custom::defvar loginconf(sslcacertstore) \"\"" \
-      "custom::defvar loginconf(sslcacertstore) \$env(SSL_CERT_FILE)"
-  '' + optionalString (theme != null) ''
+  postPatch = optionalString (theme != null) ''
     themePath="$out/share/doc/tkabber/examples/xrdb/${theme}.xrdb"
     sed -i '/^if.*load_default_xrdb/,/^}$/ {
       s@option readfile \(\[fullpath [^]]*\]\)@option readfile "'"$themePath"'"@

pkgs/applications/version-management/git-and-tools/git/cert-path.patch

@@ -1,12 +0,0 @@
-diff -ru -x '*~' git-1.9.2-orig/git-send-email.perl git-1.9.2/git-send-email.perl
---- git-1.9.2-orig/git-send-email.perl	2014-04-09 21:09:34.000000000 +0200
-+++ git-1.9.2/git-send-email.perl	2014-04-16 18:35:05.861132282 +0200
-@@ -1094,6 +1094,8 @@
- 		return;
- 	}
- 
-+	$smtp_ssl_cert_path //= $ENV{'SSL_CERT_FILE'};
-+
- 	if (!defined $smtp_ssl_cert_path) {
- 		# use the OpenSSL defaults
- 		return (SSL_verify_mode => SSL_VERIFY_PEER());

pkgs/applications/version-management/git-and-tools/git/default.nix

@@ -24,8 +24,6 @@ stdenv.mkDerivation {
   patches = [
     ./docbook2texi.patch
     ./symlinks-in-bin.patch
-    ./cert-path.patch
-    ./ssl-cert-file.patch
   ];
 
   buildInputs = [curl openssl zlib expat gettext cpio makeWrapper libiconv]

pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch

@@ -1,13 +0,0 @@
-This patch adds support for the OpenSSL SSL_CERT_FILE environment variable.
-GIT_SSL_CAINFO still takes precedence.
-
---- git-orig/http.c.orig	2014-11-25 23:27:56.000000000 +0100
-+++ git-orig/http.c	2014-11-25 23:28:48.000000000 +0100
-@@ -433,6 +433,7 @@
- #if LIBCURL_VERSION_NUM >= 0x070908
- 	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
- #endif
-+	set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
- 	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
- 
- 	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");

pkgs/build-support/rust/fetchcargo.nix

@@ -16,8 +16,6 @@ stdenv.mkDerivation {
   outputHashMode = "recursive";
   outputHash = sha256;
 
-  SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
-
   impureEnvVars = [ "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy" ];
   preferLocalBuild = true;
 }

pkgs/development/libraries/gnutls/generic.nix

@@ -16,7 +16,6 @@ stdenv.mkDerivation {
   outputs = [ "out" "man" ];
 
   configureFlags =
-    # FIXME: perhaps use $SSL_CERT_FILE instead
     lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
   ++ [
     "--disable-dependency-tracking"

pkgs/development/libraries/openssl/default.nix

@@ -1,5 +1,6 @@
 { stdenv, fetchurl, perl
-, withCryptodev ? false, cryptodevHeaders }:
+, withCryptodev ? false, cryptodevHeaders
+, defaultCertificate ? "/etc/ssl/certs/ca-certificates.crt" }:
 
 with stdenv.lib;
 let
@@ -58,6 +59,9 @@ stdenv.mkDerivation rec {
 
     # remove dependency on Perl at runtime
     rm -r $out/etc/ssl/misc $out/bin/c_rehash
+
+    # configure the default trust store
+    ${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"}
   '';
 
   postFixup = ''

pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch

@@ -1,17 +0,0 @@
-Use $SSL_CERT_FILE to get the CA certificates.
-
-diff -ru -x '*~' LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm
---- LWP-Protocol-https-6.02-orig/lib/LWP/Protocol/https.pm	2011-03-27 13:54:01.000000000 +0200
-+++ LWP-Protocol-https-6.02/lib/LWP/Protocol/https.pm	2011-10-07 13:23:41.398628375 +0200
-@@ -21,6 +21,11 @@
-     }
-     if ($ssl_opts{SSL_verify_mode}) {
- 	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
-+            if (defined $ENV{'SSL_CERT_FILE'}) {
-+                $ssl_opts{SSL_ca_file} = $ENV{'SSL_CERT_FILE'};
-+            }
-+        }
-+	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
- 	    eval {
- 		require Mozilla::CA;
- 	    };

pkgs/tools/networking/curl/7.15.nix

@@ -33,12 +33,8 @@ stdenv.mkDerivation rec {
     sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure
   '';
 
-  # make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE
-  postConfigure = ''
-    echo  '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") || getenv("SSL_CERT_FILE"))' >> lib/curl_config.h
-  '';
-
   configureFlags = [
+      "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
       ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )
       ( if scpSupport then "--with-libssh2=${libssh2}" else "--without-libssh2" )
     ]

pkgs/tools/networking/curl/default.nix

@@ -44,12 +44,8 @@ stdenv.mkDerivation rec {
     rm src/tool_hugehelp.c
   '';
 
-  # make curl honor CURL_CA_BUNDLE & SSL_CERT_FILE
-  postConfigure = ''
-    echo  '#define CURL_CA_BUNDLE (getenv("CURL_CA_BUNDLE") ? getenv("CURL_CA_BUNDLE") : getenv("SSL_CERT_FILE"))' >> lib/curl_config.h
-  '';
-
   configureFlags = [
+      "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
       "--disable-manual"
       "--with-nghttp2=${libnghttp2}"
       ( if sslSupport then "--with-ssl=${openssl}" else "--without-ssl" )

pkgs/top-level/perl-packages.nix

@@ -6934,7 +6934,6 @@ let self = _self // overrides; _self = with self; {
       url = mirror://cpan/authors/id/G/GA/GAAS/LWP-Protocol-https-6.04.tar.gz;
       sha256 = "0agnga5dg94222h6rlzqxa0dri2sh3gayncvfb7jad9nxr87gxhy";
     };
-    patches = [ ../development/perl-modules/lwp-protocol-https-cert-file.patch ];
     propagatedBuildInputs = [ LWP IOSocketSSL ];
     doCheck = false; # tries to connect to https://www.apache.org/.
     meta = {