3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

23 commits

Author SHA1 Message Date
Franz Pletz 0d59fc1169
cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.

Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
2016-10-09 02:00:18 +02:00
Leroy Hopson 24d5d28820 cacert: fix formatting of example 2016-02-27 22:25:39 +13:00
Guillaume Maudoux 9f358f809d Configure a default trust store for openssl 2016-02-03 12:42:01 +01:00
Eelco Dolstra bfebc7342e Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt 2016-01-29 02:32:05 +01:00
William A. Kennington III 8e19ac8d7c Merge branch 'master.upstream' into staging.upstream 2015-06-17 11:57:40 -07:00
Eelco Dolstra 6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
William A. Kennington III 9d6555dc0a Merge branch 'master.upstream' into staging.upstream 2015-06-06 12:04:42 -07:00
William A. Kennington III ffd0539eba cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out 2015-06-05 13:00:52 -07:00
William A. Kennington III 867d2c5c46 openssl: Remove References to OPENSSL_X509_CERT_FILE 2015-05-31 15:50:51 -07:00
William A. Kennington III d6cbb061e3 cacert: Build directly from nss instead of our own tarball 2015-05-29 13:52:07 -07:00
Eelco Dolstra 5092d625d6 /etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt
Even though there is no "official" standard location, it's better to
stick to what most distros are using.
2015-02-15 19:06:31 +01:00
Eelco Dolstra 75e1b5e317 Provide symlinks to ca-bundle.crt for compat with other distros
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
2015-02-15 19:06:31 +01:00
Eelco Dolstra d2bfb5ceb0 Add options for installing additional root certificates 2015-02-05 18:08:35 +01:00
wmertens 3cecef15d7 Revert $GIT_SSL_CAINFO removal
Users have an older git in their user environment and it doesn't work without it. We should keep it around for a while.
2014-12-01 23:07:50 +01:00
Wout Mertens 72b81cf8bb Remove unnecessary $GIT_SSL_CAINFO from sys env 2014-11-26 00:30:07 +01:00
Eelco Dolstra 36f99a9a82 Set $SSL_CERT_FILE
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
2014-07-28 19:09:32 +02:00
Eelco Dolstra f5055e2ef6 Rename environment.systemVariables -> environment.sessionVariables
This makes it clearer that they're part of PAM sessions.
2014-06-13 17:57:04 +02:00
Eelco Dolstra 8ae659f16c Revert "Revert "Merge #2692: Use pam_env to properly setup system-wide env""
This reverts commit 491c088731.
2014-06-10 13:07:10 +02:00
Eelco Dolstra 491c088731 Revert "Merge #2692: Use pam_env to properly setup system-wide env"
This reverts commit 18a0cdd864.
2014-06-10 13:03:44 +02:00
Vladimír Čunát 18a0cdd864 Merge #2692: Use pam_env to properly setup system-wide env 2014-06-10 11:42:59 +02:00
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Eelco Dolstra 9c616e3bf4 Remove /etc/ca-bundle.crt
Applications should use /etc/ssl/certs/ca-bundle.crt instead.
2014-02-11 17:13:36 +01:00
Eelco Dolstra 5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00
Renamed from modules/security/ca.nix (Browse further)