Merge pull request #24203 from layus/nix-ssl-cert-file

git, curl, openssl: Refactor $NIX_SSL_CERT_FILE handling
This commit is contained in:
Eelco Dolstra 2017-03-22 13:40:57 +01:00 committed by GitHub
commit f0875982d1
6 changed files with 16 additions and 35 deletions

View File

@ -30,7 +30,6 @@ stdenv.mkDerivation {
./symlinks-in-bin.patch
./git-sh-i18n.patch
./ssh-path.patch
./ssl-cert-file.patch
];
postPatch = ''

View File

@ -1,14 +0,0 @@
diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c
--- git-2.7.4-orig/http.c 2016-03-17 21:47:59.000000000 +0100
+++ git-2.7.4/http.c 2016-04-12 11:38:33.187070848 +0200
@@ -544,6 +544,10 @@
#if LIBCURL_VERSION_NUM >= 0x070908
set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
#endif
+ if (getenv("NIX_SSL_CERT_FILE"))
+ set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");
+ else
+ set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");

View File

@ -20,7 +20,8 @@ let
patches =
(args.patches or [])
++ [ ./nix-ssl-cert-file.patch ]
++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch
++ optional (versionOlder version "1.1.0")
(if stdenv.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
++ optional
(versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")))

View File

@ -0,0 +1,13 @@
diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
--- openssl-1.0.1r-orig/crypto/cryptlib.h 2016-01-28 14:38:30.000000000 +0100
+++ openssl-1.0.1r/crypto/cryptlib.h 2016-02-03 12:54:29.193165176 +0100
@@ -81,8 +81,8 @@
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
# define X509_CERT_DIR OPENSSLDIR "/certs"
-# define X509_CERT_FILE OPENSSLDIR "/cert.pem"
+# define X509_CERT_FILE "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
# define X509_PRIVATE_DIR OPENSSLDIR "/private"
# else
# define X509_CERT_AREA "SSLROOT:[000000]"

View File

@ -28,8 +28,6 @@ stdenv.mkDerivation rec {
sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
};
patches = [ ./nix-ssl-cert-file.patch ];
outputs = [ "bin" "dev" "out" "man" "devdoc" ];
enableParallelBuilding = true;
@ -57,9 +55,7 @@ stdenv.mkDerivation rec {
'';
configureFlags = [
# OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile
# This sucks. We should probably just include the latest cacerts in the darwin bootstrap.
"--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"
"--with-ca-fallback"
"--disable-manual"
( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )

View File

@ -1,14 +0,0 @@
diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c
--- curl-7.50.3-orig/src/tool_operate.c 2016-09-06 23:25:06.000000000 +0200
+++ curl-7.50.3/src/tool_operate.c 2016-10-14 11:51:48.999943142 +0200
@@ -269,7 +269,9 @@
capath_from_env = true;
}
else {
- env = curlx_getenv("SSL_CERT_FILE");
+ env = curlx_getenv("NIX_SSL_CERT_FILE");
+ if(!env)
+ env = curlx_getenv("SSL_CERT_FILE");
if(env) {
config->cacert = strdup(env);
if(!config->cacert) {