From 39c2b6452c02ac7d3b187fc18255ad1a7d1e9e6f Mon Sep 17 00:00:00 2001
From: Vladimír Čunát
Date: Mon, 22 Apr 2019 10:49:11 +0200
Subject: gnutls: respect NIX_SSL_CERT_FILE, same as our openssl

The patch should work fine, regardless of the Darwin patch being applied.
---
 pkgs/development/libraries/gnutls/default.nix | 5 +++--
 .../libraries/gnutls/nix-ssl-cert-file.patch | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch

(limited to 'pkgs/development/libraries/gnutls')

diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index b0ddbbee30c..8a92390ca30 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -30,8 +30,9 @@ stdenv.mkDerivation {
 outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 outputInfo = "devdoc";
 
- # Disable native add_system_trust.
- patches = lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
+ patches = [ ./nix-ssl-cert-file.patch ]
+ # Disable native add_system_trust.
+ ++ lib.optional (isDarwin && !withSecurity) ./no-security-framework.patch;
 
 # Skip some tests:
 # - pkgconfig: building against the result won't work before installing (3.5.11)
diff --git a/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch b/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch
new file mode 100644
index 00000000000..90d1e85ee8c
--- /dev/null
+++ b/pkgs/development/libraries/gnutls/nix-ssl-cert-file.patch
@@ -0,0 +1,19 @@
+allow overriding system trust store location via $NIX_SSL_CERT_FILE
+
+diff --git a/lib/system/certs.c b/lib/system/certs.c
+index 611c645..6ef6edb 100644
+--- a/lib/system/certs.c
++++ b/lib/system/certs.c
+@@ -369,6 +369,11 @@ gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+ unsigned int tl_flags,
+ unsigned int tl_vflags)
+ {
+- return add_system_trust(list, tl_flags|GNUTLS_TL_NO_DUPLICATES, tl_vflags);
++ tl_flags = tl_flags|GNUTLS_TL_NO_DUPLICATES;
++ const char *file = secure_getenv("NIX_SSL_CERT_FILE");
++ return file
++ ? gnutls_x509_trust_list_add_trust_file(
++ list, file, NULL/*CRL*/, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags)
++ : add_system_trust(list, tl_flags, tl_vflags);
+ }
+
-- 
cgit 1.4.1
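Review bot: An empty `NIX_SSL_CERT_FILE` is not treated as unset in the nested certs.c hunk: `secure_getenv` returns a pointer to "" and the ternary then calls gnutls_x509_trust_list_add_trust_file on the path "" instead of falling back to add_system_trust, so `NIX_SSL_CERT_FILE=` presumably ends in a load error rather than the system store; `return (file && *file)` restores the fallback for that case. Choosing secure_getenv over getenv is the right call, because the override is ignored when the process runs with elevated privileges (AT_SECURE), so a caller-controlled environment cannot redirect the trust store of a setuid binary — that property is worth stating in the patch's one-line header, e.g. `allow overriding system trust store location via $NIX_SSL_CERT_FILE (ignored in setuid/AT_SECURE processes via secure_getenv)`. secure_getenv is a glibc/gnulib symbol; unless the GnuTLS tree already supplies a replacement on non-glibc targets, the commit message's claim about Darwin is not confirmed by anything in the hunk. A set variable replaces the system store entirely rather than supplementing it, matching the openssl behaviour the subject cites, and a short comment saying so would save the next maintainer a question. The enclosing function gnutls_x509_trust_list_add_system_trust begins before the nested hunk's first context line.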