fetchurl: revert enabling TLS verification when NIX_SSL_CERT_FILE
This reverts commit f829274128.
parent
f251273e41
commit
31ab653f7e
@ -19,8 +19,7 @@ curl=(
|
|||||||
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
--user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
|
||||||
)
|
)
|
||||||
|
|
||||||
# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
|
if ! [ -f "$SSL_CERT_FILE" ]; then
|
||||||
if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
|
|
||||||
curl+=(--insecure)
|
curl+=(--insecure)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
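Review bot: The restored `if ! [ -f "$SSL_CERT_FILE" ]` test adds `--insecure` for any value that is not a regular file, so an unset variable, a typo in the path or a CA bundle missing from the build environment turns certificate verification off with no trace in the build log. In that state the fixed-output hash is the only protection on the download, and the request itself (URL and headers) goes to an unauthenticated peer. I would log the downgrade inside the branch, for example `echo "fetchurl: '$SSL_CERT_FILE' is not a file, TLS verification disabled" >&2`, and add a comment above the test saying that `/no-cert-file.crt` is the deliberate opt-out value set from the Nix side. The script continues before and after this hunk, so how `SSL_CERT_FILE` may otherwise be set is not visible here.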
|
@ -220,26 +220,20 @@ stdenvNoCC.mkDerivation (
|
|||||||
# New-style output content requirements.
|
# New-style output content requirements.
|
||||||
inherit (hash_) outputHashAlgo outputHash;
|
inherit (hash_) outputHashAlgo outputHash;
|
||||||
|
|
||||||
|
# Disable TLS verification only when we know the hash and no credentials are
|
||||||
|
# needed to access the resource
|
||||||
SSL_CERT_FILE =
|
SSL_CERT_FILE =
|
||||||
let
|
if
|
||||||
nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
|
|
||||||
in
|
|
||||||
if nixSSLCertFile != "" then
|
|
||||||
nixSSLCertFile
|
|
||||||
else if
|
|
||||||
(
|
(
|
||||||
hash_.outputHash == ""
|
hash_.outputHash == ""
|
||||||
|| hash_.outputHash == lib.fakeSha256
|
|| hash_.outputHash == lib.fakeSha256
|
||||||
|| hash_.outputHash == lib.fakeSha512
|
|| hash_.outputHash == lib.fakeSha512
|
||||||
|| hash_.outputHash == lib.fakeHash
|
|| hash_.outputHash == lib.fakeHash
|
||||||
# Make sure we always enforce TLS verification when credentials
|
|
||||||
# are needed to access the resource
|
|
||||||
|| netrcPhase != null
|
|| netrcPhase != null
|
||||||
)
|
)
|
||||||
then
|
then
|
||||||
"${cacert}/etc/ssl/certs/ca-bundle.crt"
|
"${cacert}/etc/ssl/certs/ca-bundle.crt"
|
||||||
else
|
else
|
||||||
# Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
|
|
||||||
"/no-cert-file.crt";
|
"/no-cert-file.crt";
|
||||||
|
|
||||||
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
|
||||||
|
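Review bot: The `"/no-cert-file.crt"` fallback and the `|| netrcPhase != null` clause are left without any comment, because the removed lines were the only ones explaining that the clause forces the CA bundle whenever credentials are sent. The guard treats `netrcPhase` as the only sign that credentials are in play. Whether secrets can reach curl another way, such as extra curl options or impure environment variables, is not visible in this hunk; if they can, those requests would run with verification off whenever a real hash is set. I would keep a comment on the clause, `# credentials are sent: always verify the peer`, and one on the fallback, `# sentinel: the builder adds --insecure when this path is not a file; integrity then rests on outputHash alone`. The `SSL_CERT_FILE` attribute is complete in the hunk, but the enclosing `stdenvNoCC.mkDerivation` call starts and ends outside it.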