Merge pull request #24203 from layus/nix-ssl-cert-file

git, curl, openssl: Refactor $NIX_SSL_CERT_FILE handling

pkgs/applications/version-management/git-and-tools/git/default.nix

@@ -30,7 +30,6 @@ stdenv.mkDerivation {
     ./symlinks-in-bin.patch
     ./git-sh-i18n.patch
     ./ssh-path.patch
-    ./ssl-cert-file.patch
   ];
 
   postPatch = ''

pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch

@@ -1,14 +0,0 @@
-diff -ru git-2.7.4-orig/http.c git-2.7.4/http.c
---- git-2.7.4-orig/http.c	2016-03-17 21:47:59.000000000 +0100
-+++ git-2.7.4/http.c	2016-04-12 11:38:33.187070848 +0200
-@@ -544,6 +544,10 @@
- #if LIBCURL_VERSION_NUM >= 0x070908
- 	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
- #endif
-+	if (getenv("NIX_SSL_CERT_FILE"))
-+	  set_from_env(&ssl_cainfo, "NIX_SSL_CERT_FILE");
-+	else
-+	  set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
- 	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
- 
- 	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");

pkgs/development/libraries/openssl/default.nix

@@ -20,7 +20,8 @@ let
     patches =
       (args.patches or [])
       ++ [ ./nix-ssl-cert-file.patch ]
-      ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch
+      ++ optional (versionOlder version "1.1.0")
+          (if stdenv.isDarwin then ./use-etc-ssl-certs-darwin.patch else ./use-etc-ssl-certs.patch)
       ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch
       ++ optional
            (versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem")))

pkgs/development/libraries/openssl/use-etc-ssl-certs-darwin.patch

@@ -0,0 +1,13 @@
+diff -ru -x '*~' openssl-1.0.1r-orig/crypto/cryptlib.h openssl-1.0.1r/crypto/cryptlib.h
+--- openssl-1.0.1r-orig/crypto/cryptlib.h	2016-01-28 14:38:30.000000000 +0100
++++ openssl-1.0.1r/crypto/cryptlib.h	2016-02-03 12:54:29.193165176 +0100
+@@ -81,8 +81,8 @@
+ 
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+ #  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#  define X509_CERT_FILE          "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ # else
+ #  define X509_CERT_AREA          "SSLROOT:[000000]"

pkgs/tools/networking/curl/default.nix

@@ -28,8 +28,6 @@ stdenv.mkDerivation rec {
     sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
   };
 
-  patches = [ ./nix-ssl-cert-file.patch ];
-
   outputs = [ "bin" "dev" "out" "man" "devdoc" ];
 
   enableParallelBuilding = true;
@@ -57,9 +55,7 @@ stdenv.mkDerivation rec {
   '';
 
   configureFlags = [
-      # OS X does not have a default system bundle, so we assume cacerts is installed in the default nix-env profile
-      # This sucks. We should probably just include the latest cacerts in the darwin bootstrap.
-      "--with-ca-bundle=${if stdenv.isDarwin then "/nix/var/nix/profiles/default" else ""}/etc/ssl/certs/ca-${if stdenv.isDarwin then "bundle" else "certificates"}.crt"
+      "--with-ca-fallback"
       "--disable-manual"
       ( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
       ( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )

pkgs/tools/networking/curl/nix-ssl-cert-file.patch

@@ -1,14 +0,0 @@
-diff -ru -x '*~' curl-7.50.3-orig/src/tool_operate.c curl-7.50.3/src/tool_operate.c
---- curl-7.50.3-orig/src/tool_operate.c	2016-09-06 23:25:06.000000000 +0200
-+++ curl-7.50.3/src/tool_operate.c	2016-10-14 11:51:48.999943142 +0200
-@@ -269,7 +269,9 @@
-         capath_from_env = true;
-       }
-       else {
--        env = curlx_getenv("SSL_CERT_FILE");
-+        env = curlx_getenv("NIX_SSL_CERT_FILE");
-+        if(!env)
-+          env = curlx_getenv("SSL_CERT_FILE");
-         if(env) {
-           config->cacert = strdup(env);
-           if(!config->cacert) {