From fb2dd3210072a03526e881cd2547cf4c2df4ba52 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 13 Oct 2016 17:09:10 +0200
Subject: [PATCH] SSL_CERT_FILE -> NIX_SSL_CERT_FILE
This prevents collisions with the "native" OpenSSL, in particular on OS X. Fixes #921.
---
 misc/docker/Dockerfile | 4 ++--
 misc/launchd/org.nixos.nix-daemon.plist.in | 2 +-
 scripts/install-nix-from-closure.sh | 4 ++--
 scripts/nix-profile.sh.in | 14 +++++++-------
 src/libstore/download.cc | 3 ++-
 5 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/misc/docker/Dockerfile b/misc/docker/Dockerfile
index 20171d250..7b2865c94 100644
--- a/misc/docker/Dockerfile
+++ b/misc/docker/Dockerfile
@@ -13,11 +13,11 @@ ONBUILD ENV \
 ENV=/etc/profile \
 PATH=/root/.nix-profile/bin:/root/.nix-profile/sbin:/bin:/sbin:/usr/bin:/usr/sbin \
 GIT_SSL_CAINFO=/root/.nix-profile/etc/ssl/certs/ca-bundle.crt \
- SSL_CERT_FILE=/root/.nix-profile/etc/ssl/certs/ca-bundle.crt
+ NIX_SSL_CERT_FILE=/root/.nix-profile/etc/ssl/certs/ca-bundle.crt
 ENV \
 ENV=/etc/profile \
 PATH=/root/.nix-profile/bin:/root/.nix-profile/sbin:/bin:/sbin:/usr/bin:/usr/sbin \
 GIT_SSL_CAINFO=/root/.nix-profile/etc/ssl/certs/ca-bundle.crt \
- SSL_CERT_FILE=/root/.nix-profile/etc/ssl/certs/ca-bundle.crt \
+ NIX_SSL_CERT_FILE=/root/.nix-profile/etc/ssl/certs/ca-bundle.crt \
 NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/
diff --git a/misc/launchd/org.nixos.nix-daemon.plist.in b/misc/launchd/org.nixos.nix-daemon.plist.in
index 0dd665db6..c5ef97ee9 100644
--- a/misc/launchd/org.nixos.nix-daemon.plist.in
+++ b/misc/launchd/org.nixos.nix-daemon.plist.in
@@ -14,7 +14,7 @@
 /dev/null
 EnvironmentVariables
- SSL_CERT_FILE
+ NIX_SSL_CERT_FILE
 /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
index a6b764bcb..3b8c97ed2 100644
--- a/scripts/install-nix-from-closure.sh
+++ b/scripts/install-nix-from-closure.sh
@@ -76,9 +76,9 @@ if ! $nix/bin/nix-env -i "$nix"; then
 fi
 # Install an SSL certificate bundle.
-if [ -z "$SSL_CERT_FILE" -o ! -f "$SSL_CERT_FILE" ]; then
+if [ -z "$NIX_SSL_CERT_FILE" -o ! -f "$NIX_SSL_CERT_FILE" ]; then
 $nix/bin/nix-env -i "$cacert"
- export SSL_CERT_FILE="$HOME/.nix-profile/etc/ssl/certs/ca-bundle.crt"
+ export NIX_SSL_CERT_FILE="$HOME/.nix-profile/etc/ssl/certs/ca-bundle.crt"
 fi
 # Subscribe the user to the Nixpkgs channel and fetch it.
diff --git a/scripts/nix-profile.sh.in b/scripts/nix-profile.sh.in
index 41111848b..3cdf43104 100644
--- a/scripts/nix-profile.sh.in
+++ b/scripts/nix-profile.sh.in
@@ -66,19 +66,19 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
 fi
 done
- # Set $SSL_CERT_FILE so that Nixpkgs applications like curl work.
+ # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
 if [ -e /etc/ssl/certs/ca-certificates.crt ]; then # NixOS, Ubuntu, Debian, Gentoo, Arch
- export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
 elif [ -e /etc/ssl/ca-bundle.pem ]; then # openSUSE Tumbleweed
- export SSL_CERT_FILE=/etc/ssl/ca-bundle.pem
+ export NIX_SSL_CERT_FILE=/etc/ssl/ca-bundle.pem
 elif [ -e /etc/ssl/certs/ca-bundle.crt ]; then # Old NixOS
- export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
+ export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
 elif [ -e /etc/pki/tls/certs/ca-bundle.crt ]; then # Fedora, CentOS
- export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
+ export NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
 elif [ -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" ]; then # fall back to cacert in Nix profile
- export SSL_CERT_FILE="$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
+ export NIX_SSL_CERT_FILE="$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
 elif [ -e "$NIX_LINK/etc/ca-bundle.crt" ]; then # old cacert in Nix profile
- export SSL_CERT_FILE="$NIX_LINK/etc/ca-bundle.crt"
+ export NIX_SSL_CERT_FILE="$NIX_LINK/etc/ca-bundle.crt"
 fi
 if [ -n ${MANPATH} ]; then
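Review bot: In scripts/install-nix-from-closure.sh the renamed test still joins its two conditions with `-o` inside a single `[`, a form POSIX marks obsolescent because the parse can become ambiguous for some operand values; two separate tests say the same thing without that risk: `if [ -z "$NIX_SSL_CERT_FILE" ] || [ ! -f "$NIX_SSL_CERT_FILE" ]; then`. The branch also exports the profile path immediately after `nix-env -i "$cacert"` without looking at its exit status. Whether the script runs under `set -e` is outside this hunk; if it does not, a failed install would leave NIX_SSL_CERT_FILE pointing at a bundle that is not there.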
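Review bot: The `if`/`elif` chain in scripts/nix-profile.sh.in assigns NIX_SSL_CERT_FILE whenever one of the listed bundles exists, so a value the user exported before sourcing the profile (a site-specific CA bundle, for instance) is silently replaced and Nix then verifies against a different trust store than the one asked for. Since the new name is Nix-specific, an opening branch that keeps a non-empty value would make the override stick: `if [ -n "${NIX_SSL_CERT_FILE:-}" ]; then :` followed by `elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then`. The comment above the chain still promises that "Nixpkgs applications like curl work", while this commit only shows Nix's own downloader reading the new name; the comment should state which programs are expected to honour it.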
diff --git a/src/libstore/download.cc b/src/libstore/download.cc
index b228cd0b4..337ebc9bf 100644
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@@ -210,7 +210,8 @@ struct CurlDownloader : public Downloader
 curl_easy_setopt(req, CURLOPT_NOBODY, 1);
 if (request.verifyTLS)
- curl_easy_setopt(req, CURLOPT_CAINFO, getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt").c_str());
+ curl_easy_setopt(req, CURLOPT_CAINFO,
+ getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt")).c_str());
 else {
 curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
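Review bot: The nested `getEnv` call leaves the CA-bundle precedence undocumented, and it matters because the resulting path is the trust anchor for every verified download: NIX_SSL_CERT_FILE wins, then the legacy SSL_CERT_FILE, then the hard-coded default. A comment above the call would record that and why the old name is still consulted, e.g. `// CA bundle: NIX_SSL_CERT_FILE, else legacy SSL_CERT_FILE (backward compatibility), else the default path.` If `getEnv` returns a set-but-empty variable as-is (its definition is not in this hunk), an empty NIX_SSL_CERT_FILE would mask both fallbacks and pass curl an empty path, so treating empty as unset may be worth it. The enclosing function starts and ends outside the hunk.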