Kill SSL_CERT_FILE (aka fix openssl/curl config) #12748
Conversation
Using a mass-rebuild config change isn't very good for non-NixOS Linux systems (for Darwin it would be probably fine). I thought we would still honor SSL_CERT_FILE (or a similar variable) and leave it undefined on NixOS.
My comment about changing the config is mostly about darwin indeed, because @zimbatm mentioned "issues" on darwin (#8486 (comment)) with respect to SSL_CERT_FILE (@zimbatm, would you mind elaborating?), and because it may be better to have no configured default path than a security-related symlink pointing to a nonexistent path. SSL_CERT_FILE is still available if you want to override the default location for openssl, just as the '--cacert' option to curl, the '-CAfile' option to openssl, the '--ca-certificate' option to wget, etc. However, what you suggest is, on top of the default location configured in the binaries themselves, to make all these executables honour the SSL_CERT_FILE env variable. So, fixing the default path fixes NixOS services, and using NIX_CERT_FILE fixes non-NixOS distros. I think we need both mechanisms. Do we agree on the following priority order (from low to high precedence):
To be "Nix-way compliant", a derivation would then need to default to /etc/ssl/certs/ca-certificates.crt and honour NIX_CERT_FILE. I still think that the default path (/etc/ssl/certs/ca-certificates.crt) should be defined in stdenv, according to the platform/architecture, but independently of the usage of NixOS. On the other hand, if we agree that /etc/ssl/certs/ca-certificates.crt is stable enough and will not change in the long run, we can add it to systemd.globalEnvironment.
One problem is that this creates a source of impurity: a Nix package that uses OpenSSL at build time might access certificates (at build time) that are not explicitly defined as an input, via
@@ -58,6 +59,9 @@ stdenv.mkDerivation rec { | |||
|
|||
# remove dependency on Perl at runtime | |||
rm -r $out/etc/ssl/misc $out/bin/c_rehash | |||
|
|||
# configure the default trust store | |||
${optionalString (defaultCertificate != null) "ln -s ${defaultCertificate} $out/etc/ssl/cert.pem"} |
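Review bot: The link created by `ln -s ${defaultCertificate} $out/etc/ssl/cert.pem` is necessarily dangling inside the build sandbox (the default target /etc/ssl/certs/ca-certificates.crt is not visible there) and stays dangling on any host that lacks that file, so the `# configure the default trust store` comment should say that OpenSSL then has no default trust store at all and will fail verification rather than trust anything; that is the "symlink pointing to a nonexistent path" concern raised above and deserves a line in the option's description. Also, `${defaultCertificate}` is string interpolation: if a caller passes a Nix path literal instead of a string, the file is copied into the store and the link stops tracking the system bundle, so the option should document that it expects a string.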
Instead of making a symlink, why not just override X509_CERT_FILE at compile time? And maybe also set X509_CERT_DIR to /etc/ssl/certs.
Also, do we actually want to have this configurable? I can't think of a good reason to change the default.
We could override X509_CERT_FILE, but it creates more impurities at build time IIRC.
In this case, we add something at the end of postInstall, this cannot harm much.
I made it configurable because it may not be desirable to have a reference to "/etc/ssl/certs/ca-certificates.crt" on darwin for example. I am not too sure about this.
Hm, how does it create more impurity, compared to the symlink?
Regarding Darwin, there is no good default value, so /etc/ssl/certs/ca-certificates.crt is as good as any :-)
Hm, my sentence makes no sense. What I wanted to say is that the symlink adds no impurities in the build process because it happens at the end, and does not interfere with the build itself.
There are diverging needs for Nix and NixOS. Plain Nix users want configurability through SSL_CERT_FILE, to use their system-wide trust store. NixOS users want their trust store to always default to "/etc/ssl/certs/ca-certificates.crt". The easy solution, as the path "/etc/ssl/certs/ca-certificates.crt" is not going to change anytime soon, would be to export SSL_CERT_FILE in systemd.globalEnvironment. This solution explores the complete removal of SSL_CERT_FILE, which is a bad idea for Nix users on other systems. Maybe we need to support sane defaults and SSL_CERT_FILE?
@@ -16,7 +16,6 @@ stdenv.mkDerivation { | |||
outputs = [ "out" "man" ]; | |||
|
|||
configureFlags = | |||
# FIXME: perhaps use $SSL_CERT_FILE instead | |||
lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt" |
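Review bot: `lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"` leaves non-Linux builds (Darwin) on GnuTLS's built-in default, while the OpenSSL change in this PR points at /etc/ssl/certs/ca-certificates.crt on every platform, so the two libraries end up with different trust stores on Darwin; the `# FIXME: perhaps use $SSL_CERT_FILE instead` comment in this hunk was the only hint of that. Either apply the same default on both platforms or add a comment stating that Darwin intentionally keeps the GnuTLS default, so the divergence is visible to the next person touching this file.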
Why not re-use ${openssl}/etc/ssl/cert.pem?
Because GnuTLS does not depend on OpenSSL, it is another implementation.
That's why we need to agree on a common default store.
Pushed to staging with some changes, thanks!
ddclient also suffers from this problem with
OpenSSL is designed to trust the certificates located in "${openssl}/etc/ssl/cert.pem".
NixOS, on the other hand, uses /etc/ssl/certs/ca-certificates.crt as its trusted root CAs.
By symlinking "${openssl}/etc/ssl/cert.pem" to "/etc/ssl/certs/ca-certificates.crt",
we fix all the applications that rely on openssl's default certificates.
This is not trivial as it includes git, curl, python, php, and more.
Doing this, we can also get rid of the annoying SSL_CERT_FILE previously defined in the global environment.
This variable will revert to being a simple means to override the default store location.
Using "/etc/ssl/certs/ca-certificates.crt" as the system trusted certificates
is a sensible path already taken in GnuTLS (see #8121).
This is also what is done by other distros like ArchLinux or Debian.
This PR fixes openssl and curl to use the default system trusted certificates.
I tested openssl, curl, git, git-send-email.
Any help is welcome in testing other packages.
We cannot however test everything affected by the removal of the SSL_CERT_FILE environment variable.
Some issues/details remain:
Removing nixpkgs/pkgs/development/perl-modules/lwp-protocol-https-cert-file.patch may not be the best thing to do.
Closes #12628, #8486, #10875, #8247, #8534, #10703
Related #8867, #3382
cc: @edolstra, @vcunat, @zimbatm, @4levels and maybe others.
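The precedence the thread settles on (a compiled-in default such as OpenSSL's ${openssl}/etc/ssl/cert.pem, symlinked to /etc/ssl/certs/ca-certificates.crt, which SSL_CERT_FILE may override) and the dangling-symlink worry from the review comments can be checked with a small shell script. The following is an added example, not code from this PR or from nixpkgs: the function names effective_ca_file and make_layout are mine, and the store and /etc layout it builds under a temporary directory is constructed to stand in for a NixOS host (link resolves) and a non-NixOS host (link dangles).

```shell
#!/bin/sh
# Added example (not from the PR or nixpkgs). Models the trust-store precedence
# discussed in the thread: SSL_CERT_FILE, when set, overrides the compiled-in
# default; otherwise the default is used. A dangling symlink or an unreadable
# file is reported as "no trust store" so callers cannot mistake it for one.

# effective_ca_file DEFAULT_PATH
# Prints the path a client following that precedence would open, or "none"
# (returning 1) when that path is a dangling symlink or cannot be read.
effective_ca_file() {
    eca_default=$1
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        eca_path=$SSL_CERT_FILE
        eca_source="SSL_CERT_FILE"
    else
        eca_path=$eca_default
        eca_source="compiled-in default"
    fi
    # -L tests the link itself; -e follows it, so a dangling link passes -L and fails -e.
    if [ -L "$eca_path" ] && [ ! -e "$eca_path" ]; then
        echo "dangling symlink: $eca_path ($eca_source) -> $(readlink "$eca_path")" >&2
        echo none
        return 1
    fi
    if [ ! -r "$eca_path" ]; then
        echo "unreadable or missing: $eca_path ($eca_source)" >&2
        echo none
        return 1
    fi
    echo "$eca_path"
}

# make_layout ROOT
# Constructed stand-in for what the PR produces: a fake store output whose
# etc/ssl/cert.pem links to a fake system bundle (the NixOS case), and a second
# output whose link points at a bundle this host does not have (non-NixOS case).
make_layout() {
    ml_root=$1
    mkdir -p "$ml_root/etc/ssl/certs" \
             "$ml_root/store/openssl/etc/ssl" \
             "$ml_root/store/broken/etc/ssl"
    # Placeholder bundle content, constructed for the example; not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
        > "$ml_root/etc/ssl/certs/ca-certificates.crt"
    ln -s "$ml_root/etc/ssl/certs/ca-certificates.crt" "$ml_root/store/openssl/etc/ssl/cert.pem"
    ln -s "$ml_root/etc/ssl/certs/does-not-exist.crt"  "$ml_root/store/broken/etc/ssl/cert.pem"
}

# Demo: the three situations the thread discusses.
demo_root=$(mktemp -d)
make_layout "$demo_root"
echo "1) default symlink resolves (NixOS host):"
effective_ca_file "$demo_root/store/openssl/etc/ssl/cert.pem" || true
echo "2) default symlink dangles (host without /etc/ssl/certs/ca-certificates.crt):"
effective_ca_file "$demo_root/store/broken/etc/ssl/cert.pem" || true
echo "3) SSL_CERT_FILE overrides the dangling default:"
# Subshell so the assignment does not leak into this shell (dash keeps
# assignments that prefix a function call).
( SSL_CERT_FILE="$demo_root/etc/ssl/certs/ca-certificates.crt"
  effective_ca_file "$demo_root/store/broken/etc/ssl/cert.pem" ) || true
rm -rf "$demo_root"
```

The same check can be pointed at a real installation by passing the output of `openssl version -d` joined with `/cert.pem` as DEFAULT_PATH; case 2 is exactly what a plain-Nix user on another distro sees after this PR unless they set SSL_CERT_FILE, which is the situation the comments above argue should keep working.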