Commit a169553f authored by Thomas Gerbet's avatar Thomas Gerbet

fetchurl: enable TLS verification when credentials are used

This makes sure the credentials cannot be leaked in a MITM attack.
Note that this change might break some existing deployments if users
try to fetch resources on endpoints with invalid certificates.
The impacted users will have the following choices:
* fix the endpoint providing the resource
* override SSL_CERT_FILE to either disable the verification (not
  recommended) or to set it to a path including their CA certificate.
parent d81fd7bf
+2 −1
@@ -164,7 +164,8 @@ stdenvNoCC.mkDerivation ((
  # New-style output content requirements.
  inherit (hash_) outputHashAlgo outputHash;

  SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash)
  # Disable TLS verification only when we know the hash and no credentials are needed to access the ressource
  SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash || netrcPhase != null)
                  then "${cacert}/etc/ssl/certs/ca-bundle.crt"
                  else "/no-cert-file.crt";
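Review bot: The new `netrcPhase != null` term in the `SSL_CERT_FILE` condition turns verification on only for credentials that come from a netrc file, so a fetch that authenticates some other way would still run with `/no-cert-file.crt` whenever the hash is known. If this fetcher also lets callers pass extra curl options or URLs carrying userinfo (not visible in this hunk), an auth header or password sent that way remains exposed to an on-path attacker, and the condition should cover those inputs as well or the limitation should be documented. The added comment should also say why the hash is not enough, and "ressource" is misspelled; I would write `# Skip TLS verification only when the hash is known and no netrc credentials are sent: the hash protects the downloaded content, not the request.` The enclosing `mkDerivation` attribute set starts and ends outside the hunk.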