
nc doesn't find system certificate store anymore #68286

Closed
andir opened this issue Sep 7, 2019 · 10 comments
Labels
0.kind: bug Something is broken
Milestone

Comments

@andir
Member

andir commented Sep 7, 2019

Describe the bug
The nc attribute (provided by LibreSSL) is no longer able to find the system certificates on NixOS. It seems like with the change to the CMake build system / with the switch to libressl 2.9 the feature broke.

To Reproduce
Steps to reproduce the behavior:

  1. nix-shell --pure -p nc with a current master / recent unstable channel.
  2. nc -cvz google.com 443
  3. See nc: failed to open CA file '/etc/ssl/cert.pem': No such file or directory

Expected behavior
nc should have been able to find the local system certificates and connect successfully.

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.2.11, NixOS, 19.09.git.920dd87 (Loris)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3pre6895_84de821
  • channels(root): "nixos-19.09pre190978.8d1510abfb5"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
  - nc
  - libressl_2_9.nc
  - libressl_3_0.nc
# a list of nixos modules affected by the problem
module: []

cc libressl maintainers @fpletz @thoughtpolice

@andir andir added the 0.kind: bug Something is broken label Sep 7, 2019
@FRidh FRidh added this to the 19.09 milestone Sep 8, 2019
@d-goldin
Contributor

d-goldin commented Sep 8, 2019

I ran a bisect and it seems like dc19376 broke it. I tested it with libressl_2_8 and libressl_3_0 additionally and those seem to be fine.

I toyed around a little bit and a patch like below seems to fix the issue for this particular version (they changed parts of this mechanism between 2.8 and 2.9).

Edit: dropped patch, to reduce confusion, as it didn't do anything.

@andir
Member Author

andir commented Sep 8, 2019

That patch does nothing for me. 2.8 just works as it currently is in nixpkgs. 2.9 & 3.0 show no change in my mentioned test. How did you verify?

@d-goldin
Contributor

d-goldin commented Sep 8, 2019

@andir: you're right, that doesn't fix it. Must have accidentally invoked some non-broken version. I'll give it another look, out of curiosity.

@d-goldin
Contributor

d-goldin commented Sep 8, 2019

So, having given it a closer look again - 2.9 and 3.0 are both equally broken.
There was a change made, where formerly there was the following in apps/nc/netcat.c:

[...]
#ifndef DEFAULT_CA_FILE
#define DEFAULT_CA_FILE "/etc/ssl/cert.pem"
#endif
[...]

Now, in 2.9 and 3.0 it was changed to simply pre-initialize using tls_default_ca_cert_file() from tls/tls_config.c, which just returns a constant location of /etc/ssl/cert.pem, so it seems like there is no way to override it through build config or macros anymore. That would likely mean we'd have to patch the default location in tls_config.c.

@d-goldin
Contributor

d-goldin commented Sep 8, 2019

So, a rather quick and dirty patch that seems to work is:

diff --git a/pkgs/development/libraries/libressl/default.nix b/pkgs/development/libraries/libressl/default.nix
index 71b8d2bb20e..89e24edf5dc 100644
--- a/pkgs/development/libraries/libressl/default.nix
+++ b/pkgs/development/libraries/libressl/default.nix
@@ -28,6 +28,9 @@ let
     # Fortunately LibreSSL provides a CMake build as well, so opt for CMake by
     # removing ./configure pre-config.
     preConfigure = ''
+      # Since 2.9.x the default location can't be configured from the build using
+      # DEFAULT_CA_FILE anymore, instead we have to patch the default value.
+      sed -i "s|\"/etc/ssl/cert.pem\"|\"$out/etc/ssl/cert.pem\"|" ./tls/tls_config.c;
       rm configure
     '';
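Review bot: the `sed` line in this hunk rewrites the fallback to `"$out/etc/ssl/cert.pem"`, i.e. a path inside the libressl derivation itself, which pins nc to whatever bundle that build ships rather than the nixpkgs-managed `cacert` store the rest of the system trusts; the commit that later closed this issue substitutes `${cacert}/etc/ssl/cert.pem` instead, which also means `cacert` must be added to the derivation's inputs. Separately, `sed -i` exits 0 when the pattern does not match, so a future libressl release that moves or renames the `"/etc/ssl/cert.pem"` literal would rebuild cleanly with the hard-coded path back in place; a `grep -q` on the literal that fails the build when it is absent, together with the per-version gate the comment below already calls for, would make that regression visible.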

That of course is not overly clean and due to the structure of the file, one would have to make sure that it only applies to known versions instead of just the generic derivation.

@andir andir changed the title nc doesnt' find system certtificate store anymore nc doesnt' find system certificate store anymore Sep 8, 2019
@andir
Member Author

andir commented Sep 9, 2019

@d-goldin That doesn't sound too bad. Do you mind opening a PR for that? You can use lib.versionAtLeast to gate it behind a version switch?
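An added example, not nixpkgs' own expression, of what the version-gated patch suggested above could look like: a trimmed libressl derivation that substitutes the fallback CA path with the `cacert` bundle only when `lib.versionAtLeast version "2.9"` holds. The derivation skeleton, the mirror URL and the `lib.fakeSha256` placeholder hashes are assumptions; the `${cacert}/etc/ssl/cert.pem` target is the one the thread's fix commit uses.

```nix
# Added example, not nixpkgs' own code: a trimmed libressl derivation that
# patches the fallback CA path only for versions that dropped DEFAULT_CA_FILE.
{ lib, stdenv, fetchurl, cmake, cacert }:

let
  generic = { version, sha256 }:
    stdenv.mkDerivation rec {
      pname = "libressl";
      inherit version;

      src = fetchurl {
        # Assumed mirror layout; the real expression defines its own.
        url = "mirror://openbsd/LibreSSL/${pname}-${version}.tar.gz";
        inherit sha256;
      };

      nativeBuildInputs = [ cmake ];

      preConfigure = ''
        # Prefer the CMake build: drop the autotools configure script.
        rm configure
      ''
      # 2.9 and later carry the fallback bundle as a string literal in
      # tls/tls_config.c, so substitute it there, and only for them.
      + lib.optionalString (lib.versionAtLeast version "2.9") ''
        # Fail the build if the literal moved, so a version bump cannot
        # silently ship a binary that still looks at /etc/ssl/cert.pem.
        grep -q '"/etc/ssl/cert.pem"' tls/tls_config.c \
          || { echo "tls_config.c: CA path literal not found" >&2; exit 1; }
        # Point the fallback at the nixpkgs cacert bundle so nc trusts the
        # same roots as the rest of the system, not a copy under $out.
        substituteInPlace tls/tls_config.c \
          --replace '"/etc/ssl/cert.pem"' '"${cacert}/etc/ssl/cert.pem"'
      '';
    };
in {
  # Versions as named in the thread; lib.fakeSha256 is a placeholder hash
  # that makes the fetch fail loudly until a real hash is filled in.
  libressl_2_8 = generic { version = "2.8"; sha256 = lib.fakeSha256; };
  libressl_2_9 = generic { version = "2.9"; sha256 = lib.fakeSha256; };
  libressl_3_0 = generic { version = "3.0"; sha256 = lib.fakeSha256; };
}
```

Because the 2.8 derivation skips the substitution, `nc -R` remains the only override there, while 2.9 and 3.0 builds carry a store path to `cacert` that `nix-store --query --references` will show as a runtime dependency.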

@d-goldin
Contributor

d-goldin commented Sep 9, 2019

@andir: Will do a bit later. Have you had a chance to test this one? Just to make sure.

@d-goldin
Contributor

There is another PR for this too: #68456

d-goldin added a commit to d-goldin/nixpkgs that referenced this issue Sep 17, 2019
This addresses NixOS#68286

When `-R` (CA file location) is not specified, nc tries to fall back to
a default location. In 2.8 this was still configurable at compile time,
but was changed somewhere after. This replaces `/etc/ssl/cert.pem`
with `${cacert}/etc/ssl/cert.pem` in the code directly.

For a discussion of this, see NixOS#68456
@d-goldin
Contributor

@andir: The issue should be fixed now on master and release-19.09.

@andir
Member Author

andir commented Sep 20, 2019

Confirmed. Fixed on master 👍

Thank you for working on this!

@andir andir closed this as completed Sep 20, 2019