curl: add certificate package #659

Closed
wants to merge 1 commit into
base: master
from

lovek323 commented Jun 21, 2013

I've done this so I can use curl to get content from sites using HTTPS without passing either --insecure or --cacert (which I can't do without modifying code when using php's curl extension). This may not be the best way to go about it, so I'm more than happy to hear your suggestions.

curl: add certificate package
add option to allow a default bundle of certificates to be installed and
used by curl

viric commented Jun 21, 2013

In NixOS, we simply have these env vars defined:

CURL_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt
OPENSSL_X509_CERT_FILE=/etc/ssl/certs/ca-bundle.crt

And all works, with the bundle prepared by nixos at /etc.

On Thu, Jun 20, 2013 at 06:28:35PM -0700, lovek323 wrote:

I've done this so I can use curl to get content from sites using HTTPS without passing either --insecure or --cacert (which I can't do without modifying code when using php's curl extension). This may not be the best way to go about it, so I'm more than happy to hear your suggestions.
You can merge this Pull Request by running:

git pull https://github.com/lovek323/nixpkgs curl

Or you can view, comment on it, or merge it online at:

#659

-- Commit Summary --

  • curl: add certificate package

-- File Changes --

A pkgs/tools/networking/curl/cacert.pem (3895)
M pkgs/tools/networking/curl/default.nix (36)

-- Patch Links --

https://github.com/NixOS/nixpkgs/pull/659.patch
https://github.com/NixOS/nixpkgs/pull/659.diff

lovek323 commented Jun 23, 2013

OS X doesn't come with a certificate bundle by default. This change must be explicitly enabled in the config, so it shouldn't affect anyone adversely.

Also, will these environment variables work with the php module loaded into apache?

vcunat commented Jun 24, 2013

Are you sure postInstall is parenthesized well? I would think that function application has a higher precedence than the or operator.

edolstra commented Jun 24, 2013

It strikes me as ad hoc to add a certificate bundle to curl. There are numerous packages that do HTTPS and therefore can use certificates, and we don't want to add a bundle separately to each. If anything, this should be added to the openssl package.

Alternatively, you can install the cacert package from Nixpkgs and set the $CURL_CA_BUNDLE environment variable.

edolstra commented Jun 24, 2013

@vcunat "or" is part of the attribute selection operator, so it doesn't need parentheses. But for readability I'd still put parentheses around it...

lovek323 commented Jun 24, 2013

@vcunat Not sure which line(s) you're referring to?

lovek323 commented Jun 24, 2013

@edolstra I agree completely. It is probably better to create a separate package for certificate packages and either use the environment variables pointed out by @viric or bake in the location as I have done here when necessary.

vcunat commented Jun 25, 2013

@lovek323: we were talking about the line where postInstall starts https://github.com/NixOS/nixpkgs/pull/659/files#L1R60.

@edolstra: I see. I believe it can be confusing (without parentheses), due to the customs of functional programming.

vcunat commented Jun 25, 2013

(Fixing my cacert comment): I would probably install the cacert attribute from nixpkgs, and point $CURL_CA_BUNDLE to your profile.

lovek323 commented Jun 25, 2013

I will close this PR now and create a separate expression just for a certificate bundle. Unless anyone has a better suggestion?

lovek323 closed this Jun 25, 2013

vcunat commented Jun 25, 2013

@lovek323: maybe I got you wrong, but I want to stress that a certificate bundle already is in nixpkgs (attribute called cacert).

lovek323 commented Jun 25, 2013

@vcunat Excellent. I am just a poor fool then making a mistake. :)

wmertens commented Apr 29, 2014

So... when using a nix-only setup it would be nice if the cacert bundle automatically adds these environment variables, like nixos/modules/security/ca.nix does.
Thoughts?
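
Added example (not part of the thread and not nixpkgs code): a POSIX shell helper for the environment-variable approach viric describes and wmertens asks about for nix-only setups. It reports whether each of the three variables from the thread points at a readable file that actually contains PEM certificates, and refuses to export them to an empty or missing bundle, which would otherwise surface as verification failures that push people toward `--insecure`. The function names are hypothetical; the bundle path is whatever you pass in.

```shell
#!/bin/sh
# Added example: validate and export the CA-bundle variables named in this thread.
# Function names are hypothetical; nothing here is taken from nixpkgs itself.

CA_VARS="CURL_CA_BUNDLE GIT_SSL_CAINFO OPENSSL_X509_CERT_FILE"

# Print the number of PEM certificate blocks in a file (0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print the state of one variable: unset, missing, empty, or ok:<cert count>.
ca_var_status() {
    eval "path=\${$1:-}"          # $1 is always a name from CA_VARS
    if [ -z "$path" ]; then
        echo "unset"
    elif [ ! -r "$path" ]; then
        echo "missing"            # variable set, file absent or unreadable
    else
        n=$(count_certs "$path")
        if [ "$n" -gt 0 ]; then echo "ok:$n"; else echo "empty"; fi
    fi
}

# Point all three variables at one bundle, but only if it holds certificates.
# Returns 1 and exports nothing when the bundle is unreadable or empty.
export_ca_env() {
    [ -r "$1" ] && [ "$(count_certs "$1")" -gt 0 ] || return 1
    for v in $CA_VARS; do
        export "$v=$1"
    done
}

# Print one "NAME: status" line per variable for the current environment.
ca_report() {
    for v in $CA_VARS; do
        echo "$v: $(ca_var_status "$v")"
    done
}

ca_report
```

Source the file from a shell profile and call `export_ca_env` with the path to the bundle, for example the `/etc/ssl/certs/ca-bundle.crt` path quoted above on NixOS.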
