aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2014-12-09 13:15:31 +0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2014-12-09 13:16:02 +0100
commitd44d923be971a9f9a05b156e20fe2b26151826a9 (patch)
tree67ddc20d7403aad9247b172bad50b1e2203ac472
parent5510d21193e84067230beb5f755e899180f963a2 (diff)
Add option to disable binary cache certificate checking
-rw-r--r--doc/manual/command-ref/conf-file.xml9
-rw-r--r--scripts/download-from-binary-cache.pl.in8
2 files changed, 16 insertions, 1 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 930ed773f..053f4d43c 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -402,6 +402,15 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
</varlistentry>
+ <varlistentry><term><literal>verify-https-binary-caches</literal></term>
+
+ <listitem><para>Whether HTTPS binary caches are required to have a
+ certificate that can be verified. Defaults to
+ <literal>true</literal>.</para></listitem>
+
+ </varlistentry>
+
+
<varlistentry><term><literal>force-manifest</literal></term>
<listitem><para>If this option is set to <literal>false</literal>
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index db030c1db..0e640ee34 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -47,7 +47,12 @@ $caBundle = "/etc/ssl/certs/ca-certificates.crt" if !$caBundle && -f "/etc/ssl/c
my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user name";
-my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0";
+sub isTrue {
+ my ($x) = @_;
+ return $x eq "true" || $x eq "1";
+}
+
+my $requireSignedBinaryCaches = isTrue($Nix::Config::config{"signed-binary-caches"} // "0");
my $curlConnectTimeout = int(
$Nix::Config::config{"untrusted-connect-timeout"} //
@@ -69,6 +74,7 @@ sub addRequest {
$curl->setopt(CURLOPT_WRITEDATA, $fh);
$curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
$curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle;
+ $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1");
$curl->setopt(CURLOPT_USERAGENT, "Nix/$Nix::Config::version");
$curl->setopt(CURLOPT_NOBODY, 1) if $head;
$curl->setopt(CURLOPT_FAILONERROR, 1);