Merge pull request #8062 from edolstra/ssl-cert-file

Add a setting for configuring the SSL certificates file
author: Eelco Dolstra <edolstra@gmail.com> 2023-03-27 15:37:15 +0200
committer: GitHub <noreply@github.com> 2023-03-27 15:37:15 +0200
commit: 5a0f5b5c34d90fe6515d23446402c491b992a99b (patch)
tree: 5678953d71137ec0e114ccbc604805b52799c4fa /src/libstore/globals.hh
parent: 570829d67e78d97d53a935e4e61b0a09589c4cd1 (diff)
parent: a519436e9d78fa6500999485c2c638553a32696f (diff)
1 files changed, 18 insertions, 2 deletions
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index db01ab657..09a58afed 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -63,6 +63,8 @@ class Settings : public Config {
 
     bool isWSL1();
 
+    Path getDefaultSSLCertFile();
+
 public:
 
     Settings();
@@ -825,8 +827,22 @@ public:
           > `.netrc`.
         )"};
 
-    /* Path to the SSL CA file used */
-    Path caFile;
+    Setting<Path> caFile{
+        this, getDefaultSSLCertFile(), "ssl-cert-file",
+        R"(
+          The path of a file containing CA certificates used to
+          authenticate `https://` downloads. Nix by default will use
+          the first of the following files that exists:
+
+          1. `/etc/ssl/certs/ca-certificates.crt`
+          2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
+
+          The path can be overridden by the following environment
+          variables, in order of precedence:
+
+          1. `NIX_SSL_CERT_FILE`
+          2. `SSL_CERT_FILE`
+        )"};
 
 #if __linux__
     Setting<bool> filterSyscalls{
author	Eelco Dolstra <edolstra@gmail.com>	2023-03-27 15:37:15 +0200
committer	GitHub <noreply@github.com>	2023-03-27 15:37:15 +0200
commit	5a0f5b5c34d90fe6515d23446402c491b992a99b (patch)
tree	5678953d71137ec0e114ccbc604805b52799c4fa /src/libstore/globals.hh
parent	570829d67e78d97d53a935e4e61b0a09589c4cd1 (diff)
parent	a519436e9d78fa6500999485c2c638553a32696f (diff)