aboutsummaryrefslogtreecommitdiff
path: root/src/libutil
diff options
context:
space:
mode:
authorPhilip Potter <philip.g.potter@gmail.com>2015-03-04 20:08:40 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2016-01-05 14:19:46 +0100
commit4f3cf06c97cb1f15c74b51b60673a0ed9af0a603 (patch)
tree9df0c3ba03440ee764ba593846171e05f219d5da /src/libutil
parent39d1da7b51e6984a332a7eb68ae4048242b1adb8 (diff)
Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS certificate presented by the server actually matches the hostname requested, and actually is issued by a trusted CA chain. This almost entirely negates any benefit from using TLS in the first place. This removes the --insecure flag to ensure we actually have a secure connection to the intended hostname before downloading binaries. Manually tested locally within a dev-shell; was able to download binaries from https://cache.nixos.org without issue. [Note: --insecure was only used for fetching NARs, whose integrity is verified by Nix anyway using the hash from the .narinfo. But if we can fetch the .narinfo without --insecure, we can also fetch the .nar, so there is not much point to using --insecure. --Eelco]
Diffstat (limited to 'src/libutil')
0 files changed, 0 insertions, 0 deletions