authorRyan Lahfa <masterancpp@gmail.com>2024-02-11 19:44:02 +0100
committerGitHub <noreply@github.com>2024-02-11 19:44:02 +0100
commitd9e7a2a88ab0c125ec1524394c3173ee6879f651 (patch)
tree159610a708f8ba6c4cc6a4bdc4ddf100490bef3a /nixos/modules/security
parent496cd829f0267244e7ffdadf4a9e21f3d96ce0b6 (diff)
parent19159a234916d7169e15d267e6ee1c9462790319 (diff)
Merge pull request #286857 from RaitoBezarius/cacerts
nixos/security/ca: enable support for compatibility bundles
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/ca.nix14
1 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 3cd56bff04d18..ae188ea709dd5 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -11,7 +11,8 @@ let
     extraCertificateFiles = cfg.certificateFiles;
     extraCertificateStrings = cfg.certificates;
   };
-  caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
+  caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
+  caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
 
 in
 
@@ -23,6 +24,17 @@ in
       internal = true;
     };
 
+    security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
+
+      Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+      which is a OpenSSL specific PEM format.
+
+      It is known to be incompatible with certain software stacks.
+
+      Nevertheless, enabling this will strip all additional trust rules provided by the
+      certificates themselves, this can have security consequences depending on your usecases.
+    '';
+
     security.pki.certificateFiles = mkOption {
       type = types.listOf types.path;
       default = [];
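Review bot: The option description added at L36–L45 leaves the security trade-off ambiguous: the "It is known to be incompatible" sentence reads as if the compatibility bundle itself is the incompatible one, when the preceding sentence suggests it is the `BEGIN TRUSTED CERTIFICATE` format that some stacks reject, and "this can have security consequences" does not say what is lost. I would reword the description to something like `Such a bundle consists exclusively of ``BEGIN CERTIFICATE`` entries and omits the OpenSSL-specific ``BEGIN TRUSTED CERTIFICATE`` form, which certain software stacks cannot parse.` followed by `Enabling this strips every additional trust rule the certificates carry (presumably purpose restrictions or rejections attached to individual CAs), so such certificates become trusted without those restrictions; weigh this against your use case.` In the first hunk, the switch at L27 assumes `cacertPackage` ships `ca-no-trust-rules-bundle.crt`; whether the overridden cacert derivation provides that file is not visible here, and a missing file would only surface as a dangling `caBundle` path rather than an evaluation-time error, so an assertion on its existence may be worth adding.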