diff options
| author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2024-09-24 01:57:32 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-09-24 01:57:32 +0200 |
| commit | ee35dc7c19dd00e4a122e36b24603687f6d04359 (patch) | |
| tree | 0a8eb7801cea587be3ab0ecc1aa9ee3d33b1a8f4 /pkgs | |
| parent | 81c2eef9bcdf047cc699e75fb0012d4bb3f35446 (diff) | |
| parent | a169553f7e3b61b7390106d658dbc718e98ac1a1 (diff) | |
fetchurl: enable TLS verification when credentials are used (#344000)
Diffstat (limited to 'pkgs')
| -rw-r--r-- | pkgs/build-support/fetchurl/default.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix index a9c2c7c46d14d..2901501afaab4 100644 --- a/pkgs/build-support/fetchurl/default.nix +++ b/pkgs/build-support/fetchurl/default.nix @@ -164,7 +164,8 @@ stdenvNoCC.mkDerivation (( # New-style output content requirements. inherit (hash_) outputHashAlgo outputHash; - SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash) + # Disable TLS verification only when we know the hash and no credentials are needed to access the ressource + SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash || netrcPhase != null) then "${cacert}/etc/ssl/certs/ca-bundle.crt" else "/no-cert-file.crt"; |