Provide a builtin default for $NIX_SSL_CERT_FILE

This is mostly to ensure that when Nix is started on macOS via a launchd service or sshd (for a remote build), it gets a certificate bundle.
2017-06-12 16:44:43 +02:00 · 2017-06-12 16:44:43 +02:00 · 847f19a5f7
commit 847f19a5f7
parent 7f5b750b40
3 changed files with 13 additions and 9 deletions
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@ -221,9 +221,10 @@ struct CurlDownloader : public Downloader
            if (request.head)
                curl_easy_setopt(req, CURLOPT_NOBODY, 1);

-            if (request.verifyTLS)
-                curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
-            else {
+            if (request.verifyTLS) {
+                if (settings.caFile != "")
+                    curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
+            } else {
                curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
                curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
            }