diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 3cd56bff04d1..ae188ea709dd 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -11,7 +11,8 @@ let
 extraCertificateFiles = cfg.certificateFiles;
 extraCertificateStrings = cfg.certificates;
 };
- caBundle = "${cacertPackage}/etc/ssl/certs/ca-bundle.crt";
+ caBundleName = if cfg.useCompatibleBundle then "ca-no-trust-rules-bundle.crt" else "ca-bundle.crt";
+ caBundle = "${cacertPackage}/etc/ssl/certs/${caBundleName}";
 in
@@ -23,6 +24,17 @@ in
 internal = true;
 };
+ security.pki.useCompatibleBundle = mkEnableOption ''usage of a compatibility bundle.
+
+ Such a bundle consist exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`,
+ which is a OpenSSL specific PEM format.
+
+ It is known to be incompatible with certain software stacks.
+
+ Nevertheless, enabling this will strip all additional trust rules provided by the
+ certificates themselves, this can have security consequences depending on your usecases.
+ '';
+
 security.pki.certificateFiles = mkOption {
 type = types.listOf types.path;
 default = [];
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 30f2ee38c72f..4979fa6edfde 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -71,6 +71,7 @@ stdenv.mkDerivation rec {
 --ca_bundle_input "${extraCertificatesBundle}" ${lib.escapeShellArgs (map (arg: "${arg}") extraCertificateFiles)} \
 --blocklist "${blocklist}" \
 --ca_bundle_output ca-bundle.crt \
+ --ca_standard_bundle_output ca-no-trust-rules-bundle.crt \
 --ca_unpacked_output unbundled \
 --p11kit_output ca-bundle.trust.p11-kit
 '';
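Review bot: The two file names chosen by `caBundleName` (ca.nix, hunk at -11,7) are bare string literals that must match what pkgs/data/misc/cacert/default.nix generates and installs, and nothing visible ties the two files together. If one side is renamed, or if `cacertPackage` ever resolves to a build without `ca-no-trust-rules-bundle.crt`, `caBundle` would presumably point at a path that does not exist. I would add a comment above the binding, `# file names must match those installed by pkgs/data/misc/cacert/default.nix`. The `let` block starts outside the hunk.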
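Review bot: The description of `security.pki.useCompatibleBundle` (ca.nix, hunk at -23,6) states the security-relevant effect last and leaves "It is known to be incompatible" without a clear subject, so a reader cannot tell which bundle is the incompatible one. `mkEnableOption`, as far as I know, wraps its argument as "Whether to enable <text>.", which reads badly with a multi-paragraph string and leaves a stray period after the final newline. I would declare the option with `mkOption` and an explicit `default = false`, state first that enabling it removes the trust rules, and fix "consist" and "a OpenSSL" on the way. The surrounding options set starts and ends outside the hunk.

```nix
    security.pki.useCompatibleBundle = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to use a bundle that consists exclusively of
        `BEGIN CERTIFICATE` blocks. Enabling this strips all additional
        trust rules provided by the certificates themselves, which can
        have security consequences depending on your use case.

        The default bundle may contain `BEGIN TRUSTED CERTIFICATE` blocks,
        an OpenSSL-specific PEM format that is known to be incompatible
        with certain software stacks.
      '';
    };
```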
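Review bot: Nothing visible in this hunk (cacert/default.nix, hunk at -71,6) checks that `ca-no-trust-rules-bundle.crt` really holds only plain certificate blocks, or that `--blocklist` was applied to it as well as to `ca-bundle.crt`; both are left to the generator. Because the module change in this commit can select this file as `caBundle`, a cheap build-time assertion after the generator call would catch a regression, for example `if grep -q 'BEGIN TRUSTED CERTIFICATE' ca-no-trust-rules-bundle.crt; then exit 1; fi`. The build script string starts outside the hunk.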
@@ -78,6 +79,9 @@ stdenv.mkDerivation rec {
 installPhase = ''
 install -D -t "$out/etc/ssl/certs" ca-bundle.crt
+ # install standard PEM compatible bundle
+ install -D -t "$out/etc/ssl/certs" ca-no-trust-rules-bundle.crt
+
 # install p11-kit specific output to p11kit output
 install -D -t "$p11kit/etc/ssl/trust-source" ca-bundle.trust.p11-kit