gnutls: enable p11-kit by default

GnuTLS has a single hard-coded location for the system trust store, currently set to the path used by NixOS, Debian, Arch, Gentoo, etc. Since not all distributions use the same path, notably Fedora and RHEL, the certificate validation will break on some non-NixOS system. This can be solved by enabling the p11-kit integration, so that by default p11-kit (properly configured for all major distos) will provide GnuTLS with the CA roots though the PKCS #11 API.
NixOS · Nov 18, 2021 · 6f3b6a2 · 6f3b6a2
1 parent cf3013b
commit 6f3b6a2
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
@@ -51,8 +51,10 @@ stdenv.mkDerivation rec {
 
   preConfigure = "patchShebangs .";
   configureFlags =
-    lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
-  ++ [
+    lib.optionals stdenv.isLinux [
+    "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
+    "--with-default-trust-store-pkcs11=pkcs11:"
+  ] ++ [
     "--disable-dependency-tracking"
     "--enable-fast-install"
     "--with-unbound-root-key-file=${dns-root-data}/root.key"