From 6f3b6a2fea3278a91c120e67802b54a5823912d0 Mon Sep 17 00:00:00 2001
From: rnhmjoj
Date: Wed, 17 Nov 2021 23:50:53 +0100
Subject: [PATCH] gnutls: enable p11-kit by default

GnuTLS has a single hard-coded location for the system trust store, currently set to the path used by NixOS, Debian, Arch, Gentoo, etc. Since not all distributions use the same path, notably Fedora and RHEL, the certificate validation will break on some non-NixOS system. This can be solved by enabling the p11-kit integration, so that by default p11-kit (properly configured for all major distos) will provide GnuTLS with the CA roots though the PKCS #11 API.
---
 pkgs/development/libraries/gnutls/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
index ace18afdeed8d..0d39abe1ac3ca 100644
--- a/pkgs/development/libraries/gnutls/default.nix
+++ b/pkgs/development/libraries/gnutls/default.nix
@@ -51,8 +51,10 @@ stdenv.mkDerivation rec {
   preConfigure = "patchShebangs .";
 
   configureFlags =
-    lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
-    ++ [
+    lib.optionals stdenv.isLinux [
+      "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
+      "--with-default-trust-store-pkcs11=pkcs11:"
+    ] ++ [
     "--disable-dependency-tracking"
     "--enable-fast-install"
     "--with-unbound-root-key-file=${dns-root-data}/root.key"
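Review bot: The bare `pkcs11:` URL on the added `--with-default-trust-store-pkcs11` line matches every token p11-kit exposes, not only the trust module, so an object marked trusted on any configured PKCS#11 module (a smartcard or SoftHSM, for instance) can become a CA root, and every such module's driver is loaded into each process that calls gnutls_certificate_set_x509_system_trust(). Fedora's packaging narrows this to the trust module with, as far as I recall, `"--with-default-trust-store-pkcs11=pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"`, which still meets the commit's goal of working on hosts whose bundle lives elsewhere. Note also that, if I read GnuTLS's add_system_trust correctly, the flat file on the line above becomes a fallback consulted only when the PKCS#11 store yields no certificates, and the pkcs11 option only takes effect when p11-kit is also enabled at configure time (`--with-p11-kit` with p11-kit among buildInputs), which is outside this hunk and worth confirming. A short why-comment above the `lib.optionals` block, e.g. `# Also load roots via p11-kit so non-NixOS hosts (Fedora/RHEL) with a different bundle path still validate`, would record the reason both stores are set.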