Merge pull request #5130 from wmertens/git-ssl-env

Let git use $SSL_CERT_FILE

nixos/modules/security/ca.nix

@@ -16,7 +16,6 @@ with lib;
       { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";
         # FIXME: unneeded - remove eventually.
         OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
-        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-bundle.crt";
       };
 
   };

pkgs/applications/version-management/git-and-tools/git/default.nix

@@ -24,7 +24,12 @@ stdenv.mkDerivation {
     sha256 = "0mvgvr2hz25p49dhhizcw9591f2h17y2699mpmndis3kzap0c6zy";
   };
 
-  patches = [ ./docbook2texi.patch ./symlinks-in-bin.patch ./cert-path.patch ];
+  patches = [
+    ./docbook2texi.patch
+    ./symlinks-in-bin.patch
+    ./cert-path.patch
+    ./ssl-cert-file.patch
+  ];
 
   buildInputs = [curl openssl zlib expat gettext cpio makeWrapper]
     ++ stdenv.lib.optionals withManual [ asciidoc texinfo xmlto docbook2x
@@ -142,6 +147,6 @@ stdenv.mkDerivation {
     '';
 
     platforms = stdenv.lib.platforms.all;
-    maintainers = with stdenv.lib.maintainers; [ simons the-kenny ];
+    maintainers = with stdenv.lib.maintainers; [ simons the-kenny wmertens ];
   };
 }

pkgs/applications/version-management/git-and-tools/git/ssl-cert-file.patch

@@ -0,0 +1,13 @@
+This patch adds support for the OpenSSL SSL_CERT_FILE environment variable.
+GIT_SSL_CAINFO still takes precedence.
+
+--- git-orig/http.c.orig	2014-11-25 23:27:56.000000000 +0100
++++ git-orig/http.c	2014-11-25 23:28:48.000000000 +0100
+@@ -433,6 +433,7 @@
+ #if LIBCURL_VERSION_NUM >= 0x070908
+ 	set_from_env(&ssl_capath, "GIT_SSL_CAPATH");
+ #endif
++	set_from_env(&ssl_cainfo, "SSL_CERT_FILE");
+ 	set_from_env(&ssl_cainfo, "GIT_SSL_CAINFO");
+ 
+ 	set_from_env(&user_agent, "GIT_HTTP_USER_AGENT");