
Downloader: Log configured CA file #3141

Merged
merged 1 commit into from Nov 26, 2019

Conversation

@xbreak (Contributor) commented Oct 12, 2019

Update: Rescoped PR to only debug print configured CA file to address concerns by @edolstra.

It seems like a good idea to warn if no trusted CAs have been configured, to help narrow down issues like NixOS/nixpkgs#70939.

Update: CA files may come from different sources if e.g. Curl or the TLS library is used from the system and not Nix. Therefore it might be misleading to warn.

In addition I added a debug print of the configured CA file for the same reason.

Tested on CentOS and looks like this:

$ nix-env -i firefox -vvv
...
downloading 'https://cache.nixos.org/nar/0wpvc57l0sv8jxfylfyfwrkxzij6fxvakk4k3zd11iiaanwx8viy.nar.xz'...
starting download of https://cache.nixos.org/nar/0wpvc57l0sv8jxfylfyfwrkxzij6fxvakk4k3zd11iiaanwx8viy.nar.xz
verify TLS: Nix CA file = ''
finished download of 'https://cache.nixos.org/nar/0wpvc57l0sv8jxfylfyfwrkxzij6fxvakk4k3zd11iiaanwx8viy.nar.xz'; curl status = 60, HTTP status = 0, body = 0 bytes
warning: unable to download 'https://cache.nixos.org/nar/0wpvc57l0sv8jxfylfyfwrkxzij6fxvakk4k3zd11iiaanwx8viy.nar.xz': SSL peer certificate or SSH remote key was not OK (60); retrying in 274 ms

@edolstra (Member) commented:
I'm not sure about this. If libcurl is a native (non-Nix) package or if it's using some native TLS mechanism (I think this is the case on macOS), then it may be able to find certificates even if settings.caFile is unset.

@xbreak (Contributor, Author) commented Oct 14, 2019

> I'm not sure about this. If libcurl is a native (non-Nix) package or if it's using some native TLS mechanism (I think this is the case on macOS), then it may be able to find certificates even if settings.caFile is unset.

Any suggestions on how to improve the PR? It e.g. sounds like it wouldn't be useful to read out paths from curl either, since other paths that are unknown to curl might be used as well, depending on the TLS library.

Maybe just keep the debug log then (and rephrase to indicate that the CA file is provided by Nix: "verify TLS: Nix CA file = '%s'")?
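The following is an added example, not code from Nix or from this PR. It parses the verbose output quoted in the PR description (the three relevant lines are embedded as a constructed sample) and classifies a curl status 60 in line with the discussion above: an empty "Nix CA file" is reported as unset rather than as a misconfiguration, because, as edolstra notes, a libcurl from outside Nix or one backed by a native TLS library may still find certificates on its own. The environment variables NIX_SSL_CERT_FILE and SSL_CERT_FILE and the curl-config --ca query used by the hint function are assumptions about the surrounding system, not something the thread states.

```shell
#!/bin/sh
# Added diagnostic for the debug line this PR introduces ("verify TLS: Nix CA
# file = '...'"). Not part of Nix; the log format is taken from the PR
# description, everything else here is an assumption about the surrounding setup.

# Constructed sample: the three relevant lines from the `nix-env -i firefox -vvv`
# run quoted in the PR description.
sample_log() {
    cat <<'EOF'
starting download of https://cache.nixos.org/nar/0wpvc57l0sv8jxfylfyfwrkxzij6fxvakk4k3zd11iiaanwx8viy.nar.xz
verify TLS: Nix CA file = ''
finished download of 'https://cache.nixos.org/nar/0wpvc57l0sv8jxfylfyfwrkxzij6fxvakk4k3zd11iiaanwx8viy.nar.xz'; curl status = 60, HTTP status = 0, body = 0 bytes
EOF
}

# Print the path logged on the first "verify TLS: Nix CA file = '...'" line
# (empty output when Nix passed no CA file to libcurl). Reads the log on stdin.
ca_file_from_log() {
    sq="'"
    sed -n "s/^verify TLS: Nix CA file = ${sq}\(.*\)${sq}\$/\1/p" | head -n 1
}

# Print the libcurl result code from the first "finished download" line.
curl_status_from_log() {
    sed -n 's/.*curl status = \([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# Classify a download given the CA file Nix configured and the curl status.
# Code 60 is the only one treated here: it is the peer-verification failure
# shown in the PR ("SSL peer certificate or SSH remote key was not OK (60)").
# An empty CA file is reported as "nix-ca-unset", deliberately not as an
# error: as pointed out in the review, a libcurl built outside Nix or one using
# a native TLS backend can still verify peers with no CA file from Nix.
diagnose() {
    ca_file="$1"
    status="$2"
    if [ "$status" != 60 ]; then
        echo "not-a-ca-problem"
    elif [ -z "$ca_file" ]; then
        echo "nix-ca-unset"
    elif [ ! -r "$ca_file" ]; then
        echo "nix-ca-unreadable"
    else
        echo "nix-ca-set"
    fi
}

# Run the two extractors over a log on stdin and classify the result.
diagnose_log() {
    log="$(cat)"
    ca_file="$(printf '%s\n' "$log" | ca_file_from_log)"
    status="$(printf '%s\n' "$log" | curl_status_from_log)"
    diagnose "$ca_file" "$status"
}

# For the "nix-ca-unset" case, show where the trust store may be coming from
# instead. Which of these your Nix build honours is not stated in the PR; they
# are the usual places to look (assumed, not taken from the thread).
trust_store_hints() {
    echo "NIX_SSL_CERT_FILE=${NIX_SSL_CERT_FILE:-<unset>}"
    echo "SSL_CERT_FILE=${SSL_CERT_FILE:-<unset>}"
    if command -v curl-config >/dev/null 2>&1; then
        echo "curl-config --ca: $(curl-config --ca)"
    else
        echo "curl-config not found; cannot ask libcurl for its built-in CA path"
    fi
}

# Usage on the constructed sample: classifies as "nix-ca-unset" and prints hints.
result="$(sample_log | diagnose_log)"
echo "diagnosis: $result"
[ "$result" = "nix-ca-unset" ] && trust_store_hints
```

To use it on a real run, pipe the `-vvv` output in: `nix-env -i firefox -vvv 2>&1 | sh -c '. ./diagnose.sh; diagnose_log'` (assuming the block is saved as diagnose.sh). A "nix-ca-set" result with status 60 points at the bundle itself (wrong or stale issuer), while "nix-ca-unset" means the next thing to inspect is whatever libcurl and its TLS backend fall back to.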

@xbreak changed the title from "Downloader: Warn if no trusted CA file has been configured" to "Downloader: Log configure CA file" on Oct 18, 2019

@xbreak (Contributor, Author) commented Oct 18, 2019

I updated PR to only debug log the Nix configured CA file. Hope this addresses your concern @edolstra .

@xbreak changed the title from "Downloader: Log configure CA file" to "Downloader: Log configured CA file" on Oct 18, 2019
@edolstra merged commit 4259918 into NixOS:master on Nov 26, 2019
@xbreak deleted the nocafile branch on Dec 10, 2019