strongswan: include curl plugin by default #39506
Success on aarch64-linux. Attempted: strongswan
cc @basvandijk @ryantm @erickg @dhess, does this look reasonable to you?
IMHO it makes sense and it is a sensible common enough case 👍
Success on x86_64-linux. Attempted: strongswan
According to https://wiki.strongswan.org/projects/strongswan/wiki/Curl, you either need to pass How can we detect which crypto backend curl is using? I see the curl derivation is putting Maybe we could put
It looks like we're already setting
Note that users can override curl's crypto backend using: curl.override { gnutlsSupport = true; sslSupport = false; }; This happens in a few places in nixpkgs. I'm not sure how common this is in users' configs. But it should be easy to detect using my proposed method.
OK, I've added the requested changes - curl includes gnutlsSupport in its passthru data, and strongswan matches its --enable-openssl/--enable-gcrypt flags to what curl does. Look good?
Success on x86_64-linux. Attempted: curl, strongswan
Success on aarch64-linux. Attempted: curl, strongswan
Unfortunately the following fails:
I'm trying to get the strongswan gcrypt plugin to work on the strongswan-curl-gcrypt branch but I'm failing so far:
Maybe it's better for now to go with your first commit (93031e5) and fix the gcrypt situation later...
OK. I'll add a note in strongswan/default.nix about it too.
This is necessary for OCSP and/or remote CRL verification of server certificates to work, which is a fairly common thing to need.
Success on x86_64-linux. Attempted: strongswan
Success on aarch64-linux. Attempted: strongswan
This is necessary for OCSP and/or remote CRL verification of server certificates to work, which is a fairly common thing to need. (cherry picked from commit 1022dc5)
Motivation for this change
This is necessary for OCSP and/or remote CRL verification of server
certificates to work, which is a fairly common thing to need.