diff options
| author | Philip Potter <philip.g.potter@gmail.com> | 2015-03-04T20·08+0000 |
|---|---|---|
| committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-01-05T13·19+0100 |
| commit | 4f3cf06c97cb1f15c74b51b60673a0ed9af0a603 (patch) | |
| tree | 9df0c3ba03440ee764ba593846171e05f219d5da | |
| parent | 39d1da7b51e6984a332a7eb68ae4048242b1adb8 (diff) | |
Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS certificate presented by the server actually matches the hostname requested, and actually is issued by a trusted CA chain. This almost entirely negates any benefit from using TLS in the first place. This removes the --insecure flag to ensure we actually have a secure connection to the intended hostname before downloading binaries. Manually tested locally within a dev-shell; was able to download binaries from https://cache.nixos.org without issue. [Note: --insecure was only used for fetching NARs, whose integrity is verified by Nix anyway using the hash from the .narinfo. But if we can fetch the .narinfo without --insecure, we can also fetch the .nar, so there is not much point to using --insecure. --Eelco]
| -rw-r--r-- | scripts/download-from-binary-cache.pl.in | 2 | ||||
| -rwxr-xr-x | scripts/download-using-manifests.pl.in | 3 |
2 files changed, 2 insertions, 3 deletions
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in index 60f7f9aef3d2..a4f858610aca 100644 --- a/scripts/download-from-binary-cache.pl.in +++ b/scripts/download-from-binary-cache.pl.in @@ -566,7 +566,7 @@ sub downloadBinary { die if $requireSignedBinaryCaches && !defined $info->{signedBy}; print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n"; checkURL $url; - if (system("$Nix::Config::curl --fail --location --insecure --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { + if (system("$Nix::Config::curl --fail --location --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { warn "download of ‘$url’ failed" . ($! ? ": $!" : "") . "\n"; next; } diff --git a/scripts/download-using-manifests.pl.in b/scripts/download-using-manifests.pl.in index 591cd6b43a3a..ffc49f8fffde 100755 --- a/scripts/download-using-manifests.pl.in +++ b/scripts/download-using-manifests.pl.in @@ -17,8 +17,7 @@ my $logFile = "$Nix::Config::logDir/downloads"; # estimating the expected download size. my $fast = 1; -# ‘--insecure’ is fine because Nix verifies the hash of the result. -my $curl = "$Nix::Config::curl --fail --location --insecure"; +my $curl = "$Nix::Config::curl --fail --location"; # Open the manifest cache and update it if necessary. |