fetchurl: enable TLS verification when credentials are used #344000

Merged
merged 1 commit into from
Sep 23, 2024


LeSuisse
Contributor

Description of changes

This change ensures the credentials cannot be leaked in a MITM attack. Note that this change might break some existing deployments if the users try to fetch resources on endpoints with invalid certificates. The impacted users will have the following choices:

  • fix the endpoint providing the resource.
  • override SSL_CERT_FILE to either disable the verification (not recommended) or to set it to a path including their CA certificate.

We probably should enable the TLS verification in all cases (like it is the case for fetchgit) but doing it this way allows us to quickly provide a fix for the main issue. I will open a PR against staging after this to do that.

No functional changes are expected in nixpkgs since there is no usage of netrcPhase.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

This makes sure the credentials cannot be leaked in a MITM attack.
Note that this change might break some existing deployments if the users
try to fetch resources on endpoints with invalid certificates.
The impacted users will have the following choices:
* fix the endpoint providing the resource
* override SSL_CERT_FILE to either disable the verification (not
  recommended) or to set it to a path including their CA certificate.
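
The policy described in this pull request (verify TLS whenever credentials are sent), sketched as a standalone shell helper. This is an added example, not code from the pull request or from nixpkgs: `curl_tls_args` and its arguments are hypothetical, and refusing to fetch when no CA bundle is readable is this example's own choice. It assumes uncredentialed fetches keep verification off, as the description implies.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the nixpkgs fetchurl builder.
# Decide which TLS-related arguments to hand to curl for one download.
#   $1: path to a netrc file holding credentials ("" when none are used)
#   $2: value of SSL_CERT_FILE ("" when unset)
# Prints one curl argument per line; returns 1 when the fetch must not run.
curl_tls_args() {
    netrc_file=$1
    cert_file=$2

    # A CA bundle is usable only if it is readable and non-empty.
    have_ca=no
    if [ -n "$cert_file" ] && [ -r "$cert_file" ] && [ -s "$cert_file" ]; then
        have_ca=yes
    fi

    if [ -n "$netrc_file" ]; then
        # Credentials would go over the wire: verification is mandatory.
        # Fail closed instead of falling back to an unverified connection,
        # otherwise an on-path attacker receives the credentials.
        if [ "$have_ca" != yes ]; then
            echo "refusing to send credentials: no usable CA bundle" >&2
            return 1
        fi
        printf '%s\n' --cacert "$cert_file" --netrc-file "$netrc_file"
        return 0
    fi

    # No credentials (assumption: the content is checked against a fixed
    # hash elsewhere, so the remaining exposure is tampering, not secrets).
    if [ "$have_ca" = yes ]; then
        printf '%s\n' --cacert "$cert_file"
    else
        printf '%s\n' --insecure
    fi
}

# Demo with constructed paths: credentials requested, no CA bundle available.
curl_tls_args "/constructed/netrc" "" || echo "fetch aborted"
```
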
@mweinelt mweinelt merged commit ee35dc7 into NixOS:master Sep 23, 2024
24 checks passed
@mweinelt mweinelt added the backport release-24.05 Backport PR automatically label Sep 24, 2024

Successfully created backport PR for release-24.05:
