Verify TLS certificate before downloading binaries

The --insecure flag to curl tells curl not to bother checking if the TLS
certificate presented by the server actually matches the hostname
requested, and actually is issued by a trusted CA chain.  This almost
entirely negates any benefit from using TLS in the first place.

This removes the --insecure flag to ensure we actually have a secure
connection to the intended hostname before downloading binaries.

Manually tested locally within a dev-shell; was able to download
binaries from https://cache.nixos.org without issue.

[Note: --insecure was only used for fetching NARs, whose integrity is
verified by Nix anyway using the hash from the .narinfo. But if we can
fetch the .narinfo without --insecure, we can also fetch the .nar, so
there is not much point to using --insecure. --Eelco]
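The two points the commit message and Eelco's note make, as an added example that is not part of the commit or of Nix's own code, written in Python rather than the Perl of the patched scripts: what `--insecure` actually switches off (chain validation and hostname matching), and the .narinfo hash check that protects the NAR but not the .narinfo it came from. The Nix base32 encoder follows the bit ordering Nix uses for `nix-hash --to-base32`; the .narinfo text and NAR payload are constructed for the example.

```python
"""Added example, not code from the Nix commit or repository.

It shows, in Python rather than the Perl of the patched scripts, the two
things the commit message and Eelco's note talk about: what --insecure
switches off, and the .narinfo hash check that the NAR itself gets.
The .narinfo text and NAR payload below are constructed for the example.
"""
import hashlib
import hmac
import ssl

# Nix's base32 alphabet: RFC 4648 minus e, o, t and u.
NIX_BASE32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"


def make_ssl_context(insecure: bool = False) -> ssl.SSLContext:
    """Python equivalent of running curl with or without --insecure.

    The default context does what curl does by default: it requires a
    certificate chaining to a trusted CA and matching the requested host.
    insecure=True drops both checks, which is exactly what --insecure did.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when both chain validation and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def nix_base32(digest: bytes) -> str:
    """Encode a hash the way nix-hash --to-base32 does.

    Nix emits the 5-bit groups from the most significant one downwards,
    which is why this is not a drop-in for base64.b32encode.
    """
    n = len(digest)
    length = (n * 8 - 1) // 5 + 1
    out = []
    for pos in range(length - 1, -1, -1):
        byte_idx, bit = divmod(pos * 5, 8)
        c = digest[byte_idx] >> bit
        if byte_idx + 1 < n:
            c |= digest[byte_idx + 1] << (8 - bit)
        out.append(NIX_BASE32_ALPHABET[c & 0x1F])
    return "".join(out)


def sha256_base32(data: bytes) -> str:
    return nix_base32(hashlib.sha256(data).digest())


def parse_narinfo(text: str) -> dict:
    """Parse the 'Key: value' lines of a .narinfo into a dict."""
    info = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(": ")
            info[key.strip()] = value.strip()
    return info


def verify_file_hash(info: dict, served_bytes: bytes) -> bool:
    """Compare the bytes actually downloaded with FileHash from the .narinfo.

    This is the check Eelco's note refers to. It only protects the NAR:
    if the .narinfo was fetched over an unverified connection, an on-path
    attacker simply serves a .narinfo whose FileHash matches their NAR.
    """
    algo, _, expected = info["FileHash"].partition(":")
    if algo != "sha256":
        raise ValueError("unsupported hash type: " + algo)
    return hmac.compare_digest(sha256_base32(served_bytes), expected)


# Constructed sample: an uncompressed, made-up payload and a .narinfo for it.
FAKE_NAR = b"nix-archive-1 constructed payload, not a real NAR\n"
FAKE_NARINFO = (
    "StorePath: /nix/store/00000000000000000000000000000000-example\n"
    "URL: nar/constructed-example.nar\n"
    "Compression: none\n"
    "FileHash: sha256:" + sha256_base32(FAKE_NAR) + "\n"
    "FileSize: " + str(len(FAKE_NAR)) + "\n"
    "NarHash: sha256:" + sha256_base32(FAKE_NAR) + "\n"
    "NarSize: " + str(len(FAKE_NAR)) + "\n"
    "References: \n"
)


if __name__ == "__main__":
    info = parse_narinfo(FAKE_NARINFO)
    print("default context verifies peer:", verifies_peer(make_ssl_context()))
    print("--insecure equivalent verifies peer:",
          verifies_peer(make_ssl_context(insecure=True)))
    print("genuine NAR passes:", verify_file_hash(info, FAKE_NAR))
    print("tampered NAR passes:", verify_file_hash(info, FAKE_NAR + b"\x00"))
```

The tampered case fails the hash check as expected, but note what the check cannot do: with the insecure context, the .narinfo and its FileHash are attacker-controlled, so the same check would pass for a substituted NAR. That is why verifying the certificate on the .narinfo fetch matters even though the NAR is hashed.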
Philip Potter 2015-03-04 20:08:40 +00:00 committed by Eelco Dolstra
parent 39d1da7b51
commit 4f3cf06c97
2 changed files with 2 additions and 3 deletions


@ -566,7 +566,7 @@ sub downloadBinary {
die if $requireSignedBinaryCaches && !defined $info->{signedBy}; die if $requireSignedBinaryCaches && !defined $info->{signedBy};
print STDERR "\n*** Downloading $url ", ($requireSignedBinaryCaches ? "(signed by $info->{signedBy}) " : ""), "to $storePath...\n"; print STDERR "\n*** Downloading $url ", ($requireSignedBinaryCaches ? "(signed by $info->{signedBy}) " : ""), "to $storePath...\n";
checkURL $url; checkURL $url;
if (system("$Nix::Config::curl --fail --location --insecure --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) { if (system("$Nix::Config::curl --fail --location --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
warn "download of $url failed" . ($! ? ": $!" : "") . "\n"; warn "download of $url failed" . ($! ? ": $!" : "") . "\n";
next; next;
} }
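Review bot: the status tested by `if (system("$Nix::Config::curl ... '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0)` is the exit status of the last command in the shell pipeline, `nix-store --restore`, not curl's, so now that curl can fail at the TLS handshake (untrusted chain or hostname mismatch) before sending any bytes, the failure is only caught if `--restore` happens to reject the empty input, and `warn "download of $url failed"` gives the user no hint that certificate verification was the cause. Consider checking curl's own exit status (download to a temporary file first, or run the pipeline under a shell that supports pipefail) and including it in the warning, so that someone using a cache with a mis-issued certificate gets an actionable error rather than a generic download failure.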


@ -17,8 +17,7 @@ my $logFile = "$Nix::Config::logDir/downloads";
# estimating the expected download size. # estimating the expected download size.
my $fast = 1; my $fast = 1;
# --insecure is fine because Nix verifies the hash of the result. my $curl = "$Nix::Config::curl --fail --location";
my $curl = "$Nix::Config::curl --fail --location --insecure";
# Open the manifest cache and update it if necessary. # Open the manifest cache and update it if necessary.
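Review bot: the removed comment `# --insecure is fine because Nix verifies the hash of the result.` is not replaced, so the new `my $curl = "$Nix::Config::curl --fail --location";` carries no indication that dropping `--insecure` was deliberate; a one-line comment saying that certificate verification is required because the hash in the manifest is only as trustworthy as the connection it was fetched over would stop someone re-adding the flag with the old rationale. Minor: unlike the curl invocation in the other hunk, this `$curl` string sets no `--connect-timeout`, which is pre-existing but worth aligning while the line is being touched.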