diff --git a/changelog.d/0-release-notes/nix-builds b/changelog.d/0-release-notes/nix-builds index a8ffbbc8bd..61ce21a6b4 100644 --- a/changelog.d/0-release-notes/nix-builds +++ b/changelog.d/0-release-notes/nix-builds @@ -1 +1 @@ -Build docker images using nix derivations instead of Dockerfiles (#2331, ##) \ No newline at end of file +Build docker images using nix derivations instead of Dockerfiles (#2331, #2771, #2772) \ No newline at end of file diff --git a/nix/wire-server.nix b/nix/wire-server.nix index e1eb035e43..9b7bd783a1 100644 --- a/nix/wire-server.nix +++ b/nix/wire-server.nix @@ -216,6 +216,7 @@ let lib = pkgs.lib; ''; config = { Entrypoint = ["${pkgs.dumb-init}/bin/dumb-init" "--" "${drv}/bin/${execName}"]; + Env = ["SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"]; }; } ) (staticExecs localMods); diff --git a/services/brig/src/Brig/App.hs b/services/brig/src/Brig/App.hs index 1b8a7d388d..b384000078 100644 --- a/services/brig/src/Brig/App.hs +++ b/services/brig/src/Brig/App.hs @@ -135,7 +135,6 @@ import Network.HTTP.Client.OpenSSL import OpenSSL.EVP.Digest (Digest, getDigestByName) import OpenSSL.Session (SSLOption (..)) import qualified OpenSSL.Session as SSL -import qualified OpenSSL.X509.SystemStore as SSL import Polysemy import Polysemy.Final import qualified Ropes.Nexmo as Nexmo @@ -339,7 +338,7 @@ initHttpManager = do SSL.contextSetCiphers ctx "HIGH" SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing - SSL.contextLoadSystemCerts ctx + SSL.contextSetDefaultVerifyPaths ctx -- Unfortunately, there are quite some AWS services we talk to -- (e.g. SES, Dynamo) that still only support TLSv1. -- Ideally: SSL.contextAddOption ctx SSL_OP_NO_TLSv1 
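Review bot: `Env = ["SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"]` points OpenSSL at a bundle that this hunk does not show being placed into the image, and OpenSSL documents that a missing default location is still reported as success, so a container without that file would start with an empty trust store and fail every peer-verified handshake at runtime rather than at startup. If the bundle is added elsewhere in this derivation (e.g. a cacert package in the image contents), a comment on this line would save the next reader the search, e.g. `# the services call SSL_CTX_set_default_verify_paths, which honours this variable; keep it in sync with the CA bundle added to the image contents`. Note that only OpenSSL-based clients read SSL_CERT_FILE; a haskell-tls/x509-system based client in the same image, if there is one, looks at SYSTEM_CERTIFICATE_PATH or the /etc/ssl/certs directory instead, which is worth confirming before relying on this single variable.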
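Review bot: `SSL.contextSetDefaultVerifyPaths ctx` loads trust roots from OpenSSL's compiled-in paths as overridden by `SSL_CERT_FILE`/`SSL_CERT_DIR`, and OpenSSL documents that a missing default location is still a success, so a wrong or unset variable is not caught here: the context simply has no CAs and every `VerifyPeer` handshake (SES, Dynamo, …) fails later with an unknown-CA error. If the image always sets `SSL_CERT_FILE`, loading it explicitly would fail at startup instead, e.g. `maybe (SSL.contextSetDefaultVerifyPaths ctx) (SSL.contextSetCAFile ctx) =<< lookupEnv "SSL_CERT_FILE"` (`contextSetCAFile` raises when the file cannot be loaded, if I read HsOpenSSL right; `lookupEnv` needs `System.Environment` or the project prelude in scope). As far as I recall, HsOpenSSL's `contextLoadSystemCerts` already used this same OpenSSL call on Linux and only differs on macOS/Windows (keychain/system store), so the runtime change is probably confined to developer builds there — worth stating in a comment such as `-- trust roots: SSL_CERT_FILE/SSL_CERT_DIR (set by the nix image) or OpenSSL's default paths; the OS keychain is no longer consulted`. `initHttpManager` continues outside the hunk.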
@@ -369,7 +368,7 @@ initExtGetManager = do -- We use public key pinning with service providers and want to -- support self-signed certificates as well, hence 'VerifyNone'. SSL.contextSetVerificationMode ctx SSL.VerifyNone - SSL.contextLoadSystemCerts ctx + SSL.contextSetDefaultVerifyPaths ctx mgr <- newManager (opensslManagerSettings (pure ctx)) -- see Note [SSL context] diff --git a/services/cargohold/src/CargoHold/App.hs b/services/cargohold/src/CargoHold/App.hs index bd0635e456..c585462199 100644 --- a/services/cargohold/src/CargoHold/App.hs +++ b/services/cargohold/src/CargoHold/App.hs @@ -66,7 +66,6 @@ import Network.HTTP.Client.OpenSSL import Network.Wai.Utilities (Error (..)) import OpenSSL.Session (SSLContext, SSLOption (..)) import qualified OpenSSL.Session as SSL -import qualified OpenSSL.X509.SystemStore as SSL import System.Logger.Class hiding (settings) import qualified System.Logger.Extended as Log @@ -132,7 +131,7 @@ initSSLContext = do SSL.contextAddOption ctx SSL_OP_NO_SSLv2 SSL.contextAddOption ctx SSL_OP_NO_SSLv3 SSL.contextSetCiphers ctx "HIGH" - SSL.contextLoadSystemCerts ctx + SSL.contextSetDefaultVerifyPaths ctx SSL.contextSetVerificationMode ctx $ SSL.VerifyPeer True True Nothing pure ctx diff --git a/services/galley/src/Galley/App.hs b/services/galley/src/Galley/App.hs index 97cd4b2bf4..6cca62b1f4 100644 --- a/services/galley/src/Galley/App.hs +++ b/services/galley/src/Galley/App.hs @@ -90,7 +90,6 @@ import Network.HTTP.Client (responseTimeoutMicro) import Network.HTTP.Client.OpenSSL import qualified Network.Wai.Utilities.Error as Wai import OpenSSL.Session as Ssl -import qualified OpenSSL.X509.SystemStore as Ssl import Polysemy import Polysemy.Error import Polysemy.Input 
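Review bot: `SSL.contextSetDefaultVerifyPaths ctx` should have no effect on whether a handshake succeeds in this context, because the line above sets `SSL.VerifyNone` and the comment explains that trust comes from public-key pinning rather than a CA chain. Either drop the call here or say why it is kept, e.g. `-- no effect under VerifyNone (pinning is used instead); kept so every context is configured the same way`, so a future reader does not take it as evidence that CA validation applies to service providers. `initExtGetManager` continues outside the hunk.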
@@ -189,7 +188,7 @@ initHttpManager o = do Ssl.contextAddOption ctx SSL_OP_NO_SSLv3 Ssl.contextAddOption ctx SSL_OP_NO_TLSv1 Ssl.contextSetCiphers ctx rsaCiphers - Ssl.contextLoadSystemCerts ctx + Ssl.contextSetDefaultVerifyPaths ctx newManager (opensslManagerSettings (pure ctx)) { managerResponseTimeout = responseTimeoutMicro 10000000, diff --git a/services/galley/src/Galley/Env.hs b/services/galley/src/Galley/Env.hs index 76eecaa2cf..b9856efc0f 100644 --- a/services/galley/src/Galley/Env.hs +++ b/services/galley/src/Galley/Env.hs @@ -34,7 +34,6 @@ import Network.HTTP.Client import Network.HTTP.Client.OpenSSL import OpenSSL.EVP.Digest import OpenSSL.Session as Ssl -import qualified OpenSSL.X509.SystemStore as Ssl import Ssl.Util import System.Logger import Util.Options @@ -80,7 +79,7 @@ initExtEnv = do Ssl.contextAddOption ctx SSL_OP_NO_SSLv3 Ssl.contextAddOption ctx SSL_OP_NO_TLSv1 Ssl.contextSetCiphers ctx rsaCiphers - Ssl.contextLoadSystemCerts ctx + Ssl.contextSetDefaultVerifyPaths ctx mgr <- newManager (opensslManagerSettings (pure ctx)) diff --git a/services/galley/test/integration/API/SQS.hs b/services/galley/test/integration/API/SQS.hs index 1a66a77292..d78fded08c 100644 --- a/services/galley/test/integration/API/SQS.hs +++ b/services/galley/test/integration/API/SQS.hs @@ -42,7 +42,6 @@ import Imports import Network.HTTP.Client import Network.HTTP.Client.OpenSSL import OpenSSL.Session as Ssl -import qualified OpenSSL.X509.SystemStore as Ssl import Proto.TeamEvents as E import Proto.TeamEvents_Fields as E import Safe (headDef) @@ -243,7 +242,7 @@ initHttpManager = do Ssl.contextAddOption ctx SSL_OP_NO_SSLv3 Ssl.contextAddOption ctx SSL_OP_NO_TLSv1 Ssl.contextSetCiphers ctx rsaCiphers - Ssl.contextLoadSystemCerts ctx + Ssl.contextSetDefaultVerifyPaths ctx newManager (opensslManagerSettings (pure ctx)) -- see Note [SSL context] { managerResponseTimeout = responseTimeoutMicro 10000000,
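Review bot: The same context setup (`SSL_OP_NO_SSLv3`, `SSL_OP_NO_TLSv1`, `rsaCiphers`, `contextSetDefaultVerifyPaths`) now appears in `initExtEnv`, in galley's `initHttpManager` and in the SQS test helper, with brig and cargohold carrying near-identical copies, so the trust-root policy is decided in six places and this patch had to touch all of them. Since this module already imports `Ssl.Util`, a shared constructor there (say `mkDefaultContext :: IO SSLContext` that applies the option, cipher and verify-path calls, with each caller adding its own verification mode) would make the next change to trust loading a one-line diff. The verification mode for `initExtEnv` is outside the hunk, so I cannot tell from here whether this context is `VerifyPeer` or pinning-only like brig's external manager; a comment stating which would help. `initExtEnv` continues outside the hunk.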
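Review bot: This test helper now resolves trust roots through `SSL_CERT_FILE`/`SSL_CERT_DIR` or OpenSSL's compiled-in paths, which the nix image sets but a developer shell or CI runner may not; if the OpenSSL used there is the nix-built one, its compiled-in path presumably holds no bundle, and any TLS endpoint the SQS test reaches (if the endpoint under test is TLS at all) would fail verification with an unknown-CA error that is easy to misread as a test bug. A short comment would make the dependency explicit, e.g. `-- relies on SSL_CERT_FILE (or OpenSSL's default paths) being set in the test environment`, or the integration harness could export the same variable the image uses. `initHttpManager` continues outside the hunk.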