gnutls: fix an upstream regression in RSA certificates

The update to 3.8.5 involved adding a feature to conditionally disable RSAES-PKCS1-v1.5 [1]. It was intended to be turned on by default [2], but failed [3]. Therefore it is disabled, which in turn throws a new error: "Fatal error: The encryption algorithm is not supported". (error 113). This can have severe implications, as for example Lets Encrypt signed RSA certificates aren't trusted anymore. This commit fetches the upstream patch, which hasn't been included in 3.8.5 [1]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828 [2]: https://gitlab.com/gnutls/gnutls/-/merge_requests/1828/diffs#cd5a2ba3b145c1bd292e027ef84c618b6b7fb895_267_274 [3]: https://gitlab.com/gnutls/gnutls/-/issues/1540 Signed-off-by: Florian Brandes <[email protected]>
NixOS · May 15, 2024 · cb46783 · cb46783
1 parent 935cdc9
commit cb46783
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix
@@ -85,6 +85,16 @@ stdenv.mkDerivation rec {
       revert = true;
       hash = "sha256-r/+Gmwqy0Yc1LHL/PdPLXlErUBC5JxquLzCBAN3LuRM=";
     })
+    # Makes the system-wide configuration for RSAES-PKCS1-v1_5 actually apply
+    # and makes it enabled by default when the config file is missing
+    # Without this an error 113 is thrown when using some RSA certificates
+    # see https://gitlab.com/gnutls/gnutls/-/issues/1540
+    # "This is pretty sever[e], since it breaks on letsencrypt-issued RSA keys." (comment from above issue)
+    (fetchpatch2 {
+      name = "fix-rsaes-pkcs1-v1_5-system-wide-configuration.patch";
+      url = "https://gitlab.com/gnutls/gnutls/-/commit/2d73d945c4b1dfcf8d2328c4d23187d62ffaab2d.diff";
+      hash = "sha256-2aWcLff9jzJnY+XSqCIaK/zdwSLwkNlfDeMlWyRShN8=";
+    })
   ];
 
   # Skip some tests: