Is your feature request related to a problem? Please describe.
It would be nice to be able to specify the TLS certificate (PEM) to use when connecting to an HTTPS store.
The SSH and experimental SSH stores have a base64-ssh-public-host-key parameter, which allows specifying the remote host's public key. We don't have a similar feature for HTTPS; instead, our only option right now is the PKI, or making the certificate globally trusted (e.g. by adding the authority to the trusted roots store).
Describe the solution you'd like
It would be nice to be able to specify the expected certificate as a parameter, e.g. https://nix-cache.example.com?certificate=/etc/nix/cache.pem.
Describe alternatives you've considered
There is NIX_SSL_CERT_FILE, but it would be nice to set it on a store URL basis, so that 1) the certificate isn't used to authenticate sites other than the store, and 2) other certificates are not allowed to authenticate connections to the store.
Additional context
This would be useful in situations where it's not easy to obtain a public HTTPS certificate (e.g. in intranets with restricted network access), or for privacy reasons (due to certificate transparency programs), or due to simply wanting to use a self-signed certificate.
Priorities
Add :+1: to issues you find important.
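
The per-store scoping this request describes, as an added example (not Nix code and not written by the issue author). The `certificate` URL parameter is the one proposed above and does not exist in Nix; `parse_store_url` and `StoreTrust` are hypothetical names, the second store URL is constructed, and Python's `ssl` module stands in for Nix's HTTP client.

```python
import ssl
from urllib.parse import urlsplit, parse_qs


def parse_store_url(url):
    """Return ((host, port), pinned_pem_path_or_None) for an https store URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("certificate= only makes sense for https stores")
    pins = parse_qs(parts.query).get("certificate", [])  # hypothetical parameter
    if len(pins) > 1:
        raise ValueError("more than one certificate= parameter")
    return (parts.hostname, parts.port or 443), (pins[0] if pins else None)


class StoreTrust:
    """Maps each store origin to the only trust anchors allowed for it."""

    def __init__(self, store_urls):
        self.pins = {}
        for url in store_urls:
            origin, pem_path = parse_store_url(url)
            if pem_path is not None:
                self.pins[origin] = pem_path

    def trust_source(self, host, port=443):
        # Property 1: a pin is keyed by origin, so it never vouches for other sites.
        return self.pins.get((host.lower(), port), "system")

    def context_for(self, host, port=443):
        pem_path = self.pins.get((host.lower(), port))
        if pem_path is None:
            return ssl.create_default_context()  # unpinned store: ordinary PKI
        # Property 2: PROTOCOL_TLS_CLIENT starts with an empty trust store,
        # requires verification and checks the hostname; loading only the
        # pinned PEM means no other authority can authenticate this store.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=pem_path)  # raises if missing: no fallback
        return ctx


if __name__ == "__main__":
    trust = StoreTrust([
        "https://nix-cache.example.com?certificate=/etc/nix/cache.pem",
        "https://other.example.org",  # constructed second store, no pin
    ])
    print(trust.trust_source("nix-cache.example.com"))
    print(trust.trust_source("other.example.org"))
```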