Rationale: openssl has a single configuration file, which I need to change in such a way that TLS 1.0 is reenabled (the system needs to contact a MS SQL Server 2008, which only does TLS 1.0).
When I do this, half the world gets recompiled, which is understandable, because the config file override path is an argument to the stuff that builds openssl. But the change is really about the runtime environment, not the build environment, so, in reality, there is no need to actually rebuild the dependents. I realize that if I were on NixOS, I could use system.replaceRuntimeDependencies to work around this, but I’m not. I’m in bare Nix. Does anyone have any thoughts (other than just caching the resulting built stuff) that might reduce my build times?
I’m game to change the openssl derivation code if it’s required.
I assume not every program provided by Nix needs to access the SQL server, so you should not override openssl in nixpkgs. Assign the modified derivation to openssl_with_tls1 and use it in the inputs of those derivations that actually need to access SQL server.
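A sketch of the approach suggested in the reply above, as an added example that is not code from the thread or from nixpkgs. It assumes a nixpkgs revision that still provides `openssl_1_1` and whose openssl derivation takes the `conf` argument; `sqlClient` is a hypothetical stand-in for the package that talks to SQL Server, and the config contents are constructed.

```nix
let
  pkgs = import <nixpkgs> {
    overlays = [
      (final: prev: {
        # A new attribute: pkgs.openssl keeps its store hash, so nothing
        # that depends on it is rebuilt. Only this extra copy is built.
        openssl_with_tls1 = prev.openssl_1_1.override {
          # Constructed minimal config that lowers the protocol floor
          # to TLS 1.0 for consumers of this copy only.
          conf = prev.writeText "openssl-tls1.cnf" ''
            openssl_conf = openssl_init

            [openssl_init]
            ssl_conf = ssl_sect

            [ssl_sect]
            system_default = system_default_sect

            [system_default_sect]
            MinProtocol = TLSv1
            CipherString = DEFAULT@SECLEVEL=1
          '';
        };
      })
    ];
  };
in
{
  # Hypothetical consumer: it receives the modified build through its
  # `openssl` argument, the same way a real package would via callPackage.
  # The build just records OPENSSLDIR, the directory this copy of openssl
  # reads openssl.cnf from.
  sqlClient = pkgs.callPackage
    ({ runCommand, openssl }:
      runCommand "sql-client-openssl-dir" { } ''
        ${openssl.bin}/bin/openssl version -d > $out
      '')
    { openssl = pkgs.openssl_with_tls1; };
}
```

Building `sqlClient` compiles OpenSSL 1.1.1 once with the relaxed config; every other package keeps the stock `openssl` and its default protocol floor.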
The overlay would be useless in most circumstances given OPENSSL_CONF… in this one, however, I think I’m sticking with it.
Rationale: The config file formats between openssl 1.1.1 and 3.X are very different and I’m not sure 3.X would be happy with a 1.1.1 config file. The ODBC driver needs openssl 1.1.1 because I can’t figure out how to allow openssl 3.0.X to talk TLS 1.0. If I set OPENSSL_CONF globally I’m not sure what would happen. With the overlay, the rest of the stuff in the process can go ahead and use whatever openssl they’re compiled against.