From a6a8731dc75b967d7e8b0f21a901623e8202b472 Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Sun, 17 Apr 2022 16:05:13 +0300
Subject: [PATCH] curl: enable ca-bundle if activated http3 protocol

---
 pkgs/tools/networking/curl/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix
index a7cac48d52d7..7c7f301552e7 100644
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@@ -110,7 +110,8 @@ stdenv.mkDerivation rec {
       "--disable-manual"
       # Disable default CA bundle, use NIX_SSL_CERT_FILE or fallback
       # to nss-cacert from the default profile.
-      "--without-ca-bundle"
+      # https://github.com/curl/curl/issues/8696 - fallback is not supported by HTTP3
+      (if http3Support then "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" else "--without-ca-bundle")
       "--without-ca-path"
       (lib.enableFeature c-aresSupport "ares")
       (lib.enableFeature ldapSupport "ldap")