diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh
index a82728ef1025..52d4155f4604 100644
--- a/pkgs/build-support/fetchurl/builder.sh
+++ b/pkgs/build-support/fetchurl/builder.sh
@@ -19,7 +19,8 @@ curl=(
   --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
 )
 
-if ! [ -f "$SSL_CERT_FILE" ]; then
+# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
+if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
   curl+=(--insecure)
 fi
 
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
index e4a70743334b..ccfc02d47c54 100644
--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
@@ -220,20 +220,26 @@ stdenvNoCC.mkDerivation (
       # New-style output content requirements.
       inherit (hash_) outputHashAlgo outputHash;
 
-      # Disable TLS verification only when we know the hash and no credentials are
-      # needed to access the resource
       SSL_CERT_FILE =
-        if
+        let
+          nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
+        in
+        if nixSSLCertFile != "" then
+          nixSSLCertFile
+        else if
           (
             hash_.outputHash == ""
             || hash_.outputHash == lib.fakeSha256
             || hash_.outputHash == lib.fakeSha512
             || hash_.outputHash == lib.fakeHash
+            # Make sure we always enforce TLS verification when credentials
+            # are needed to access the resource
             || netrcPhase != null
           )
         then
           "${cacert}/etc/ssl/certs/ca-bundle.crt"
         else
+          # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
           "/no-cert-file.crt";
 
       outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";
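Review bot: The `--insecure` branch is still taken silently, and now that it is keyed on the `/no-cert-file.crt` sentinel rather than on a missing file, a reader of the build log has no way to tell whether verification was deliberately skipped or whether a non-sentinel `$SSL_CERT_FILE` simply did not exist in the sandbox (curl then fails with a CA error, which is the fail-closed outcome the new comparison gives). I would make the decision visible, e.g. `echo "fetchurl: SSL_CERT_FILE is the no-cert sentinel; TLS verification disabled for this fixed-output fetch" >&2` inside the `if` before `curl+=(--insecure)`. Minor style point: `==` inside `[ ]` is a bash extension, `[ "$SSL_CERT_FILE" = "/no-cert-file.crt" ]` is the portable spelling if the script is ever run under a POSIX `sh`. The `curl=(` array this hunk extends is opened above the hunk.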
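Review bot: The new `nixSSLCertFile` branch takes a path from the evaluator's environment (`builtins.getEnv "NIX_SSL_CERT_FILE"`) and hands it to a builder that may run in a sandbox or on a remote machine where that path is not readable, and nothing in the hunk says so; with the sentinel comparison in builder.sh this case now fails closed (curl rejects the connection) instead of falling back to `--insecure`, which is the right direction but will surprise users who previously saw the fetch succeed. The removed two-line comment was the only place explaining why `cacert` is used for fake or missing hashes and netrc fetches, and the `let` block replaces it with nothing; I would restore that explanation above `SSL_CERT_FILE =` and extend it with one sentence noting that `NIX_SSL_CERT_FILE` is read impurely at evaluation time, is empty under pure evaluation, and must point at a file the build can read. The `mkDerivation` attribute set this hunk sits in starts and ends outside the hunk.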