diff --git a/pkgs/build-support/fetchurl/builder.sh b/pkgs/build-support/fetchurl/builder.sh
index 52d4155f4604..a82728ef1025 100644
--- a/pkgs/build-support/fetchurl/builder.sh
+++ b/pkgs/build-support/fetchurl/builder.sh
@@ -19,8 +19,7 @@ curl=(
     --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
 )
 
-# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
-if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
+if ! [ -f "$SSL_CERT_FILE" ]; then
     curl+=(--insecure)
 fi
 
diff --git a/pkgs/build-support/fetchurl/default.nix b/pkgs/build-support/fetchurl/default.nix
index ccfc02d47c54..e4a70743334b 100644
--- a/pkgs/build-support/fetchurl/default.nix
+++ b/pkgs/build-support/fetchurl/default.nix
@@ -220,26 +220,20 @@ stdenvNoCC.mkDerivation (
     # New-style output content requirements.
     inherit (hash_) outputHashAlgo outputHash;
 
+    # Disable TLS verification only when we know the hash and no credentials are
+    # needed to access the resource
     SSL_CERT_FILE =
-      let
-        nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
-      in
-      if nixSSLCertFile != "" then
-        nixSSLCertFile
-      else if
+      if
         (
           hash_.outputHash == ""
           || hash_.outputHash == lib.fakeSha256
           || hash_.outputHash == lib.fakeSha512
           || hash_.outputHash == lib.fakeHash
-          # Make sure we always enforce TLS verification when credentials
-          # are needed to access the resource
           || netrcPhase != null
         )
       then
         "${cacert}/etc/ssl/certs/ca-bundle.crt"
       else
-        # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
         "/no-cert-file.crt";
 
     outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";