fetchurl: enable TLS verification when NIX_SSL_CERT_FILE is set

This is a follow-up to a169553f7e.
In most cases it should allow the TLS verification to be enabled.
It also makes the behavior of `fetchurl` more consistent with other fetchers
like `fetchgit`.

Ideally we would always fallback on `cacert` but I am not sure how to build
`cacert` during bootstrap without making an unmaintainable mess.

pkgs/build-support/fetchurl/builder.sh

@@ -19,7 +19,8 @@ curl=(
     --user-agent "curl/$curlVersion Nixpkgs/$nixpkgsVersion"
 )
 
-if ! [ -f "$SSL_CERT_FILE" ]; then
+# Default fallback value defined in pkgs/build-support/fetchurl/default.nix
+if [ "$SSL_CERT_FILE" == "/no-cert-file.crt" ]; then
     curl+=(--insecure)
 fi
 

pkgs/build-support/fetchurl/default.nix

@@ -220,20 +220,26 @@ stdenvNoCC.mkDerivation (
     # New-style output content requirements.
     inherit (hash_) outputHashAlgo outputHash;
 
-    # Disable TLS verification only when we know the hash and no credentials are
-    # needed to access the resource
     SSL_CERT_FILE =
-      if
+      let
+        nixSSLCertFile = builtins.getEnv "NIX_SSL_CERT_FILE";
+      in
+      if nixSSLCertFile != "" then
+        nixSSLCertFile
+      else if
         (
           hash_.outputHash == ""
           || hash_.outputHash == lib.fakeSha256
           || hash_.outputHash == lib.fakeSha512
           || hash_.outputHash == lib.fakeHash
+          # Make sure we always enforce TLS verification when credentials
+          # are needed to access the resource
           || netrcPhase != null
         )
       then
         "${cacert}/etc/ssl/certs/ca-bundle.crt"
       else
+        # Fallback to stdenv default, see pkgs/stdenv/generic/setup.sh
         "/no-cert-file.crt";
 
     outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";