fetchurl: enable TLS verification when credentials are used (#344000)

pkgs/build-support/fetchurl/default.nix

@@ -164,7 +164,8 @@ stdenvNoCC.mkDerivation ((
  # New-style output content requirements.
  inherit (hash_) outputHashAlgo outputHash;
 
- SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash)
+ # Disable TLS verification only when we know the hash and no credentials are needed to access the ressource
+ SSL_CERT_FILE = if (hash_.outputHash == "" || hash_.outputHash == lib.fakeSha256 || hash_.outputHash == lib.fakeSha512 || hash_.outputHash == lib.fakeHash || netrcPhase != null)
  then "${cacert}/etc/ssl/certs/ca-bundle.crt"
  else "/no-cert-file.crt";