stdenv, cacert: consider $NIX_SSL_CERT_FILE in hooks

Some SSL libs don't react to $SSL_CERT_FILE.
That actually makes sense to me, as we add this behavior
as nixpkgs-specific, so it seems "safer" to use $NIX_*.

pkgs/data/misc/cacert/setup-hook.sh

@@ -1,4 +1,6 @@
 cacertHook() {
+    export NIX_SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
+    # left for compatibility
     export SSL_CERT_FILE=@out@/etc/ssl/certs/ca-bundle.crt
 }
 

pkgs/development/interpreters/gauche/default.nix

@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     "--with-iconv=${libiconv}"
     "--with-dbm=gdbm"
     "--with-zlib=${zlib}"
-    "--with-ca-bundle=$SSL_CERT_FILE"
+    "--with-ca-bundle=$NIX_SSL_CERT_FILE"
     # TODO: Enable slib
     #       Current slib in nixpkgs is specialized to Guile
     # "--with-slib=${slibGuile}/lib/slib"

pkgs/stdenv/generic/setup.sh

@@ -646,9 +646,12 @@ fi
 export NIX_BUILD_CORES
 
 
-# Prevent OpenSSL-based applications from using certificates in
-# /etc/ssl.
+# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
 # Leave it in shells for convenience.
+if [ -z "${NIX_SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
+  export NIX_SSL_CERT_FILE=/no-cert-file.crt
+fi
+# Another variant left for compatibility.
 if [ -z "${SSL_CERT_FILE:-}" ] && [ -z "${IN_NIX_SHELL:-}" ]; then
   export SSL_CERT_FILE=/no-cert-file.crt
 fi