diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index c832108fed0644afa69ee4ea9a7b5e6b88fe20e3..327d22c4a19dadb5cbbe403c5edc8c0d95699ed1 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -451,6 +451,20 @@ flag, e.g. <literal>--option gc-keep-outputs false</literal>.</para>
   </varlistentry>
 
 
+  <varlistentry xml:id="conf-connect-timeout"><term><literal>connect-timeout</literal></term>
+
+    <listitem>
+
+      <para>The timeout (in seconds) for establishing connections in
+      the binary cache substituter.  It corresponds to
+      <command>curl</command>’s <option>--connect-timeout</option>
+      option.</para>
+
+    </listitem>
+
+  </varlistentry>
+
+
 </variablelist>
 
 </para>
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index 4f7ff12e8f1798fbed2cc757988e2a1117eb4ac6..8b49a251765f01d234aba8b2d8a3c6f7eb6ee1af 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -44,7 +44,10 @@ my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user name"
 
 my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0";
 
-my $curlConnectTimeout = int($ENV{"NIX_CONNECT_TIMEOUT"} // 0);
+my $curlConnectTimeout = int(
+    $Nix::Config::config{"untrusted-connect-timeout"} //
+    $Nix::Config::config{"connect-timeout"} //
+    $ENV{"NIX_CONNECT_TIMEOUT"} // 0);
 
 
 sub addRequest {