[Rd] r-project.org SSL certificate issues
@|mon@urb@nek @end|ng |rom R-project@org
Wed Jun 10 00:50:18 CEST 2020
To be clear, this not an issue in the libraries nor R, the certificates on the server were simply wrong. So, no, this has nothing to do with R.
> On Jun 10, 2020, at 10:45 AM, Henrik Bengtsson <henrik.bengtsson using gmail.com> wrote:
> Was this resolved upstream or is this something that R should/could
> fix? If the latter, could this also go into the "emergency release" R
> 4.0.2 that is scheduled for 2020-06-22?
> My $.02
> On Sun, May 31, 2020 at 8:13 AM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>> Btw. it would be also possible to create a macOS R installer that
>> embeds a static or dynamic libcurl with Secure Transport, instead of
>> the Apple default LibreSSL.
>> This might be too late for R 4.0.1, I don't know.
>> On Sun, May 31, 2020 at 4:09 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>>> On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>>>> Btw. why does this affect openssl? That root cert was published in
>>>> 2010, surely openssl should know about it? Maybe libcurl / openssl
>>>> only uses the chain provided by the server? Without trying to use an
>>>> alternate chain?
>>> Yes, indeed it seems that old OpenSSL versions cannot handle
>>> alternative certificate chains. This has been fixed in OpenSSL in
>>> 2015, so modern Linux systems should be fine. However, macOS uses
>>> LibreSSL, and LibreSSL never fixed this issue. E.g.
>>> r-project.org can be updated to send the new root certificate, which
>>> will solve most of our problems, but we'll probably have issues with
>>> other web sites that'll update slower or never.
>>> FWIW I built macOS binaries for the curl package, using a static
>>> libcurl and macOS Secure Transport, so these binaries does not have
>>> this issue.
>>> They are at https://files.r-hub.io/curl-macos-static and they can be
>>> installed with
>>> install.packages("curl", repos =
>>> "https://files.r-hub.io/curl-macos-static", type = "binary")
>>> They support R 3.2 and up, including R 4.1, and should work on all
>>> macOS versions that the given R release supports.
>> R-devel using r-project.org mailing list
> R-devel using r-project.org mailing list
More information about the R-devel