[Rd] r-project.org SSL certificate issues

Gábor Csárdi <csardi.gabor using gmail.com>
Sun May 31 17:09:56 CEST 2020


On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
[...]
> Btw. why does this affect openssl? That root cert was published in
> 2010, surely openssl should know about it? Maybe libcurl / openssl
> only uses the chain provided by the server? Without trying to use an
> alternate chain?

Yes, indeed it seems that old OpenSSL versions cannot handle
alternative certificate chains. This has been fixed in OpenSSL in
2015, so modern Linux systems should be fine. However, macOS uses
LibreSSL, and LibreSSL never fixed this issue. E.g.
https://github.com/libressl-portable/portable/issues/595

r-project.org can be updated to send the new root certificate, which
will solve most of our problems, but we'll probably have issues with
other web sites that'll update slower or never.

FWIW I built macOS binaries for the curl package, using a static
libcurl and macOS Secure Transport, so these binaries do not have
this issue.

They are at https://files.r-hub.io/curl-macos-static and they can be
installed with
install.packages("curl", repos =
"https://files.r-hub.io/curl-macos-static", type = "binary")

They support R 3.2 and up, including R 4.1, and should work on all
macOS versions that the given R release supports.

Gabor
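
A simplified model of the failure described in the message above, added here as an illustration (it is not code from the post, OpenSSL, LibreSSL or curl): a path builder that follows the server-sent chain to its end lands on an expired root, while one that stops at the first trust anchor succeeds. All certificate names and dates are constructed, and issuers are matched by name only, with no signature checks.

```python
from datetime import date

NOW = date(2020, 5, 31)  # date of the post

def cert(subject, issuer, not_after):
    # Constructed stand-in for a certificate: names and expiry only, no keys.
    return {"subject": subject, "issuer": issuer,
            "not_after": date.fromisoformat(not_after)}

# Constructed chain as sent by a server: leaf, intermediate, and a copy of
# "New Root" cross-signed by "Old Root" (expired the day before NOW).
SERVER_CHAIN = [cert("leaf", "Intermediate CA", "2021-01-01"),
                cert("Intermediate CA", "New Root", "2028-01-01"),
                cert("New Root", "Old Root", "2020-05-30")]
# Constructed client trust store: self-signed new root plus the expired old root.
TRUST_STORE = [cert("New Root", "New Root", "2038-01-01"),
               cert("Old Root", "Old Root", "2020-05-30")]

def find_issuer(c, pool):
    return next((x for x in pool if x["subject"] == c["issuer"]), None)

def build_untrusted_first(sent, store):
    """Follow the server-sent chain to its end, then look for a trust anchor."""
    path = [sent[0]]
    while (nxt := find_issuer(path[-1], [c for c in sent if c not in path])):
        path.append(nxt)
    anchor = find_issuer(path[-1], store)
    return path + [anchor] if anchor else path

def build_trusted_first(sent, store):
    """Stop at the first certificate whose issuer is already a trust anchor."""
    path = [sent[0]]
    while not (anchor := find_issuer(path[-1], store)):
        nxt = find_issuer(path[-1], [c for c in sent if c not in path])
        if nxt is None:
            return path
        path.append(nxt)
    return path + [anchor]

def verify(path, store, now=NOW):
    if path[-1] not in store:
        return "no trust anchor"
    expired = [c["subject"] for c in path if c["not_after"] < now]
    return "expired: " + ", ".join(expired) if expired else "ok"

if __name__ == "__main__":
    print("untrusted first:", verify(build_untrusted_first(SERVER_CHAIN, TRUST_STORE), TRUST_STORE))
    print("trusted first:  ", verify(build_trusted_first(SERVER_CHAIN, TRUST_STORE), TRUST_STORE))
    print("cross cert dropped:", verify(build_untrusted_first(SERVER_CHAIN[:2], TRUST_STORE), TRUST_STORE))
```

The third case models the server-side change mentioned in the message: once the server no longer sends the cross-signed certificate, even the untrusted-first builder reaches the valid root.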


