[Rd] r-project.org SSL certificate issues

Gábor Csárdi csardi.gabor using gmail.com
Sun May 31 17:12:54 CEST 2020


Btw. it would also be possible to create a macOS R installer that
embeds a static or dynamic libcurl with Secure Transport, instead of
the Apple default LibreSSL.

This might be too late for R 4.0.1, I don't know.

Gabor

On Sun, May 31, 2020 at 4:09 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>
> On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
> [...]
> > Btw. why does this affect openssl? That root cert was published in
> > 2010, surely openssl should know about it? Maybe libcurl / openssl
> > only uses the chain provided by the server? Without trying to use an
> > alternate chain?
>
> Yes, indeed it seems that old OpenSSL versions cannot handle
> alternative certificate chains. This has been fixed in OpenSSL in
> 2015, so modern Linux systems should be fine. However, macOS uses
> LibreSSL, and LibreSSL never fixed this issue. E.g.
> https://github.com/libressl-portable/portable/issues/595
>
> r-project.org can be updated to send the new root certificate, which
> will solve most of our problems, but we'll probably have issues with
> other web sites that'll update slower or never.
>
> FWIW I built macOS binaries for the curl package, using a static
> libcurl and macOS Secure Transport, so these binaries do not have
> this issue.
>
> They are at https://files.r-hub.io/curl-macos-static and they can be
> installed with
> install.packages("curl", repos =
> "https://files.r-hub.io/curl-macos-static", type = "binary")
>
> They support R 3.2 and up, including R 4.1, and should work on all
> macOS versions that the given R release supports.
>
> Gabor
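
The chain-building behaviour described in the quoted message, as an added example that is not part of the original post and is not OpenSSL or LibreSSL code: a simplified model in which a legacy verifier follows the server-supplied chain to an expired root, while a verifier that prefers roots from the local store finds the alternate chain. All certificate names, dates and the `trusted_first` switch are constructed for illustration, and signatures are not modelled.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed sample data: names and dates are illustrative, not real certificates.
TODAY = date(2020, 5, 31)
OLD_ROOT = Cert("Old Root", "Old Root", date(2020, 5, 30))   # expired root, still in the store
NEW_ROOT = Cert("New Root", "New Root", date(2038, 1, 1))    # newer self-signed root
CROSS = Cert("New Root", "Old Root", date(2020, 5, 30))      # New Root cross-signed by Old Root
INTER = Cert("Intermediate CA", "New Root", date(2030, 1, 1))
LEAF = Cert("www.example.org", "Intermediate CA", date(2021, 1, 1))

TRUST_STORE = [OLD_ROOT, NEW_ROOT]
SERVER_CHAIN = [LEAF, INTER, CROSS]       # server still sends the cross-signed certificate
UPDATED_CHAIN = [LEAF, INTER, NEW_ROOT]   # server updated to send the new root instead

def find(pool, name):
    return next((c for c in pool if c.subject == name), None)

def build_path(chain, store, trusted_first):
    """Build one path from the leaf (chain[0]) to a trust anchor, or return None."""
    path = [chain[0]]
    while True:
        cur = path[-1]
        if cur.subject == cur.issuer:              # self-signed: must itself be trusted
            return path if cur in store else None
        anchor = find(store, cur.issuer)
        sent = find([c for c in chain if c not in path], cur.issuer)
        if anchor and (trusted_first or sent is None):
            return path + [anchor]                 # stop at a root from the local store
        if sent is None:
            return None                            # no issuer anywhere
        path.append(sent)                          # keep following what the server sent

def verify(chain, store, trusted_first, today=TODAY):
    path = build_path(chain, store, trusted_first)
    return path is not None and all(c.not_after >= today for c in path)

if __name__ == "__main__":
    print("legacy, old chain:    ", verify(SERVER_CHAIN, TRUST_STORE, False))
    print("trusted-first, old:   ", verify(SERVER_CHAIN, TRUST_STORE, True))
    print("legacy, updated chain:", verify(UPDATED_CHAIN, TRUST_STORE, False))
```

The third case corresponds to the server-side update mentioned in the message: once the server stops sending the cross-signed certificate, even the legacy path builder ends at the valid root.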
