[R-SIG-Mac] Libre SSL bug on MacOS Monterey => error in download.file()

Petr Bouchal pbouch@| @end|ng |rom gm@||@com
Tue Jan 11 23:15:50 CET 2022 

Many thanks Jeroen - that is very helpful, I was not aware of the capability in curl to switch SSL backends. (The backend also shows up in the curl package onLoad message, which is helpful).

Kind regards
Petr

> On 11. 1. 2022, at 1:04, Jeroen Ooms <jeroenooms using gmail.com> wrote:
> 
> On Mon, Jan 10, 2022 at 11:22 AM Petr Bouchal <pbouchal using gmail.com> wrote:
>> 
>> Dear all,
>> 
>> In brief: on Monterey, R cannot reach certain web domains due to a bug in Libre SSL - and perhaps not relying on system curl/openssl in R would be a systematic solution to this and símilar issues.
>> 
>> Specifically: on MacOS Monterey 12.1 using R 4.1.2, download.file() and other functions that rely on system-provided curl/openssl/Libre SSL (including in the curl package) have been failing on specific domains.
>> 
>> So running
>> 
>> download.file(“https://www.czso.cz/”, tempfile())
>> 
>> returns:
>> 
>> status was ‘SSL connect error’
>> 
>> the underlying error being
>> 
>> error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length.
> 
> I have to investigate this further (it looks like a buggy TLS server
> actually), but as a workaround you can set an environment variable
> CURL_SSL_BACKEND=SecureTransport when starting R, see for details:
> https://curl.se/libcurl/c/libcurl-env.html
> 
> The version of libcurl that is included with the past few versions of
> MacOS is actually built with support for 2 TLS back-ends: LibreSSL and
> native apple TLS (aka SecureTransport). You can override the default
> using the environment variable above, but you have to set it before
> libcurl gets initiated, hence before making any http connections in
> the R session, e.g. in your .Renviron.
> 
> You can see which version is active by looking at
> curl::curl_version()$ssl_version, the version in parenthesis is  Try
> running:
> 
>   CURL_SSL_BACKEND=openssl R -e "curl::curl_version()$ssl_version"
>   CURL_SSL_BACKEND=SecureTransport R -e "curl::curl_version()$ssl_version"
> 
> The same version of libcurl is also used by base-R in download.file().
> I've also explained this a bit (mostly for windows) in this vignette:
> https://cran.r-project.org/web/packages/curl/vignettes/windows.html

More information about the R-SIG-Mac mailing list