[R-SIG-Mac] Libre SSL bug on MacOS Monterey => error in download.file()

Jeroen Ooms jeroenooms at gmail.com
Wed Jan 12 12:47:09 CET 2022


On Tue, Jan 11, 2022 at 10:12 PM Simon Urbanek
<simon.urbanek at r-project.org> wrote:
>
> Petře,
>
> thanks for the detailed analysis. It is rather curious that the issue appears only on _newer_ systems - we are more used to issues due to older CA chains and similar. It looks like an Apple bug on specific systems, so hopefully it will be fixed eventually. In general I was trying to avoid having to supply our own SSL library since that opens a whole can of worms - on one hand due to the dependency issues (which libraries get compiled against what) and on the other hand we become responsible for security updates.
>
> Thanks to Jeroen for the work-around (CURL_SSL_BACKEND=SecureTransport), using the native API is certainly preferred, there have been several issues with both OpenSSL and LibreSSL before. It seems that Apple has been flip-flopping with libcurl a lot - on El Capitan it was shipped with SecureTransport, on High-Sierra with LibreSSL, on Catalina and higher with both, but Libre the default.
>
> I am somewhat less apprehensive to use static libcurl for R than SSL libraries as the fallout is a bit smaller. As a trial I have added static curl[2] which is close to the Apple build minus MultiSSL to big-sur nightly builds of R[3] and as expected that solves the problem. It may not be entirely unproblematic for package space, because packages often forget to prepend --static when using static builds of libraries, and so do other dependencies that may use curl, but I'll see what comes out of it.

I would much recommend sticking with the Apple version of libcurl;
perhaps override the default ssl-backend if you like. There is some
example code to do this in the curl package that you could adapt for
base R: https://github.com/jeroen/curl/blob/master/src/ssl.c

The benefit of dynamically linking to Apple's libcurl is that we
automatically get a version of libcurl+deps+certs that is tuned and
maintained for that version of macOS, including future ones. If you
ship a version of base-R with a static libcurl now, that version of R
may not work anymore a few years from now or on a future version of
macOS, when things have moved on (for example, when servers start to
require TLS 1.3).
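A way to apply and check the CURL_SSL_BACKEND workaround from the shell, as an added example that is not part of this thread, of R, of Apple's libcurl or of the curl package. It parses the first line of `curl -V` to report which backend a MultiSSL libcurl will use (libcurl's version string prints the selected backend bare and every other compiled-in backend in parentheses, so Apple's default shows as "(SecureTransport) LibreSSL/2.8.3"), writes the override into ~/.Renviron so download.file() inherits it before libcurl is first initialised, and re-runs `curl -V` with the variable set to confirm libcurl honoured it. The function names and the sample `curl -V` lines are constructed; a single-backend libcurl, such as a Linux build against OpenSSL only, ignores the variable and the check reports that.

```shell
#!/bin/sh
# Added example for the CURL_SSL_BACKEND workaround discussed in this thread.
# Not code from R, from Apple's libcurl, or from the curl package; all
# function names and the sample `curl -V` lines below are constructed.

# Backend names libcurl can print in the TLS slot of `curl -V` / curl_version().
# Any other token (zlib/, nghttp2/, ...) ends the TLS section.
SSL_BACKEND_NAMES='OpenSSL LibreSSL BoringSSL SecureTransport Schannel GnuTLS mbedTLS wolfSSL NSS rustls BearSSL'

# curl_ssl_backends "<first line of curl -V>"
# Prints "active=<backend> alternatives=<comma list|none>".  A MultiSSL libcurl
# prints the backend it will use bare and every other compiled-in backend in
# parentheses, so "(SecureTransport) LibreSSL/2.8.3" means LibreSSL is active.
curl_ssl_backends() {
  printf '%s\n' "$1" | awk -v names="$SSL_BACKEND_NAMES" '
    function is_backend(tok,    base, n, i) {
      base = tok; sub(/\/.*/, "", base)          # "LibreSSL/2.8.3" -> "LibreSSL"
      n = split(names, known, " ")
      for (i = 1; i <= n; i++)
        if (tolower(known[i]) == tolower(base)) return 1
      return 0
    }
    {
      active = ""; alts = ""; seen_libcurl = 0
      for (i = 1; i <= NF; i++) {
        if (!seen_libcurl) { if ($i ~ /^libcurl\//) seen_libcurl = 1; continue }
        tok = $i
        if (tok ~ /^\(.*\)$/) {                   # parenthesised: an alternative
          tok = substr(tok, 2, length(tok) - 2)
          if (!is_backend(tok)) break
          alts = alts (alts == "" ? "" : ",") tok
        } else if (is_backend(tok) && active == "") {
          active = tok                            # bare: the selected backend
        } else {
          break                                   # first non-TLS feature token
        }
      }
      printf "active=%s alternatives=%s\n",
             (active == "" ? "none" : active), (alts == "" ? "none" : alts)
    }'
}

# persist_r_curl_backend <backend> [renviron_file]
# Writes CURL_SSL_BACKEND=<backend> into ~/.Renviron (or the given file) so every
# R session exports it before download.file() first initialises libcurl, which
# is when a MultiSSL build reads the variable.  An existing setting is replaced.
persist_r_curl_backend() {
  file=${2:-$HOME/.Renviron}
  if [ -f "$file" ]; then
    grep -v '^CURL_SSL_BACKEND=' "$file" > "$file.tmp" || :   # grep exits 1 when nothing is left
  else
    : > "$file.tmp"
  fi
  printf 'CURL_SSL_BACKEND=%s\n' "$1" >> "$file.tmp" && mv "$file.tmp" "$file"
}

# verify_backend_override <backend>
# Runs `curl -V` with the override in the environment and checks which backend
# libcurl actually selected.  Returns 1 when the request was ignored, which is
# what happens on a libcurl built with a single backend (no MultiSSL) or when
# the name is unknown; returns 2 if no curl binary is on PATH.
verify_backend_override() {
  want=$1
  command -v curl >/dev/null 2>&1 || return 2
  line=$(CURL_SSL_BACKEND="$want" curl -V 2>/dev/null | head -n 1)
  report=$(curl_ssl_backends "$line")
  active=${report#active=}; active=${active%% *}
  case "$active" in
    "$want"|"$want"/*) printf 'libcurl uses %s (%s)\n' "$active" "$report"; return 0 ;;
    *) printf 'requested %s but libcurl uses %s (%s)\n' "$want" "$active" "$report" >&2; return 1 ;;
  esac
}

# Constructed first lines of `curl -V` from Apple's Catalina-era libcurl, before
# and after the override, plus a Linux libcurl built against OpenSSL only.
SAMPLE_APPLE_DEFAULT='curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.39.2'
SAMPLE_APPLE_OVERRIDE='curl 7.64.1 (x86_64-apple-darwin19.0) libcurl/7.64.1 SecureTransport (LibreSSL/2.8.3) zlib/1.2.11 nghttp2/1.39.2'
SAMPLE_LINUX='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 nghttp2/1.43.0'

curl_ssl_backends "$SAMPLE_APPLE_DEFAULT"    # active=LibreSSL/2.8.3 alternatives=SecureTransport
curl_ssl_backends "$SAMPLE_APPLE_OVERRIDE"   # active=SecureTransport alternatives=LibreSSL/2.8.3
curl_ssl_backends "$SAMPLE_LINUX"            # active=OpenSSL/3.0.2 alternatives=none
```

On the affected Mac, `verify_backend_override SecureTransport` should print the overridden line before you run `persist_r_curl_backend SecureTransport`; if it reports that libcurl still uses LibreSSL, the curl on PATH is not Apple's MultiSSL build (a Homebrew or static one, for instance) and setting the variable for R will not change anything either. The parser only needs the first line of `curl -V`, so it also works on the string returned by `curl::curl_version()` in R.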


