R openssl for mac
12/28/2022

Thanks to Jeroen for the work-around (CURL_SSL_BACKEND=SecureTransport), using the native API is certainly preferred, there have been several issues with both OpenSSL and LibreSSL before. In general I was trying to avoid having to supply our own SSL library since that opens a whole can of worms - on one hand due to the dependency issues (which libraries get compiled against what) and on the other hand we become responsible for security updates. It looks like an Apple bug on specific systems, so hopefully it will be fixed eventually. It is rather curious that the issue appears only on _newer_ systems - we are more used to issues due to older CA chains and similar.

I've also explained this a bit (mostly for Windows) in this vignette: The same version of libcurl is also used by base-R in download.file(). You can see which version is active by looking at curl::curl_version()$ssl_version, the version in parenthesis is

Try

CURL_SSL_BACKEND=openssl R -e 'curl::curl_version()$ssl_version'
CURL_SSL_BACKEND=SecureTransport R -e 'curl::curl_version()$ssl_version'

Libcurl gets initiated, hence before making any http connections in

Using the environment variable above, but you have to set it before

MacOS is actually built with support for 2 TLS back-ends: LibreSSL and

The version of libcurl that is included with the past few versions of

I have to investigate this further (it looks like a buggy TLS server actually), but as a workaround you can set an environment variable CURL_SSL_BACKEND=SecureTransport when starting R, see for details:

> error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length.
> Specifically: on MacOS Monterey 12.1 using R 4.1.2, download.file() and other functions that rely on system-provided curl/openssl/Libre SSL (including in the curl package) have been failing on specific domains.
> In brief: on Monterey, R cannot reach certain web domains due to a bug in Libre SSL - and perhaps not relying on system curl/openssl in R would be a systematic solution to this and similar issues.

R-SIG-Mac mailing Mon, at 11:22 AM Petr Bouchal wrote:

I’d be grateful for any thoughts on how this might be handled in the specific case and perhaps generally.

(I don’t have in-depth knowledge of how R is compiled, so apologies for any inaccuracies; hopefully it is clear what I mean.)

Given Apple’s approach to openssl/Libre SSL in MacOS (the bundled Libre SSL version is 3 years old), such hard-to-handle issues are likely to reappear over time.

Apple also recommends against relying on shared openssl, if I understand this correctly. This has been discussed on the r-devel list. This brings back the question of whether R on MacOS should include its own openssl instead of relying on the system-provided library.

Using HTTP instead of HTTPS does not work, nor does using curl -insecure and equivalents. It is difficult to work around even on individual machines as replacing the system curl/openssl requires steps beyond what most users are comfortable with (or should be doing to begin with).

I have also reported to Apple but it is unclear whether they will fix this given the rare nature of the issue. In browsers, no such issue occurs and the server is configured correctly as per testing. I am not an expert in web security so cannot tell if there is anything in the certificates which could be causing this. I have reported this to the server admin but since the problem is in the OS, I do not expect them to be able to help.

The domain is the Czech Statistical Office, which makes it quite important for a number of users, also of a package I maintain (czso) which relies on accessing this domain. It can be replicated on both M1 and Intel and also occurs when using curl in the system command line.
It has manifested on CRAN (causing a package archival) and Github outside of R, so is not caused by a specific machine. It is clearly an OS bug but unfortunately also a situation where it affects R users because of how R relates to system libraries and is very difficult to work around. This is caused by the Libre SSL bundled in MacOS Monterey and also affects several other domains, most notably.

Specifically: on MacOS Monterey 12.1 using R 4.1.2, download.file() and other functions that rely on system-provided curl/openssl/Libre SSL (including in the curl package) have been failing on specific domains.

error:06FFF089:digital envelope routines:CRYPTO_internal:bad key length.

In brief: on Monterey, R cannot reach certain web domains due to a bug in Libre SSL - and perhaps not relying on system curl/openssl in R would be a systematic solution to this and similar issues.