[Rd] r-project.org SSL certificate issues

Henrik Bengtsson henr|k@bengt@@on @end|ng |rom gm@||@com
Wed Jun 10 00:45:00 CEST 2020


Was this resolved upstream or is this something that R should/could
fix? If the latter, could this also go into the "emergency release" R
4.0.2 that is scheduled for 2020-06-22?

My $.02

/Henrik


On Sun, May 31, 2020 at 8:13 AM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>
> Btw. it would also be possible to create a macOS R installer that
> embeds a static or dynamic libcurl with Secure Transport, instead of
> the Apple default LibreSSL.
>
> This might be too late for R 4.0.1, I don't know.
>
> Gabor
>
> On Sun, May 31, 2020 at 4:09 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
> >
> > On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor using gmail.com> wrote:
> > [...]
> > > Btw. why does this affect openssl? That root cert was published in
> > > 2010, surely openssl should know about it? Maybe libcurl / openssl
> > > only uses the chain provided by the server? Without trying to use an
> > > alternate chain?
> >
> > Yes, indeed it seems that old OpenSSL versions cannot handle
> > alternative certificate chains. This has been fixed in OpenSSL in
> > 2015, so modern Linux systems should be fine. However, macOS uses
> > LibreSSL, and LibreSSL never fixed this issue. E.g.
> > https://github.com/libressl-portable/portable/issues/595
> >
> > r-project.org can be updated to send the new root certificate, which
> > will solve most of our problems, but we'll probably have issues with
> > other web sites that'll update slower or never.
> >
> > FWIW I built macOS binaries for the curl package, using a static
> > libcurl and macOS Secure Transport, so these binaries do not have
> > this issue.
> >
> > They are at https://files.r-hub.io/curl-macos-static and they can be
> > installed with
> > install.packages("curl", repos =
> > "https://files.r-hub.io/curl-macos-static", type = "binary")
> >
> > They support R 3.2 and up, including R 4.1, and should work on all
> > macOS versions that the given R release supports.
> >
> > Gabor
>
> ______________________________________________
> R-devel using r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
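
Added illustration, not part of the thread and not any poster's or project's code: a simplified Python model of the chain-building difference discussed in the quoted messages, where a verifier that only follows the server-sent chain ends at an expired root even though a valid root is in the trust store. All certificate names and dates are constructed placeholders, and the `trusted_first` switch is an assumption that stands in for the real path-building logic of the TLS libraries.

```python
from datetime import date

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed data: placeholder names and dates, not real certificates.
LEAF = cert("www.example.org", "Intermediate CA", date(2021, 1, 1))
INTERMEDIATE = cert("Intermediate CA", "New Root", date(2030, 1, 1))
CROSS_SIGNED = cert("New Root", "Old Root", date(2020, 5, 30))  # sent by server
OLD_ROOT = cert("Old Root", "Old Root", date(2020, 5, 30))      # expired anchor
NEW_ROOT = cert("New Root", "New Root", date(2038, 1, 1))       # valid anchor

SERVER_CHAIN = [INTERMEDIATE, CROSS_SIGNED]  # untrusted certs from the handshake
TRUST_STORE = [OLD_ROOT, NEW_ROOT]           # local trust anchors
BEFORE_EXPIRY = date(2020, 5, 1)
AFTER_EXPIRY = date(2020, 6, 1)

def find_issuer(pool, child):
    """Return the first cert in pool whose subject matches child's issuer."""
    return next((c for c in pool if c["subject"] == child["issuer"]), None)

def verify(leaf, untrusted, trusted, today, trusted_first):
    """Build one path and check expiry. Returns (ok, [(subject, issuer), ...]).

    trusted_first=False models a verifier that follows the server-sent chain
    and consults the trust store only when that chain runs out.
    trusted_first=True models one that prefers a trust anchor at every step.
    """
    path = [leaf]
    for _ in range(8):  # depth limit guards against issuer loops
        cur = path[-1]
        anchor = find_issuer(trusted, cur)
        nxt = find_issuer(untrusted, cur)
        if anchor and (trusted_first or nxt is None):
            path.append(anchor)  # reached a trust anchor, path is complete
            break
        if nxt is None:
            return False, [(c["subject"], c["issuer"]) for c in path]
        path.append(nxt)
    else:
        return False, [(c["subject"], c["issuer"]) for c in path]
    ok = all(c["not_after"] >= today for c in path)
    return ok, [(c["subject"], c["issuer"]) for c in path]

if __name__ == "__main__":
    for mode in (False, True):
        print("trusted_first =", mode,
              verify(LEAF, SERVER_CHAIN, TRUST_STORE, AFTER_EXPIRY, mode))
```
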


