On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor at gmail.com> wrote:
[...]
> Btw. why does this affect openssl? That root cert was published in
> 2010, surely openssl should know about it? Maybe libcurl / openssl
> only uses the chain provided by the server? Without trying to use an
> alternate chain?

Yes, indeed it seems that old OpenSSL versions cannot handle alternative certificate chains. This has been fixed in OpenSSL in 2015, so modern Linux systems should be fine. However, macOS uses LibreSSL, and LibreSSL never fixed this issue. E.g. https://github.com/libressl-portable/portable/issues/595

r-project.org can be updated to send the new root certificate, which will solve most of our problems, but we'll probably have issues with other web sites that'll update slower or never.

FWIW I built macOS binaries for the curl package, using a static libcurl and macOS Secure Transport, so these binaries do not have this issue.

They are at https://files.r-hub.io/curl-macos-static and they can be installed with

    install.packages("curl", repos = "https://files.r-hub.io/curl-macos-static", type = "binary")

They support R 3.2 and up, including R 4.1, and should work on all macOS versions that the given R release supports.

Gabor
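
Added example, not part of the original thread and not code from OpenSSL, LibreSSL or libcurl: a simplified Python model of the chain-building difference discussed in the message above. A verifier that follows the server-sent certificates first and never tries another path fails once the cross-signed certificate expires, while one that consults the trust store first finds the newer root. All certificate names, keys and dates are constructed, and `build_chain` and `trusted_first` are this example's own names.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    issuer_key: str   # key that signed this cert (stands in for signature checking)
    key: str          # this certificate's own public key
    not_after: date

# Constructed sample PKI: the new root exists both as a self-signed root and as
# a cross-signed certificate issued by the old root, with the same subject and key.
OLD_ROOT = Cert("Old Root", "Old Root", "k-old", "k-old", date(2020, 5, 30))
NEW_ROOT = Cert("New Root", "New Root", "k-new", "k-new", date(2038, 1, 18))
CROSS = Cert("New Root", "Old Root", "k-old", "k-new", date(2020, 5, 30))
INTER = Cert("Issuing CA", "New Root", "k-new", "k-int", date(2030, 12, 31))
LEAF = Cert("www.example.org", "Issuing CA", "k-int", "k-leaf", date(2021, 1, 1))

SENT = [INTER, CROSS]         # extra certificates the server sends with the leaf
STORE = [OLD_ROOT, NEW_ROOT]  # client trust store, already holding the new root

def build_chain(leaf, sent, store, today, trusted_first):
    """Return the validated path as (subject, issuer) pairs, or raise ValueError."""
    # The only difference between the two verifiers is which pool is searched
    # first for an issuer. Neither one backtracks after picking a candidate.
    pools = (store, sent) if trusted_first else (sent, store)
    chain, cur = [], leaf
    while len(chain) < 10:                       # depth limit
        if today > cur.not_after:
            raise ValueError(f"certificate has expired: {cur.subject} "
                             f"(issued by {cur.issuer})")
        chain.append(cur)
        if cur in store:                         # reached a trust anchor
            return [(c.subject, c.issuer) for c in chain]
        cur = next((c for pool in pools for c in pool
                    if c.subject == cur.issuer and c.key == cur.issuer_key
                    and c != cur), None)
        if cur is None:
            raise ValueError("unable to get issuer certificate")
    raise ValueError("certificate chain too long")

if __name__ == "__main__":
    for trusted_first in (False, True):
        try:
            print(trusted_first, build_chain(LEAF, SENT, STORE, date(2020, 5, 31), trusted_first))
        except ValueError as err:
            print(trusted_first, "verification failed:", err)
```
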
Btw. it would be also possible to create a macOS R installer that embeds a static or dynamic libcurl with Secure Transport, instead of the Apple default LibreSSL.

This might be too late for R 4.0.1, I don't know.

Gabor

On Sun, May 31, 2020 at 4:09 PM Gábor Csárdi <csardi.gabor at gmail.com> wrote:
>
> On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor at gmail.com> wrote:
> [...]
> > Btw. why does this affect openssl? That root cert was published in
> > 2010, surely openssl should know about it? Maybe libcurl / openssl
> > only uses the chain provided by the server? Without trying to use an
> > alternate chain?
>
> Yes, indeed it seems that old OpenSSL versions cannot handle
> alternative certificate chains. This has been fixed in OpenSSL in
> 2015, so modern Linux systems should be fine. However, macOS uses
> LibreSSL, and LibreSSL never fixed this issue. E.g.
> https://github.com/libressl-portable/portable/issues/595
>
> r-project.org can be updated to send the new root certificate, which
> will solve most of our problems, but we'll probably have issues with
> other web sites that'll update slower or never.
>
> FWIW I built macOS binaries for the curl package, using a static
> libcurl and macOS Secure Transport, so these binaries do not have
> this issue.
>
> They are at https://files.r-hub.io/curl-macos-static and they can be
> installed with
> install.packages("curl", repos =
> "https://files.r-hub.io/curl-macos-static", type = "binary")
>
> They support R 3.2 and up, including R 4.1, and should work on all
> macOS versions that the given R release supports.
>
> Gabor
Was this resolved upstream or is this something that R should/could fix? If the latter, could this also go into the "emergency release" R 4.0.2 that is scheduled for 2020-06-22?

My $.02

/Henrik

On Sun, May 31, 2020 at 8:13 AM Gábor Csárdi <csardi.gabor at gmail.com> wrote:
>
> Btw. it would be also possible to create a macOS R installer that
> embeds a static or dynamic libcurl with Secure Transport, instead of
> the Apple default LibreSSL.
>
> This might be too late for R 4.0.1, I don't know.
>
> Gabor
>
> On Sun, May 31, 2020 at 4:09 PM Gábor Csárdi <csardi.gabor at gmail.com> wrote:
> >
> > On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.gabor at gmail.com> wrote:
> > [...]
> > > Btw. why does this affect openssl? That root cert was published in
> > > 2010, surely openssl should know about it? Maybe libcurl / openssl
> > > only uses the chain provided by the server? Without trying to use an
> > > alternate chain?
> >
> > Yes, indeed it seems that old OpenSSL versions cannot handle
> > alternative certificate chains. This has been fixed in OpenSSL in
> > 2015, so modern Linux systems should be fine. However, macOS uses
> > LibreSSL, and LibreSSL never fixed this issue. E.g.
> > https://github.com/libressl-portable/portable/issues/595
> >
> > r-project.org can be updated to send the new root certificate, which
> > will solve most of our problems, but we'll probably have issues with
> > other web sites that'll update slower or never.
> >
> > FWIW I built macOS binaries for the curl package, using a static
> > libcurl and macOS Secure Transport, so these binaries do not have
> > this issue.
> >
> > They are at https://files.r-hub.io/curl-macos-static and they can be
> > installed with
> > install.packages("curl", repos =
> > "https://files.r-hub.io/curl-macos-static", type = "binary")
> >
> > They support R 3.2 and up, including R 4.1, and should work on all
> > macOS versions that the given R release supports.
> >
> > Gabor
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel