On Sat, May 30, 2020 at 11:32 PM Gábor Csárdi <csardi.ga...@gmail.com> wrote: [...] > Btw. why does this affect openssl? That root cert was published in > 2010, surely openssl should know about it? Maybe libcurl / openssl > only uses the chain provided by the server? Without trying to use an > alternate chain?
Yes, indeed it seems that old OpenSSL versions cannot handle alternative certificate chains. This has been fixed in OpenSSL in 2015, so modern Linux systems should be fine. However, macOS uses LibreSSL, and LibreSSL never fixed this issue. E.g. https://github.com/libressl-portable/portable/issues/595 r-project.org can be updated to send the new root certificate, which will solve most of our problems, but we'll probably have issues with other web sites that'll update slower or never. FWIW I built macOS binaries for the curl package, using a static libcurl and macOS Secure Transport, so these binaries does not have this issue. They are at https://files.r-hub.io/curl-macos-static and they can be installed with install.packages("curl", repos = "https://files.r-hub.io/curl-macos-static", type = "binary") They support R 3.2 and up, including R 4.1, and should work on all macOS versions that the given R release supports. Gabor ______________________________________________ R-devel@r-project.org mailing list https://stat.ethz.ch/mailman/listinfo/r-devel