On Tue, Jan 11, 2022 at 10:12 PM Simon Urbanek
<simon.urba...@r-project.org> wrote:
>
> Petře,
>
> thanks for the detailed analysis. It is rather curious that the issue
> appears only on _newer_ systems - we are more used to issues due to older CA 
> chains and similar. It looks like an Apple bug on specific systems, so 
> hopefully it will be fixed eventually. In general I was trying to avoid 
> having to supply our own SSL library since that opens a whole can of worms - 
> on one hand due to the dependency issues (which libraries get compiled against
> what) and on the other hand we become responsible for security updates.
>
> Thanks to Jeroen for the work-around (CURL_SSL_BACKEND=SecureTransport), 
> using the native API is certainly preferred, there have been several issues 
> with both OpenSSL and LibreSSL before. It seems that Apple has been 
> flip-flopping with libcurl a lot - on El Capitan it was shipped with 
> SecureTransport, on High-Sierra with LibreSSL, on Catalina and higher with 
> both, but Libre the default.
>
> I am somewhat less apprehensive to use static libcurl for R than SSL 
> libraries as the fallout is a bit smaller. As a trial I have added static 
> curl[2] which is close to the Apple build minus MultiSSL to big-sur nightly 
> builds of R[3] and as expected that solves the problem. It may not be 
> entirely unproblematic for package space, because packages often forget to 
> prepend --static when using static builds of libraries, and so do other
> dependencies that may use curl, but I'll see what comes out of it.

I would very much recommend sticking with the Apple version of libcurl;
perhaps override the default SSL backend if you like. There is some
example code to do this in the curl package that you could adapt for
base R: https://github.com/jeroen/curl/blob/master/src/ssl.c

The benefit of dynamically linking to Apple's libcurl is that we
automatically get a version of libcurl+deps+certs that is tuned and
maintained for that version of macOS, including future ones. If you
ship a version of base R with a static libcurl now, that version of R
may not work anymore a few years from now or on a future version of
macOS, when things have moved on (for example, when servers start to
require TLS 1.3).

_______________________________________________
R-SIG-Mac mailing list
R-SIG-Mac@r-project.org
https://stat.ethz.ch/mailman/listinfo/r-sig-mac