seandavi

Reputation: 2958

Developing R package and need to deal with "SSL connect error"

I am developing an R package and getting reports of:

httr::GET('http://gdc-api.nci.nih.gov/status') 
Error in curl::curl_fetch_memory(url, handle = handle) : SSL connect error

I have seen a number of different approaches to dealing with the problem, but I am unable to test them locally since I cannot reproduce the issue. Is there a recommended approach to deal with this issue within R that does not require the user to install new system libraries (a can of worms)?

Upvotes: 1

Views: 1687

Answers (1)

drew010

Reputation: 69937

The issue is most likely due to outdated TLS support on the clients since disabling peer certificate and hostname validation doesn't help.

A quick scan of the server shows that they only support TLS 1.2 connections, so clients must support this (SSLv3, TLS 1.0, or TLS 1.1 won't work). This means OpenSSL 1.0.1 or greater is required.

Unfortunately, there's nothing you'll be able to do within your code to work around this. They'll need to ensure that their cURL libraries are built with modern TLS support.

sslscan https://gdc-api.nci.nih.gov
Version: 1.10.5-rbsec
OpenSSL 1.0.2k  26 Jan 2017

Testing SSL server gdc-api.nci.nih.gov on port 443

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384      
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256      

  Preferred Server Cipher(s):
TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  

Upvotes: 1
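
The OpenSSL 1.0.1 threshold given in the answer can be checked from R before the first request, so the user gets an actionable message instead of a bare "SSL connect error". This is an added example, not code from the question, the answer or any package: `parse_openssl_version`, `supports_tls12` and `check_tls_backend` are hypothetical names, the sample strings are constructed, and it assumes the curl package is installed and that libcurl reports its TLS backend in the usual `Name/version` form.

```r
# Added example. Only curl::curl_version() is a real API here;
# the function names below are hypothetical.

# Extract the OpenSSL version from libcurl's ssl_version string.
# Returns a numeric_version, or NULL if the active backend is not OpenSSL.
parse_openssl_version <- function(ssl_version) {
  if (is.null(ssl_version) || is.na(ssl_version)) return(NULL)
  # Multi-backend builds list inactive backends in parentheses; drop them.
  active <- gsub("\\([^)]*\\)", "", ssl_version)
  m <- regmatches(active,
                  regexpr("OpenSSL/[0-9]+\\.[0-9]+\\.[0-9]+", active))
  if (length(m) == 0) return(NULL)
  numeric_version(sub("OpenSSL/", "", m, fixed = TRUE))
}

# TRUE/FALSE when the "OpenSSL 1.0.1 or greater" rule can be evaluated,
# NA for other backends (GnuTLS, NSS, Schannel, LibreSSL, ...), which
# this sketch does not try to judge.
supports_tls12 <- function(ssl_version) {
  v <- parse_openssl_version(ssl_version)
  if (is.null(v)) return(NA)
  v >= numeric_version("1.0.1")
}

# Intended to be called once, before the package's first HTTPS request.
check_tls_backend <- function(ssl_version = curl::curl_version()$ssl_version) {
  ok <- supports_tls12(ssl_version)
  if (identical(ok, FALSE)) {
    stop("libcurl is linked against ", ssl_version,
         ", which cannot negotiate TLS 1.2; the server accepts only ",
         "TLS 1.2. Update the system libcurl/OpenSSL.", call. = FALSE)
  }
  invisible(ok)
}

# Constructed sample strings covering the old, new and non-OpenSSL cases.
samples <- c("OpenSSL/0.9.8zh", "OpenSSL/1.0.2k", "NSS/3.21",
             "(OpenSSL/1.1.1) Schannel")
print(vapply(samples, supports_tls12, logical(1)))
```

This only reports the problem earlier and more clearly. It does not work around it, which matches the answer: the fix remains a libcurl built against a TLS 1.2 capable library.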
