Reputation: 1186
I'm a bit at a loss on how to further investigate this, so pointers would be highly appreciated.
I'm running Ubuntu 17.04, and I believe roughly since around my upgrade time (was running 16.10 before) I can no longer update (or use anything "from the internet") anything from within R -- it fails on SSL for everything. All of the "normal" SSL traffic outside of R works fine.
For instance, doing install.packages("curl"), I get this error message:
Warning in install.packages :
URL 'https://cran.rstudio.com/src/contrib/PACKAGES.rds': status was 'SSL connect error'
Warning in install.packages :
URL 'https://cran.rstudio.com/src/contrib/PACKAGES.gz': status was 'SSL connect error'
Warning in install.packages :
URL 'https://cran.rstudio.com/src/contrib/PACKAGES': status was 'SSL connect error'
Warning in install.packages :
... [etc] ...
However, if I run curl -v "https://cran.rstudio.com/src/contrib/PACKAGES.rds" -o test.curl on command line, everything works.
* Trying 10.26.0.19...
* TCP_NODELAY set
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to (nil) (10.26.0.19) port 3128 (#0)
* Establish HTTP proxy tunnel to cran.rstudio.com:443
* Proxy auth using Basic with user '[redacted]'
> CONNECT cran.rstudio.com:443 HTTP/1.1
> Host: cran.rstudio.com:443
> Proxy-Authorization: Basic [redacted]
> User-Agent: curl/7.52.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /home/csafferling/programs/anaconda3/ssl/cacert.pem
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):{ [76 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):{ [4787 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: OU=Domain Control Validated; CN=cran.rstudio.com
* start date: Jun 30 19:59:41 2015 GMT
* expire date: Jun 30 19:59:41 2018 GMT
* subjectAltName: host "cran.rstudio.com" matched cert's "cran.rstudio.com"
* issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
* SSL certificate verify ok.} [5 bytes data]
> GET /src/contrib/PACKAGES.rds HTTP/1.1
> Host: cran.rstudio.com
> User-Agent: curl/7.52.1
> Accept: */*
> { [5 bytes data]
< HTTP/1.1 200 OK
< Content-Length: 251020
< Connection: keep-alive
< Date: Wed, 12 Jul 2017 14:11:48 GMT
< Server: Apache/2.2.22 (Ubuntu)
< Last-Modified: Wed, 12 Jul 2017 13:02:43 GMT
< ETag: "d78fc54-3d48c-5541e6e7d22c0"
< Accept-Ranges: bytes
< Cache-Control: max-age=1800
< Expires: Wed, 12 Jul 2017 14:41:48 GMT
< Age: 1045
< X-Cache: Hit from cloudfront
< Via: 1.1 67284fcf464f6f1529cc1e521669622c.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: CqpfjeemEcxkxFYJueqzwUEu8Yh-qSenHJJiR2BdmqmAYLpu2_54dA==
< { [15891 bytes data]
* Curl_http_done: called premature == 0 100 245k 100 245k 0 0 583k 0 --:--:-- --:--:-- --:--:-- 589k
* Connection #0 to host (nil) left intact
One thing I notice is that command-line curl uses the CAs of my anaconda install, which is very weird indeed. Perhaps R uses the default CAs, and they don't work? Like I said, only R fails to work with SSL, everything else works.
Any help is highly appreciated!
Upvotes: 3
Views: 3796
Reputation: 8666
Dear Christoph Saffering,
My sense is that you have hit the CRAN ssh by default issue with RStudio / R.
Add the following to your target machine's .Rprofile:
options(download.file.method = "wget")
local({
  r <- getOption("repos")
  r["CRAN"] <- "https://cran.rstudio.com/"
  options(repos = r)
})
When R transfers files over HTTP (e.g. using the install.packages or download.file function) a download method is chosen based on the download.file.method option. There are several methods available and the default behavior if no option is explicitly specified is to use R’s internal HTTP implementation. In many circumstances this internal method will not support HTTPS connections so you’ll need to override the default.
R 3.2 includes two new download methods (“libcurl” and “wininet”) that both support HTTPS connections. We recommend that you use these new methods when running under R 3.2. The requisite code to add to .Rprofile or Rprofile.site is as follows:
options(download.file.method = "wininet")
Note that in the upcoming R 3.2.2 release this will no longer be necessary, as the default method is equivalent to “wininet”.
options(download.file.method = "libcurl")
Note that if you built R from source the “libcurl” method may or may not have been compiled in. In the case that it wasn’t (i.e. capabilities("libcurl") == FALSE), you can follow the directions for earlier versions of R below to configure an alternate secure method.
Windows
utils::setInternet2(TRUE)
options(download.file.method = "internal")
Note that setInternet2(TRUE) is the default value in RStudio however is not for R GUI. If you don’t want to use setInternet2(TRUE) on Windows then the only other way to configure secure downloads is to have the “wget” or “curl” utility on your PATH as described for OS X and Linux below.
OS X
options(download.file.method = "curl")
Linux
options(download.file.method = "wget")
Note that the “curl” and “wget” methods will work on any platform so long as the requisite binary is in the system PATH. The recommendations above are based on the fact that “curl” is included in OS X and “wget” is included in most Linux distributions.
ref: https://support.rstudio.com/hc/en-us/articles/206827897-Secure-Package-Downloads-for-R
Upvotes: 4
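The selection rules quoted in the answer above can be combined into one .Rprofile snippet that picks the method from what the running R actually supports instead of hard-coding it. This is an added example, not code from the answer or from the RStudio article; `pick_secure_method` and `use_secure_cran` are hypothetical helper names.

```r
# Added example: choose an HTTPS-capable download method for this session.
# Helper names are hypothetical; the rules follow the article quoted above.

pick_secure_method <- function() {
  r32 <- getRversion() >= "3.2.0"
  if (r32 && .Platform$OS.type == "windows") {
    return("wininet")
  }
  # capabilities() returns a named logical; [[ ]] drops the name for isTRUE().
  if (r32 && isTRUE(capabilities("libcurl")[["libcurl"]])) {
    return("libcurl")
  }
  # Older R, or libcurl not compiled in: use an external binary on the PATH.
  # "curl" is included in OS X, "wget" in most Linux distributions.
  tools <- if (Sys.info()[["sysname"]] == "Darwin") {
    c("curl", "wget")
  } else {
    c("wget", "curl")
  }
  found <- tools[nzchar(Sys.which(tools))]
  if (length(found) == 0L) {
    stop("no HTTPS-capable download method: install wget or curl")
  }
  found[[1L]]
}

use_secure_cran <- function(cran = "https://cran.rstudio.com/") {
  stopifnot(grepl("^https://", cran))
  repos <- getOption("repos")
  repos["CRAN"] <- cran
  # Report any other configured repository still fetched without TLS.
  plain <- repos[grepl("^http://", repos)]
  if (length(plain) > 0L) {
    warning("repositories without TLS: ", paste(names(plain), collapse = ", "))
  }
  method <- pick_secure_method()
  options(repos = repos, download.file.method = method)
  invisible(method)
}

message("download.file.method = ", use_secure_cran())
```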