mikeck

Reputation: 3776

error with R and httr2 via curl::curl_fetch_memory(): ! OpenSSL/3.1.4: error:1C8000E9:Provider routines::ems not enabled

BLUF: Some (but not all) of my httr2 requests result in the error

Failed to perform HTTP request. Caused by error in `curl::curl_fetch_memory()`: ! OpenSSL/3.1.4: error:1C8000E9:Provider routines::ems not enabled

I've had a hard time finding information about this specific error or enabling the "EMS" routine. Is this likely to be a problem with my OpenSSL install, the server configuration, or something else?

Additional, possibly relevant, details:

I'm running an AWS EC2 instance with apache and a docker service, which hosts a docker container running shiny-server and my app. My app uses httr2 to call a web API. The dockerized app works fine when running it off of my local machine, but when running it off the EC2 instance I get a strange error:

Failed to perform HTTP request. Caused by error in `curl::curl_fetch_memory()`: ! OpenSSL/3.1.4: error:1C8000E9:Provider routines::ems not enabled

This error seems to only occur with specific URLs; others seem to work fine. I can also log in to the hosted instance and use curl directly to successfully make a call to one of the problematic URLs.

I'm trying to figure out if this problem has to do with my container's install or configuration of OpenSSL, something about my EC2 instance configuration, or something specific to shiny-server and/or httr2 in an AWS context.

Upvotes: 1

Views: 436

Answers (2)

mikeck

Reputation: 3776

Below is the workaround we used before we were able to update the server's openssl version based on guidance in the accepted answer. We worked around the problem by making some changes to openssl.conf. First, we replaced

openssl_conf = openssl_init

with

openssl_conf = default_conf

And then defined default_conf as follows:

[default_conf]
ssl_conf = ssl_section

[ssl_section]
system_default = system_default_section

[system_default_section]
providers = provider_sect
ssl_conf = ssl_module
MaxProtocol = TLSv1.2
CipherString = Cipher1:Cipher2:etc
Ciphersuites =

where the CipherString values Cipher1, Cipher2, etc. were the list of ciphers that our apache server supports, e.g. ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:.... We got the list of ciphers by running the command openssl ciphers on the Apache server. Defining an empty value for Ciphersuites essentially disables TLS v1.3.

Upvotes: 1

Matt Caswell

Reputation: 9392

EMS stands for Extended Master Secret as defined in rfc7627. It is a widely deployed TLS extension. Any up-to-date TLS server should be able to support this (EMS was standardised in 2015). EMS is only relevant for TLSv1.2 (or below) and does not apply to TLSv1.3.

This error occurs when OpenSSL has been configured to use the FIPS provider. FIPS compliance requires certain minimum standards. In this case it requires that if TLSv1.2 is in use then EMS must also be used.

This likely means that the server that you are connecting to (a) does not support TLSv1.3 and (b) also does not support the TLS EMS extension.

Assuming you really need to talk to the server that you are trying to connect to, the only real solutions are (1) disable the OpenSSL FIPS provider for this connection or (2) get the server operator to upgrade their server.

Upvotes: 3
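A way to confirm which of the two conditions in the accepted answer a given server falls into, as an added example (not code from the question or either answer): `openssl s_client` prints a `Protocol` line and an `Extended master secret: yes/no` line in its `SSL-Session:` summary (OpenSSL 1.1.1 and later). The script below classifies that summary, first letting the server choose its protocol and then forcing TLSv1.2 so the EMS line reflects the server's behaviour even when it would otherwise pick TLSv1.3. The hostname argument and the sample summaries are constructed placeholders; run it from a non-FIPS OpenSSL build, since under the FIPS provider the problematic handshake aborts before a summary is printed.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` session summary to tell
# whether a server negotiates TLSv1.3, TLSv1.2 with Extended Master Secret,
# or TLSv1.2 without EMS (the combination the FIPS provider rejects with
# "ems not enabled"). Assumes OpenSSL >= 1.1.1 on the probing client.

# Read s_client output on stdin and print exactly one of:
#   tls13        - TLSv1.3 negotiated; EMS does not apply
#   tls12-ems    - TLSv1.2 (or older) with Extended Master Secret
#   tls12-no-ems - TLSv1.2 (or older) without EMS: fails under FIPS
#   unknown      - no usable session summary (handshake failed, bad host, ...)
classify_tls_session() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)
    ems=$(printf '%s\n' "$out" | sed -n 's/^ *Extended master secret: *//p' | head -n1)
    case "$proto" in
        TLSv1.3) echo tls13 ;;
        TLSv1.2|TLSv1.1|TLSv1)
            case "$ems" in
                yes) echo tls12-ems ;;
                no)  echo tls12-no-ems ;;
                *)   echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Probe a live host (needs network access). The first handshake lets the
# server pick its preferred protocol; the second forces TLSv1.2 so the EMS
# answer is visible even for servers that would normally choose TLSv1.3.
probe_host() {
    host=$1
    port=${2:-443}
    printf '%s (server choice): ' "$host"
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | classify_tls_session
    printf '%s (forced TLSv1.2): ' "$host"
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null | classify_tls_session
}

# Constructed sample summaries (trimmed to the relevant lines) so the
# classifier can be exercised without a network connection.
SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Extended master secret: no
    Max Early Data: 0'
SAMPLE_TLS12_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: yes'
SAMPLE_TLS12_NO_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: no'

# Usage: ./probe_ems.sh api.example.com [port]   (hostname is a placeholder)
if [ -n "$1" ]; then
    probe_host "$1" "$2"
fi
```

A result of `tls12-no-ems` on the forced-TLSv1.2 run, together with anything other than `tls13` on the server-choice run, is the case the accepted answer describes: the only fixes are disabling the FIPS provider for that client or having the server operator enable TLSv1.3 or EMS.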
