DataONEorg / rdataone

R package for reading and writing data at DataONE data repositories
http://doi.org/10.5063/F1M61H5X

SSL certificates and curl on Mac #24

Open sckott opened 10 years ago

sckott commented 10 years ago

If there's already an issue for this, close this...

We realized at the hackathon that default curl on Mac (was it just Mavericks?) causes authentication to not work, but it does work if users update to a more recent curl. Are there other OSes that are affected? Do Windows users and Linux users have a curl version by default that works?

The same issue is in ropensci/rnbn#3, where SSL certificates are used as well for authentication

csjx commented 10 years ago

My understanding is that Apple changed the default behavior of curl and other binaries in Mavericks to centralize certificate management in Keychain Access. See http://curl.haxx.se/mail/archive-2013-10/0036.html. I've yet to be able to get a curl command to send the certificate with the request after importing it into Keychain Access, but that certainly doesn't mean it can't be done. Needs some more investigation.

mbjones commented 10 years ago

@sckott Yeah, I worked on this some more in the evening, and it seems to be fixed by compiling RCurl against a non-Apple version of libcurl, such as the one provided by MacPorts. When I tried curl from MacPorts on the command line, the SSL connection worked fine too. So the problem seems isolated to the Apple-provided libcurl.

mbjones commented 10 years ago

Configuring and installing RCurl with a custom version of libcurl allows everything to work fine. I can now confirm this is a Mac Mavericks issue alone, and so I am closing this bug as not an issue with the dataone library per se. To work around it you must:

1. Install an alternate (non-Apple) version of curl and libcurl

$ /opt/local/bin/curl --version
curl 7.37.1 (x86_64-apple-darwin13.2.0) libcurl/7.37.1 OpenSSL/1.0.1i zlib/1.2.8 libidn/1.26
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp 
Features: IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
$ which curl-config
/opt/local/bin/curl-config

2. Install a new version of RCurl from source

install.packages("RCurl", type="source")

Once the new version of RCurl is installed, install devtools and httr. When I do this and log in to get my DataONE certificate, all dataone tests pass.
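A way to check which TLS backend a curl build uses before and after the workaround above, as an added example that is not part of the original comment or of the dataone package. It assumes the Apple-provided build names `SecureTransport` in its version banner; the function names and the Apple sample banner are constructed for illustration.

```shell
#!/bin/sh
# Classify the TLS backend named on the first line of `curl --version`,
# read from stdin.
curl_tls_backend() {
    IFS= read -r first_line || true
    case "$first_line" in
        # Assumption: Apple's build prints the token "SecureTransport".
        *SecureTransport*) echo "securetransport" ;;
        *OpenSSL/*|*LibreSSL/*|*GnuTLS/*|*NSS/*) echo "other-tls" ;;
        *) echo "unknown" ;;
    esac
}

# Report the backend of one curl binary, plus the curl-config found on PATH.
# Assumption: a source build of RCurl locates libcurl through the first
# curl-config on PATH, which is what the `which curl-config` step implies.
report_toolchain() {
    curl_bin=$1
    if [ -x "$curl_bin" ]; then
        backend=$("$curl_bin" --version 2>/dev/null | curl_tls_backend)
        printf '%s: %s\n' "$curl_bin" "$backend"
    else
        printf '%s: not installed\n' "$curl_bin"
    fi
    cfg=$(command -v curl-config 2>/dev/null || true)
    printf 'curl-config on PATH: %s\n' "${cfg:-none}"
}

# Constructed sample banner for an Apple-provided curl.
apple_sample='curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5'
# Banner quoted in the comment above (MacPorts build).
ports_sample='curl 7.37.1 (x86_64-apple-darwin13.2.0) libcurl/7.37.1 OpenSSL/1.0.1i zlib/1.2.8 libidn/1.26'

printf '%s\n' "$apple_sample" | curl_tls_backend
printf '%s\n' "$ports_sample" | curl_tls_backend

# Compare the system curl with the MacPorts one on the local machine.
report_toolchain /usr/bin/curl
report_toolchain /opt/local/bin/curl
```

If `curl-config on PATH` still resolves to a build that reports `securetransport`, reinstalling RCurl from source will link against the same libcurl as before.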

sckott commented 10 years ago

thanks @mbjones - I'll update my curl

mbjones commented 9 years ago

Reopening this curl on mac bug because the workaround no longer works on Yosemite. Need a better solution.

mbjones commented 8 years ago

Workaround for now is to use authTokens instead.