ncss-tech / ncss-tech.github.io

Documentation, presentations, and tutorials for aqp and soilDB
http://ncss-tech.github.io/AQP/

SSL issues with `download.file()` and other libcurl-based requests on R 4.2+ #3

Open brownag opened 2 years ago

brownag commented 2 years ago

Since we switched over to R 4.2.1 many users have had issues with SSL connections preventing downloads and requests using the libcurl library which is used internally by base R. Examples of this include installing packages, downloading files inside soilDB functions, sourcing remote files, etc. This could have significant effects on getting sample datasets used in the stats for soil survey class.

As of 9/7/22 the patched version of R 4.2.1 supports the `R_LIBCURL_SSL_REVOKE_BEST_EFFORT` environment variable.

R-devel/NEWS for Wed, 07 Sep 2022

> On Windows, environment variable ‘R_LIBCURL_SSL_REVOKE_BEST_EFFORT’ can be used to switch to only ‘best-effort’ SSL certificate revocation checks with the default ‘"libcurl"’ download method. This reduces security, but may be needed for downloads to work with MITM proxies (PR#18379).

In the future (if we get the patched version approved, or when we move to R 4.3.x) we should consider adding, to the default setup for CCE machines, a user environment variable `R_LIBCURL_SSL_REVOKE_BEST_EFFORT=TRUE` to avoid people having to debug this themselves. While we have worked around it temporarily by using the R {curl} library and custom headers, there are many instances where it is impractical to use non-base R download facilities.
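An added example, not part of the issue above and not code from soilDB or base R: because the NEWS entry notes that the setting reduces security, this sketch turns best-effort revocation on only for a retry after the strict check has failed, then restores the previous value. The function names and the URL are hypothetical, and the sketch assumes R consults the variable each time a libcurl request is made.

```r
# Added example; function names are hypothetical, not part of base R or soilDB.
# Assumption: R consults the variable each time a libcurl request is made.
with_best_effort_revocation <- function(expr) {
  var <- "R_LIBCURL_SSL_REVOKE_BEST_EFFORT"
  # Per the NEWS entry, the variable only matters on Windows.
  if (.Platform$OS.type != "windows") return(expr)
  old <- Sys.getenv(var, unset = NA)
  on.exit({
    if (is.na(old)) {
      Sys.unsetenv(var)
    } else {
      args <- list(old)
      names(args) <- var
      do.call(Sys.setenv, args)  # put back whatever the user had set
    }
  }, add = TRUE)
  Sys.setenv(R_LIBCURL_SSL_REVOKE_BEST_EFFORT = "TRUE")
  force(expr)  # the lazy argument is evaluated here, while the variable is set
}

# Try the default (strict) revocation check first; relax it only on failure.
download_strict_first <- function(url, destfile, ...) {
  extra <- list(...)
  attempt <- function() {
    tryCatch(
      do.call(download.file,
              c(list(url, destfile, method = "libcurl"), extra)),
      error = function(e) e
    )
  }
  ok <- function(res) !inherits(res, "error") && identical(as.integer(res), 0L)

  strict <- attempt()
  if (ok(strict)) return(invisible("strict"))

  reason <- if (inherits(strict, "error")) conditionMessage(strict) else "non-zero status"
  # Surface the downgrade so it is visible in logs rather than silent.
  warning("Strict download failed (", reason,
          "); retrying with best-effort revocation checks", call. = FALSE)
  relaxed <- with_best_effort_revocation(attempt())
  if (!ok(relaxed)) stop("Download failed in both modes: ", url, call. = FALSE)
  invisible("best-effort")
}

# Constructed usage (placeholder URL):
# mode <- download_strict_first("https://example.org/data.csv", tempfile())
```

The return value records which mode succeeded, so a script can log how often the relaxed check was actually needed.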