Open jangorecki opened 10 years ago
Jan,
In order to force the use of TLSv1 or greater (and disable SSLv2 and SSLv3), you will need to set the sslversion=1.
For Linux and MacOSX, make sure you install the latest versions of libcurl and OpenSSL and this will provide you protection against POODLE and HEARTBLEED vulnerabilities.
This configuration, however, will not work on a Windows workstation running the RCurl Windows package from CRAN. The RCurl package for Windows is shipped with DLLs for libcurl (v7.19.6) and openssl (1.0.0-beta3). Both of these releases are from ~2009. The version of OpenSSL in particular has a bug which causes it to error out when using TLSv1 as the SSL protocol. The error will be something like:
error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
It would be great to figure out a way to ship the Windows RCurl packages, from CRAN, using the latest version of libcurl (7.39.0).
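As an added example (not code from this thread or from the RCurl project), the sketch below applies the `sslversion=1` setting from the reply above, reports which libcurl and SSL library RCurl is linked against, and turns the `ecpointformat` handshake error into a message that names the bundled library. The function names `tls_stack` and `get_tls`, the exact `ssl_version` string in the sample, and the `example.org` URL are assumptions made for illustration.

```r
library(RCurl)

# CURL_SSLVERSION_TLSv1 has the integer value 1 in libcurl; this is the
# sslversion=1 setting from the reply above.
TLS_V1 <- 1L

# Summarise the libcurl / SSL library RCurl is linked against.
# `v` defaults to the live build; pass a list to inspect a reported one.
tls_stack <- function(v = curlVersion()) {
  ssl <- if (is.null(v$ssl_version)) "" else v$ssl_version
  list(
    libcurl = v$version,
    ssl     = ssl,
    # TRUE only for the exact pair the reply says ships in the CRAN
    # Windows binary (libcurl 7.19.6 with OpenSSL 1.0.0-beta3).
    old_windows_bundle = identical(v$version, "7.19.6") &&
      grepl("1.0.0-beta3", ssl, fixed = TRUE)
  )
}

# Fetch a URL with sslversion = 1 and translate the known handshake failure.
get_tls <- function(url, ...) {
  tryCatch(
    getURL(url, .opts = list(sslversion = TLS_V1), ...),
    error = function(e) {
      msg <- conditionMessage(e)
      if (grepl("ecpointformat|SSL_CHECK_SERVERHELLO_TLSEXT", msg)) {
        stop("TLSv1 handshake failed inside the bundled SSL library (",
             tls_stack()$ssl, "); a newer libcurl/OpenSSL build is needed.",
             call. = FALSE)
      }
      stop(e)  # any other error is passed through unchanged
    }
  )
}

# Constructed sample mirroring the versions quoted in the reply; the
# "OpenSSL/..." string format is an assumption.
reported <- list(version = "7.19.6", ssl_version = "OpenSSL/1.0.0-beta3")
str(tls_stack(reported))  # the reported Windows bundle
str(tls_stack())          # the build on this machine

# Hypothetical host; replace with the HTTPS endpoint you actually use.
# page <- get_tls("https://example.org/")
```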
Hi, Due to POODLE it seems that SSLv3 can be considered as dead. There is information on the Curl website:
Immediately one can use CURLOPT_SSLVERSION with CURL_SSLVERSION_TLSv1 to force TLS.
http://curl.haxx.se/mail/lib-2014-10/0160.html
As I understand it, we don't need to update libcurl but only set the appropriate version of the SSL protocol(?).
Could you please provide appropriate use of SSL in RCurl which will exclude SSLv3?
My current RCurl config for SSL support is the following:
Thanks in advance