Open chriskilding opened 1 year ago
curl
packageThe https://cran.r-project.org/web/packages/curl/index.html package wraps the libcurl C library.
The curl() and curl_download() functions provide highly configurable drop-in replacements for base url() and download.file() with better performance, support for encryption (https, ftps), gzip compression, authentication, and other 'libcurl' goodies.
If you want an HTTPS connection from R you are likely either using this package directly, or a wrapper for it (like httr).
Therefore when it comes to TLS verification, R programs that use this package effectively do whatever the bundled libcurl
does.
The compiled libcurl that ships with the curl
R package uses the Schannel backend (as described in https://cran.r-project.org/web/packages/curl/vignettes/windows.html). This means that by default these R programs do perform native TLS cert verification on Windows.
The only time this would not be the case would be if:
curl
and libcurl
were compiled from source using the OpenSSL backendCURL_SSL_BACKEND=openssl
R environment variable was setTODO
This contains a couple of flags like ssl.capath
(path to a folder containing PEM format certs). This suggests that unless something special has been done with the libssl
dependency, standard filesystem-based TLS certificate lookup is being done, and that it does not support native trust stores.
This is a wrapper for the hiredis
C library.
A cursory inspection of https://github.com/redis/hiredis/blob/master/ssl.c shows that hiredis uses OpenSSL for handling TLS. Therefore the only way to make Redux work with the native trust stores will be if OpenSSL can be persuaded to use them.
This depends on the libpq
library. (It might also depend on libssl
.)
It also performs a check on the libpq
version at build time, to see if it's new enough to have SSL support: https://github.com/r-dbi/RPostgres/blob/5533405cab6357a17bf3f31b3b10000ba8b9a4ec/configure
So it comes down to how libpq
handles TLS.
Tracking support for native TLS cert verification in R.
(R is not as widely used as the other languages on the list, but (anecdotally) a reasonable number of statisticians use it in large companies. These companies may also be running TLS interception, so a native TLS solution is in their interest.)
HTTPS
Packages:
curl
(https://cran.r-project.org/web/packages/curl/index.html) wraps thelibcurl
C library.httr
(https://github.com/r-lib/httr) is a popular HTTP library for R. It wraps the Rcurl
package above.CRAN: TODO find out how it works
Other TLS connections
Packages that do other types of TLS connections include:
rmariadb
(https://rmariadb.r-dbi.org) for MariaDB / MySQLrpostgres
(https://rpostgres.r-dbi.org)