systemtruststores / systemtruststores.github.io


Language support: R #14

Open chriskilding opened 1 year ago

chriskilding commented 1 year ago

Tracking support for native TLS cert verification in R.

(R is not as widely used as the other languages on the list, but (anecdotally) a reasonable number of statisticians use it in large companies. These companies may also be running TLS interception, so a native TLS solution is in their interest.)

HTTPS

Packages:

CRAN: TODO find out how it works

Other TLS connections

Packages that do other types of TLS connections include:

chriskilding commented 1 year ago

curl package

The https://cran.r-project.org/web/packages/curl/index.html package wraps the libcurl C library.

The curl() and curl_download() functions provide highly configurable drop-in replacements for base url() and download.file() with better performance, support for encryption (https, ftps), gzip compression, authentication, and other 'libcurl' goodies.

If you want an HTTPS connection from R you are likely either using this package directly, or a wrapper for it (like httr).

Therefore when it comes to TLS verification, R programs that use this package effectively do whatever the bundled libcurl does.

On Windows

The compiled libcurl that ships with the curl R package uses the Schannel backend (as described in https://cran.r-project.org/web/packages/curl/vignettes/windows.html). This means that by default these R programs do perform native TLS cert verification on Windows.

The only time this would not be the case would be if:

On macOS

TODO

RMariaDB

This contains a couple of flags like ssl.capath (path to a folder containing PEM format certs). This suggests that unless something special has been done with the libssl dependency, standard filesystem-based TLS certificate lookup is being done, and that it does not support native trust stores.

redux

This is a wrapper for the hiredis C library.

A cursory inspection of https://github.com/redis/hiredis/blob/master/ssl.c shows that hiredis uses OpenSSL for handling TLS. Therefore the only way to make Redux work with the native trust stores will be if OpenSSL can be persuaded to use them.

RPostgres

This depends on the libpq library. (It might also depend on libssl.)

It also performs a check on the libpq version at build time, to see if it's new enough to have SSL support: https://github.com/r-dbi/RPostgres/blob/5533405cab6357a17bf3f31b3b10000ba8b9a4ec/configure

So it comes down to how libpq handles TLS.
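A way to check which backend a given R session's curl package is actually using, and therefore whether the Schannel case described above applies. This is an added example, not code from this issue or from the curl package: the function names are hypothetical, the sample strings are constructed, and it assumes libcurl's convention of listing inactive backends in parentheses in its version string.

```r
# Added example; function names are illustrative, sample strings are constructed.

# In multi-backend libcurl builds the inactive backends appear in parentheses,
# e.g. "(OpenSSL/3.3.0) Schannel" means Schannel is the active backend.
active_tls_backend <- function(ssl_version) {
  if (length(ssl_version) != 1 || is.na(ssl_version)) return(NA_character_)
  parts <- strsplit(trimws(ssl_version), "\\s+")[[1]]
  active <- parts[!grepl("^\\(.*\\)$", parts)]
  if (length(active) == 0) return(NA_character_)
  sub("/.*$", "", active[1])  # drop the version suffix, keep the backend name
}

# Schannel verifies against the Windows certificate store. For any other
# backend this returns FALSE, i.e. assume file-based CA lookup until checked.
uses_windows_store <- function(ssl_version) {
  backend <- active_tls_backend(ssl_version)
  !is.na(backend) && tolower(backend) == "schannel"
}

# Constructed sample version strings covering both orderings.
samples <- c("(OpenSSL/3.3.0) Schannel",
             "OpenSSL/3.3.0 (Schannel)",
             "OpenSSL/3.0.13")
for (s in samples) {
  cat(sprintf("%-26s backend=%-9s windows_store=%s\n",
              s, active_tls_backend(s), uses_windows_store(s)))
}
stopifnot(uses_windows_store(samples[1]),
          !uses_windows_store(samples[2]),
          !uses_windows_store(samples[3]))

# Live check, only if the curl package is installed in this session.
if (requireNamespace("curl", quietly = TRUE)) {
  live <- curl::curl_version()$ssl_version
  cat("this session:", live, "-> windows_store =", uses_windows_store(live), "\n")
  # CURL_SSL_BACKEND is libcurl's backend-selection variable for
  # multi-backend builds; report it so an override is visible.
  override <- Sys.getenv("CURL_SSL_BACKEND", unset = NA)
  if (!is.na(override)) cat("CURL_SSL_BACKEND is set to", override, "\n")
}
```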