Tis the Season to Check your SSL/TLS Cipher List Thrice (RCurl/curl/openssl)
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.
The libcurl
library (the foundational library behind the RCurl
and curl
packages) has switched to using OpenSSL’s default ciphers since version 7.56.0 (October 4 2017). If you’re a regular updater of curl
/httr
you should be fairly current with these cipher suites, but if you’re not a keen updater or use RCurl
for your web-content tasks, you are likely not working with a recent cipher list and may start running into trouble as the internet self-proclaimed web guardians keep their wild abandon push towards “HTTPS Everywhere”.
Why is this important? Well, as a web consumer (via browsers) you likely haven’t run into any issues when visiting SSL/TLS-enabled sites since most browsers update super-frequently and bring along modern additions to cipher suites with them. Cipher suites are one of the backbones of assurance when it comes to secure connections to servers and stronger/different ciphers are continually added to openssl
(and other libraries). If a server (rightfully) only supports a modern, seriously secure TLS configuration, clients that do not have such support won’t be able to connect and you’ll see errors such as:
SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
You can test what a server supports via tools like SSL Test. I’d point to a command-line tool but there are enough R users on crippled Windows systems that it’s just easier to have you point and click to see. If you are game to try a command-line tool then give testssl
a go from an RStudio terminal (I use that suggestion specifically to be platform agnostic as I cannot assume R Windows users know how to use a sane shell). The testssl
script has virtually no dependencies so it should “work everywhere”. Note that both SSL Test and testssl
make quite a few connections to a site so make sure you’re only using your own server(s) as test targets unless you have permission from others to use theirs (go ahead and hit mine if you like).
You can also see what your R client packages support. One could run:
library(magrittr) read.table( text = system("openssl ciphers -v", intern=TRUE) %>% gsub("[[:alpha:]]+=", "", .) ) %>% setNames( c("ciphername", "protoccol_version", "key_exchange", "authentication", "symmetric_encryption_method", "message_authentication_code") )
in attempt to do that via the openssl
binary on your system, but Windows users likely won’t be able to run that (unlike every other modern OS including iOS) and it might not show you what your installed R client packages can handle since they may be using different libraries.
So, another platform-agnostic (but requiring a call to a web site, so some privacy leakage) is to use How’s My SSL.
ssl_check_url <- "https://www.howsmyssl.com/a/check" jsonlite::fromJSON( readLines(url(ssl_check_url), warn = FALSE) ) -> base_chk jsonlite::fromJSON( RCurl::getURL(ssl_check_url) ) -> rcurl_chk jsonlite::fromJSON( rawToChar( curl::curl_fetch_memory(ssl_check_url)$content ) ) -> curl_chk
Compare the $given_cipher_suites
for each of those to see how they compare and also take a look at $rating
. macOS and Linux users should have fairly uniform results for all three. Windows users may be in for a sad awakening (I mean you’re used to that on a regular basis, so it’s cool). You can also configure how you communicate what you support via the ssl_cipher_list
cURL option (capitalization is a bit different with RCurl
but I kinda want you to use the curl
package so you’re on your own to translate. Note that you can’t game the system and claim you can handle a cipher you don’t actually have.
FIN
You should try to stay current with the OpenSSL (or equivalent) library on your operating system and also with the libcurl
library on your system and then the curl
, openssl
, and RCurl
packages. You may have production-rules requiring lead-times for changing configs but these should be in the “test when they make it to CRAN and install as-soon-as-possible-thereafter” category.
R-bloggers.com offers daily e-mail updates about R news and tutorials about learning R and many other topics. Click here if you're looking to post or find an R/data-science job.
Want to share your content on R-bloggers? click here if you have a blog, or here if you don't.