How to configure libcurl to use a custom CA bundle when downloading over HTTPS in R

Question

I'm trying to configure R so that it can download files (and by extension packages) from an HTTPS server that uses a self-signed SSL certificate. The documentation for download.file implies that, when using libcurl, a custom CA bundle can be configured with the CURL_CA_BUNDLE environment variable. However, the documentation for curl itself only mentions this environment variable in relation to the CLI tool, not libcurl.

It is possible that R is reading the environment variable and configuring libcurl accordingly; however, attempting to download a file with the environment variable set to the path of a working CA bundle file still results in an SSL error, as if the CA bundle is not being used. This suggests that the R documentation is wrong when it talks about the CURL_CA_BUNDLE variable in the context of libcurl.

download.file('https://self-signed.badssl.com', destfile='~/.test.html', method='libcurl')
trying URL 'https://self-signed.badssl.com'
Error in download.file("https://self-signed.badssl.com", destfile = "~/.test.html",  :
  cannot open URL 'https://self-signed.badssl.com'
In addition: Warning message:
In download.file("https://self-signed.badssl.com", destfile = "~/.test.html",  :
  URL 'https://self-signed.badssl.com/': status was 'SSL connect error'

Is it possible to specify a custom CA bundle for use by R's download.file function when using the libcurl backend?

Answer 1

Score: 1

Windows? The {curl} "Proxies and Certificates on Windows Networks" vignette provides a few extra hints: to use CURL_CA_BUNDLE, the libcurl SSL backend should be set to OpenSSL; the default in Windows is Secure Channel. So yet another env. var to take care of: CURL_SSL_BACKEND=openssl

Tested with (renv) project, environment variables configured in project's .Renviron file.

Sys.getenv(c("CURL_SSL_BACKEND",  "CURL_CA_BUNDLE"))
#> CURL_SSL_BACKEND   CURL_CA_BUNDLE 
#>        "openssl" "badssl_com.crt" 

# the one without parens is active backend
curl::curl_version()$ssl_version
#> [1] "OpenSSL/1.1.1m (Schannel)"

download.file('https://self-signed.badssl.com', destfile='~/.test.html', method='libcurl')
#> trying URL 'https://self-signed.badssl.com'
#> Content type 'text/html' length 502 bytes
#> downloaded 502 bytes

.Renviron

CURL_SSL_BACKEND=openssl
CURL_CA_BUNDLE=badssl_com.crt

badssl_com.crt

-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIJAKL5ZETgtiFQMA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4...
-----END CERTIFICATE-----
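
An added example, not part of the original answer: a preflight check in R for the two settings the answer relies on on Windows, namely that OpenSSL is the active backend and that CURL_CA_BUNDLE points at a readable PEM file. The function names are hypothetical, and the version strings and the temporary bundle file are constructed sample inputs.

```r
# Added example; function names are illustrative, not part of R or {curl}.

# Active TLS backend from a libcurl ssl_version string. Per the answer,
# the backend written without parentheses is the active one.
active_ssl_backend <- function(ssl_version) {
  tokens <- strsplit(trimws(ssl_version), "\\s+")[[1]]
  active <- tokens[!grepl("^\\(.*\\)$", tokens)]
  if (length(active) == 0) NA_character_ else active[1]
}

# Number of PEM certificate blocks in a bundle file.
count_pem_certs <- function(path) {
  lines <- trimws(readLines(path, warn = FALSE))
  begins <- sum(lines == "-----BEGIN CERTIFICATE-----")
  ends <- sum(lines == "-----END CERTIFICATE-----")
  if (begins != ends) stop("unbalanced PEM markers in ", path)
  begins
}

# Returns a character vector of problems; empty means the setup looks right.
check_ca_config <- function(ssl_version,
                            backend = Sys.getenv("CURL_SSL_BACKEND"),
                            bundle = Sys.getenv("CURL_CA_BUNDLE")) {
  problems <- character()
  active <- active_ssl_backend(ssl_version)
  if (!grepl("^openssl", active, ignore.case = TRUE)) {
    problems <- c(problems, sprintf(
      "active backend is '%s' (CURL_SSL_BACKEND='%s'), expected OpenSSL",
      active, backend))
  }
  if (!nzchar(bundle)) {
    problems <- c(problems, "CURL_CA_BUNDLE is not set")
  } else if (!file.exists(bundle)) {
    # A relative value such as badssl_com.crt is resolved against getwd().
    problems <- c(problems, sprintf(
      "CURL_CA_BUNDLE '%s' not found from '%s'", bundle, getwd()))
  } else if (count_pem_certs(bundle) == 0) {
    problems <- c(problems, "CURL_CA_BUNDLE holds no PEM certificate")
  }
  problems
}

# Constructed sample inputs: a placeholder bundle and two version strings.
demo_bundle <- tempfile(fileext = ".crt")
writeLines(c("-----BEGIN CERTIFICATE-----", "PLACEHOLDER",
             "-----END CERTIFICATE-----"), demo_bundle)
print(check_ca_config("OpenSSL/1.1.1m (Schannel)", "openssl", demo_bundle))
print(check_ca_config("(OpenSSL/1.1.1m) Schannel", "", "missing.crt"))
# Live session: check_ca_config(curl::curl_version()$ssl_version)
```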

huangapple
  • Published on July 3, 2023, 14:52:48
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76602454.html