I am developing an R package and getting reports of:
httr::GET('http://gdc-api.nci.nih.gov/status')
Error in curl::curl_fetch_memory(url, handle = handle) : SSL connect error
I have seen a number of different approaches to dealing with the problem, but I am unable to test them locally since I cannot reproduce the issue. Is there a recommended approach to deal with this issue within R that does not require the user to install new system libraries (a can of worms)?
The issue is most likely due to outdated TLS support on the clients since disabling peer certificate and hostname validation doesn't help.
A quick scan of the server shows that they only support TLS 1.2 connections, so clients must support this (SSLv3, TLS 1.0, or TLS 1.1 won't work). This means OpenSSL 1.0.1 or greater is required.
Unfortunately, there's nothing you'll be able to do within your code to work around this. They'll need to ensure that their cURL libraries are built with modern TLS support.
sslscan https://gdc-api.nci.nih.gov
Version: 1.10.5-rbsec
OpenSSL 1.0.2k 26 Jan 2017
Testing SSL server gdc-api.nci.nih.gov on port 443
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256
Preferred Server Cipher(s):
TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384