Will SSLContext.getInstance("TLS") support TLS v1.1 and TLS v1.2 as well?
To use TLSv1.2, try the code below:
import javax.net.ssl.SSLContext;
// Request a TLSv1.2 context explicitly (throws NoSuchAlgorithmException if the provider lacks it).
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null); // nulls select the default key managers, trust managers and SecureRandom
When was TLS 1.2 support added to OpenSSL?
On the official changelog page you provided, under "Changes between 1.0.0h and 1.0.1 [14 Mar 2012]" you can see "Initial TLS v1.2 support":
  *) Add TLS v1.2 server support for client authentication.
     [Steve Henson]

  *) Add TLS v1.2 client side support for client authentication. Keep cache
     of handshake records longer as we don't know the hash algorithm to use
     until after the certificate request message is received.
     [Steve Henson]

  *) Initial TLS v1.2 client support. Add a default signature algorithms
     extension including all the algorithms we support. Parse new signature
     format in client key exchange. Relax some ECC signing restrictions for
     TLS v1.2 as indicated in RFC5246.
     [Steve Henson]

  *) Add server support for TLS v1.2 signature algorithms extension. Switch
     to new signature format when needed using client digest preference.
     All server ciphersuites should now work correctly in TLS v1.2. No client
     support yet and no support for client certificates.
     [Steve Henson]

  *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
     to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
     ciphersuites. At present only RSA key exchange ciphersuites work with
     TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
     SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
     and version checking.
     [Steve Henson]

  *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only a few changes are required [...]
TLS 1.2 support is from OpenSSL version 1.0.1.
OpenSSL 0.9.8x is lower than 1.0.1, so it does not support TLS 1.2.
Developing R package and need to deal with SSL connect error
The issue is most likely due to outdated TLS support on the clients since disabling peer certificate and hostname validation doesn't help.
A quick scan of the server shows that they only support TLS 1.2 connections, so clients must support this (SSLv3, TLS 1.0, or TLS 1.1 won't work). This means OpenSSL 1.0.1 or greater is required.
Unfortunately, there's nothing you'll be able to do within your code to work around this. They'll need to ensure that their cURL libraries are built with modern TLS support.
sslscan https://gdc-api.nci.nih.gov
Version: 1.10.5-rbsec
OpenSSL 1.0.2k 26 Jan 2017
Testing SSL server gdc-api.nci.nih.gov on port 443
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256
Preferred Server Cipher(s):
TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
RCurl - Boolean Options
Curl stands for a few things: http://daniel.haxx.se/docs/curl-vs-libcurl.html. The problem here is that you are looking at what the curl command line tool does, and instead want to ask how the libcurl library implements something.
RCurl uses the libcurl library. This can be accessed via an API. The "symbols" used in the API are listed here: http://curl.haxx.se/libcurl/c/symbols-in-versions.html. We can compare them to the options listed by RCurl:
library(RCurl)
# Fetch the libcurl symbol table and keep only the lines that mention CURLOPT_ symbols.
cInfo <- getURL("http://curl.haxx.se/libcurl/c/symbols-in-versions.html")
cInfo <- unlist(strsplit(cInfo, "\n"))
cInfo <- cInfo[grep("CURLOPT_", cInfo)]
# Keep the first whitespace-delimited token of each line (the symbol name).
cInfo <- gsub("^\\s*(\\S+).*", "\\1", cInfo, perl = TRUE)
# Apply RCurl's naming rules: drop the CURLOPT_ prefix, turn '_' into '.', lower-case.
cInfo <- gsub("CURLOPT_", "", cInfo)
cInfo <- tolower(gsub("_", ".", cInfo))
# Any RCurl option without a libcurl counterpart would be listed here.
listCurlOptions()[!listCurlOptions() %in% cInfo]
From the above we can see that all RCurl options are derived from libcurl API symbols: the CURLOPT_ prefix is removed, _ is replaced by ., and the letters are demoted to lower case.
The question then arises as to what types the symbols represent. I usually just look at the PHP library documentation to discover this. http://php.net/manual/en/function.curl-setopt.php lists
CURLOPT_SSLVERSION The SSL version (2 or 3) to use. By default PHP will try to determine this itself, although in some cases this must be set manually.
as an integer type, expecting the value 2 or 3.
Alternatively you can look at the curl_easy_setopt
manual page http://curl.haxx.se/libcurl/c/curl_easy_setopt.html.
CURLOPT_SSLVERSION
Pass a long as parameter to control what version of SSL/TLS to attempt to use. The available options are:
CURL_SSLVERSION_DEFAULT
The default action. This will attempt to figure out the remote SSL protocol version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled by default with 7.18.1).
CURL_SSLVERSION_TLSv1
Force TLSv1
CURL_SSLVERSION_SSLv2
Force SSLv2
CURL_SSLVERSION_SSLv3
Force SSLv3
It says we would need to pass a long with value CURL_SSLVERSION_SSLv3 to stipulate SSLv3.
What is the value of CURL_SSLVERSION_SSLv3? We can examine RCurl:::SSLVERSION_SSLv3:
> c(RCurl:::SSLVERSION_DEFAULT, RCurl:::SSLVERSION_TLSv1, RCurl:::SSLVERSION_SSLv2, RCurl:::SSLVERSION_SSLv3)
[1] 0 1 2 3
So in fact the permissible values for sslversion are 0, 1, 2 or 3.
So the confusion in this case arose from the curl program, which presumably uses the libcurl API, implementing this in a binary fashion.
So the correct way in this case to use this option would be:
postForm(url, .opts = list(sslversion = 3))
or
postForm(url, .opts = list(sslv = 3))
You can use the shorter sslv because .opts is passed to mapCurlOptNames, which uses pmatch to find sslversion.
To be fair to the author of RCurl, this is all explained in http://www.omegahat.org/RCurl/philosophy.html (also located in /RCurl/inst/doc/philosophy.html). An excerpt reads:
Each of these and what it controls is described in the libcurl man(ual) page for curl_easy_setopt and that is the authoritative documentation. Anything we provide here is merely repetition or additional explanation.

The names of the options require a slight explanation. These correspond to symbolic names in the C code of libcurl. For example, the option url in R corresponds to CURLOPT_URL in C. Firstly, uppercase letters are annoying to type and read, so we have mapped them to lower case letters in R. We have also removed the prefix "CURLOPT_" since we know the context in which the option names are being used. And lastly, any option names that have a _ (after we have removed the CURLOPT_ prefix) are changed to replace the '_' with a '.' so we can type them in R without having to quote them. For example, combining these three rules, "CURLOPT_URL" becomes url and CURLOPT_NETRC_FILE becomes netrc.file. That is the mapping scheme.
Why does getEnabledProtocols() return TLSv1 instead of TLSv1.2?
You're confusing enabled and supported. The fact that a protocol is supported doesn't mean that it's enabled by default.
If you want to use TLS 1.2, use setEnabledProtocols to enable it first, which should work if it's supported in getSupportedProtocols.