Tls V1.1/Tls V1.2 Support in Rcurl

Will SSLContext.getInstance(TLS) supports TLS v1.1 and TLS v1.2 also?

To use TLSv1.2 try to use below code:

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null);

When was TLS 1.2 support added to OpenSSL?

On the official changelog page you provided, under Changes between 1.0.0h and 1.0.1 [14 Mar 2012] you can see Initial TLS v1.2 support.

*) Add TLS v1.2 server support for client authentication.
[Steve Henson]

*) Add TLS v1.2 client side support for client authentication. Keep cache
of handshake records longer as we don't know the hash algorithm to use
until after the certificate request message is received.
[Steve Henson]

*) Initial TLS v1.2 client support. Add a default signature algorithms
extension including all the algorithms we support. Parse new signature
format in client key exchange. Relax some ECC signing restrictions for
TLS v1.2 as indicated in RFC5246.
[Steve Henson]

*) Add server support for TLS v1.2 signature algorithms extension. Switch
to new signature format when needed using client digest preference.
All server ciphersuites should now work correctly in TLS v1.2. No client
support yet and no support for client certificates.
[Steve Henson]

*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
ciphersuites. At present only RSA key exchange ciphersuites work with
TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
and version checking.
[Steve Henson]

*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only a few changes are required [...]

TLS 1.2 support is from OpenSSL version 1.0.1.

OpenSSL 0.9.8x is lower than 1.0.1 so it does not support TLS 1.2

Developing R package and need to deal with SSL connect error

The issue is most likely due to outdated TLS support on the clients since disabling peer certificate and hostname validation doesn't help.

A quick scan of the server shows that they only support TLS 1.2 connections, so clients must support this (SSLv3, TLS 1.0, or TLS 1.1 won't work). This means OpenSSL 1.0.1 or greater is required.

Unfortunately, there's nothing you'll be able to do within your code to work around this. They'll need to ensure that their cURL libraries are built with modern TLS support.

sslscan https://gdc-api.nci.nih.gov
Version: 1.10.5-rbsec
OpenSSL 1.0.2k  26 Jan 2017

Testing SSL server gdc-api.nci.nih.gov on port 443

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.0 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384      
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256      

  Preferred Server Cipher(s):
TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384

RCurl - Boolean Options

Curl stands for a few things http://daniel.haxx.se/docs/curl-vs-libcurl.html. The problem here is you are looking at what the curl command line tool does and instead want to ask how the libcurl library implements something.

RCurl use the libcurl library. This can be accessed via an api. The "symbols" used in the api are listed here http://curl.haxx.se/libcurl/c/symbols-in-versions.html. We can compare them to the options listed by RCurl:

library(RCurl)

cInfo <- getURL("http://curl.haxx.se/libcurl/c/symbols-in-versions.html")
cInfo <- unlist(strsplit(cInfo, "\n"))
cInfo <- cInfo[grep("CURLOPT_", cInfo)]
cInfo <- gsub("([^[\\s]]*)\\s.*", "\\1", cInfo)
cInfo <- gsub("CURLOPT_", "", cInfo)
cInfo <- tolower(gsub("_", ".", cInfo))

listCurlOptions()[!listCurlOptions()%in%cInfo]

From the above we can see that all RCurl options are derived from libcurl api symbols. The
CURLOPT_ is removed _ is replaced by . and the letters are demoted to lower case.

The question then arises as to what types the symbols represent. I usually just look at the
php library documentation to discover this. http://php.net/manual/en/function.curl-setopt.php lists

CURLOPT_SSLVERSION The SSL version (2 or 3) to use. By default PHP will try to determine this itself, although in some cases this must be set manually.

as an integer type. expecting the value 2 or 3.

Alternatively you can look at the curl_easy_setopt manual page http://curl.haxx.se/libcurl/c/curl_easy_setopt.html.

CURLOPT_SSLVERSION

Pass a long as parameter to control what version of SSL/TLS to attempt to use. The available options are:

CURL_SSLVERSION_DEFAULT

The default action. This will attempt to figure out the remote SSL protocol version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled by default with 7.18.1).

CURL_SSLVERSION_TLSv1

Force TLSv1

CURL_SSLVERSION_SSLv2

Force SSLv2

CURL_SSLVERSION_SSLv3

Force SSLv3

It says we would need to pass a long with value CURL_SSLVERSION_SSLv3 to stipulate sslv3.
What is the value of CURL_SSLVERSION_SSLv3? We can examine RCurl:::SSLVERSION_SSLv3

> c(RCurl:::SSLVERSION_DEFAULT, RCurl:::SSLVERSION_TLSv1, RCurl:::SSLVERSION_SSLv2, RCurl:::SSLVERSION_SSLv3)
[1] 0 1 2 3
>

So in fact the permissible values for sslversion are 0,1,2 or 3.

So the confusion in this case arose from the curl program which presumably uses the libcurl api implementing this in a binary fashion.

So the correct way in this case to use this option would be:

postForm(url, .opts = list(sslversion = 3))

or

postForm(url, .opts = list(sslv = 3))

you can use the shorter sslv as .opts is passed to mapCurlOptNames which will use pmatch
to find sslversion.

To be fair to the author of RCurl this is all explained in http://www.omegahat.org/RCurl/philosophy.html also located in /RCurl/inst/doc/philosophy.html .An excerpt reads:

Each of these and what it controls is described in the libcurl
man(ual) page for curl_easy_setopt and that is the authoritative
documentation. Anything we provide here is merely repetition or
additional explanation.

The names of the options require a slight explanation. These
correspond to symbolic names in the C code of libcurl. For example,
the option url in R corresponds to CURLOPT_URL in C. Firstly,
uppercase letters are annoying to type and read, so we have mapped
them to lower case letters in R. We have also removed the prefix
"CURLOPT_" since we know the context in which they option names are
being used. And lastly, any option names that have a _ (after we have
removed the CURLOPT_ prefix) are changed to replace the '_' with a '.'
so we can type them in R without having to quote them. For example,
combining these three rules, "CURLOPT_URL" becomes url and
CURLOPT_NETRC_FILE becomes netrc.file. That is the mapping scheme.

Why getEnabledProtocols() returns TLS v1 instead of TLSv1.2?

You're confusing enabled and supported. The fact that a protocol is supported doesn't mean that it's enabled by default.

If you want to use TLS 1.2, use setEnabledProtocols to enable it first, which should work if it's supported in getSupportedProtocols.