r - TLS v1.1 / TLS v1.2 support in RCurl

Question

ETA: Per https://github.com/hiratake55/RForcecom/issues/42, it looks like the author of the rforcecom package has updated rforcecom to use httr instead of RCurl (as of today, to be uploaded to CRAN tomorrow, 7/1/16), so my particular issue will be solved at that point. However, the general case (implementing TLS 1.1 / 1.2 in RCurl) may still be worth pursuing for other packages. Or everyone may just switch to the more recent curl package instead of RCurl.

Background: I've been using the rforcecom package to communicate with Salesforce for several months. Salesforce recently disabled support for TLS v1.0 and is requiring TLS v1.1 or higher in their Sandboxes; this update will take place for Production environments in March 2017.

rforcecom uses RCurl to communicate with salesforce.com servers. Generally the curlPerform method is used, which is implemented something like this (this example is from rforcecom.login.R):

h <- basicHeaderGatherer()
t <- basicTextGatherer()
URL <- paste(loginURL, rforcecom.api.getSoapEndpoint(apiVersion), sep="")
httpHeader <- c("SOAPAction"="login","Content-Type"="text/xml")
curlPerform(url=URL, httpheader=httpHeader, postfields=soapBody, headerfunction = h$update, writefunction = t$update, ssl.verifypeer=F)

This has been working for me for a while, as I mentioned. Now that Salesforce has disabled TLS v1.0 on Sandboxes, though, it fails with the following error:

UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.

I've modified and sourced (without implementing it in the local copy of the package, as I'm not experienced enough to do this) a change to my local copy of the login module for RForcecom, and I've discovered through experimentation that I can specify any of the existing enumerated values for SSLVERSION successfully by adding sslversion=SSLVERSION_TLSv1, sslversion=SSLVERSION_SSLv3, etc. to the curlPerform options where it is called. However, all of these give me the same error as above. When I attempt to use one of the options that is implemented in libcurl but not in RCurl (SSLVERSION_TLSv1.1, SSLVERSION_TLSv1.2), I get the following error:

Error in merge(list(...), .opts) : object 'SSLVERSION_TLSv1.1' not found

or:

Error in merge(list(...), .opts) : object 'SSLVERSION_TLSv1.2' not found

I've verified with curlVersion() that my libcurl version is 7.40.0, which according to https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html does support those options. However, I'm unable to get RCurl to recognize them.

At this point what I'm looking for is a way to get RCurl to use TLS v1.1 or TLS v1.2, and I would very much appreciate any assistance I can get with that. I apologize for any problems/issues with my question as this is my first time asking one myself, I've previously always been able to muddle through by reading other people's questions and answers.

Answer 1

RCurl is an interface to libcurl and what it supports depends on the latter. It is possible that your libcurl was built with an older version of OpenSSL which does not have support for TLS v1.1 or v.1.2. Your can determine your SSL version from R like this:

RCurl::curlVersion()$ssl_version

I think that by default (e.g. ssl option CURL_SSLVERSION_DEFAULT), during the SSL handshake, the server and client would agree on the newest version that they both support. To make it work you would have to update OpenSSL to a newer version, recompile libcurl with it and rebuild RCurl so that it registers the updates.

That said, you can enforce a particular ssl version not defined in RCurl by passing the integer value of the required option yourself. The numbers you are looking for can be deduced from the C enum defined in the curl header file on GitHub:

enum {
  CURL_SSLVERSION_DEFAULT, // 0
  CURL_SSLVERSION_TLSv1, /* TLS 1.x */ // 1
  CURL_SSLVERSION_SSLv2, // 2
  CURL_SSLVERSION_SSLv3, // 3
  CURL_SSLVERSION_TLSv1_0, // 4
  CURL_SSLVERSION_TLSv1_1, // 5
  CURL_SSLVERSION_TLSv1_2, // 6
  CURL_SSLVERSION_TLSv1_3, // 7

  CURL_SSLVERSION_LAST /* never use, keep last */ // 8
};

For example:

# the data of you post request
nameValueList = list(data1 = "data1", data2 = "data2")

CURL_SSLVERSION_TLSv1_1 <- 5L
CURL_SSLVERSION_TLSv1_2 <- 6L

# TLS 1.1
opts <- RCurl::curlOptions(verbose = TRUE,
                           sslversion = CURL_SSLVERSION_TLSv1_1, ...)

# TLS 1.2
opts <- RCurl::curlOptions(verbose = TRUE,
                           sslversion = CURL_SSLVERSION_TLSv1_2, ...)

# finally, POST the data
RCurl::postForm(URL, .params = nameValueList, .opts = opts)

In general, this may not be a good practice because the authors of cURL could decide to change the values (although I believe chances are low) those options have.