如何在 RCurl 中设置密码 ECDHE-RSA-AES256-GCM-SHA384

Question

使用 RCurl getURL() 下载数据时出现类似错误

SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

据我所知，这可能与 curl 选项中的 ssl.cipher.list 选项有关。

如果是这样，我如何将 ECDHE-RSA-AES256-GCM-SHA384 设置为密码？

对我来说

curlOptions(ssl.cipher.list = "ECDHE-RSA-AES256-GCM-SHA384",...)

其他的尝试都没有成功。

这里是我的 sessionInfo()

> sessionInfo()
R version 3.5.1 (2018-07-02)
Platform: x86_64-w64-mingw32/x64 (64-bit)
Running under: Windows 7 x64 (build 7601) Service Pack 1

Matrix products: default

locale:
[1] LC_COLLATE=German_Germany.1252  LC_CTYPE=German_Germany.1252    LC_MONETARY=German_Germany.1252 LC_NUMERIC=C                   
[5] LC_TIME=German_Germany.1252    

attached base packages:
[1] stats     graphics  grDevices utils     datasets  methods   base     

other attached packages:
[1] RCurl_1.95-4.11 bitops_1.0-6   

loaded via a namespace (and not attached):
[1] compiler_3.5.1 tools_3.5.1    yaml_2.2.0 

如果需要更多详细信息，请告诉我。

更新：

这是 R 上 curl::curl_version() 版本的输出：

> curl::curl_version()
$`version`
[1] "7.59.0"

$ssl_version
[1] "(OpenSSL/1.0.2n) WinSSL"

$libz_version
[1] "1.2.8"

$libssh_version
[1] "libssh2/1.8.0"

$libidn_version
[1] NA

$host
[1] "x86_64-w64-mingw32"

$protocols
 [1] "dict"   "file"   "ftp"    "ftps"   "gopher" "http"   "https"  "imap"   "imaps"  "ldap"   "ldaps"  "pop3"   "pop3s"  "rtsp"   "scp"    "sftp"  
[17] "smtp"   "smtps"  "telnet" "tftp"  

$ipv6
[1] TRUE

$http2
[1] FALSE

$idn
[1] TRUE

这是RCurl::curlVersion()的输出

RCurl::curlVersion()
$`age`
[1] 3

$version
[1] "7.40.0"

$vesion_num
[1] 468992

$host
[1] "x86_64-pc-win32"

$features
      ssl      libz      ntlm asynchdns    spnego largefile       idn      sspi 
        4         8        16       128       256       512      1024      2048 

$ssl_version
[1] "OpenSSL/1.0.0o"

$ssl_version_num
[1] 0

$libz_version
[1] "1.2.8"

$protocols
 [1] "dict"   "file"   "ftp"    "ftps"   "gopher" "http"   "https"  "imap"   "imaps"  "ldap"   "pop3"   "pop3s"  "rtmp"   "rtsp"   "scp"    "sftp"  
[17] "smtp"   "smtps"  "telnet" "tftp"  

$ares
[1] ""

$ares_num
[1] 0

$libidn
[1] ""

在 Windows 本身上安装了以下内容，但 R 很可能不使用。 来自 git bash：

$ curl --version
curl 7.60.0 (x86_64-w64-mingw32) libcurl/7.60.0 OpenSSL/1.0.2o (WinSSL) zlib/1.2.11 libidn2/2.0.5 nghttp2/1.32.0

jsonlite::fromJSON(RCurl::getURL("https://www.howsmyssl.com/a/check", .opts = opts))的输出

> jsonlite::fromJSON(RCurl::getURL("https://www.howsmyssl.com/a/check", .opts = opts))
$`given_cipher_suites`
 [1] "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"  "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"     
 [4] "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"      "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA" "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"
 [7] "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"     "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"   "TLS_RSA_WITH_AES_256_CBC_SHA"         
[10] "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" 
[13] "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"      "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"      "TLS_DHE_RSA_WITH_SEED_CBC_SHA"        
[16] "TLS_DHE_DSS_WITH_SEED_CBC_SHA"         "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA" "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"
[19] "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"     "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"   "TLS_RSA_WITH_AES_128_CBC_SHA"         
[22] "TLS_RSA_WITH_SEED_CBC_SHA"             "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"     "TLS_RSA_WITH_IDEA_CBC_SHA"            
[25] "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"   "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA" "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"    
[28] "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"     "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"    "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA" 
[31] "TLS_RSA_WITH_3DES_EDE_CBC_SHA"         "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"    

$ephemeral_keys_supported
[1] TRUE

$session_ticket_supported
[1] FALSE

$tls_compression_supported
[1] FALSE

$unknown_cipher_suite_supported
[1] FALSE

$beast_vuln
[1] FALSE

$able_to_detect_n_minus_one_splitting
[1] TRUE

$insecure_cipher_suites
named list()

$`tls_version`
[1] "TLS 1.0"

$rating
[1] "Bad"

httr::content(httr::GET("https://www.howsmyssl.com/a/check"))的输出

> httr::content(httr::GET("https://www.howsmyssl.com/a/check"))
$`given_cipher_suites`
$`given_cipher_suites`[[1]]
[1] "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

$`given_cipher_suites`[[2]]
[1] "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"

$`given_cipher_suites`[[3]]
[1] "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

$`given_cipher_suites`[[4]]
[1] "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

$`given_cipher_suites`[[5]]
[1] "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"

$`given_cipher_suites`[[6]]
[1] "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

$`given_cipher_suites`[[7]]
[1] "TLS_RSA_WITH_AES_256_GCM_SHA384"

$`given_cipher_suites`[[8]]
[1] "TLS_RSA_WITH_AES_128_GCM_SHA256"

$`given_cipher_suites`[[9]]
[1] "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

$`given_cipher_suites`[[10]]
[1] "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"

$`given_cipher_suites`[[11]]
[1] "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"

$`given_cipher_suites`[[12]]
[1] "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"

$`given_cipher_suites`[[13]]
[1] "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"

$`given_cipher_suites`[[14]]
[1] "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"

$`given_cipher_suites`[[15]]
[1] "TLS_RSA_WITH_AES_256_CBC_SHA256"

$`given_cipher_suites`[[16]]
[1] "TLS_RSA_WITH_AES_128_CBC_SHA256"

$`given_cipher_suites`[[17]]
[1] "TLS_RSA_WITH_AES_256_CBC_SHA"

$`given_cipher_suites`[[18]]
[1] "TLS_RSA_WITH_AES_128_CBC_SHA"

$`given_cipher_suites`[[19]]
[1] "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"

$`given_cipher_suites`[[20]]
[1] "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"

$`given_cipher_suites`[[21]]
[1] "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"

$`given_cipher_suites`[[22]]
[1] "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"

$`given_cipher_suites`[[23]]
[1] "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

$`given_cipher_suites`[[24]]
[1] "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

$`given_cipher_suites`[[25]]
[1] "TLS_RSA_WITH_RC4_128_SHA"

$`given_cipher_suites`[[26]]
[1] "TLS_RSA_WITH_RC4_128_MD5"


$ephemeral_keys_supported
[1] TRUE

$session_ticket_supported
[1] FALSE

$tls_compression_supported
[1] FALSE

$unknown_cipher_suite_supported
[1] FALSE

$beast_vuln
[1] FALSE

$able_to_detect_n_minus_one_splitting
[1] FALSE

$insecure_cipher_suites
$insecure_cipher_suites$`TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`
$insecure_cipher_suites$`TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`[[1]]
[1] "uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"


$insecure_cipher_suites$TLS_RSA_WITH_3DES_EDE_CBC_SHA
$insecure_cipher_suites$TLS_RSA_WITH_3DES_EDE_CBC_SHA[[1]]
[1] "uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"


$insecure_cipher_suites$TLS_RSA_WITH_RC4_128_MD5
$insecure_cipher_suites$TLS_RSA_WITH_RC4_128_MD5[[1]]
[1] "uses RC4 which has insecure biases in its output"


$insecure_cipher_suites$TLS_RSA_WITH_RC4_128_SHA
$insecure_cipher_suites$TLS_RSA_WITH_RC4_128_SHA[[1]]
[1] "uses RC4 which has insecure biases in its output"



$tls_version
[1] "TLS 1.2"

$rating
[1] "Bad"

Answer 1

根据上面@hrbrmstr 的评论回答我自己的问题。

所以，看起来您的 RCurl 是使用近 4 年的 libcurl 版本构建的，并且是 CRAN (1.95-4.11) 上的最新 RCurl

我决定从 RCurl 切换到 httr 并立即得到结果，这意味着我现在可以从所需的 ftp 服务器下载数据。

我比较了RCurl::listCurlOptions() 和httr::httr_options() 的输出，这让我更容易找到用于 curl 选项的正确变量名。

希望这个答案可以帮助遇到与 RCurl 相同问题的其他人。