BLUF: Some (but not all) of my httr2 requests result in the error
Failed to perform HTTP request. Caused by error in `curl::curl_fetch_memory()`: ! OpenSSL/3.1.4: error:1C8000E9:Provider routines::ems not enabled
I've had a hard time finding information about this specific error or enabling the "EMS" routine. Is this likely to be a problem with my OpenSSL install, the server configuration, or something else?
Additional, possibly relevant, details:
I'm running an AWS EC2 instance with apache and a docker service, which hosts a docker container running shiny-server and my app. My app uses httr2 to call a web API. The dockerized app works fine when running it off of my local machine, but when running it off the EC2 instance I get a strange error:
Failed to perform HTTP request. Caused by error in `curl::curl_fetch_memory()`: ! OpenSSL/3.1.4: error:1C8000E9:Provider routines::ems not enabled
This error seems to only occur with specific URLs, others seem to work fine. I can also log in to the hosted instance and use curl directly to successfully make a call to one of the problematic URLs.
I'm trying to figure out if this problem has to do with my container's install or configuration of OpenSSL, something about my EC2 instance configuration, or something specific to shiny-server and/or httr2 in an AWS context.
EMS stands for Extended Master Secret as defined in RFC 7627. It is a widely deployed TLS extension. Any up-to-date TLS server should be able to support this (EMS was standardised in 2015). EMS is only relevant for TLSv1.2 (or below) and does not apply to TLSv1.3.
This error occurs when OpenSSL has been configured to use the FIPS provider. FIPS compliance requires certain minimum standards. In this case it requires that if TLSv1.2 is in use then EMS must also be used.
This likely means that the server that you are connecting to (a) does not support TLSv1.3 and (b) also does not support the TLS EMS extension.
Assuming you really need to talk to the server that you are trying to connect to, the only real solutions are (1) disable the OpenSSL FIPS provider for this connection or (2) get the server operator to upgrade their server.
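A way to confirm the diagnosis in the answer above before asking a server operator to upgrade, as an added example that is not part of the original question or answer: run `openssl s_client` against the problematic host and classify its output by the two facts that matter here (did the handshake negotiate TLSv1.3, and if not, did the server agree to the Extended Master Secret extension). The `classify_tls_output` function works on captured `s_client` output, so it is demonstrated on a constructed sample; `probe_host` is the network-using wrapper you would run from the EC2 instance. Function names, the result labels, and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Classify captured `openssl s_client` output (read from stdin) into one of:
#   OK_TLS13   - TLSv1.3 negotiated; EMS is irrelevant, a FIPS client is fine
#   OK_EMS     - TLSv1.2 with Extended Master Secret; a FIPS client is fine
#   NEEDS_EMS  - TLSv1.2 without EMS; this is the "ems not enabled" case
#   UNKNOWN    - output did not contain the lines we look for
classify_tls_output() {
  out=$(cat)
  # Check TLSv1.3 first: s_client also prints "Extended master secret: no"
  # for TLSv1.3 sessions, because the extension does not exist there.
  if printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1\.3'; then
    echo OK_TLS13; return 0
  fi
  if printf '%s\n' "$out" | grep -q 'Extended master secret: yes'; then
    echo OK_EMS; return 0
  fi
  if printf '%s\n' "$out" | grep -q 'Extended master secret: no'; then
    echo NEEDS_EMS; return 0
  fi
  echo UNKNOWN
}

# probe_host HOST [PORT]: connect with the default provider set (no FIPS
# restriction) so the handshake succeeds even against an EMS-less server,
# then classify what the server actually negotiated. Needs network access.
probe_host() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | classify_tls_output
}

# Constructed sample of the relevant s_client lines for a server that only
# offers TLSv1.2 and did not negotiate EMS (the situation in the answer).
SAMPLE_TLS12_NO_EMS='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Extended master secret: no'

# Constructed sample for a modern server that negotiated TLSv1.3.
SAMPLE_TLS13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Extended master secret: no'

# Stand-alone run: classify both samples.
printf '%s\n' "$SAMPLE_TLS12_NO_EMS" | classify_tls_output   # NEEDS_EMS
printf '%s\n' "$SAMPLE_TLS13" | classify_tls_output          # OK_TLS13
```

If `probe_host` reports NEEDS_EMS for a URL that fails from the container but OK_TLS13 or OK_EMS for the ones that work, the answer's explanation fits: the FIPS-configured OpenSSL inside the container refuses the TLSv1.2-without-EMS handshake that plain `curl` on the host (built against a non-FIPS OpenSSL) accepts.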