This document describes a few notes specifically for Windows users on networks with custom certificates or proxy settings. For regular Windows users, things should work out of the box.
In order to make SSL (https) connections, libcurl uses an SSL
backend. Currently the Windows version of the
supports two SSL backends: OpenSSL and Windows
Secure Channel. Only one can be enabled, which is determined
when the curl package is first loaded in your R session.
|trust certificates||Windows Cert Store||Windows Cert Store or
|works on corporate networks||Usually Yes||Maybe not|
|support http proxy server||Yes||Yes|
|support https proxy server||No||Yes|
|support client certificate authentication||No||Yes|
The default backend on Windows 7 and up is Secure Channel. This uses the native Windows SSL API and certificates, which is the safest choice for most users.
Have a look at
curl::curl_version() to see which ssl
backends are available and which one is in use.
curl::curl_version() #> $version #>  "7.64.1" #> #> $ssl_version #>  "(OpenSSL/1.1.1a) Schannel" #> #> $libz_version #>  "1.2.8" #> ...
The part in parentheses means this backend is available but currently not in use. Hence the output above means that the current active backend is Secure Channel, but OpenSSL is also supported, but currently not in use.
To switch to OpenSSL, you need to set an environment variable
"openssl" when starting R. A good place to set this is
.Renviron file in your user home (Documents)
?Startup manual has more details. The
following will write to your
write('CURL_SSL_BACKEND=openssl', file = "~/.Renviron", append = TRUE)
Now if you restart R, the default back-end should have changed:
> curl::curl_version()$ssl_version  "OpenSSL/1.1.1m (Schannel)"
Optionally, you can also set
CURL_CA_BUNDLE in your
~/.Renviron to use a custom trust bundle. If
CURL_CA_BUNDLE is not set, we use the Windows cert store.
When using Schannel, no trust bundle can be specified because we always
use the certificates from the native Windows cert store.
It is not possible to change the SSL backend once the
curl package has been loaded.
Windows proxy servers are a complicated topic because depending on your corporate network configuration, different settings may be needed. If your company uses proxies with custom certificates, this might also interact with the previous topic.
Proxy settings can either be configured in the handle for a single request, or globally via environment variables. This is explained in detail on the curl website detail in the manual pages for CURLOPT_PROXY and libcurl-env.
If you know the address of your proxy server you can set it via the
h <- new_handle(proxy = "http://proxyserver:8080", verbose = TRUE) req <- curl_fetch_memory("https://httpbin.org/get", handle = h) #> Verbose output here...
The example above should yield some verbose output indicating if the proxy connection was successful.
If this did not work, study the verbose output from above to see what seems to be the problem. Note that curl supports many options related to proxies (types, auth, etc), the details of which you can find on the libcurl homepage.
## haproxyprotocol httpproxytunnel noproxy pre_proxy proxy ## 274 61 10177 10262 10004 ## proxyauth proxyheader proxypassword proxyport proxytype ## 111 10228 10176 59 101 ## proxyusername proxyuserpwd proxy_cainfo proxy_cainfo_blob proxy_capath ## 10175 10006 10246 40310 10247 ## proxy_crlfile proxy_issuercert proxy_issuercert_blob proxy_keypasswd proxy_pinnedpublickey ## 10260 10296 40297 10258 10263 ## proxy_service_name proxy_sslcert proxy_sslcerttype proxy_sslcert_blob proxy_sslkey ## 10235 10254 10255 40293 10256 ## proxy_sslkeytype proxy_sslkey_blob proxy_sslversion proxy_ssl_cipher_list proxy_ssl_options ## 10257 40294 250 10259 261 ## proxy_ssl_verifyhost proxy_ssl_verifypeer proxy_tls13_ciphers proxy_tlsauth_password proxy_tlsauth_type ## 249 248 10277 10252 10253 ## proxy_tlsauth_username proxy_transfer_mode ## 10251 166
To use a global proxy server for all your requests, you can set the
http_proxy (lowercase!) or
ALL_PROXY. See this page for
details. This variable may be set or changed in R at runtime, for
Sys.setenv(ALL_PROXY = "http://proxy.mycorp.com:8080") req <- curl_fetch_memory("https://httpbin.org/get") #> verbose output here...
To use a default proxy server for all your R sessions, a good place
to set this environment variable is in your
An additional benefit of setting these environment variables is that
they are also supported by base R
install.packages. The manual page for
?download.file has a special section on “Setting Proxies”
which explains this.
If you don’t know what your proxy server is, the
package has a few utilities that interact with Internet Explorer to help
you find out. First have a look at
ie_proxy_info() to see
curl::ie_proxy_info() #> $AutoDetect #>  FALSE #> #> $AutoConfigUrl #>  "http://220.127.116.11:8543/proxypac.pac" #> #> $Proxy #>  "18.104.22.168:3228" #> #> $ProxyBypass #>  "10.*;173.*;mail.mycorp.org;autodiscover.mycorp.org;ev.mycorp.org;ecms.mycorp.org"
There are a few settings here, such as default proxy server and a
list of hosts which do not need proxying, usually hosts within
the corporate intranet (these can probably be used in
The most complicated case is when your network uses different proxy
servers for different target urls. The
above refers to a proxy auto
config (PAC) script that Internet Explorer has to run to find out
which proxy server it has to use for a given host. The
package exposes another function which calls out to Internet Explorer do
it’s thing and tell us the appropriate proxy server for a given
curl::ie_get_proxy_for_url("https://www.google.com") #>  "http://22.214.171.124:3228" curl::ie_get_proxy_for_url("http://mail.mycorp.org") #> NULL
The exact logic that Windows uses to derive the appropriate proxy server for a given host from the settings above is very complicated and may involve some trial and error until something works.
curl does not automatically set IE proxies, so
you need to manually set these in the handles or environment variables.
One day we could try to make the
curl package automatically
discover and apply Windows proxy settings. However to make sure we cover
all edge cases we need more examples from users in real world corporate
As of version 5 we now default to
To use a traditional PEM bundle set the CURL_CA_BUNDLE environment