[Clamav-devel] HTTPS Support?

Matthew Bearup matthew.bearup at gmail.com
Fri Oct 10 14:36:08 EDT 2014

My team is currently evaluating AV solutions and we're interested in using
ClamAV. However, due to policy requirements the updates need to be
downloaded via a secure protocol (e.g. https). Yes, I'm aware that this is
pointless because the signature of downloaded CVDs is verified to
identify/prevent tampering, but the policy requirement still stands for us.
Has anyone considered supporting HTTPS for retrieving updates? I don't see
any mention of it in the archives so I'm guessing no...

1. I see that the code in manager.c is hard-coded to use http. I could
update that to read an option from the config file for either http or https
and then pull updates from our own https mirror...
2. Due to the same policy requirements, our mirror will also have to get *its*
definitions via a secure protocol. Considering that manager.c is
hard-coded to use http, I assume there are no https mirrors out there,
correct? Alternatively the sync method for public mirrors (rsync over ssh)
would meet that need, but that would require us to make the mirror public,
which I'm not sure we could do.

Appreciate any answers/feedback

Matt Bearup

