[Clamav-devel] HTTPS Support?

Ján ONDREJ (SAL) ondrejj at salstar.sk
Sat Oct 11 02:41:07 EDT 2014


  I think this is really not required, but still I can add a certificate
for our official mirror at https://clamav.upjs.sk/.
But still I think this will be only one official mirror with https support.
Content to this mirror is uploaded over ssh, so also our source is secure.


On Fri, Oct 10, 2014 at 11:36:08AM -0700, Matthew Bearup wrote:
> My team is currently evaluating AV solutions and we're interesting in using
> ClamAV. However, due to policy requirements the updates need to be
> downloaded via a secure protocol (e.g. https). Yes, I'm aware that this is
> pointless because the signature of downloaded CVDs is verified to
> identify/prevent tampering, but the policy requirement still stands for us.
> Has anyone considered supporting HTTPS for retrieving updates? I don't see
> any mention of it in the archives so I'm guessing no...
> 1. I see that the code in manager.c is hard-coded to use http. I could
> update that to read an option from the config file for either http or https
> and then pull updates from our own https mirror...
> 2. Due to the same policy requirements, our mirror will also have to get *its
> *definitions via a secure protocol. Considering that manager.c is
> hard-coded to use http, I assume there are no https mirrors out there,
> correct? Alternatively the sync method for public mirrors (rsync overssh)
> would meet that need, but that would require us to make the mirror public,
> which I'm not sure we could do.
> Appreciate any answers/feedback
> -- 
> Matt Bearup
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
> http://www.clamav.net/contact.html#ml

More information about the clamav-devel mailing list