[clamav-users] ClamAV®: ClamAV 0.98.4rc1 is now available!
Charles Swiger
cswiger at mac.com
Fri May 30 21:59:50 UTC 2014
On May 30, 2014, at 2:06 PM, Andreas Schulze <andreas.schulze at datev.de> wrote:
> On 30.05.2014 at 10:02, Charles Swiger wrote:
>>> Is there a chance the codepath could be disabled?
>>
>> Of course. Source code is available; and anyone is welcome to create a patch.
>
> Charles,
>
> Thanks for the response. I'm not unfamiliar with creating patches, but here I need a hint
> to a starting point. That's why I ask...
OK. Edit libclamav/crypto.c around line 827 and replace the cl_validate_certificate_chain() function with:

    int cl_validate_certificate_chain(char **authorities, char *crlpath, char *certpath)
    {
        /* Disclaimer: you're disabling SSL certificate validation */
        return 1;
    }

>> A second point to note is that openssl-0.9.7d not only has a bunch of known security
>> issues, it's obsolete and will not be getting fixes. It should be easier to update
>> your OpenSSL to something secure than it would be to create a patch for ClamAV to have it
>> work with obsolete versions of OpenSSL.
>
> Normally the servers in question don't use SSL at all. For that reason they still run.
> But now ClamAV uses parts of OpenSSL and I run into that problem.
...and the reason one can't update OpenSSL might be? :-)
Regards,
--
-Chuck