[clamav-users] Freshclam can't use HTTPS with PrivateMirror?
Sean
smalder73 at gmail.com
Thu Oct 18 16:44:24 UTC 2018
Thanks for the update Micah! While I'm not a developer, libcurl would
seem to be the way to go. We use other software based on it and it
works very well with SSL validation especially in areas where
self-signed or not publicly trusted CAs are used (assuming that the
local system's pki is trusting the CAs correctly).
--Sean
On Thu, Oct 18, 2018 at 12:23 PM Micah Snyder (micasnyd)
<micasnyd at cisco.com> wrote:
>
> Hi Sean,
>
> Sorry to say -- freshclam presently doesn't support HTTPS. It is not simply a matter of connecting over port 443 and performing TLS encryption handshakes. Certificate validation is also required. We're considering rewriting a lot of freshclam code to use libcurl to handle HTTPS connections, but feature planning for 0.102 is not complete and I can't promise that it will make it the next version of ClamAV.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Oct 17, 2018, at 10:51 AM, Sean <smalder73 at gmail.com> wrote:
>
> Hi,
> I'm new to the list, but have been using clam for a good while, it's
> just always worked :)
>
> We have created a private mirror of clam data updates on a network
> that is not Internet connected. We are required to encrypt network
> traffic, e.g. the mirror server must redirect http -> https. I was
> hoping to configure freshclam.conf to use the PrivateMirror setting as
> detailed at https://github.com/Cisco-Talos/clamav-faq/blob/master/mirrors/CvdPrivateMirror.md
> Option #2. We wish to go with #2, because we will not control all
> clients, and it will be simpler to use freshclam with proper
> configuration than having to support clients configuring a custom
> script and having the right things installed to run it.
>
> I see in the code
> (https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/freshclam/manager.c#L225)
> that unless a proxy is used, the port is hard coded to 80.
>
> Is there a reason for this? Should I file a bug? I would think that
> utilizing https as much as possible would be a good idea.
>
> Thanks!
>
> --Sean
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
>
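The thread turns on the point that HTTPS for a private mirror needs more than a TLS handshake: the chain must validate against a CA the local system trusts, and the hostname must match. The following is an added example (not freshclam or any ClamAV code) of what such a fetch looks like with the standard library; the mirror URL, the CA bundle path and the User-Agent are assumed values, and the only ClamAV-specific fact used is that a .cvd file begins with the text "ClamAV-VDB:".

```python
"""Fetch a ClamAV database file from a private HTTPS mirror with full
certificate validation (constructed example; not ClamAV's freshclam code).
Assumes the mirror serves files under paths such as /daily.cvd and that
the CA that signed the mirror's certificate is in CA_BUNDLE."""
import http.client
import ssl
from urllib.parse import urlsplit

# Hypothetical locations; replace with your mirror and trust-anchor bundle.
MIRROR_BASE = "https://mirror.example.internal"
CA_BUNDLE = "/etc/pki/tls/certs/private-ca.pem"
CVD_MAGIC = b"ClamAV-VDB:"  # a .cvd file starts with this header line


def mirror_request(url):
    """Split a mirror URL into (host, port, path), refusing plaintext HTTP."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("mirror URL must use https: %s" % url)
    if not parts.hostname:
        raise ValueError("mirror URL has no host: %s" % url)
    return parts.hostname, parts.port or 443, parts.path or "/"


def make_context(cafile=None):
    """TLS context that requires a valid chain and a matching hostname.
    cafile=None uses the system trust store; pass the private CA bundle
    when the mirror's certificate is not publicly trusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_database(url, cafile=None):
    """Download one database file and return its bytes, rejecting anything
    that is not a ClamAV database (e.g. an HTML error or redirect page)."""
    host, port, path = mirror_request(url)
    conn = http.client.HTTPSConnection(host, port, context=make_context(cafile))
    try:
        conn.request("GET", path, headers={"User-Agent": "private-mirror-fetch"})
        resp = conn.getresponse()
        if resp.status != 200:
            raise RuntimeError("%s: HTTP %d" % (url, resp.status))
        body = resp.read()
    finally:
        conn.close()
    if not body.startswith(CVD_MAGIC):
        raise RuntimeError("%s did not return a ClamAV database" % url)
    return body


if __name__ == "__main__":
    data = fetch_database(MIRROR_BASE + "/daily.cvd", CA_BUNDLE)
    print("fetched %d bytes, header: %r" % (len(data), data[:40]))
```

A mirror that merely redirects http to https does not help a client that never speaks TLS; the scheme check above is the client-side counterpart of that requirement.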