[clamav-users] What is OpenSSL used for in ClamAV?

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Aug 7 13:52:07 EDT 2019


Openssl had been used exclusively for performing hashes up until ClamAV 0.100.1 where it was used [indirectly] by libcurl to enable HTTPS for clamsubmit.  I suppose that libcurl may use an alternative like GnuTLS; it depends on which libcurl package you're using.

In 0.102, OpenSSL is used via libcurl for HTTPS for freshclam as well.  In addition, when adding HTTPS support to freshclam we realized that Mac and Windows builds would need to query each respective system certificate store (KeyChain on macOS) to validate certificates.  While the actual HTTPS protocol implementation and certificate checking is done by libcurl indirectly, this system certificate lookup is done directly in our own code.  The imported  certs are cached (in memory) on freshclam startup to speed up cert validation for subsequent HTTPS connections.

On Windows, our recent releases were built with OpenSSL 1.1.1c, though on other OS's we primarily do our testing with 1.0.2 versions (1.0.2s, on my Macbook). 

If anyone is interested in reviewing/auditing correct usage of OpenSSL in ClamAV we always appreciate the help!


Micah Snyder
ClamAV Development
Cisco Systems, Inc.

On 8/7/19, 10:55 AM, "clamav-users on behalf of J.R. via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    I was compiling the new version of ClamAV and figured I would see if
    it would build against OpenSSL 1.1.1 (which apparently it did).
    That got me to thinking, what exactly is it used for? I did some
    searching and only found one little post that didn't give any real
    detail. Is it just used to verify the databases, or does it work with
    scanning / hashing files?
    I guess I'm just wondering if it is worth doing, or if I'm asking for
    trouble. Has ClamAV been verified against OpenSSL 1.1.1?
    clamav-users mailing list
    clamav-users at lists.clamav.net
    Help us build a comprehensive ClamAV guide:

More information about the clamav-users mailing list