[clamav-users] What is OpenSSL used for in ClamAV?
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed Aug 7 13:52:07 EDT 2019
Openssl had been used exclusively for performing hashes up until ClamAV 0.100.1 where it was used [indirectly] by libcurl to enable HTTPS for clamsubmit. I suppose that libcurl may use an alternative like GnuTLS; it depends on which libcurl package you're using.
In 0.102, OpenSSL is used via libcurl for HTTPS for freshclam as well. In addition, when adding HTTPS support to freshclam we realized that Mac and Windows builds would need to query each respective system certificate store (KeyChain on macOS) to validate certificates. While the actual HTTPS protocol implementation and certificate checking is done by libcurl indirectly, this system certificate lookup is done directly in our own code. The imported certs are cached (in memory) on freshclam startup to speed up cert validation for subsequent HTTPS connections.
On Windows, our recent releases were built with OpenSSL 1.1.1c, though on other OS's we primarily do our testing with 1.0.2 versions (1.0.2s, on my Macbook).
If anyone is interested in reviewing/auditing correct usage of OpenSSL in ClamAV we always appreciate the help!
Cisco Systems, Inc.
On 8/7/19, 10:55 AM, "clamav-users on behalf of J.R. via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:
I was compiling the new version of ClamAV and figured I would see if
it would build against OpenSSL 1.1.1 (which apparently it did).
That got me to thinking, what exactly is it used for? I did some
searching and only found one little post that didn't give any real
detail. Is it just used to verify the databases, or does it work with
scanning / hashing files?
I guess I'm just wondering if it is worth doing, or if I'm asking for
trouble. Has ClamAV been verified against OpenSSL 1.1.1?
clamav-users mailing list
clamav-users at lists.clamav.net
Help us build a comprehensive ClamAV guide:
More information about the clamav-users