Mailing List Archive

Introducing OpenSSL as a dependency to ClamAV
On Friday last week I put a blog post up about introducing OpenSSL into the ClamAV ecosystem. I wanted to make sure everyone saw it, so please have a look at the blog post here:

http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Introducing OpenSSL as a dependency to ClamAV
Will we see changes to the clamd protocol to support SSL in the near future?

On 02/26/2014 10:08 AM, Joel Esler (jesler) wrote:
> On Friday last week I put a blog post up about introducing OpenSSL into the ClamAV ecosystem. I wanted to make sure everyone saw it, so please have a look at the blog post here:
>
> http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
>
> --
> Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net

Re: Introducing OpenSSL as a dependency to ClamAV
Hi,

The blog post doesn't mention what would now be SSL-ified. Would the
dependency be added to enable support for SSL enabled streams using the
clamd protocol?


On Wed, Feb 26, 2014 at 6:23 PM, Brandon Perry <bperry.volatile@gmail.com> wrote:

> Will we see changes to the clamd protocol to support SSL in the near
> future?
>
> On 02/26/2014 10:08 AM, Joel Esler (jesler) wrote:
> > On Friday last week I put a blog post up about introducing OpenSSL into
> the ClamAV ecosystem. I wanted to make sure everyone saw it, so please
> have a look at the blog post here:
> >
> > http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
> >
> > --
> > Joel Esler | Threat Intelligence Team Lead | Open Source Manager |
> Vulnerability Research Team
> > _______________________________________________
> > http://lurker.clamav.net/list/clamav-devel.html
> > Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
>


--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Re: Introducing OpenSSL as a dependency to ClamAV
On Mon, Mar 3, 2014 at 6:32 PM, Brandon Perry <bperry.volatile@gmail.com> wrote:

> Hi,
>
> The blog post doesn't mention what would now be SSL-ified. Would the
> dependency be added to enable support for SSL enabled streams using the
> clamd protocol?
>

For now, we plan on using only the hashing functionality in OpenSSL instead
of our own hand-rolled hashing code (for MD5, SHA1, and SHA256). The
protocol for clamd will remain untouched. Further work we have planned for
freshclam will depend on additional functionality in the OpenSSL library.
Re: Introducing OpenSSL as a dependency to ClamAV
Looks like relying on OpenSSL might cause problems for ClamAV on OS X.

Al (a regular contributor to this list) pointed me towards the following blog post

https://hynek.me/articles/apple-openssl-verification-surprises/

It explains some of the problems with Apple's installation of OpenSSL, and offers some workarounds. Relying on homebrew or MacPorts isn't an option for me because I produce compiled pre-packaged installers for ClamAV on OS X; I provide these to the general public, so have to expect users to be running the standard Apple-supplied OpenSSL.

Can I ask you to consider one of the two code-level solutions proposed in that blog post please? Presumably it would have to be implemented as a configure flag rather than for all Mac builds as I suspect some of the more advanced ClamAV users out there *will* have compiled their own OpenSSL.

Thanks
Mark

Re: Introducing OpenSSL as a dependency to ClamAV
On Tue, Mar 4, 2014 at 6:58 AM, Mark Allan <markjallan@gmail.com> wrote:

> Looks like relying on OpenSSL might cause problems for ClamAV on OS X.
>
> Al (a regular contributor to this list) pointed me towards the following
> blog post
>
> https://hynek.me/articles/apple-openssl-verification-surprises/
>
> It explains some of the problems with Apple's installation of OpenSSL, and
> offers some workarounds. Relying on homebrew or MacPorts isn't an option
> for me because I produce compiled pre-packaged installers for ClamAV on OS
> X; I provide these to the general public, so have to expect users to be
> running the standard Apple-supplied OpenSSL.
>
> Can I ask you to consider one of the two code-level solutions proposed in
> that blog post please? Presumably it would have to be implemented as a
> configure flag rather than for all Mac builds as I suspect some of the more
> advanced ClamAV users out there *will* have compiled their own OpenSSL.
>
> Thanks
> Mark


Hey Mark,

We're currently only using the hashing functionality in OpenSSL. For the
time being, we're not doing anything with X509 certificates, certificate
chains, or SSL. We're only using OpenSSL for MD5, SHA1, and SHA256.

Thanks,

Shawn