Mailing List Archive

HTTPS Support?
My team is currently evaluating AV solutions and we're interested in using
ClamAV. However, due to policy requirements the updates need to be
downloaded via a secure protocol (e.g. https). Yes, I'm aware that this is
pointless because the signature of downloaded CVDs is verified to
identify/prevent tampering, but the policy requirement still stands for us.
Has anyone considered supporting HTTPS for retrieving updates? I don't see
any mention of it in the archives so I'm guessing no...

1. I see that the code in manager.c is hard-coded to use http. I could
update that to read an option from the config file for either http or https
and then pull updates from our own https mirror...
2. Due to the same policy requirements, our mirror will also have to get *its*
definitions via a secure protocol. Considering that manager.c is
hard-coded to use http, I assume there are no https mirrors out there,
correct? Alternatively the sync method for public mirrors (rsync over ssh)
would meet that need, but that would require us to make the mirror public,
which I'm not sure we could do.

Appreciate any answers/feedback

--
Matt Bearup
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: HTTPS Support?
Hello,

I think this is really not required, but still I can add a certificate
for our official mirror at https://clamav.upjs.sk/.
But still I think this will be only one official mirror with https support.
Content to this mirror is uploaded over ssh, so also our source is secure.

SAL

On Fri, Oct 10, 2014 at 11:36:08AM -0700, Matthew Bearup wrote:
> My team is currently evaluating AV solutions and we're interested in using
> ClamAV. However, due to policy requirements the updates need to be
> downloaded via a secure protocol (e.g. https). Yes, I'm aware that this is
> pointless because the signature of downloaded CVDs is verified to
> identify/prevent tampering, but the policy requirement still stands for us.
> Has anyone considered supporting HTTPS for retrieving updates? I don't see
> any mention of it in the archives so I'm guessing no...
>
> 1. I see that the code in manager.c is hard-coded to use http. I could
> update that to read an option from the config file for either http or https
> and then pull updates from our own https mirror...
> 2. Due to the same policy requirements, our mirror will also have to get *its*
> definitions via a secure protocol. Considering that manager.c is
> hard-coded to use http, I assume there are no https mirrors out there,
> correct? Alternatively the sync method for public mirrors (rsync over ssh)
> would meet that need, but that would require us to make the mirror public,
> which I'm not sure we could do.
>
> Appreciate any answers/feedback
>
> --
> Matt Bearup
Re: HTTPS Support?
That would be perfect, thanks so much for your help! I'll continue
investigating the updates to manager.c.
--
Matt Bearup

> Date: Sat, 11 Oct 2014 08:41:07 +0200
> Subject: Re: [Clamav-devel] HTTPS Support?
> Content-Type: text/plain; charset=us-ascii
>
> Hello,
>
> I think this is really not required, but still I can add a certificate
> for our official mirror at https://clamav.upjs.sk/.
> But still I think this will be only one official mirror with https support.
> Content to this mirror is uploaded over ssh, so also our source is secure.
>
> SAL
>
>> Date: Fri, 10 Oct 2014 11:36:08 -0700
>> Subject: [Clamav-devel] HTTPS Support?
>> Content-Type: text/plain; charset=UTF-8
>>
>> My team is currently evaluating AV solutions and we're interested in using
>> ClamAV. However, due to policy requirements the updates need to be
>> downloaded via a secure protocol (e.g. https). Yes, I'm aware that this is
>> pointless because the signature of downloaded CVDs is verified to
>> identify/prevent tampering, but the policy requirement still stands for us.
>> Has anyone considered supporting HTTPS for retrieving updates? I don't see
>> any mention of it in the archives so I'm guessing no...
>>
>> 1. I see that the code in manager.c is hard-coded to use http. I could
>> update that to read an option from the config file for either http or https
>> and then pull updates from our own https mirror...
>> 2. Due to the same policy requirements, our mirror will also have to get *its*
>> definitions via a secure protocol. Considering that manager.c is
>> hard-coded to use http, I assume there are no https mirrors out there,
>> correct? Alternatively the sync method for public mirrors (rsync over ssh)
>> would meet that need, but that would require us to make the mirror public,
>> which I'm not sure we could do.
>>
>> Appreciate any answers/feedback
>>
>> --
>> Matt Bearup