Hi clamav-users,

I just upgraded one of our Linux machines from Ubuntu 18.04 to 20.04. It
seems that the ClamAV package (although having the same version as in
18.04) has been built with stronger OpenSSL/cURL flags.
Freshclam is no longer able to fetch definition updates due to a weak
SSL certificate that is presented by our (crappy) corporate proxy:

* Connected to proxy.company.lan (172.22.xxx.yyy) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to database.clamav.net:443
> CONNECT database.clamav.net:443 HTTP/1.1
Host: database.clamav.net:443
User-Agent: ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
< Proxy-Connection: keep-alive
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* CONNECT phase completed!
* CONNECT phase completed!
* SSL certificate problem: *EE certificate key too weak*
* Closing connection 0

I know that the proxy is bad and you can't imagine how much I hate
SSL-breaking 'enterprise' security gear, but I cannot do anything about
it. Is there a way to make freshclam (or the SSL library it uses) accept
weak certificates? Something like '-k' for curl?

I've already tried changing to plain HTTP for database downloads, but
this doesn't work either:

!downloadFile: Unexpected response (0) from
http://database.clamav.net/daily.cvd (Proxy: proxy.company.lan:8080)

Thanks in advance for any recommendations!

Best regards,
Alex
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml