Mailing List Archive

J.R.,

Openssl had been used exclusively for performing hashes up until ClamAV 0.100.1 where it was used [indirectly] by libcurl to enable HTTPS for clamsubmit. I suppose that libcurl may use an alternative like GnuTLS; it depends on which libcurl package you're using.

In 0.102, OpenSSL is used via libcurl for HTTPS for freshclam as well. In addition, when adding HTTPS support to freshclam we realized that Mac and Windows builds would need to query each respective system certificate store (KeyChain on macOS) to validate certificates. While the actual HTTPS protocol implementation and certificate checking is done by libcurl indirectly, this system certificate lookup is done directly in our own code. The imported certs are cached (in memory) on freshclam startup to speed up cert validation for subsequent HTTPS connections.

On Windows, our recent releases were built with OpenSSL 1.1.1c, though on other OS's we primarily do our testing with 1.0.2 versions (1.0.2s, on my Macbook).

If anyone is interested in reviewing/auditing correct usage of OpenSSL in ClamAV we always appreciate the help!

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.



?On 8/7/19, 10:55 AM, "clamav-users on behalf of J.R. via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

I was compiling the new version of ClamAV and figured I would see if
it would build against OpenSSL 1.1.1 (which apparently it did).

That got me to thinking, what exactly is it used for? I did some
searching and only found one little post that didn't give any real
detail. Is it just used to verify the databases, or does it work with
scanning / hashing files?

I guess I'm just wondering if it is worth doing, or if I'm asking for
trouble. Has ClamAV been verified against OpenSSL 1.1.1?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Am 07.08.19 um 19:52 schrieb Micah Snyder (micasnyd) via clamav-users:
> If anyone is interested in reviewing/auditing correct usage of OpenSSL in ClamAV we always appreciate the help!

I'm compiling clamav and use openssl-1.1.1x since last year or so - no trouble.
But that's not a revewi/audit. I simply say: works ...

Andreas


--
A. Schulze
DATEV eG

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

On Thu, 8 Aug 2019 13:11:38 +0200, Andreas Schulze via clamav-users
stated:
>Am 07.08.19 um 19:52 schrieb Micah Snyder (micasnyd) via clamav-users:
>> If anyone is interested in reviewing/auditing correct usage of
>> OpenSSL in ClamAV we always appreciate the help!
>
>I'm compiling clamav and use openssl-1.1.1x since last year or so - no
>trouble. But that's not a revewi/audit. I simply say: works ...

Openssl 1.1.1c on FreeBSD 12.0-RELEASE-p9

It works fine here.

--
Jerry

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml