On 05/15/2010 01:34 AM, Nathan Gibbs wrote:
> * Török Edwin wrote:
>> On 05/14/2010 09:42 PM, Nathan Gibbs wrote:
>>>
>>> 1. Is moving updates over https a good idea? For the ClamAV update
>>> infrastructure at large, probably not.
>>
>> For the public mirrors no. https has extra overhead (ssl setup),
>
> That's what I thought, more complicated for you guys.
>
>> and the CVD files contain a digital signature already (which is checked by
>> freshclam) so https won't offer any additional security.
>>
>
> Oh, and redundant, so for the public mirrors, it is a bad idea.
>
>>> For a local mirror setup, it would be an interesting option.
>>
>> Is it just about using port 443 to connect (and still using http protocol)
>> or actually using the https protocol to transfer the files?
>>
>
> Using the https protocol.
>
> I would like the option to use the https protocol with freshclam in a local
> mirror setup.
>
> At our site, the "update server" hosts clamav DBs, snort rules, some conf
> files, etc. The ability to protect the other data would be a plus. It would
> add another layer of defense to our setup. However it's not workable if
> Freshclam cannot speak https.

Can you serve the other data via https, and only the freshclam updates via http?

> It's redundant as far as ClamAV's data integrity
> goes. However, I think it's worth doing as far as "hack value" and
> interoperability go.
>
> I would already be running https on our update server, except
>
> 1. I hadn't even thought of it until Eddie Ekwo mentioned it.
> 2. I'm not sure if freshclam can speak https.
>
> I'll gladly put my 2 cents into the bugzilla, but only if it's an idea you guys
> think is worth considering.

On 05/15/2010 02:12 AM, Nathan Gibbs wrote:
> Seriously, wget can do it, freshclam could too.

I think it would be doable if optional support for GnuTLS is added to freshclam:
http://www.gnu.org/software/gnutls/manual/gnutls.html#Simple-client-example-with-anonymous-authentication

As far as the bug report goes I think it would be moved to unplanned until someone provides a patch.

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
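The point Edwin makes above, that freshclam's integrity check rests on the signature carried in the CVD header rather than on the transport, can be illustrated with a small model. The following is an added example, not code from this thread or from ClamAV: it builds a container loosely modelled on the CVD layout (a colon-separated header padded to 512 bytes holding the MD5 of the body and a signature over that MD5, followed by the body) and verifies it the way a client would after fetching it over plain http. The RSA key pair, the `build_cvd`/`verify_cvd` helpers, the field order and padding, and the hex encoding of the signature are all constructed for the demo; ClamAV's real key, signature encoding and exact header handling differ.

```python
"""Transport-independent verification of a signed update container.

Added example (not ClamAV code): a fetched database is accepted because its
header carries a signed digest of the body, so integrity does not depend on
whether it arrived over http or https. Key pair and layout are constructed.
"""
import hashlib

# Constructed toy RSA key pair. Two Mersenne primes give a modulus wide enough
# to sign a 128-bit MD5 value directly. This is NOT ClamAV's real key.
_P = (1 << 127) - 1
_Q = (1 << 107) - 1
N = _P * _Q                                  # public modulus
E = 65537                                    # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))         # private exponent (Python 3.8+)


def sign_digest(md5_hex: str) -> str:
    """Publisher side: textbook RSA over the MD5 of the body (demo only)."""
    m = int(md5_hex, 16)
    return format(pow(m, _D, N), "x")


def verify_digest(md5_hex: str, sig_hex: str) -> bool:
    """Client side: recover the signed value with the pinned public key."""
    return pow(int(sig_hex, 16), E, N) == int(md5_hex, 16)


def build_cvd(payload: bytes, version: int) -> bytes:
    """Assemble a 512-byte colon-separated header (constructed field order,
    loosely modelled on the CVD header) followed by the payload."""
    md5 = hashlib.md5(payload).hexdigest()
    fields = ["ClamAV-VDB", "2010-05-15", str(version), "0", "0",
              md5, sign_digest(md5), "demo-builder", "0"]
    header = ":".join(fields).encode()
    assert len(header) <= 512, "header too long for fixed-size block"
    return header.ljust(512, b" ") + payload


def verify_cvd(blob: bytes) -> dict:
    """What the client checks regardless of transport: the body hashes to the
    digest in the header, and that digest carries a valid signature."""
    header, body = blob[:512].rstrip(b" "), blob[512:]
    fields = header.decode(errors="replace").split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        return {"ok": False, "reason": "malformed header"}
    md5_claimed, sig = fields[5], fields[6]
    if hashlib.md5(body).hexdigest() != md5_claimed:
        return {"ok": False, "reason": "body digest mismatch"}
    if not verify_digest(md5_claimed, sig):
        return {"ok": False, "reason": "bad signature"}
    return {"ok": True, "version": int(fields[2])}


def demo():
    """Constructed scenario: a genuine file, one corrupted in transit, and one
    whose header digest was recomputed for a modified body but whose signature
    could not be regenerated without the private key."""
    payload = b"constructed signature database body\n" * 8
    good = build_cvd(payload, version=11000)
    # Corrupted in transit: flip one bit inside the body, header untouched.
    tampered = good[:520] + bytes([good[520] ^ 0x01]) + good[521:]
    # Forged: body changed and header MD5 updated, old signature kept.
    fields = good[:512].rstrip(b" ").decode().split(":")
    fields[5] = hashlib.md5(payload + b"X").hexdigest()
    forged = ":".join(fields).encode().ljust(512, b" ") + payload + b"X"
    return verify_cvd(good), verify_cvd(tampered), verify_cvd(forged)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run stand-alone, the script accepts the genuine container, rejects the corrupted one on the digest check and rejects the forged one on the signature check; none of these outcomes depends on the channel the bytes came over, which is why https is redundant for the CVD files themselves while still being useful for the unsigned material (rules, config files) Nathan wants to host alongside them.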
