On May 30, 2014, at 2:06 PM, Andreas Schulze <[email protected]> wrote:
> On 30.05.2014 at 10:02, Charles Swiger wrote:
>>> Is there a chance the codepath could be disabled?
>>
>> Of course. Source code is available; and anyone is welcome to create a
>> patch.
>
> Charles,
>
> thanks for the response. I'm not unfamiliar with creating patches but here I
> need a hint to a starting point. That's why I ask...

OK. Edit libclamav/crypto.c around line 827 and replace the
cl_validate_certificate_chain() function with:

    int cl_validate_certificate_chain(char **authorities, char *crlpath, char *certpath)
    {
        /* Disclaimer: you're disabling SSL certificate validation */
        return 1;
    }

>> A second point to note is that openssl-0.9.7d not only has a bunch of known
>> security issues, it's obsolete and will not be getting fixes. It should be
>> easier to update your OpenSSL to something secure than it would be to create
>> a patch for ClamAV to have it work with obsolete versions of OpenSSL.
>
> normally the servers in question don't use ssl at all. for that reason they
> still run.
> But now clamav uses parts of openssl and I run into that problem.

...and the reason one can't update OpenSSL might be? :-)
Regards,
--
-Chuck