Re: [clamav-users] Freshclam can't use HTTPS with PrivateMirror?

2018-10-18 Thread Sean
Thanks for the update Micah!  While I'm not a developer, libcurl would
seem to be the way to go.  We use other software based on it and it
works very well with SSL validation especially in areas where
self-signed or not publicly trusted CAs are used (assuming that the
local system's pki is trusting the CAs correctly).

--Sean
On Thu, Oct 18, 2018 at 12:23 PM Micah Snyder (micasnyd) wrote:
>
> Hi Sean,
>
> Sorry to say -- freshclam presently doesn't support HTTPS.  It is not simply 
> a matter of connecting over port 443 and performing TLS encryption 
> handshakes.  Certificate validation is also required.  We're considering 
> rewriting a lot of freshclam code to use libcurl to handle HTTPS connections, 
> but feature planning for 0.102 is not complete and I can't promise that it 
> will make it into the next version of ClamAV.
>
> Regards,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Oct 17, 2018, at 10:51 AM, Sean wrote:
>
> Hi,
> I'm new to the list, but have been using clam for a good while, it's
> just always worked :)
>
> We have created a private mirror of clam data updates on a network
> that is not Internet connected.  We are required to encrypt network
> traffic, e.g. the mirror server must redirect http -> https.  I was
> hoping to configure freshclam.conf to use the PrivateMirror setting as
> detailed at 
> https://github.com/Cisco-Talos/clamav-faq/blob/master/mirrors/CvdPrivateMirror.md
> Option #2.  We wish to go with #2, because we will not control all
> clients, and it will be simpler to use freshclam with proper
> configuration than having to support clients configuring a custom
> script and having the right things installed to run it.
>
> I see in the code
> (https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/freshclam/manager.c#L225)
> that unless a proxy is used, the port is hard coded to 80.
>
> Is there a reason for this?  Should I file a bug?  I would think that
> utilizing https as much as possible would be a good idea.
>
> Thanks!
>
> --Sean
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Freshclam can't use HTTPS with PrivateMirror?

2018-10-18 Thread Micah Snyder (micasnyd)
Hi Sean,

Sorry to say -- freshclam presently doesn't support HTTPS.  It is not simply a 
matter of connecting over port 443 and performing TLS encryption handshakes.  
Certificate validation is also required.  We're considering rewriting a lot of 
freshclam code to use libcurl to handle HTTPS connections, but feature planning 
for 0.102 is not complete and I can't promise that it will make it into the next
version of ClamAV.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Oct 17, 2018, at 10:51 AM, Sean wrote:

Hi,
I'm new to the list, but have been using clam for a good while, it's
just always worked :)

We have created a private mirror of clam data updates on a network
that is not Internet connected.  We are required to encrypt network
traffic, e.g. the mirror server must redirect http -> https.  I was
hoping to configure freshclam.conf to use the PrivateMirror setting as
detailed at 
https://github.com/Cisco-Talos/clamav-faq/blob/master/mirrors/CvdPrivateMirror.md
Option #2.  We wish to go with #2, because we will not control all
clients, and it will be simpler to use freshclam with proper
configuration than having to support clients configuring a custom
script and having the right things installed to run it.

I see in the code
(https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/freshclam/manager.c#L225)
that unless a proxy is used, the port is hard coded to 80.

Is there a reason for this?  Should I file a bug?  I would think that
utilizing https as much as possible would be a good idea.

Thanks!

--Sean


Re: [clamav-users] Freshclam can't use HTTPS with PrivateMirror?

2018-10-17 Thread G.W. Haywood

Hi there,

On Wed, 17 Oct 2018, Sean wrote:

> We have created a private mirror of clam data updates on a network
> that is not Internet connected.  We are required to encrypt network
> traffic, e.g. the mirror server must redirect http -> https.

This all seems a little strange.  Perhaps you can explain.

> ... freshclam ... port is hard coded to 80.
>
> Is there a reason for this?  Should I file a bug?  I would think that
> utilizing https as much as possible would be a good idea.


There's nothing remotely private about a *public* database of malware
signatures, so (especially on a network that is not connected to the
Internet!) it makes very little sense to encrypt freshclam's traffic.
You might as well encrypt Sky News.  It would just mean a lot of extra
work/code/issues/cycles for no purpose, diverting scarce resources from
where they're actually needed.  Don't do it.

Will your accountants want you to encrypt NTP traffic too?  Oh - your
network isn't connected to the Internet anyway, so it won't know what
time it is, and so it can't decide when to do, well, anything, and the
timestamps in the logs will just be guesses, so forensics is right off
the menu and if you use Kerberos then it probably won't be long before
nobody will be able to log in, and...

Tell them it's a lot better to let you apply your intelligence to this
stuff than to get you running around in circles doing so many things
that make no sense that you have no time to implement real security.

--

73,
Ged.


[clamav-users] Freshclam can't use HTTPS with PrivateMirror?

2018-10-17 Thread Sean
Hi,
I'm new to the list, but have been using clam for a good while, it's
just always worked :)

We have created a private mirror of clam data updates on a network
that is not Internet connected.  We are required to encrypt network
traffic, e.g. the mirror server must redirect http -> https.  I was
hoping to configure freshclam.conf to use the PrivateMirror setting as
detailed at 
https://github.com/Cisco-Talos/clamav-faq/blob/master/mirrors/CvdPrivateMirror.md
Option #2.  We wish to go with #2, because we will not control all
clients, and it will be simpler to use freshclam with proper
configuration than having to support clients configuring a custom
script and having the right things installed to run it.

I see in the code
(https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/freshclam/manager.c#L225)
that unless a proxy is used, the port is hard coded to 80.

Is there a reason for this?  Should I file a bug?  I would think that
utilizing https as much as possible would be a good idea.

Thanks!

--Sean
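As an added example (not freshclam's code and not the script from the linked FAQ), this is the shape of the custom-script alternative Sean mentions, written in Python: it fetches from the private HTTPS mirror with certificate validation against the site's own CA bundle, which is the part Micah notes freshclam lacks, and only downloads when the mirror's CVD header reports a newer version than the local copy. The mirror URL, local database path and CA bundle path are assumptions.

```python
# Added example, not ClamAV/freshclam code; mirror URL and file paths are placeholders.
import ssl
import urllib.request
from pathlib import Path
from typing import Optional

CVD_HEADER_LEN = 512  # every .cvd file begins with a 512-byte ASCII header


def cvd_version(raw: bytes) -> int:
    """Return the version field of 'ClamAV-VDB:<date>:<version>:<sigs>:...'."""
    fields = raw[:CVD_HEADER_LEN].rstrip(b"\x00 ").decode("ascii").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 4:
        raise ValueError("not a CVD header")
    return int(fields[2])


def needs_update(local_header: bytes, remote_header: bytes) -> bool:
    """True when the mirror's copy is a strictly newer database version."""
    return cvd_version(remote_header) > cvd_version(local_header)


def make_ssl_context(ca_bundle: str) -> ssl.SSLContext:
    """Trust only the organization's CA bundle (assumed path) and require a
    valid, hostname-matching server certificate over TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch(url: str, ctx: ssl.SSLContext, first_bytes: Optional[int] = None) -> bytes:
    """GET the URL over validated TLS; with first_bytes set, ask only for the header
    via a Range request (a mirror that ignores Range still only gets read that far)."""
    headers = {"Range": f"bytes=0-{first_bytes - 1}"} if first_bytes else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read(first_bytes) if first_bytes else resp.read()


def sync_if_newer(url: str, local_path: str, ca_bundle: str) -> bool:
    """Download the CVD only if the mirror reports a newer version; return whether it did."""
    ctx = make_ssl_context(ca_bundle)
    local = Path(local_path)
    remote_header = fetch(url, ctx, first_bytes=CVD_HEADER_LEN)
    if local.exists() and not needs_update(local.read_bytes()[:CVD_HEADER_LEN], remote_header):
        return False
    local.write_bytes(fetch(url, ctx))
    return True
```

A client would call something like `sync_if_newer("https://mirror.example.internal/daily.cvd", "/var/lib/clamav/daily.cvd", "/etc/pki/tls/certs/internal-ca.pem")` from cron; a certificate not chaining to that bundle, or not matching the mirror's hostname, makes `urlopen` raise instead of silently downloading.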