Discussion:
[clamav-users] Freshclam can't use HTTPS with PrivateMirror?
Sean
2018-10-17 14:51:57 UTC
Hi,
I'm new to the list, but have been using clam for a good while, it's
just always worked :)

We have created a private mirror of clam data updates on a network
that is not Internet connected. We are required to encrypt network
traffic, e.g. the mirror server must redirect http -> https. I was
hoping to configure freshclam.conf to use the PrivateMirror setting as
detailed at https://github.com/Cisco-Talos/clamav-faq/blob/master/mirrors/CvdPrivateMirror.md
Option #2. We wish to go with #2, because we will not control all
clients, and it will be simpler to use freshclam with proper
configuration than having to support clients configuring a custom
script and having the right things installed to run it.

I see in the code
(https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/freshclam/manager.c#L225)
that unless a proxy is used, the port is hard coded to 80.

Is there a reason for this? Should I file a bug? I would think that
utilizing https as much as possible would be a good idea.

Thanks!

--Sean
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
G.W. Haywood
2018-10-17 21:21:18 UTC
Hi there,
Post by Sean
We have created a private mirror of clam data updates on a network
that is not Internet connected. We are required to encrypt network
traffic, e.g. the mirror server must redirect http -> https.
This all seems a little strange. Perhaps you can explain.
Post by Sean
... freshclam ... port is hard coded to 80.
Is there a reason for this? Should I file a bug? I would think that
utilizing https as much as possible would be a good idea.
There's nothing remotely private about a *public* database of malware
signatures, so (especially on a network that is not connected to the
Internet!) it makes very little sense to encrypt freshclam's traffic.
You might as well encrypt Sky News. It would just mean a lot of extra
work/code/issues/cycles for no purpose, diverting scarce resources from
where they're actually needed. Don't do it.

Will your accountants want you to encrypt NTP traffic too? Oh - your
network isn't connected to the Internet anyway, so it won't know what
time it is, and so it can't decide when to do, well, anything, and the
timestamps in the logs will just be guesses, so forensics is right off
the menu and if you use Kerberos then it probably won't be long before
nobody will be able to log in, and...

Tell them it's a lot better to let you apply your intelligence to this
stuff than to get you running around in circles doing so many things
that make no sense that you have no time to implement real security.
--
73,
Ged.
Micah Snyder (micasnyd)
2018-10-18 16:23:11 UTC
Hi Sean,

Sorry to say -- freshclam presently doesn't support HTTPS. It is not simply a matter of connecting over port 443 and performing TLS encryption handshakes. Certificate validation is also required. We're considering rewriting a lot of freshclam code to use libcurl to handle HTTPS connections, but feature planning for 0.102 is not complete and I can't promise that it will make it into the next version of ClamAV.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


Sean
2018-10-18 16:44:24 UTC
Thanks for the update Micah! While I'm not a developer, libcurl would
seem to be the way to go. We use other software based on it and it
works very well with SSL validation especially in areas where
self-signed or not publicly trusted CAs are used (assuming that the
local system's pki is trusting the CAs correctly).

--Sean
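The certificate-validation point Micah raises and the private-CA case Sean describes, as an added example that is not part of this thread or of ClamAV's own code: a small Python fetcher that refuses plain HTTP and validates the mirror's certificate (peer cert required, hostname checked) against a configurable CA bundle, beside the "TLS handshake only" context it must not be confused with. The mirror URL and CA bundle path are assumed placeholders.

```python
"""Fetch a ClamAV database from a private HTTPS mirror with real certificate
validation.  Added illustration; not freshclam code.  URL and CA path assumed."""
import hashlib
import ssl
import urllib.request
from urllib.parse import urlparse

# Hypothetical private mirror and the CA bundle that signed its certificate.
MIRROR_URL = "https://clamav-mirror.internal.example/daily.cvd"
PRIVATE_CA_BUNDLE = "/etc/pki/tls/certs/internal-ca.pem"


def make_tls_context(cafile=None):
    """Context that validates the server: certificate required, hostname checked.
    cafile points at the private CA bundle when the mirror is not signed by a
    public CA; with cafile=None the OS trust store is used instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def handshake_only_context():
    """What 'just speak TLS on port 443' amounts to: the traffic is encrypted,
    but any certificate is accepted, so the mirror's identity is never checked.
    Shown only so the difference can be tested; do not use it for updates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates(ctx):
    """True only if the context authenticates the peer, not merely encrypts."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_database(url, cafile=None, timeout=30):
    """Download a .cvd/.cld over HTTPS only; returns (bytes, sha256 hex digest).
    A mirror that redirects http -> https still starts in the clear, so the
    plain-HTTP scheme is rejected up front rather than followed."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS mirror URL: {url}")
    ctx = make_tls_context(cafile)
    if not context_validates(ctx):
        raise RuntimeError("TLS context does not validate the mirror certificate")
    req = urllib.request.Request(url, headers={"User-Agent": "cvd-fetch-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        data = resp.read()
    return data, hashlib.sha256(data).hexdigest()
```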