Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

"SSL connect error" from at least one clamav signature mirror #1310

Open scoser opened 2 months ago

scoser commented 2 months ago

Describe the bug

A few of our clamav instances are running into this error when trying to download signatures from freshclam:

```
ERROR: Fri Jul 12 14:48:09 2024 -> Download failed (35)
ERROR: Fri Jul 12 14:48:09 2024 -> Message: SSL connect error
```

How to reproduce the problem

We are using Ubuntu 24.04 containers with freshclam installed alongside Apache to serve as a private signature mirror. However, some of our deployments of this type are running into issues downloading signatures as seen in the error message above. Other deployments are able to successfully download signatures.

We checked the cert from the instances that are having the issue and are getting SSL cert expiration notices when checking the cert:

```
>>> openssl s_client -connect database.clamav.net:443 -servername clamav.net -showcerts | openssl x509 -text -noout
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 CN = ssl392509.cloudflaressl.com
verify error:num=10:certificate has expired
notAfter=Oct 13 23:59:59 2020 GMT
verify return:1
depth=0 CN = ssl392509.cloudflaressl.com
notAfter=Oct 13 23:59:59 2020 GMT
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e7:28:4e:d7:e1:29:eb:04:df:95:78:6a:e4:cd:8a:d0
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
        Validity
            Not Before: Apr  6 00:00:00 2020 GMT
            Not After : Oct 13 23:59:59 2020 GMT
        Subject: CN = ssl392509.cloudflaressl.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:0c:b2:3d:e1:a0:35:46:7b:0c:30:95:c6:62:17:
                    5d:b1:a0:04:71:27:f5:d7:30:4b:fa:fa:db:ec:5f:
                    20:c3:58:dc:12:cc:b2:62:31:f1:1e:5e:99:8f:dd:
                    43:f4:f9:1a:45:17:e3:a8:88:31:30:bd:f1:be:87:
                    bc:5a:d6:f0:f2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                40:09:61:67:F0:BC:83:71:4F:DE:12:08:2C:6F:D4:D4:2B:76:3D:96
            X509v3 Subject Key Identifier:
                0E:85:B3:45:D0:81:69:D0:98:5D:65:83:49:60:2C:70:4B:49:77:72
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt
                OCSP - URI:http://ocsp.comodoca4.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : Apr  6 18:51:58.024 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:EC:CA:4F:2C:0B:94:72:58:6C:BC:20:
                                45:72:5C:6E:7D:D1:6F:7C:DF:E0:27:6A:75:E9:0B:54:
                                C6:67:B1:0E:12:02:21:00:B2:70:4E:50:7A:F9:49:CA:
                                97:40:21:4B:22:17:B8:F2:EC:58:62:E7:28:7B:AA:E2:
                                E9:B3:68:A1:20:F7:05:56
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:
                                7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
                    Timestamp : Apr  6 18:51:58.072 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9B:53:00:3B:C3:7F:21:7E:F7:88:6C:
                                63:FD:B3:63:3A:57:CD:E7:34:37:74:6A:67:B1:6A:D9:
                                E3:58:4A:0A:9F:02:21:00:DC:0C:DB:30:27:5D:D9:A3:
                                CE:EB:A2:44:69:26:66:48:5A:5D:F9:8D:C8:84:EC:0B:
                                E1:37:F9:3D:78:C3:16:2D
            X509v3 Subject Alternative Name:
                DNS:ssl392509.cloudflaressl.com
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:70:19:15:5f:c3:a1:ba:50:36:73:d8:40:1d:4b:
        e1:90:99:54:8d:18:d5:17:64:46:93:1d:d9:92:b3:3d:18:1f:
        02:21:00:ee:69:3b:08:e6:b5:5a:31:0b:b5:25:5d:3c:65:63:
        d3:7f:6d:44:24:28:ac:e8:bf:87:02:67:13:29:93:ed:e6
```

Our freshclam.conf is set up as follows:

```
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground true
Debug false
MaxAttempts 5
DatabaseDirectory /var/www/html
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates no
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
```

brebell commented 2 months ago

We haven't seen this error before and the config looks good to me. We tested with the openssl command to show the certs and it also shows the "certificate has expired" message. I've raised the issue with our Cloudflare account admins.

clchandan commented 1 month ago

@brebell any update on this?

brebell commented 1 month ago

Can you try to update to this: `openssl s_client -connect database.clamav.net:443 -servername database.clamav.net -showcerts | openssl x509 -text -noout`

That should fix the issue.
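To read that kind of openssl check programmatically, here is an added example (not from this issue or from the ClamAV project): it parses a constructed excerpt modelled on the dump quoted above and reports both the expiry and that the leaf does not cover the name the probe asked for, which is what the corrected `-servername` in the last comment addresses. The function and variable names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt modelled on the output quoted in this issue (not live mirror data).
SAMPLE_DUMP = """\
depth=0 CN = ssl392509.cloudflaressl.com
verify error:num=10:certificate has expired
Certificate:
        Validity
            Not Before: Apr  6 00:00:00 2020 GMT
            Not After : Oct 13 23:59:59 2020 GMT
        Subject: CN = ssl392509.cloudflaressl.com
            X509v3 Subject Alternative Name:
                DNS:ssl392509.cloudflaressl.com
"""

def _openssl_time(text):
    # openssl prints "Oct 13 23:59:59 2020 GMT"; strptime tolerates the double space in "Apr  6".
    stamp = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z")
    return stamp.replace(tzinfo=timezone.utc)

def parse_leaf(dump):
    """Pull the fields that decide trust out of an `x509 -text` dump."""
    cn = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", dump, re.M).group(1)
    not_after = _openssl_time(re.search(r"Not After\s*:\s*(.+)", dump).group(1))
    sans = re.findall(r"DNS:([^,\s]+)", dump)
    errors = re.findall(r"^verify error:num=(\d+):(.+)$", dump, re.M)
    return {"cn": cn.strip(), "not_after": not_after,
            "sans": sans, "verify_errors": errors}

def name_matches(hostname, pattern):
    """RFC 6125-style check: exact match or a single leftmost wildcard label."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return h == p

def diagnose(dump, servername, now=None):
    """List why a client would reject this leaf for `servername`; "name-mismatch"
    next to "expired" says the server served a cert for another name, so check the SNI."""
    leaf = parse_leaf(dump)
    now = now or datetime.now(timezone.utc)
    findings = []
    if leaf["not_after"] < now:
        findings.append("expired")
    names = leaf["sans"] or [leaf["cn"]]
    if not any(name_matches(servername, n) for n in names):
        findings.append("name-mismatch")
    return findings
```

Run `diagnose(SAMPLE_DUMP, "clamav.net")` to reproduce the report's situation; feeding it the dump from the corrected command should show neither finding.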