shakaran opened this issue 2 years ago (status: Open)
Not a bad idea. Right now you can also change the freshclam.conf option DatabaseMirror from:
DatabaseMirror database.clamav.net
to
DatabaseMirror http://database.clamav.net
so it will do the old-style HTTP download.
ClamAV verifies the downloaded CVD database archives are signed by our private signing key so switching from HTTPS to HTTP shouldn't bother you much.
The above suggestion worked for me. Thanks @micahsnyder for the tip!
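As an added illustration of the point about signed databases (this is example code written for this page, not part of the thread and not ClamAV's own code), the block below parses the fixed 512-byte CVD header and checks the header's MD5 field against the archive body. The sample CVD bytes are constructed inline: the body is an arbitrary byte string rather than a real gzipped tarball, and the dsig field is a placeholder. Real freshclam additionally verifies that dsig with ClamAV's built-in public key, which is what lets it tolerate a plaintext download path for integrity purposes; transport security still matters for confidentiality and for an on-path party's ability to withhold updates, which a signature cannot prevent.

```python
import hashlib

# Header size fixed by the CVD format: the first 512 bytes are an ASCII,
# colon-separated record padded with spaces; the rest is the archive body.
CVD_HEADER_LEN = 512


def parse_cvd_header(data: bytes) -> dict:
    """Split the CVD header into its named fields.

    Layout: ClamAV-VDB:date:version:sigs:flevel:md5:dsig:builder:time
    """
    if len(data) < CVD_HEADER_LEN:
        raise ValueError("input shorter than a CVD header")
    header = data[:CVD_HEADER_LEN].decode("ascii").rstrip()
    fields = header.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a CVD header")
    return {
        "date": fields[1],
        "version": int(fields[2]),
        "sigs": int(fields[3]),
        "flevel": int(fields[4]),
        "md5": fields[5],
        "dsig": fields[6],      # RSA signature over the md5; not verified here
        "builder": fields[7],
        "time": int(fields[8]),
    }


def body_md5_matches(data: bytes) -> bool:
    """True if the archive body hashes to the md5 recorded in the header.

    MD5 is used because the CVD format specifies it; the signature over that
    digest (dsig) is what carries the trust, and checking it needs ClamAV's
    public key, which this example deliberately leaves out.
    """
    hdr = parse_cvd_header(data)
    digest = hashlib.md5(data[CVD_HEADER_LEN:]).hexdigest()
    return digest == hdr["md5"]


def build_sample_cvd(body: bytes) -> bytes:
    """Construct a CVD-shaped byte string around an arbitrary body (test data only)."""
    fields = [
        "ClamAV-VDB",
        "01 Jan 2024 00-00 +0000",   # constructed date; '-' keeps ':' out of the field
        "1",                         # version
        "3",                         # signature count
        "90",                        # functionality level
        hashlib.md5(body).hexdigest(),
        "PLACEHOLDER-DSIG",          # constructed; real files carry an RSA signature
        "example-builder",
        "1704067200",
    ]
    header = ":".join(fields).encode("ascii")
    return header.ljust(CVD_HEADER_LEN, b" ") + body


# Constructed sample: a well-formed file and a copy with one body byte flipped,
# standing in for a download corrupted or altered in transit.
SAMPLE_BODY = b"constructed stand-in for the gzipped signature tarball"
SAMPLE_CVD = build_sample_cvd(SAMPLE_BODY)
CORRUPTED_CVD = SAMPLE_CVD[:-1] + bytes([SAMPLE_CVD[-1] ^ 0x01])

if __name__ == "__main__":
    print(parse_cvd_header(SAMPLE_CVD))
    print("intact body md5 ok:", body_md5_matches(SAMPLE_CVD))
    print("corrupted body md5 ok:", body_md5_matches(CORRUPTED_CVD))
```

Running the block prints the parsed header and shows the intact sample passing the digest check while the single-byte-flipped copy fails it.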
In libfreshclam_internal.c there is a function called create_curl_handle() where all the curl options are set.
My proposal is to add a struct variable to handle the parameter enableVerifyOption and the curl setopt like this:
Because I tried to set a global config for curl, creating a ~/.curlrc file with "insecure" to skip the certificate warning.
On the curl command line, you have the option -k or --insecure to enable this flag. But since this is called via the C API, current clamav users don't have a way to enable/disable this flag on the command line or in the freshclam.conf config file.
Why would this be useful? Because when you have machines in DMZ zones that access via .gov proxies, the .gov may not want to add the Cloudflare certificate to the proxy, or you may not have access as BOFH to that machine.
This could only be solved if the proxy gives you a .cer or .crt file of the issuer, which may or may not be possible, to run as:
Count the number of certs:
$ grep -c "BEGIN CERTIFICATE" /etc/pki/tls/certs/ca-bundle.crt
Add the cert:
Count the number of certs (checking that you have one more):
$ grep -c "BEGIN CERTIFICATE" /etc/pki/tls/certs/ca-bundle.crt
Check that it is present in ca-bundle:
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs | grep subject | grep -i yourname
An example of a failed update of the daily.cvd diff file, when you cannot add the cert in the proxy:
The idea is to have a flag in the freshclam command that allows disabling peer verification, for example:
freshclam -k
or
freshclam --insecure
or
freshclam --noverifycert
This would allow updating through a proxy without breaking with errors like:
NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
or
Peer certificate cannot be authenticated with given CA certificates
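The cert-bundle procedure in the issue (count the certs, append the issuer, count again) is the alternative to disabling peer verification, and the one a defender should reach for first. The block below is an added example, not part of the thread or of ClamAV, that does the same bookkeeping in Python over an in-memory bundle: it counts BEGIN CERTIFICATE blocks exactly as the grep -c does, and it appends the issuer only if no block with the same DER bytes is already present, so re-running the step does not leave duplicate entries. The bundle and the "proxy issuer" PEM are constructed stand-ins (base64 of short labels, not real certificates), and the openssl subject check from the issue is not reproduced because parsing a DER subject without a crypto library is out of scope here.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.S,
)


def count_certs(bundle_text: str) -> int:
    """Same count that `grep -c "BEGIN CERTIFICATE"` gives on the bundle file."""
    return bundle_text.count("-----BEGIN CERTIFICATE-----")


def _der_fingerprint(b64_body: str) -> str:
    """SHA-256 over the decoded DER bytes, used as an identity for dedup."""
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()


def cert_fingerprints(bundle_text: str) -> set:
    """Fingerprints of every certificate block in the bundle."""
    return {_der_fingerprint(m.group(1)) for m in PEM_BLOCK.finditer(bundle_text)}


def add_cert(bundle_text: str, cert_pem: str):
    """Return (new_bundle, added).

    Appends cert_pem unless a certificate with identical DER bytes is already
    present, which keeps the step idempotent when it is run more than once.
    """
    m = PEM_BLOCK.search(cert_pem)
    if m is None:
        raise ValueError("input does not contain a PEM certificate block")
    if _der_fingerprint(m.group(1)) in cert_fingerprints(bundle_text):
        return bundle_text, False
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + m.group(0) + "\n", True


def _fake_pem(label: bytes) -> str:
    """Constructed PEM-shaped block: base64 of a label, not a real certificate."""
    b64 = base64.b64encode(label).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"


# Constructed sample bundle with two entries, and a constructed proxy issuer.
SAMPLE_BUNDLE = (
    _fake_pem(b"constructed root CA 1") + "\n"
    + _fake_pem(b"constructed root CA 2") + "\n"
)
PROXY_ISSUER_PEM = _fake_pem(b"constructed proxy issuer CA")


def update_bundle_twice(bundle_text: str, cert_pem: str):
    """Apply the issue's add step twice and return the three counts seen."""
    before = count_certs(bundle_text)
    once, added_first = add_cert(bundle_text, cert_pem)
    twice, added_second = add_cert(once, cert_pem)
    return before, count_certs(once), count_certs(twice), added_first, added_second


if __name__ == "__main__":
    print(update_bundle_twice(SAMPLE_BUNDLE, PROXY_ISSUER_PEM))
```

On a real host the bundle is the file the issue names (for example /etc/pki/tls/certs/ca-bundle.crt) and the issuer is the file the proxy operator hands over; the count should go up by exactly one on the first run and stay put on every run after that.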