Cisco-Talos / cvdupdate

ClamAV Private Database Mirror Updater Tool
Apache License 2.0

certificate verify failed: self signed certificate in certificate chain - error during cvd update #23

Closed lirigithub closed 3 years ago

lirigithub commented 3 years ago

Hi,

While running 'cvd update' on my machine, I get this error:

"requests.exceptions.SSLError: HTTPSConnectionPool(host='database.clamav.net', port=443): Max retries exceeded with url: /main-59.cdiff (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)')))"

Is there a way to disable the certificate check here? Or do you have any other suggestion for a solution? I have tried several different solutions, but couldn't solve it.

Thanks a lot.

micahsnyder commented 3 years ago

Hi @lirigithub,

I can't recommend disabling SSL certificate verification.

It's hard to say for sure what the issue is. This may help: https://stackoverflow.com/questions/51390968/python-ssl-certificate-verify-error

It may be that your certificate store is missing the Digicert root CA, which signs the Cloudflare cert. Cloudflare is our CDN for database.clamav.net.

What OS are you on?

lirigithub commented 3 years ago

Hi @micahsnyder,

We want to download the updates as a mirror on one server from our own ClamAV DB mirror, which is updated on a daily basis and is publicly available. How can this be done using cvd update? It seems that it is hard-coded to look at database.clamav.net.

I tried to edit the configuration file, config.json, and then it downloads from the mirror. However, this doesn't seem like the correct way to me. Is there another way to change it?

Also, when I do change the config.json, it downloads the daily.cvd, but fails to download the main.cvd due to the error: "ailed to download main.cvd header to check the version #." Do you know what can be the root cause of it?

micahsnyder commented 3 years ago

You should be able to manually change the "url" in config.json for main.cvd, daily.cvd, and bytecode.cvd to point to your own mirror. You should probably also then change the "DNS field" to 0 for each as well so that it tries to download the header for the version # check.

You could also use cvd remove and cvd add to replace the databases in your config with new ones that have different URLs.

But be warned that when HTTP is used for the version check instead of DNS, it will use the HTTP Range header to request the first 96 bytes of the file. This means your mirror's HTTP server must support HTTP Range requests or it may download the entire database for the version check 😬. For example, Python's built-in http.server (formerly SimpleHTTPServer in Python 2.7) doesn't support Range requests, so for testing CVDUpdate, I use the 3rd party rangehttpserver Python package.

micahsnyder commented 3 years ago

I forgot -- the HTTP version check does also try to use the "If-Modified-Since" HTTP header as well, in case the Range request doesn't work, but support may vary for this feature as well and I haven't tested it as thoroughly.
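Added example (not part of the original thread and not cvdupdate's own code): a probe for the Range behaviour described in the comments above, run against two constructed loopback handlers, one that ignores `Range` and one that honors it. The handler classes, the sample bytes and the helper names are assumptions made for illustration.

```python
import http.client, http.server, threading
from urllib.parse import urlsplit

HEADER_LEN = 96  # bytes the HTTP version check requests, per the comment above
# Constructed stand-in for a database file: header-like text plus padding.
SAMPLE = b"ClamAV-VDB:01 Jan 2021 00-00 +0000:59:" + b"\0" * 4000

class FullBodyHandler(http.server.BaseHTTPRequestHandler):
    """Ignores Range and always sends the whole file with 200."""
    def do_GET(self):
        self.reply(200, SAMPLE)
    def reply(self, status, body, extra=()):
        self.send_response(status)
        for name, value in (("Content-Length", str(len(body))), *extra):
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)
    log_message = lambda self, *args: None  # keep the demo quiet

class RangeHandler(FullBodyHandler):
    """Honors a simple 'bytes=start-end' Range with 206 Partial Content."""
    def do_GET(self):
        rng = self.headers.get("Range", "")
        if not rng.startswith("bytes="):
            return self.reply(200, SAMPLE)
        start, end = (int(x) for x in rng[6:].split("-"))
        crange = f"bytes {start}-{end}/{len(SAMPLE)}"
        self.reply(206, SAMPLE[start:end + 1], [("Content-Range", crange)])

def probe_range(url):
    """Request the first HEADER_LEN bytes; return (status, bytes received)."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    try:
        conn.request("GET", u.path or "/", headers={"Range": f"bytes=0-{HEADER_LEN - 1}"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()

def serve_and_probe(handler):
    """Serve SAMPLE on a loopback port with `handler`, then probe it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_range(f"http://127.0.0.1:{srv.server_port}/main.cvd")
    finally:
        srv.shutdown()
        srv.server_close()
```

A result of `(206, 96)` means the server returned only the requested bytes; `(200, <full size>)` means it ignored `Range` and sent the entire file. `probe_range` speaks plain HTTP only, so an HTTPS mirror would need `http.client.HTTPSConnection` instead.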

micahsnyder commented 3 years ago

@lirigithub may I close this issue?

lirigithub commented 3 years ago

For now yes, Thank you!

On Tue, May 4, 2021, 02:22 Micah Snyder @.***> wrote:

> @lirigithub may I close this issue?
