On 02/15/2010 03:45 PM, Matus UHLAR - fantomas wrote:
>> On 02/15/2010 02:54 PM, sokratis.kapetan...@accenture.com wrote:
>>
>>> I was wondering if there is a way to connect to the Update Servers (not
>>> mirrors) using SSL/HTTPS instead of standard HTTP.
>>>
>
> On 15.02.10 15:34, Török Edwin wrote:
>
>> The databases, and updates are digitally signed, so you don't need
>> SSL/HTTPS.
>> Freshclam and libclamav check the digital signatures when loading the
>> databases.
>>
>
> hmmm, signed by whom? And where are public keys stored?

CVDs are signed prior to publishing, and pushing to the mirrors.
The public key is hardcoded in libclamav.

You can verify the signature using sigtool manually:

$ sigtool/sigtool --info daily.cvd
File: daily.cvd
Build time: 14 Feb 2010 20:31 -0500
Version: 10392
Signatures: 168531
Functionality level: 44
Builder: acab
MD5: d6ab08bc2271847d06ebcfe95a2b6bfc
Digital signature: lamlVM3R8gXfEFFGQTQ0ptug07l6p1zkr40HyRgi9/g1rvIiBTP7I1N/XDwsMzEb9QwKv0HkMQyRneCYc7VE5PU8Eysg1kp3LM/AnqpyfTGcZ2NKfFaUPOuaRkfjSF8z7iExR1bY3miLzKlVmT/ZM/7Dr4ofa3NOpM6cXqr1Gyj
Verification OK.

If the database is tampered with you will get something like this (for
example if one byte is wrong):

File: daily.cvd
Build time: 14 Feb 2010 20:31 -0500
Version: 10392
Signatures: 168531
Functionality level: 44
Builder: acab
MD5: d6ab08bc2271847d06ebcfe95a2b6bfc
Digital signature: lamlVM3R8gXfEFFGQTQ0ptug07l6p1zkr40HyRgi9/g1rvIiBTP7I1N/XDwsMzEb9QwKv0HkMQyRneCYc7VE5PU8Eysg1kp3LM/AnqpyfTGcZ2NKfFaUPOuaRkfjSF8z7iExR1bY3miLzKlVmT/ZM/7Dr4ofa3NOpM6cXqr1Gyj
ERROR: cvdinfo: Verification: Can't verify database integrity

cdiff files (incremental updates) have a digital signature that is
checked by freshclam too.
Also 0.96 will check the SHA-256 hash of each file in the .cvd/.cld, and
these hashes are signed similarly to .cdiffs.

So downloading via HTTPS/SSL won't give you additional security.
In fact if freshclam wasn't able to check the digital signature, then
even if you downloaded over HTTPS you wouldn't know if the databases
have been tampered with or not. You only know that you get what is on
the mirror, and not that the mirror has the same database that was
published.

> How are 3rd party
> databases checked?
>

They are not checked by freshclam (yet). Some 3rdparty update scripts
check them using gpg signatures I think.

Best regards,
--Edwin
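
An added example, not part of the original message and not ClamAV's own code: a small Python wrapper that parses `sigtool --info` output like the two listings in the message above and fails closed unless the explicit `Verification OK.` line is present. The function names and the two sample strings (with the hash and signature replaced by placeholders) are constructed for illustration.

```python
import re
import subprocess

# "Key: value" lines as printed by `sigtool --info` in the message above.
FIELD_RE = re.compile(r"^([A-Za-z0-9 -]+):\s*(.*)$")
OK_LINE = "Verification OK."

def parse_sigtool_info(text):
    """Return (fields, verified). verified is True only when the explicit
    OK line is present and no ERROR line appears (fail closed)."""
    fields, saw_ok, saw_error = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == OK_LINE:
            saw_ok = True
        elif line.startswith("ERROR:"):
            saw_error = True
            fields["error"] = line[len("ERROR:"):].strip()
        else:
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields, saw_ok and not saw_error

def check_database(path, sigtool="sigtool"):
    """Run `sigtool --info PATH` and parse stdout and stderr together.
    Assumes sigtool is on PATH; pass the full path otherwise."""
    proc = subprocess.run([sigtool, "--info", path],
                          capture_output=True, text=True)
    return parse_sigtool_info(proc.stdout + "\n" + proc.stderr)

# Constructed samples modelled on the output in the message; the MD5 and
# signature values are placeholders, not real data.
HEADER = """File: daily.cvd
Build time: 14 Feb 2010 20:31 -0500
Version: 10392
Signatures: 168531
Functionality level: 44
Builder: acab
MD5: <md5-placeholder>
Digital signature: <signature-placeholder>
"""
GOOD_SAMPLE = HEADER + "Verification OK.\n"
TAMPERED_SAMPLE = HEADER + ("ERROR: cvdinfo: Verification: "
                            "Can't verify database integrity\n")

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        fields, verified = parse_sigtool_info(sample)
        print(name, fields.get("Version"), "verified" if verified else "REJECT")
```

Output that is truncated before the verdict line is also treated as unverified, so a crashed or interrupted sigtool run never counts as a pass.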