Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Wed, Mar 12, 2014 at 4:48 PM, Paul Kosinski wrote:

> I'm not worried about dependency on external libraries per se. I just
> want to know *why*? With libz and libz2, it's pretty obvious, with
> SSL, it's not clear.
>
> Decrypting encrypted data while scanning would need the key. Is the
> idea to crack open encrypted malware which comes with its own key?
> That would be great. Is the idea to do Man-in-the-Middle AV in an
> enterprise environment? Unethical if done without notification.
> Somehow locking up ClamAV usage ("Tivoing"). Not very nice.

Hey Paul,

We're currently only using the hashing functionality in OpenSSL, nothing else. Additionally, planned work in Freshclam will depend on OpenSSL.

Thanks,

Shawn

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
I'm not worried about dependency on external libraries per se. I just want to know *why*? With libz and libz2, it's pretty obvious, with SSL, it's not clear.

Decrypting encrypted data while scanning would need the key. Is the idea to crack open encrypted malware which comes with its own key? That would be great. Is the idea to do Man-in-the-Middle AV in an enterprise environment? Unethical if done without notification. Somehow locking up ClamAV usage ("Tivoing"). Not very nice.

> Message: 2
> Date: Wed, 12 Mar 2014 12:17:28 +0100
> From: Andreas Schulze
> To: ClamAV users ML
> Subject: Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
> Message-ID: <53204248.3050...@datev.de>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 03.03.2014 08:38, Paul Kosinski wrote:
> > There are only a few reasons I can imagine that SSL (OpenSSL)
> > would be a *required* addition to ClamAV:
>
> Hello,
>
> I think that's the key question. *Which* problem should SSL solve.
> Focus on the problem, not one possible solution ...
>
> Btw.
> my clamav binary and libraries depend on libz and libbz2 and I never
> worry about that...
>
> Andreas
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On 03.03.2014 08:38, Paul Kosinski wrote:

> There are only a few reasons I can imagine that SSL (OpenSSL)
> would be a *required* addition to ClamAV:

Hello,

I think that's the key question. *Which* problem should SSL solve. Focus on the problem, not one possible solution ...

Btw.
my clamav binary and libraries depend on libz and libbz2 and I never worry about that...

Andreas
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Fri, 28 Feb 2014 12:00:00 -0500 clamav-users-requ...@lists.clamav.net wrote:

There are only a few reasons I can imagine that SSL (OpenSSL) would be a *required* addition to ClamAV:

1. A "better" way of signing signature downloads than whatever is currently done (not sure what that is, if anything).
2. A mechanism to secure the CLAMD port to restrict LAN access (pretty far-fetched).
3. A mechanism to encrypt signature downloads so that you have to pay if you want the latest and greatest (like for Snort).
4. A mechanism to encrypt signatures to keep them pretty much secret from the users of ClamAV.

I would be quite disappointed if ClamAV turned its back on the spirit of GPL software by charging for signature data (#3 above, like Snort has done).

I would find it quite unacceptable if ClamAV signatures could no longer even be examined to see what they detect (#4 above), as this would mean that ClamAV had effectively become Closed Source.

> Message: 5
> Date: Thu, 27 Feb 2014 15:55:55 -0800
> From: Dennis Peterson
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] clamav-users Digest, Vol 113, Issue 18
> Message-ID: <530fd08b.6010...@inetnw.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 2/27/14, 3:43:08PM, Paul Kosinski wrote:
> > The blog post concerning OpenSSL being required for ClamAV only
> > has one reason as to why it might *benefit* ClamAV, the other
> > reasons are why OpenSSL *itself* is good.
> >
> > That single reason is:
> >
> >     "We will be able to provide a better freshclam experience in a
> >     future release."
> >
> > What exactly does this mean? (The phrase "freshclam experience" is
> > marketing speak, not a technical explanation.)
> >
> > Since adding complexity to a system tends to increase bugs and
> > decrease security, I am leery of seeing ClamAV become even more
> > complicated than it already has become.
> >
> > Paul
>
> I took it to mean there is a cloud on the horizon like they have
> for Snort.
>
> http://www.snort.org/snort-rules/
>
> Instead of Oinkcode you get gastrocode.
>
> dp
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
I need to correct myself on this. The version of OpenSSL that Apple includes in the current OS X is 0.9.8y 5 Feb 2013. I now see that the previously reported version was added by me from MacPorts.

-Al-

On Feb 28, 2014, at 2:56 AM, Al Varnell wrote:

> On Wed, Feb 26, 2014 at 08:08 AM, Joel Esler (jesler) wrote:
> > On Friday last week I put a blog post up about introducing OpenSSL into the
> > ClamAV ecosystem. I wanted to make sure everyone saw it, so please have a
> > look at the blog post here:
> >
> > http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
>
> Just thought I'd throw this out from the OS X world.
>
> OpenSSL was officially deprecated by Apple with OS X 10.7 in favor of Common
> Crypto and Security Transforms (and you probably all know what that did for
> them this weekend). OpenSSL v1.0.1f is still included in the library so I
> don't anticipate any immediate issues for developers or users, but we'll have
> to wait for a ClamAV® developer release to be certain and there's no telling
> how long Apple will continue to include it. After that I'm sure there will
> be ports available that can be adapted.
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Feb 28, 2014, at 7:34 AM, Shawn Webb wrote:

> On Fri, Feb 28, 2014 at 10:27 AM, Mark Allan wrote:
>
> > As this is the first time ClamAV has had an external dependency, would it be
> > worth making it an opt-out configure option for people who can't get it to
> > compile or who have to rely on an older/incompatible version of OpenSSL?
> >
> > Mark
>
> Hey Mark,
>
> I explored that option, but I found attempting to support both to be too
> "cludgy". We would need to maintain two separate code paths, brought together
> with a shim. There would be a noticeable performance impact along with added
> complexity. I settled on outright replacing our current hashing functions with
> OpenSSL's in order to keep ClamAV's engine's performance top-notch and keep
> complexity at a minimum.

In addition here Mark, we’re going to be using OpenSSL in future features we have planned for ClamAV, so this is the best option.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Fri, Feb 28, 2014 at 10:27 AM, Mark Allan wrote:

> As this is the first time ClamAV has had an external dependency, would it be
> worth making it an opt-out configure option for people who can't get it to
> compile or who have to rely on an older/incompatible version of OpenSSL?
>
> Mark

Hey Mark,

I explored that option, but I found attempting to support both to be too "cludgy". We would need to maintain two separate code paths, brought together with a shim. There would be a noticeable performance impact along with added complexity. I settled on outright replacing our current hashing functions with OpenSSL's in order to keep ClamAV's engine's performance top-notch and keep complexity at a minimum.

Thanks,

Shawn
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
As this is the first time ClamAV has had an external dependency, would it be worth making it an opt-out configure option for people who can't get it to compile or who have to rely on an older/incompatible version of OpenSSL?

Mark
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Fri, Feb 28, 2014 at 8:59 AM, Richard Conto wrote:

> Can the OpenSSL dependency be abstracted so that GNU TLS could be a
> replacement as well? (Frankly, I'm speaking out of a bit of ignorance here
> as I don't know how incompatible GNU TLS is with OpenSSL at the API layer.)

With the exception of a few places in ClamAV's code, I wrapped most of the functions with abstractions. So yes, it'd be possible to replace our OpenSSL Integration work with GNU TLS integration, but it still would be a sizeable task.

Thanks,

Shawn
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Thu, Feb 27, 2014 at 5:56 PM, Lawrence K. Chen, P.Eng. wrote:

> On 02/27/14 02:34, Steve Basford wrote:
> >
> > > OpenSSL will be required to both compile and run ClamAV.
> >
> > Out of interest what Cipher:
> >
> > http://zombe.es/post/4078724716/openssl-cipher-selection
> >
> > http://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an
> >
> > Cheers,
> >
> > Steve
> > Sanesecurity
>
> So, will it build/run with openssl 0.9.8* or require openssl 1.0.*
>
> We only have openssl 0.9.8* in our environment (with some ancient boxes
> using 0.9.7*)
>
> Currently, the latest available is 0.9.8y, since I have DNS only VMs
> where I don't have to worry about the newer version causing problems for
> other automated (through CFEngine) sun package installs.
>
> And, my clamav instances are also dedicated VMs (well, semi...but
> hopefully there won't be a problem with having older 0.9.8 openssl
> 32-bit libraries with the latest 0.9.8 64-bit libraries :)

I confirmed this morning that using 0.9.8 and later is fine. I haven't tested with 0.9.7.

Thanks,

Shawn
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
Can the OpenSSL dependency be abstracted so that GNU TLS could be a replacement as well? (Frankly, I'm speaking out of a bit of ignorance here as I don't know how incompatible GNU TLS is with OpenSSL at the API layer.)

---
Richard Conto
DNA Sequencing Core Biomedical Research Core Facilities Medical School Administration Office of Research
NCRC Bldg 14 room 168 -- (734) 764-7620

On Fri, Feb 28, 2014 at 5:56 AM, Al Varnell wrote:

> On Wed, Feb 26, 2014 at 08:08 AM, Joel Esler (jesler) wrote:
> > On Friday last week I put a blog post up about introducing OpenSSL into
> > the ClamAV ecosystem. I wanted to make sure everyone saw it, so please
> > have a look at the blog post here:
> >
> > http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
>
> Just thought I'd throw this out from the OS X world.
>
> OpenSSL was officially deprecated by Apple with OS X 10.7 in favor of
> Common Crypto and Security Transforms (and you probably all know what that
> did for them this weekend). OpenSSL v1.0.1f is still included in the
> library so I don't anticipate any immediate issues for developers or users,
> but we'll have to wait for a ClamAV® developer release to be certain and
> there's no telling how long Apple will continue to include it. After that
> I'm sure there will be ports available that can be adapted.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Wed, Feb 26, 2014 at 08:08 AM, Joel Esler (jesler) wrote:

> On Friday last week I put a blog post up about introducing OpenSSL into the
> ClamAV ecosystem. I wanted to make sure everyone saw it, so please have a
> look at the blog post here:
>
> http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html

Just thought I'd throw this out from the OS X world.

OpenSSL was officially deprecated by Apple with OS X 10.7 in favor of Common Crypto and Security Transforms (and you probably all know what that did for them this weekend). OpenSSL v1.0.1f is still included in the library so I don't anticipate any immediate issues for developers or users, but we'll have to wait for a ClamAV® developer release to be certain and there's no telling how long Apple will continue to include it. After that I'm sure there will be ports available that can be adapted.

-Al-
--
Al Varnell
Mountain View, CA
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Thu, Feb 27, 2014 at 5:56 PM, Lawrence K. Chen, P.Eng. wrote:

> On 02/27/14 02:34, Steve Basford wrote:
> >
> > > OpenSSL will be required to both compile and run ClamAV.
> >
> > Out of interest what Cipher:
> >
> > http://zombe.es/post/4078724716/openssl-cipher-selection
> >
> > http://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an
> >
> > Cheers,
> >
> > Steve
> > Sanesecurity
>
> So, will it build/run with openssl 0.9.8* or require openssl 1.0.*
>
> We only have openssl 0.9.8* in our environment (with some ancient boxes
> using 0.9.7*)
>
> Currently, the latest available is 0.9.8y, since I have DNS only VMs
> where I don't have to worry about the newer version causing problems for
> other automated (through CFEngine) sun package installs.
>
> And, my clamav instances are also dedicated VMs (well, semi...but
> hopefully there won't be a problem with having older 0.9.8 openssl
> 32-bit libraries with the latest 0.9.8 64-bit libraries :)

Great question. I will have a solid answer for you tomorrow.

Thanks,

Shawn
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On 02/27/14 02:34, Steve Basford wrote:

> > OpenSSL will be required to both compile and run ClamAV.
>
> Out of interest what Cipher:
>
> http://zombe.es/post/4078724716/openssl-cipher-selection
>
> http://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an
>
> Cheers,
>
> Steve
> Sanesecurity

So, will it build/run with openssl 0.9.8* or require openssl 1.0.*

We only have openssl 0.9.8* in our environment (with some ancient boxes using 0.9.7*)

Currently, the latest available is 0.9.8y, since I have DNS only VMs where I don't have to worry about the newer version causing problems for other automated (through CFEngine) sun package installs.

And, my clamav instances are also dedicated VMs (well, semi...but hopefully there won't be a problem with having older 0.9.8 openssl 32-bit libraries with the latest 0.9.8 64-bit libraries :)

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
> OpenSSL will be required to both compile and run ClamAV.

Out of interest what Cipher:

http://zombe.es/post/4078724716/openssl-cipher-selection

http://security.stackexchange.com/questions/35036/different-performance-of-openssl-speed-on-the-same-hardware-with-aes-256-evp-an

Cheers,

Steve
Sanesecurity
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
Jim Rimedio died on Feb. 25, 2014 so no longer will be participating.

His wife

On Wed, Feb 26, 2014 at 3:35 PM, Dennis Peterson wrote:

> On 2/26/14, 12:32 PM, Shawn Webb wrote:
>
>> On Wed, Feb 26, 2014 at 1:01 PM, Dennis Peterson wrote:
>>
>>> On 2/26/14, 8:08 AM, Joel Esler (jesler) wrote:
>>>
>>>> On Friday last week I put a blog post up about introducing OpenSSL into
>>>> the ClamAV ecosystem. I wanted to make sure everyone saw it, so please
>>>> have a look at the blog post here:
>>>>
>>>> http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
>>>>
>>>> --
>>>> Joel Esler | Threat Intelligence Team Lead | Open Source Manager |
>>>> Vulnerability Research Team
>>>
>>> Is this an openssl library requirement for run-time or a full openssl
>>> development requirement (surely yes if we wish to build it, of course)?
>>>
>>> dp
>>
>> Hey Dennis,
>>
>> OpenSSL will be required to both compile and run ClamAV.
>>
>> Thanks,
>>
>> Shawn
>
> It has an incremental install, so the question is is the full binary set
> required on the mail server? Normally I would not include dev tools on a
> mail appliance.
>
> dp

--
Jim Rimedio
jrime...@gmail.com
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On 2/26/14, 12:32 PM, Shawn Webb wrote:

> On Wed, Feb 26, 2014 at 1:01 PM, Dennis Peterson wrote:
>
> > On 2/26/14, 8:08 AM, Joel Esler (jesler) wrote:
> >
> > > On Friday last week I put a blog post up about introducing OpenSSL into
> > > the ClamAV ecosystem. I wanted to make sure everyone saw it, so please
> > > have a look at the blog post here:
> > >
> > > http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
> > >
> > > --
> > > Joel Esler | Threat Intelligence Team Lead | Open Source Manager |
> > > Vulnerability Research Team
> >
> > Is this an openssl library requirement for run-time or a full openssl
> > development requirement (surely yes if we wish to build it, of course)?
> >
> > dp
>
> Hey Dennis,
>
> OpenSSL will be required to both compile and run ClamAV.
>
> Thanks,
>
> Shawn

It has an incremental install, so the question is is the full binary set required on the mail server? Normally I would not include dev tools on a mail appliance.

dp
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Wed, Feb 26, 2014 at 1:01 PM, Dennis Peterson wrote:

> On 2/26/14, 8:08 AM, Joel Esler (jesler) wrote:
>
> > On Friday last week I put a blog post up about introducing OpenSSL into
> > the ClamAV ecosystem. I wanted to make sure everyone saw it, so please
> > have a look at the blog post here:
> >
> > http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
> >
> > --
> > Joel Esler | Threat Intelligence Team Lead | Open Source Manager |
> > Vulnerability Research Team
>
> Is this an openssl library requirement for run-time or a full openssl
> development requirement (surely yes if we wish to build it, of course)?
>
> dp

Hey Dennis,

OpenSSL will be required to both compile and run ClamAV.

Thanks,

Shawn
Re: [clamav-users] Introducing OpenSSL as a dependency to ClamAV
On 2/26/14, 8:08 AM, Joel Esler (jesler) wrote:

> On Friday last week I put a blog post up about introducing OpenSSL into
> the ClamAV ecosystem. I wanted to make sure everyone saw it, so please
> have a look at the blog post here:
>
> http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
>
> --
> Joel Esler | Threat Intelligence Team Lead | Open Source Manager |
> Vulnerability Research Team

Is this an openssl library requirement for run-time or a full openssl development requirement (surely yes if we wish to build it, of course)?

dp
[clamav-users] Introducing OpenSSL as a dependency to ClamAV
On Friday last week I put a blog post up about introducing OpenSSL into the ClamAV ecosystem. I wanted to make sure everyone saw it, so please have a look at the blog post here:

http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team