[Pkg-clamav-devel] Bug#951057: clamav-freshclam: allow overriding of CA store

Adam D. Barratt adam at adam-barratt.org.uk
Mon Feb 17 20:48:14 GMT 2020


On Mon, 2020-02-17 at 00:00 +0100, Sebastian Andrzej Siewior wrote:
> On 2020-02-10 13:50:00 [+0000], Adam D. Barratt wrote:
> > With 0.102, Freshclam started using libcurl for database downloads,
> > but appears to provide no way to configure which certificates
> > should be trusted.
> 
> I just learned about the https part.

We discovered it after monitoring started complaining that the
signature databases weren't being updated.

> > but this isn't ideal. A configuration option to allow specifying an
> > alternative bundle / root, or even respecting CURL_CA_BUNDLE, would
> > be much appreciated.
> [...]
> I was going to submit a pu for 102.2 which migrated to testing a few
> days ago and then this showed up. At [0] I prepared a deb9u1 based
> package of 102.2 with a patch [1] on top of it which should do just
> what you asked for (just set the environment variable CURL_CA_BUNDLE
> before invoking freshclam and all should be good).

Thanks!

I've built stretch packages based on your source package, and buster
packages using the buster branch on salsa with the new patch added, and
both seem to be performing well. I look forward to being able to
install the packages from the archive proper. :-)

For the record, d.o's systemd override for freshclam is now:

# /etc/systemd/system/clamav-freshclam.service.d/override.conf
[Service]
Environment=CURL_CA_BUNDLE=/etc/ssl/ca-global/ca-certificates.crt

Regards,

Adam
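
A check for the override quoted above, as an added example that is not part of the original message or of the Debian packaging: it reads the CURL_CA_BUNDLE value from a drop-in and confirms the bundle is readable and contains at least one PEM certificate. The function names, return codes and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a systemd drop-in that sets CURL_CA_BUNDLE.

# Print the CURL_CA_BUNDLE value from Environment= lines in a drop-in.
# The last assignment wins; only the unquoted one-variable form is handled.
ca_bundle_from_dropin() {
    sed -n 's/^Environment=CURL_CA_BUNDLE=\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1
}

# Print the number of PEM certificate markers in a bundle file.
# This counts markers only; it does not parse or validate the certificates.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 = usable, 2 = variable not set, 3 = bundle unreadable, 4 = no certs.
# Readability is tested as the calling user, not as the service user.
check_dropin() {
    bundle=$(ca_bundle_from_dropin "$1")
    [ -n "$bundle" ] || { echo "no CURL_CA_BUNDLE in $1" >&2; return 2; }
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 3; }
    n=$(count_pem_certs "$bundle")
    [ "$n" -gt 0 ] || { echo "$bundle holds no certificates" >&2; return 4; }
    echo "$bundle: $n certificate(s)"
}

# Constructed sample: a drop-in and a placeholder bundle in a temp directory.
make_sample() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
        '-----END CERTIFICATE-----' > "$dir/ca.crt"
    printf '[Service]\nEnvironment=CURL_CA_BUNDLE=%s\n' "$dir/ca.crt" \
        > "$dir/override.conf"
    echo "$dir"
}

sample=$(make_sample)
check_dropin "$sample/override.conf"
rm -rf "$sample"
```

On a live host, `systemctl show -p Environment clamav-freshclam.service` shows the environment the unit actually receives after the drop-in is loaded.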


