On 2020-02-10 13:50:00 [+0000], Adam D. Barratt wrote:
> With 0.102, Freshclam started using libcurl for database downloads, but
> appears to provide no way to configure which certificates should be trusted.

I just learned about the https part.

…
> but this isn't ideal. A configuration option to allow specifying an
> alternative bundle / root, or even respecting CURL_CA_BUNDLE, would be much
> appreciated.

I've been plumbing a variable from the config file up to the needed part at the other end of the source code and I got bored in the middle of it. This would also require a .so bump of libfreshclam, but since the header files are never exported as part of any -dev package I think we could get around it (but you get the idea of the change).
And then you said that respecting CURL_CA_BUNDLE would do the job for you, and this would make the change much easier.

I was going to submit a pu for 102.2, which migrated to testing a few days ago, and then this showed up. At [0] I prepared a deb9u1 based package of 102.2 with a patch [1] on top of it which should do just what you asked for (just set the environment variable CURL_CA_BUNDLE before invoking freshclam and all should be good).
In my testing I've set CURL_CA_BUNDLE to /bin/bash and freshclam didn't work, so I think it will work if you set it properly :)
I didn't look at the daemon mode…

The tar archive contains a source package and an amd64 binary one. If you could test it and confirm that it works for you, that would be great.

[0] https://breakpoint.cc/clamav_0.102.2+dfsg-0~deb9u1.tar
[1] https://salsa.debian.org/clamav-team/clamav/blob/unstable/debian/patches/clamsubmit-libfreshclam-Use-CURL_CA_BUNDLE.patch

> Regards,
>
> Adam

Sebastian