"SSL connect error" from at least one clamav signature mirror #1310

Open
scoser opened this issue Jul 12, 2024 · 3 comments


scoser commented Jul 12, 2024

Describe the bug

A few of our clamav instances are running into this error when trying to download signatures from freshclam:

ERROR: Fri Jul 12 14:48:09 2024 -> Download failed (35)
ERROR: Fri Jul 12 14:48:09 2024 -> Message: SSL connect error

How to reproduce the problem

We are using Ubuntu 24.04 containers with freshclam installed alongside Apache to serve as a private signature mirror. However, some of our deployments of this type are running into issues downloading signatures as seen in the error message above. Other deployments are able to successfully download signatures.

We checked the cert from the instances that are having the issue and are getting SSL cert expiration notices when checking the cert:

>>> openssl s_client -connect database.clamav.net:443 -servername clamav.net -showcerts | openssl x509 -text -noout
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 CN = ssl392509.cloudflaressl.com
verify error:num=10:certificate has expired
notAfter=Oct 13 23:59:59 2020 GMT
verify return:1
depth=0 CN = ssl392509.cloudflaressl.com
notAfter=Oct 13 23:59:59 2020 GMT
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e7:28:4e:d7:e1:29:eb:04:df:95:78:6a:e4:cd:8a:d0
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
        Validity
            Not Before: Apr  6 00:00:00 2020 GMT
            Not After : Oct 13 23:59:59 2020 GMT
        Subject: CN = ssl392509.cloudflaressl.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:0c:b2:3d:e1:a0:35:46:7b:0c:30:95:c6:62:17:
                    5d:b1:a0:04:71:27:f5:d7:30:4b:fa:fa:db:ec:5f:
                    20:c3:58:dc:12:cc:b2:62:31:f1:1e:5e:99:8f:dd:
                    43:f4:f9:1a:45:17:e3:a8:88:31:30:bd:f1:be:87:
                    bc:5a:d6:f0:f2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                40:09:61:67:F0:BC:83:71:4F:DE:12:08:2C:6F:D4:D4:2B:76:3D:96
            X509v3 Subject Key Identifier:
                0E:85:B3:45:D0:81:69:D0:98:5D:65:83:49:60:2C:70:4B:49:77:72
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt
                OCSP - URI:http://ocsp.comodoca4.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : Apr  6 18:51:58.024 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:EC:CA:4F:2C:0B:94:72:58:6C:BC:20:
                                45:72:5C:6E:7D:D1:6F:7C:DF:E0:27:6A:75:E9:0B:54:
                                C6:67:B1:0E:12:02:21:00:B2:70:4E:50:7A:F9:49:CA:
                                97:40:21:4B:22:17:B8:F2:EC:58:62:E7:28:7B:AA:E2:
                                E9:B3:68:A1:20:F7:05:56
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : E7:12:F2:B0:37:7E:1A:62:FB:8E:C9:0C:61:84:F1:EA:
                                7B:37:CB:56:1D:11:26:5B:F3:E0:F3:4B:F2:41:54:6E
                    Timestamp : Apr  6 18:51:58.072 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9B:53:00:3B:C3:7F:21:7E:F7:88:6C:
                                63:FD:B3:63:3A:57:CD:E7:34:37:74:6A:67:B1:6A:D9:
                                E3:58:4A:0A:9F:02:21:00:DC:0C:DB:30:27:5D:D9:A3:
                                CE:EB:A2:44:69:26:66:48:5A:5D:F9:8D:C8:84:EC:0B:
                                E1:37:F9:3D:78:C3:16:2D
            X509v3 Subject Alternative Name:
                DNS:ssl392509.cloudflaressl.com
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:70:19:15:5f:c3:a1:ba:50:36:73:d8:40:1d:4b:
        e1:90:99:54:8d:18:d5:17:64:46:93:1d:d9:92:b3:3d:18:1f:
        02:21:00:ee:69:3b:08:e6:b5:5a:31:0b:b5:25:5d:3c:65:63:
        d3:7f:6d:44:24:28:ac:e8:bf:87:02:67:13:29:93:ed:e6

Our freshclam.conf is set up as follows:

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground true
Debug false
MaxAttempts 5
DatabaseDirectory /var/www/html
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates no
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

brebell commented Jul 18, 2024

We haven't seen this error before and the config looks good to me.
We tested with the openssl command to show the certs and it also shows the "certificate has expired" message. I've raised the issue with our Cloudflare account admins.

@clchandan

@brebell any update on this?


brebell commented Aug 13, 2024

Can you try to update to this:
openssl s_client -connect database.clamav.net:443 -servername database.clamav.net -showcerts | openssl x509 -text -noout

That should fix the issue.
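
Added example, not part of the issue thread: a check that reports whether certificate text from `openssl x509 -text -noout` covers the hostname the client meant to reach and whether it is still in date, which separates a certificate selected for the wrong name from an expired mirror certificate. The sample is constructed by trimming the output quoted in the issue; the function names and the simplified wildcard rule are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the fields that matter, trimmed from the
# `openssl x509 -text -noout` output quoted in the issue.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: Apr  6 00:00:00 2020 GMT
            Not After : Oct 13 23:59:59 2020 GMT
        Subject: CN = ssl392509.cloudflaressl.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ssl392509.cloudflaressl.com
"""

def san_names(x509_text):
    """Return the DNS names listed in the Subject Alternative Name extension."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", x509_text)
    if not m:
        return []
    parts = [p.strip() for p in m.group(1).split(",")]
    return [p[4:].lower() for p in parts if p.startswith("DNS:")]

def name_matches(pattern, hostname):
    """Simplified match: a leading '*' covers exactly one left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def not_after(x509_text):
    """Parse the 'Not After' validity field as a UTC datetime."""
    m = re.search(r"Not After\s*:\s*(.+?)\s+GMT", x509_text)
    if not m:
        raise ValueError("no 'Not After' field in certificate text")
    parsed = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def diagnose(x509_text, expected_host, now=None):
    """List the problems with the presented certificate for expected_host."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not any(name_matches(n, expected_host) for n in san_names(x509_text)):
        findings.append("name-mismatch")
    if not_after(x509_text) < now:
        findings.append("expired")
    return findings
```

A `name-mismatch` finding means the server answered with a certificate for a different host than the one freshclam is configured to contact, so the value passed to `-servername` is the first thing to check.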
