Allow to use client authentication with certificate in freshclam#955
Merged
val-ms merged 2 commits intoCisco-Talos:mainfrom Aug 4, 2023
Merged
Conversation
jedrzejj
force-pushed
the
feature/freshclam-client-cert-authentication
branch
from
08ae1bc to
13e3b23
Compare
val-ms
force-pushed
the
feature/freshclam-client-cert-authentication
branch
from
13e3b23 to
ca335f9
Compare
Contributor
|
Apologies for the delay in reviewing this. This change look very straightforward. Some issues that I've taken on with the commit I just pushed:
I believe this works, and could be tested like so, if your FRESHCLAM_CLIENT_CERT="/home/micah/client_certificate.pem" FRESHCLAM_CLIENT_KEY="/home/micah/client_private_key.pem" FRESHCLAM_CLIENT_KEY_PASSWD="testtest" ./install/bin/freshclamWindows powershell: $env:FRESHCLAM_CLIENT_CERT="C:\Users\micah\.ssh\client_certificate.pem" & $env:FRESHCLAM_CLIENT_KEY="C:\Users\micah\.ssh\client_private_key.pem" & .\install\freshclam.exeI don't have such a server and am uncertain how to quickly set one up. |
Also: - Rename to use FRESHCLAM_CLIENT_CERT, FRESHCLAM_CLIENT_KEY instead prefixing with "CURL_". Unlike CURL_CA_BUNDLE, these variable names are not used by the `curl` program and so do not piggyback on that existing functionality. - Add FRESHCLAM_CLIENT_KEY_PASSWD environment variable to support password protected private key PEM files, as described in: https://curl.se/libcurl/c/CURLOPT_SSLCERT.html - Document the new environment variable options in the manpage and in the `freshclam --help` message. Also add missing documentation in the freshclam and clamsubmit help-messages for CURL_CA_BUNDLE. - Update the NEWS.md file to credit jedrzej for the new feature.
val-ms
force-pushed
the
feature/freshclam-client-cert-authentication
branch
from
5413c54 to
3f3382b
Compare
val-ms
approved these changes
Aug 4, 2023
Contributor
val-ms
left a comment
val-ms
left a comment
There was a problem hiding this comment.
Had a bit of a hiccup this morning with our Jenkins. It's fixed now and this ran through okay, not that I expected any differently. Perhaps we could set up a test some time that makes use of this feature, but in the meantime I'm going to trust that it works okay base don the limited testing I did, and happy that it isn't causing any problems.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds the possibility to define certificate and private key for client authentication in freshclam when using private repo. Certificate and key paths are read from environment variables and passed on to libcurl, similarly to the CA bundle.