Protection Engine error messages Failed to complete TLS/SSL handshake initiated by TLS/SSL client

Article ID: 214296

Products

  • Protection Engine for NAS
  • Protection Engine for Cloud Services

Issue/Introduction

You have Symantec Protection Engine (SPE) configured for Secure ICAP and see one or more of the following errors in the SSE logs, found in:

  • Linux: /opt/SYMCscan/log
  • Windows: C:\Program Files\Symantec\Scan Engine\log\

Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F09C:SSL routines:ssl3_get_record:http request
Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol
Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Environment

  • Symantec Protection Engine 9.0 and newer

Cause

Typically these errors are the result of plain text traffic being sent to SPE when it is expecting encrypted traffic, or of the SPE ICAP server and the client sending the traffic being unable to agree on a common protocol version or cipher suite. This can also happen if you enable Secure ICAP but do not configure your connector/client to establish a TLS/SSL connection before sending an ICAP request.

Port or vulnerability scanners can also cause these errors. If several different types of these error messages occur within a few minutes of each other, a vulnerability scanner is the likely source.

Resolution

Plain text traffic received when encrypted is expected by SPE.

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F09C:SSL routines:ssl3_get_record:http request
  • Cause: Plain text traffic received when encrypted is expected by SPE.

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
  • Cause: Plain text ICAP traffic was received on a Secure ICAP port.


Client/Server unable to agree on a Protocol.

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
  • Cause: Typically the client is offering an older TLS version that SPE is not configured to accept.

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
  • Cause: Client sending request to SPE is using a protocol version SPE doesn't support.

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol
  • Cause: The client sent a protocol that SPE does not recognize as valid. This can also be caused by malformed packets/traffic.

These errors result from the client (the application sending requests to SPE) and the server (SPE) being unable to agree on a protocol version to communicate with. Ensure the two systems share at least one common protocol version. Malformed packets can also produce these errors.


Client/Server unable to agree on a Cipher Suite.

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
  • Cause: The client provided a list of cipher suites it can use, but SPE is not configured to use any of those cipher suites.

Related article: Unable to connect to Protection Engine using the Java SDK via secure ICAP
https://knowledge.broadcom.com/external/article/368976/unable-to-connect-to-protection-engine-u.html

  • Log Entry: Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher
  • Cause: The client provided a list of cipher suites it can use, but SPE is not configured to use any of those cipher suites.

These errors result from the client (the application sending requests to SPE) and the server (SPE) being unable to agree on a cipher suite to communicate with. Ensure the two systems share at least one common cipher suite. The cipher list SPE accepts is shown in configuration.xml.
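The following script is an added example, not part of this article or of the SPE product. It triages a batch of SSE log lines the way the Cause and Resolution sections above describe: it extracts the OpenSSL error code and reason from each handshake-failure entry, groups the entries into the three causes (plain text on a Secure ICAP port, protocol mismatch, cipher mismatch), and flags the "several different error types within a few minutes" pattern that the Cause section attributes to a vulnerability scanner. The sample log lines, their timestamp prefix, the five-minute window and the threshold of three distinct reasons are all constructed assumptions for the example; the real SSE log layout may differ, so adjust parse_line to match your files.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the OpenSSL error string at the end of the SPE log entry:
#   error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)\s*$"
)

# OpenSSL reason text -> likely cause, following the article's grouping.
CATEGORIES = {
    "http request": "plaintext-on-tls-port",
    "wrong version number": "plaintext-on-tls-port",
    "version too low": "protocol-mismatch",
    "unsupported protocol": "protocol-mismatch",
    "unknown protocol": "protocol-mismatch",
    "no shared cipher": "cipher-mismatch",
}

# Constructed sample log (the "YYYY-MM-DD HH:MM:SS" prefix is an assumption for this example).
SAMPLE_LOG = [
    "2024-05-01 10:00:01 Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
    "2024-05-01 10:00:03 Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F09C:SSL routines:ssl3_get_record:http request",
    "2024-05-01 10:00:09 Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low",
    "2024-05-01 10:01:10 Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher",
    "2024-05-01 10:02:00 Some unrelated log line",
    "2024-05-01 14:30:00 Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number",
]


def parse_line(line):
    """Return (timestamp, code, reason, category) for a handshake-failure line, else None."""
    if "Failed to complete TLS/SSL handshake" not in line:
        return None
    m = OPENSSL_ERR.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    reason = m.group("reason").strip()
    return ts, m.group("code").upper(), reason, CATEGORIES.get(reason, "unknown")


def triage(lines, window=timedelta(minutes=5), distinct_threshold=3):
    """Summarise handshake failures and flag scanner-like bursts of distinct error types."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    counts = Counter(e[3] for e in events)
    scanner_suspected = False
    # Slide a window over the events; many distinct reasons close together
    # is the pattern the article associates with a vulnerability scanner.
    for i, (start, _, _, _) in enumerate(events):
        reasons = {e[2] for e in events[i:] if e[0] - start <= window}
        if len(reasons) >= distinct_threshold:
            scanner_suspected = True
            break
    return {"events": len(events), "counts": dict(counts), "scanner_suspected": scanner_suspected}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:24s} {n}")
    print("scanner suspected:", result["scanner_suspected"])
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the SSE log file; a high plaintext-on-tls-port count points at a client that is not negotiating TLS before its ICAP request, while a burst flagged as scanner activity is worth correlating with the source addresses in a packet capture before changing any SPE configuration.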


Additional Troubleshooting

  • A packet capture taken while the issue is being reproduced can be useful in identifying the source or cause of the issue.
  • Check the SPE configuration to confirm that basic ICAP is set to port 1344 and Secure ICAP is set to port 11344.
  • Ensure all clients/connectors are configured to establish a TLS/SSL connection before sending an ICAP request.
    • Example: ssecls.exe -secure true -verifycert false -server 127.0.0.1:11344:0:true "C:\Program Files\Symantec\Scan Engine\cmdLineScanner\C\ssecls.exe"

Additional Information

"ERROR: Unknown error in execution : Unable to send data to the server." while testing secure ICAP with Java version of ssecls