search cancel

Protection Engine Secure ICAP TLS Handshake Error: ssl3_get_record:wrong version number

book

Article ID: 214296

calendar_today

Updated On:

Products

Protection Engine for NAS Protection Engine for Cloud Services

Issue/Introduction

You have Symantec Protection Engine (SPE) configured for Secure ICAP and see the following error in the logs:

Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Environment

SPE 8.2
Secure ICAP

Cause

Protection Engine received a request that was not using TLS when configured to use Secure ICAP. This can happen if you enable Secure ICAP but do not configure your connector/client to connect via TLS/SSL before sending an ICAP request.

Resolution

Check SPE configuration to confirm that basic ICAP is set to port 1344 and secure ICAP is set to port 11344.

Ensure all clients/connectors are configured to connect via TLS/SSL before sending an ICAP request.

Example: ssecls.exe -secure true -verifycert false -server 127.0.0.1:11344:0:true "C:\Program Files\Symantec\Scan Engine\cmdLineScanner\C\ssecls.exe"

For more information on ssecls see documentation

 

Protection Engine Development have released a patched version of ssecls for Linux to fix a known issue that can also cause this error. Please see attached file "ssecls-5.4.0-8.2.2_1665783251910.zip"

Here are the steps to rename the current ssecls and replace it with this file:

  1. mv /opt/SYMCScan/ssecls/C/ssecls /opt/SYMCScan/ssecls/C/ssecls-old
  2. unzip ssecls-5.4.0-8.2.2_1665783251910.zip
  3. cd ssecls-5.4.0-8.2.2_1665783251910/
  4. mv ssecls /opt/SYMCScan/ssecls/C/ssecls
  5. cd /opt/SYMCScan/ssecls/C/
  6. chmod +x ssecls

Then please run the new ssecls with the same command.

Additional Information

Please also see the following.

https://knowledge.broadcom.com/external/article/201321/error-unknown-error-in-execution-unable.html

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/8-2/SSECLS_Demonstration_Tool_11/supported-command-line-options-for-c-based-command-v128510239-d4995e25540.html

Attachments

ssecls-5.4.0-8.2.2_1665783251910.zip get_app