search cancel

Protection Engine Secure ICAP TLS Handshake Error: ssl3_get_record:wrong version number


Article ID: 214296


Updated On:


Protection Engine for NAS Protection Engine for Cloud Services


You have Symantec Protection Engine (SPE) configured for Secure ICAP and see the following error in the logs:

Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number


SPE 8.2
Secure ICAP


Protection Engine received a request that was not using TLS when configured to use Secure ICAP. This can happen if you enable Secure ICAP but do not configure your connector/client to connect via TLS/SSL before sending an ICAP request.


Check SPE configuration to confirm that basic ICAP is set to port 1344 and secure ICAP is set to port 11344.

Ensure all clients/connectors are configured to connect via TLS/SSL before sending an ICAP request.

Example: ssecls.exe -secure true -verifycert false -server "C:\Program Files\Symantec\Scan Engine\cmdLineScanner\C\ssecls.exe"

For more information on ssecls see documentation


Protection Engine Development have released a patched version of ssecls for Linux to fix a known issue that can also cause this error. Please see attached file ""

Here are the steps to rename the current ssecls and replace it with this file:

  1. mv /opt/SYMCScan/ssecls/C/ssecls /opt/SYMCScan/ssecls/C/ssecls-old
  2. unzip
  3. cd ssecls-5.4.0-8.2.2_1665783251910/
  4. mv ssecls /opt/SYMCScan/ssecls/C/ssecls
  5. cd /opt/SYMCScan/ssecls/C/
  6. chmod +x ssecls

Then please run the new ssecls with the same command.

Additional Information

Please also see the following.

Attachments get_app