You have Symantec Protection Engine (SPE) configured for Secure ICAP and see the following error in the logs:

Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

SPE 8.2
Secure ICAP

Protection Engine received a request that was not using TLS when configured to use Secure ICAP. This can happen if you enable Secure ICAP but do not configure your connector/client to connect via TLS/SSL before sending an ICAP request.

Check SPE configuration to confirm that basic ICAP is set to port 1344 and secure ICAP is set to port 11344.

Ensure all clients/connectors are configured to connect via TLS/SSL before sending an ICAP request.

Example: ssecls.exe -secure true -verifycert false -server 127.0.0.1:11344:0:true "C:\Program Files\Symantec\Scan Engine\cmdLineScanner\C\ssecls.exe"

For more information on ssecls see documentation

Protection Engine Development have released a patched version of ssecls for Linux to fix a known issue that can also cause this error. Please see attached file "ssecls-5.4.0-8.2.2_1665783251910.zip"

Here are the steps to rename the current ssecls and replace it with this file:

1. mv /opt/SYMCScan/ssecls/C/ssecls /opt/SYMCScan/ssecls/C/ssecls-old

2. unzip ssecls-5.4.0-8.2.2_1665783251910.zip

3. cd ssecls-5.4.0-8.2.2_1665783251910/

4. mv ssecls /opt/SYMCScan/ssecls/C/ssecls

5. cd /opt/SYMCScan/ssecls/C/

6. chmod +x ssecls

Then please run the new ssecls with the same command.

Please also see the following.

https://knowledge.broadcom.com/external/article/201321/error-unknown-error-in-execution-unable.html

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/8-2/SSECLS_Demonstration_Tool_11/supported-command-line-options-for-c-based-command-v128510239-d4995e25540.html