search cancel

Symantec Endpoint Security Installation Fails with an Error Related to Encryption Weakness

book

Article ID: 242066

calendar_today

Updated On:

Products

Endpoint Security Complete

Issue/Introduction

SES installation is failing on RHEL 8 due to the repository certificate being too weak.

Configuring Repo (linux-repo.us.securitycloud.symantec.com) .. YUM Repo communication error: /===============================================================================================================================================================================================================================================\ | Updating Subscription Management repositories. | | Symantec Agent for Linux repository 0.0 B/s | 0 B 00:00 | | Errors during downloading metadata for repository 'SDCSS': | | - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://linux-repo.us.securitycloud.symantec.com/SAL/1.0/rhel8/x86_64/repodata/repomd.xml [SSL certificate problem: EE certificate key too weak]

After running the following commands to test the linux repo and spoc connection, you see that the box seems to connect with the Symantec backend just fine, but when you try the installation, it fails with the above error.

curl -v https://linux-repo.us.securitycloud.symantec.com

openssl s_client -tls1_2 -showcerts -tlsextdebug -connect us.spoc.securitycloud.symantec.com:443

Environment

Release : SES 14.3 RU4

Component : SES installation.

OS: RHEL 8+.

Cause

The encryption mismatch between the TLS certificate bit length and the crypto policies on the box causes a failure to properly connect to Symantec's Linux repository servers.

Resolution

When you consult with Red Hat Linux documentation, you see that changing the crypto policies to FUTURE requires that you use TLS certificates with a bit length greater than 3071.

https://access.redhat.com/articles/3642912

DEFAULT remains the suitable option for contemporary, day to day business needs because 2048 bit key lengths represent the modern standard. Change your policy settings to DEFAULT and reference RSA and NIST documentation for further information and updates.

Additional Information

NIST and RSA prescribe the use of 2048 key bit lengths.

Please refer to the following document for more:

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt3r1.pdf

Attachments