Today a Kerio customer reported a problem with Kerio and antivirus updates not being downloaded. These are the error messages he was getting:

[02/Feb/2018 08:43:41] AntivirusModule.cpp: Antivirus Server error(0): Cannot find update location: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Download failed.
[02/Feb/2018 08:43:51] AntivirusModule.cpp: Antivirus Server error(0): Cannot find update location: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Download failed.
[02/Feb/2018 08:43:51] AntivirusModule.cpp: Antivirus update failed: Cannot find update location: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Download failed.
[02/Feb/2018 20:41:51] UpdateChecker.cpp: Update check failed, an error occured.
[02/Feb/2018 20:43:53] AntivirusModule.cpp: Antivirus Server error(0): Cannot find update location: Failed to connect to bdupdate.kerio.com port 443: Connection refused. Download failed.
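
As an added example (not part of the original post), this shell script sorts update errors like the ones above by likely cause: a TLS protocol-version alert points at an outdated TLS stack on the client, while a refused connection fails before TLS even starts. The function names, category labels and verdict strings are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The match strings come from the
# log excerpt above; category and verdict names are invented for this example.

# classify_line LINE: print the likely cause of one update-error line.
classify_line() {
    case "$1" in
        # The server sent a TLS alert: it refused the protocol version offered.
        *"alert protocol version"*) echo tls_protocol ;;
        # The TCP connect failed before any TLS handshake started.
        *"Connection refused"*)     echo conn_refused ;;
        *)                          echo other ;;
    esac
}

# triage_log: read log lines on stdin, print per-cause counts and a verdict.
triage_log() {
    n_tls=0; n_refused=0; n_other=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue          # skip blank lines
        case "$(classify_line "$line")" in
            tls_protocol) n_tls=$((n_tls + 1)) ;;
            conn_refused) n_refused=$((n_refused + 1)) ;;
            *)            n_other=$((n_other + 1)) ;;
        esac
    done
    # TLS alerts take priority: they are the ones a package update can fix.
    if [ "$n_tls" -gt 0 ]; then verdict=update_tls_stack
    elif [ "$n_refused" -gt 0 ]; then verdict=check_connectivity
    else verdict=unknown
    fi
    echo "tls_protocol=$n_tls conn_refused=$n_refused other=$n_other verdict=$verdict"
}

# Sample input: the five log lines quoted in the post.
sample_log() {
    cat <<'EOF'
[02/Feb/2018 08:43:41] AntivirusModule.cpp: Antivirus Server error(0): Cannot find update location: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Download failed.
[02/Feb/2018 08:43:51] AntivirusModule.cpp: Antivirus Server error(0): Cannot find update location: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Download failed.
[02/Feb/2018 08:43:51] AntivirusModule.cpp: Antivirus update failed: Cannot find update location: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Download failed.
[02/Feb/2018 20:41:51] UpdateChecker.cpp: Update check failed, an error occured.
[02/Feb/2018 20:43:53] AntivirusModule.cpp: Antivirus Server error(0): Cannot find update location: Failed to connect to bdupdate.kerio.com port 443: Connection refused. Download failed.
EOF
}

sample_log | triage_log
```

To use it on a real system, pipe the Kerio error log into `triage_log` instead of `sample_log`.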


My first thought was that their server hasn’t been updated lately and its TLS support is not current. They are running CentOS 6.4, which ships older versions of the libraries and needs to be upgraded. You must be running CentOS 6.x; otherwise these upgrades will not work for you, and you are probably running an end-of-life operating system. To list the installed certificate-related packages, run:

rpm --all -q | grep cert

The result will be something like this:

ca-certificates-2010.63-3.el6_1.5.noarch

Yes, they are definitely running without any updates.

You can test by running

curl -v -I https://bdupdate.kerio.com

This will output an error message saying that TLS is not supported.

Next, we need to upgrade to support TLS. I usually update these packages together so I can ensure their server supports TLS properly:

yum -y update ca-certificates openssl nss wget libcurl

After running these updates, I test connecting to Kerio’s update server with the following command:

curl -v -I https://bdupdate.kerio.com

You’ll see there are no errors, and your results should look something like this:

* About to connect() to bdupdate.kerio.com port 443 (#0)
*   Trying 35.168.223.144... connected
* Connected to bdupdate.kerio.com (35.168.223.144) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=*.kerio.com,OU=Domain Control Validated
* 	start date: Nov 17 13:41:01 2017 GMT
* 	expire date: Nov 17 13:41:01 2018 GMT
* 	common name: *.kerio.com
* 	issuer: CN=Starfield Secure Certificate Authority - G2,OU=http://certs.starfieldtech.com/repository/,O="Starfield Technologies, Inc.",L=Scottsdale,ST=Arizona,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: bdupdate.kerio.com
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Date: Tue, 06 Feb 2018 20:38:32 GMT
Date: Tue, 06 Feb 2018 20:38:32 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

< 
* Connection #0 to host bdupdate.kerio.com left intact
* Closing connection #0

After that, everything should be working, not just Kerio but any other executables that were having problems with SSL/TLS support.

Hope that helps you too.