F-Secure Software Updater - SSL connect error.

GeminiMDZ
GeminiMDZ W/ Alumni Posts: 7 Security Scout

Hello

 

For a few weeks (maybe up to 2 months) I have had a problem with Software Updater. It doesn't want to download updates for Windows 7. With Java or Adobe updates it works fine. My setup is:

F-Secure Client Security Premium 12

F-Secure Client Security 11.61 (for older computers - without Software Updater)

F-Secure Policy Manager 12

Squid Proxy

 

Software Updater is configured to go through a proxy. The proxy allows only three ports (21, 80 and 443), and only during the defined hours when Software Updater should work. I've tested many settings for Software Updater and Squid, but it still doesn't work. For every update I saw an error in the logs:

 

Exception occurred. Type: CurlException, Reason: SSL connect error, Function: fs::CurlHandle::Perform, File: "..\\..\\..\\..\\..\\src\\fssua_common\\Downloader.cpp", Line: 142, Error Code : 35

 

The question is: is it my proxy's fault, or some setting of Software Updater?

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

    I think you should allow everything, try a Microsoft patch and monitor / packet capture what goes where. If it is HTTPS, you can't see the content (unless some gateway is available with faux-cert MITM capability). The direction of traffic and origination / destination IP and port should be visible. Based on that info, you could narrow down the net access rules.

    As you say Java or Adobe updates work fine, access to 'xml.shavlik.com' should be already OK?

    Best Regards: Tamas Feher, Hungary.

  • Dmitriy
    Dmitriy W/ Alumni Posts: 179 Threat Terminator

    Hello,

     

    I am afraid that we don't have enough details to find out whether the problem is with the client or proxy configuration. Could you please open a support ticket and send us an fsdiag report with all relevant logs from your system?

     

    BR,

    Dmitriy

  • GeminiMDZ
    GeminiMDZ W/ Alumni Posts: 7 Security Scout

    Hello

     

    Sorry for not responding earlier, but I was kinda busy. I was doing some testing, including Windows updates, and I've come to a little conclusion. Without changing anything in the proxy settings, Windows updates don't want to go through the F-Secure Software Updater, but they will go smoothly using the Windows Update tool. So I think the problem isn't caused by the proxy (very simple config) but by the configuration/methods of the F-Secure Software Updater. Maybe someone could point me to some crucial setting that may cause my problem.

     

    P.S. I'm mostly concerned about one setting - Override WSUS Updates (although it did not change anything while I was testing it).

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Hello GeminiMDZ,

     

    You are right, the policy setting "Override WSUS Updates" is the only one which affects handling of Windows updates installation. As described in the help text for this setting in PMC, Software Updater installs updates for Microsoft products even if Windows Server Update Services (WSUS) are configured to handle such updates on the target hosts, if this setting is enabled. Software Updater checks the WSUS configuration in the registry and decides whether it should handle Microsoft updates or not.

     

    Best regards,

    Vad

  • M_M
    M_M W/ Alumni Posts: 25 Security Scout

    We have the same problem. This is the official answer from the F-Secure Support Team:

    I've done some research, it looks like it's a bug being documented. The issue is caused by the SYSTEM account configuration on workstations regarding proxy settings. Since certificate checking is performed by the operating system under that account, proper proxy configuration on clients should be performed. When the OS cannot download certificate revocation lists from servers during certificate checking, it fails certificate verification and breaks the connection, so the download fails. Software Updater works under the SYSTEM account, which is why the proxy should be configured for the SYSTEM account as well (not only for the user account). One of the ways to solve the issue is using WPAD (Web Proxy Auto-Discovery) in the organisation, so the proxy will be automatically configured for the SYSTEM account as well. The workaround so far consists of configuring the proxy for the LOCAL SYSTEM account: http://serverfault.com/questions/34940/how-do-i-configure-proxy-settings-for-local-system
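
A way to check the condition described in the support answer above, added here as an example (not F-Secure's code and not part of the original thread): it shows the proxy settings present for the SYSTEM account and then builds a certificate chain with online revocation checking, which fails in the way described when CRLs cannot be downloaded. The certificate path is a hypothetical placeholder, and the script is assumed to be run as LOCAL SYSTEM.

```powershell
# Added diagnostic example; not F-Secure code. Run it as LOCAL SYSTEM (for example
# from a scheduled task that runs as SYSTEM) to test what a SYSTEM service sees.
param(
    # Hypothetical path: a certificate exported from the HTTPS server whose download fails.
    [string]$CertPath = 'C:\temp\download-server.cer'
)

"Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name

# 1. Machine-wide WinHTTP proxy setting.
netsh winhttp show proxy

# 2. Proxy values stored in the LOCAL SYSTEM profile (well-known SID S-1-5-18).
$key = 'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# 3. CRL distribution points (extension OID 2.5.29.31) the OS must reach for this certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') |
        ForEach-Object { "CRL URL: " + $_.Groups[1].Value }
}

# 4. Build the chain with online revocation checking for every certificate in it.
#    A previously cached CRL can make this succeed even when the proxy path is broken.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($cert)
"Chain valid with revocation check: $ok"

# RevocationStatusUnknown or OfflineRevocation here means the CRL could not be retrieved.
foreach ($s in $chain.ChainStatus) {
    "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
```

If the same script reports a valid chain when run as a logged-on user but `RevocationStatusUnknown` or `OfflineRevocation` when run as SYSTEM, the proxy configuration for the SYSTEM account is the difference.
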

  • GeminiMDZ
    GeminiMDZ W/ Alumni Posts: 7 Security Scout

    Thank you very much for such a helpful reply. I'll look into this.

This discussion has been closed.