
SCHANNEL errors with the new 10.6.3 version

After the upgrade we started getting the error "A fatal error occurred while creating an SSL client credential. The internal error state is 10013" on all of our systems.  It does it 2 times, every 30 seconds.  We have SHA1 and SSL disabled on our workstations in order to be PCI compliant.  Version 10.3.15 didn't exhibit this behavior.  Do you know of a way we can stop the errors? 

Event ID 36871 A fatal error occurred while creating an SSL client credential. The internal error state is 10013.

- Joe



  • The clients get an HTTP 400 error trying to get to that link.  But then so does my phone.  It says "400 protobuff message violation".  

    The cac.pem certificate files that Sophos uses are still using MD5.  I wonder if that could be part of the problem? 

    And my original message wasn't quite right.  We have RC4 and SSL2 and SSL3 disabled on our workstations.

    - Joe

  • So when I read https://www.sophos.com/en-us/support/knowledgebase/117936.aspx I can see this is using HTTPS for file reputation lookups.   Wireshark is showing our workstations getting a RST from 4.sophosxl.net when they try to connect.   I have malicious traffic detection, Block access to malicious web sites, and Live Protection all turned off, but I still get the errors and the 4.sophosxl.net traffic.

    This registry key which enables SSLV3 on my workstation, makes the SCHANNEL errors stop:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "Enabled"=dword:00000001

    Too bad that isn't a fix for us.   I've had case 5894880 open for a couple of days now, but no activity since it was opened.

    - Joe
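An added PowerShell check, not from the thread or from Sophos, that reports the SCHANNEL client protocol settings the post above is toggling and counts how often Event ID 36871 has fired in the last 24 hours (assumes it runs on the affected workstation with rights to read HKLM and the System log):

```powershell
# Added audit script (not from the thread): list SCHANNEL client protocol policy
# and count Schannel Event ID 36871 occurrences, so the noise can be measured
# before and after a change such as the SSL 3.0 Client "Enabled" value above.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

foreach ($p in $protocols) {
    $key = Join-Path $base "$p\Client"
    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key
        # A missing value means Windows falls back to the OS default for that protocol.
        $enabled = if ($null -ne $v.Enabled) { $v.Enabled } else { '(not set: OS default)' }
        $dbd     = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(not set)' }
    } else {
        $enabled = '(key absent: OS default)'
        $dbd     = '(key absent)'
    }
    [pscustomobject]@{ Protocol = $p; Enabled = $enabled; DisabledByDefault = $dbd }
}

# Count the "fatal error occurred while creating an SSL client credential" events
# (Event ID 36871, provider Schannel, System log) over the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
"Event 36871 occurrences in the last 24h: $(@($events).Count)"
```

Run it once before and once after a registry change (or after stopping the service the thread identifies) to confirm that the 36871 count actually drops rather than relying on a glance at Event Viewer.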

  • It's the Sophos System Protection Service using SSLV3 and causing the errors.  When I stop the service, the errors go away.   This makes sense.  https://www.sophos.com/en-us/support/knowledgebase/121619.aspx says it is using SXL4 over HTTPS.  It's a new feature, why did they write it to use SSLV3??

    - Joe

  • This is a known issue and we are currently working on a fix. I will update this thread once I know more.

    Thank you,

    Bob

  • No updates on this issue, right? We also have SSLv3 disabled to be PCI compliant and have some complaints about the event logs getting flooded with these errors.

  • As a quick test you could "host file" the 4.sophosxl.net domain just to point to 12.0.0.1.  I guess this would stop the noise?

  • jak said:

    As a quick test you could "host file" the 4.sophosxl.net domain just to point to 12.0.0.1.  I guess this would stop the noise?

    Tell me you mean 127.0.0.1 and not Thailand :)    I'll try it now.   But since it isn't going to be successful connecting to 127.0.0.1 I don't know if it will stop the noise.

    - Joe

  • I'm kind of the middle-man here, but my co-worker said he thinks it stopped the event from logging (and yep I knew you meant 127.0.0.1). I hopped on a server of mine and I don't have event ID 36871, but I do have a bunch of 36874 and 36888, which give a similar description but for TLS1.0. However, these entries stopped the night of 8/12 for my server, so I need a better test system. I'll verify with my co-worker whenever he gets here and checks the event logs.

    I checked a couple other servers of mine and see lots of 36887 events still happening, which just says "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40." The 36874 events seem to have ceased on 8/12 at around 9:00PM on multiple servers.

    Will update this again once I get more info. Thanks! 

  • Setting 4.sophosxl.net to 127.0.0.1 in the host file got rid of almost all the errors.  And the malware/spyware/Trojan blocking of sites still works.   It looks like it is only used for reputation lookups.

    - Joe