KSC update error: Failed to establish the HTTPS connection: TLS error (54) [KSC for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Product:  KSC 11+

Applies also to the update utility version 4.1 and more recent.

Consider the following problematic scenarios:

1. You have installed KSWS on the KSC server and enabled Traffic Security component and Traffic Security uses MITM mechanism to analyze traffic.
2. You use a 3rd party software or hardware appliance for traffic filtering and this appliance disrupts connections to HTTPS-enabled public update servers. It can be a hardware appliance like BlueCoat or F5, FortiGate SSL Deep Inspection, or a software proxy like Squid that uses ICAP to redirect traffic to another security application for scanning.

KL uses HTTP public key pinning mechanism to verify update server authenticity; certificate used for authentication is self-signed by KL. Using any MITM-based solutions for SSL traffic inspection will lead to failures in establishing connection between KSC and a HTTPS-enabled KL update source. It happens because any MITM traffic inspection will forward a wrong certificate to KSC after inspection and KSC11 will break the connection.

The following string can be found in up2date trace:

self signed certificate in certificate chain

The following trace files are required for accurate diagnostic: $up2date-1103.*, $up2date-1103-eka.*

Please bear in mind that Kaspersky Support needs KSC traces mentioned above to be collected BEFORE you apply any of the workarounds listed in this post. 

Troubleshooting steps

1. If you have KSWS blocking traffic, add Up2Date.exe process or the update source certificate to trusted in Traffic Security settings.
2. If you use a 3rd party appliance to filter traffic, you can explicitly allow traffic signed by KL certificate.
3. Otherwise you can use HTTP to download updates. There are two ways to make KSC use HTTP:

   1. Set a server flag on KSC using following commands:

      klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1

      and on Update Agents (Distribution Points) getting updates from the internet, if any:

      klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1

   2. Explicitly set update task to use HTTP sources URLs, for example http://p00.upd.kaspersky.com. Full list of HTTP-enable sources can be found in <insecure_sites_list> parameter in http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml
4. Download updates using update utility 4.0. More recent version of update utility uses https.