
KSC update error: retranslation operation results in the TLS error "CrlHasExpired" [KSC for Windows]


Antipova Anna


Product: KSC 11 and more recent versions

Consider the following problematic scenario:

You use a caching proxy server, for example Squid, to download updates for the KSC Server. KSC is configured to download updates over HTTPS (the default configuration).

$up2date-1103-eka.log analysis

KL uses the HTTP public key pinning mechanism to verify the authenticity of the update servers; the certificate used for authentication is self-signed by KL. Certificate revocation checking via a certificate revocation list (CRL) is also implemented.

More information about the certificate revocation process is available here:

https://learn.microsoft.com/en-us/archive/blogs/ieinternals/understanding-certificate-revocation-checks
https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx

A recent update of the CRL was performed at the end of July 2023. The CRL is available at this link: http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl

The old CRL was valid until 23.7.2023 and has now expired.

When KSC requests the CRL file, the proxy server returns its cached (expired) copy to KSC, and CRL verification fails.

To identify the issue precisely, look for the following lines in $up2date-1103-eka.log:

04:01:48.817    0x326c    INF    httpcli    cert_revoke    0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired)
04:01:48.817    0x326c    INF    httpcli    Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired)
04:01:48.892    0x1d0c    INF    updater    core: ========= Downloading primary index result TLS error =========

Troubleshooting steps

To solve the problem, the administrator of the proxy server should turn off caching of the http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl file. It is recommended to turn off caching for all files downloaded from the public update servers, using these masks:

*.kaspersky.com

*.kaspersky-labs.com
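As an added example (not part of the original post), this is how the recommendation above can be applied in Squid; the ACL names are my own choice, and the directive syntax assumes Squid 3.x or later:

```conf
# squid.conf fragment (added example)
#
# Default behaviour: Squid caches every cacheable object, including the
# Kaspersky CRL, so an expired CRL keeps being served to KSC after a new
# one has been published, and KSC reports eCrlHasExpired.
#
# Fix: never cache objects from the Kaspersky update and CRL domains.
# A leading dot in dstdomain matches the domain and all its subdomains,
# which corresponds to the *.kaspersky.com / *.kaspersky-labs.com masks.
acl kl_update_hosts dstdomain .kaspersky.com .kaspersky-labs.com
cache deny kl_update_hosts

# Narrower alternative if update files should stay cached and only the
# CRL must bypass the cache:
# acl kl_crl url_regex -i ^http://crl\.kaspersky\.com/cdp/.*\.crl$
# cache deny kl_crl
```

Apply it with `squid -k reconfigure`; the stale CRL already held in the cache must still be purged (or the cache cleared) before KSC receives the current one.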

An alternative workaround:
  1. Set a server flag for KSC using the following command:

    klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1

    Also, set a server flag for Update Agents (Distribution Points) that get updates from the Internet, if any:

    klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1

  2. Explicitly set the update task to use HTTP sources for its URLs, for example, http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter at http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml