brentil
Reliable Contributor
Message 1 of 13

ePO 5.9 -> 5.10 cipher suite blocker not detected by ePIP/Pre-Installation Auditor

I've spent a while trying to get an ePO 5.9 system to upgrade to 5.10 and even opened a case to track down the issue.  What you see happen is successful communication to the SQL server, and all the checks run and show no blockers, but when you get to the Product Compatibility step it throws an error trying to talk to the ePO server to pull the list of installed applications.

It turns out the ePIP.exe & UpgradeCompatibility.exe only use the TLS 1.2 cipher suites that ePO 5.10 will use for this step, but they don't detect in the previous checks section whether your system is actually running these cipher suites.  A bunch of Wiresharking discovered this, and the following KB article lists the cipher suites that need to be enabled for it to work correctly.  Once they were enabled and the system rebooted, I'm now finally able to run the ePO 5.10 upgrade.

Transport Layer Security and cipher suite requirements for ePO 5.10.x (mcafee.com)

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

cdinet
McAfee Employee
Message 2 of 13

What version of epip was running?  The installer for epo is updated periodically with newer versions of epip.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

brentil
Reliable Contributor
Message 3 of 13

I tried the ePIP from the Grants area along with the ePIP inside of the new ePO 5.10 HF10 repost.  They both have the same issue.

ePIP 3.1.0.222R5 (ePIP inside of EPO510_2428_18_LR4 and Grants area)

ePIP 3.1.0.257 (ePIP inside of EPO510_2428_57_LR5)

cdinet
McAfee Employee
Message 4 of 13

Do you have the epip log?  Make sure there is no personally identifiable info in it.


brentil
Reliable Contributor
Message 5 of 13

I've attached a copy from testing that I also provided for my case.  The ePIP log itself isn't very helpful because it doesn't show the actual underlying issue.  For example, the cpcwiz.log instead led us on a chase about the certificates being bad, which they were not.  None of the items listed in the log were true for the certificate.

3/26/2021 16:00:50	SSL certificate was revoked.
3/26/2021 16:00:50	SSL certificate common name (host name field) is incorrect, for example, if you entered www.microsoft.com and the common name on the certificate says www.msn.com.
3/26/2021 16:00:50	SSL certificate date that was received from the server is bad. The certificate is expired.

When we were doing Wireshark analysis of the ePIP running, I finally found a TLS error code during the handshake process that was terminating the communication BEFORE the actual SSL certificate was even being passed, which I knew wasn't a TLS version issue itself but something cipher-suite related.

It passed all of the communication checks to MS-SQL without issue though, and that MS-SQL instance is on the same system as ePO for this test environment, so it had the same cipher suite list.

cdinet
McAfee Employee
Message 6 of 13

One thing I do know about the epip: it never really analyzes what ciphers are enabled/disabled on a system, but it should provide a warning to have you check them.  So if it isn't even prompting you or showing a warning when it runs to check the ciphers, that would be a problem.  I know one of the versions older than yours has more checks in it than recent ones, as they changed it depending on whether you are upgrading epo or just installing an update.  As for the cpwiz entries in the log regarding the cert not being correct, you have to look at a couple of things.  The certificate (browser) is issued by default to the netbios name of the server.  If you access the console by IP or fqdn, the cert doesn't match, even though epo has a valid cert - the url just doesn't match the name the cert was issued to.  You may have run into that if the actual log entries show https://MY-EPO-SERVER.MY.DOMAIN:8443 with your fqdn.

The epipapi_installer.log should contain an entry like this:

7524 2021-03-08 10:57:39 I CHECK NAME: McAfee ePO server SSL parameter
7524 2021-03-08 10:57:39 I Entering 'CheckSSLParam'
7524 2021-03-08 10:57:39 I Exiting 'CheckSSLParam', result 1
7524 2021-03-08 10:57:39 I Result : Passed
7524 2021-03-08 10:57:39 I EXITED


brentil
Reliable Contributor
Message 7 of 13

The certificate was definitely not the issue.  I've done this process with both the self-signed ePO certs and a 3rd party SAN cert that has the IP, NetBIOS name, and FQDN, as attempts to figure out the issue before finding it was the cipher suite order.

There is no epipapi_installer.log when ePIP is run by itself, which is what we were focusing on getting running before moving on to even trying the ePO upgrade.  But yes, the screen did not throw a warning or error regarding SSL before moving on to the product checks, where it would error.

cdinet
McAfee Employee
Message 8 of 13

I will test that - need to set up a 5.9.1 epo server


brentil
Reliable Contributor
Message 9 of 13

Not sure if it matters or not, but this particular server was a Windows 2012 R2 system.  I think, though, that just using IISCrypto to shut down the 4 cipher suites listed above and rebooting would emulate the same state on any newer version of Windows Server as well.
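As an added pre-upgrade check (not from the thread or from McAfee's tools), this PowerShell snippet reports whether the four cipher suites from the first post are enabled on the ePO host, covering both the Server 2016+ TLS cmdlets and the Schannel registry order that IISCrypto edits on older servers such as 2012 R2. It assumes the standard Schannel locations (the policy key `HKLM:\SOFTWARE\Policies\...\SSL\00010002` and the local default key `HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002`); the function name is my own.

```powershell
# Added example, not ePIP code: verify the cipher suites the ePO 5.10 upgrade
# tools negotiate with are enabled before running ePIP/UpgradeCompatibility.
$Required = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA'
)

function Get-EnabledSchannelCipherSuites {
    # Windows Server 2016+ / Windows 10: the TLS module reports the effective list.
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    }
    # Older servers (e.g. 2012 R2): a policy order (the value IISCrypto writes)
    # overrides the local default order. Both use the value name 'Functions'.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        # REG_SZ, comma-separated list
        return @($policy.Functions -split ',' | ForEach-Object { $_.Trim() })
    }
    $localKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    $local = Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue
    # REG_MULTI_SZ, one suite per entry
    return @($local.Functions)
}

$enabled = Get-EnabledSchannelCipherSuites
$missing = @($Required | Where-Object { $enabled -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning 'Cipher suites used by the ePO 5.10 upgrade tools are disabled on this host:'
    $missing | ForEach-Object { Write-Warning "  $_" }
    # On Server 2016+ they can be re-enabled in place (reboot afterwards):
    #   $missing | ForEach-Object { Enable-TlsCipherSuite -Name $_ }
    # On 2012 R2, re-enable them in IISCrypto (or remove them from the policy
    # 'Functions' value) and reboot before re-running ePIP.
} else {
    'All four cipher suites required by ePIP/UpgradeCompatibility are enabled.'
}
```

Run it in an elevated PowerShell on the ePO server itself, since that is the endpoint the Product Compatibility step connects to.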

cdinet
McAfee Employee
Message 10 of 13

Thanks, will do that
