SAS_SSL_MIN_PROTOCOL Environment Variable

Specifies the minimum TLS or SSL protocol that can be negotiated when using OpenSSL. This environment variable is available when security hot fixes are applied.
Client: optional
Server: optional
Valid in: Configuration file, command line
Categories: Communications: Networking and Encryption

System Administration: Security

Default: TLS 1.0. When the security hot fixes are applied to the second maintenance release for SAS 9.3, the minimum OpenSSL protocol default is TLS 1.0.
Operating environment: UNIX, z/OS, and Windows
Note: This environment variable must be set before TLS or SSL are loaded. It cannot be changed after TLS or SSL are loaded. You must set the environment variable before the SAS/CONNECT spawner is started and before SAS is started on the client.
Tip: You can also define SET commands for Windows by using the System Properties dialog box that you access from the Control Panel.
See: Defining Environment Variables in UNIX Environments in SAS Companion for UNIX Environments, TKMVSENV File in SAS Companion for z/OS, Using Environment Variables in SAS Companion for Windows
Examples: Export the environment variable on UNIX hosts for the Bourne Shell:
export SAS_SSL_MIN_PROTOCOL=TLS

Set the environment variable on UNIX hosts for the C Shell environment:

SETENV SAS_SSL_MIN_PROTOCOL SSLv3

Set the environment variable at SAS invocation for UNIX hosts:

-set "SAS_SSL_MIN_PROTOCOL=SSLv3"

Set the environment variable on Windows hosts:

SET SAS_SSL_MIN_PROTOCOL=TLS1.0

Syntax

SAS_SSL_MIN_PROTOCOL= protocol
"SAS_SSL_MIN_PROTOCOL= protocol"
SAS_SSL_MIN_PROTOCOL protocol

Syntax Description

protocol
specifies the minimum TLS or SSL protocol version that is negotiated between UNIX, z/OS, and Windows servers when using OpenSSL. This environment variable is available only when security hot fixes are applied to the second maintenance release for SAS 9.3.
Valid OpenSSL protocol values available for this environment variable are as follows.
  • SSL3
  • SSLv3
  • TLS
  • TLS1.0
  • TLSv1
  • TLSv1.0
CAUTION:
SSL 3.0 is insecure. It is highly recommended that you use TLS 1.0.
Note: When the security hot fixes are applied, the default minimum protocol for OpenSSL is set to TLS 1.0.
Note: A message is written to the SAS log when an invalid value is specified.

Details

When the security hot fixes are applied in the second maintenance release for SAS 9.3, the SAS_SSL_MIN_PROTOCOL environment variable enables you to set a minimum SSL or TLS protocol that can be negotiated. During the first SSL or TLS handshake attempt, the highest supported protocol version is offered. If this handshake fails, earlier protocol versions are offered instead.
TLS 1.0 is the default minimum OpenSSL protocol version set when the hot fixes are applied. The SSL 3.0 value can be specified as a fallback value. However, the use of SSL 3.0 is not recommended.