SAS_SSL_MIN_PROTOCOL Environment Variable

Specifies the minimum TLS or SSL protocol that can be negotiated when using OpenSSL.

Client:	Optional
Server:	Optional
Valid in:	Configuration file, command line
Categories:	Communications: Networking and Encryption
Categories:	System Administration: Security
Default:	TLS 1.2. Starting in the fourth maintenance release of SAS 9.4, the minimum OpenSSL protocol default is TLS 1.2.
Operating environment:	UNIX, z/OS, and Windows
Notes:	This environment variable must be set before TLS or SSL are loaded. It cannot be changed after TLS or SSL are loaded. You must set the environment variable before the SAS/CONNECT spawner is started and before SAS is started on the client.
Notes:	This environment variable is available in all SAS 9.3 and SAS 9.4 versions of software if hot fixes are applied.
Tip:	You can also define SET commands for Windows by using the System Properties dialog box that you access from the Control Panel.
See:	Defining Environment Variables in UNIX Environments in SAS Companion for UNIX Environments, TKMVSENV File in SAS Companion for z/OS, Using Environment Variables in SAS Companion for Windows
Examples:	Export the environment variable on UNIX hosts for the Bourne Shell: export SAS_SSL_MIN_PROTOCOL=TLS1.2
	Set the environment variable on UNIX hosts for the C Shell environment: SETENV SAS_SSL_MIN_PROTOCOL TLS1.2
	Set the environment variable at SAS invocation for UNIX hosts: -set "SAS_SSL_MIN_PROTOCOL=TLS1.2"
	Set the environment variable on Windows hosts SET SAS_SSL_MIN_PROTOCOL=TLS1.2

Syntax

Syntax Description

Details

Syntax

SAS_SSL_MIN_PROTOCOL= protocol

"SAS_SSL_MIN_PROTOCOL= protocol"

SAS_SSL_MIN_PROTOCOL protocol

Syntax Description

protocol

specifies the minimum TLS protocol version that is negotiated between UNIX, z/OS, and Windows servers when using OpenSSL. Valid values for TLS 1.2 are TLS1.2 and TLSv1.2.

See the SAS Security Bulletin on OpenSSL for the most current information about the versions of OpenSSL used in SAS products and about the advisories under consideration. For a list of the versions of OpenSSL libraries provided by SAS, see OpenSSL Version to SAS Software Release.

CAUTION:

It is highly recommended that you use TLS 1.2 or above. Versions prior to TLS 1.2 have known security vulnerabilities.

Note: A message is written to the SAS log when an invalid value is specified.

Details

The SAS_SSL_MIN_PROTOCOL environment variable enables you to set a minimum TLS protocol that will be negotiated. During the first TLS handshake attempt, the highest supported protocol version is offered. If this handshake fails, earlier protocol versions are offered instead.

TLS1.2 is the default minimum OpenSSL protocol version used to negotiate between client and servers in the fourth maintenance release of SAS 9.4. You can specify an earlier fallback value, but it is not recommended.