Troubleshooting TLS

ERROR: Unable to load extension: (tkessl)

There are many reasons the library might not load. The best way to debug this error is to turn on logging and capture the SAS logging facility (log4SAS) output.

ERROR: SSL provider not in FIPS mode

This message might be displayed on Windows servers when the system cryptography "Use FIPS compliant algorithms for encryption, hashing, and signing" setting is not enabled. Enable this setting in your Local Security Policy. For more information, see TLS on Windows: FIPS 140-2 Capable OpenSSL.

ERROR: HTTP proxy handshake failed.

This message is displayed when clients sending TLS Subject Name Identification (SNI) cannot connect to a secured proxy server.
Some servers do not handle SNI host name checking in a way that allows connections to secured proxy servers.
  • On UNIX servers, make sure that the USE_SSL_SNI environment variable is not set.
  • On Windows servers, SNI is always sent. Other than disabling name checking (Subject Alternative Name) on server certificates, there is currently no workaround.

ERROR: Cannot load SSL Support

This message is displayed when SAS cannot find required software.
  • This message can be generated when SSL certificates cannot be found. If the directory where the certificates are located is specified using the SSLCACERTDIR environment variable, and the certificate files in that directory are not named using the hash value that OpenSSL generates, this message is generated. For more information, see SSLCACERTDIR Environment Variable.
  • This message is generated when requisite software cannot be loaded in an IOM session.

ERROR:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed

This message is displayed when certificates cannot be verified. If the directory where the certificates are located is specified using the SSLCACERTDIR environment variable, and the certificate files in that directory are not named using the hash value that OpenSSL generates, this message is generated. For more information, see SSLCACERTDIR Environment Variable.
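
The hashed-name requirement behind both this message and "Cannot load SSL Support" can be checked before starting SAS. The following is an added example, not SAS code: it assumes the openssl command-line tool is on the PATH, uses the hypothetical function names check_cacertdir and cert_fp, and goes slightly beyond the text by also confirming that each hashed entry really is the certificate it is named for.

```shell
#!/bin/sh
# Added example: report certificates in a CA directory that OpenSSL cannot
# look up because no <subject-hash>.<n> entry exists for them.
# Usage: source this file, then run: check_cacertdir "$SSLCACERTDIR"
# Returns 0 when every certificate has a hashed name, 1 otherwise.

cert_fp() {
    # SHA-256 fingerprint of a PEM certificate; empty if the file is not one.
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null
}

check_cacertdir() {
    dir=$1
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$cert" ] || continue
        # The name OpenSSL looks for is the subject-name hash plus a suffix.
        subj_hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || {
            echo "SKIP    $cert (not a PEM X.509 certificate)"
            continue
        }
        fp=$(cert_fp "$cert")
        found=no
        # Hash collisions are resolved by the suffix: <hash>.0, <hash>.1, ...
        for link in "$dir/$subj_hash".[0-9]*; do
            [ -e "$link" ] || continue
            if [ "$(cert_fp "$link")" = "$fp" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = yes ]; then
            echo "OK      $cert -> ${link##*/}"
        else
            echo "MISSING $cert (expected $subj_hash.0 or the next free suffix)"
            missing=1
        fi
    done
    return "$missing"
}
```

For each MISSING line, a symbolic link or copy with the printed name in the same directory gives OpenSSL the entry it looks up.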

Failed to Find the Following Issuer of this Certificate in Truststore

This message is displayed when you use the SAS Deployment Manager (SDM) to add certificates to the trust list in the wrong order. First, you need to add the issuer of the certificate or the root certificate. Then you can add the intermediate certificate. You need to run the SDM task for each certificate that you need to add.

Verify that the File Contains Certificates in the Proper Encoding

This message is displayed when you use the SDM to add certificates with unacceptable encodings. Certificates must be X.509 certificates formatted in Base-64 encoding that have .pem, .crt, or .cer extensions. For more information, see Certificate File Formats.