If you configure SAS Web Server, SAS Web Application Server, or SAS Environment Manager Server for HTTPS, Secure Sockets Layer (SSL) 3.0 is enabled by default. SSL 3.0 has the POODLE vulnerability that is described in these documents:

• https://www.us-cert.gov/ncas/alerts/TA14-290A
• https://www.openssl.org/~bodo/ssl-poodle.pdf

To disable SSL 3.0 in these servers, follow the steps below.

SAS^® Web Server

1. Open the httpd-ssl.conf file that resides in the conf/extra directory under the SAS Web Server directory.
2. Specify -SSLv3 in the SSLProcotol directive, as shown below:
   
   SSLProtocol all -SSLv2 -SSLv3
3. Then restart the server.

SAS^® Web Application Server

1. Open the server.xml file that resides in the conf directory under the directory for each SAS Web Application Server instance.
2. In that file, specify the sslProtocols parameter in the <Connector> element that specifies SSLEnabled="true":
   
   <Connector ... sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
3. Then restart the server.

SAS^® Environment Manager Server

1. Open the server.xml file that resides in the server-5.0.0-EE/hq-engine/hq-server/conf directory under the SAS Environment Manager directory.
2. Specify the sslProtocols parameter in the <Connector> element that specifies SSLEnabled="true":
   
   <Connector ... sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
3. Then restart the server.

Note: As of revision 94_14w47 for SAS 9.4 TS1M2, the sslProtocols parameter is specified as shown above by default.

Operating System and Release Information