SAS® clients fail to connect, and you see an "error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher" message in server logs


A recent fix for SAS/SECURE™ software disabled support for less secure encryption cipher suites. After you apply this fix to the SAS® Viya® 3.5 server, clients that do not support newer cipher suites can fail to connect, and the SAS Viya server logs show the following message:

error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher


How to determine whether you have the fix that disables less secure encryption cipher suites
Check whether you applied the SAS/SECURE updates listed in "SAS/SECURE™ software supports the use of CBC mode encryption ciphers."

For example, run the following commands to print the currently installed sas-tkcore and sas-tkcore1 packages:

If your sas-tkcore and sas-tkcore1 package versions match or are newer than those that are listed, you have the fix.

How to resolve this problem
The most secure option for resolving the problem is to upgrade client systems so that they support the latest encryption cipher suites. If upgrading is not possible, the other options, in order of decreasing security, are as follows:

1. Enable only the cipher suites that are needed for successful client connections. You need to know which cipher suites the client system supports. Then enable those suites on the SAS Viya server by using the SSLCIPHERLIST environment variable.

Here is an example of an SSLCIPHERLIST setting that enables the cipher suites that the fix disabled. Enter the value as a single line with no spaces or line breaks inside the quotation marks:

   export SSLCIPHERLIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256"

2. The least secure option is to set the environment variable SSLMODE with the value SSLMODEDEPRECATED. Here is an example:

   export SSLMODE=SSLMODEDEPRECATED

Either of the environment variables mentioned above can be placed in locations such as the following:

After you place the environment variable in the relevant location, restart the affected service.
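
For option 1, the following Python sketch (an added example, not SAS code) computes the smallest SSLCIPHERLIST value that still lets a given client connect, and flags the suites to retire first. The function names are hypothetical, the client suite list is constructed sample data, and the strength classification assumes OpenSSL-style suite names like those in the setting above.

```python
# Added example: function names and the sample client list are constructed.
PAGE_LIST = (  # the SSLCIPHERLIST value shown in this note
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256"
)

def parse(cipher_list):
    """Split a colon-separated list, tolerating whitespace and wrapped lines."""
    return [s for s in (p.strip() for p in cipher_list.split(":")) if s]

def properties(suite):
    """Return (forward_secrecy, aead) inferred from an OpenSSL-style name."""
    forward_secrecy = suite.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in suite for tag in ("GCM", "CCM", "POLY1305"))
    return forward_secrecy, aead

def minimal_cipher_list(client_suites, candidates=PAGE_LIST):
    """Candidates the client also supports, strongest first for review."""
    client = set(client_suites)
    shared = [s for s in parse(candidates) if s in client]
    if not shared:
        # Same condition the server reports as "no shared cipher".
        raise ValueError("no shared cipher: client supports no candidate suite")
    # Stable sort: forward secrecy + AEAD first, static-RSA CBC last.
    shared.sort(key=lambda s: tuple(not p for p in properties(s)))
    return shared

def weak_suites(suites):
    """Suites lacking forward secrecy or AEAD: retire these first."""
    return [s for s in suites if not all(properties(s))]

def export_line(suites):
    """Render the setting on one line, as the shell requires."""
    return 'export SSLCIPHERLIST="{}"'.format(":".join(suites))

if __name__ == "__main__":
    # Constructed sample: suites a hypothetical legacy client offers.
    legacy_client = ["ECDHE-RSA-AES128-SHA256", "AES128-SHA256",
                     "AES256-GCM-SHA384", "DES-CBC3-SHA"]
    chosen = minimal_cipher_list(legacy_client)
    print(export_line(chosen))
    print("retire first:", weak_suites(chosen))
```
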