TLSVersion IBM data server driver configuration keyword

Sets the desired version of the Transport Layer Security (TLS) protocol for a TLS connection.

Important:

In response to CVE-2023-32342, Db2 releases with KI DT223175 uses the non-FIPS ICC for TLS ciphers that use RSA key exchange, as the FIPS certified ICC is vulnerable to CVE-2023-32342.

Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable Strict FIPS mode. In strict FIPS mode, Db2 releases with KI DT223175 disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.

The following restrictions apply to TLS when strict mode is enabled in Db2 releases that contain KI DT223175:
  • TLS 1.0 and 1.1 are disabled in strict mode regardless of the SSL_VERSIONS setting, as the only supported ciphers use RSA key exchange. If the SSL_VERSIONS DBM CFG parameter is unset, or is set to TLSV1, TLS 1.2 will be enabled in its place.
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) are disabled. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, all supported ECDHE ciphers are enabled. For instances using RSA certificates, Db2 automatically prefers TLS_ECDHE_RSA ciphers for TLS 1.2 and no certificate change is required.
  • TLS 1.3 is unaffected by CVE-2023-32342, and behavior does not change in strict FIPS mode.
For further details on how to enable strict FIPS mode, refer to Industry Standards
Attention: This keyword is available in Db2 11.5.6 and later versions.
Equivalent CLI keyword
TLSVersion
Equivalent IBM® data server provider for .NET connection string keyword
TLSVersion
IBM data server driver configuration file (db2dsdriver.cfg) syntax
<parameter name="TLSVersion" value="TLSV1 | TLSV12 | TLSV13"/>
Default setting:
None
Usage notes:

This option sets the desired version of the TLS protocol for a TLS connection. When the TLSVersion parameter is not set, or is set to NULL, TLS 1.2 and TLS 1.3 are enabled. In Db2 versions prior to 11.5.9, and Db2 11.5.8 releases without KI DT245990, all TLS versions are enabled.