ssl_versions - Supported SSL versions at the server configuration parameter

This configuration parameter specifies Secure Sockets Layer (SSL) and Transport Layer Security (TLS) versions that the server supports for incoming connection requests.

Important:

In response to CVE-2023-32342, Db2 releases with KI DT223175 will use the non-FIPS IBM Crypto for C (ICC) for TLS ciphers that use RSA key exchange, as the FIPS certified IBM Crypto for C (ICC) is vulnerable to CVE-2023-32342.

Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable Strict FIPS mode. In strict FIPS mode, Db2 releases with KI DT223175 will disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.

The following restrictions will apply to TLS when strict mode is enabled in Db2 releases that contain KI DT223175:
  • TLS 1.0 and 1.1 will be disabled in strict mode regardless of the SSL_VERSIONS setting, as the only supported ciphers use RSA key exchange. If the SSL_VERSIONS DBM CFG parameter is unset, or is set to TLSV1, TLS 1.2 will be enabled in its place.
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) will be disabled. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, all supported ECDHE ciphers will be enabled. For instances using RSA certificates, Db2 will automatically prefer TLS_ECDHE_RSA ciphers for TLS 1.2 and no certificate change is required.
  • TLS 1.3 is unaffected by CVE-2023-32342, and behaviour will not change in strict FIPS mode.
For further details on how to enable strict FIPS mode, refer to Industry Standards
Important: Use of versions 1.0 and 1.1 of the Transport Layer Security (TLS) protocol is deprecated. We recommend to use TLS version 1.2.
Configuration type
Database
Applies to
  • Database server with local and remote clients
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Configurable
Default [range]
Null [TLSV1,TLSV12,TLSV13]

The default value for SSL_VERSIONS is NULL. If you set the parameter to NULL, the parameter enables support for TLS 1.2. In Db2 versions prior to 11.5.9, the value NULL enables support for TLS 1.1 and 1.0. TLS 1.3 is not enabled by default.

Note: During the TLS handshake, the client and the server negotiate and find the most secure version to use. If there is no compatible version between the client and the server, the connection fails.
With Db2® 11.5.8 and later, setting the SSL_VERSIONS parameter to TLSV13 (RFC8446) enables support for TLS 1.3.
Warning: Enabling support for TLS 1.3 automatically restricts the allowed ciphers and certificate types when falling back to prior TLS versions, if any prior TLS versions are enabled. In addition, older non-Java clients that only support TLS 1.1 cannot connect when TLS 1.3 is enabled, even if TLSV1 is set as an available fallback protocol. For more information, see First steps in enabling TLS in Db2 servers and clients.

Note: With Db2 11.5.8 and later, the SSL_VERSIONS parameter also controls the TLS version used in HADR configurations when TLS is enabled for communication between primary and standby databases. If SSL_VERSIONS is set to TLSV1, the setting is ignored for HADR and the default value of TLS 1.2 is used. For more information, see Configuring TLS for the communication between primary and standby HADR servers.

If you set the parameter to TLSV12 (RFC5246), the parameter enables support for TLS 1.2.

If you set the parameter to TLSV13 (RFC8446), the parameter enables support for TLS 1.3.

If multiple TLS versions are specified in the parameter, such as TLSV13,TLSV12, the parameter enables support for the latest specified TLS version with the option to fall back to an earlier TLS version.