Hostname validation for Db2 11.5.6 clients

Db2 11.5.6 clients can verify the hostname that appears in a Db2® server's Transport Layer Security (TLS, formerly known as SSL) certificate against the server for which they are configured to connect. Using hostname validation, Db2 clients have an added layer of security when negotiating secure connections to Db2 servers during a TLS handshake.

How hostname validation works

When a Db2 client sends a client hello message to a Db2 server during a TLS handshake, the server responds with it's own server hello message, which includes, among other things, its certificate. It is at this point that the client authenticates the server using this certificate.

If hostname validation is enabled, the client verifies that the hostname to which it is configured to connect matches one of the hostnames present in the certificate. The server’s identity can be represented using different fields in the certificate. Once the client authenticates the server, both parties perform key exchange and a successful TLS connection is established.

Here is an example scenario where the client connects to the database server at with TLS and hostname validation enabled:
  1. A Db2 client initiates a connection with a Db2 server:;Security=SSL;SSLClientHostnameValidation=Basic;Database=….
  2. The server responds with its certificate:
    Key Size : 2048
    Version : X509 V3
    Serial : xxx
    Issuer : CN=Example Enterprise CA
    Subject :
    Not Before : November 26, 2020 4:44:11 PM EST
    Not After : November 27, 2021 4:44:11 PM EST
    Signature Algorithm : SHA1WithRSASignature
  3. The client performs hostname validation. In this case, it is successful because the certificate contains as its subject alternate name (SAN).
  4. The rest of the handshake takes place and a secure connection is established with the server.
Note: If hostname validation fails, SQL20576N with SQLSTATE 08001 is returned to the client and an error message is logged to the db2diag.log. This message includes one or more hostnames contained in the server certificate and any hostnames that the client used to match against this certificate.