Troubleshooting hostname validation at the client when negotiating a TLS connection

When hostname validation fails at the client during a TLS handshake, the details of the failure are saved to the db2diag.log file.

Analyzing the details in the db2diag.log file

The first three data points in the db2diag.log record specify which hostnames the client used to perform hostname validation against the server's certificate. The remaining data points list the hostnames that are present in the common name (CN) or subject alternative name (SAN) of that certificate.

The following example shows a hostname validation failure record in the db2diag.log file:
2021-04-06-16.35.00.951803-240 E9461858E1589         LEVEL: Error
PID     : 2996888              TID : 140497763679360 PROC : db2bp
INSTANCE: <instance user>      NODE : 000
HOSTNAME: <client hostname>
FUNCTION: DB2 UDB, common communication, sqlccHostnameValidationDumpCert, probe:500
MESSAGE : Failed to validate the hostname against the server certificate sent
          by the server. Dumping the expected hostname(s), certficate CN(s), and
          certificate SAN(s).
DATA #1 : String, 19 bytes
Hostname configured
DATA #2 : String
<Hostname that the client configured>
DATA #3 : String, 33 bytes
Hostname in the server list entry
DATA #4 : String
<Hostname associated with the server list entry>
DATA #5 : String, 47 bytes
Hostname of the last connected alternate server
DATA #7 : String, 29 bytes
Certificate Dump: Common Name
DATA #8 : String
<hostname in the common name of the subject>
DATA #9 : String, 52 bytes
Certificate Dump: Subject Alternative Name (DNSNAME)
DATA #10: String, 27 bytes
<Hostnames in the SAN>
DATA #11: String, 55 bytes
Certificate Dump: Subject Alternative Name (RFC822NAME)
DATA #12: String, 50 bytes
Server certificate does not have any RFC822 names.
DATA #13: String, 58 bytes
Certificate Dump: Subject Alternative Name (DIRECTORYNAME)
DATA #14: String, 53 bytes
Server certificate does not have any Directory names.
DATA #15: String, 48 bytes
Certificate Dump: Subject Alternative Name (URI)
DATA #16: String, 42 bytes
Server certificate does not have any URIs.
DATA #17: String, 54 bytes
Certificate Dump: Subject Alternative Name (IPADDRESS)
DATA #18: String, 50 bytes
Server certificate does not have any IP addresses.

Reviewing this data can help determine why hostname validation is failing. For example, if the hostnames in the Common Name and the SAN fields are not trusted, you should not connect to this server, because a malicious site could be intercepting the connection. However, if these hostnames are trusted, then either the configured hostname on the client is incorrect or the server certificate has been set up with incorrect hostnames.
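The comparison described above can be automated for triage. The following Python script is an added example, not code from the Db2 documentation or product: it parses a record in the layout shown above, collects the hostnames the client expected (data points 1 to 5) and the names dumped from the certificate (Common Name and SAN DNSNAME entries), and reports whether any expected hostname matches. The record, instance name and hostnames in SAMPLE_RECORD are constructed for this example. The matching rule (case-insensitive, one left-most wildcard label) is the general RFC 6125 rule and is an assumption here; the page does not state how Db2 treats wildcards. The assumption that several SAN names may appear on one line, separated by whitespace or commas, is also the example's own.

```python
"""Parse the hostname-validation record Db2 writes to db2diag.log and compare
the hostnames the client expected with the names in the server certificate."""
import re

# Constructed record in the layout shown above; instance, hostnames, PID and TID are made up.
SAMPLE_RECORD = """\
2021-04-06-16.35.00.951803-240 E9461858E1589         LEVEL: Error
PID     : 2996888              TID : 140497763679360 PROC : db2bp
INSTANCE: db2inst1             NODE : 000
HOSTNAME: client01.example.internal
FUNCTION: DB2 UDB, common communication, sqlccHostnameValidationDumpCert, probe:500
MESSAGE : Failed to validate the hostname against the server certificate sent
          by the server. Dumping the expected hostname(s), certficate CN(s), and
          certificate SAN(s).
DATA #1 : String, 19 bytes
Hostname configured
DATA #2 : String
db2-prod.example.internal
DATA #3 : String, 33 bytes
Hostname in the server list entry
DATA #4 : String
db2-prod.example.internal
DATA #5 : String, 47 bytes
Hostname of the last connected alternate server
DATA #7 : String, 29 bytes
Certificate Dump: Common Name
DATA #8 : String
db2-prod01.example.internal
DATA #9 : String, 52 bytes
Certificate Dump: Subject Alternative Name (DNSNAME)
DATA #10: String, 27 bytes
db2-prod01.example.internal
DATA #11: String, 55 bytes
Certificate Dump: Subject Alternative Name (RFC822NAME)
DATA #12: String, 50 bytes
Server certificate does not have any RFC822 names.
"""

DATA_HEADER = re.compile(r"^DATA #\d+\s*: String(?:, \d+ bytes)?\s*$")
EXPECTED_LABELS = (
    "Hostname configured",
    "Hostname in the server list entry",
    "Hostname of the last connected alternate server",
)
CERT_PREFIX = "Certificate Dump: "


def _data_values(record):
    """Yield the text under each DATA #n header, in order (multi-line values joined)."""
    lines = record.splitlines()
    i = 0
    while i < len(lines):
        if DATA_HEADER.match(lines[i]):
            j, parts = i + 1, []
            while j < len(lines) and not DATA_HEADER.match(lines[j]):
                parts.append(lines[j].strip())
                j += 1
            yield " ".join(p for p in parts if p)
            i = j
        else:
            i += 1


def parse_record(record):
    """Return (expected, cert): expected maps each 'Hostname ...' label to the names
    the client tried; cert maps each 'Certificate Dump' section to the names found.
    A label with no value (e.g. no alternate server was ever connected) maps to []."""
    expected, cert, current = {}, {}, None
    for value in _data_values(record):
        if value in EXPECTED_LABELS:
            current = expected.setdefault(value, [])
        elif value.startswith(CERT_PREFIX):
            current = cert.setdefault(value[len(CERT_PREFIX):], [])
        elif current is not None and "does not have any" not in value:
            # Assumption: several names may share one line, separated by spaces or commas.
            current.extend(n for n in re.split(r"[\s,]+", value) if n)
    return expected, cert


def hostname_matches(expected, cert_name):
    """Case-insensitive comparison allowing one left-most wildcard label (RFC 6125 rule).
    Assumption: whether Db2 honours wildcards is not stated in the documentation."""
    e, c = expected.lower().rstrip("."), cert_name.lower().rstrip(".")
    if e == c:
        return True
    if c.startswith("*.") and "*" not in c[2:]:
        e_labels, c_labels = e.split("."), c.split(".")
        return len(e_labels) == len(c_labels) and e_labels[1:] == c_labels[1:]
    return False


def diagnose(record):
    """Summarise the mismatch along the lines of the troubleshooting guidance above."""
    expected, cert = parse_record(record)
    tried = sorted({h for names in expected.values() for h in names})
    presented = sorted({n for section, names in cert.items()
                        if section == "Common Name" or "DNSNAME" in section
                        for n in names})
    matched = [(h, n) for h in tried for n in presented if hostname_matches(h, n)]
    if matched:
        next_step = "expected names appear in the certificate; the failure is not a plain name mismatch"
    else:
        next_step = ("no overlap: if the certificate names are not ones you trust, do not connect; "
                     "if they are trusted, fix the client's configured hostname or reissue the "
                     "certificate with the correct names")
    return {"client_expected": tried, "certificate_names": presented,
            "matches": matched, "next_step": next_step}


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
```

Run it against a record copied from a real db2diag.log (one record per call) to see at a glance which side disagrees; the "Hostname of the last connected alternate server" label legitimately has no value when the client has never been redirected to an alternate server, which is why the parser tolerates a label with no following data point.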

Consult the TLS hostname validation documentation for more information about how to properly create server certificates for your environment.