ssl_cipherspecs - Supported cipher specifications at the server configuration parameter

This configuration parameter specifies the cipher suites that the server allows for incoming connection requests when using the Transport Layer Security (TLS) protocol. This parameter also affects TLS communication between HADR Primary and Standby servers.

Important:

In response to CVE-2023-32342, Db2 releases with KI DT223175 use the non-FIPS IBM Crypto for C (ICC) for TLS ciphers that use RSA key exchange, because the FIPS certified ICC is vulnerable to CVE-2023-32342. Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable strict FIPS mode.

The FIPS certified ICC is unavailable on 32-bit and macOS platforms. On those platforms, Db2 automatically switches to the non-FIPS ICC.

In strict FIPS mode, Db2 releases with KI DT223175 disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.

The following restrictions apply to TLS when strict mode is enabled in Db2 releases that contain KI DT223175:
  • TLS 1.0 and 1.1 are disabled in strict mode regardless of the SSL_VERSIONS setting, because their only supported ciphers use RSA key exchange. If the SSL_VERSIONS DBM CFG parameter is unset, or is set to TLSV1, TLS 1.2 is enabled in its place.
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) are disabled. If no ciphers remain in the SSL_CIPHERSPECS DBM CFG parameter after they are removed, the SSL environment fails to initialize. For instances that use RSA certificates, configure the SSL_CIPHERSPECS DBM CFG parameter with TLS_ECDHE_RSA ciphers so that no certificate change is required.
  • TLS 1.3 is unaffected by CVE-2023-32342, and its behavior does not change in strict FIPS mode.
For more information regarding how to enable strict FIPS mode, see Industry standards.
Configuration type
Database manager
Applies to
  • Database server with local and remote clients
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Configurable
Default [range]

The default value for SSL_CIPHERSPECS is NULL. When the SSL_CIPHERSPECS parameter is set to NULL, all valid cipherspecs for the TLS version set in the SSL_VERSIONS parameter are enabled. The valid cipherspecs vary with the FIPS mode configured. See the lists below for the valid cipherspecs for each SSL_VERSIONS setting.

If the SSL_CIPHERSPECS parameter contains only cipherspecs that apply to one TLS version, but the SSL_VERSIONS parameter contains multiple TLS versions, all valid cipherspecs are enabled for the remaining TLS version.

You can specify multiple cipher specifications, such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. They must be separated by a comma (,) with no space either before or after the comma.

During a TLS handshake, if the parameter is NULL or multiple values are specified, the client and the server negotiate and select the most secure cipher suite that both support. If no compatible cipher suite is found, the connection fails. You cannot prioritize the cipher suites by specifying one before another: the order of the list has no effect.

If you set ssl_versions to TLSV12, the following values are valid for ssl_cipherspecs.
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Note: The following cipher suites are disabled by default in FIPS compatibility mode and in strict FIPS mode in response to CVE-2023-32342. To enable them, the server must be set to run in NOFIPS mode:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
If you set SSL_VERSIONS to TLSV13, the following values are valid for ssl_cipherspecs. Cipher specifications for TLS 1.3 are defined in three groups:
  • Ciphers
  • Key exchange groups
  • Signature schemes
If options from only one group are specified, all valid options are enabled for the remaining groups.
Table 1. TLS 1.3 Ciphers (option: description)
  • TLS_AES_128_GCM_SHA256: AES128 encryption in Galois/Counter mode and SHA-256 hash
  • TLS_AES_256_GCM_SHA384: AES256 encryption in Galois/Counter mode and SHA-384 hash
  • TLS_AES_128_CCM_SHA256: AES128 encryption in Counter with CBC-MAC mode and SHA-256 hash
  • TLS_AES_128_CCM_8_SHA256: AES128 encryption in Counter with CBC-MAC mode with an 8-byte ICV and SHA-256 hash
  • TLS_CHACHA20_POLY1305_SHA256: ChaCha20 stream cipher with Poly1305 MAC and SHA-256 hash
Note: The TLS_CHACHA20_POLY1305_SHA256 cipher is disabled in strict FIPS mode, and enabled in the other FIPS modes if configured.
Table 2. TLS 1.3 Key Exchange Groups (option: description)
  • X25519: ECDH key exchange using the 25519 elliptic curve
  • X448: ECDH key exchange using the 448 elliptic curve
  • SECP256R1: ECDSA key exchange using the secp256r1 elliptic curve
  • SECP384R1: ECDSA key exchange using the secp384r1 elliptic curve
  • SECP521R1: ECDSA key exchange using the secp521r1 elliptic curve
Note: The following key exchange groups are disabled in strict FIPS mode, and enabled in the other FIPS modes if configured:
  • X25519
  • X448
Table 3. TLS 1.3 Signature Schemes (option: description)
  • RSA_PKCS1_SHA256: RSASSA-PKCS1-v1_5 signature with SHA-256 hash
  • RSA_PKCS1_SHA384: RSASSA-PKCS1-v1_5 signature with SHA-384 hash
  • RSA_PKCS1_SHA512: RSASSA-PKCS1-v1_5 signature with SHA-512 hash
  • ECDSA_SECP256R1_SHA256: ECDSA signature using the secp256r1 elliptic curve with SHA-256 hash
  • ECDSA_SECP384R1_SHA384: ECDSA signature using the secp384r1 elliptic curve with SHA-384 hash
  • ECDSA_SECP521R1_SHA512: ECDSA signature using the secp521r1 elliptic curve with SHA-512 hash
  • RSA_PSS_RSAE_SHA256: RSASSA-PSS signature with SHA-256 hash. Public keys present in certificates must use the rsaEncryption OID.
  • RSA_PSS_RSAE_SHA384: RSASSA-PSS signature with SHA-384 hash. Public keys present in certificates must use the rsaEncryption OID.
  • RSA_PSS_RSAE_SHA512: RSASSA-PSS signature with SHA-512 hash. Public keys present in certificates must use the rsaEncryption OID.
  • RSA_PSS_PSS_SHA256: RSASSA-PSS signature with SHA-256 hash. Public keys present in certificates must use the RSASSA-PSS OID.
  • RSA_PSS_PSS_SHA384: RSASSA-PSS signature with SHA-384 hash. Public keys present in certificates must use the RSASSA-PSS OID.
  • RSA_PSS_PSS_SHA512: RSASSA-PSS signature with SHA-512 hash. Public keys present in certificates must use the RSASSA-PSS OID.
Note: TLS 1.3 supports the RSA_PKCS1_* signature schemes for certificates only. If an RSA_PKCS1 signature scheme is selected for your certificate, you must configure at least one other, non-PKCS1 signature scheme.
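The rules above (comma-separated values with no spaces, NULL meaning "all valid specs", RSA key exchange suites dropping out of TLS 1.2 outside NOFIPS mode, the three TLS 1.3 option groups, and the certificate-only RSA_PKCS1_* schemes) are easy to get wrong when planning a change before a FIPS mode switch. The following script is an added example, not Db2's own code: it models those documented rules so that a planned SSL_VERSIONS / SSL_CIPHERSPECS combination can be checked offline before it is applied. The FIPS mode labels NOFIPS, COMPAT and STRICT are constructed names for the three modes the page describes, and treating an emptied TLS 1.3 option group as a failure is an assumption that mirrors the documented TLS 1.2 behavior.

```python
"""Model of the SSL_CIPHERSPECS rules described on this page (a constructed
example, not Db2's own code). Given SSL_VERSIONS, a FIPS mode and a candidate
SSL_CIPHERSPECS value, it returns the cipher specs the server would end up
with, or raises where the page says the SSL environment fails to initialize."""

# Valid TLS 1.2 cipher specs, as listed on the page.
TLS12_CIPHERS = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
}
# RSA key exchange suites: enabled only when the server runs in NOFIPS mode.
TLS12_RSA_KEX = {c for c in TLS12_CIPHERS if c.startswith("TLS_RSA_")}

# TLS 1.3 options, grouped the way the page groups them.
TLS13_GROUPS = {
    "ciphers": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"},
    "key_exchange": {"X25519", "X448", "SECP256R1", "SECP384R1", "SECP521R1"},
    "signature": {"RSA_PKCS1_SHA256", "RSA_PKCS1_SHA384", "RSA_PKCS1_SHA512",
                  "ECDSA_SECP256R1_SHA256", "ECDSA_SECP384R1_SHA384",
                  "ECDSA_SECP521R1_SHA512",
                  "RSA_PSS_RSAE_SHA256", "RSA_PSS_RSAE_SHA384", "RSA_PSS_RSAE_SHA512",
                  "RSA_PSS_PSS_SHA256", "RSA_PSS_PSS_SHA384", "RSA_PSS_PSS_SHA512"},
}
# TLS 1.3 options the page says are disabled only in strict FIPS mode.
TLS13_STRICT_DISABLED = {"TLS_CHACHA20_POLY1305_SHA256", "X25519", "X448"}

# Constructed labels for the three FIPS modes the page mentions.
FIPS_MODES = ("NOFIPS", "COMPAT", "STRICT")


def parse_cipherspecs(value):
    """Split SSL_CIPHERSPECS. The page requires commas with no surrounding
    spaces, so whitespace is rejected instead of being silently stripped."""
    if not value:  # NULL: every valid cipher spec is enabled
        return []
    if any(ch.isspace() for ch in value):
        raise ValueError("SSL_CIPHERSPECS must not contain whitespace")
    specs = value.split(",")
    if "" in specs:
        raise ValueError("empty cipher spec (stray comma) in SSL_CIPHERSPECS")
    return specs


def effective_tls12(specs, fips_mode):
    """TLS 1.2: no listed spec for this version means all valid ones; RSA key
    exchange suites drop out unless NOFIPS; nothing left is a fatal error."""
    allowed = TLS12_CIPHERS if fips_mode == "NOFIPS" else TLS12_CIPHERS - TLS12_RSA_KEX
    chosen = [s for s in specs if s in TLS12_CIPHERS] or sorted(TLS12_CIPHERS)
    remaining = [s for s in chosen if s in allowed]
    if not remaining:
        raise RuntimeError("SSL environment fails to initialize: no TLS 1.2 "
                           "cipher remains after removing RSA key exchange suites")
    return remaining


def effective_tls13(specs, fips_mode):
    """TLS 1.3: each group with no listed option gets all valid options;
    strict FIPS removes ChaCha20, X25519 and X448; RSA_PKCS1_* schemes are
    for certificates only, so at least one other scheme must survive."""
    result = {}
    for group, valid in TLS13_GROUPS.items():
        chosen = [s for s in specs if s in valid] or sorted(valid)
        if fips_mode == "STRICT":
            chosen = [s for s in chosen if s not in TLS13_STRICT_DISABLED]
        if not chosen:  # assumption: mirrors the documented TLS 1.2 failure
            raise RuntimeError(f"no TLS 1.3 {group} option remains in strict FIPS mode")
        result[group] = chosen
    if all(s.startswith("RSA_PKCS1_") for s in result["signature"]):
        raise RuntimeError("RSA_PKCS1_* schemes cover certificates only; add "
                           "at least one non-PKCS1 signature scheme")
    return result


def effective_config(ssl_versions, ssl_cipherspecs, fips_mode):
    """Return {version: enabled specs} for the given DBM CFG settings."""
    if fips_mode not in FIPS_MODES:
        raise ValueError(f"unknown FIPS mode {fips_mode!r}")
    specs = parse_cipherspecs(ssl_cipherspecs)
    versions = ssl_versions.split(",") if ssl_versions else []
    if fips_mode == "STRICT":
        # TLS 1.0/1.1 are off in strict mode; unset or TLSV1 becomes TLS 1.2.
        versions = [v for v in versions if v != "TLSV1"] or ["TLSV12"]
    valid = set(TLS12_CIPHERS) if "TLSV12" in versions else set()
    if "TLSV13" in versions:
        for options in TLS13_GROUPS.values():
            valid |= options
    unknown = [s for s in specs if s not in valid]
    if unknown:
        raise ValueError(f"not valid for SSL_VERSIONS={versions}: {unknown}")
    result = {}
    if "TLSV12" in versions:
        result["TLSV12"] = effective_tls12(specs, fips_mode)
    if "TLSV13" in versions:
        result["TLSV13"] = effective_tls13(specs, fips_mode)
    return result


if __name__ == "__main__":
    # Planned setting for an instance with an RSA certificate, checked in strict mode:
    # the TLS_RSA_* suite drops out and only the ECDHE_RSA suite remains for TLS 1.2.
    print(effective_config(
        "TLSV12,TLSV13",
        "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "STRICT"))
```

Run it with the value you intend to put into SSL_CIPHERSPECS and the FIPS mode you plan to enable; a RuntimeError reproduces the cases where the page says initialization fails (an all-TLS_RSA_* list outside NOFIPS mode, or an RSA_PKCS1-only signature list), and a ValueError catches formatting mistakes such as a space after a comma before they reach the server.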