ssl_versions - Supported SSL versions at the server configuration parameter
This configuration parameter specifies Secure Sockets Layer (SSL) and Transport Layer Security (TLS) versions that the server supports for incoming connection requests.
In response to CVE-2023-32342, Db2 releases with KI DT223175 use the non-FIPS IBM Crypto for C (ICC) for TLS ciphers that use RSA key exchange, because the FIPS certified ICC is vulnerable to CVE-2023-32342. Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable Strict FIPS mode.
Note: The FIPS certified ICC is unavailable on 32-bit and macOS platforms. Db2® automatically switches to the non-FIPS ICC on those platforms.
In strict FIPS mode, Db2 releases with KI DT223175 disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.
- TLS 1.0 and 1.1 are disabled in strict mode regardless of the SSL_VERSIONS setting, because the only supported ciphers use RSA key exchange. If the SSL_VERSIONS DBM CFG parameter is unset, or is set to TLSV1, TLS 1.2 is enabled in its place.
- TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) are disabled. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, the SSL environment fails to initialize. For instances that use RSA certificates, the SSL_CIPHERSPECS DBM CFG parameter must be configured to use TLS_ECDHE_RSA ciphers so that no certificate changes are required.
- TLS 1.3 is unaffected by CVE-2023-32342, and behavior does not change in strict FIPS mode.
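The following pre-change check is an added example, not IBM code: it applies the strict FIPS mode rules listed above to the current SSL_VERSIONS and SSL_CIPHERSPECS values and reports what would remain. The function and field names are hypothetical, the sample values are constructed, and an unset SSL_CIPHERSPECS (server default cipher list) is assumed to be out of scope.

```python
# Added example: models only the strict FIPS mode rules stated on this page.
from dataclasses import dataclass


@dataclass
class StrictFipsResult:
    versions: list        # effective SSL_VERSIONS values in strict mode
    ciphers: list         # cipher specs left after TLS_RSA_* removal
    removed: list         # cipher specs disabled in strict mode
    ssl_init_fails: bool  # True when a configured cipher list is emptied
    rsa_cert_ok: bool     # a TLS_ECDHE_RSA_* spec remains for RSA certificates


def _split(value):
    """Split a comma-separated DBM CFG value; None or '' means unset."""
    return [v.strip().upper() for v in (value or "").split(",") if v.strip()]


def strict_fips_preview(ssl_versions, ssl_cipherspecs):
    requested = _split(ssl_versions)
    if not requested:
        # Unset: use the default stated on this page (TLS 1.2 and TLS 1.3).
        versions = ["TLSV12", "TLSV13"]
    else:
        # TLSV1 is replaced by TLS 1.2; other values stay as configured.
        versions = []
        for v in requested:
            v = "TLSV12" if v == "TLSV1" else v
            if v not in versions:
                versions.append(v)
    specs = _split(ssl_cipherspecs)
    removed = [c for c in specs if c.startswith("TLS_RSA_")]
    kept = [c for c in specs if not c.startswith("TLS_RSA_")]
    return StrictFipsResult(
        versions=versions,
        ciphers=kept,
        removed=removed,
        # Only a configured list can be emptied; an unset list is not modelled.
        ssl_init_fails=bool(specs) and not kept,
        rsa_cert_ok=any(c.startswith("TLS_ECDHE_RSA_") for c in kept),
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from a real instance.
    print(strict_fips_preview(
        "TLSV1,TLSV12",
        "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"))
    print(strict_fips_preview(None, "TLS_RSA_WITH_AES_128_GCM_SHA256"))
```

A result with `ssl_init_fails` set means SSL_CIPHERSPECS needs a non-TLS_RSA_* entry before strict FIPS mode is enabled.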
- Configuration type: Database
- Parameter type: Configurable
- Default [range]: Null [TLSV12, TLSV13]
  - TLS 1.2 and TLS 1.3 are enabled by default.
The default value for SSL_VERSIONS is NULL. If you set the parameter to NULL, the parameter enables support for TLS 1.2 and TLS 1.3.
If you set the parameter to TLSV12 (RFC 5246), the parameter enables support for TLS 1.2.
If you set the parameter to TLSV13 (RFC 8446), the parameter enables support for TLS 1.3.