Hostname validation for Db2 clients

With the release of Db2 11.5.6, Db2 clients can verify the hostname that appears in a Db2 server's Transport Layer Security (TLS, formerly known as SSL) certificate against the server for which they are configured to connect. Using hostname validation, Db2 clients have an added layer of security when negotiating secure connections to Db2 servers during a TLS handshake.

Attention: TLS was developed in 1999 as the successor to the popular encryption protocol Secure Socket Layer (SSL). Because of the popularity of SSL, the acronym is now synonymous with encryption technology and by association, TLS. As a result, some Db2® commands and database objects that are related to TLS encryption still contain 'ssl' in their names. However, Db2 does not use the SSL protocol for data encryption. Any references to SSL in this guide can be interpreted as TLS.

How hostname validation works

When a Db2 client sends a client hello message to a Db2 server during a TLS handshake, the server responds with it's own server hello message, which includes, among other things, its certificate. It is at this point that the client authenticates the server using this certificate.

If hostname validation is enabled, the client verifies that the hostname to which it is configured to connect matches one of the hostnames present in the certificate. The server’s identity can be represented using different fields in the certificate. Once the client authenticates the server, both parties perform key exchange and a successful TLS connection is established.

Here is an example scenario where the client connects to the database server at xyz.example.com with TLS and hostname validation enabled:
  1. A Db2 client initiates a connection with a Db2 server:
    Hostname=xyz.example.com;Security=SSL;SSLClientHostnameValidation=Basic;Database=….
  2. The server responds with its certificate:
    Key Size : 2048
    Version : X509 V3
    Serial : xxx
    Issuer : CN=Example Enterprise CA
    Subject : CN=xyz.example.com
    Not Before : November 26, 2020 4:44:11 PM EST
    
    Not After : November 27, 2021 4:44:11 PM EST
    
    Extensions
        subjectAlternativeName
            dNSName: xyz.example.com
    
    Signature Algorithm : SHA1WithRSASignature
  3. The client performs hostname validation. In this case, it is successful because the certificate contains xyz.example.com as its subject alternate name (SAN).
  4. The rest of the handshake takes place and a secure connection is established with the server.
Note: If hostname validation fails, SQL20576N with SQLSTATE 08001 is returned to the client and an error message is logged to the db2diag.log. This message includes one or more hostnames contained in the server certificate and any hostnames that the client used to match against this certificate.