Considerations when enabling TLS 1.3 in Db2

Starting in Db2 11.5.8, support for TLS 1.3 was added to the Db2 server and Db2 clients. In 12.1, TLS 1.3 is enabled by default. Certain restrictions apply to enhance security when using TLS 1.3.

Certificates

Certain restrictions apply when enabling TLS 1.3 on Db2 servers and supported clients:
  • When TLS 1.3 support is enabled in a Db2 server, the certificate chosen must use a SHA-2 hash algorithm such as SHA256, SHA384, or SHA512. SHA-1 and > SHA-224 are not supported. In addition, RSA certificates must use a 2048-bit or larger key size.
    Warning: These restrictions apply whenever TLS 1.3 is enabled in a Db2 server, even if both TLS 1.3 and TLS 1.2 are enabled and TLS 1.2 is negotiated.
  • Starting in 11.5.8, non-Java Db2 clients enable TLS 1.3 by default. For improved compatibility with existing installations, non-Java clients allow RSA key sizes less than 2048 bits, and SHA-1 certificates when falling back to TLS 1.2 or 1.1. To enforce TLS 1.3, use the TLSVersion client configuration keyword.
  • Due to the enablement of TLS 1.3, non-Java clients will not be able to connect to Db2 servers using SHA-224 certificates. To allow connections to Db2 servers using SHA-224 certificates, re-generate the server certificate using SHA-256 or better, or explicitly restrict the client to TLS 1.2 or below using the TLSVersion configuration keyword.
  • For HADR environments, SHA-1 certificates can not be used with TLS 1.3.

Older clients that do not support TLS 1.3

If TLS 1.3 is enabled as the only protocol, older clients that do not support TLS 1.3 will not be able to connect to Db2. If your environment contains clients that do not support TLS 1.3, it is recommended to enable both TLS 1.3 and TLS 1.2. This can be done by setting the SSL_VERSIONS database manager configuration parameter to TLSV12,TLSV13.

TLS 1.3 is not support by the following clients:
  • All 9.7, 10.1, 10.5, and 11.1 clients
  • 11.5 clients prior to 11.5.8
  • IBM Java releases prior to 8.0.6.25

Older clients that do not support TLS 1.2

When TLS 1.3 support is enabled, non-Java clients that only support TLS 1.1 will not be able to connect, even if the TLS 1.1 protocol is enabled. In an environment using one of the following Db2 client levels, it is recommended to upgrade the client.

  • Db2 9.7 FP8 and prior supports TLS 1.1 only. Db2 9.7 FP9 and later clients add support for TLS 1.2
  • Db2 10.1 FP3 and prior supports TLS 1.1 only. Db2 10.1 FP4 and later clients add support TLS 1.2
  • Db2 10.5 FP2 and prior supports TLS 1.1 only. Db2 10.5 FP3 and later clients add support TLS 1.2
  • All 11.1 and 11.5 clients support TLS 1.2

Java environments that do not support TLS 1.3

Java clients using a runtime environment that does not support TLS 1.3 must ensure the SSL socket factory provided by the JRE does not use an SSLv2 compatible client. This can be achieved by prepending jdk.tls.disabledAlgorithms with "SSLv2Hello" in the java.security configuration file, typically found under jre/lib/security/java.security.

jdk.tls.disabledAlgorithms=SSLv2Hello, ...