DB2 Version 9.7 for Linux, UNIX, and Windows

Supported cipher suites

During an SSL handshake, the client and server negotiate which cipher suite to use to exchange data. A cipher suite is a set of algorithms that are used to provide authentication, encryption, and data integrity.

The DB2® database system uses GSKit running in FIPS mode to provide SSL support. GSKit supports the following cipher suites:

The name of each cipher suite specifies the algorithms that it uses for authentication, encryption, and data integrity checking. For example, the cipher suite TLS_RSA_WITH_AES_256_CBC_SHA uses RSA for authentication; AES 256-bit and CBC for encryption algorithms; and SHA-1 for the hash function for data integrity.

During the SSL handshake, the DB2 database system automatically picks the strongest cipher suite supported by both the client and the server. If you want the server to accept only one or more specific cipher suites, you can set the ssl_cipherspecs configuration parameter to any of the following values:

You cannot prioritize which cipher suite is selected. If you set the ssl_cipherspecs configuration parameter, the DB2 database system picks the strongest available cipher suite; this selection does not depend on the order you specify the cipher suites when you set ssl_cipherspecs.