ssl_versions - Supported SSL versions at the server configuration parameter

This configuration parameter specifies Secure Sockets Layer (SSL) and Transport Layer Security (TLS) versions that the server supports for incoming connection requests.

Important: Use of versions 1.0 and 1.1 of the Transport Layer Security (TLS) protocol is deprecated. We recommend using TLS version 1.2.
Configuration type
Database
Applies to
  • Database server with local and remote clients
  • Database server with local clients
  • Partitioned database server with local and remote clients
Parameter type
Configurable
Default [range]
Null [TLSV1,TLSV12]

The default value for SSL_VERSIONS is NULL. If you set the parameter to NULL, the parameter enables support for TLS 1.2. In Db2 versions prior to 11.5.9, the value NULL enables support for TLS 1.1 and 1.0. TLS 1.3 is not enabled by default.

Note: During the TLS handshake, the client and the server negotiate and find the most secure version to use. If there is no compatible version between the client and the server, the connection fails. If the client supports TLS 1.0 and TLS 1.1, but the server supports TLS 1.0 only, then TLS 1.0 is used.

With Db2® 11.5.8 and later, setting the SSL_VERSIONS parameter to TLSV13 (RFC8446) enables support for TLS 1.3. If you set the parameter to TLSV12 (RFC5246), the parameter enables support for TLS 1.2. This setting is required to comply with NIST SP 800-131A.

If you set the parameter to TLSV12 and TLSV1, the parameter enables support for TLS 1.2 with the option to fall back on TLS 1.0 and 1.1.
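
The following added example (not IBM code) models the rules stated on this page: which TLS versions each SSL_VERSIONS value enables at a given Db2 level, which deprecated versions a setting leaves on, and the negotiation outcome described in the note. The function names, the `(major, minor, modpack)` level tuple, and comma-separated values (as in the range line) are assumptions of the example.

```python
# Added example: models the SSL_VERSIONS semantics stated on this page.
# Function names and the (major, minor, modpack) level tuple are assumptions.

DEPRECATED = {"1.0", "1.1"}          # deprecated per the page's Important note
TOKEN_MAP = {
    "TLSV1": {"1.0", "1.1"},         # TLSV1 covers the TLS 1.0 and 1.1 fallback
    "TLSV12": {"1.2"},
    "TLSV13": {"1.3"},
}

def _rank(version):
    return tuple(int(part) for part in version.split("."))

def enabled_versions(value, db2_level):
    """Return the set of TLS versions the server accepts for this setting."""
    text = (value or "").strip().upper()
    if text in ("", "NULL"):
        # NULL means TLS 1.2 from 11.5.9 on, and TLS 1.0/1.1 before that
        return {"1.2"} if db2_level >= (11, 5, 9) else {"1.0", "1.1"}
    enabled = set()
    for token in (t.strip() for t in text.split(",")):
        if token not in TOKEN_MAP:
            raise ValueError(f"unknown SSL_VERSIONS token: {token!r}")
        if token == "TLSV13" and db2_level < (11, 5, 8):
            raise ValueError("TLSV13 needs Db2 11.5.8 or later")
        enabled |= TOKEN_MAP[token]
    return enabled

def negotiate(server, client):
    """Pick the highest version both sides support; None means the connection fails."""
    common = server & client
    return max(common, key=_rank) if common else None

def audit(value, db2_level):
    """Return the deprecated versions this setting leaves enabled, sorted."""
    return sorted(enabled_versions(value, db2_level) & DEPRECATED, key=_rank)

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real instance
    for value, level in [("NULL", (11, 5, 7)), ("NULL", (11, 5, 9)),
                         ("TLSV12,TLSV1", (11, 5, 9)), ("TLSV12", (11, 5, 9))]:
        print(value, level, "deprecated enabled:", audit(value, level) or "none")
```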