TLSVersion CLI/ODBC configuration keyword

Set the TLS Version to be used for communication between the client and server.

Important:

In response to CVE-2023-32342, Db2 releases with KI DT223175 will use the non-FIPS IBM Crypto for C (ICC) for TLS ciphers that use RSA key exchange, as the FIPS certified IBM Crypto for C (ICC) is vulnerable to CVE-2023-32342.

Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable Strict FIPS mode. In strict FIPS mode, Db2 releases with KI DT223175 will disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.

The following restrictions will apply to TLS when strict mode is enabled in Db2 releases that contain KI DT223175:
  • TLS 1.0 and 1.1 will be disabled in strict mode regardless of the SSL_VERSIONS setting, as the only supported ciphers use RSA key exchange. If the SSL_VERSIONS DBM CFG parameter is unset, or is set to TLSV1, TLS 1.2 will be enabled in its place.
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) will be disabled. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, all supported ECDHE ciphers will be enabled. For instances using RSA certificates, Db2 will automatically prefer TLS_ECDHE_RSA ciphers for TLS 1.2 and no certificate change is required.
  • TLS 1.3 is unaffected by CVE-2023-32342, and behavior will not change in strict FIPS mode.
For further details on how to enable strict FIPS mode, refer to Industry Standards.
Attention: This keyword is available in Db2 11.5.6 and later versions.
db2cli.ini keyword syntax:
TLSVersion = NULL | TLSV1 | TLSV12 | TLSV13
Default setting:
NULL
Usage notes:
This option sets the TLS version to be used for communication from the client/driver.

When the TLSVersion parameter is not set, or is set to NULL, TLS 1.2 and TLS 1.3 are enabled. In Db2 versions prior to 11.5.9, and Db2 11.5.8 releases without KI DT245990, all TLS versions are enabled.

Note: TLS 1.3 support (TLSV13) is available in 11.5.8 and later versions.
Note: In Db2 11.5.8 and later versions, the client does not support SHA-224 certificates in the default configuration. To re-enable support for SHA-224 certificates, the TLSVersion parameter must be set to TLSV12 or TLSV1.
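The following audit script is an added example, not IBM's code and not part of this page. It reads a db2cli.ini file and reports, per data source section, which TLS versions the TLSVersion keyword leaves enabled according to the usage notes above (NULL/unset, TLSV1, TLSV12, TLSV13). The sample file content is constructed; the data source names, hostnames, and the Database, Hostname, Port and SecurityTransportMode entries are realistic filler. It assumes that a setting in the [COMMON] section applies to every data source that does not override it, and that an unset keyword behaves as NULL.

```python
"""Audit TLSVersion settings in a db2cli.ini file (added example, not IBM code)."""
import configparser
from typing import Dict, Optional

# Constructed sample db2cli.ini content; data source names and hosts are made up.
SAMPLE_DB2CLI_INI = """\
[COMMON]
TLSVersion=NULL

[SALESDB]
Database=SALESDB
Hostname=db2.example.invalid
Port=50001
SecurityTransportMode=SSL
TLSVersion=TLSV1

[HRDB]
Database=HRDB
Hostname=db2.example.invalid
Port=50001
SecurityTransportMode=SSL
TLSVersion=TLSV13

[REPORTS]
Database=REPORTS
Hostname=db2.example.invalid
Port=50001
SecurityTransportMode=SSL
"""

# Ratings derived from the usage notes: NULL enables TLS 1.2 and 1.3 on 11.5.9+
# (all versions on older clients); TLSV1 and TLSV12 re-enable SHA-224 certificates.
RATINGS = {
    "NULL": "ok: TLS 1.2 and 1.3 (11.5.9+); all TLS versions on older clients",
    "TLSV13": "ok: TLS 1.3 only",
    "TLSV12": "review: TLS 1.2 only, SHA-224 certificates re-enabled",
    "TLSV1": "high: pre-1.2 TLS and SHA-224 certificates re-enabled",
}


def parse_db2cli_ini(text: str) -> configparser.ConfigParser:
    """Parse db2cli.ini text, keeping keyword case (compared case-insensitively later)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_section(cp: configparser.ConfigParser, name: str) -> Optional[str]:
    """Return the section whose name matches case-insensitively, or None."""
    for section in cp.sections():
        if section.upper() == name.upper():
            return section
    return None


def get_keyword(cp: configparser.ConfigParser, section: str, keyword: str) -> Optional[str]:
    """Case-insensitive keyword lookup within one section."""
    for key, value in cp.items(section):
        if key.lower() == keyword.lower():
            return value.strip()
    return None


def effective_tls_version(cp: configparser.ConfigParser, section: str) -> str:
    """Data source setting wins; otherwise [COMMON] (assumed global); otherwise NULL."""
    value = get_keyword(cp, section, "TLSVersion")
    common = find_section(cp, "COMMON")
    if value is None and common is not None:
        value = get_keyword(cp, common, "TLSVersion")
    return (value or "NULL").upper()


def audit_tls_versions(text: str) -> Dict[str, str]:
    """Map each data source section to a rating of its effective TLSVersion."""
    cp = parse_db2cli_ini(text)
    findings: Dict[str, str] = {}
    for section in cp.sections():
        if section.upper() == "COMMON":
            continue
        value = effective_tls_version(cp, section)
        findings[section] = RATINGS.get(value, f"error: unrecognised TLSVersion value {value!r}")
    return findings


if __name__ == "__main__":
    for name, rating in audit_tls_versions(SAMPLE_DB2CLI_INI).items():
        print(f"{name}: {rating}")
```

Run against a real client's db2cli.ini by passing the file contents to audit_tls_versions; any section rated "high" is one where the keyword has been lowered to TLSV1 and so re-enables the legacy versions and SHA-224 certificates that the default configuration excludes.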