
Is there a way to make DB2 not accept SSL3?

I'm trying to secure a couple of DB2 databases I have on a couple of servers against the POODLE attack. I know you can do this through the operating system itself, but my question is: if I don't have control over the OS, can I at least make DB2 stop using SSL3?

I have many Java applications and some of them might be using SSL3. I want to be sure these applications will fail when they try to use SSL3 to connect to these DB2 databases.

M. A. Kishawy
  • I don't think it even uses SSL v3 -- only [TLS 1.0 and 1.1](http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0053616.html?cp=SSEPGG_10.5.0%2F2-4-4-7-85&lang=en) – mustaccio Oct 23 '14 at 15:27
  • IBM website says it does use SSL (not sure which version). http://www.ibm.com/developerworks/data/library/techarticle/dm-1306securesocketlayers/ – M. A. Kishawy Oct 23 '14 at 15:30
  • _SSL_ is used here as a generic term. Only the SSL v3 implementation of it is vulnerable, while DB2 uses more recent implementations: TLS 1.0 and TLS 2.0 – mustaccio Oct 23 '14 at 16:02
  • So are you saying any program trying to connect to DB2 through SSL3 will fail? – M. A. Kishawy Oct 23 '14 at 16:04
  • If I say yes, will you trust me and not test your environment? – mustaccio Oct 23 '14 at 16:40
  • :) I was hoping you would provide some trusted reference. – M. A. Kishawy Oct 23 '14 at 17:10

1 Answer


Starting with DB2 LUW 9.7 (I'm assuming you mean LUW here...), you can specify which implementation of SSL you want to use when doing the handshake. It looks like (at least since they implemented this configuration option) DB2 has only ever supported TLS. The configuration option is called ssl_version.

Additionally, you can specify which ciphers you wish to use with the ssl_cipherspecs configuration option. The default is to allow DB2 and the client to negotiate the strongest cipher they both understand.

bhamby
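As an added example (not part of the answer above and not IBM's own tooling), the check mustaccio was hinting at: a small POSIX shell script that reads the SSL parameters out of `db2 get dbm cfg` output, flags anything other than a TLS version in SSL_VERSIONS, and probes the listener with `openssl s_client` so you verify, rather than trust, that an SSLv3 handshake is refused while TLS still works. The parameter names SSL_VERSIONS (plural, as the database manager configuration prints it), SSL_SVCENAME and SSL_CIPHERSPECS, the accepted value list, and the sample configuration text are assumptions about the DB2 LUW 10.5 format; the sample is constructed, and `harden_instance` is shown but not invoked because it needs a live instance.

```sh
#!/bin/sh
# Added example: audit a DB2 LUW instance's SSL settings and probe its listener.
# Assumptions: `db2 get dbm cfg` prints "(PARAM_NAME) = value" lines, the
# parameters are named SSL_VERSIONS / SSL_SVCENAME / SSL_CIPHERSPECS, and
# SSL_VERSIONS accepts only TLS names (TLSV1, TLSV11, TLSV12, TLSV13).

# Constructed sample of `db2 get dbm cfg` output (only the SSL lines).
SAMPLE_DBM_CFG='
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/sslkeys/server.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/sslkeys/server.sth
 SSL server certificate label            (SSL_SVR_LABEL) = db2server
 SSL service name                         (SSL_SVCENAME) = 50001
 SSL cipher specs                      (SSL_CIPHERSPECS) =
 SSL versions                             (SSL_VERSIONS) = TLSV12
'

# Print the value of one DBM CFG parameter ("(NAME) = value") from cfg text on stdin.
dbm_cfg_value() {
  sed -n "s/^.*(${1}) *= *//p" | sed 's/[[:space:]]*$//'
}

# Classify a comma-separated SSL_VERSIONS value:
#   tls-only  every entry names a TLS version
#   empty     parameter unset, so the release default applies (check IBM's docs)
#   suspect   anything else, e.g. a typo or a value this script does not know
classify_ssl_versions() {
  [ -z "$1" ] && { echo empty; return; }
  for v in $(printf '%s' "$1" | tr ',' ' '); do
    case "$v" in
      TLSV1|TLSV11|TLSV12|TLSV13) ;;
      *) echo suspect; return ;;
    esac
  done
  echo tls-only
}

# Restrict the instance to TLS 1.2 and restart it. Needs a DB2 instance
# environment, so it is defined here but not called.
harden_instance() {
  db2 update dbm cfg using SSL_VERSIONS TLSV12 &&
  db2set DB2COMM=SSL,TCPIP &&
  db2stop force && db2start
}

# Probe the SSL listener: an SSLv3 handshake must fail, a TLS 1.2 one must succeed.
# If the local openssl was built without SSLv3 (the default since 1.1.0) the
# -ssl3 option does not exist and the probe cannot tell "refused" from
# "unsupported", so it bails out instead of reporting a false pass.
probe_listener() {
  host=$1; port=$2
  if ! openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
    echo "local openssl has no SSLv3 support; use an older client or nmap --script ssl-enum-ciphers"
    return 2
  fi
  if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
    echo "SSLv3 accepted on $host:$port -- NOT OK"
    return 1
  fi
  echo "SSLv3 refused on $host:$port -- OK"
  if openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>/dev/null | grep -q 'Protocol *: TLSv1.2'; then
    echo "TLS 1.2 accepted -- OK"
  else
    echo "TLS 1.2 handshake failed -- check SSL_VERSIONS and SSL_CIPHERSPECS"
  fi
}

# Offline demonstration against the constructed sample.
versions=$(printf '%s' "$SAMPLE_DBM_CFG" | dbm_cfg_value SSL_VERSIONS)
svcename=$(printf '%s' "$SAMPLE_DBM_CFG" | dbm_cfg_value SSL_SVCENAME)
echo "SSL_SVCENAME=${svcename:-<unset>} SSL_VERSIONS=${versions:-<unset>} -> $(classify_ssl_versions "$versions")"

# Live probe only when explicitly requested, e.g. DB2_SSL_HOST=db2host ./check.sh
if [ -n "$DB2_SSL_HOST" ]; then
  probe_listener "$DB2_SSL_HOST" "${DB2_SSL_PORT:-$svcename}"
fi
```

Two caveats for the Java side of the question: the DB2 JDBC driver negotiates through the JVM's own TLS stack, so the JVM's `jdk.tls.disabledAlgorithms` setting (SSLv3 is in it by default since Java 7u75 / 8u31) matters as much as the server setting, and an SSLv3-only client will fail against a TLS-only server exactly as the question wants, so run the probe above from the same hosts the applications run on rather than from the database server.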