Usage Notes
The SSLMODE parameter specifies the requested SSL mode for a connection to a server.
| Language | Variable Name |
|---|---|
| COBOL | DBCAREA-SSLMODE |
| C (DBCAREA.H) | sslmode |

| Routine | Action Taken |
|---|---|
| DBCHINI | writes |
| DBCHCL | reads (CON) |

| Used by | Action Taken |
|---|---|
| application program | writes |
The application sets SSLMODE to the mode to be used in a connection to a server. The following values are supported:
| Value | Description |
|---|---|
| D | disable. Establish an unencrypted connection using the non-TLS port. If data_encryption=Y is specified in clispb.dat or DBCAREA, the TeraGSS encryption mechanism is used. |
| A | allow. Establish an unencrypted connection using the non-TLS port. If data_encryption=Y is specified in clispb.dat or DBCAREA, the TeraGSS encryption mechanism is used. If the server is configured to accept connections on the non-TLS port but the attempt to connect to it fails (for example, a timeout), the connection attempt fails and returns an error. This is the default value for CLI. An encrypted (TLS) connection is used only in the fallback scenario where the administrator has disabled the non-TLS port and enabled the TLS port. |
| P | prefer. Establish an encrypted (TLS) connection if the server supports TLS and the TLS port is enabled. If the server is configured to accept connections on the TLS port but the attempt to connect to it fails (for example, a timeout), the connection attempt fails and returns an error. An unencrypted connection to the non-TLS port is used in the following fallback scenarios: |
| R | require. Establish an encrypted (TLS) connection if the server supports TLS connections. The connection attempt fails if a TLS connection cannot be established; there is no fallback to the non-TLS port. |
| C | verify-ca. Similar to require, but additionally verify the server's Certificate Authority (CA) certificate against the configured trusted CA certificates. The connection attempt fails if no valid matching CA certificate is found. |
| F | verify-full. Similar to verify-ca, but additionally verify the server's host name identity: the host name the client uses to connect is checked against the identity in the certificate the server sends. The host name is matched against the certificate's Subject Alternative Name (SAN) attribute(s), or against the Common Name attribute if no SAN of type "DNS Name" is present; the connection fails on a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. If a certificate name attribute starts with an asterisk (*), the asterisk is treated as a wildcard that matches any characters except a dot (.), so the certificate does not match subdomains. If the connection is made using an IP address instead of a host name, the IP address itself is matched, without any DNS lookup. |
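The verify-full host identity rules in the table (SAN before CN, single-label wildcard, no subdomain matching, IP literals compared without DNS) as an added C example; this is not CLI code, and the `cert_ids` structure and the choice to compare IP literals against SAN IP entries are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>

/* Constructed view of the server certificate's identities (not a CLI structure):
 * SAN "DNS Name" entries, SAN "IP Address" entries, and the subject Common Name. */
struct cert_ids { const char *const *san_dns; int n_san_dns;
                  const char *const *san_ip;  int n_san_ip; const char *cn; };

/* Parse an IPv4/IPv6 literal to binary; returns the address family or 0.
 * This never performs a DNS lookup. */
static int parse_ip(const char *s, unsigned char out[16]) {
    if (inet_pton(AF_INET, s, out) == 1) return AF_INET;
    if (inet_pton(AF_INET6, s, out) == 1) return AF_INET6;
    return 0;
}

/* Match one certificate name against the connecting host name (case-insensitive).
 * A leading '*' matches any run of characters except '.', so "*.example.com"
 * matches "db.example.com" but not "a.db.example.com" (no subdomain matching). */
static bool name_matches(const char *pattern, const char *host) {
    if (pattern[0] != '*') return strcasecmp(pattern, host) == 0;
    size_t rest_len = strlen(pattern + 1), host_len = strlen(host);
    if (host_len < rest_len) return false;
    size_t prefix_len = host_len - rest_len;
    if (memchr(host, '.', prefix_len) != NULL) return false; /* '*' may not span a dot */
    return strcasecmp(host + prefix_len, pattern + 1) == 0;
}
/* verify-full identity step (SSLMODE=F). Assumption: an IP literal is compared
 * against SAN IP entries in binary form ("::1" equals "0:0:0:0:0:0:0:1"); a host
 * name is compared against SAN DNS entries, and against the CN only when the
 * certificate has no SAN DNS entry. The verify-ca chain check is out of scope. */
bool verify_full_identity(const char *host, const struct cert_ids *c) {
    unsigned char hb[16], cb[16];
    int fam = parse_ip(host, hb);
    if (fam != 0) {
        size_t n = (fam == AF_INET) ? 4 : 16;
        for (int i = 0; i < c->n_san_ip; i++)
            if (parse_ip(c->san_ip[i], cb) == fam && memcmp(hb, cb, n) == 0) return true;
        return false;
    }
    if (c->n_san_dns > 0) {
        for (int i = 0; i < c->n_san_dns; i++)
            if (name_matches(c->san_dns[i], host)) return true;
        return false; /* CN is ignored once a SAN DNS Name is present */
    }
    return c->cn != NULL && name_matches(c->cn, host);
}
```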