Phillip,

Thanks for your feedback, but this is what we have tried so far, and we are unable to achieve what we want.

When using the following: ^.*GCM_SHA384$,^.*GCM_SHA256$, we get this:

|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A

===============================

When using the following: ^.*POLY1305_SHA256$, we get this:

|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A

===========================

When using the following: ^TLS_ECDHE.*, we get this:

|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

================================

When using the following: ^TLS_AKE.*, we get this:

2023-08-18 07:20:38,567 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching '^TLS_AKE.*' is supported

================================

When using the following:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AKE_WITH_AES_128_GCM_SHA256,TLS_AKE_WITH_AES_256_GCM_SHA384,TLS_AKE_WITH_CHACHA20_POLY1305_SHA256

we get this:

|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A

with the following errors:

2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching 'TLS_AKE_WITH_AES_128_GCM_SHA256' is supported
2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching 'TLS_AKE_WITH_AES_256_GCM_SHA384' is supported
2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256' is supported

=================

Ultimately we want this (no DHE and no CBC, but we are unable to find a perfect regex syntax):

|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

Please advise.

Martin.

On 2023/08/17 14:23:28 Phillip Lord wrote:
> I think you just need to adjust your regex here...
>
> Have you tried something like this... ^TLS_ECDHE.*
>
> Thanks,
> Phil
>
> On Thu, Aug 17, 2023 at 8:26 AM Martin Fong <ma...@toronto.ca> wrote:
>
> > I would like to find out the syntax to set only ECDHE*.
> >
> > The following works:
> > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> >
> > The following does not work:
> > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> >
> > This will work, but I want the whole ECDHE* and nothing else, and it will be
> > a very long line to set them up.
> > nifi.web.https.ciphersuites.include=
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> >
> > 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> > No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> > 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> > No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> > TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> > TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
> > TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA]
> >
> > Please advise if there is a correct syntax just only for ECDHE*.
> >
> > Thanks,
> > Martin Fong
> > Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> > Technology Services Division, Technology Infrastructure Services
> > City of Toronto
> > 703 Don Mills Road, 2nd Floor
> > Toronto, ON
> > M3C 3N3
> > Tel: 416-397-7565
> > e-mail: martin.f...@toronto.ca<ma...@toronto.ca>
> >
> > This e-mail message is confidential and subject to copyright. Any
> > unauthorized use or disclosure is prohibited. If you have received this
> > email and are not the intended recipient, please advise and delete it.
> > Thank you.
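Added example, not from the thread: a small Python emulation of how Jetty's SslContextFactory applies each comma-separated entry of nifi.web.https.ciphersuites.include as a regex against the JVM's supported suite names (the list quoted in the WARN line above), assuming Jetty requires the whole name to match. The JVM names the TLS 1.3 suites TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256 and TLS_CHACHA20_POLY1305_SHA256, while TLS_AKE_WITH_... is only how the scan output above labels them, which is why ^TLS_AKE.* matches nothing; ECDHE_AEAD_ONLY is a constructed pattern, not one from the thread.

```python
import re

# Supported suite names copied from the Jetty WARN line quoted in the thread.
# Note the TLS 1.3 suites appear as TLS_AES_*/TLS_CHACHA20_*, with no TLS_AKE_ prefix.
SUPPORTED = """
TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_RSA_WITH_NULL_SHA256 TLS_ECDHE_ECDSA_WITH_NULL_SHA
TLS_ECDHE_RSA_WITH_NULL_SHA SSL_RSA_WITH_NULL_SHA
""".split()


def select(include_property, supported=SUPPORTED):
    """Emulate Jetty's include handling: split the property on commas, compile each
    entry as a regex and keep every supported suite whose whole name matches it
    (assumption: Jetty uses Matcher.matches(), so ^ and $ are redundant).
    Returns (selected suites in supported order, entries that matched nothing)."""
    selected, unmatched = [], []
    for entry in (e.strip() for e in include_property.split(",") if e.strip()):
        hits = [s for s in supported if re.fullmatch(entry, s)]
        if not hits:  # Jetty logs "No Cipher Suite matching '<entry>' is supported"
            unmatched.append(entry)
        for hit in hits:
            if hit not in selected:
                selected.append(hit)
    return selected, unmatched


# Constructed pattern (not from the thread): ECDHE-RSA AEAD suites plus the three
# TLS 1.3 suites under their JVM names; DHE, CBC and NULL suites cannot match it.
ECDHE_AEAD_ONLY = ("TLS_ECDHE_RSA_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384),"
                   "TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)")

if __name__ == "__main__":
    for prop in ("^TLS_AKE.*", "^TLS_ECDHE.*", ECDHE_AEAD_ONLY):
        sel, miss = select(prop)
        print(f"{prop}\n  selected: {sel}\n  unmatched: {miss}")
```

Because ^TLS_ECDHE.* is matched against the full supported list rather than the scanner's view, it also admits the ECDHE CBC and NULL suites in the WARN line above; the narrower pattern returns exactly the six suites the final wish list names, under their JVM spellings.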