Martin,

Java follows RFC naming conventions for cipher suites as mentioned in the
Java Security standard names table [1].

It looks like the "TLS_AKE_WITH_*" cipher names you are trying to match are
not used by Java.  I found one site [2] that mentions them as cipher codes
0x1301-0x1305.

From RFC 8446 [3], the names that Java would use for those ciphers
are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
and TLS_CHACHA20_POLY1305_SHA256.

Hope this helps.

[1] - https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
[2] - https://svn.nmap.org/nmap/nselib/tls.lua
[3] - https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4

-- Mike


On Fri, Aug 18, 2023 at 8:57 AM Martin Fong <martin.f...@toronto.ca> wrote:

> Phillip,
>
> Thanks for your feedback but this is what we have tried so far but unable
> to achieve what we want.
>
> When using the following:  ^.*GCM_SHA384$,^.*GCM_SHA256$, we get this:
>
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |   TLSv1.3:
> |     ciphers:
> |       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> ===============================
>
> When using the following: ^.*POLY1305_SHA256$, we get this:
>
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> |   TLSv1.3:
> |     ciphers:
> |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> ===========================
>
> When using the following: ^TLS_ECDHE.*, we get this:
>
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>
> ================================
>
> When using the following: ^TLS_AKE.*, we get this:
>
> 2023-08-18 07:20:38,567 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching '^TLS_AKE.*' is supported
>
> ================================
>
> When using the following:
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AKE_WITH_AES_128_GCM_SHA256,TLS_AKE_WITH_AES_256_GCM_SHA384,TLS_AKE_WITH_CHACHA20_POLY1305_SHA256
>
> we get this:
>
> |   TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> with the following errors:
>
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching 'TLS_AKE_WITH_AES_128_GCM_SHA256' is supported
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching 'TLS_AKE_WITH_AES_256_GCM_SHA384' is supported
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256' is
> supported
>
> =================
>
> Ultimately we want this (no DHE and no CBC but unable to find a perfect
> regex syntax):
>
> TLSv1.2:
> |     ciphers:
> |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> TLSv1.3:
> |     ciphers:
> |       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
> |       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> |       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>
> Please advise.
>
> Martin.
>
> On 2023/08/17 14:23:28 Phillip Lord wrote:
> > I think you just need to adjust your regex here...
> >
> > Have you tried something like this...   ^TLS_ECDHE.*
> >
> > Thanks,
> > Phil
> >
> > On Thu, Aug 17, 2023 at 8:26 AM Martin Fong <ma...@toronto.ca> wrote:
> >
> > > I would like to find out the syntax to set only ECDHE*.
> > >
> > > The following works:
> > > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> > >
> > > The following does not work:
> > > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> > >
> > > This will work but I want the whole ECDHE* and nothing else but it will be
> > > a very long line to set them up.
> > > nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> > >
> > > 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> > > No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> > > 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> > > No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> > > TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> > > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> > > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> > > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> > > TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
> > > TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA]
> > >
> > > Please advise if there is a correct syntax just only for ECDHE*.
> > >
> > > Thanks,
> > > Martin Fong
> > > Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> > > Technology Services Division, Technology Infrastructure Services
> > > City of Toronto
> > > 703 Don Mills Road, 2nd Floor
> > > Toronto, ON
> > > M3C 3N3
> > > Tel:           416-397-7565
> > > e-mail:     martin.f...@toronto.ca<ma...@toronto.ca>
> > >
> > > This e-mail message is confidential and subject to copyright. Any
> > > unauthorized use or disclosure is prohibited. If you have received this
> > > email and are not the intended recipient, please advise and delete it.
> > > Thank you.
> > >
> > >
> >
>
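The two questions in this thread (which Java names stand behind nmap's TLS_AKE_WITH_* labels, and which include value selects only the ECDHE GCM/CHACHA20 suites plus the TLS 1.3 suites, with no DHE and no CBC) can be checked offline against the suite list Jetty printed in the WARN line of Martin's first message. The script below is an added example, not code from the thread, from NiFi or from Jetty. It assumes that each comma-separated pattern in nifi.web.https.ciphersuites.include is applied as a whole-name regular-expression match (java.util.regex Matcher.matches(), mirrored here with re.fullmatch) and that matching suites are collected in pattern order; the supported-suite list is copied from the thread, and the names NMAP_TO_JAVA, select_ciphers, unmatched_patterns, weak_suites and the *_INCLUDE values are this example's own.

```python
import re

# Supported-suite list copied from the Jetty WARN line in the thread (Java naming:
# the TLS 1.3 suites TLS_AES_* / TLS_CHACHA20_* carry no key-exchange prefix).
JETTY_SUPPORTED = [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_RSA_WITH_NULL_SHA256", "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_SHA",
]

# nmap's TLS 1.3 labels from the thread mapped to the RFC 8446 / Java names (Mike's point).
NMAP_TO_JAVA = {
    "TLS_AKE_WITH_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_AKE_WITH_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}


def split_patterns(include_value):
    """Split the property value on commas, dropping empty entries."""
    return [p.strip() for p in include_value.split(",") if p.strip()]


def select_ciphers(include_value, supported=JETTY_SUPPORTED):
    """Assumed include semantics: every pattern must match the WHOLE suite name
    (re.fullmatch stands in for Matcher.matches()), and matches are collected
    in pattern order without duplicates."""
    selected = []
    for pattern in split_patterns(include_value):
        regex = re.compile(pattern)
        for suite in supported:
            if regex.fullmatch(suite) and suite not in selected:
                selected.append(suite)
    return selected


def unmatched_patterns(include_value, supported=JETTY_SUPPORTED):
    """Patterns that select nothing: the ones Jetty logs as
    "No Cipher Suite matching '...' is supported" in the thread."""
    return [p for p in split_patterns(include_value)
            if not any(re.fullmatch(p, s) for s in supported)]


def weak_suites(suites):
    """Suites Martin wants excluded: DHE key exchange, CBC mode and NULL ciphers."""
    return [s for s in suites if "_DHE_" in s or "_CBC_" in s or "_NULL_" in s]


# Martin's "Ultimately we want this" target, translated to Java names.
DESIRED = sorted([
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
] + list(NMAP_TO_JAVA.values()))

# Candidate values for nifi.web.https.ciphersuites.include.
BROAD_INCLUDE = "^TLS_ECDHE.*"   # Phil's suggestion: also admits CBC and NULL, and no TLS 1.3 suite
AKE_INCLUDE = "^TLS_AKE.*"       # nmap naming: nothing in Java's list starts with TLS_AKE
TIGHT_INCLUDE = ",".join([
    "^TLS_ECDHE_RSA_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$",
    "^TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$",
])

if __name__ == "__main__":
    for label, value in [("broad", BROAD_INCLUDE), ("ake", AKE_INCLUDE), ("tight", TIGHT_INCLUDE)]:
        chosen = select_ciphers(value)
        print(f"{label}: {len(chosen)} suites, weak={weak_suites(chosen)}, "
              f"unmatched={unmatched_patterns(value)}")
```

Under these assumptions the two anchored patterns in TIGHT_INCLUDE select exactly Martin's six target suites and nothing else, ^TLS_ECDHE.* explains why the CBC suites showed up in the scan, and ^TLS_AKE.* and ^.*TLS_ECDHE$ select nothing, which is the "No Cipher Suite matching" line from the log. If the server also holds an ECDSA certificate, widening RSA to (RSA|ECDSA) in the first pattern admits the ECDHE_ECDSA GCM/CHACHA20 suites without reopening CBC.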
