Martin, Java follows RFC naming conventions for cipher suites as mentioned in the Java Security standard names table [1].

It looks like the TLS_AKE_WITH_* cipher names you are trying to match are not used by Java. I found one site [2] that mentions them as cipher codes 0x1301-0x1305. From RFC 8446 [3], the names that Java would use for those ciphers are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256.

Hope this helps.

[1] - https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
[2] - https://svn.nmap.org/nmap/nselib/tls.lua
[3] - https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4

--
Mike

On Fri, Aug 18, 2023 at 8:57 AM Martin Fong <martin.f...@toronto.ca> wrote:

> Phillip,
>
> Thanks for your feedback, but this is what we have tried so far, and we are
> unable to achieve what we want.
>
> When using the following: ^.*GCM_SHA384$,^.*GCM_SHA256$, we get this:
>
> | TLSv1.2:
> |   ciphers:
> |     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> | TLSv1.3:
> |   ciphers:
> |     TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |     TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> ===============================
>
> When using the following: ^.*POLY1305_SHA256$, we get this:
>
> | TLSv1.2:
> |   ciphers:
> |     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> | TLSv1.3:
> |   ciphers:
> |     TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> ===========================
>
> When using the following: ^TLS_ECDHE.*, we get this:
>
> | TLSv1.2:
> |   ciphers:
> |     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>
> ================================
>
> When using the following: ^TLS_AKE.*, we get this:
>
> 2023-08-18 07:20:38,567 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching '^TLS_AKE.*' is supported
>
> ================================
>
> When using the following:
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AKE_WITH_AES_128_GCM_SHA256,TLS_AKE_WITH_AES_256_GCM_SHA384,TLS_AKE_WITH_CHACHA20_POLY1305_SHA256
>
> we get this:
>
> | TLSv1.2:
> |   ciphers:
> |     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> with the following errors:
>
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching 'TLS_AKE_WITH_AES_128_GCM_SHA256' is supported
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching 'TLS_AKE_WITH_AES_256_GCM_SHA384' is supported
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No Cipher Suite matching 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256' is supported
>
> =================
>
> Ultimately we want this (no DHE and no CBC, but we are unable to find a
> perfect regex syntax):
>
> | TLSv1.2:
> |   ciphers:
> |     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> | TLSv1.3:
> |   ciphers:
> |     TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
> |     TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
> |     TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>
> Please advise.
>
> Martin.
>
> On 2023/08/17 14:23:28 Phillip Lord wrote:
> > I think you just need to adjust your regex here...
> >
> > Have you tried something like this...
> >
> > ^TLS_ECDHE.*
> >
> > Thanks,
> > Phil
> >
> > On Thu, Aug 17, 2023 at 8:26 AM Martin Fong <ma...@toronto.ca> wrote:
> >
> > > I would like to find out the syntax to set only ECDHE*.
> > >
> > > The following works:
> > > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> > >
> > > The following does not work:
> > > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> > >
> > > This will work, but I want the whole ECDHE* and nothing else, and it
> > > will be a very long line to set them up.
> > > nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> > >
> > > 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> > > No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> > > 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> > > No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> > > TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> > > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> > > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> > > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> > > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> > > TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
> > > TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA]
> > >
> > > Please advise if there is a correct syntax just only for ECDHE*.
> > >
> > > Thanks,
> > > Martin Fong
> > > Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> > > Technology Services Division, Technology Infrastructure Services
> > > City of Toronto
> > > 703 Don Mills Road, 2nd Floor
> > > Toronto, ON
> > > M3C 3N3
> > > Tel: 416-397-7565
> > > e-mail: martin.f...@toronto.ca
> > >
> > > This e-mail message is confidential and subject to copyright. Any
> > > unauthorized use or disclosure is prohibited. If you have received this
> > > email and are not the intended recipient, please advise and delete it.
> > > Thank you.
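As an added example, not part of the thread and not NiFi's or Jetty's own code, the script below dry-runs include patterns against the supported-suite list that Jetty printed in the WARN line quoted above. The matching model (the property is split on commas, each entry is compiled as a regex that must match a whole suite name, and an entry that matches nothing is reported) is my reading of how Jetty's SslContextFactory applies its include list, reproduced here with Python's re.fullmatch; the proposed ECDHE_AEAD_ONLY pattern and the has_weak_suite check are mine. It shows why ^TLS_ECDHE.* drags in CBC and NULL suites, why ^.*TLS_ECDHE$ and the TLS_AKE_WITH_* names match nothing, and that one anchored alternation yields only forward-secret AEAD suites for both TLS 1.2 and TLS 1.3.

```python
import re

# Supported suites exactly as the JVM listed them in the Jetty WARN line quoted
# in this thread. These are the Java / RFC 8446 names; nmap's ssl-enum-ciphers
# labels the TLS 1.3 suites TLS_AKE_WITH_* instead, which Jetty never sees.
JVM_SUPPORTED = [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_RSA_WITH_NULL_SHA256", "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_SHA",
]


def select_suites(include_property, supported=JVM_SUPPORTED):
    """Model (my assumption, see lead-in) of how the include property is applied:
    split on commas, compile each entry as a regex that must match a whole suite
    name, and report entries that match nothing (Jetty logs those as
    "No Cipher Suite matching '<entry>' is supported").
    Returns (selected suites in JVM order, entries that matched nothing)."""
    selected, unmatched = [], []
    for entry in include_property.split(","):
        entry = entry.strip()
        if not entry:
            continue
        pattern = re.compile(entry)
        hits = [s for s in supported if pattern.fullmatch(s)]
        if not hits:
            unmatched.append(entry)
        for s in hits:
            if s not in selected:
                selected.append(s)
    return selected, unmatched


# Proposed single include entry (no comma inside it, since the property is split
# on commas): the optional group covers the TLS 1.2 ECDHE_{RSA,ECDSA}_WITH_ prefix,
# and the bare TLS 1.3 names fall through when the group is absent. DHE, CBC,
# static-RSA, SCSV and NULL suites cannot match the anchored alternation.
ECDHE_AEAD_ONLY = (
    r"^TLS_(ECDHE_(RSA|ECDSA)_WITH_)?"
    r"(AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$"
)


def has_weak_suite(selected):
    """True if any non-forward-secret (DHE counted as unwanted here, as in the
    thread), CBC, static-RSA, NULL or SSL-prefixed suite slipped through."""
    return any(re.search(r"^TLS_DHE_|_CBC_|_NULL_|^TLS_RSA_|^SSL_", s) for s in selected)


if __name__ == "__main__":
    for prop in ("^TLS_ECDHE.*", "^.*TLS_ECDHE$",
                 "TLS_AKE_WITH_AES_128_GCM_SHA256,TLS_AES_128_GCM_SHA256",
                 ECDHE_AEAD_ONLY):
        sel, unmatched = select_suites(prop)
        print(f"include={prop}")
        print(f"  selected ({len(sel)}): {sel}")
        print(f"  unmatched entries: {unmatched}")
        print(f"  weak suite present: {has_weak_suite(sel)}")
```

The ECDSA variants are included because they are harmless when the server only holds an RSA certificate (they are never negotiated without an ECDSA key) and keep the same property valid if the certificate is later changed. Because the scanner and the JVM name the TLS 1.3 suites differently, the thing to verify after editing nifi.properties is the Jetty log: a clean start has no "No Cipher Suite matching" lines, and the TLS 1.3 suites then show up in nmap output under their TLS_AKE_WITH_* labels.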