Re: NiFi 1.19.1 TLS Cipher syntax

2023-08-20 Thread Matthew Hawkins
Just be aware that a simple regex would also include undesirable outcomes
like null hashes and weak bit strengths, effecting a downgrade attack. You
should also explicitly exclude them using something like

 nifi.web.https.ciphersuites.exclude=.*128.*,.*NULL.*

Or whatever suits your needs. It should be, and possibly is, a default
setting, but it is always best to enforce it and note it in documentation to
stay on top of it.

I acknowledge it's a pest to set these manually, but that's what tooling
like Ansible is for: you can do it once and apply it to all your NiFi servers
easily. Also, even if you did it manually in Windows Notepad, the hour
spent would cost something like $35-100, whereas the cyber incident could
cost hundreds of millions. Never shy away from putting your hand to the till
with mindless administrative tasks that are actually achieving something.

Kr,


On Fri, 18 Aug 2023, 00:23 Phillip Lord,  wrote:

> I think you just need to adjust your regex here...
>
> Have you tried something like this...   ^TLS_ECDHE.*
>
> Thanks,
> Phil
>
> On Thu, Aug 17, 2023 at 8:26 AM Martin Fong 
> wrote:
>
> > I would like to find out the syntax to set only ECDHE*.
> >
> > The following works:
> > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> >
> > The following does not work:
> > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> >
> > This will work but I want the whole ECDHE* and nothing else but it will
> be
> > a very long line to set them up.
> > nifi.web.https.ciphersuites.include=
> >
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> >
> > 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> > No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> > 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> > No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> > TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> > TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
> > TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA]
> >
> > Please advise if there is a correct syntax just only for ECDHE*.
> >
> > Thanks,
> > Martin Fong
> > Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> > Technology Services Division, Technology Infrastructure Services
> > City of Toronto
> > 703 Don Mills Road, 2nd Floor
> > Toronto, ON
> > M3C 3N3
> > Tel:   416-397-7565
> > e-mail: martin.f...@toronto.ca
> >
> > This e-mail message is confidential and subject to copyright. Any
> > unauthorized use or disclosure is prohibited. If you have received this
> > email and are not the intended recipient, please advise and delete it.
> > Thank you.
> >
> >
>


Re: Re: NiFi 1.19.1 TLS Cipher syntax

2023-08-18 Thread Michael Moser
Martin,

Java follows RFC naming conventions for cipher suites as mentioned in the
Java Security standard names table [1].

It looks like the TLS_AKE_WITH_* cipher names you are trying to match are
not used by Java.  I found one site [2] that mentions them as cipher codes
0x1301-0x1305.

From RFC 8446 [3], the names that Java would use for those ciphers
are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
and TLS_CHACHA20_POLY1305_SHA256.

Hope this helps.

[1] -
https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names
[2] - https://svn.nmap.org/nmap/nselib/tls.lua
[3] - https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4

-- Mike


On Fri, Aug 18, 2023 at 8:57 AM Martin Fong  wrote:

> Phillip,
>
>
>
> Thanks for your feedback but this is what we have tried so far but unable
> to achieve what we want.
>
>
>
> when using the following:  ^.*GCM_SHA384$,^.*GCM_SHA256$, we get this:
>
> |   TLSv1.2:
>
> | ciphers:
>
> |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>
> |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
>
> |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
>
> |   TLSv1.3:
>
> | ciphers:
>
> |   TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>
> |   TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> ===
>
> when using the following: ^.*POLY1305_SHA256$, we get this:
>
> |   TLSv1.2:
>
> | ciphers:
>
> |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
>
> |   TLSv1.3:
>
> | ciphers:
>
> |   TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> ===
>
> when using the following: ^TLS_ECDHE.*, we get this:
>
> |   TLSv1.2:
>
> | ciphers:
>
> |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
>
> 
>
> when using the following: ^TLS_AKE.*, we get this:
>
> 2023-08-18 07:20:38,567 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching '^TLS_AKE.*' is supported
>
> 
>
>
>
> when using the following:
>
>
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AKE_WITH_AES_128_GCM_SHA256,TLS_AKE_WITH_AES_256_GCM_SHA384,TLS_AKE_WITH_CHACHA20_POLY1305_SHA256
>
>
>
> we get this:
>
> |   TLSv1.2:
>
> | ciphers:
>
> |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
>
>
> with the following errors:
>
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching 'TLS_AKE_WITH_AES_128_GCM_SHA256' is supported
>
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching 'TLS_AKE_WITH_AES_256_GCM_SHA384' is supported
>
> 2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256' is
> supported
>
> =
>
>
>
> Ultimately we want this (no DHE and no CBC but unable to find a perfect
> regex syntax):
>
> TLSv1.2:
>
> | ciphers:
>
> |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
>
> |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
>
> TLSv1.3:
>
> | ciphers:
>
> |   TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
>
> |   TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
>
> |   TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
>
>
>
> Please advise.
>
> Martin.
>
> On 2023/08/17 14:23:28 Phillip Lord wrote:
> > I think you just need to adjust your regex here...
> >
> > Have you tried something like this...   ^TLS_ECDHE.*
> >
> > Thanks,
> > Phil
> >
> > On Thu, Aug 17, 2023 at 8:26 AM Martin Fong  wrote:
> >
> > > I would like to find out the syntax to set only ECDHE*.
> > >
> > > The following works:
> > > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> > >
> > > The following does not work:
> > > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> > >
> > > This will work but I want the whole ECDHE* and nothing else but it
> will be
> > > a very long line to set them up.
> > > nifi.web.https.ciphersuites.include=
> > >
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> > >
> > > 2023-08-16 13:54:52,811 INFO [main]
> o.e.jetty.util.ssl.SslContextFactory
> > > No Cipher Suite 
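
An added example, not code from any message in this thread nor from the NiFi or Jetty projects, that ties Matthew's point about explicit excludes to Mike's point about the TLS 1.3 names. It reproduces in Python what Jetty's SslContextFactory does with the include and exclude lists, on the assumption that each pattern is applied with Java's Matcher.matches(), which has to cover the whole suite name (Python's re.fullmatch): that is why `^.*TLS_ECDHE$` matches nothing, why a bare suite name works as a literal, and why `^TLS_ECDHE.*` also drags in the CBC and NULL suites (the listing in the thread shows only five of them, so some default exclusions evidently still apply on top). The supported-suite list is copied from the WARN line quoted above; the include and exclude patterns, the policy check and the helper names are this example's own choices, not NiFi defaults. The last function renders the two nifi.properties lines so the patterns can be checked offline before a restart.

```python
import re

# Cipher suites the JVM reported as supported, taken from the WARN line quoted
# in this thread (constructed here from that log output; another JDK may differ).
SUPPORTED = [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_RSA_WITH_NULL_SHA256", "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_SHA",
]


def select_cipher_suites(supported, include, exclude):
    """Include-then-exclude selection as Jetty applies it (assumption: every
    pattern must match the whole suite name, Java Matcher.matches(), which is
    re.fullmatch here). Returns (selected suites in order, include patterns
    that matched nothing); the latter is what Jetty reports as
    "No Cipher Suite matching '<pattern>' is supported"."""
    selected, unmatched = [], []
    if not include:                      # assumption: no includes = start from everything
        selected = list(supported)
    for pattern in include:
        hits = [s for s in supported if re.fullmatch(pattern, s)]
        if not hits:
            unmatched.append(pattern)
        selected.extend(hits)
    for pattern in exclude:
        selected = [s for s in selected if not re.fullmatch(pattern, s)]
    return selected, unmatched


# Patterns tried in the thread, for comparison.
ANCHORED_AT_END = ["^.*TLS_ECDHE$"]   # no suite name ends in "TLS_ECDHE": matches nothing
ECDHE_PREFIX = ["^TLS_ECDHE.*"]       # all ECDHE suites, including CBC and NULL ones

# Candidate for "ECDHE with an AEAD cipher only, plus TLS 1.3, no DHE, no CBC".
# TLS 1.3 suites carry their RFC 8446 / Java names (TLS_AES_*, TLS_CHACHA20_*),
# not the TLS_AKE_WITH_* labels nmap prints. Example choices, not NiFi defaults.
INCLUDE = [
    r"^TLS_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$",
    r"^TLS_ECDHE_(RSA|ECDSA)_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$",
]
# Explicit excludes so a later, looser include cannot bring these back.
EXCLUDE = [r"^.*_CBC_.*$", r"^.*_NULL_.*$", r"^TLS_DHE_.*$", r"^TLS_RSA_.*$", r"^SSL_.*$"]

# Policy check on the outcome: every selected suite is TLS 1.3 or ECDHE + AEAD.
POLICY = re.compile(r"^TLS_(ECDHE_(RSA|ECDSA)_WITH_)?(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$")


def is_ecdhe_aead_only(selected):
    return all(POLICY.fullmatch(s) for s in selected)


def nifi_properties(include, exclude):
    """Render the two nifi.properties lines. The value is comma separated (as
    in the thread), so no pattern may itself contain a comma."""
    assert all("," not in p for p in include + exclude)
    return (f"nifi.web.https.ciphersuites.include={','.join(include)}\n"
            f"nifi.web.https.ciphersuites.exclude={','.join(exclude)}")


if __name__ == "__main__":
    cases = [("end-anchored", ANCHORED_AT_END, []), ("prefix", ECDHE_PREFIX, []),
             ("candidate", INCLUDE, EXCLUDE)]
    for label, inc, exc in cases:
        chosen, unmatched = select_cipher_suites(SUPPORTED, inc, exc)
        print(f"{label}: {len(chosen)} suites selected, policy ok={is_ecdhe_aead_only(chosen)},"
              f" include patterns matching nothing={unmatched}")
        for s in chosen:
            print("   ", s)
    print(nifi_properties(INCLUDE, EXCLUDE))
```

After applying the rendered properties and restarting, re-check with the nmap ssl-enum-ciphers script that produced the listings in this thread; nmap prints the TLS 1.3 suites under its own TLS_AKE_WITH_* labels, which the JVM never recognises, so those names cannot be pasted back into the include list. With an RSA server certificate, as in the listings above (every negotiated suite is ECDHE_RSA), the ECDHE_ECDSA suites selected here are never offered, so keeping them in the include list is harmless and saves an edit if the key is ever changed to EC.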

RE: Re: NiFi 1.19.1 TLS Cipher syntax

2023-08-18 Thread Martin Fong
Phillip,

Thanks for your feedback, but this is what we have tried so far and we are
unable to achieve what we want.

when using the following:  ^.*GCM_SHA384$,^.*GCM_SHA256$, we get this:

|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLSv1.3:
| ciphers:
|   TLS_AKE_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_AKE_WITH_AES_128_GCM_SHA256 (secp256r1) - A

===

when using the following: ^.*POLY1305_SHA256$, we get this:

|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|   TLSv1.3:
| ciphers:
|   TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A

===

when using the following: ^TLS_ECDHE.*, we get this:

|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

when using the following: ^TLS_AKE.*, we get this:

2023-08-18 07:20:38,567 INFO [main] o.e.jetty.util.ssl.SslContextFactory No
Cipher Suite matching '^TLS_AKE.*' is supported

when using the following:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_AKE_WITH_AES_128_GCM_SHA256,TLS_AKE_WITH_AES_256_GCM_SHA384,TLS_AKE_WITH_CHACHA20_POLY1305_SHA256

we get this:

|   TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A

with the following errors:

2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No
Cipher Suite matching 'TLS_AKE_WITH_AES_128_GCM_SHA256' is supported
2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No
Cipher Suite matching 'TLS_AKE_WITH_AES_256_GCM_SHA384' is supported
2023-08-18 08:22:02,284 INFO [main] o.e.jetty.util.ssl.SslContextFactory No
Cipher Suite matching 'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256' is supported

=

Ultimately we want this (no DHE and no CBC, but unable to find a perfect regex
syntax):

TLSv1.2:
| ciphers:
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
TLSv1.3:
| ciphers:
|   TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|   TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|   TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A

Please advise.

Martin.

On 2023/08/17 14:23:28 Phillip Lord wrote:
> I think you just need to adjust your regex here...
>
> Have you tried something like this...   ^TLS_ECDHE.*
>
> Thanks,
> Phil
>
> On Thu, Aug 17, 2023 at 8:26 AM Martin Fong  wrote:
>
> > I would like to find out the syntax to set only ECDHE*.
> >
> > The following works:
> > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> >
> > The following does not work:
> > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> >
> > This will work but I want the whole ECDHE* and nothing else but it will be
> > a very long line to set them up.
> > nifi.web.https.ciphersuites.include=
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> >
> > 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> > No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> > 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> > No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> > TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> > 

Re: NiFi 1.19.1 TLS Cipher syntax

2023-08-17 Thread Phillip Lord
I think you just need to adjust your regex here...

Have you tried something like this...   ^TLS_ECDHE.*

Thanks,
Phil

On Thu, Aug 17, 2023 at 8:26 AM Martin Fong  wrote:

> I would like to find out the syntax to set only ECDHE*.
>
> The following works:
> nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
>
> The following does not work:
> nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
>
> This will work but I want the whole ECDHE* and nothing else but it will be
> a very long line to set them up.
> nifi.web.https.ciphersuites.include=
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>
> 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
> TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA]
>
> Please advise if there is a correct syntax just only for ECDHE*.
>
> Thanks,
> Martin Fong
> Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> Technology Services Division, Technology Infrastructure Services
> City of Toronto
> 703 Don Mills Road, 2nd Floor
> Toronto, ON
> M3C 3N3
> Tel:   416-397-7565
> e-mail: martin.f...@toronto.ca
>
> This e-mail message is confidential and subject to copyright. Any
> unauthorized use or disclosure is prohibited. If you have received this
> email and are not the intended recipient, please advise and delete it.
> Thank you.
>
>


NiFi 1.19.1 TLS Cipher syntax

2023-08-17 Thread Martin Fong
I would like to find out the syntax to set only ECDHE*.

The following works:
nifi.web.https.ciphersuites.include=^.*GCM_SHA256$

The following does not work:
nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$

This will work, but I want the whole ECDHE* set and nothing else, and it will be
a very long line to set them up.
nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory No 
Cipher Suite matching '^.*TLS_ECDHE$' is supported
2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory No 
supported Cipher Suite from [TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, 
TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, 
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_RSA_WITH_NULL_SHA256, 
TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, 
SSL_RSA_WITH_NULL_SHA]

Please advise if there is a correct syntax just only for ECDHE*.

Thanks,
Martin Fong
Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
Technology Services Division, Technology Infrastructure Services
City of Toronto
703 Don Mills Road, 2nd Floor
Toronto, ON
M3C 3N3
Tel:   416-397-7565
e-mail: martin.f...@toronto.ca

This e-mail message is confidential and subject to copyright. Any unauthorized 
use or disclosure is prohibited. If you have received this email and are not 
the intended recipient, please advise and delete it. Thank you.