Just be aware that a simple regex would also include undesirable outcomes
like null hashes and weak bit strengths, effecting a downgrade attack. You
should also explicitly exclude them using something like

 nifi.web.https.ciphersuites.exclude=.*128.*,.*NULL.*

Or whatever suits your needs. It should be, and possibly is, a default
setting, but it is always best to enforce it and note it in documentation to
stay on top of it.

I acknowledge it's a pest to set these manually, but that's what tooling
like Ansible is for: you can do it once and apply it to all your NiFi servers
easily. Also, even if you did it manually in Windows Notepad, the hour
spent would cost something like $35-100, whereas a cyber incident could
cost hundreds of millions. Never shy away from putting your hand to the till
with mindless administrative tasks that are actually achieving something.

Kr,


On Fri, 18 Aug 2023, 00:23 Phillip Lord, <phillord0...@gmail.com> wrote:

> I think you just need to adjust your regex here...
>
> Have you tried something like this...   ^TLS_ECDHE.*
>
> Thanks,
> Phil
>
> On Thu, Aug 17, 2023 at 8:26 AM Martin Fong <martin.f...@toronto.ca>
> wrote:
>
> > I would like to find out the syntax to set only ECDHE*.
> >
> > The following works:
> > nifi.web.https.ciphersuites.include=^.*GCM_SHA256$
> >
> > The following does not work:
> > nifi.web.https.ciphersuites.include=^.*TLS_ECDHE$
> >
> > This will work but I want the whole ECDHE* and nothing else but it will be
> > a very long line to set them up.
> > nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> >
> > 2023-08-16 13:54:52,811 INFO [main] o.e.jetty.util.ssl.SslContextFactory
> > No Cipher Suite matching '^.*TLS_ECDHE$' is supported
> > 2023-08-16 13:54:52,812 WARN [main] o.e.jetty.util.ssl.SslContextFactory
> > No supported Cipher Suite from [TLS_AES_256_GCM_SHA384,
> > TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> > TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA,
> > TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA]
> >
> > Please advise if there is a correct syntax just only for ECDHE*.
> >
> > Thanks,
> > Martin Fong
> > Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> > Technology Services Division, Technology Infrastructure Services
> > City of Toronto
> > 703 Don Mills Road, 2nd Floor
> > Toronto, ON
> > M3C 3N3
> > Tel:           416-397-7565
> > e-mail:     martin.f...@toronto.ca
> >
> > This e-mail message is confidential and subject to copyright. Any
> > unauthorized use or disclosure is prohibited. If you have received this
> > email and are not the intended recipient, please advise and delete it.
> > Thank you.
> >
> >
>
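As an added example (not code from this thread, from NiFi or from Jetty), the following Python reproduces how Jetty's SslContextFactory applies the `nifi.web.https.ciphersuites.include` and `.exclude` lists: each comma-separated entry is a Java regex that has to match the whole suite name (`Matcher.matches()`), include patterns are applied in order, and exclude patterns are removed afterwards. It assumes `re.fullmatch` is an adequate stand-in for Java's full-match semantics for these patterns, and uses the suite list from the WARN line quoted above as constructed sample input.

```python
import re

# Constructed sample input: the cipher suite names copied from the Jetty
# WARN line quoted in the thread, in the order the JVM reported them.
SUPPORTED_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_ECDHE_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]


def parse_property(value):
    """Split a comma-separated nifi.web.https.ciphersuites.* value into regexes."""
    return [p.strip() for p in value.split(",") if p.strip()]


def select_cipher_suites(supported, include="", exclude=""):
    """Mimic Jetty's selection: each entry must match the WHOLE suite name
    (Java Matcher.matches(); re.fullmatch is the Python stand-in assumed here).
    Include patterns are applied in order; exclude patterns are removed after.
    """
    includes = parse_property(include)
    excludes = parse_property(exclude)

    if includes:
        selected = []
        for pattern in includes:
            regex = re.compile(pattern)
            matched = [s for s in supported if regex.fullmatch(s)]
            if not matched:
                # Same wording as the INFO line quoted in the thread.
                print(f"No Cipher Suite matching '{pattern}' is supported")
            for suite in matched:
                if suite not in selected:  # keep first-match order, no duplicates
                    selected.append(suite)
    else:
        selected = list(supported)

    for pattern in excludes:
        regex = re.compile(pattern)
        selected = [s for s in selected if not regex.fullmatch(s)]
    return selected


if __name__ == "__main__":
    # Anchored after a prefix: matches nothing, logs the INFO line.
    print(select_cipher_suites(SUPPORTED_SUITES, include="^.*TLS_ECDHE$"))
    # Prefix match: 16 suites, including the two ECDHE NULL suites and the CBC suites.
    print(select_cipher_suites(SUPPORTED_SUITES, include="^TLS_ECDHE.*"))
    # Same include with the exclude list suggested above: 8 suites remain.
    print(select_cipher_suites(SUPPORTED_SUITES, include="^TLS_ECDHE.*",
                               exclude=".*128.*,.*NULL.*"))
    # A tighter include that selects only the ECDHE AEAD suites in one step.
    print(select_cipher_suites(
        SUPPORTED_SUITES,
        include="^TLS_ECDHE_(ECDSA|RSA)_WITH_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$"))
```

Running it shows why `^.*TLS_ECDHE$` produced the "No Cipher Suite matching" line (no suite name ends in `TLS_ECDHE`), that `^TLS_ECDHE.*` pulls in `TLS_ECDHE_ECDSA_WITH_NULL_SHA` and `TLS_ECDHE_RSA_WITH_NULL_SHA` until an exclude such as `.*NULL.*` removes them, and that after the suggested `.*128.*,.*NULL.*` exclude the ECDHE CBC suites are still selected; a more specific include regex keeps only the AEAD suites without relying on the exclude list. Two caveats the output makes visible: `.*128.*` also removes the TLS 1.3 suite `TLS_AES_128_GCM_SHA256`, and any include beginning with `^TLS_ECDHE` drops all three `TLS_AES_*`/`TLS_CHACHA20_*` suites, which JSSE needs enabled to negotiate TLS 1.3 at all.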
