
I need a Java regex which can match the argument used to set ciphers for SSL/TLS.

Valid ciphers (for testing multiple patterns at a go, I added them to a comma-separated string, later iterating over each one for pattern matching):

"ALL:!kRSA:!CBC,ALL:-aRSA:-CBC:SHA256,ALL:!kRSA,ALL:!aRSA,ALL:!RSA,ALL:!EDH-RSA-DES-CBC-SHA,ALL:!DES-CBC,ALL:!DES,ALL:-RSA+AES-128-CBC+SHA256";

Can be matched with regex = "^((?:ALL)|(?:ALL)(:([!-]?(a|k)?[A-Z0-9]+([+-]?(a|k)?[A-Z0-9]+)?)*)*)$";

But when I try invalid ciphers (basically these should fail to match):

invalidciphers = "ALL:+DES,+DES,-DES,DEFAULT:-aRSA,akRSA,kDHE-aRSA,!ECDHE";

I am unable to create one.

Can anyone help me out?

Brian Tompsett - 汤莱恩
chetan
  • Where would you find a comma-separated list like that?? – Andreas Jan 13 '17 at 06:46
  • @Andreas, sorry for that. As part of testing multiple ciphers I have added them to a string, later iterating over it for individual pattern matching. Just for testing. – chetan Jan 13 '17 at 06:48
  • It is really very unclear what your validation logic is. I think you don't really understand what those strings mean. E.g. why would both `ALL:!RSA` and `ALL:!DES` be ok, but `ALL:+DES` be bad? `ALL:!RSA` means that `DES` is ok, and `ALL:!DES` means that `RSA` is ok, so why wouldn't both `RSA` and `DES` be ok? – Andreas Jan 13 '17 at 07:08
  • But you said that `ALL:!RSA` is valid, and that would allow `DES` ciphers. Alternatively, you said that `ALL:!DES` is valid, and that would allow `RSA` ciphers. So you're saying that it's ok to allow `RSA` ciphers and it's ok to allow `DES` ciphers, as long as you don't allow both at the same time? That makes no sense. – Andreas Jan 13 '17 at 07:26
  • Similarly, you say that `ALL:!aRSA` is ok, but `DEFAULT:-aRSA` is not? `DEFAULT` is stricter than `ALL`, so still not making much sense. Heck, why would you allow any of the `ALL` ciphers, given that `ALL` includes `SSLv2`? *Yikes!* – Andreas Jan 13 '17 at 07:29
  • @Andreas there are certain rules for building a cipher filter, wherein how to use `!`, `+`, `-`, `:` and when to use them. That's the reason why `ALL:!DES` is valid but `ALL:+DES` is not. – chetan Jan 13 '17 at 07:32
  • `!` can be used before a cipher, `+` cannot be used like this `ALL:+DSA:+ECDHE`, `-` can be used like this `ALL:-RSA:-DES`, and when `DEFAULT` is used, no other character should follow. – chetan Jan 13 '17 at 07:35
  • @Andreas, there are still more rules to be followed. And if followed, I'm unable to build one for the pattern check. – chetan Jan 13 '17 at 07:37
  • Why can't you use `+`? It doesn't add anything, it just moves the cipher to the end. Do you understand the difference between `ALL:!RSA:RSA`, `ALL:!RSA:+RSA`, and `ALL:+RSA:-RSA`? All three result is *exactly the same* set of ciphers, i.e. the same as `ALL:!RSA`, and you said that's allowed. – Andreas Jan 13 '17 at 07:37
  • @Andreas `+` can only be used when a combination of cipher suites is to be mentioned, like `ALL:-RSA+AES-128-CBC+SHA256`; `+` should always be preceded by a cipher string, and `-` is used in two ways: 1. as part of a cipher algorithm string or in combining a full cipher suite, 2. to remove the cipher suite containing that cipher. – chetan Jan 13 '17 at 07:44
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/133056/discussion-between-chetan-and-andreas). – chetan Jan 13 '17 at 07:49
  • So, you looking for this: `^(ALL)(:[!-]?[ak]?[A-Z0-9]+([+-][ak]?[A-Z0-9]+)*)*$`? See [regex101](https://regex101.com/r/Mp1OL1/1). – Andreas Jan 13 '17 at 08:13
  • Cipher suite names are taken from IANA's [Transport Layer Security (TLS) Parameters](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4). The names are like `TLS_NULL_WITH_NULL_NULL` and `TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256`. They will not match a cipher string like `HIGH:!aNULL:!kRSA:!MD5:!RC4`. You retrieve the list of cipher suites from, say, `SSLSocketFactory` using `getDefaultCipherSuites` and `getEnabledCipherSuites`. Also see [Which Cipher Suites to enable for SSL Socket?](http://stackoverflow.com/a/23365536/608639) on Stack Overflow. – jww Jan 13 '17 at 08:23
  • @jww Please refer to the OpenSSL cipher setting. The ones you speak about with `_` are the actual cipher suites which are enabled/supported. Out of ALL supported cipher suites in TLS/SSL, if we need to filter out a few and allow only specific cipher suites, we use a CipherFilter (this is the regex that I am working on). – chetan Jan 13 '17 at 09:36
  • @Andreas add your reply as an answer, I will accept it. Just before that, please check this: 1. `^(ALL)(:[!-]?[ake]?[A-Z0-9]+([+-][ak]?[A-Z0-9]+)*)*$` works if the string starts with `ALL`. 2. `^([!]?[ake]?[A-Z0-9]+([+-]?[A-Z0-9]+)*)(:[!-]?[ake]?[A-Z0-9]+([+-][ak]?[A-Z0-9]+)*)*$` works for all. But how not to allow `ALL` and `DEFAULT` in this? 3. `^DEFAULT$` only for `DEFAULT`. 4. And can we merge these 3 regexes into a single regex? – chetan Jan 13 '17 at 10:39
  • Maybe https://regex101.com/r/CEwDK0/1 will work. Not sure what the rules for combining these 3 are. – Wiktor Stribiżew Feb 05 '17 at 09:00

1 Answer

You may use

^ALL(?::[!-]?[ak]?[A-Z0-9]+(?:[+-]?[ak]?[A-Z0-9]+)*)*(?:,ALL(?::[!-]?[ak]?[A-Z0-9]+(?:[+-]?[ak]?[A-Z0-9]+)*)*)*$

See the regex demo

The scheme is ^<single_pattern>(?:,<single_pattern>)*$. It matches the start of string, then the single pattern, and then 0 or more occurrences of a comma followed with the single pattern up to the end of string.

The single_pattern here is ALL(?::[!-]?[ak]?[A-Z0-9]+(?:[+-]?[ak]?[A-Z0-9]+)*)*:

  • ALL - a substring
  • (?::[!-]?[ak]?[A-Z0-9]+(?:[+-]?[ak]?[A-Z0-9]+)*)* - 0 or more occurrences of
    • : - a colon
    • [!-]? - an optional ! or -
    • [ak]? - an optional a or k
    • [A-Z0-9]+ - 1+ uppercase letters or digits
    • (?:[+-]?[ak]?[A-Z0-9]+)* - 0 or more occurrences of
      • [+-]? - an optional + or -
      • [ak]? - an optional a or k
      • [A-Z0-9]+ - 1+ uppercase letters or digits
Wiktor Stribiżew
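As an added worked check, not part of the question or the answer above: the answer's single pattern applied per item to the asker's own valid and invalid strings, with the bare `DEFAULT` case from the asker's later comment (rule 3) merged in as an alternation. The `DEFAULT` branch, the class and method names are my own assumptions; rule 2 from that comment (strings not starting with `ALL`) is deliberately left out, and the check is syntactic only, it says nothing about which ciphers the string actually enables.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CipherStringCheck {
    // The answer's single_pattern: ALL followed by zero or more ":<op><alg>[+-<alg>...]" groups.
    private static final String ALL_PATTERN =
        "ALL(?::[!-]?[ak]?[A-Z0-9]+(?:[+-]?[ak]?[A-Z0-9]+)*)*";

    // Assumption: rules 1 and 3 from the asker's comment merged into one alternation
    // (a bare DEFAULT, or an ALL-based string). Rule 2 is intentionally not covered.
    private static final Pattern SINGLE = Pattern.compile("^(?:DEFAULT|" + ALL_PATTERN + ")$");

    /** True when one cipher string (no commas) passes the syntax check. */
    static boolean isWellFormed(String cipherString) {
        return SINGLE.matcher(cipherString).matches();
    }

    /** Splits the asker's comma-joined test data and returns the items that FAIL the check. */
    static List<String> rejected(String commaJoined) {
        List<String> out = new ArrayList<>();
        for (String item : commaJoined.split(",")) {
            if (!isWellFormed(item)) {
                out.add(item);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Test data taken from the question, plus a bare DEFAULT for rule 3.
        String valid = "ALL:!kRSA:!CBC,ALL:-aRSA:-CBC:SHA256,ALL:!kRSA,ALL:!aRSA,ALL:!RSA,"
            + "ALL:!EDH-RSA-DES-CBC-SHA,ALL:!DES-CBC,ALL:!DES,ALL:-RSA+AES-128-CBC+SHA256,DEFAULT";
        String invalid = "ALL:+DES,+DES,-DES,DEFAULT:-aRSA,akRSA,kDHE-aRSA,!ECDHE";

        // Every valid item matches, so nothing is rejected here.
        System.out.println("rejected from valid set:   " + rejected(valid));
        // None of the invalid items matches, so all seven are rejected.
        System.out.println("rejected from invalid set: " + rejected(invalid));
    }
}
```

`ALL:+DES` is rejected because after the colon the pattern allows only `!` or `-` before the first algorithm name, and `DEFAULT:-aRSA` is rejected because the `DEFAULT` branch permits nothing after it.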