From 8c1ecd7655bd052a26e64d3361dede3096cd80c6 Mon Sep 17 00:00:00 2001
From: steve21168 <steve21168@gmail.com>
Date: Tue, 1 Apr 2025 10:14:41 -0400
Subject: [PATCH] Annotations: Allow ciphers with underscores. (#13110)

---
 internal/ingress/annotations/sslcipher/main.go      | 2 +-
 internal/ingress/annotations/sslcipher/main_test.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/ingress/annotations/sslcipher/main.go b/internal/ingress/annotations/sslcipher/main.go
index 3cfd903bd..180cb3914 100644
--- a/internal/ingress/annotations/sslcipher/main.go
+++ b/internal/ingress/annotations/sslcipher/main.go
@@ -33,7 +33,7 @@ const (
 
 // Should cover something like "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 // (?:@STRENGTH) is included twice so it can appear before or after @SECLEVEL=n
-var regexValidSSLCipher = regexp.MustCompile(`^(?:(?:[A-Za-z0-9!:+\-])*(?:@STRENGTH)*(?:@SECLEVEL=[0-5])*(?:@STRENGTH)*)*$`)
+var regexValidSSLCipher = regexp.MustCompile(`^(?:(?:[A-Za-z0-9!:+\-_])*(?:@STRENGTH)*(?:@SECLEVEL=[0-5])*(?:@STRENGTH)*)*$`)
 
 var sslCipherAnnotations = parser.Annotation{
 	Group: "backend",
diff --git a/internal/ingress/annotations/sslcipher/main_test.go b/internal/ingress/annotations/sslcipher/main_test.go
index f1675d4c7..2ef2ab536 100644
--- a/internal/ingress/annotations/sslcipher/main_test.go
+++ b/internal/ingress/annotations/sslcipher/main_test.go
@@ -57,6 +57,7 @@ func TestParse(t *testing.T) {
 		{map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}, false},
 		{map[string]string{annotationSSLCiphers: "ALL:SOMETHING:;locationXPTO"}, Config{"", ""}, true},
 		{map[string]string{}, Config{"", ""}, false},
+		{map[string]string{annotationSSLCiphers: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"}, Config{"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256", ""}, false},
 		{nil, Config{"", ""}, false},
 	}