This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 1d31320739d7d45b790f23a8a860ec5bf669a835 Author: Mark Thomas <[email protected]> AuthorDate: Tue Feb 10 16:11:55 2026 +0000 Remove support for the EXPORT aliases --- java/org/apache/tomcat/util/net/SSLHostConfig.java | 2 +- .../ciphers/OpenSSLCipherConfigurationParser.java | 20 +---------- .../TestOpenSSLCipherConfigurationParser.java | 42 ++++++++++++---------- webapps/docs/changelog.xml | 3 +- 4 files changed, 28 insertions(+), 39 deletions(-) diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java b/java/org/apache/tomcat/util/net/SSLHostConfig.java index ed5fce389d..5a3fdc05f1 100644 --- a/java/org/apache/tomcat/util/net/SSLHostConfig.java +++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java @@ -59,7 +59,7 @@ public class SSLHostConfig implements Serializable { // keys in Maps. protected static final String DEFAULT_SSL_HOST_NAME = "_default_"; protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>(); - public static final String DEFAULT_TLS_CIPHERS_12 = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"; + public static final String DEFAULT_TLS_CIPHERS_12 = "HIGH:!aNULL:!eNULL:!DES:!RC4:!MD5:!kRSA"; public static final String DEFAULT_TLS_CIPHERS_13 = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"; /** * Default cipher list for TLS 1.2 and below. diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java index 95c6e49897..7885b73c42 100644 --- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java +++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java 
@@ -99,18 +99,6 @@ public class OpenSSLCipherConfigurationParser { * cipher suites. */ private static final String LOW = "LOW"; - /** - * Export encryption algorithms. Including 40 and 56 bits algorithms. - */ - private static final String EXPORT = "EXPORT"; - /** - * 40 bit export encryption algorithms. - */ - private static final String EXPORT40 = "EXPORT40"; - /** - * 56 bit export encryption algorithms. - */ - private static final String EXPORT56 = "EXPORT56"; /** * Cipher suites using RSA key exchange. */ @@ -450,11 +438,6 @@ public class OpenSSLCipherConfigurationParser { addListAlias(HIGH, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.HIGH))); addListAlias(MEDIUM, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.MEDIUM))); addListAlias(LOW, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.LOW))); - addListAlias(EXPORT, filterByEncryptionLevel(allCiphers, - new HashSet<>(Arrays.asList(EncryptionLevel.EXP40, EncryptionLevel.EXP56)))); - aliases.put("EXP", aliases.get(EXPORT)); - addListAlias(EXPORT40, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.EXP40))); - addListAlias(EXPORT56, filterByEncryptionLevel(allCiphers, Collections.singleton(EncryptionLevel.EXP56))); aliases.put("NULL", aliases.get(eNULL)); aliases.put(COMPLEMENTOFALL, aliases.get(eNULL)); addListAlias(aNULL, filterByAuthentication(allCiphers, Collections.singleton(Authentication.aNULL))); 
@@ -573,13 +556,12 @@ public class OpenSSLCipherConfigurationParser { addListAlias(SRP, filterByKeyExchange(allCiphers, Collections.singleton(KeyExchange.SRP))); initialized = true; addListAlias(DEFAULT, parse( - "ALL:!EXPORT:!eNULL:!aNULL:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES:!ARIA")); + "ALL:!eNULL:!aNULL:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES:!ARIA")); // COMPLEMENTOFDEFAULT is also not exactly as defined by the docs LinkedHashSet<Cipher> complementOfDefault = filterByKeyExchange(all, new HashSet<>(Arrays.asList(KeyExchange.EDH, KeyExchange.EECDH))); complementOfDefault = filterByAuthentication(complementOfDefault, Collections.singleton(Authentication.aNULL)); aliases.get(eNULL).forEach(complementOfDefault::remove); - complementOfDefault.addAll(aliases.get(EXPORT)); complementOfDefault.addAll(aliases.get(DES)); complementOfDefault.addAll(aliases.get(TRIPLE_DES)); complementOfDefault.addAll(aliases.get(RC2)); diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java index e1468256bc..aee2878a20 100644 --- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java +++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java @@ -88,18 +88,6 @@ public class TestOpenSSLCipherConfigurationParser { } - @Test - public void testEXPORT40() throws Exception { - testSpecification("EXPORT40"); - } - - - @Test - public void testEXPORT() throws Exception { - testSpecification("EXPORT"); - } - - @Test public void testRSA() throws Exception { testSpecification("RSA"); 
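Review bot: With `!EXPORT` gone from the `DEFAULT` expression, the only thing keeping 40- and 56-bit suites out of `DEFAULT` is that `ALL` contains none, and nothing in this hunk shows that. The alias code removed earlier in this file filtered on `EncryptionLevel.EXP40` and `EncryptionLevel.EXP56`, so if any `Cipher` entry still carries one of those levels it would now pass through `ALL` into `DEFAULT`, and it is no longer added to `complementOfDefault` either. I would state the invariant next to the expression, e.g. `// No EXPORT filter: Cipher defines no EXP40/EXP56 suites, so ALL cannot contain them`, and back it with a test asserting that no cipher in the parsed `DEFAULT` list has an export encryption level. `DEFAULT_TLS_CIPHERS_12` in SSLHostConfig starts from `HIGH`, which is built from `EncryptionLevel.HIGH` only, so it is not exposed in the same way. The enclosing initialiser starts and ends outside the hunk.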
@@ -545,17 +533,17 @@ public class TestOpenSSLCipherConfigurationParser { // a number of the reference browsers if (TesterOpenSSL.VERSION < 30200) { // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium - testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); + testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!DES:!RC4:!MD5"); } else { - testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"); + testSpecification("HIGH:!aNULL:!eNULL:!DES:!RC4:!MD5"); } } @Test public void testSpecification02() throws Exception { - // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/, s/\!SSLv2//) - testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM"); + // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/, s/\!SSLv2//, s/\!EXPORT//) + testSpecification("!aNULL:!eNULL:!DSS:!DES:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM"); } @@ -574,9 +562,9 @@ public class TestOpenSSLCipherConfigurationParser { public void testSpecification04() throws Exception { if (TesterOpenSSL.VERSION < 30200) { // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium - testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:!AESCCM8"); + testSpecification("HIGH:!aNULL:!eNULL:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:!AESCCM8"); } else { - testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:"); + testSpecification("HIGH:!aNULL:!eNULL:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:"); } } 
@@ -593,6 +581,24 @@ public class TestOpenSSLCipherConfigurationParser { } + @Test + public void testSpecificationIsEmptyEXPORT() throws Exception { + testSpecificationIsEmpty("EXPORT"); + } + + + @Test + public void testSpecificationIsEmptyEXPORT40() throws Exception { + testSpecificationIsEmpty("EXPORT40"); + } + + + @Test + public void testSpecificationIsEmptyEXPORT56() throws Exception { + testSpecificationIsEmpty("EXPORT56"); + } + + private void testSpecificationIsEmpty(String specification) throws Exception { String openSSLCipherList = TesterOpenSSL.getOpenSSLCiphersAsExpression(specification); Assert.assertEquals("Specification [" + specification + "] returned [" + openSSLCipherList + diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index cf7f4de65e..0b24e939c7 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -239,7 +239,8 @@ </fix> <fix> To maintain the documented alignment with the OpenSSL development - branch, the use of the alias <code>SSLv3</code> is no longer supported + branch, the use of the aliases <code>SSLv3</code>, <code>EXPORT</code>, + <code>EXPORT40</code> and <code>EXPORT56</code> are no longer supported when setting the <code>ciphers</code> attribute of an <code>SSLHostConfig</code> element. (markt) </fix> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
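Review bot: The three added tests check only the bare aliases `EXPORT`, `EXPORT40` and `EXPORT56`; after the edits to the `HIGH`-based specifications and to testSpecification02 and testSpecification04, no test in this diff parses a longer expression that still contains `!EXPORT`. That negated form is what existing `ciphers` attributes are likely to carry, since the previous `DEFAULT_TLS_CIPHERS_12` included it, and how the parser treats a now-unknown element is not visible here. A regression case such as `testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");` would pin whether an upgraded configuration still yields the same cipher list as OpenSSL or is rejected. `testSpecificationIsEmpty` continues below the hunk.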
