This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 03f757637275c2d5c474ecf5c0f54a077f969124
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Feb 10 15:40:22 2026 +0000
Remove support for the SSLv3 alias when configuring ciphers
This is consistent with the documented alignment with the OpenSSL development branch.
---
.../util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java | 1 -
.../net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 4 ++++
webapps/docs/changelog.xml | 6 ++++++
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 13130b5811..6d20af1997 100644
--- a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -501,7 +501,6 @@ public class OpenSSLCipherConfigurationParser {
addListAlias(Constants.SSL_PROTO_TLSv1_2, filterByProtocol(allCiphers, Collections.singleton(Protocol.TLSv1_2)));
addListAlias(Constants.SSL_PROTO_TLSv1_0, filterByProtocol(allCiphers, Collections.singleton(Protocol.TLSv1)));
- addListAlias(Constants.SSL_PROTO_SSLv3, filterByProtocol(allCiphers, Collections.singleton(Protocol.SSLv3)));
aliases.put(Constants.SSL_PROTO_TLSv1, aliases.get(Constants.SSL_PROTO_TLSv1_0));
addListAlias(DH, filterByKeyExchange(allCiphers, new HashSet<>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd, KeyExchange.EDH))));
diff --git a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 06a41f9d42..8f62f9cc40 100644
--- a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -282,6 +282,10 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testSSLv3() throws Exception {
+ if (TesterOpenSSL.VERSION < 40000) {
+ return;
+ }
+ // As of OpenSSL 4.0.0, support for the SSLv3 alias has been removed
testSpecification("SSLv3");
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6beb524a55..b98d31d374 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -237,6 +237,12 @@ Add size limit for OCSP responses. Based on code submitted by Chenjp. (remm)
</fix>
+ <fix>
+ To maintain the documented alignment with the OpenSSL development
+ branch, the use of the alias SSLv3 is no longer supported when setting
+ the <code>ciphers</code> attribute of an <code>SSLHostConfig</code>
+ element. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
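Review bot: In `testSSLv3()` (TestOpenSSLCipherConfigurationParser.java) the new `if (TesterOpenSSL.VERSION < 40000) { return; }` guard makes the test report as passed on every build that runs against an OpenSSL older than 4.0.0, so the parser's removal of the SSLv3 alias has no visible coverage there and the test report gives no hint of that. Assuming the class is on JUnit 4, as the `@Test` annotation suggests, `Assume.assumeTrue(TesterOpenSSL.VERSION >= 40000);` (with an `org.junit.Assume` import if the file lacks one) would record the test as skipped instead. The comment `// As of OpenSSL 4.0.0, support for the SSLv3 alias has been removed` explains the version check, so it belongs above the guard rather than above `testSpecification("SSLv3")`. It may also be worth a companion case for the negated form (for example `!SSLv3`), since how the parser treats the now-unknown token in an existing `ciphers` value is not visible in this hunk.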
