This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new fceaa6d198 Remove support for the SSLv3 alias when configuring ciphers
fceaa6d198 is described below
commit fceaa6d1982c64cc662ea48b6e4ed0b311fec60e
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Feb 10 15:40:22 2026 +0000
Remove support for the SSLv3 alias when configuring ciphers
This is consistent with the documented alignment with the OpenSSL
development branch.
---
.../util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java | 1 -
.../net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java | 4 ++++
webapps/docs/changelog.xml | 6 ++++++
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 6c7b49ae44..7f89f2141f 100644
---
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -501,7 +501,6 @@ public class OpenSSLCipherConfigurationParser {
addListAlias(Constants.SSL_PROTO_TLSv1_2,
filterByProtocol(allCiphers,
Collections.singleton(Protocol.TLSv1_2)));
addListAlias(Constants.SSL_PROTO_TLSv1_0, filterByProtocol(allCiphers,
Collections.singleton(Protocol.TLSv1)));
- addListAlias(Constants.SSL_PROTO_SSLv3, filterByProtocol(allCiphers,
Collections.singleton(Protocol.SSLv3)));
aliases.put(Constants.SSL_PROTO_TLSv1,
aliases.get(Constants.SSL_PROTO_TLSv1_0));
addListAlias(DH, filterByKeyExchange(allCiphers,
new HashSet<>(Arrays.asList(KeyExchange.DHr, KeyExchange.DHd,
KeyExchange.EDH))));
diff --git
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index 06a41f9d42..8f62f9cc40 100644
---
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -282,6 +282,10 @@ public class TestOpenSSLCipherConfigurationParser {
@Test
public void testSSLv3() throws Exception {
+ if (TesterOpenSSL.VERSION < 40000) {
+ return;
+ }
+ // As of OpenSSL 4.0.0, support for the SSLv3 alias has been removed
testSpecification("SSLv3");
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 810ee98c61..1908b237ff 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -117,6 +117,12 @@
Add size limit for OCSP responses. Based on code submitted by Chenjp.
(remm)
</fix>
+ <fix>
+ To maintain the documented alignment with the OpenSSL development
+ branch, the use of the alias SSLv3 is no longer supported when setting
+ the <code>ciphers</code> attribute of an <code>SSLHostConfig</code>
+ element. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
