This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 3307e26a1d Remove support for the EXPORT aliases
3307e26a1d is described below

commit 3307e26a1d2c620dd60a97f9179b931cd17c3e36
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Feb 10 16:11:55 2026 +0000

    Remove support for the EXPORT aliases
---
 java/org/apache/tomcat/util/net/SSLHostConfig.java |  2 +-
 .../ciphers/OpenSSLCipherConfigurationParser.java  | 20 +----------
 .../TestOpenSSLCipherConfigurationParser.java      | 42 ++++++++++++----------
 webapps/docs/changelog.xml                         |  3 +-
 4 files changed, 28 insertions(+), 39 deletions(-)

diff --git a/java/org/apache/tomcat/util/net/SSLHostConfig.java 
b/java/org/apache/tomcat/util/net/SSLHostConfig.java
index ed5fce389d..5a3fdc05f1 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfig.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfig.java
@@ -59,7 +59,7 @@ public class SSLHostConfig implements Serializable {
     // keys in Maps.
     protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
     protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
-    public static final String DEFAULT_TLS_CIPHERS_12 = 
"HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+    public static final String DEFAULT_TLS_CIPHERS_12 = 
"HIGH:!aNULL:!eNULL:!DES:!RC4:!MD5:!kRSA";
     public static final String DEFAULT_TLS_CIPHERS_13 = 
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
     /**
      * Default cipher list for TLS 1.2 and below.
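Review bot: The reason `!EXPORT` can be dropped from `DEFAULT_TLS_CIPHERS_12` is not recorded next to the constant, and the old value was public, so it has likely been copied into existing `ciphers` attributes. Judging by the parser hunks in this commit, `HIGH` is built only from `EncryptionLevel.HIGH`, so the exclusion was redundant. A one-line comment would stop a later reader from treating the missing exclusion as an oversight, for example `// No !EXPORT: the alias is no longer recognised and HIGH never selected export-grade suites`. How `parse()` treats a now-unknown `EXPORT` token in a user-supplied string is not visible in this diff; if it is skipped silently, a logged warning would tell operators that their configuration carries a dead token.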
diff --git 
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
 
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
index 4fd0e15168..afe390743d 100644
--- 
a/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
+++ 
b/java/org/apache/tomcat/util/net/openssl/ciphers/OpenSSLCipherConfigurationParser.java
@@ -99,18 +99,6 @@ public class OpenSSLCipherConfigurationParser {
      * cipher suites.
      */
     private static final String LOW = "LOW";
-    /**
-     * Export encryption algorithms. Including 40 and 56 bits algorithms.
-     */
-    private static final String EXPORT = "EXPORT";
-    /**
-     * 40 bit export encryption algorithms.
-     */
-    private static final String EXPORT40 = "EXPORT40";
-    /**
-     * 56 bit export encryption algorithms.
-     */
-    private static final String EXPORT56 = "EXPORT56";
     /**
      * Cipher suites using RSA key exchange.
      */
@@ -450,11 +438,6 @@ public class OpenSSLCipherConfigurationParser {
         addListAlias(HIGH, filterByEncryptionLevel(allCiphers, 
Collections.singleton(EncryptionLevel.HIGH)));
         addListAlias(MEDIUM, filterByEncryptionLevel(allCiphers, 
Collections.singleton(EncryptionLevel.MEDIUM)));
         addListAlias(LOW, filterByEncryptionLevel(allCiphers, 
Collections.singleton(EncryptionLevel.LOW)));
-        addListAlias(EXPORT, filterByEncryptionLevel(allCiphers,
-                new HashSet<>(Arrays.asList(EncryptionLevel.EXP40, 
EncryptionLevel.EXP56))));
-        aliases.put("EXP", aliases.get(EXPORT));
-        addListAlias(EXPORT40, filterByEncryptionLevel(allCiphers, 
Collections.singleton(EncryptionLevel.EXP40)));
-        addListAlias(EXPORT56, filterByEncryptionLevel(allCiphers, 
Collections.singleton(EncryptionLevel.EXP56)));
         aliases.put("NULL", aliases.get(eNULL));
         aliases.put(COMPLEMENTOFALL, aliases.get(eNULL));
         addListAlias(aNULL, filterByAuthentication(allCiphers, 
Collections.singleton(Authentication.aNULL)));
@@ -573,13 +556,12 @@ public class OpenSSLCipherConfigurationParser {
         addListAlias(SRP, filterByKeyExchange(allCiphers, 
Collections.singleton(KeyExchange.SRP)));
         initialized = true;
         addListAlias(DEFAULT, parse(
-                
"ALL:!EXPORT:!eNULL:!aNULL:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES:!ARIA"));
+                
"ALL:!eNULL:!aNULL:!DES:!RC2:!RC4:!DSS:!SEED:!IDEA:!CAMELLIA:!AESCCM:!3DES:!ARIA"));
         // COMPLEMENTOFDEFAULT is also not exactly as defined by the docs
         LinkedHashSet<Cipher> complementOfDefault =
                 filterByKeyExchange(all, new 
HashSet<>(Arrays.asList(KeyExchange.EDH, KeyExchange.EECDH)));
         complementOfDefault = filterByAuthentication(complementOfDefault, 
Collections.singleton(Authentication.aNULL));
         aliases.get(eNULL).forEach(complementOfDefault::remove);
-        complementOfDefault.addAll(aliases.get(EXPORT));
         complementOfDefault.addAll(aliases.get(DES));
         complementOfDefault.addAll(aliases.get(TRIPLE_DES));
         complementOfDefault.addAll(aliases.get(RC2));
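Review bot: With `!EXPORT` removed from the `DEFAULT` expression and `aliases.get(EXPORT)` no longer added to `complementOfDefault`, nothing visible in this hunk keeps a suite with `EncryptionLevel.EXP40` or `EXP56` out of the `ALL`-derived lists. Whether the `Cipher` enum still defines such suites cannot be seen from this diff; if any remain, `DEFAULT` would now include them instead of excluding them. A regression test that parses `DEFAULT` and `ALL` and asserts that no returned cipher carries an export encryption level would pin this down independently of the installed OpenSSL version. Failing that, a comment above the `parse(` call should state that no export-grade suites remain in `allCiphers`. The enclosing initialisation method starts and ends outside this hunk.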
diff --git 
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
 
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
index e1468256bc..aee2878a20 100644
--- 
a/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
+++ 
b/test/org/apache/tomcat/util/net/openssl/ciphers/TestOpenSSLCipherConfigurationParser.java
@@ -88,18 +88,6 @@ public class TestOpenSSLCipherConfigurationParser {
     }
 
 
-    @Test
-    public void testEXPORT40() throws Exception {
-        testSpecification("EXPORT40");
-    }
-
-
-    @Test
-    public void testEXPORT() throws Exception {
-        testSpecification("EXPORT");
-    }
-
-
     @Test
     public void testRSA() throws Exception {
         testSpecification("RSA");
@@ -545,17 +533,17 @@ public class TestOpenSSLCipherConfigurationParser {
         // a number of the reference browsers
         if (TesterOpenSSL.VERSION < 30200) {
             // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium
-            
testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+            testSpecification("HIGH:!AESCCM8:!aNULL:!eNULL:!DES:!RC4:!MD5");
         } else {
-            testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5");
+            testSpecification("HIGH:!aNULL:!eNULL:!DES:!RC4:!MD5");
         }
     }
 
 
     @Test
     public void testSpecification02() throws Exception {
-        // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/, s/\!SSLv2//)
-        
testSpecification("!aNULL:!eNULL:!EXPORT:!DSS:!DES:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM");
+        // Suggestion from dev list (s/ECDHE/kEECDH/, s/DHE/EDH/, s/\!SSLv2//, 
s/\!EXPORT//)
+        
testSpecification("!aNULL:!eNULL:!DSS:!DES:kEECDH:ECDH:EDH:AES256-GCM-SHA384:AES128-GCM-SHA256:+RC4:HIGH:aRSA:kECDHr:MEDIUM");
     }
 
 
@@ -574,9 +562,9 @@ public class TestOpenSSLCipherConfigurationParser {
     public void testSpecification04() throws Exception {
         if (TesterOpenSSL.VERSION < 30200) {
             // OpenSSL 3.2.x moved the CCM8 ciphers from high to medium
-            
testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:!AESCCM8");
+            
testSpecification("HIGH:!aNULL:!eNULL:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:!AESCCM8");
         } else {
-            
testSpecification("HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:");
+            
testSpecification("HIGH:!aNULL:!eNULL:!DES:!RC4:!3DES:!MD5:!PSK:!DSS:!SHA1:!SHA256:!SHA384:");
         }
     }
 
@@ -593,6 +581,24 @@ public class TestOpenSSLCipherConfigurationParser {
     }
 
 
+    @Test
+    public void testSpecificationIsEmptyEXPORT() throws Exception {
+        testSpecificationIsEmpty("EXPORT");
+    }
+
+
+    @Test
+    public void testSpecificationIsEmptyEXPORT40() throws Exception {
+        testSpecificationIsEmpty("EXPORT40");
+    }
+
+
+    @Test
+    public void testSpecificationIsEmptyEXPORT56() throws Exception {
+        testSpecificationIsEmpty("EXPORT56");
+    }
+
+
     private void testSpecificationIsEmpty(String specification) throws 
Exception {
         String openSSLCipherList = 
TesterOpenSSL.getOpenSSLCiphersAsExpression(specification);
         Assert.assertEquals("Specification [" + specification + "] returned [" 
+ openSSLCipherList +
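Review bot: The new empty-result tests cover `EXPORT`, `EXPORT40` and `EXPORT56`, but the parser hunk also removes the short alias registered by `aliases.put("EXP", aliases.get(EXPORT))`, and no test exercises it. Adding a fourth method of the same shape, `testSpecificationIsEmptyEXP`, that calls `testSpecificationIsEmpty("EXP");` would confirm the short form is rejected consistently with the long ones. This assumes the reference OpenSSL build also returns an empty list for `EXP`. The changelog entry in this commit does not list `EXP` either, so operators using the short form get no notice. The body of `testSpecificationIsEmpty` continues past the end of this hunk, so what it asserts beyond the OpenSSL output is not visible here.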
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 23899ea03d..2231e36a33 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -119,7 +119,8 @@
       </fix>
       <fix>
         To maintain the documented alignment with the OpenSSL development
-        branch, the use of the alias <code>SSLv3</code> is no longer supported
+        branch, the use of the aliases <code>SSLv3</code>, <code>EXPORT</code>,
+        <code>EXPORT40</code> and <code>EXPORT56</code> are no longer supported
         when setting the <code>ciphers</code> attribute of an
         <code>SSLHostConfig</code> element. (markt)
       </fix>

