Refactor default cipher lists

Author: markt-asf

java/org/apache/tomcat/util/net/SSLHostConfig.java

@@ -59,9 +59,14 @@ public class SSLHostConfig implements Serializable {
     // keys in Maps.
     protected static final String DEFAULT_SSL_HOST_NAME = "_default_";
     protected static final Set<String> SSL_PROTO_ALL_SET = new HashSet<>();
-    protected static final String DEFAULT_TLS_12_BELOW_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
-    protected static final String DEFAULT_TLS_13_ABOVE_CIPHERS = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
-    public static final String DEFAULT_TLS_CIPHERS = DEFAULT_TLS_12_BELOW_CIPHERS + ":" + DEFAULT_TLS_13_ABOVE_CIPHERS;
+    public static final String DEFAULT_TLS_CIPHERS_12 = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA";
+    public static final String DEFAULT_TLS_CIPHERS_13 = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256";
+    /**
+     * Default cipher list for TLS 1.2 and below.
+     * @deprecated Replaced by {@link #DEFAULT_TLS_CIPHERS_12}
+     */
+    @Deprecated
+    public static final String DEFAULT_TLS_CIPHERS = DEFAULT_TLS_CIPHERS_12;
 
     static {
         /*

java/org/apache/tomcat/util/net/SSLUtilBase.java

@@ -128,7 +128,7 @@ protected SSLUtilBase(SSLHostConfigCertificate certificate, boolean warnTls13) {
             // OpenSSL profiles cannot be resolved without Java 22
             this.enabledCiphers = new String[0];
         } else {
-            boolean warnOnSkip = !sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS);
+            boolean warnOnSkip = !sslHostConfig.getCiphers().equals(SSLHostConfig.DEFAULT_TLS_CIPHERS_12);
             List<String> configuredCiphers = sslHostConfig.getJsseCipherNames();
             Set<String> implementedCiphers = getImplementedCiphers();
             List<String> enabledCiphers =