diff --git a/debian/patches/0003-Remove-the-EXPORT-ciphers-and-related-code-path.patch b/debian/patches/0003-Remove-the-EXPORT-ciphers-and-related-code-path.patch
new file mode 100644
index 0000000000..c338c4cfb9
--- /dev/null
+++ b/debian/patches/0003-Remove-the-EXPORT-ciphers-and-related-code-path.patch
@@ -0,0 +1,233 @@
+From 9c38772f094168d8bfd5bc73bf8925cd04faad10 Mon Sep 17 00:00:00 2001
+From: Sebastien Pouliot <sebastien@xamarin.com>
+Date: Fri, 6 Mar 2015 10:35:27 -0500
+Subject: [PATCH 3/3]     Remove the EXPORT ciphers and related code path
+
+    That was still useful in 2003/2004 but the technical and legal landscape
+    changed a lot since then. Removing the old, limited key size, cipher
+    suites also allow removed additional parts of the code that deals with
+    them.
+---
+ .../CipherSuiteFactory.cs                          | 28 +++++------
+ .../ClientRecordProtocol.cs                        |  7 ---
+ .../Mono.Security.Protocol.Tls/SslCipherSuite.cs   | 54 ++--------------------
+ .../Mono.Security.Protocol.Tls/SslServerStream.cs  | 12 +----
+ .../Mono.Security.Protocol.Tls/TlsCipherSuite.cs   | 40 ++--------------
+ 5 files changed, 26 insertions(+), 115 deletions(-)
+
+diff --git a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/CipherSuiteFactory.cs b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/CipherSuiteFactory.cs
+index b8eb7ec..13573cb 100644
+--- a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/CipherSuiteFactory.cs
++++ b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/CipherSuiteFactory.cs
+@@ -116,14 +116,14 @@ namespace Mono.Security.Protocol.Tls
+ 			scs.Add((0x00 << 0x08) | 0x09, "TLS_RSA_WITH_DES_CBC_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, false, true, 8, 8, 56, 8, 8);
+ 			
+ 			// Supported exportable ciphers
+-			scs.Add((0x00 << 0x08) | 0x03, "TLS_RSA_EXPORT_WITH_RC4_40_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 5, 16, 40, 0, 0);
+-			scs.Add((0x00 << 0x08) | 0x06, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 16, 40, 8, 8);
+-			scs.Add((0x00 << 0x08) | 0x08, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 8, 40, 8, 8);
+-			scs.Add((0x00 << 0x08) | 0x60, "TLS_RSA_EXPORT_WITH_RC4_56_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
+-			scs.Add((0x00 << 0x08) | 0x61, "TLS_RSA_EXPORT_WITH_RC2_CBC_56_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 7, 16, 56, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x03, "TLS_RSA_EXPORT_WITH_RC4_40_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 5, 16, 40, 0, 0);
++			// scs.Add((0x00 << 0x08) | 0x06, "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 16, 40, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x08, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 8, 40, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x60, "TLS_RSA_EXPORT_WITH_RC4_56_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
++			// scs.Add((0x00 << 0x08) | 0x61, "TLS_RSA_EXPORT_WITH_RC2_CBC_56_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 7, 16, 56, 8, 8);
+ 			// 56 bits but we use 64 bits because of parity (DES is really 56 bits)
+-			scs.Add((0x00 << 0x08) | 0x62, "TLS_RSA_EXPORT_WITH_DES_CBC_56_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 8, 8, 64, 8, 8); 
+-			scs.Add((0x00 << 0x08) | 0x64, "TLS_RSA_EXPORT_WITH_RC4_56_SHA", CipherAlgorithmType.Rc4, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
++			// scs.Add((0x00 << 0x08) | 0x62, "TLS_RSA_EXPORT_WITH_DES_CBC_56_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 8, 8, 64, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x64, "TLS_RSA_EXPORT_WITH_RC4_56_SHA", CipherAlgorithmType.Rc4, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
+ 			
+ 			// Default CipherSuite
+ 			// scs.Add(0, "TLS_NULL_WITH_NULL_NULL", CipherAlgorithmType.None, HashAlgorithmType.None, ExchangeAlgorithmType.None, true, false, 0, 0, 0, 0, 0);
+@@ -195,14 +195,14 @@ namespace Mono.Security.Protocol.Tls
+ 			scs.Add((0x00 << 0x08) | 0x09, "SSL_RSA_WITH_DES_CBC_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, false, true, 8, 8, 56, 8, 8);
+ 
+ 			// Supported exportable ciphers
+-			scs.Add((0x00 << 0x08) | 0x03, "SSL_RSA_EXPORT_WITH_RC4_40_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 5, 16, 40, 0, 0);
+-			scs.Add((0x00 << 0x08) | 0x06, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 16, 40, 8, 8);
+-			scs.Add((0x00 << 0x08) | 0x08, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 8, 40, 8, 8);
+-			scs.Add((0x00 << 0x08) | 0x60, "SSL_RSA_EXPORT_WITH_RC4_56_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
+-			scs.Add((0x00 << 0x08) | 0x61, "SSL_RSA_EXPORT_WITH_RC2_CBC_56_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 7, 16, 56, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x03, "SSL_RSA_EXPORT_WITH_RC4_40_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 5, 16, 40, 0, 0);
++			// scs.Add((0x00 << 0x08) | 0x06, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 16, 40, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x08, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 5, 8, 40, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x60, "SSL_RSA_EXPORT_WITH_RC4_56_MD5", CipherAlgorithmType.Rc4, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
++			// scs.Add((0x00 << 0x08) | 0x61, "SSL_RSA_EXPORT_WITH_RC2_CBC_56_MD5", CipherAlgorithmType.Rc2, HashAlgorithmType.Md5, ExchangeAlgorithmType.RsaKeyX, true, true, 7, 16, 56, 8, 8);
+ 			// 56 bits but we use 64 bits because of parity (DES is really 56 bits)
+-			scs.Add((0x00 << 0x08) | 0x62, "SSL_RSA_EXPORT_WITH_DES_CBC_56_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 8, 8, 64, 8, 8); 
+-			scs.Add((0x00 << 0x08) | 0x64, "SSL_RSA_EXPORT_WITH_RC4_56_SHA", CipherAlgorithmType.Rc4, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
++			// scs.Add((0x00 << 0x08) | 0x62, "SSL_RSA_EXPORT_WITH_DES_CBC_56_SHA", CipherAlgorithmType.Des, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, true, 8, 8, 64, 8, 8);
++			// scs.Add((0x00 << 0x08) | 0x64, "SSL_RSA_EXPORT_WITH_RC4_56_SHA", CipherAlgorithmType.Rc4, HashAlgorithmType.Sha1, ExchangeAlgorithmType.RsaKeyX, true, false, 7, 16, 56, 0, 0);
+ 
+ 			// Default CipherSuite
+ 			// scs.Add(0, "SSL_NULL_WITH_NULL_NULL", CipherAlgorithmType.None, HashAlgorithmType.None, true, false, 0, 0, 0, 0, 0);
+diff --git a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs
+index acaa0c2..0602e70 100644
+--- a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs
++++ b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/ClientRecordProtocol.cs
+@@ -160,13 +160,6 @@ namespace Mono.Security.Protocol.Tls
+ 					return new TlsServerCertificate(this.context, buffer);
+ 
+ 					// Optional
+-				case HandshakeType.ServerKeyExchange:
+-					// only for RSA_EXPORT
+-					if (last == HandshakeType.Certificate && context.Current.Cipher.IsExportable)
+-						return new TlsServerKeyExchange(this.context, buffer);
+-					break;
+-
+-					// Optional
+ 				case HandshakeType.CertificateRequest:
+ 					if (last == HandshakeType.ServerKeyExchange || last == HandshakeType.Certificate)
+ 						return new TlsServerCertificateRequest(this.context, buffer);
+diff --git a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslCipherSuite.cs b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslCipherSuite.cs
+index ae9b9d5..da95ed1 100644
+--- a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslCipherSuite.cs
++++ b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslCipherSuite.cs
+@@ -190,59 +190,15 @@ namespace Mono.Security.Protocol.Tls
+ 			this.Context.ClientWriteKey = keyBlock.ReadBytes(this.KeyMaterialSize);
+ 			this.Context.ServerWriteKey = keyBlock.ReadBytes(this.KeyMaterialSize);
+ 
+-			if (!this.IsExportable)
++			if (this.IvSize != 0)
+ 			{
+-				if (this.IvSize != 0)
+-				{
+-					this.Context.ClientWriteIV = keyBlock.ReadBytes(this.IvSize);
+-					this.Context.ServerWriteIV = keyBlock.ReadBytes(this.IvSize);
+-				}
+-				else
+-				{
+-					this.Context.ClientWriteIV = CipherSuite.EmptyArray;
+-					this.Context.ServerWriteIV = CipherSuite.EmptyArray;
+-				}
++				this.Context.ClientWriteIV = keyBlock.ReadBytes(this.IvSize);
++				this.Context.ServerWriteIV = keyBlock.ReadBytes(this.IvSize);
+ 			}
+ 			else
+ 			{
+-				HashAlgorithm md5 = MD5.Create();
+-
+-				int keySize = (md5.HashSize >> 3); //in bytes not bits
+-				byte[] temp = new byte [keySize];
+-
+-				// Generate final write keys
+-				md5.TransformBlock(this.Context.ClientWriteKey, 0, this.Context.ClientWriteKey.Length, temp, 0);
+-				md5.TransformFinalBlock(this.Context.RandomCS, 0, this.Context.RandomCS.Length);
+-				byte[] finalClientWriteKey = new byte[this.ExpandedKeyMaterialSize];
+-				Buffer.BlockCopy(md5.Hash, 0, finalClientWriteKey, 0, this.ExpandedKeyMaterialSize);
+-
+-				md5.Initialize();
+-				md5.TransformBlock(this.Context.ServerWriteKey, 0, this.Context.ServerWriteKey.Length, temp, 0);
+-				md5.TransformFinalBlock(this.Context.RandomSC, 0, this.Context.RandomSC.Length);
+-				byte[] finalServerWriteKey = new byte[this.ExpandedKeyMaterialSize];
+-				Buffer.BlockCopy(md5.Hash, 0, finalServerWriteKey, 0, this.ExpandedKeyMaterialSize);
+-				
+-				this.Context.ClientWriteKey = finalClientWriteKey;
+-				this.Context.ServerWriteKey = finalServerWriteKey;
+-
+-				// Generate IV keys
+-				if (this.IvSize > 0) 
+-				{
+-					md5.Initialize();
+-					temp = md5.ComputeHash(this.Context.RandomCS, 0, this.Context.RandomCS.Length);
+-					this.Context.ClientWriteIV = new byte[this.IvSize];
+-					Buffer.BlockCopy(temp, 0, this.Context.ClientWriteIV, 0, this.IvSize);
+-
+-					md5.Initialize();
+-					temp = md5.ComputeHash(this.Context.RandomSC, 0, this.Context.RandomSC.Length);
+-					this.Context.ServerWriteIV = new byte[this.IvSize];
+-					Buffer.BlockCopy(temp, 0, this.Context.ServerWriteIV, 0, this.IvSize);
+-				}
+-				else 
+-				{
+-					this.Context.ClientWriteIV = CipherSuite.EmptyArray;
+-					this.Context.ServerWriteIV = CipherSuite.EmptyArray;
+-				}
++				this.Context.ClientWriteIV = CipherSuite.EmptyArray;
++				this.Context.ServerWriteIV = CipherSuite.EmptyArray;
+ 			}
+ 
+ 			DebugHelper.WriteLine(">>>> KeyBlock", keyBlock.ToArray());
+diff --git a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslServerStream.cs b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslServerStream.cs
+index 6862c69..fb8ede4 100644
+--- a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslServerStream.cs
++++ b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/SslServerStream.cs
+@@ -233,16 +233,8 @@ namespace Mono.Security.Protocol.Tls
+ 			// Send ServerCertificate message
+ 			this.protocol.SendRecord(HandshakeType.Certificate);
+ 
+-			// If the negotiated cipher is a KeyEx cipher send ServerKeyExchange
+-			if (this.context.Negotiating.Cipher.IsExportable)
+-			{
+-				this.protocol.SendRecord(HandshakeType.ServerKeyExchange);
+-			}
+-
+-			// If the negotiated cipher is a KeyEx cipher or
+-			// the client certificate is required send the CertificateRequest message
+-			if (this.context.Negotiating.Cipher.IsExportable ||
+-				((ServerContext)this.context).ClientCertificateRequired ||
++			// If the client certificate is required send the CertificateRequest message
++			if (((ServerContext)this.context).ClientCertificateRequired ||
+ 				((ServerContext)this.context).RequestClientCertificate)
+ 			{
+ 				this.protocol.SendRecord(HandshakeType.CertificateRequest);
+diff --git a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/TlsCipherSuite.cs b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/TlsCipherSuite.cs
+index f4feb4e..2b261bf 100644
+--- a/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/TlsCipherSuite.cs
++++ b/mcs/class/Mono.Security/Mono.Security.Protocol.Tls/TlsCipherSuite.cs
+@@ -123,45 +123,15 @@ namespace Mono.Security.Protocol.Tls
+ 			this.Context.ClientWriteKey = keyBlock.ReadBytes(this.KeyMaterialSize);
+ 			this.Context.ServerWriteKey = keyBlock.ReadBytes(this.KeyMaterialSize);
+ 
+-			if (!this.IsExportable)
++			if (this.IvSize != 0)
+ 			{
+-				if (this.IvSize != 0)
+-				{
+-					this.Context.ClientWriteIV = keyBlock.ReadBytes(this.IvSize);
+-					this.Context.ServerWriteIV = keyBlock.ReadBytes(this.IvSize);
+-				}
+-				else
+-				{
+-					this.Context.ClientWriteIV = CipherSuite.EmptyArray;
+-					this.Context.ServerWriteIV = CipherSuite.EmptyArray;
+-				}
++				this.Context.ClientWriteIV = keyBlock.ReadBytes(this.IvSize);
++				this.Context.ServerWriteIV = keyBlock.ReadBytes(this.IvSize);
+ 			}
+ 			else
+ 			{
+-				// Generate final write keys
+-				byte[] finalClientWriteKey	= PRF(this.Context.ClientWriteKey, "client write key", this.Context.RandomCS, this.ExpandedKeyMaterialSize);
+-				byte[] finalServerWriteKey	= PRF(this.Context.ServerWriteKey, "server write key", this.Context.RandomCS, this.ExpandedKeyMaterialSize);
+-				
+-				this.Context.ClientWriteKey	= finalClientWriteKey;
+-				this.Context.ServerWriteKey	= finalServerWriteKey;
+-
+-				if (this.IvSize > 0) 
+-				{
+-					// Generate IV block
+-					byte[] ivBlock = PRF(CipherSuite.EmptyArray, "IV block", this.Context.RandomCS, this.IvSize*2);
+-
+-					// Generate IV keys
+-					this.Context.ClientWriteIV = new byte[this.IvSize];				
+-					Buffer.BlockCopy(ivBlock, 0, this.Context.ClientWriteIV, 0, this.Context.ClientWriteIV.Length);
+-
+-					this.Context.ServerWriteIV = new byte[this.IvSize];
+-					Buffer.BlockCopy(ivBlock, this.IvSize, this.Context.ServerWriteIV, 0, this.Context.ServerWriteIV.Length);
+-				}
+-				else 
+-				{
+-					this.Context.ClientWriteIV = CipherSuite.EmptyArray;
+-					this.Context.ServerWriteIV = CipherSuite.EmptyArray;
+-				}
++				this.Context.ClientWriteIV = CipherSuite.EmptyArray;
++				this.Context.ServerWriteIV = CipherSuite.EmptyArray;
+ 			}
+ 
+ 			DebugHelper.WriteLine(">>>> KeyBlock", keyBlock.ToArray());
+-- 
+1.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
index fae4927cc5..e548b65003 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
 0001-TLS-protocol-add-handshake-state-validation.patch
 0002-Remove-the-client-side-SSLv2-fallback.patch
+0003-Remove-the-EXPORT-ciphers-and-related-code-path.patch
 0001-Workaround-for-X509Certificate.RSA-throwing-an-unhan.patch
 0001-Fix-build-on-s390.patch