I have extensively searched the web, but I can't find a definitive answer on this. Here's the situation.

I have Tomcat 4.1.31 with Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_15-b04), running on a Solaris 8 box. Due to custom production apps we cannot upgrade Tomcat at this time (the transition to Tomcat 6 is in progress but not yet completed). Our security scanner is reporting the following weak ciphers on the port we use for Tomcat:

    EXP-DES-CBC-SHA    Weak Security
    EXP-RC4-MD5        Weak Security
    DES-CBC-SHA        Weak Security

The list of ciphers I have configured in servers.xml is

    ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

As you can see, none of the weak ciphers detected by the scanner are listed in the servers.xml. The question is: how do I block these weak ciphers, and is it possible that an application other than Tomcat might be providing/serving these ciphers (such as a Java certificate etc.) on the port used by Tomcat?

Thanks for any help you can provide.

Zahid
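One way to narrow down the question above, as an added diagnostic that is not part of the original post and not Tomcat's or the JDK's own code: run a small program on the same JVM that runs Tomcat and list the cipher suites that JVM's JSSE provider enables by default for server sockets. If the export-grade and single-DES suites the scanner reports are in that default list, then any SSL endpoint in that JVM that does not explicitly restrict its suites (the way the connector's ciphers attribute is meant to) will offer them. The substring rules in isWeak are my assumptions based on the JSSE suite naming convention (for example SSL_RSA_EXPORT_WITH_RC4_40_MD5 is the JSSE name for the scanner's EXP-RC4-MD5, and SSL_RSA_WITH_DES_CBC_SHA for DES-CBC-SHA); adjust them to match your scanner's policy.

```java
// CipherAudit.java: added diagnostic, not from the original post.
// Lists the cipher suites the running JVM enables by default for server
// sockets and flags the ones a scanner would report as weak. Compile and run
// with the same JDK that Tomcat uses (Java 5 syntax only).
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

public class CipherAudit {

    // Heuristic classification. The substrings are assumptions derived from
    // the JSSE naming convention, not a list published by the JDK.
    static boolean isWeak(String suite) {
        return suite.indexOf("_EXPORT_") >= 0     // 40/56-bit export grades (EXP-* in OpenSSL names)
            || suite.indexOf("_WITH_DES_") >= 0   // single DES (DES-CBC-SHA); 3DES is "_WITH_3DES_"
            || suite.indexOf("_NULL_") >= 0       // no encryption or no integrity
            || suite.indexOf("_anon_") >= 0;      // anonymous DH: no server authentication
    }

    // Returns the subset of the given suites that isWeak() flags.
    static List<String> weakSuites(String[] suites) {
        List<String> weak = new ArrayList<String>();
        for (String s : suites) {
            if (isWeak(s)) {
                weak.add(s);
            }
        }
        return weak;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory factory =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        // What a server socket negotiates unless setEnabledCipherSuites() restricts it.
        String[] enabled = factory.getDefaultCipherSuites();
        // Everything the provider could enable if asked.
        String[] supported = factory.getSupportedCipherSuites();

        System.out.println("Enabled by default: " + enabled.length
            + ", supported: " + supported.length);
        for (String s : weakSuites(enabled)) {
            System.out.println("WEAK (enabled by default): " + s);
        }
        for (String s : weakSuites(supported)) {
            if (!weakSuites(enabled).contains(s)) {
                System.out.println("weak but not enabled by default: " + s);
            }
        }
    }
}
```

If the program shows the export and single-DES suites as enabled by default, the next check is whether the connector's restriction is actually being applied on that port: confirm with `openssl s_client -cipher EXP -connect host:port` (and `-cipher DES-CBC-SHA`) from another machine; a completed handshake means something on that port is still accepting those suites, a handshake failure means the restriction is in effect.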
I have tomcat 4.1.31 with Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_15-b04), running on a Solaris 8 box. Due to custom production apps we can not upgrade tomcat at this time (the transition to tomcat 6 is in progress but not yet completed). Our security scanner is reporting the following weak ciphers on the port we use for tomcat. EXP-DES-CBC-SHA Weak Security EXP-RC4-MD5 Weak Security DES-CBC-SHA Weak Security The list of ciphers I have configured in servers.xml is ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_W ITH_3DES_EDE_CBC_SHA" as you can see none of the weak ciphers detected by the scanner are listed in the servers.xml. The question is how do I block these weak ciphers and is it possible that an application other than tomcat might be providing/serving these ciphers (such as a java certificate etc.) on the port used by tomcat. Thanks for any help you can provide. Zahid ************************************************************************* The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend this communication to the sender and delete the original message or any copy of it from your computer system. Thank you. *************************************************************************