Hi everybody, I am having trouble configuring Tomcat right... The machine I'm using is a Win2003 server with Tomcat 6.0.14 installed. In general everything works fine, but for security reasons, I need the server to pass a Nessus security scan. With Nessus, I receive the following messages about the security of the server:

- The remote service supports the use of anonymous SSL ciphers.
- The remote service supports the use of weak SSL ciphers.

After googling the problem and reviewing the SSL configuration howto, I came to the conclusion that I need to tweak the ciphers attribute of the Connector tag. Unfortunately, this has not been successful so far. My current Connector tag looks like:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5"
               keystoreFile="<somepath>" keystorePass="<somepass>"/>

Connecting to the server is no problem; Firefox tells me that the connection has high security and it's using RC4 encryption. So everything seems to be fine. Still, I cannot pass the Nessus security scan. Why is that? What kind of cipher would be wise to choose? From my current understanding, it should not be possible to connect to Tomcat with any cipher other than "SSL_RSA_WITH_RC4_128_MD5", but still I get the message about the anonymous SSL cipher.

Thanks for your time in advance, any help is appreciated.

Stefan
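As an added example (not from the original post), here is a small Python audit that reads the Connector element from a server.xml and classifies each suite in its ciphers attribute the way a scanner would: suites with "anon" in the name offer no server authentication, and suites built on RC4, MD5, DES, NULL or export-grade primitives count as weak. The name patterns are an assumption that approximates scanner policy, not Nessus's actual rule set, and the keystore values in the sample are constructed placeholders.

```python
# Added example (not from the original post): audit the ciphers attribute of
# a Tomcat <Connector> element the way a TLS scanner would classify its suites.
import re
import xml.etree.ElementTree as ET

# Name fragments marking a suite as anonymous (no server authentication) or
# weak (broken or export-grade primitives). Hypothetical approximation of
# scanner policy, not Nessus's real rules.
ANONYMOUS = re.compile(r"_anon_", re.I)
WEAK = re.compile(r"NULL|EXPORT|_DES_|RC4|RC2|MD5", re.I)

def classify_suite(name):
    """Return 'anonymous', 'weak' or 'ok' for one JSSE cipher suite name."""
    if ANONYMOUS.search(name):
        return "anonymous"
    if WEAK.search(name):
        return "weak"
    return "ok"

def audit_connector(server_xml):
    """Parse server.xml text and report each SSL connector's suite classes.

    Returns a list of {"port": ..., "ciphers": ...}; "ciphers" maps each
    configured suite to its class, or is None when the attribute is absent
    (Tomcat then falls back to the JSSE default suite list).
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = conn.get("ciphers")
        suites = None
        if raw is not None:
            suites = {s.strip(): classify_suite(s.strip())
                      for s in raw.split(",") if s.strip()}
        results.append({"port": conn.get("port"), "ciphers": suites})
    return results

# Constructed sample mirroring the connector in the post; keystore values are
# placeholders, not real paths or passwords.
SAMPLE = """<Server><Service>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" ciphers="SSL_RSA_WITH_RC4_128_MD5"
           keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for entry in audit_connector(SAMPLE):
        print(entry["port"], entry["ciphers"])
```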