Posted to users@tomcat.apache.org by tomcat question <to...@googlemail.com> on 2008/06/04 18:38:31 UTC

Tomcat 6 cipher suites / Nessus

Hi everybody,

I am having trouble configuring Tomcat right...
The machine I'm using is a Win2003 server with Tomcat 6.0.14 installed. In
general everything works fine, but for security reasons, I need the server
to pass a Nessus security scan. With Nessus, I receive the following message
about the security of the server:

- The remote service supports the use of anonymous SSL ciphers.
- The remote service supports the use of weak SSL ciphers.

After googling the problem and reviewing the ssl configuration howto, I came
to the conclusion that I need to tweak the ciphers attribute of the
connectors tag. Unfortunately, this has not been successful so far. My
current connector tag looks like:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5"
               keystoreFile="<somepath>" keystorePass="<somepass>"/>

Connecting to the server is no problem, Firefox tells me that the connection
has high security and it's using RC4 encryption. So everything seems to be
fine. Still, I cannot pass the Nessus security scan. Why is that? What kind
of cipher would be wise to choose? From my current understanding, it should
not be possible to connect to Tomcat with any cipher other than
"SSL_RSA_WITH_RC4_128_MD5", but still I get the message about the anonymous
SSL cipher.

Thanks for your time in advance, any help is appreciated.

Stefan
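As an added example (not part of the original post or any reply in the thread), here is a small Python script that reads a Tomcat server.xml, finds the SSL-enabled connectors and classifies every entry in the ciphers attribute by the two properties the scanner above reports on: anonymous suites (no server authentication) and weak ones (RC4, single DES, export-grade, NULL, or an MD5-based MAC). The server.xml fragment, the extra suite names in it and the keystore values are constructed for the example; the classification relies only on the JSSE cipher-suite naming convention. An offline check like this tells you what the configuration asks for, not what the server actually negotiates, so the scan still has to be repeated after the change.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the connector in the post.
# The ciphers list deliberately mixes an anonymous, a weak and an acceptable
# suite; keystore path and password are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_DH_anon_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA"
               keystoreFile="/path/to/keystore" keystorePass="changeit"/>
  </Service>
</Server>"""

# JSSE names anonymous Diffie-Hellman suites with "_anon_" (e.g. SSL_DH_anon_...).
ANON_RE = re.compile(r"_anon_", re.IGNORECASE)
# Weak building blocks, each delimited by underscores or end of name, so that
# "_DES_" matches single DES but not "_3DES_".
WEAK_RE = re.compile(r"_(NULL|EXPORT|DES|RC4|RC2|MD5)(_|$)")


def classify_suite(name):
    """Return 'anonymous', 'weak' or 'ok' for one JSSE cipher-suite name."""
    n = name.strip()
    if ANON_RE.search(n):
        return "anonymous"   # no server certificate involved at all
    if WEAK_RE.search(n):
        return "weak"        # RC4/DES/export/NULL cipher or MD5 MAC
    return "ok"


def parse_cipher_attribute(value):
    """Split Tomcat's comma-separated ciphers attribute into suite names."""
    return [c.strip() for c in value.split(",") if c.strip()]


def audit_connectors(xml_text):
    """Audit every SSL-enabled Connector in a server.xml document.

    Returns one dict per connector with the suites grouped by classification
    plus free-text notes (e.g. a missing ciphers attribute).
    """
    root = ET.fromstring(xml_text)
    report = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        entry = {"port": conn.get("port"), "anonymous": [], "weak": [],
                 "ok": [], "notes": []}
        ciphers_attr = conn.get("ciphers")
        if ciphers_attr is None:
            entry["notes"].append(
                "no ciphers attribute: the JVM default suite list applies")
        else:
            for suite in parse_cipher_attribute(ciphers_attr):
                entry[classify_suite(suite)].append(suite)
        report.append(entry)
    return report


def has_findings(report):
    """True if any connector still lists an anonymous or weak suite."""
    return any(e["anonymous"] or e["weak"] for e in report)


if __name__ == "__main__":
    for entry in audit_connectors(SAMPLE_SERVER_XML):
        print("Connector port %s" % entry["port"])
        for kind in ("anonymous", "weak", "ok"):
            for suite in entry[kind]:
                print("  %-9s %s" % (kind, suite))
        for note in entry["notes"]:
            print("  note: %s" % note)
```

To audit a real configuration, pass the contents of conf/server.xml to audit_connectors instead of the constructed sample. The check only covers the BIO/NIO connector's ciphers attribute; an APR connector configures its suites with a different attribute and is not inspected here.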