When just taking the samples, even null ciphers are accepted! How about
1) defining a default cipher suite equivalent to the "MEDIUM:HIGH" of openssl (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS) that is also used by the apache httpd (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite)
2) changing org.apache.tomcat.util.net.jsse.JSSESocketFactory.getEnabledCiphers, for the case that requestedCiphers == null, to not simply do enabledCiphers = supportedCiphers; but use this fail-safe default cipher suite (based upon the above-referenced JSSERefGuide.html)?
As a quick fix, I suggest adding a well-visible warning to ssl-howto.xml.
For jdk1.5, I guess this could be a list to start with:

    public static String MEDIUM_HIGH =
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_RC4_128_SHA,"
        + "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,"
        + "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,"
        + "SSL_DH_anon_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
        + "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
        + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
        + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,"
        + "TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_256_CBC_SHA,"
        + "TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,"
        + "TLS_KRB5_WITH_RC4_128_MD5,TLS_KRB5_WITH_RC4_128_SHA,"
        + "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA";

Obviously, there should also be a keyword "ALL" that equals sslProxy.getSupportedCipherSuites().
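One way the fail-safe default proposed in this report could look, as an added example that is not Tomcat's code and not part of the original comments: a null requestedCiphers yields a filtered list instead of everything supported, and "ALL" becomes an explicit opt-in. The class name, the rejection patterns and the constructed sample list are assumptions of this example, and `supported` stands in for sslProxy.getSupportedCipherSuites(); the patterns also drop anonymous suites, which the list posted above includes.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: class and method names are hypothetical, not Tomcat code.
public class FailSafeCiphers {

    // Assumed rejection patterns: no encryption, no authentication,
    // export-grade keys, single DES, RC2.
    private static final String[] REJECTED = {
        "_NULL_", "_anon_", "_EXPORT_", "_DES40_", "_WITH_DES_", "_RC2_"
    };

    static boolean isAcceptable(String suite) {
        for (String marker : REJECTED) {
            if (suite.contains(marker)) return false;
        }
        return true;
    }

    // null -> filtered default, "ALL" -> everything supported (explicit opt-in),
    // otherwise the comma-separated request restricted to supported suites.
    static String[] getEnabledCiphers(String requested, String[] supported) {
        List<String> enabled = new ArrayList<String>();
        boolean all = requested != null && "ALL".equals(requested.trim());
        List<String> wanted = new ArrayList<String>();
        if (requested != null && !all) {
            for (String name : requested.split(",")) {
                wanted.add(name.trim());
            }
        }
        for (String suite : supported) {
            if (all || (requested == null ? isAcceptable(suite) : wanted.contains(suite))) {
                enabled.add(suite);
            }
        }
        return enabled.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed sample of what a JVM might report as supported.
        String[] sample = {
            "SSL_RSA_WITH_NULL_MD5", "SSL_DH_anon_WITH_RC4_128_MD5",
            "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_DES_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
        };
        System.out.println("default: " + String.join(",", getEnabledCiphers(null, sample)));
        System.out.println("ALL:     " + String.join(",", getEnabledCiphers("ALL", sample)));
    }
}
```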
An easy outside discovery is described in http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1162. The related issue in ws-axis is http://issues.apache.org/jira/browse/AXIS-2216 (client side).
Ralf, it's been two years almost since you filed this issue, and a few months since you've been a committer with the ability to fix it yourself. Since it hasn't been done, and no one's complained or voted or even expressed interest, I'm guessing it's not going to happen. Unless you want to do it, in which case feel free to reopen and then address the issue.