10-27-2017
05:11 AM
We are having this issue too. We have been advised by our security analysts that although this nominally presents a low risk, when the consequences of a breach are of a certain proportion this should be addressed. I have searched around for guidance but found nothing I can apply except the following: adding this property to ssl_security.xml

<property>
<name>ssl.server.exclude.cipher.list</name>
<value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5|SSL_DH_anon_EXPORT_WITH_RC4_40_MD5|TLS_KRB5_EXPORT_WITH_RC4_40_SHA|TLS_KRB5_EXPORT_WITH_RC4_40_MD5</value>
<description>Optional. The weak security cipher suites that you want excluded
from SSL communication.</description>
</property>

However, there seems to be no mechanism by which I can apply this property. Please could someone advise on how we can effect this change?