Following a recent "distribution policy : make .md5 optional" thread at
us...@infra.apache.org and looking at https://en.wikipedia.org/wiki/MD5
"Although MD5 was initially designed to be used as a cryptographic hash function <https://en.wikipedia.org/wiki/Cryptographic_hash_function>, it has
been found to suffer from extensive vulnerabilities. It can still be used as a checksum <https://en.wikipedia.org/wiki/Checksum> to verify data
integrity <https://en.wikipedia.org/wiki/Data_integrity>, but only against unintentional corruption."
I was wondering, so I checked, and we no longer use MD5 anywhere except for the last
usable ciphers in Catalina ofbiz-component.xml.
I copied that recently from  and read now at  that MD5 is still used,
though still almost at the end of the possible default ciphers.
I also read at  "HOW TO -- Disable weak ciphers in Tomcat 7 & 8" how to use
only ciphers that are reliable nowadays.
Maybe we could ask the Tomcat user ML for advice, but reading https://wiki.apache.org/tomcat/Security/Ciphers it seems it's a tradeoff and we will get the
same answer from the ML.
What are your opinions? Should we follow  suggestion or leave it as is OOTB and just warn users about that in a comment? Note that  is really
complete and interesting; MD5 as a cipher is not recommended there.
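
An added example, not part of the original message and not OFBiz or Tomcat code: a small audit that reads a `ciphers` property from a component file, flags suites such as the MD5-based ones mentioned above, and prints the reduced list. The XML layout, the sample suite list and the `WEAK_MARKERS` heuristics are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the real OFBiz file: the nested <property> layout and
# the suite list are assumptions made for this example.
SAMPLE_XML = """<ofbiz-component name="catalina">
  <container name="catalina-container">
    <property name="https-connector" value="connector">
      <property name="ciphers" value="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
          TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
          SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5"/>
    </property>
  </container>
</ofbiz-component>"""

# Substring of a JSSE suite name -> why this example treats it as weak.
WEAK_MARKERS = {
    "_MD5": "MD5 MAC",
    "_RC4_": "RC4 stream cipher",
    "_3DES_": "3DES (64-bit block)",
    "_DES_": "single DES",
    "_NULL_": "no encryption",
    "_EXPORT_": "export-grade key length",
    "_anon_": "unauthenticated key exchange",
}

def configured_ciphers(xml_text):
    """Return the suites from every <property name="ciphers" value="..."/>."""
    root = ET.fromstring(xml_text)
    suites = []
    for prop in root.iter("property"):
        if prop.get("name") == "ciphers":
            # Attribute newlines arrive as spaces; split on commas and trim.
            suites += [s.strip() for s in prop.get("value", "").split(",") if s.strip()]
    return suites

def audit(suites):
    """Split suites into (kept, flagged); flagged maps suite -> list of reasons."""
    kept, flagged = [], {}
    for suite in suites:
        reasons = [why for marker, why in WEAK_MARKERS.items() if marker in suite]
        if reasons:
            flagged[suite] = reasons
        else:
            kept.append(suite)
    return kept, flagged

if __name__ == "__main__":
    kept, flagged = audit(configured_ciphers(SAMPLE_XML))
    for suite, reasons in flagged.items():
        print(f"WEAK  {suite}: {', '.join(reasons)}")
    print('ciphers="' + ",".join(kept) + '"')
```

The marker list is name-based only; it does not check which suites the running JVM actually enables.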