Difference between revisions of "SUNScholar/Secure Internet Connections/S04"
Revision as of 21:31, 29 December 2014
Back to Secure Communications
Step 4. Setup Tomcat to use the SSL certs
Convert SSL cert to PKCS12
Convert the signed SSL certificate and its private key into a PKCS#12 keystore, the format Tomcat is configured to read below.
See: http://www.brandonchecketts.com/archives/convert-and-openssl-apache-ssl-certificate-to-a-pkcs12-tomcat
See: http://en.wikipedia.org/wiki/PKCS_12 for more info about the PKCS12 file.
To do this as the root user, change to the cert folder as follows:
cd /etc/ssl/certs
Type the following to create the PKCS12 keystore that is chained with the Symantec/Verisign intermediate CA certs mentioned above. Note that openssl pkcs12 keeps only the last -certfile option it is given, so the two CA files are first concatenated into a single chain file, which is then passed once:
cat ICA-3G5.pem PCA-3G5.pem > chain-3G5.pem
openssl pkcs12 -export -certfile chain-3G5.pem -in %hostname%.crt -inkey %hostname%.key -out %hostname%.pkcs12
- Replace %hostname% with the hostname of the server.
- You will be asked for a keystore password.
- Enter it and keep a careful record of it somewhere.
You can check the details of the PKCS12 cert by typing the following:
keytool -list -v -storetype pkcs12 -keystore %hostname%.pkcs12
See example below:
root@ir1:~# keytool -list -v -storetype pkcs12 -keystore /etc/ssl/certs/scholar.sun.ac.za.pkcs12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 2
Creation date: 09 Oct 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=scholar.sun.ac.za, OU=JS Gericke Library, O=Universiteit Stellenbosch, L=Stellenbosch, ST=WP, C=ZA
Issuer: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 6c6fa1e8a7629802a9ac207d1ece5d03
Valid from: Fri Sep 17 02:00:00 SAST 2010 until: Mon Nov 17 01:59:59 SAST 2014
Certificate fingerprints:
MD5: 43:1A:DB:8A:73:60:C2:3A:BB:8B:0B:99:86:C8:AB:9F
SHA1: A0:FD:54:76:4C:55:91:DC:1D:3A:FB:81:AB:95:BC:C3:97:CB:24:56
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com,
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://SVRSecure-G2-aia.verisign.com/SVRSecureG2.cer]
]
#3: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://SVRSecure-G2-crl.verisign.com/SVRSecureG2.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 risign.com/rpa
]] ]
]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#7: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03 A3 4A 65 90 48 B2 1C E0 ......A..Je.H...
0010: 57 2D 7D 47 W-.G
]
]
Certificate[2]:
Owner: CN=VeriSign Class 3 Secure Server CA - G2, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
Serial number: 6e4ffab3c5e669c4d167c992abe858c4
Valid from: Wed Mar 25 02:00:00 SAST 2009 until: Mon Mar 25 01:59:59 SAST 2019
Certificate fingerprints:
MD5: AE:0F:D7:09:45:EA:3C:10:60:B6:17:BC:8E:09:07:69
SHA1: 62:F3:C8:97:71:DA:4C:E0:1A:91:FC:13:E0:2B:60:57:B4:54:7A:1D
Signature algorithm name: SHA1withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A5 EF 0B 11 CE C0 41 03 A3 4A 65 90 48 B2 1C E0 ......A..Je.H...
0010: 57 2D 7D 47 W-.G
]
]
#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.verisign.com]
]
#5: ObjectId: 1.3.6.1.5.5.7.1.12 Criticality=false
#6: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.verisign.com/pca3-g2.crl]
]]
#7: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 63 70 73 risign.com/cps
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 1E 1A 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 0...https://www.
0010: 76 65 72 69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61 verisign.com/rpa
]] ]
]
#8: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US]
SerialNumber: [ 7dd9fe07 cfa81eb7 107967fb a78934c6]
]
#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=Class3CA2048-1-52
]
*******************************************
*******************************************
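The conversion and check above, run end to end against a throwaway certificate chain, as an added example that is not part of the original wiki page and not Tomcat's or OpenSSL's own code. It assumes openssl 1.1.1 or newer is installed; the CA names, the hostname scholar.example and the password are constructed stand-ins for PCA-3G5.pem, ICA-3G5.pem, %hostname% and the interactive password prompt. It goes one step beyond the page by exporting the bundle both ways, with -certfile given twice and with one concatenated chain file, and counts what is inside each with openssl pkcs12 -nokeys instead of keytool, so it also runs on a host without a JDK.

```shell
#!/bin/sh
# Added example, not from the SUNScholar page or the OpenSSL project: build a
# throwaway root -> intermediate -> server chain, bundle it into a PKCS#12
# keystore as Step 4 does, and check what actually ended up inside.
# The CA names, the hostname scholar.example and the password are constructed
# stand-ins for PCA-3G5.pem, ICA-3G5.pem, %hostname% and the keystore password.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="demo-keystore-password"   # constructed; on the real server it is typed at the prompt
cd "$WORK"

# Fresh 2048-bit RSA key plus a CSR for the given subject.
new_key_and_csr() { # $1=basename $2=subject
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Three-certificate test chain, with explicit extension files so the result
# does not depend on whatever openssl.cnf the host ships.
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA (stand-in for PCA-3G5.pem): self-signed
  new_key_and_csr root '/CN=Test Root CA'
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate CA (stand-in for ICA-3G5.pem): signed by the root
  new_key_and_csr ica '/CN=Test Intermediate CA'
  openssl x509 -req -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out ica.pem 2>/dev/null
  # Server certificate (stand-in for %hostname%.crt): signed by the intermediate
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:scholar.example\n' > server.ext
  new_key_and_csr server '/CN=scholar.example'
  openssl x509 -req -in server.csr -CA ica.pem -CAkey ica.key -CAcreateserial \
    -days 2 -sha256 -extfile server.ext -out server.crt 2>/dev/null
  # The chain must verify before it is worth bundling
  openssl verify -CAfile root.pem -untrusted ica.pem server.crt >/dev/null
}

# Number of certificates stored in a PKCS#12 file; this is what keytool reports
# as "Certificate chain length" for the private-key entry.
p12_cert_count() { # $1=pkcs12 file
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# The page's original form of the command: -certfile given twice. openssl keeps
# only the last -certfile, so the root is silently dropped from the bundle.
export_two_certfile() {
  openssl pkcs12 -export -certfile root.pem -certfile ica.pem \
    -in server.crt -inkey server.key -name tomcat \
    -passout "pass:$PASS" -out two-certfile.pkcs12
  p12_cert_count two-certfile.pkcs12
}

# Corrected form: intermediate and root concatenated into one chain file.
export_chainfile() {
  cat ica.pem root.pem > chain.pem
  openssl pkcs12 -export -certfile chain.pem \
    -in server.crt -inkey server.key -name tomcat \
    -passout "pass:$PASS" -out chain.pkcs12
  p12_cert_count chain.pkcs12
}

main() {
  make_test_chain
  echo "two -certfile options: $(export_two_certfile) certificate(s) in the bundle"
  echo "one chain file:        $(export_chainfile) certificate(s) in the bundle"
  echo "files left in $WORK"
}

main "$@"
```

The first count comes back as 2 (server certificate plus intermediate) and the second as 3; a two-entry bundle is consistent with the "Certificate chain length: 2" in the keytool listing above, and Tomcat serves exactly the chain that is in the bundle, nothing more. Running keytool -list -v -storetype pkcs12 -keystore on either .pkcs12 file shows the same counts from the Java side.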
Setup Tomcat "server.xml" to use the converted certificate
Now Tomcat has to be told where to find this keystore file. Edit the /etc/tomcat6/server.xml file as follows:
nano /etc/tomcat6/server.xml
Find the port 8443 connector section.
- Remove the comments surrounding the section.
- Change the listening port to 443.
- Add the following keystore settings.
keystoreFile="/etc/ssl/certs/%hostname%.pkcs12"
keystoreType="PKCS12"
keystorePass="%SecretPassword%" />
- Replace %SecretPassword% with the password you used when creating the keystore above.
- Replace %hostname% with the hostname used when creating the keystore above.
- Because this password sits in server.xml in clear text, keep server.xml and the .pkcs12 file readable only by root and the account Tomcat runs as.
NANO Editor Help
- CTL+O = Save the file and then press Enter
- CTL+X = Exit "nano"
- CTL+K = Delete line
- CTL+U = Undelete line
- CTL+W = Search for %%string%%
- CTL+\ = Search for %%string%% and replace with $$string$$
- CTL+C = Show line numbers
More info: http://en.wikipedia.org/wiki/Nano_(text_editor)
Example "server.xml" secure settings
See the full example below, using a local PKCS12 keystore file with the password embedded. Note that "#" does not start a comment inside an XML tag: the placeholder ciphers line must be deleted, or replaced with a real ciphers attribute, before Tomcat can parse server.xml.
<Connector port="443" protocol="HTTP/1.1"
enableLookups="false"
maxThreads="150"
URIEncoding="UTF-8"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false"
sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
# ciphers="<<To enable, See SSL Ciphers Note below then remove the # and replace this text with the cipher list you choose>>"
keystoreFile="/etc/ssl/certs/scholar.sun.ac.za.pkcs12"
keystoreType="PKCS12"
keystorePass="%SecretPassword%" />
SSL Ciphers Note:
- TLSv1.2 is only available when using JDK 7 and higher.
- For Tomcat7 change "sslProtocols" to "sslEnabledProtocols".
- For more detail about what cipher suite to use, check: https://wiki.mozilla.org/Security/Server_Side_TLS and https://bettercrypto.org.
- To see what ciphers will be used, install sslscan and scan using sslscan --no-failed localhost:443.
- See the links below for help about Tomcat cipher setup:
- https://en.wikipedia.org/wiki/Cipher
- https://en.wikipedia.org/wiki/Cipher_suite
- https://en.wikipedia.org/wiki/Cryptography
- https://en.wikipedia.org/wiki/Public-key_cryptography
- https://en.wikipedia.org/wiki/Transport_Layer_Security
- https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
- https://wiki.apache.org/tomcat/HowTo/SSLCiphers
- https://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
- https://blog.eveoh.nl/2014/02/tls-ssl-ciphers-pfs-tomcat
- https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html
- http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
- https://confluence.atlassian.com/display/JIRAKB/Default+SSL+ciphers+too+weak