adding ordered cipher list, stronger settings in generate-ssl-certs script, and hsts settings

jloveland · jloveland · commit 4949bdd9c3a8 · 2015-08-05T22:48:59.000-04:00
diff --git a/config/lib/express.js b/config/lib/express.js
@@ -136,10 +136,16 @@ module.exports.initModulesConfiguration = function (app, db) {
  */
 module.exports.initHelmetHeaders = function (app) {
   // Use helmet to secure Express headers
+  var SIX_MONTHS = 15778476000;
   app.use(helmet.xframe());
   app.use(helmet.xssFilter());
   app.use(helmet.nosniff());
   app.use(helmet.ienoopen());
+  app.use(helmet.hsts({
+      maxAge: SIX_MONTHS,
+      includeSubdomains: true,
+      force: true
+  }));
   app.disable('x-powered-by');
 };
 
diff --git a/config/lib/socket.io.js b/config/lib/socket.io.js
@@ -21,7 +21,34 @@ module.exports = function (app, db) {
     var certificate = fs.readFileSync('./config/sslcerts/cert.pem', 'utf8');
     var options = {
       key: privateKey,
-      cert: certificate
+      cert: certificate,
+      //  requestCert : true,
+      //  rejectUnauthorized : true,
+      secureProtocol: 'TLSv1_method',
+      ciphers: [
+        'ECDHE-RSA-AES128-GCM-SHA256',
+        'ECDHE-ECDSA-AES128-GCM-SHA256',
+        'ECDHE-RSA-AES256-GCM-SHA384',
+        'ECDHE-ECDSA-AES256-GCM-SHA384',
+        'DHE-RSA-AES128-GCM-SHA256',
+        'ECDHE-RSA-AES128-SHA256',
+        'DHE-RSA-AES128-SHA256',
+        'ECDHE-RSA-AES256-SHA384',
+        'DHE-RSA-AES256-SHA384',
+        'ECDHE-RSA-AES256-SHA256',
+        'DHE-RSA-AES256-SHA256',
+        'HIGH',
+        '!aNULL',
+        '!eNULL',
+        '!EXPORT',
+        '!DES',
+        '!RC4',
+        '!MD5',
+        '!PSK',
+        '!SRP',
+        '!CAMELLIA'
+      ].join(':'),
+      honorCipherOrder: true
     };
 
     // Create new HTTPS Server
diff --git a/scripts/generate-ssl-certs.sh b/scripts/generate-ssl-certs.sh
@@ -10,8 +10,8 @@ fi
 
 echo "Generating self-signed certificates..."
 mkdir -p ./config/sslcerts
-openssl genrsa -out ./config/sslcerts/key.pem 1024
+openssl genrsa -out ./config/sslcerts/key.pem 4096
 openssl req -new -key ./config/sslcerts/key.pem -out ./config/sslcerts/csr.pem
-openssl x509 -req -days 9999 -in ./config/sslcerts/csr.pem -signkey ./config/sslcerts/key.pem -out ./config/sslcerts/cert.pem
+openssl x509 -req -days 365 -in ./config/sslcerts/csr.pem -signkey ./config/sslcerts/key.pem -out ./config/sslcerts/cert.pem
 rm ./config/sslcerts/csr.pem
 chmod 600 ./config/sslcerts/key.pem ./config/sslcerts/cert.pem
