From 4949bdd9c3a820dd78b03fbae89e3a1b7d936a63 Mon Sep 17 00:00:00 2001
From: jloveland
Date: Wed, 5 Aug 2015 22:48:59 -0400
Subject: [PATCH] adding ordered cipher list, stronger settings in generate-ssl-certs script, and hsts settings

---
 config/lib/express.js         |  6 ++++++
 config/lib/socket.io.js       | 29 ++++++++++++++++++++++++++++-
 scripts/generate-ssl-certs.sh |  4 ++--
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/config/lib/express.js b/config/lib/express.js
index 70b4e3e644..edd3e74459 100644
--- a/config/lib/express.js
+++ b/config/lib/express.js
@@ -136,10 +136,16 @@ module.exports.initModulesConfiguration = function (app, db) {
  */
 module.exports.initHelmetHeaders = function (app) {
   // Use helmet to secure Express headers
+  var SIX_MONTHS = 15778476000;
   app.use(helmet.xframe());
   app.use(helmet.xssFilter());
   app.use(helmet.nosniff());
   app.use(helmet.ienoopen());
+  app.use(helmet.hsts({
+    maxAge: SIX_MONTHS,
+    includeSubdomains: true,
+    force: true
+  }));
   app.disable('x-powered-by');
 };
 
diff --git a/config/lib/socket.io.js b/config/lib/socket.io.js
index e3e7659b6e..aa613c267c 100644
--- a/config/lib/socket.io.js
+++ b/config/lib/socket.io.js
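Review bot: `var SIX_MONTHS = 15778476000;` states no unit, and whether helmet's hsts `maxAge` is read as milliseconds or seconds depends on the helmet release the project pins, so a wrong guess here produces a max-age six months too long or far too short; suggest `var SIX_MONTHS = 15778476000; // milliseconds (~6 months); helmet derives the max-age directive from this — confirm unit against the pinned helmet version`. `force: true` makes helmet emit Strict-Transport-Security even on responses it does not see as TLS, which only matters behind a TLS-terminating proxy where `req.secure` is false (browsers ignore the header on plain-HTTP responses per RFC 6797), so a one-line comment naming that deployment case would explain why the flag is set. `includeSubdomains: true` also commits every subdomain of the host to HTTPS for the whole max-age, which deserves a comment so a later maintainer does not add a plain-HTTP subdomain by accident. The hunk shows initHelmetHeaders in full.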
@@ -21,7 +21,34 @@ module.exports = function (app, db) {
   var certificate = fs.readFileSync('./config/sslcerts/cert.pem', 'utf8');
   var options = {
     key: privateKey,
-    cert: certificate
+    cert: certificate,
+    // requestCert : true,
+    // rejectUnauthorized : true,
+    secureProtocol: 'TLSv1_method',
+    ciphers: [
+      'ECDHE-RSA-AES128-GCM-SHA256',
+      'ECDHE-ECDSA-AES128-GCM-SHA256',
+      'ECDHE-RSA-AES256-GCM-SHA384',
+      'ECDHE-ECDSA-AES256-GCM-SHA384',
+      'DHE-RSA-AES128-GCM-SHA256',
+      'ECDHE-RSA-AES128-SHA256',
+      'DHE-RSA-AES128-SHA256',
+      'ECDHE-RSA-AES256-SHA384',
+      'DHE-RSA-AES256-SHA384',
+      'ECDHE-RSA-AES256-SHA256',
+      'DHE-RSA-AES256-SHA256',
+      'HIGH',
+      '!aNULL',
+      '!eNULL',
+      '!EXPORT',
+      '!DES',
+      '!RC4',
+      '!MD5',
+      '!PSK',
+      '!SRP',
+      '!CAMELLIA'
+    ].join(':'),
+    honorCipherOrder: true
   };
 
   // Create new HTTPS Server
diff --git a/scripts/generate-ssl-certs.sh b/scripts/generate-ssl-certs.sh
index b9fd595829..ec78b44a46 100755
--- a/scripts/generate-ssl-certs.sh
+++ b/scripts/generate-ssl-certs.sh
@@ -10,8 +10,8 @@ fi
 
 echo "Generating self-signed certificates..."
 mkdir -p ./config/sslcerts
-openssl genrsa -out ./config/sslcerts/key.pem 1024
+openssl genrsa -out ./config/sslcerts/key.pem 4096
 openssl req -new -key ./config/sslcerts/key.pem -out ./config/sslcerts/csr.pem
-openssl x509 -req -days 9999 -in ./config/sslcerts/csr.pem -signkey ./config/sslcerts/key.pem -out ./config/sslcerts/cert.pem
+openssl x509 -req -days 365 -in ./config/sslcerts/csr.pem -signkey ./config/sslcerts/key.pem -out ./config/sslcerts/cert.pem
 rm ./config/sslcerts/csr.pem
 chmod 600 ./config/sslcerts/key.pem ./config/sslcerts/cert.pem
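Review bot: `secureProtocol: 'TLSv1_method'` pins this HTTPS listener to TLS 1.0 only — OpenSSL's TLSv1_method negotiates exactly that version — so the GCM and SHA256/SHA384 suites placed first in the new `ciphers` list are TLS 1.2-only and can never be selected, and clients that have dropped TLS 1.0 cannot connect at all, which is the opposite of the "stronger settings" the commit describes. The auto-negotiating method with the legacy versions masked is `secureProtocol: 'SSLv23_method',` plus `secureOptions: require('constants').SSL_OP_NO_SSLv2 | require('constants').SSL_OP_NO_SSLv3,` (the name is historical; it negotiates the highest TLS version both sides support), or `'TLSv1_2_method'` if TLS 1.1 clients need not be served. The two commented-out lines `// requestCert : true,` and `// rejectUnauthorized : true,` are dead configuration and should either be removed or carry a note saying client certificates are intentionally not requested. The enclosing `module.exports = function (app, db)` starts before the hunk and continues past it.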
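Review bot: the 4096-bit key written by `openssl genrsa -out ./config/sslcerts/key.pem 4096` is created under the caller's umask and stays that way through the interactive `openssl req` prompt until `chmod 600` runs four commands later, so with a common 022 umask the private key is world-readable for that whole window; put `umask 077` on the line before the genrsa call so the key is born mode 600. The shorter `-days 365` on the `openssl x509 -req` line is good, but that line still passes no digest, and on OpenSSL releases before 1.1.0 the default for `x509 -req` is SHA-1 (hedged — verify on the target OpenSSL), so `openssl x509 -req -sha256 -days 365 ...` would keep the certificate signature in line with the rest of the hardening. The hunk sits inside a flat script whose earlier `if`/`fi` block is outside the hunk.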