From a49fac6cc89160878c552972d53463ec2a19d4c5 Mon Sep 17 00:00:00 2001
From: Josh Harvey
Date: Mon, 24 Oct 2016 19:44:50 +0300
Subject: [PATCH] WIPP

---
 certs.sh | 40 ++++++++++++++++++++++++++++++++++++++++
 lib/app.js | 5 +----
 lib/pair.js | 2 +-
 3 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 certs.sh

diff --git a/certs.sh b/certs.sh
new file mode 100644
index 00000000..2d7f0960
--- /dev/null
+++ b/certs.sh
@@ -0,0 +1,40 @@
+# make directories to work from
+mkdir -p certs
+
+# Create your very own Root Certificate Authority
+openssl genrsa \
+ -out certs/root-ca.key.pem \
+ 4096
+
+# Self-sign your Root Certificate Authority
+# Since this is private, the details can be as bogus as you like
+openssl req \
+ -x509 \
+ -new \
+ -nodes \
+ -key certs/root-ca.key.pem \
+ -days 3560 \
+ -out certs/root-ca.crt.pem \
+ -subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator CA/CN=lamassu-operator.is"
+
+# Create a Device Certificate for each domain,
+# such as example.com, *.example.com, awesome.example.com
+# NOTE: You MUST match CN to the domain name or ip address you want to use
+openssl genrsa \
+ -out certs/server.key.pem \
+ 4096
+
+# Create a request from your Device, which your Root CA will sign
+openssl req -new \
+ -key certs/server.key.pem \
+ -out certs/server.csr.pem \
+ -subj "/C=IS/ST=/L=Reykjavik/O=Lamassu Operator/CN=localhost"
+
+# Sign the request from Device with your Root CA
+openssl x509 \
+ -req -in certs/server.csr.pem \
+ -CA certs/root-ca.crt.pem \
+ -CAkey certs/root-ca.key.pem \
+ -CAcreateserial \
+ -out certs/server.crt.pem \
+ -days 3650
diff --git a/lib/app.js b/lib/app.js
index 5dc9503f..90bb18d5 100644
--- a/lib/app.js
+++ b/lib/app.js
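Review bot: Both private keys are written unencrypted under whatever umask the caller happens to have, so `certs/root-ca.key.pem` (the trust anchor that lib/pair.js now reads from the same directory) is typically readable by every local user once this script has run; put `umask 077` and `set -eu` at the top of the script, or `chmod 600` the two `.key.pem` files, and consider `-aes256` on the root key if it is not needed non-interactively. The server certificate is also issued for `-days 3650` while the root CA that signs it is valid for only `-days 3560`, so the leaf outlives its issuer — this looks like a transposed digit and the two values should be reconciled. The CSR hard-codes `CN=localhost` although the NOTE comment above it says the CN must match the deployed hostname, and the final `openssl x509 -req` passes no `-extfile`, so the issued leaf carries no subjectAltName or extendedKeyUsage; newer TLS clients tend to reject CN-only certificates, so either document that this is a development-only script or add an extensions file when signing.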
@@ -44,10 +44,7 @@ module.exports = function (options) {
 var serverOptions = {
 key: options.https.key,
 cert: options.https.cert,
- requestCert: true,
- secureProtocol: 'TLSv1_method',
- ciphers: 'AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH',
- honorCipherOrder: true
+ requestCert: true
 }
 server = https.createServer(serverOptions, app)
diff --git a/lib/pair.js b/lib/pair.js
index 9c92206c..90841d35 100644
--- a/lib/pair.js
+++ b/lib/pair.js
@@ -4,7 +4,7 @@ const pify = require('pify')
 const readFile = pify(fs.readFile)
 const db = require('./db')
-const CA_PATH = path.resolve(__dirname, '..', 'certs', 'ca-cert.pem')
+const CA_PATH = path.resolve(__dirname, '..', 'certs', 'root-ca.crt.pem')
 function pullToken (token) {
 const sql = `delete from pairing_tokens
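Review bot: `requestCert: true` is kept but `serverOptions` still has no `ca` entry in this hunk, so Node will verify any presented client certificate against its bundled public CA store rather than the operator CA this commit creates in certs.sh; a client certificate issued by `root-ca.crt.pem` will therefore fail verification (or, if `rejectUnauthorized` is switched off somewhere outside the hunk, be accepted without any check at all) unless `ca` is populated elsewhere. If client certificates are meant to chain to the operator CA, pass the trust anchor the same way the key and cert are passed, `requestCert: true,` / `rejectUnauthorized: true,` / `ca: options.https.ca`, and have the caller load `certs/root-ca.crt.pem` into `options.https.ca`. Dropping the `TLSv1_method` pin and the RC4-bearing cipher list is a clear improvement, but the server now falls back to Node's default protocol range, which includes TLS 1.0 on the Node releases of this era; where the runtime supports it, set a floor with `minVersion: 'TLSv1.2'` (or the equivalent `secureOptions` flags on older releases) so the old protocol is not silently re-enabled. The enclosing `module.exports = function (options)` begins before this hunk and continues after it.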