Sane https

.travis.yml

@@ -1,9 +1,11 @@
 language: node_js
 node_js:
-  - "0.8"
-  - "0.10"
+  - "iojs-v3"
+  - "iojs-v2"
+  - "iojs-v1"
   - "0.12"
-  - "iojs"
+  - "0.10"
+  - "0.8"
 before_install:
   - 'if [ "${TRAVIS_NODE_VERSION}" == "0.8" ] ; then npm install -g npm@2.7.0; fi'
 script:

README.md

@@ -57,6 +57,12 @@ The following properties can be provided as callback object:
 - **http**: A new HTTP server has been created.
 - **spdy**: A new SPDY server has been created.
 
+When creating a secure server, we will do our best to provide sane defaults that
+will protect your server against known secure server attacks such as POODLE, we
+also update the cipher list to prevent attacks such as heart bleed. This can be
+overridden by supplying your own `cypher`, `secureProtocol` and `secureOptions`
+keys as option.
+
 ## License
 
 MIT

index.js

@@ -24,29 +24,19 @@ function is(obj) {
  * @returns {Server} The created server.
  */
 function create(server, fn) {
-  var options;
+  var type = is(server)
+    , options;
 
-  switch (is(server)) {
-    case 'object':
-      options = server;
-    break;
-
-    case 'number':
-      options = { port: server };
-    break;
-
-    default:
-      options = {};
-    break;
-  }
+  if ('object' === type) options = server;
+  else if ('number' === type) options = { port: server };
+  else options = {};
 
   fn = create.fns(fn || options);
 
   var port = options.port || 443                // Force HTTPS by default.
     , certs = options.key && options.cert       // Check HTTPS certs.
-    , secure = certs || 443 === port            // Check for true HTTPS
-    , spdy = 'spdy' in options                  // Or are we spdy
-    , type;
+    , secure = certs || 443 === port            // Check for true HTTPS.
+    , spdy = 'spdy' in options;                 // Or are we spdy.
 
   //
   // Determine which type of server we need to create.
@@ -83,12 +73,46 @@ function create(server, fn) {
     });
   }
 
-  if ('http' === type) {
-    server = require('http').createServer();
-  } else {
-    server = require(type).createServer(options);
+  //
+  // Provide additional protection for HTTPS server by supplying a safer cypher
+  // set and prevent POODLE attacks on the servers.
+  //
+  if (secure) {
+    //
+    // Protection against POODLE attacks.
+    //
+    options.secureProtocol = options.secureProtocol || 'SSLv23_method';
+    options.secureOptions = options.secureOptions || require('constants').SSL_OP_NO_SSLv3;
+
+    //
+    // Optimized cipher list.
+    //
+    options.ciphers = options.ciphers || [
+      'ECDHE-RSA-AES256-SHA384',
+      'DHE-RSA-AES256-SHA384',
+      'ECDHE-RSA-AES256-SHA256',
+      'DHE-RSA-AES256-SHA256',
+      'ECDHE-RSA-AES128-SHA256',
+      'DHE-RSA-AES128-SHA256',
+      'HIGH',
+      '!aNULL',
+      '!eNULL',
+      '!EXPORT',
+      '!DES',
+      '!RC4',
+      '!MD5',
+      '!PSK',
+      '!SRP',
+      '!CAMELLIA'
+    ].join(':');
   }
 
+  //
+  // Create the correct server instance and pass in the options object for those
+  // who require it (spoiler: all non http servers).
+  //
+  server = require(type).createServer('http' !== type && options);
+
   //
   // Setup an addition redirect server which redirects people to the correct
   // HTTP or HTTPS server.

package.json

@@ -32,11 +32,11 @@
     "connected": "0.0.x"
   },
   "devDependencies": {
-    "assume": "1.1.x",
+    "assume": "1.2.x",
     "istanbul": "0.3.x",
-    "mocha": "2.1.x",
-    "pre-commit": "1.0.x",
-    "request": "2.53.x",
-    "spdy": "1.31.x"
+    "mocha": "2.2.x",
+    "pre-commit": "1.1.x",
+    "request": "2.61.x",
+    "spdy": "2.0.x"
   }
 }