From 1ad5cce51e32a59d2c7f35d6affb95a3db79a061 Mon Sep 17 00:00:00 2001 From: D3m0nKingx Date: Thu, 19 Jan 2017 21:45:40 -0500 Subject: [PATCH 1/4] Update HOWTO.md Modification on creating openssl self signed server certificate to generate RSA key in 4096 bits for improved defense against brute force attacks. Additionally, changed key/crt file names to identify with electrum-stratis-server in case the user creates them in a folder with other keys. --- HOWTO.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/HOWTO.md b/HOWTO.md index e9e6490a..d12bd235 100644 --- a/HOWTO.md +++ b/HOWTO.md @@ -237,8 +237,9 @@ Use the sample code below to create a self-signed cert with a recommended validi of 5 years. You may supply any information for your sign request to identify your server. They are not currently checked by the client except for the validity date. When asked for a challenge password just leave it empty and press enter. - - $ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 + + $ cd ~/stratis/electrum-stratis-server + $ openssl genrsa -des3 -passout pass:x -out server.pass.key 4096 $ openssl rsa -passin pass:x -in server.pass.key -out server.key writing RSA key $ rm server.pass.key @@ -251,7 +252,7 @@ When asked for a challenge password just leave it empty and press enter. A challenge password []: ... - $ openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt + $ openssl x509 -req -days 1825 -in server.csr -signkey electrum-stratis-server.key -out electrum-stratis-server.crt The server.crt file is your certificate suitable for the `ssl_certfile=` parameter and server.key corresponds to `ssl_keyfile=` in your Electrum server config. From c53c3df68a9f6342c0e72f7f8c593c11fd6739af Mon Sep 17 00:00:00 2001 
From: D3m0nKingx Date: Tue, 24 Jan 2017 18:50:04 -0500 Subject: [PATCH 2/4] Update HOWTO.md Improve Security of SSL Cert, change over to aes256 4096-bit encryption due to des3 being outdated: AES is the successor of DES as standard symmetric encryption algorithm for US federal organizations. AES uses keys of 128, 192 or 256 bits, although, 128 bit keys provide sufficient strength today. ... DES is the previous "data encryption standard" from the seventies. Its key size is too short for proper security. --- HOWTO.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/HOWTO.md b/HOWTO.md index d12bd235..67eef85f 100644 --- a/HOWTO.md +++ b/HOWTO.md @@ -238,12 +238,11 @@ of 5 years. You may supply any information for your sign request to identify you They are not currently checked by the client except for the validity date. When asked for a challenge password just leave it empty and press enter. - $ cd ~/stratis/electrum-stratis-server - $ openssl genrsa -des3 -passout pass:x -out server.pass.key 4096 - $ openssl rsa -passin pass:x -in server.pass.key -out server.key + $ cd ~/stratis/electrum-stratis-server + $ openssl genrsa -aes256 -passout pass:stratis -out server.key 4096 //generate rsa key with ae256 4096-bit encryption + $ openssl rsa -passin pass:stratis -in server.key -out server.key //strip key of password writing RSA key - $ rm server.pass.key - $ openssl req -new -key server.key -out server.csr + $ openssl req -new -key server.key -out server.csr //generate CSR ... Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:California From b74343f04c610cfe2e5f71e51d319341dd808399 Mon Sep 17 00:00:00 2001 
From: D3m0nKingx Date: Tue, 24 Jan 2017 18:53:54 -0500 Subject: [PATCH 3/4] Update SSL Instructions for improved security Improve SSL Certificate encryption to aes256, as des3 is old and insecure: AES is the successor of DES as standard symmetric encryption algorithm for US federal organizations. AES uses keys of 128, 192 or 256 bits, although, 128 bit keys provide sufficient strength today. ... DES is the previous "data encryption standard" from the seventies. Its key size is too short for proper security. --- HOWTO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOWTO.md b/HOWTO.md index 67eef85f..2f6d8fbc 100644 --- a/HOWTO.md +++ b/HOWTO.md @@ -248,7 +248,7 @@ When asked for a challenge password just leave it empty and press enter. State or Province Name (full name) [Some-State]:California Common Name (eg, YOUR name) []: electrum-server.tld ... - A challenge password []: + A challenge password []: // Leave Password blank ! ... $ openssl x509 -req -days 1825 -in server.csr -signkey electrum-stratis-server.key -out electrum-stratis-server.crt From 088e03181142cf9789210b4e4330834a6bc8e19b Mon Sep 17 00:00:00 2001 From: D3m0nKingx Date: Tue, 24 Jan 2017 18:57:24 -0500 Subject: [PATCH 4/4] Update HOWTO.md Improve SSL security switching des3 encryption over to aes256 4096-bit: AES is the successor of DES as standard symmetric encryption algorithm for US federal organizations. AES uses keys of 128, 192 or 256 bits, although, 128 bit keys provide sufficient strength today. ... DES is the previous "data encryption standard" from the seventies. Its key size is too short for proper security. --- HOWTO.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOWTO.md b/HOWTO.md index 2f6d8fbc..ccdb4f32 100644 --- a/HOWTO.md +++ b/HOWTO.md 
@@ -239,7 +239,7 @@ They are not currently checked by the client except for the validity date. When asked for a challenge password just leave it empty and press enter. $ cd ~/stratis/electrum-stratis-server - $ openssl genrsa -aes256 -passout pass:stratis -out server.key 4096 //generate rsa key with ae256 4096-bit encryption + $ openssl genrsa -aes256 -passout pass:stratis -out server.key 4096 //generate rsa key $ openssl rsa -passin pass:stratis -in server.key -out server.key //strip key of password writing RSA key $ openssl req -new -key server.key -out server.csr //generate CSR
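Review bot: In the first hunk of PATCH 1/4 (`@@ -237,8 +237,9 @@`), the added `$ cd ~/stratis/electrum-stratis-server` hard-codes a directory the guide never told the reader to create, so users who installed elsewhere get "No such file or directory" before the first openssl command runs. Either drop the line or phrase it as "change to the directory where you keep the server's key material". The bump to 4096 bits is fine, but the commit message's rationale should say it raises the cost of factoring the modulus rather than "brute force", which is not the attack an RSA key size defends against.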
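Review bot: The rename in the second hunk of PATCH 1/4 (`@@ -251,7 +252,7 @@`) is incomplete and breaks the procedure: `-signkey electrum-stratis-server.key -out electrum-stratis-server.crt` refers to a key file that nothing creates, because the first hunk still writes `server.key` and the CSR step still reads `-key server.key`, so the x509 command fails with a missing-file error. The unchanged sentence right below the hunk also still tells the reader that `server.crt` and `server.key` are the files for `ssl_certfile=` and `ssl_keyfile=`. Rename consistently in genrsa, rsa, req, x509 and that sentence, or keep the original names throughout.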
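Review bot: The trailing `//generate rsa key with ae256 4096-bit encryption` and `//strip key of password` comments in the PATCH 2/4 hunk (`@@ -238,12 +238,11 @@`) are not shell comments; anyone pasting the lines hands `//generate`, `rsa`, `key`, ... to openssl as extra arguments, which is rejected or misparsed depending on the OpenSSL version. Use `#` for comments in shell examples. Beyond that, the `-aes256` change buys nothing here: the passphrase is stripped on the very next line (`$ openssl rsa -passin pass:stratis -in server.key -out server.key`), so the PEM cipher protects a file that exists for one command, and the commit message's "aes256 4096-bit encryption" conflates the PEM passphrase cipher with the RSA modulus size; the TLS key strength comes from the 4096-bit RSA key, not from DES3 versus AES. Either generate the key unencrypted in one step (`openssl genrsa -out server.key 4096`) and say why, or keep the protected copy. Also avoid `-in server.key -out server.key` writing in place; the removed `server.pass.key` plus `rm` flow was safer, since a failure mid-command cannot leave a truncated key behind.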
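Review bot: The PATCH 3/4 hunk (`@@ -248,7 +248,7 @@`) edits a line that reproduces the interactive openssl prompt, so `A challenge password []: // Leave Password blank !` reads as if `// Leave Password blank !` were the value to type. The instruction already appears verbatim in the hunk's own context line ("When asked for a challenge password just leave it empty and press enter"); drop the inline note and leave the prompt transcript as captured.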
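Review bot: The PATCH 4/4 hunk (`@@ -239,7 +239,7 @@`) only trims the "ae256" typo out of the comment; the remaining `//generate rsa key` is still not a shell comment and will still be passed to openssl as arguments (see the PATCH 2/4 note), so switch it to `#` or move the explanation into the prose above the code block. Style point for the series: patches 2, 3 and 4 each amend the previous one and carry the same commit message body about AES and DES; squash them into one commit with a single accurate message before merging.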