Since it's was way more of a pain than it should be, I figured I'd brag a little bit.

Since Ubuntu 14.04 still ships with an ancient version of NodeJS, I had to compile my own version using the latest source (v0.13.0) in order to get ECC and perfect forward secrecy which was introduced in v0.12.

Then I used the following settings to order the cipher suites, blacklist some week algorithms (like md5, rc4, export ciphers, and null ciphers), and remove SSLv3:

var https_options = {
    'key': privateKey,
    'cert': certificate,
    'ca': ca_bundle,
    'secureProtocol': 'SSLv23_method',
    'secureOptions': constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2,
    'honorCipherOrder': true,
    'ciphers': [

Finally, I used Helmet to enable HSTS and a few other features it includes.

And the result of all this 😀🔑: