On Sunday 10 Mar 2013 04:10:24 Grant wrote:
> Thanks for the link. Which ssl_ciphers do you use? Which one does
> openssl show you're using? I have:
>
> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;
To see what openssl is configured to use try:
openssl ciphers
> and 'openssl s_client -host HOSTNAME -port 443' shows:
>
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> I also get "Verify return code: 20 (unable to get local issuer
> certificate)" from that command but I'm guessing that's OK since I get
> the same when using www.google.com as the HOSTNAME.
>
> - Grant
This means that s_client is not pointed to the correct CApath for your
machine, or that the server's CA certificate is not in the local CApath.
Try this first:
openssl s_client -CApath /etc/ssl/certs/ -host www.google.com -port 443
which should return something like:
Verify return code: 0 (ok)
If it still returns a code 20, then this would mean that the CA certificate
for Google is not in your /etc/ssl/certs/, or its hash value/symlink in there
is incorrect.
Run this to rehash all certificates in that directory:
c_rehash /etc/ssl/certs/
or
c_rehash /etc/ssl/certs/Equifax*
which is Google's root CA.
HTH.
--
Regards,
Mick
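
The hash links that c_rehash maintains in a CApath directory can be audited directly, which narrows down a "Verify return code: 20" before rehashing. The script below is an added example, not part of the original message; the function name check_capath and its OK/MISSING/UNREADABLE output format are made up for illustration, and it assumes the certificates are stored as *.pem or *.crt files.

```shell
#!/bin/sh
# check_capath DIR  (hypothetical helper, not an OpenSSL tool)
# For every *.pem / *.crt in DIR, compute the subject hash OpenSSL uses
# for CApath lookups and confirm that a <hash>.N link resolves to that file.
# Prints one status line per certificate; returns 0 only if all are linked.
check_capath() {
    dir=$1
    bad=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue          # unmatched glob or dangling link
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null)
        if [ -z "$hash" ]; then
            echo "UNREADABLE $cert"
            bad=1
            continue
        fi
        linked=no
        # Several CAs can share a subject hash, hence the .0, .1, ... suffix.
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] || continue      # missing or dangling symlink
            if cmp -s "$cert" "$link"; then
                linked=yes
                break
            fi
        done
        if [ "$linked" = yes ]; then
            echo "OK $hash $cert"
        else
            echo "MISSING $hash $cert"
            bad=1
        fi
    done
    return "$bad"
}

# Run against a directory given on the command line, e.g. /etc/ssl/certs/
if [ $# -gt 0 ]; then
    check_capath "$1"
fi
```

A MISSING line means s_client cannot find that CA through -CApath until the directory is rehashed. A bundle file such as ca-certificates.crt is read as its first certificate only.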

