>> Thanks for the link. Which ssl_ciphers do you use? Which one does >> openssl show you're using? I have: >> >> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH; > > To see what openssl is configured to use try: > > openssl ciphers
Thank you but I'm most interested in the ciphers which nginx is configured to use over https. >> and 'openssl s_client -host HOSTNAME -port 443' shows: >> >> Cipher : ECDHE-RSA-AES256-GCM-SHA384 >> >> I also get "Verify return code: 20 (unable to get local issuer >> certificate)" from that command but I'm guessing that's OK since I get >> the same when using www.google.com as the HOSTNAME. >> > This means that s_client is not pointed to the correct CApath for your > machine, or that the server's CA certificate is not in the local CApath. > > Try this first: > > openssl s_client -CApath /etc/ssl/certs/ -host www.google.com -port 443 It works without error that way, thank you. - Grant
