On Sun, Mar 10, 2013 at 9:40 AM, Grant <emailgrant@×××××.com> wrote:
>>> I can probably dump a lot of apache config. I still need SSL on both
>>> servers even though only nginx faces the user?
>>
>> You don't need SSL at both. Only nginx is enough.
>> But to ensure nginx performs well at SSL, follow this - http://matt.io/entry/ur
>
> Thanks for the link. Which ssl_ciphers do you use? Which one does
> openssl show you're using? I have:
>
> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;
>
> and 'openssl s_client -host HOSTNAME -port 443' shows:
>
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> I also get "Verify return code: 20 (unable to get local issuer
> certificate)" from that command but I'm guessing that's OK since I get
> the same when using www.google.com as the HOSTNAME.
>
> - Grant
>

I use exactly the one specified at the blog entry.
I didn't test it with openssl, but seemed to play well with browsers
[presently no ssl host on my server]

--
Nilesh Govindrajan
http://nileshgr.com
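
An added example, not part of either message or of the linked blog entry: a small shell helper that pulls the two fields discussed in the thread (negotiated cipher and verify return code) out of `openssl s_client` output and reports whether the chain verified and whether the key exchange is ephemeral. The sample output is constructed, and the `-CApath /etc/ssl/certs` location in the comment is an assumption that varies by system.

```shell
#!/bin/sh
# Added example. To capture real output (HOSTNAME is a placeholder):
#   openssl s_client -connect HOSTNAME:443 -CApath /etc/ssl/certs </dev/null
# -CApath gives s_client a trust store to verify the chain against.
# /etc/ssl/certs is an assumed location; it differs between systems.

# Constructed sample, shaped like the session block s_client prints.
sample_output() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Reads s_client output on stdin and prints one line:
#   cipher=<name> verify=<code> chain=<ok|unverified> fs=<yes|no>
# Exits non-zero if either field is missing from the input.
summarize_s_client() {
    awk '
        /^[ \t]*Cipher[ \t]*:/ { cipher = $NF }
        /Verify return code:/ {
            split($0, a, "Verify return code: ")
            split(a[2], b, " ")
            code = b[1]
        }
        END {
            if (cipher == "" || code == "") {
                print "error=incomplete-output"
                exit 1
            }
            # Code 0 is the only value that means the chain verified.
            chain = (code == "0") ? "ok" : "unverified"
            # ECDHE-/DHE- suites use ephemeral key exchange (forward secrecy);
            # TLS 1.3 suite names (TLS_...) always do.
            fs = (cipher ~ /^(ECDHE|DHE)-/ || cipher ~ /^TLS_/) ? "yes" : "no"
            printf "cipher=%s verify=%s chain=%s fs=%s\n", cipher, code, chain, fs
        }'
}

# Stand-alone run over the constructed sample.
sample_output | summarize_s_client
```

A `chain=unverified` result with code 20 means s_client could not find the issuer certificate in the trust store it was given, so the check is only meaningful when a CA path or file is supplied.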