On Sunday 10 Mar 2013 04:10:24 Grant wrote:

> Thanks for the link. Which ssl_ciphers do you use? Which one does
> openssl show you're using? I have:
>
> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!MEDIUM:!LOW:!EXP:!kEDH:RC4+RSA:+HIGH;

To see what openssl is configured to use try:

openssl ciphers

> and 'openssl s_client -host HOSTNAME -port 443' shows:
>
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> I also get "Verify return code: 20 (unable to get local issuer
> certificate)" from that command but I'm guessing that's OK since I get
> the same when using www.google.com as the HOSTNAME.
>
> - Grant

This means that s_client is not pointed to the correct CApath for your
machine, or that the server's CA certificate is not in the local CApath.

Try this first:

openssl s_client -CApath /etc/ssl/certs/ -host www.google.com -port 443

which should return something like:

Verify return code: 0 (ok)

If it still returns a code 20, then this would mean that the CA certificate
for Google is not in your /etc/ssl/certs/, or its hash value/symlink in there
is incorrect.

Run this to rehash all certificates in that directory:

c_rehash /etc/ssl/certs/

or

c_rehash /etc/ssl/certs/Equifax*

which is Google's root CA.

HTH.
--
Regards,
Mick
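The CApath lookup and rehash step described in the reply above, as an added shell example that is not part of the mail thread: it recreates the subject-hash symlinks that c_rehash makes, then verifies a leaf certificate against that directory, so the lookup fails before the rehash (the "code 20" situation) and succeeds after it. The CA and leaf are a constructed throwaway PKI; the only assumption is that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the mail thread: emulate the c_rehash step and the
# CApath lookup that produces "Verify return code: 20". Assumes the openssl CLI.
set -eu

# make_demo_chain DIR: constructed throwaway PKI, a CA plus one leaf it signs.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# rehash_capath DIR: what c_rehash does, in shell. OpenSSL's CApath lookup
# opens <subject-hash>.N, so each *.pem gets a symlink named that way.
rehash_capath() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        # like c_rehash, take the next free suffix when two subjects collide
        while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# verify_against_capath CERT DIR: the check s_client -CApath performs; exit
# status 0 when the issuer is found in DIR, non-zero (the code 20 case) otherwise.
verify_against_capath() {
    openssl verify -CApath "$2" "$1"
}

# "sh this.sh demo": CA file present but unhashed fails, rehashed succeeds.
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d); mkdir "$work/capath"
    make_demo_chain "$work"; cp "$work/ca.pem" "$work/capath/"
    verify_against_capath "$work/leaf.pem" "$work/capath" || echo "before rehash: issuer not found"
    rehash_capath "$work/capath"
    verify_against_capath "$work/leaf.pem" "$work/capath" && echo "after rehash: ok"
    rm -rf "$work"
fi
```

Dropping the CA file into the directory is not enough on its own; the symlink named after the subject hash is what the CApath lookup actually opens, which is why a missing or stale hash still yields code 20.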