Wowza Community

how to secure the ciphers?

Hi Guys,

Is there any help regarding securing the ciphers, since Wowza uses its own version of SSL?

Actually, we have a security requirement wherein we need to disable the low encryption ciphers.

Thanks,

Kunal

Kunal,

Wowza uses RTMPE, and I don’t think there is any way to configure a lower encryption level. You can use SSL with Wowza, but there is not a Wowza SSL, so you can use whatever level you want.

Richard

I do not know of any way to do this. We are using the Java SSL implementation. I do not know if this is possible.

Charlie

Take a look at this article to see if it helps:

http://download.oracle.com/docs/cd/E19566-01/819-4428/bgbbj/index.html

It seems to suggest that you might be able to modify your SSL cert to only allow certain ciphers.

Again, we don’t have any experience with selecting SSL ciphers.

Charlie

Is this the list you are interested in trimming?

ciperSuites[0]: SSL_RSA_WITH_RC4_128_MD5
ciperSuites[1]: SSL_RSA_WITH_RC4_128_SHA
ciperSuites[2]: TLS_RSA_WITH_AES_128_CBC_SHA
ciperSuites[3]: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
ciperSuites[4]: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
ciperSuites[5]: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ciperSuites[6]: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
ciperSuites[7]: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
ciperSuites[8]: SSL_RSA_WITH_DES_CBC_SHA
ciperSuites[9]: SSL_DHE_RSA_WITH_DES_CBC_SHA
ciperSuites[10]: SSL_DHE_DSS_WITH_DES_CBC_SHA
ciperSuites[11]: SSL_RSA_EXPORT_WITH_RC4_40_MD5
ciperSuites[12]: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
ciperSuites[13]: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
ciperSuites[14]: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
ciperSuites[15]: TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Charlie

This will be addressed in Wowza Server 3. We are adding new CipherSuites and Protocols elements to the SSLConfig element in [install-dir]/conf/VHost.xml.

Charlie

I have added this to Wowza Media Server 3 Preview 2 Patch 5:

WowzaMediaServer3.0.0-preview2-patch5.zip

On Windows when using Java 6 the default CipherSuites and Protocols values are:

<CipherSuites>SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV</CipherSuites>
<Protocols>SSLv2Hello,SSLv3,TLSv1</Protocols>

Charlie
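The default list Charlie quotes above contains the export, single-DES, RC4 and MD5 suites that a scanner reports as "low" ciphers. The script below, an added example written for this thread and not Wowza's own code, takes those default CipherSuites and Protocols values, drops the suites that match weak-cipher patterns (the patterns are my own choice of what counts as "low"; the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling value is deliberately kept), and prints the hardened elements in the form VHost.xml expects. The optional drop_3des flag is an assumption for stricter scans; the thread itself does not ask for it.

```python
import re

# The Wowza 3 / Java 6 defaults quoted in the thread (Windows).
DEFAULT_CIPHER_SUITES = (
    "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
    "SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,"
    "SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,"
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,"
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
)
DEFAULT_PROTOCOLS = "SSLv2Hello,SSLv3,TLSv1"

# Assumed definition of a "low" suite: anything a scanner of that era flags.
# Note "_WITH_DES_" matches single DES only; 3DES suites read "_WITH_3DES_".
WEAK_SUITE_PATTERNS = [
    re.compile(r"_EXPORT_"),     # 40-bit export-grade suites
    re.compile(r"_WITH_DES_"),   # 56-bit single DES
    re.compile(r"_RC4_"),        # RC4 stream cipher
    re.compile(r"_MD5$"),        # MD5-based MAC
    re.compile(r"_NULL_|_anon_"),  # no encryption / no authentication
]

# Signalling values are not ciphers and must survive the filter.
SIGNALLING_VALUES = {"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}


def split_list(value):
    """Split a comma-separated VHost.xml element value into clean names."""
    return [s.strip() for s in value.split(",") if s.strip()]


def is_weak_suite(name, drop_3des=False):
    """True if the JSSE suite name should be removed from CipherSuites."""
    if name in SIGNALLING_VALUES:
        return False
    if drop_3des and "_3DES_" in name:
        return True
    return any(p.search(name) for p in WEAK_SUITE_PATTERNS)


def harden_cipher_suites(value, drop_3des=False):
    """Return the configured suites with the weak ones removed, order kept."""
    return [s for s in split_list(value) if not is_weak_suite(s, drop_3des)]


def harden_protocols(value):
    """Drop SSLv3 and the SSLv2-style hello; this rejects very old clients."""
    return [p for p in split_list(value) if p not in ("SSLv2Hello", "SSLv3")]


def render_ssl_config(suites, protocols):
    """Render the two elements exactly as they appear inside <SSLConfig>."""
    return ("<CipherSuites>%s</CipherSuites>\n<Protocols>%s</Protocols>"
            % (",".join(suites), ",".join(protocols)))


if __name__ == "__main__":
    suites = harden_cipher_suites(DEFAULT_CIPHER_SUITES)
    protocols = harden_protocols(DEFAULT_PROTOCOLS)
    print(render_ssl_config(suites, protocols))
```

Paste the printed elements into the SSLConfig element of VHost.xml and restart the server; the remaining list is AES-128 and 3DES with RSA, DHE-RSA and DHE-DSS key exchange, plus the renegotiation SCSV. Java will only negotiate suites that are both in this list and supported by the JRE, so a name the JRE does not know is silently ignored rather than enabled.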


It is included in base Wowza Media Server 3. So no need for a patch.

Charlie

We do not plan to add this to Wowza 2.2.4.

Charlie

Install this patch. It will fix a problem with SSLConfig/CipherSuites and SSLConfig/Protocols:

WowzaMediaServer3.1.1-patch6.zip

See this forum post that describes how to use a few new properties for debugging and configuring SSLConfig/CipherSuites and SSLConfig/Protocols:

SSL configuration improvements in 3.1.106 or greater

Charlie

Hi Richard,

We are using SSL with Wowza and want to implement something like the line below, as we do for Apache in the ssl.conf file.

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I am not able to find such a config file inside Wowza. Do you know where we need to put the above statement inside the Wowza folder?

Thanks,

Kunal

Thanks, Charlie. Just to clarify, our corporate scan team ran a Qualys scan against our Wowza servers and we were dinged for allowing low encryption ciphers. Per their recommendation, we should only be allowing high ciphers. Please confirm that this is not possible. (Security is at the front of everyone’s mind here due to recent events). Thanks again

Kunal

Charlie, is there a patch on this for the 2.2.4 version too?

got it.

Our company will not allow us to upgrade to version 3 yet, so is there a possibility that we can have this as a patch for version 2.2.4?

Our security team is reporting that our Wowza SSL listener is still accepting the low key ciphers.

It appears handshakes are successfully being exchanged using Cipher EDH-RSA-DES-CBC-SHA and TLSv1 protocol, even though the VHost.xml is configured to allow only high key cipher.

Anyone had success in getting the Qualys scan through with only high key ciphers?
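The finding above is reported in OpenSSL naming (EDH-RSA-DES-CBC-SHA) while VHost.xml uses the JSSE names, so the first thing to check is whether the suite the scanner negotiated is actually still in the configured CipherSuites list or whether the list is not being applied at all (which is the SSLConfig/CipherSuites problem the 3.1.1 patch 6 post refers to). The script below is an added example, not part of this thread or of Wowza: the OpenSSL-to-JSSE table covers only the sixteen suites quoted earlier in the thread and is constructed here by hand, and the sample configured lists are made up for the demonstration.

```python
# OpenSSL cipher names (as printed by scanners and openssl s_client) mapped to
# the JSSE names used in <CipherSuites>. Constructed here for the suites the
# thread lists; extend it for any other suite your JRE supports.
OPENSSL_TO_JSSE = {
    "RC4-MD5": "SSL_RSA_WITH_RC4_128_MD5",
    "RC4-SHA": "SSL_RSA_WITH_RC4_128_SHA",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-DSS-AES128-SHA": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "EDH-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "EDH-DSS-DES-CBC3-SHA": "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "DES-CBC-SHA": "SSL_RSA_WITH_DES_CBC_SHA",
    "EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "EDH-DSS-DES-CBC-SHA": "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "EXP-RC4-MD5": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "EXP-DES-CBC-SHA": "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-EDH-DSS-DES-CBC-SHA": "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
}

# Constructed sample: a hardened <CipherSuites> value that omits single DES.
HARDENED_SUITES = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,"
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
)


def triage_scan_finding(openssl_name, configured_suites_value):
    """Classify a negotiated cipher reported by a scanner.

    Returns (status, message) where status is one of:
      UNKNOWN        the OpenSSL name is not in the table above
      IN_CONFIG      VHost.xml still allows it; edit CipherSuites
      NOT_IN_CONFIG  the server negotiated a suite outside the configured
                     list, so the CipherSuites element is not being applied
    """
    jsse = OPENSSL_TO_JSSE.get(openssl_name)
    if jsse is None:
        return "UNKNOWN", "no JSSE mapping for %s; extend the table" % openssl_name
    configured = [s.strip() for s in configured_suites_value.split(",") if s.strip()]
    if jsse in configured:
        return "IN_CONFIG", "%s (%s) is still listed in CipherSuites" % (openssl_name, jsse)
    return "NOT_IN_CONFIG", ("%s (%s) is not in CipherSuites; the SSLConfig "
                             "setting is not taking effect on the running server"
                             % (openssl_name, jsse))


if __name__ == "__main__":
    # The exact finding from the thread, checked against the hardened list.
    print(triage_scan_finding("EDH-RSA-DES-CBC-SHA", HARDENED_SUITES))
```

A NOT_IN_CONFIG result for a suite you removed means the running server is ignoring the element (wrong file, old version without SSLConfig support, or the bug fixed in the 3.1.1 patch 6 above), not that the list is wrong. To reproduce the scanner's result yourself, `openssl s_client -connect host:port -cipher EDH-RSA-DES-CBC-SHA` against your own listener shows whether that single suite still completes a handshake after the restart.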

Just to confirm, all SSL ciphers would be available for use in versions of Wowza previous to version 3? There is no other workaround in Wowza 2 to only make strong ciphers available?