Wowza Community

Problem Streaming Over SSL

I have created a keystore for Wowza and configured Wowza for port 8443; however, I am not able to stream or connect from a browser to https://servername.domain.edu:8443. I have run ‘openssl s_client -connect servername.domain.edu:8443 -showcerts’ against the server at 8443 and I am receiving the certificate and chain. Below are the related log entries from startup.

2017-10-23	10:13:25	EDT	comment	vhost	INFO	200	_defaultVHost_	SSL ([any]:8443): keyStorePath:/usr/local/WowzaStreamingEngine/conf/video-stream.jks--	-	7.772	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	--	-	-	-	-
2017-10-23	10:13:25	EDT	comment	server	INFO	200	-	SSLInfo.CipherSuitesSupported: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_DH_anon_WITH_AES_128_GCM_SHA256,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_anon_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5	-	-	-	7.809	-	-	-	-	
--	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-
2017-10-23	10:13:25	EDT	comment	server	INFO	200	-	SSLInfo.CipherSuitesEnabled: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256	-	-	-	7.809	-	-	-	-	-	-	-	-	-	-	-	-	--	-	-	-	-	-	-	-	-	-	-	-
2017-10-23	10:13:25	EDT	comment	server	INFO	200	-	SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2	-	-	-	7.81	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	--	-	-
2017-10-23	10:13:25	EDT	comment	server	INFO	200	-	SSLInfo.ProtocolsEnabled: TLSv1.1,TLSv1.2	-	-	-	7.811	-	-	--	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-
2017-10-23	10:13:25	EDT	comment	vhost	INFO	200	_defaultVHost_	Bind attempt ([any]:8443:8)	-	-	-	7.811	-	-	-	--	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-	-
2017-10-23	10:13:25	EDT	comment	vhost	INFO	200	_defaultVHost_	Bind successful ([any]:8443)

Hello,

It looks like your SSL is starting and binding correctly. If you try to view the Wowza Streaming Engine Version info by browsing to https://servername.domain.edu:8443 do you get an error message that you can share?

Best regards,
Andrew

Yes, Firefox returns the following:

An error occurred during a connection to servername.domain.edu:8443. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

curl returns:

<html><head><title>Wowza Streaming Engine 4 Perpetual Edition 4.7.1 build20635</title></head><body>Wowza Streaming Engine 4 Perpetual Edition 4.7.1 build20635</body></html>

Hello,

Sounds like it might be an issue finding a compatible Cipher Suite/Protocol between the browser and WSE. The log entries above seem to indicate that this list of supported Cipher Suites/Protocols has been restricted from the default Java JRE supported set. You may want to try removing the CipherSuites and Protocols defined in your [wowza-install]/conf/VHost.xml file under the SSL HostPort as such:


This should allow all CipherSuites/Protocols supported by the Java JRE and may fix the issue.

Best regards,
Andrew

Thank you. Removing specific CipherSuite/Protocol entries worked.
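
The cipher mismatch discussed in this thread can be checked directly from the startup log. The following is an added example, not part of the original posts and not Wowza code: it parses the SSLInfo lines and compares them with a client's offered suites. The log is abridged from the thread, and the client offer list and the function names are constructed assumptions.

```python
import re

# Abridged from the startup log in the thread (supported list shortened).
LOG = "\n".join([
    "2017-10-23\t10:13:25\tEDT\tcomment\tserver\tINFO\t200\t-\tSSLInfo.CipherSuitesSupported: "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,"
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DH_anon_WITH_AES_128_GCM_SHA256,"
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_WITH_NULL_SHA256\t-\t-\t-\t7.809",
    "2017-10-23\t10:13:25\tEDT\tcomment\tserver\tINFO\t200\t-\tSSLInfo.CipherSuitesEnabled: "
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256\t-\t-\t-\t7.809",
])

# Constructed client offer (an assumption, not captured from any browser):
# a client that offers GCM and CBC-SHA suites but no CBC_SHA256 suites.
CLIENT_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Suites that should stay disabled even if the JRE supports them.
BROKEN = re.compile(r"_(NULL|anon|EXPORT|DES|3DES|RC4)_|_MD5$")

def ssl_info(log, key):
    """Return the comma-separated list logged as 'SSLInfo.<key>: ...'."""
    for line in log.splitlines():
        for field in line.split("\t"):
            if field.startswith(f"SSLInfo.{key}: "):
                return field.split(": ", 1)[1].split(",")
    return []

def diagnose(log, offer):
    """Return (suites negotiable now, supported suites worth enabling)."""
    enabled = ssl_info(log, "CipherSuitesEnabled")
    supported = ssl_info(log, "CipherSuitesSupported")
    shared = [s for s in offer if s in enabled]
    usable = [s for s in offer if s in supported and not BROKEN.search(s)]
    return shared, usable

if __name__ == "__main__":
    shared, usable = diagnose(LOG, CLIENT_OFFER)
    print("negotiable with current config:", shared or "none (no cipher overlap)")
    print("supported suites the client also offers:", usable)
```

An empty first list corresponds to the no-overlap handshake failure; the second list shows suites that could be added to the restricted CipherSuites list as an alternative to removing the restriction entirely.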