Improve SSL configuration for Wowza Streaming Engine

This article describes how to configure SSL-related properties, specifically the sslLogProtocolInfo, sslLogConnectionInfo, sslCipherSuites, and sslProtocols properties, in Wowza Streaming Engine™ media server software.

Before starting, make sure you've obtained or created an SSL certificate and modified the [install-dir]/conf/VHost.xml file to make port 443 use this certificate. For information, see Request an SSL certificate for Wowza Streaming Engine from a certificate authority.

Log SSL cipher and protocol information


The sslLogProtocolInfo property instructs Wowza Streaming Engine to log SSL cipher and protocol information on startup. This information helps build a list of ciphers and protocols for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters in the virtual host.

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Server Setup.
     
  2. In the Server Setup page, click the Properties tab and then click Custom in the Quick Links bar.
     
    Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.
  3. In the Custom area, click Edit.
     
  4. Click Add Custom Property, specify the following settings in the Add Custom Property dialog box, and then click Add:
     
    • Path - Select /Root/Server.
       
    • Name - Enter sslLogProtocolInfo.
       
    • Type - Select Boolean.
       
    • Value - Enter true.
  5. Click Save, and then restart the server to apply the changes.

Setting sslLogProtocolInfo to true yields log messages similar to the following:

SSLInfo.CipherSuitesSupported: TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_RC4_128_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_KRB5_EXPORT_WITH_RC4_40_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_anon_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_RC4_128_MD5,SSL_RSA_WITH_DES_CBC_SHA,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_RC4_128_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_RC4_40_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DHE_DSS_WITH_DES_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_KRB5_WITH_DES_CBC_SHA,SSL_RSA_WITH_NULL_MD5,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLInfo.CipherSuitesDefault: TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
SSLInfo.ProtocolsDefault: SSLv3,TLSv1

Where:
 
  • SSLInfo.CipherSuitesSupported is the full list of cipher suites supported by the Java VM.
     
  • SSLInfo.CipherSuitesDefault is the default list of cipher suites that will be used if the SSLConfig/CipherSuites property is empty.
     
  • SSLInfo.ProtocolsSupported is the full list of protocols supported by the Java VM.
     
  • SSLInfo.ProtocolsDefault is the default list of protocols that will be used if the SSLConfig/Protocols property is empty.
You can use these cipher suites and protocols to build your SSL encryption configuration.
 
Note: When inspecting SSL connection exchanges using Wireshark, Wowza Streaming Engine always shows the same list of 12 cipher suites, even if you've removed a particular cipher suite from the available cipher suites. Any removed cipher suites are not used during encryption negotiation.

Debug SSL connection filtering


The sslLogConnectionInfo property can be used to debug SSL connection filtering by instructing Wowza Streaming Engine to log SSL connection information (protocol and cipher suite) for each SSL/HTTPS connection.

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup.
     
  2. In the Virtual Host Setup page, click the Properties tab and then click Custom in the Quick Links bar.
     
    Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.
  3. In the Custom area, click Edit.
     
  4. Click Add Custom Property, specify the following settings in the Add Custom Property dialog box, and then click Add:
     
    • Path - Select /Root/VHost.
       
    • Name - Enter sslLogConnectionInfo.
       
    • Type - Select Boolean.
       
    • Value - Enter true.
  5. Click Save, and then restart the virtual host to apply the changes.

Setting sslLogConnectionInfo to true yields log messages similar to the following:

SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Modify your SSL configuration settings


Using the information obtained with the sslLogProtocolInfo and sslLogConnectionInfo properties described above, you can update your SSL configuration to allow only specified protocols and cipher suites. 

  1. Open [install-dir]/conf/VHost.xml in a text editor.
  2. Uncomment the <HostPort> section, and then modify the <CipherSuites> and <Protocols> properties to specify only those cipher suites and protocols you wish to allow.
  3. Save your changes and restart the virtual host so your changes take effect.
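The following Python script is an added example, not Wowza's own code, that ties the three sections above together: it parses the SSLInfo.* startup lines produced by sslLogProtocolInfo, narrows the JVM-supported lists to a hardened allow-list, checks the SSLHandler.connectionInfo lines produced by sslLogConnectionInfo against that allow-list, and renders the CipherSuites and Protocols elements for the HostPort SSLConfig. The sample log is constructed; the filter policy it applies (forward-secret AES suites, TLSv1.2 only) and the comma-separated element format, modelled on the log lists, are assumptions to adjust for your clients.

```python
import re

# Constructed sample log text, modelled on the SSLInfo/SSLHandler lines the
# article shows; shortened and not captured from a real server.
SAMPLE_LOG = """\
SSLInfo.CipherSuitesSupported: TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_RSA_WITH_AES_128_CBC_SHA
SSLInfo.CipherSuitesDefault: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_RC4_128_SHA
SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
SSLInfo.ProtocolsDefault: SSLv3,TLSv1
SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLHandler.connectionInfo: protocol:TLSv1 cipher:SSL_RSA_WITH_RC4_128_SHA
"""

# Reject unencrypted, unauthenticated, export-grade, RC4, (3)DES, MD5 and
# Kerberos suites; TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signal, not a cipher.
WEAK = re.compile(r"NULL|anon|EXPORT|RC4|DES|MD5|KRB5|SCSV")
# Keep only ephemeral (EC)DHE key exchange so sessions have forward secrecy.
FORWARD_SECRET = re.compile(r"^TLS_(ECDHE|DHE)_")
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_ssl_info(log):
    """Return {field: [values]} for every SSLInfo.* startup line in the log."""
    info = {}
    for m in re.finditer(r"^SSLInfo\.(\w+): (\S+)$", log, re.M):
        info[m.group(1)] = m.group(2).split(",")
    return info


def build_allowlist(info):
    """Narrow the JVM-supported lists to what the HostPort should accept."""
    suites = [s for s in info["CipherSuitesSupported"]
              if not WEAK.search(s) and FORWARD_SECRET.match(s)]
    protocols = [p for p in info["ProtocolsSupported"] if p not in LEGACY_PROTOCOLS]
    return suites, protocols


def audit_connections(log, suites, protocols):
    """(protocol, cipher) pairs from sslLogConnectionInfo lines outside the allow-list."""
    pattern = r"SSLHandler\.connectionInfo: protocol:(\S+) cipher:(\S+)"
    return [(p, c) for p, c in re.findall(pattern, log)
            if p not in protocols or c not in suites]


def render_vhost_filters(suites, protocols):
    """The two SSLConfig elements, comma-separated like the SSLInfo lists."""
    return ("<CipherSuites>%s</CipherSuites>" % ",".join(suites),
            "<Protocols>%s</Protocols>" % ",".join(protocols))
```

Re-run audit_connections over the access log after restarting the virtual host; any pair it reports means either a client is still negotiating outside policy or the filters did not take effect.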

More resources