This article provides an overview of how to use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols with Wowza Streaming Engine™ media server software.
SSL and TLS are security protocols for establishing secure network connections between two systems, for example, Wowza Streaming Engine and a video player.
The secure connection is established via what is commonly called the SSL/TLS handshake. During the handshake, information is exchanged between the server and client to confirm the authenticity of the server’s SSL/TLS certificate. If the server passes the test, an agreement is made regarding how the site content will be encrypted.
Note: The terms SSL and TLS are often used interchangeably. SSL was developed by Netscape in 1995. Due to security concerns, it received a much-needed makeover by the Internet Engineering Task Force (IETF) in 1999. The IETF standardized the protocol and changed the name from SSL to TLS.
Installing SSL/TLS certificates
An SSL/TLS certificate is a file that’s stored on the origin server of the site you're visiting. When you navigate to an HTTPS website, the SSL/TLS certificate verifies that your browser is communicating with the server that owns the website domain. Each certificate contains information such as:
- The domain name for which the certificate was issued
- The person, organization, or device to whom it was issued
- The Certificate Authority that issued it
- The Certificate Authority’s digital signature
- Any associated subdomains
- The issue date of the certificate
- The expiration date of the certificate
- The public key
SSL/TLS certificates should be installed on the Wowza Streaming Engine server. To install a certificate, do one of the following:
- Request a Wowza StreamLock certificate – Wowza StreamLock™ service is a security option for network encryption that provides near-instant provisioning of free 2048-bit SSL/TLS certificates for use with Wowza Streaming Engine. For more information, see Get SSL/TLS certificates from the Wowza Streaming Engine StreamLock service.
Note: Wowza StreamLock certificates are available for Wowza Streaming Engine licenses with active maintenance and support, including trial licenses.
- Request a certificate from a third-party certificate authority – SSL/TLS certificates can also be obtained from a third-party certificate authority. To request a certificate, use the keytool utility that comes with the Java JRE that installs with Wowza Streaming Engine to create a keystore and certificate signing request. After you receive the certificate, import it into the keystore. For more information, see Request an SSL certificate for Wowza Streaming Engine from a certificate authority.
- Import an existing SSL/TLS certificate – If you already have an SSL/TLS certificate, you can use the keytool utility to import it into the keystore. For more information, see Import an existing SSL certificate and private key for Wowza Streaming Engine.
- Generate a self-signed certificate – Another option is to generate a self-signed SSL/TLS certificate using your own method and keys for encryption. For more information, see Create a self-signed SSL certificate for Wowza Streaming Engine.
Note: Self-signed certificates are considered untrustworthy by most browsers. We recommend using a signed certificate from Wowza or another trusted certificate authority.
SSL/TLS and Wowza Streaming Engine
Wowza Streaming Engine supports SSL and some versions of TLS for secure publish and playback of streams over HTTPS (HTTP over SSL/TLS), RTMPS (RTMP over SSL/TLS), encrypted RTMP (RTMPE), RTSPS (RTSP over SSL/TLS), WOWZS (WOWZ over SSL/TLS), and WSS (WebSocket Secure).
Note: SSL/TLS only protects streams during transit. For additional security, we recommend using SecureToken for playback protection. For more information, see Protect streaming using SecureToken in Wowza Streaming Engine.
SSL/TLS can also be configured for use with Wowza Streaming Engine as follows:
- Live stream repeaters – Enable RTMPS and WOWZS connections in a live stream repeater (origin/edge) configuration. For more information, see Configure a live stream repeater in Wowza Streaming Engine.
- Facebook Live – RTMPS is required when streaming to Facebook Live. For more information, see Stream to Facebook Live using Wowza Streaming Engine.
- JConsole – Use SSL/TLS to monitor Wowza Streaming Engine from a remote computer. For more information, see Use JConsole with Wowza Streaming Engine.
- Low-Latency HLS (LL-HLS) – SSL/TLS is required for LL-HLS playback. For more information, see Deliver Low-Latency HLS live streams using Wowza Streaming Engine.
- Media Cache – Enable HTTPS connections to Media Cache HTTP sources. For more information, see Scale video-on-demand streaming with Wowza Streaming Engine Media Cache.
- REST API – Use SSL/TLS to send HTTPS requests to the Wowza Streaming Engine REST API. For more information about the REST API, see Query the Wowza Streaming Engine REST API.
- WebRTC – SSL/TLS is required for WebRTC publishing and playback. For more information, see WebRTC workflows in Wowza Streaming Engine.
- Wowza Streaming Engine Manager – Enable HTTPS connections to Wowza Streaming Engine Manager (version 4.7.3 and later). For more information, see Connect to Wowza Streaming Engine Manager over HTTPS.