How to improve SSL configuration

    This article describes how to configure SSL-related properties, including the SSLConfig/CipherSuites and SSLConfig/Protocols filters, used by Wowza Streaming Engine™ media server software.

    Contents

    Requirements
    Configuring SSL properties
    More resources

    Requirements

    To implement the property configuration instructions in this article, make sure you have:

    • Installed Wowza Streaming Engine software or Wowza Media Server™ software (version 3.2 or greater). If necessary, download or update to the latest version of Wowza Streaming Engine software from the Production Builds page.

    • Obtained or created an SSL certificate and modified the [install-dir]/conf/VHost.xml file to make port 443 use this certificate. For more information, see How to request an SSL certificate from a certificate authority.

    Configuring SSL properties

    Logging SSL cipher and protocol information

    The sslLogProtocolInfo property instructs the media server to log SSL cipher and protocol information on startup. This information helps build a list of ciphers and protocols for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters in the Virtual Host.

    Wowza Streaming Engine Manager configuration

    1. In Wowza Streaming Engine Manager, click the Server tab, and then click Server Setup.

    2. In the Server Setup page, click the Properties tab and then click Custom in the Quick Links bar.

      Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.

    3. In the Custom area, click Edit.

    4. Click Add Custom Property, specify the following settings in the Add Custom Property dialog box, and then click Add:

      • Path - Select /Root/Server.

      • Name - Enter sslLogProtocolInfo.

      • Type - Select Boolean.

      • Value - Enter true.

    5. Click Save, and then restart the server to apply the changes.

    XML configuration

    1. Use a text editor to open the [install-dir]/conf/Server.xml file and add the following property to the <Properties> container. Be sure to add the property to the correct <Properties> container in Server.xml, as there are several such containers in the file.

      <Property>
          <Name>sslLogProtocolInfo</Name>
          <Value>true</Value>
          <Type>Boolean</Type>
      </Property>

    2. Restart the Wowza media server software to apply the changes.

    Setting sslLogProtocolInfo to true yields log messages similar to the following:
    SSLInfo.CipherSuitesSupported: TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_RC4_128_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_KRB5_EXPORT_WITH_RC4_40_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_anon_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_RC4_128_MD5,SSL_RSA_WITH_DES_CBC_SHA,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_RC4_128_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_RC4_40_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_EXPORT_WITH_RC4_40_MD5,SSL_DHE_DSS_WITH_DES_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_KRB5_WITH_DES_CBC_SHA,SSL_RSA_WITH_NULL_MD5,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_DH_anon_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSLInfo.CipherSuitesDefault: TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
    SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
    SSLInfo.ProtocolsDefault: SSLv3,TLSv1
    Where:

    • SSLInfo.CipherSuitesSupported is the full list of cipher suites supported by the Java VM.

    • SSLInfo.CipherSuitesDefault is the default list of cipher suites that will be used if the SSLConfig/CipherSuites property is empty.

    • SSLInfo.ProtocolsSupported is the full list of protocols supported by the Java VM.

    • SSLInfo.ProtocolsDefault is the default list of protocols that will be used if the SSLConfig/Protocols property is empty.

    You can use these cipher suites and protocols to build your SSL encryption configuration.

    Note: When inspecting SSL connection exchanges using Wireshark, Wowza Streaming Engine always shows the same list of 12 cipher suites, even if you've removed a particular cipher suite from the available cipher suites. Any removed cipher suites are not used during encryption negotiation.

    Debugging SSL connection filtering

    The sslLogConnectionInfo property can be used to debug SSL connection filtering by instructing the media server to log SSL connection information (protocol and cipher suite) for each SSL/HTTPS connection.

    Wowza Streaming Engine Manager configuration

    1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup.

    2. In the Virtual Host Setup page, click the Properties tab and then click Custom in the Quick Links bar.

      Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.

    3. In the Custom area, click Edit.

    4. Click Add Custom Property, specify the following settings in the Add Custom Property dialog box, and then click Add:

      • Path - Select /Root/VHost.

      • Name - Enter sslLogConnectionInfo.

      • Type - Select Boolean.

      • Value - Enter true.

    5. Click Save, and then restart the virtual host to apply the changes.

    XML configuration

    1. In a text editor, open the [install-dir]/conf/[application]/VHost.xml file for your live application and add the following property to the <Properties> container at the bottom of the file.

      <Property>
          <Name>sslLogConnectionInfo</Name>
          <Value>true</Value>
          <Type>Boolean</Type>
      </Property>

    2. Restart the Wowza media server software to apply the changes.

    Setting sslLogConnectionInfo to true yields log messages similar to the following:
    SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
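    As an added example (not part of this article and not Wowza's own code), the following Python script turns the SSLInfo.* startup lines that sslLogProtocolInfo writes into values for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters, and checks the SSLHandler.connectionInfo lines that sslLogConnectionInfo writes against the same policy. The log lines embedded below are constructed and shortened, and the policy itself (keep only ECDHE/DHE AES suites, allow only TLSv1.1 and TLSv1.2) is this example's assumption, not a recommendation stated by the article.

```python
import re
# Constructed, shortened sample of the startup lines produced by sslLogProtocolInfo.
SAMPLE_STARTUP_LOG = """\
SSLInfo.CipherSuitesSupported: TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA256,SSL_RSA_EXPORT_WITH_RC4_40_MD5,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
"""
# Constructed sample of the per-connection lines produced by sslLogConnectionInfo.
SAMPLE_CONNECTION_LOG = [
    "SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "SSLHandler.connectionInfo: protocol:TLSv1 cipher:SSL_RSA_WITH_RC4_128_SHA",
]
# Example policy (this script's assumption, not the article's): forward-secret AES suites only,
# TLSv1.1 and TLSv1.2 only. The "DES" marker deliberately also matches 3DES suites.
WEAK_CIPHER_MARKERS = ("NULL", "anon", "EXPORT", "RC4", "DES", "MD5", "KRB5")
ALLOWED_PROTOCOLS = ("TLSv1.1", "TLSv1.2")

def is_strong_cipher(name):
    """True for ECDHE/DHE suites that carry none of the weak markers."""
    if any(marker in name for marker in WEAK_CIPHER_MARKERS):
        return False
    return name.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def parse_ssl_info(log_text):
    """Map each SSLInfo.<Key> startup line to its comma-separated list of values."""
    return {m.group(1): m.group(2).split(",")
            for m in re.finditer(r"SSLInfo\.(\w+):\s*(\S+)", log_text)}

def build_filters(log_text):
    """Return the values to paste into SSLConfig/CipherSuites and SSLConfig/Protocols."""
    info = parse_ssl_info(log_text)
    ciphers = [c for c in info.get("CipherSuitesSupported", []) if is_strong_cipher(c)]
    protocols = [p for p in info.get("ProtocolsSupported", []) if p in ALLOWED_PROTOCOLS]
    return {"CipherSuites": ",".join(ciphers), "Protocols": ",".join(protocols)}

CONNECTION_RE = re.compile(r"SSLHandler\.connectionInfo: protocol:(\S+) cipher:(\S+)")

def audit_connections(log_lines):
    """Return (protocol, cipher) for each logged connection that falls outside the policy."""
    flagged = []
    for line in log_lines:
        match = CONNECTION_RE.search(line)
        if match:
            protocol, cipher = match.groups()
            if protocol not in ALLOWED_PROTOCOLS or not is_strong_cipher(cipher):
                flagged.append((protocol, cipher))
    return flagged

if __name__ == "__main__":
    for key, value in build_filters(SAMPLE_STARTUP_LOG).items():
        print(f"<{key}>{value}</{key}>")  # goes into the HostPort SSLConfig in VHost.xml
    print("outside policy:", audit_connections(SAMPLE_CONNECTION_LOG))
```

    Run it against the real startup and connection lines from your own logs; any connection it flags after the filters are in place indicates a port that is not yet carrying the new SSLConfig.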

    More resources

    Originally published: 09-21-2015.