Thread: Cupertino on port 443... IP and certificate help

  1. #1

    To set Cupertino up on port 443, I understand it will need its own IP address. I asked my hosting company about setting this up.

    They replied: "You would have to move the wowza site to the new IP before we can proceed with the SSL certificate. SSL certificates are $99 /yr"

    What do they mean by "moving the wowza site to the new IP"?

    Also, I'm confused about them charging me for a certificate. Can't I make my own certificate, and if so, why would I need to pay them for one?

    Help is much appreciated!

  2. #2

    You mentioned Cupertino on port 443 and it needing its own IP address,
    If you have Wowza already that would be - [Wowza-IP]:[Port] (If you have configured it to use that port)

    Port 443 is the default for RTSP.

    Most users have Cupertino on the default port of 1935 giving a URL of,

    You also asked if you could make your own SSL certificates and the answer is no.

    Info on SSL was found through a quick Google search,

    As you are reading this article you will most likely be aware that SSL or Secure Socket Layer is a protocol used to encrypt data between the user’s web browser and the web server that it is communicating with. You will also know that a typical web user will very rarely trust their credit card, private personal or confidential business details without their browser session being protected by SSL and that all important gold padlock at the bottom of the browser status bar. But just what is SSL and why is it so important? This article attempts to explain without going into too much technical depth.

    Unencrypted web communication

    When a web browser or other web client initiates a normal HTTP session with a web server the information is sent in the form of “packets” of information. If an attacker has access to any of the many routers and networks between your PC and the web server they may be able to carry out what is known as “packet sniffing” (see for an in-depth explanation of packet sniffing). A computer that has been attacked and compromised or even a malicious insider at an ISP would allow this kind of attack. As these packets are in clear text it is a relatively trivial job for an experienced hacker to collect usernames, passwords, credit card details and business information. They can even inject their own packets into the return transmission, perhaps asking the web user for more information than they would normally divulge. Clearly, a more secure way of transmitting confidential data across what is a potentially insecure medium is needed.

    Using SSL

    In almost all cases the answer to the problem is encryption, a procedure that has been used for centuries to allow encoded information to be passed from one party to the other without a third party being able to interpret it. The Secure Socket Layer (SSL) was developed by Netscape to allow two machines encrypted, secured communications regardless of the number of network "hops" between them. The Internet Engineering Task Force (IETF) drafted a standard based on Netscape's SSL and the lesser-known Transport Layer Security (TLS). These protocols are supported by nearly every major web browser, web server, and email client.


  3. #3



    Thanks for the info and history lesson. Maybe I still am misunderstanding. I had started by reading this article:

    "Note: For delivery of the encryption key, it is best to configure a <HostPort> in [install-dir]/conf/VHost.xml that uses SSL encryption. This will protect the encryption key from being intercepted in transit. See the User's Guide for more information on SSL configuration"

    Isn't this recommending the use of port 443? If so, why would most people not set this up? Is it a bit overboard for general security?


  4. #4

    We've got Cupertino set up using the "internal-method" (SSL). The article has almost everything you'll need to get it working. Be sure to also read and use the "keytool" application to generate your certificate request. Unless you plan to self-sign your certificate, converting between Apache or other formats and the ones needed by Wowza with Java is a pain.

    I'd recommend that you use port 443 (https) as the article says. Your external users will most likely have port 443 already open and it's easier to explain to your friends in IT.

    Your corporate IT policy sounds somewhat restrictive. You'll only need a "domain validation certificate" so that your external users are assured that they are connecting to your server and traffic is encrypted. PositiveSSL sells single year certificates for $9/year (one year term) or $8/year (3 year term). Not as fancy as a Thawte certificate, but good enough. Namecheap is another inexpensive SSL option. Maybe your IT folks aren't comfortable with the discount providers.

    With a "domain validation certificate", you don't need to worry about the IP unless your IT needs to change the server name for the IP change. All that matters is that the names match. We don't put our Wowza server on the public side of our firewall since the security footprint is too large for our comfort level. We simply have another public IP address for our Wowza server. Our firewall redirects port 443 from this external address to the Wowza server on the internal network. That way, we can test and stage internally using the internal IP address, and then make the new content available externally when it's ready using stream aliases we share with our users.
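
Added example (not part of the original thread or of Wowza's documentation): the name check a TLS client applies to a server certificate, showing why the certificate described in post #4 is tied to the server name rather than to any IP address. The hostnames, addresses and certificate contents are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: names a domain-validated certificate might carry.
CERT = {"DNS": ["stream.example.com"], "IP": []}

def _dns_match(pattern: str, host: str) -> bool:
    """Compare one dNSName entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and must sit
        # above at least two further labels; partial wildcards never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def name_matches(cert_sans: dict, target: str) -> bool:
    """True if the host the client asked for is named in the certificate."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Client connected by name: only dNSName entries are considered.
        return any(_dns_match(p, target) for p in cert_sans.get("DNS", []))
    # Client connected by IP literal: only iPAddress entries are considered.
    return any(ipaddress.ip_address(s) == ip for s in cert_sans.get("IP", []))

def check_urls(cert_sans: dict, urls: list) -> dict:
    """Map each URL to the result of the name check for its host part."""
    return {u: name_matches(cert_sans, urlsplit(u).hostname) for u in urls}

if __name__ == "__main__":
    urls = [
        "https://stream.example.com/",   # by name, whatever IP it resolves to
        "https://203.0.113.10/",         # constructed external address
        "https://10.0.0.25/",            # constructed internal address
    ]
    for url, ok in check_urls(CERT, urls).items():
        print(f"{url:32} {'name matches' if ok else 'NAME MISMATCH'}")
```

The server's address can change, or sit behind a firewall redirect, without touching the certificate, as long as clients connect by the name it contains; a URL built from a bare IP address fails the check unless that address is listed in the certificate.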
