Thread: CipherSuites setting doesn't work?

  1. #1
    Join Date
    May 2012
    Posts
    3

    CipherSuites setting doesn't work?

    The new CipherSuites and Protocols settings don't seem to work. No matter what value I set in these config fields, the server seems to behave the same. This is tested with both 3.0.3 and 3.1.1.

    As mentioned on http://www.wowza.com/forums/showthre...-ciphers/page2, the poster didn't seem to be able to restrict the server from using certain ciphers. In my tests, I've set <CipherSuites>TLS_RSA_WITH_AES_128_CBC_SHA</CipherSuites>, but when analyzing the network traffic with Wireshark, the server still responds with Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (which is a different cipher). No matter what value I set, the server responds with the same cipher suite - similarly, no matter what value I set in <Protocols>, the server responds with TLS 1.0 (to this particular client). Even if I set invalid values, the server just behaves the same.

    Do these settings work at all? Is there any example config on how to set them for them to have any effect?

  2. #2

    We will look into it. It might take us some time to test this. What Java VM are you using (make and version)?

    Charlie

  3. #3
    Join Date
    May 2012
    Posts
    3

    I'm using Apple's latest JVM on OS X Snow Leopard, more details from the startup log:

    INFO server comment - OS Name: Mac OS X
    INFO server comment - OS Version: 10.6.8
    INFO server comment - OS Architecture: x86_64
    INFO server comment - Java Name: Java HotSpot(TM) 64-Bit Server VM
    INFO server comment - Java Vendor: Apple Inc.
    INFO server comment - Java Version: 1.6.0_31
    INFO server comment - Java VM Version: 20.6-b01-415
    INFO server comment - Java Spec Version: 1.6

  4. #4

    I found the problem. Will release a fix in the next day or so. It requires a bit of a write up. I added some additional debugging and information logging to help in setting up filtered SSL.

    Charlie

  5. #5

    Install this patch. It will fix a problem with SSLConfig/CipherSuites and SSLConfig/Protocols:

    WowzaMediaServer3.1.1-patch6.zip

    See this forum post that describes how to use a few new properties for debugging and configuring SSLConfig/CipherSuites and SSLConfig/Protocols:

    SSL configuration improvements in 3.1.106 or greater

    Charlie

  6. #6
    Join Date
    May 2012
    Posts
    3

    Thanks, this seems to fix the issue for me!

    // Martin

  7. #7
    Join Date
    Jan 2013
    Posts
    1

    Hi, we have Wowza Media Server 3 Perpetual Edition 3.0.2 build866.

    We are getting flagged by PCI: "Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security"

    3
    HIGH - key length larger than 128 bits
    MEDIUM - key length equal to 128 bits
    LOW - key length smaller than 128 bits
    Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.
    The following link provides more information about this vulnerability:
    Analysis of the SSL 3.0 protocol (http://www.schneier.com/paper-ssl-revised.pdf)
    Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations.
    IMPACT:
    An attacker can exploit this vulnerability to decrypt secure communications without authorization.
    SOLUTION:
    Disable support for LOW encryption ciphers.


    Here is what we have in vhosts.xml.

    <CipherSuites>SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA</CipherSuites>
    <Protocols>SSLv3</Protocols>


    Is the bug being discussed above impacting us? Do we have any patch for 3.0.3 which fixes the issue?

  8. #8
    Join Date
    Dec 2007
    Posts
    21,962

    Please try upgrading to 3.5 with this patch:

    http://www.wowza.com/downloads/Wowza....x.x-3.5.0.zip

    Make sure you review the files in the patch to be sure that none are overwriting files you have customized. If there are, you should use the new files and remake your configuration options.

    Richard
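
The check described in post #1 (comparing the cipher suite and protocol the server actually selects against the configured `<CipherSuites>` and `<Protocols>` values), which also answers post #7's question of whether a given install is affected, as an added example that is not part of the original thread or Wowza's code. The function names are hypothetical, the ServerHello bytes are constructed rather than captured, and `TLSv1` is assumed as the `<Protocols>` spelling for TLS 1.0 (the standard Java name).

```python
import struct

# IANA code points for the suites and protocol versions named in this thread.
SUITES = {
    0x0004: "RSA_WITH_RC4_128_MD5",
    0x0005: "RSA_WITH_RC4_128_SHA",
    0x002F: "RSA_WITH_AES_128_CBC_SHA",
    0x0033: "DHE_RSA_WITH_AES_128_CBC_SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1"}  # names as used in <Protocols>


def normalize(name):
    """Java names one suite SSL_... or TLS_...; compare without the prefix."""
    name = name.strip()
    return name[4:] if name[:4] in ("SSL_", "TLS_") else name


def parse_server_hello(record):
    """Return (protocol, suite) selected in one raw ServerHello record."""
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) < max(rec_len, 41) or body[0] != 2:
        raise ValueError("not a complete ServerHello handshake record")
    version = struct.unpack_from("!H", body, 4)[0]
    sid_len = body[38]  # follows type(1) + length(3) + version(2) + random(32)
    if len(body) < 41 + sid_len:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack_from("!H", body, 39 + sid_len)[0]
    return VERSIONS.get(version, hex(version)), SUITES.get(suite, hex(suite))


def check(record, cipher_suites, protocols):
    """List the ways the server's choice falls outside the configured values."""
    proto, suite = parse_server_hello(record)
    problems = []
    if suite not in {normalize(s) for s in cipher_suites.split(",")}:
        problems.append("suite %s not in CipherSuites" % suite)
    if proto not in {p.strip() for p in protocols.split(",")}:
        problems.append("protocol %s not in Protocols" % proto)
    return problems


def sample_hello(version, suite):
    """Constructed ServerHello (zero random, empty session id), not a capture."""
    body = struct.pack("!H", version) + bytes(32) + struct.pack("!BHB", 0, suite, 0)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs
```

To run it against a real server, pass the bytes of the server's first handshake record from a capture in place of `sample_hello(...)`; an empty list from `check` means the negotiated values match the configuration.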
