Thread: TLS / SSL Renegotiation Vulnerability

  1. #1

    TLS / SSL Renegotiation Vulnerability

    Our firewall team performed a scan of our Wowza servers and informed us they are vulnerable to SSL/TLS renegotiation DoS attacks. See RFC 5746. We are running Wowza Media Server version 3.5.2. Is there a configuration change we can make or a patch available to limit the number of TLS renegotiation attempts?

  2. #2

    Holly,

    After looking into this, it appears as though this vulnerability is built into the TLS protocol and everyone is scrambling to come up with a long-term solution.
    In the meantime, it is suggested that you disable all renegotiation.

    Another item to check is to make sure you are using the minimum standard of 128 bits of encryption on your server.

    Salvadore

  3. #3

    Quote, originally posted by salvadore:
    > Holly,
    >
    > After looking into this, it appears as though this vulnerability is built into the TLS protocol and everyone is scrambling to come up with a long-term solution.
    > In the meantime, it is suggested that you disable all renegotiation.
    >
    > Another item to check is to make sure you are using the minimum standard of 128 bits of encryption on your server.
    >
    > Salvadore

    Thank you, Salvadore. Is it possible to disable renegotiation in Wowza (i.e. VHost.xml) or is this a firewall setting?

  4. #4

    Holly,
    First off, let me correct myself and say it is not suggested to disable all renegotiation, but it is mentioned as one of the very few options.

    Disabling renegotiation could very well cause your stream to be inaccessible to some of your users.

    But depending on your server configuration, there may be an available workaround, and the process of disabling is also dependent on your configuration.

    That is all I can come up with at this point. Maybe someone else can help with this, or you might open a support ticket by emailing support@wowza.com.

    Salvadore

  5. #5

    Has this been resolved in 4.x?

  6. #6

    Hi,
    There is no further update regarding this.

    Daren
