Hi Alex,
So I get the exact same results as your example:
SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
This doesn’t however show which OpenSSL library is used and where this library is loaded from, so it’s not helpful in finding the culprit in the vulnerability chain here.
Our OS & Java version are up-to-date on a test server, but this machine still shows the alert (CVE-2014-0224 - OpenSSL Out of Order Change Cipher Spec MiTM Vulnerability), so this would indicate that Wowza somehow includes an OpenSSL binary?
To see if this issue is related to Wowza you can uninstall Wowza on the test server, and then run the security scan again and see if you get the same report.
If you do, then the issue is not related to Wowza.
Let us know what you find.
Regards,
Alex