Wowza Community

HLS and mpeg dash over SSL

Hi !

I’m not able to connect on my stream over a https.

I have installed a SSL, imported with keytool and modified the vhost.xml

The port 443 is listen, but I’m not able to see my stream. What I forgot ?

Thanks!

https://[DOMAINE]/live/sample1/playlist.m3u8

Default SSL Streaming

Streaming

${com.wowza.wms.TuningAuto}

*

443

${com.wowza.wms.context.VHostConfigHome}/conf/[DOMAIN].jks

agadou

JKS

TLS

SunX509

true

65000

65000

65000

true

100

cupertinostreaming,smoothstreaming,sanjosestreaming,dvrchunkstreaming,mpegdashstreaming

com.wowza.wms.http.HTTPCrossdomain

*crossdomain.xml

none

com.wowza.wms.http.HTTPClientAccessPolicy

*clientaccesspolicy.xml

none

com.wowza.wms.http.HTTPProviderMediaList

*jwplayer.rss|*jwplayer.smil|*medialist.smil|*manifest-rtmp.f4m

none

com.wowza.wms.http.HTTPServerVersion

*

none

What error are you getting when trying to playback the stream? Is there any error reported in wowza logs?

Restart Wowza and then copy the log lines that contain “SSL” (such as “defaultVHost SSL ([any]:443):” or “SSLInfo.CipherSuitesSupported:”, etc.).

Hello,

A common issue is a host.domain missmatch. Please ensure that your DNS entry used, for example video.mygreatmovie.com matches the CN=video.mygreatmovie.com on your certificate exactly or you may need a wildcard certificate for the domain if the certificate is shared among other hosts in the domain. Wowza Streaming Engine does not currently support Alternative Subject Name listings, so if you’re domain utilizes these for the hostname used, this won’t currently be recognized by Wowza Streaming Engine. Support for Subject Alternative Names is currently in our feature request backlog.

You can verify this information using something like ‘keytool -printcert -v -file video.mygreatmovie.crt’.

Best regards,

Andrew

You should get some error in your browser at least.

You should also see some log entry in wowza logs when you try to start playback. If nothing appears, it is usually related to SSL not properly configured (which doesn’t seem to be the case based on what you copied) or packets not arriving to the wowza server. Check if your firewall allows port 443 tcp. If it does, you can try to verify the packets are arriving with tcpdump or wireshark.

One more thing to try is to enable additional debugging - follow the “Debugging SSL connection filtering” section at this link: https://www.wowza.com/docs/how-to-improve-ssl-configuration

Inspect the logs again after applying these changes.

Try updating your browser to the newest version and/or installing a most recent version of some other browser, Chrome for example.

Are you using a self-signed certificate or an official one? If it is a self-signed, you need to install it as trusted in your client browser. It may also be wise to generate it again using some more up-to-date cyphers.

You can also take a look at these instructions:

https://support.mozilla.org/en-US/questions/974960

http://www.ryananddebi.com/2014/12/10/bypassing-the-ssl_error_no_cypher_overlap-error-in-firefox-34/

I don’t see error

2016-05-30 16:12:51 UTC comment vhost INFO 200 defaultVHost SSL ([any]:443): /usr/local/WowzaStreamingEngine/conf/[DOMAIN].jks - - - 2.887 - - - - - - - - - - - - - - - - - - - - - - - - -

2016-05-30 16:12:51 UTC comment server INFO 200 - SSLInfo.CipherSuitesSupported: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,TLS_DH_anon_WITH_AES_128_GCM_SHA256,TLS_DH_anon_WITH_AES_128_CBC_SHA256,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_DH_anon_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_ECDHE_ECDSA_WITH_NULL_SHA,TLS_ECDHE_RSA_WITH_NULL_SHA,SSL_RSA_WITH_NULL_SHA,TLS_ECDH_ECDSA_WITH_NULL_SHA,TLS_ECDH_RSA_WITH_NULL_SHA,TLS_ECDH_anon_WITH_NULL_SHA,SSL_RSA_WITH_NULL_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_DES_CBC_SHA,TLS_KRB5_WITH_DES_CBC_MD5,TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - - - 2.928 - - - - - - - - - - - - - - - - - - - - - - - - -

2016-05-30 16:12:51 UTC comment server INFO 200 - SSLInfo.CipherSuitesEnabled: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV - - - 2.928 - - - - - - - - - - - - - - - - - - - - - - - - -

2016-05-30 16:12:51 UTC comment server INFO 200 - SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2 - - - 2.928 - - - - - - - - - - - - - - - - - - - - - - - - -

2016-05-30 16:12:51 UTC comment server INFO 200 - SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2 - - - 2.928 - - - - - - - - - - - - - - - - - - - - - - - - -

2016-05-30 16:12:51 UTC comment vhost INFO 200 defaultVHost Bind attempt ([any]:443:4) - - - 2.929 - - - - - - - - - - - - - - - - - - - - - - - - -

2016-05-30 16:12:51 UTC comment vhost INFO 200 defaultVHost Bind successful ([any]:443) - - - 2.929 - - - - - - - - - - - - - - - - - - - - - - - - -

I don’t see any log of a connection to the wowza stream.

If I call the url in firefox, I get : SSL_ERROR_NO_CYPHER_OVERLAP

The firewall is open

With a wget, I get : OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure