Difference between revisions of "Wowza SSL/TLS Security Settings"
IVSWikiBlue (talk | contribs) (Created page with "Wowza, disable TLS 1.0 and explicitly allow v1.1 and v1.2 In Vhost.xml file, <Protocols>TLSv1.1,TLSv1.2</Protocols> Cipher Suites: https://github.com/ssllabs/research/wiki/S...") |
IVSWikiBlue (talk | contribs) |
||
Line 1: | Line 1: | ||
− | + | # Connect to the server via ssh or access the shell via the console. | |
− | + | # Type in the following, and then press Enter: <pre>sudo nano /usr/local/WowzaStreamingEngine/conf/VHost.xml</pre> | |
+ | # Locate the line in the file under the SSL section (approximately line 83) <pre><Protocols></Protocols></pre> | ||
+ | # Change the line to:<pre><Protocols>TLSv1.2</Protocols></pre> | ||
+ | # Locate the line in the file under the SSL section (it should be right above the protocols line) <pre><CipherSuites></CipherSuites></pre> | ||
+ | # Change the line to:<pre><CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</CipherSuites></pre> | ||
+ | # Type '''CTRL-X''' and then press Enter to exit. | ||
+ | # Enter '''Y''' to save changes. | ||
+ | # Do not change the name and press Enter to save the changes. | ||
+ | # Type in the following, and then press Enter: <pre>sudo service WowzaStreamingEngine restart</pre> | ||
+ | You can verify the active ciphers by running the following command: | ||
− | + | <pre>nmap -sV --script ssl-enum-ciphers -p 444 <host></pre> | |
− | |||
− | < |
Revision as of 09:19, 26 June 2020
- Connect to the server via ssh or access the shell via the console.
- Type in the following, and then press Enter:
sudo nano /usr/local/WowzaStreamingEngine/conf/VHost.xml
- Locate the line in the file under the SSL section (approximately line 83)
<Protocols></Protocols>
- Change the line to:
<Protocols>TLSv1.2</Protocols>
- Locate the line in the file under the SSL section (it should be right above the protocols line)
<CipherSuites></CipherSuites>
- Change the line to:
<CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</CipherSuites>
- Type CTRL-X and then press Enter to exit.
- Enter Y to save changes.
- Do not change the name and press Enter to save the changes.
- Type in the following, and then press Enter:
sudo service WowzaStreamingEngine restart
You can verify the active ciphers by running the following command:
nmap -sV --script ssl-enum-ciphers -p 444 <host>