Difference between revisions of "Wowza SSL/TLS Security Settings"

From IVS Wiki
Jump to: navigation, search
(Created page with "Wowza, disable TLS 1.0 and explicitly allow v1.1 and v1.2 In Vhost.xml file, <Protocols>TLSv1.1,TLSv1.2</Protocols> Cipher Suites: https://github.com/ssllabs/research/wiki/S...")
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
Wowza, disable TLS 1.0 and explicitly allow v1.1 and v1.2
+
# Connect to the server via ssh or access the shell via the console.
In Vhost.xml file, <Protocols>TLSv1.1,TLSv1.2</Protocols>
+
# Type in the following, and then press Enter: <pre>sudo nano /usr/local/WowzaStreamingEngine/conf/VHost.xml</pre>
 +
# Locate the line in the file under the SSL section (approximately line 83) <pre><Protocols></Protocols></pre>
 +
# Change the line to:<pre><Protocols>TLSv1.2</Protocols></pre>
 +
# Locate the line in the file under the SSL section (it should be right above the protocols line) <pre><CipherSuites></CipherSuites></pre>
 +
# Change the line to: <pre><CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</CipherSuites></pre>
 +
# Type '''CTRL-X''' and then press Enter to exit.
 +
# Enter '''Y''' to save changes.
 +
# Do not change the name and press Enter to save the changes.
 +
# Type in the following, and then press Enter: <pre>sudo service WowzaStreamingEngine restart</pre>
  
 +
You can verify the active ciphers by running the following command:
  
Cipher Suites:
+
<pre>nmap -sV --script ssl-enum-ciphers -p 444 <host></pre>
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites
 
<CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</CipherSuites>
 

Latest revision as of 09:27, 26 June 2020

  1. Connect to the server via ssh or access the shell via the console.
  2. Type in the following, and then press Enter:
    sudo nano /usr/local/WowzaStreamingEngine/conf/VHost.xml
  3. Locate the line in the file under the SSL section (approximately line 83)
    <Protocols></Protocols>
  4. Change the line to:
    <Protocols>TLSv1.2</Protocols>
  5. Locate the line in the file under the SSL section (it should be right above the protocols line)
    <CipherSuites></CipherSuites>
  6. Change the line to:
    <CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</CipherSuites>
  7. Type CTRL-X and then press Enter to exit.
  8. Enter Y to save changes.
  9. Do not change the name and press Enter to save the changes.
  10. Type in the following, and then press Enter:
    sudo service WowzaStreamingEngine restart

You can verify the active ciphers by running the following command:

nmap -sV --script ssl-enum-ciphers -p 444 <host>