How Do I Enable Specific TLS Version(s)

This article will guide you through the setup and configuration of TLS support within the Wowza Streaming Engine. If needed, specific versions of TLS can be defined for a more tailored configuration.

The general workflow is as below:

  1. Enable SSL protocol logging
  2. Review SSL protocol logging
  3. Modify VHost.xml SSL configuration
  4. Deploy and test changes

Step 1 - Enable Logging of SSL Protocol


First, we need to know which versions of TLS are supported by the Wowza Streaming Engine instance, and which of those are enabled.

The sslLogProtocolInfo property instructs Wowza Streaming Engine to log SSL cipher and protocol information on startup. This information helps build a list of ciphers and protocols for the HostPort SSLConfig/CipherSuites and SSLConfig/Protocols filters in the virtual host.

Configure sslLogProtocolInfo property

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Server Setup.  
  2. In the Server Setup page, click the Properties tab and then click Custom in the Quick Links bar. 
    Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.
  3. In the Custom area, click Edit.  
  4. Click Add Custom Property, specify the following settings in the Add Custom Property dialog box, and then click Add:
     
    • Path - Select /Root/Server.  
    • Name - Enter sslLogProtocolInfo.  
    • Type - Select Boolean.  
    • Value - Enter true.
  5. Click Save, and then restart the server to apply the changes.

Step 2 - Review Logging of SSL Protocols


On each startup or restart of Wowza Streaming Engine, if sslLogProtocolInfo is defined and set to true, the log will contain messages similar to the following:

SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2

[..]
  • SSLInfo.ProtocolsEnabled is the default list of protocols that will be used if the SSLConfig/Protocols property is empty.
  • SSLInfo.ProtocolsSupported is the full list of protocols supported by the Java VM.

You can use these cipher suites and protocols to build your SSL encryption configuration.

Notes:
  • To add support for TLS v1.3, you can install a Java 11 JRE. The SSL protocols supported in Wowza Streaming Engine are affected by the capabilities of the SSL Engine provided by your JRE. See Manually install and troubleshoot Java on Wowza Streaming Engine.
  • When inspecting SSL connection exchanges using Wireshark, Wowza Streaming Engine always shows the same list of 12 cipher suites, even if you've removed a particular cipher suite from the available cipher suites. Any removed cipher suites are not used during encryption negotiation.

Step 3 - Modifying the Enabled TLS versions in VHost.xml


To change the list of TLS versions that appear in SSLInfo.ProtocolsEnabled, edit [install]/conf/VHost.xml and set the <Protocols> element under the desired SSL <HostPort>/<SSLConfig>.

NOTE: If the SSL <HostPort> block in VHost.xml is still commented out, uncomment it; otherwise the change has no effect.

<HostPort>
[..]
<SSLConfig>
[..]
<SSLProtocol>TLS</SSLProtocol> <!-- DO NOT CHANGE THIS -->
<Algorithm>SunX509</Algorithm>
<CipherSuites/>
<Protocols>TLSv1.2,TLSv1.1</Protocols> <!-- LIST PROTOCOLS HERE -->
[..]
</SSLConfig>
[..]
</HostPort>

Step 4 - Deploy and Test changes


After saving changes to VHost.xml, restart the Wowza Streaming Engine and Wowza Streaming Engine Manager services. Test with a player or client whose TLS protocol and version you know. If you do not know which protocol or version your client is using, refer to the "Debug SSL connection filtering" section.

Debug SSL connection filtering


When a client/player request is allowed or rejected by Wowza Streaming Engine on the basis of its TLS version, the sslLogConnectionInfo property can be used to debug SSL connection filtering. It instructs Wowza Streaming Engine to log SSL connection information (protocol, cipher suite, and provider) for each SSL/HTTPS connection.

Configure sslLogConnectionInfo property

  1. In Wowza Streaming Engine Manager, click the Server tab, and then click Virtual Host Setup.  
  2. In the Virtual Host Setup page, click the Properties tab and then click Custom in the Quick Links bar.
     
    Note: Access to the Properties tab is limited to administrators with advanced permissions. For more information, see Manage credentials.
  3. In the Custom area, click Edit.  
  4. Click Add Custom Property, specify the following settings in the Add Custom Property dialog box, and then click Add:
    • Path - Select /Root/VHost.  
    • Name - Enter sslLogConnectionInfo.  
    • Type - Select Boolean.  
    • Value - Enter true.
  5. Click Save, and then restart the virtual host to apply the changes.

Setting sslLogConnectionInfo to true yields log messages similar to the following.

SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 providerName:SunJSSE

Once you know the TLS version used by the client, cross-reference it against the SSLInfo.ProtocolsEnabled and SSLInfo.ProtocolsSupported log output and adjust the <Protocols> list so that the client's TLS version is allowed or blocked as needed.
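Putting Steps 2 through 4 together, here is an added example in Python (not Wowza's own code): it parses the sslLogProtocolInfo startup lines, reads the SSLConfig/Protocols filter from a VHost.xml fragment, reports which configured versions the JVM cannot provide or are deprecated, and predicts which logged client handshakes that filter would reject. The log lines and the XML fragment are constructed samples modelled on the article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed startup log lines, as written when sslLogProtocolInfo=true.
STARTUP_LOG = """
SSLInfo.ProtocolsEnabled: SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
SSLInfo.ProtocolsSupported: SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
"""

# Constructed VHost.xml fragment; <Protocols> restricts ProtocolsEnabled.
VHOST_XML = """<VHost><HostPort><SSLConfig>
<SSLProtocol>TLS</SSLProtocol>
<Algorithm>SunX509</Algorithm>
<CipherSuites/>
<Protocols>TLSv1.2,TLSv1.3</Protocols>
</SSLConfig></HostPort></VHost>"""

# Constructed per-connection lines, as written when sslLogConnectionInfo=true.
CONNECTION_LOG = """
SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 providerName:SunJSSE
SSLHandler.connectionInfo: protocol:TLSv1 cipher:TLS_RSA_WITH_AES_128_CBC_SHA providerName:SunJSSE
SSLHandler.connectionInfo: protocol:TLSv1.1 cipher:TLS_RSA_WITH_AES_256_CBC_SHA providerName:SunJSSE
"""

# Versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_sslinfo(log, key):
    """Return the comma-separated list logged after 'SSLInfo.<key>:'."""
    m = re.search(rf"SSLInfo\.{key}:\s*(\S+)", log)
    return m.group(1).split(",") if m else []

def configured_protocols(xml_text):
    """Read SSLConfig/Protocols; an empty element means 'use ProtocolsEnabled'."""
    root = ET.fromstring(xml_text)
    return [p for el in root.iter("Protocols") if el.text
            for p in el.text.split(",") if p]

def check_config(xml_text, startup_log):
    """Compare the VHost.xml filter with the JVM's list and flag weak versions."""
    supported = set(parse_sslinfo(startup_log, "ProtocolsSupported"))
    wanted = configured_protocols(xml_text) or parse_sslinfo(startup_log, "ProtocolsEnabled")
    return {"effective": [p for p in wanted if p in supported],
            "unsupported_by_jvm": [p for p in wanted if p not in supported],
            "deprecated": [p for p in wanted if p in DEPRECATED]}

def connections_by_verdict(connection_log, effective):
    """Bucket logged client handshakes by whether the filter would admit them."""
    verdicts = {"allowed": [], "blocked": []}
    for proto in re.findall(r"connectionInfo: protocol:(\S+)", connection_log):
        verdicts["allowed" if proto in effective else "blocked"].append(proto)
    return verdicts
```

A version listed under unsupported_by_jvm (here TLSv1.3 on a JRE older than 11) silently never takes effect, so the report is worth running after every JRE change.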