
Screenshot: Server with Wowza running using a SSL certificate with basis configuration

I get this result from SSL Labs with the default configuration (see screenshot). The only place I can change the configuration is probably VHost.xml, where I can configure the following items:

<SSLConfig>
    <KeyStorePath></KeyStorePath>
    <KeyStorePassword>[REMOVED]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <DomainToKeyStoreMapPath>${com.wowza.wms.context.VHostConfigHome}/conf/jksmap.txt</DomainToKeyStoreMapPath>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites></CipherSuites>
    <Protocols></Protocols>
</SSLConfig>

I read this https://www.wowza.com/docs/how-to-improve-ssl-configuration, but it doesn't help a great deal.

Question: What can I add to the items “Cipher Suites” and “Protocols” to get a more up-to-date SSL-configuration? Or where can I read about it?

Thomas Ebert
  • 143
  • 5

1 Answer


The documentation link you gave doesn't mention the server software used. But from the logged messages I conclude it understands the common OpenSSL terms.

I'm getting A to A+ ratings using the following settings in nginx:

ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH !DHE !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
ssl_protocols "TLSv1 TLSv1.1 TLSv1.2";

(Maybe you must supply comma-separated lists. Depends on server software.)

This should be sufficient to get a B rating.

I also use the following statement:

ssl_prefer_server_ciphers on;

This prevents downgrading security from client side. Hopefully your provider does this by default because I don't see an option you could set in the configuration you posted.

If you can additionally implement HSTS you can improve the rating to A+. Implementing HSTS means delivering an HTTP header like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This makes modern browsers refuse to make unsecured connections to the server that emitted this header within the last 31,536,000 seconds.

blafasel
  • 488
  • 4
  • 10
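The HSTS part of the answer can be checked offline. The following is an added example (not code from the answer, from Wowza, or from nginx) that parses a `Strict-Transport-Security` value according to RFC 6797, extracts it from a constructed HTTP response, and tells you whether the policy is valid and whether its `max-age` meets a minimum you choose; the default minimum is the one-year value used in the answer. The helper names and the sample response are assumptions made for the example.

```python
"""Parse and validate Strict-Transport-Security headers (RFC 6797).

Added example, not from the original answer. It checks the things a defender
cares about before expecting an A+: the header exists, carries exactly one
max-age directive with a non-negative integer, and that age is long enough.
Note that browsers only honour the header when it arrives over HTTPS.
"""
from typing import Dict, Optional

# Constructed sample response; the header value matches the one in the answer.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html></html>"
)


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse an STS field value into its directives.

    RFC 6797 section 6.1: directive names are case-insensitive, max-age is
    required, and no directive may appear more than once (a UA must ignore a
    header that violates this, so duplicates are reported as errors).
    """
    result: Dict[str, object] = {
        "max_age": None, "include_subdomains": False, "preload": False,
        "errors": [], "ignored": [],
    }
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the value may be a quoted-string
        if name in seen:
            result["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                result["max_age"] = int(arg)
            else:
                result["errors"].append(f"max-age is not a non-negative integer: {arg!r}")
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        else:
            # Unknown directives are ignored by user agents; record them for review.
            result["ignored"].append(name)
    if "max-age" not in seen:
        result["errors"].append("max-age directive missing; header is invalid")
    return result


def hsts_header_from_response(raw_response: str) -> Optional[str]:
    """Return the STS field value from a raw HTTP/1.1 response, or None."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def hsts_enforced(value: Optional[str], min_age: int = 31536000) -> bool:
    """True if the policy is valid and max-age is at least min_age seconds.

    max-age=0 is valid syntax but tells the browser to drop the policy, so a
    positive minimum is required for enforcement.
    """
    if value is None:
        return False
    parsed = parse_hsts(value)
    if parsed["errors"] or parsed["max_age"] is None:
        return False
    return parsed["max_age"] >= min_age and min_age > 0


def build_hsts(max_age: int, include_subdomains: bool = True, preload: bool = False) -> str:
    """Compose a well-formed STS value; preload requires includeSubDomains."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    if preload and not include_subdomains:
        raise ValueError("preload requires includeSubDomains")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


if __name__ == "__main__":
    value = hsts_header_from_response(SAMPLE_RESPONSE)
    print(value, parse_hsts(value), hsts_enforced(value))
```

Run it against a captured response from your own server; `hsts_enforced` returning False with an empty error list means the header is well-formed but the `max-age` is shorter than the minimum you asked for.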
  • Thank you! This brought me on the right track. I still don't exactly know how to specify the cipher suite names, since Wowza is a Java application, but I asked in the product forums and will update here once I get an answer. – Thomas Ebert Dec 18 '17 at 14:34
  • I was finally able to configure something that works. Unfortunately, only a handful of suites work and I had to remove weaker ones because the strong counterparts wouldn't work. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLSv1,TLSv1.1,TLSv1.2`. This gets an A rating. I'm working on HSTS. – Thomas Ebert Jan 24 '18 at 09:43
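The suite and protocol names in the last comment are the Java (JSSE) names that a Java server such as Wowza takes, not OpenSSL cipher strings, so the nginx list from the answer cannot be pasted in directly. As an added example (not code from the thread or from Wowza), the script below takes the comma-separated `<CipherSuites>` and `<Protocols>` values exactly as the comment reports them, decomposes each JSSE name into key exchange, bulk cipher and MAC, and reports the points a reviewer would raise: suites without forward secrecy, legacy algorithms, CBC suites still paired with HMAC-SHA1, and protocol versions that are deprecated (TLS 1.0 and 1.1, RFC 8996). The function names and the split into two sample strings are assumptions of the example.

```python
"""Offline audit of JSSE-style cipher suite and protocol lists.

Added example, not from the original thread or Wowza. JSSE suite names follow
TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF>; TLS 1.3 names omit the
key exchange (for example TLS_AES_128_GCM_SHA256) and are always forward
secret and AEAD.
"""
import re
from typing import Dict, List

# Constructed from the working configuration in the last comment. Wowza's
# <CipherSuites> and <Protocols> elements each take a comma-separated list.
SAMPLE_CIPHER_SUITES = (
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
)
SAMPLE_PROTOCOLS = "TLSv1,TLSv1.1,TLSv1.2"

# SSLv3 and earlier are long gone; TLS 1.0 and 1.1 were deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_TOKENS = {"RC4", "3DES", "DES", "NULL", "EXPORT", "EXPORT1024", "MD5"}

SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>[A-Z0-9]+)$")


def parse_suite(name: str) -> Dict[str, object]:
    """Classify one JSSE suite name."""
    name = name.strip()
    m = SUITE_RE.match(name)
    if m is None:
        if name.startswith("TLS_") and "_WITH_" not in name:
            # TLS 1.3 suite: (EC)DHE is implied by the protocol, cipher is AEAD.
            return {"name": name, "kx": "TLS1.3", "cipher": name[4:], "mac": "",
                    "forward_secret": True, "aead": True, "legacy": False, "cbc_sha1": False}
        raise ValueError(f"unrecognised suite name: {name}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    tokens = set(kx.split("_")) | set(cipher.split("_")) | {mac}
    aead = any(t in cipher for t in ("GCM", "CCM", "CHACHA20"))
    return {
        "name": name, "kx": kx, "cipher": cipher, "mac": mac,
        # Ephemeral (EC)DH gives forward secrecy; static RSA/DH and anon do not.
        "forward_secret": kx.startswith(("ECDHE", "DHE")) and "anon" not in kx,
        "aead": aead,
        "legacy": bool(tokens & LEGACY_TOKENS) or "anon" in kx,
        # CBC mode with plain SHA means HMAC-SHA1; still common, but weaker than AEAD.
        "cbc_sha1": (not aead) and "CBC" in cipher and mac == "SHA",
    }


def audit(cipher_suites: str, protocols: str) -> Dict[str, List[str]]:
    """Return the suites and protocols a reviewer would flag, grouped by reason."""
    suites = [s for s in (x.strip() for x in cipher_suites.split(",")) if s]
    protos = [p for p in (x.strip() for x in protocols.split(",")) if p]
    report: Dict[str, List[str]] = {
        "no_forward_secrecy": [], "legacy": [], "cbc_sha1": [], "aead": [],
        "deprecated_protocols": [p for p in protos if p in DEPRECATED_PROTOCOLS],
    }
    for s in suites:
        info = parse_suite(s)
        if not info["forward_secret"]:
            report["no_forward_secrecy"].append(s)
        if info["legacy"]:
            report["legacy"].append(s)
        if info["cbc_sha1"]:
            report["cbc_sha1"].append(s)
        if info["aead"]:
            report["aead"].append(s)
    return report


if __name__ == "__main__":
    for reason, items in audit(SAMPLE_CIPHER_SUITES, SAMPLE_PROTOCOLS).items():
        print(f"{reason}: {items}")
```

For the comment's configuration the audit finds no legacy algorithms and every suite forward secret, which is consistent with the A rating; the two `_CBC_SHA` suites and the enabled TLSv1 and TLSv1.1 are what remains to review if you want to tighten the list further.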