CipherSuites setting doesn't work?

The new CipherSuites and Protocols settings don’t seem to work. No matter what value I set in these config fields, the server seems to behave the same. This is tested with both 3.0.3 and 3.1.1.

As mentioned on "how to secure the ciphers?", the poster didn’t seem to be able to restrict the server from using certain ciphers. In my tests, I’ve set TLS_RSA_WITH_AES_128_CBC_SHA, but when analyzing the network traffic with Wireshark, the server still responds with Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (which is a different cipher). No matter what value I set, the server responds with the same cipher suite - similarly, no matter what value I set in , the server responds with TLS 1.0 (to this particular client). Even if I set invalid values, the server just behaves the same.

Do these settings work at all? Is there any example config on how to set them for them to have any effect?

We will look into it. It might take us some time to test this. What Java VM are you using (make and version)?

Charlie

I found the problem. Will release a fix in the next day or so. It requires a bit of a write up. I added some additional debugging and information logging to help in setting up filtered SSL.

Charlie

Install this patch. It will fix a problem with SSLConfig/CipherSuites and SSLConfig/Protocols:

WowzaMediaServer3.1.1-patch6.zip

See this forum post that describes how to use a few new properties for debugging and configuring SSLConfig/CipherSuites and SSLConfig/Protocols:

SSL configuration improvements in 3.1.106 or greater

Charlie

Please try upgrading to 3.5 with this patch:

https://www.wowza.com/downloads/WowzaMediaServer-3-5-0/WowzaMediaServer-3.x.x-3.5.0.zip

Make sure you review the files in the patch to be sure that none are overwriting files you have customized. If there are, you should use the new files and remake your configuration options.

Richard

I’m using Apple’s latest JVM on OS X Snow Leopard, more details from the startup log:

INFO server comment - OS Name: Mac OS X

INFO server comment - OS Version: 10.6.8

INFO server comment - OS Architecture: x86_64

INFO server comment - Java Name: Java HotSpot™ 64-Bit Server VM

INFO server comment - Java Vendor: Apple Inc.

INFO server comment - Java Version: 1.6.0_31

INFO server comment - Java VM Version: 20.6-b01-415

INFO server comment - Java Spec Version: 1.6

Thanks, this seems to fix the issue for me!

// Martin

Hi, we have Wowza Media Server 3 Perpetual Edition 3.0.2 build866.

We are getting flagged by PCI: "Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security"

3

HIGH - key length larger than 128 bits

MEDIUM - key length equal to 128 bits

LOW - key length smaller than 128 bits

Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.

The following link provides more information about this vulnerability:

Analysis of the SSL 3.0 protocol (http://www.schneier.com/paper-ssl-revised.pdf)

Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations.

IMPACT:

An attacker can exploit this vulnerability to decrypt secure communications without authorization.

SOLUTION:

Disable support for LOW encryption ciphers.

Here is what we have in vhosts.xml.

SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA

SSLv3

Is the bug being discussed above impacting us? Do we have any patch for 3.0.3 which fixes the issue?
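
An added example (not part of any post in this thread, and not Wowza code): grading a comma-separated CipherSuites value against the HIGH/MEDIUM/LOW key-length bands quoted from the scan report above, so a configured list can be compared with what the scanner flags. The function names and the key-size table are assumptions of this example; 3DES is counted at its nominal 168 bits.

```python
import re

# Nominal key sizes (bits) for bulk ciphers whose suite name carries no size.
# Assumption of this example: 3DES is counted at its nominal 168 bits.
_FIXED_BITS = [
    ("_WITH_NULL_", 0),   # no encryption at all
    ("3DES_EDE", 168),
    ("DES40", 40),        # export-grade DES
    ("DES_CBC", 56),      # single DES
]
# Ciphers whose key size is written into the suite name (AES_128, RC4_40, ...).
_SIZED = re.compile(r"_(?:AES|RC4|RC2_CBC|CAMELLIA)_(\d+)")


def key_bits(suite):
    """Return the nominal bulk-cipher key size in bits, or None if unrecognised."""
    name = suite.strip().upper()
    for token, bits in _FIXED_BITS:
        if token in name:
            return bits
    match = _SIZED.search(name)
    return int(match.group(1)) if match else None


def grade(suite):
    """Apply the bands from the scan report: >128 HIGH, ==128 MEDIUM, <128 LOW."""
    bits = key_bits(suite)
    if bits is None:
        return "UNKNOWN"
    if bits > 128:
        return "HIGH"
    if bits == 128:
        return "MEDIUM"
    return "LOW"


def audit(cipher_suites_value):
    """Grade every suite in a comma-separated CipherSuites value."""
    suites = [s.strip() for s in cipher_suites_value.split(",") if s.strip()]
    return {s: grade(s) for s in suites}


if __name__ == "__main__":
    # The configured value quoted in the last post of the thread.
    configured = "SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA"
    # Constructed sample: suites a scanner would report as LOW if still offered.
    constructed = "SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_WITH_DES_CBC_SHA"
    for label, value in (("configured", configured), ("constructed", constructed)):
        for suite, band in audit(value).items():
            print(f"{label:11} {band:7} {suite}")
```

If every configured suite grades MEDIUM or HIGH while a scan still reports LOW ciphers, the server is offering suites outside the configured list.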