Can someone post an example of the modifications required to the VHost.xml file discussed in this article (https://www.wowza.com/docs/how-to-improve-ssl-configuration#modify-your-ssl-configuration-settings). I understand that the and sections need to be modified to reflect just those cipher suites and protocols that want to be me used, but my VHost.xml does not currently contain these sections? Thanks in advance.
Hi @Rich Sokol, can remind me which version of Engine you are using? I can see it for last two versions ( 4.7.7 and 4.7.8) in that VHost.xml file, so just curious which one you have.
@Rose Power-Wowza Community Manager Huh, AWESOME! Maybe I am just missing it then, I like a simple resolution. We are running 4.7.7 in our three implementations. Can you please post an example of where the sections are and what they would look like to DISALLOW everything but TLS 1.1 and 1.2? Thanks in advance.
Sure thing. So, I have 4.7.7 that I use and I went into the config folder, then I scrolled down to the VHost.xml file. I then would need to scroll down in that file to the commented out section.
Uncomment that section
and put the correct info in the part I circled. I can try and get an example of how you enter the info there in cipher suites and protocols and to disallow what you requested. I will be back soon.
TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256</Cipher
TLSv1.2,TLSv1.1
Thank you very much @Tom Ryan. Really appreciate it.