I’ve SSL configured and working for mpegdash streaming. When testing the SSL implementation using https://testssl.sh/ or https://www.ssllabs.com/ it is suggested to specify the cipher order on the server. In apache tomcat this can be done by setting SSLHonorCipherOrder to true.
For Wowza I would also like to specify this, however I don’t see a property for this in the SSLConfig section of VHost.xml.
How can I force Wowza to honor the cipher order?
We’re wondering the same, I assumed that the order of the in a VHost configuration would be used but testssl reports back that no order is specified…
There is no equivalent of “SSLHonorCipherOrder” with Wowza Streaming Engine.
You must manually configure your cipher suites in your VHost.xml file, but first you need to find what your cert supports. The article below will show you how to find those.
https://www.wowza.com/docs/how-to-improve-ssl-configuration
In your VHost.xml file you will see the following.
<CipherSuites></CipherSuites><Protocols></Protocols>
You can add what you found in your debug output to those sections. As every
cert is a bit different the information below is merely an example.
<CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</CipherSuites><Protocols>TLSv1,TLSv1.1,TLSv1.2</Protocols>
Specifically, you should only add what you want to use and the cipher suites and protocols chosen will be the only ones used.