How to deploy HTTPS in Wowza Streaming Engine


HTTPS is HTTP carried over the Secure Sockets Layer (SSL) protocol. In a streaming server it encrypts HTTP-based streaming traffic such as HLS, HDS, and Smooth Streaming. I explained HTTPS deployment for a web server in an earlier post, but the media streaming field is a little different in this respect.

A few points to keep in mind first:

1. HTTPS doesn’t secure the media streams by itself. Someone who wants to get your stream illegitimately will still be able to do so. What SSL adds is integrity and confidentiality on the wire: stream packets are protected from MITM attacks and any other third-party wiretapping, but the stream is not protected from unauthorized end-user access, nor from DDoS attacks. SSL encryption protects streaming connections more completely only when it is used in conjunction with a token-based authentication system. The Wowza Core Security Module is one simple example of such a system.

2. Even if you already have your own SSL certificate for your website, you can’t use it for Wowza streams directly. Wowza’s Java API needs the certificate in a Java KeyStore (JKS). A JKS is a container that bundles the whole certificate chain in a single file; in general there is no alternative to a KeyStore for serving HTTPS from a Java application. The KeyStore file has its own format and is served with the .jks extension.

I’ll focus on the conversion from an SSL certificate for a web application to one usable by Wowza.

3. Obviously HTTPS doesn’t apply to RTP and RTMP-packetized streams; they use their own network protocols for data exchange. To enable SSL encryption on RTMP, you can configure RTMPS with the Wowza StreamLock service. For RTP encryption, look at the RTSP implementation.

Generate a Java KeyStore (JKS)


There are two options.

1. Use the StreamLock service provided by Wowza Streaming Engine. Suitable if you don’t have any SSL certificate yet. You can learn how to get it here.

2. Convert the website SSL certificate you already have for your domain. Suitable if you have one and don’t want to generate anything more.

  • Create a PKCS#12 file using OpenSSL
openssl pkcs12 -export -in abc.crt -inkey abc.key -out abc.p12

You’ll be asked to enter a password for this file. Don’t leave it empty; otherwise you’ll get an error at the next step.

  • Generate a JKS keystore from PKCS#12 file using keytool.
keytool -importkeystore -srckeystore abc.p12 -srcstoretype PKCS12 -destkeystore abc.jks -deststoretype JKS

You’ll be prompted for a password for the new keystore. Don’t leave this empty either. You’ll also be asked for the password of the PKCS#12 file from the previous step.

  • Finally, place the generated Java KeyStore in the [wowza_dir]/conf directory.

Configure Wowza Streaming Engine


1. Enable SSL protocol info logging by adding a new property at the bottom of [wowza_dir]/conf/Server.xml:

<Property>
	<Name>sslLogProtocolInfo</Name>
	<Value>true</Value>
	<Type>Boolean</Type>
</Property>

2. Ensure that the allow-access-from element in [wowza_dir]/conf/crossdomain.xml uses the wildcard “*” domain:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
	<allow-access-from domain="*" secure="false"/>
	<site-control permitted-cross-domain-policies="all"/>
</cross-domain-policy>

3. Ensure that HTTPS access is allowed in [wowza_dir]/conf/clientaccesspolicy.xml:

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
        <domain uri="https://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>

4. Configure the SSL settings in [wowza_dir]/conf/VHost.xml (the SSLConfig block) by opening a new port for SSL. You can simply uncomment the second, commented-out HostPort block in this file and customize it. Here I set port 4443, because I planned to leave port 443 for website access on the same server.

<HostPort>
	<Name>Default SSL Streaming</Name>
	<Type>Streaming</Type>
	<ProcessorCount>${com.wowza.wms.TuningAuto}</ProcessorCount>
	<IpAddress>*</IpAddress>
	<Port>4443</Port>
	<HTTPIdent2Response></HTTPIdent2Response>
	<SSLConfig>
		<KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/abc.jks</KeyStorePath>
		<KeyStorePassword>[your_password_here]</KeyStorePassword>
		<KeyStoreType>JKS</KeyStoreType>
		<SSLProtocol>TLS</SSLProtocol>
		<Algorithm>SunX509</Algorithm>
		<CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuites>
		<Protocols>TLSv1,TLSv1.1,TLSv1.2</Protocols>
	</SSLConfig>
</HostPort>
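Before restarting, it is worth checking the SSLConfig block for the things that commonly bite later: a placeholder keystore password, legacy protocols still listed in Protocols, and cipher suites without forward secrecy. The following script is an added example for this post, not Wowza code; it parses the HostPort block above with the standard library and assumes the block sits inside a <HostPort> element as it does in VHost.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SSLConfig from this post inside its <HostPort> element.
SAMPLE_HOSTPORT = """<HostPort>
  <Port>4443</Port>
  <SSLConfig>
    <KeyStorePath>${com.wowza.wms.context.VHostConfigHome}/conf/abc.jks</KeyStorePath>
    <KeyStorePassword>[your_password_here]</KeyStorePassword>
    <KeyStoreType>JKS</KeyStoreType>
    <SSLProtocol>TLS</SSLProtocol>
    <Algorithm>SunX509</Algorithm>
    <CipherSuites>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256</CipherSuites>
    <Protocols>TLSv1,TLSv1.1,TLSv1.2</Protocols>
  </SSLConfig>
</HostPort>"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def split_list(text):
    """Split a comma-separated Wowza value, tolerating spaces and a missing element."""
    return [t.strip() for t in (text or "").split(",") if t.strip()]

def check_sslconfig(hostport_xml):
    """Return (severity, message) findings for one HostPort's SSLConfig block."""
    ssl = ET.fromstring(hostport_xml).find("SSLConfig")
    if ssl is None:
        return [("error", "HostPort has no SSLConfig block")]
    findings = []
    password = (ssl.findtext("KeyStorePassword") or "").strip()
    if not password or password.startswith("["):
        findings.append(("error", "KeyStorePassword is empty or still a placeholder"))
    for proto in split_list(ssl.findtext("Protocols")):
        if proto in LEGACY_PROTOCOLS:
            findings.append(("warn", f"legacy protocol enabled: {proto}"))
    for suite in split_list(ssl.findtext("CipherSuites")):
        # Only ephemeral (EC)DHE key exchange gives forward secrecy.
        if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(("warn", f"no forward secrecy: {suite}"))
        if "_CBC_" in suite:
            findings.append(("info", f"CBC-mode suite, prefer GCM: {suite}"))
    return findings

def check_vhost_file(path):
    """Run the check over every HostPort with an SSLConfig in a real VHost.xml."""
    results = {}
    for hp in ET.parse(path).getroot().iter("HostPort"):
        if hp.find("SSLConfig") is not None:
            results[hp.findtext("Port")] = check_sslconfig(ET.tostring(hp))
    return results
```

Run check_vhost_file("[wowza_dir]/conf/VHost.xml") against your own installation; with the block above it reports the placeholder password, TLSv1 and TLSv1.1, and the TLS_RSA suite.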

5. Restart Wowza Streaming Engine. After boot, Wowza should print records like these in your access log file:

2016-04-27 16:00:43 MSK comment vhost INFO 200 _defaultVHost_ SSL ([any]:4443): /usr/local/WowzaStreamingEngine/conf/wowza.jks
2016-04-27 16:00:44 MSK comment server INFO 200 - SSLInfo.CipherSuitesSupported: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
2016-04-27 16:00:44 MSK comment server INFO 200 - SSLInfo.CipherSuitesEnabled: LS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256
2016-04-27 16:00:44 MSK comment server INFO 200 - SSLInfo.ProtocolsSupported: TLSv1,TLSv1.1,TLSv1.2
2016-04-27 16:00:44 MSK comment server INFO 200 - SSLInfo.ProtocolsEnabled: TLSv1,TLSv1.1,TLSv1.2

Check the SSL connection


Use an existing Wowza application that is streaming something. The link to your HLS (or HDS) stream should look like this:

https://[your_domain_name]:[ssl_host_port]/[wowza_app_name]/[stream_name]/playlist.m3u8

Here is an example for this configuration:

https://example.com:4443/live/test.stream/playlist.m3u8

If the connection was successful, you should find messages like the following in your access log:

2016-04-27 16:20:30 UTC comment server INFO 200 - SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
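These SSLInfo and SSLHandler records are also the data you want before tightening the Protocols list: they show which protocol and cipher each client actually negotiated. The following script is an added example for this post (not Wowza code) that parses constructed log lines in the format shown above and tallies what would break if only TLSv1.2 and newer stayed enabled.

```python
import re
from collections import Counter

# Constructed sample lines in the access-log format shown in this post.
SAMPLE_LOG = """\
2016-04-27 16:00:44 MSK comment server INFO 200 - SSLInfo.ProtocolsEnabled: TLSv1,TLSv1.1,TLSv1.2
2016-04-27 16:20:30 UTC comment server INFO 200 - SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2016-04-27 16:21:02 UTC comment server INFO 200 - SSLHandler.connectionInfo: protocol:TLSv1 cipher:TLS_RSA_WITH_AES_128_CBC_SHA256
2016-04-27 16:21:40 UTC comment server INFO 200 - SSLHandler.connectionInfo: protocol:TLSv1.2 cipher:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
"""

ENABLED_RE = re.compile(r"SSLInfo\.ProtocolsEnabled: (\S+)")
CONN_RE = re.compile(r"SSLHandler\.connectionInfo: protocol:(\S+) cipher:(\S+)")

def parse_ssl_log(text):
    """Return (enabled_protocols, [(protocol, cipher), ...]) from access-log text."""
    enabled, connections = [], []
    for line in text.splitlines():
        m = ENABLED_RE.search(line)
        if m:
            enabled = m.group(1).split(",")  # the latest startup record wins
            continue
        m = CONN_RE.search(line)
        if m:
            connections.append((m.group(1), m.group(2)))
    return enabled, connections

def summarize(text, keep=frozenset({"TLSv1.2", "TLSv1.3"})):
    """Tally negotiated protocols/ciphers and list the connections and
    configured protocols that would go away if only `keep` stayed enabled."""
    enabled, connections = parse_ssl_log(text)
    return {
        "by_protocol": dict(Counter(p for p, _ in connections)),
        "by_cipher": dict(Counter(c for _, c in connections)),
        "at_risk": [(p, c) for p, c in connections if p not in keep],
        "removable": [p for p in enabled if p not in keep],
    }
```

Feed it the real access log (open the file and pass its contents) and an empty "at_risk" list means the legacy protocols can be dropped from Protocols without cutting off any client seen so far.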

That’s all the steps for HTTPS configuration in Wowza Streaming Engine. Note that you’ll still be able to serve your media traffic over plain HTTP. To disable HTTP, remove the <domain uri="http://*"/> line from the [wowza_dir]/conf/clientaccesspolicy.xml config file.

Now we’re acquainted with one more special Java technology. Is it a great deal? I guess so. 🙂
