SSL/TLS support in Wowza Streaming Engine.

2022-11-24 12:28:00

SSL/TLS.

SSL and TLS are protocols for secure data transmission over an IP network. When a connection is established via the SSL/TLS protocol, through the use of authentication and encryption, a secure data transmission channel is formed for application protocols of network applications, in particular for streaming protocols: HTTP (Apple HLS, MPEG DASH) , RTP, RTMP.

Why you need to use SSL/TLS in Wowza Streaming Engine.

In addition to the main function - protecting the transmitted information, the use of SSL / TLS with the Wowza Streaming Engine media server can be mandatory, even when the information itself is not secret. The fact is that an HTML5 video player to view Apple HLS/MPEG-DASH streams and hosted on a website protected by SSL/TLS will not be able to play a video stream from a media server without support for an SSL/TLS connection. Appropriate security checks are performed by all browsers. Also, the WebRTC technology used to create interactive applications and minimize video transmission delay cannot work without SSL / TLS.

Types of SSL/TLS certificates in Wowza Streaming Engine.

Wowza Streaming En gine supports several methods to work with SSL certificates. First of all, Wowza offers to get a free StreamLock SSL certificate. To use such a certificate, the Wowza server may not even have a domain name, since StreamLock is also DNS hosting with your server registered in the streamlock.net domain. Such a certificate is issued instantly and installed on the server is very simple, you only need to copy the resulting file and write a couple of configuration lines. But there is also a significant limitation, the StreamLock certificate will only work while the Wowza Maintenance and Support Agreement (Wowza M&S) is active.

While it is not necessary to use a StreamLock certificate. You can use an SSL certificate issued by any Internet provider, paid or free. It is convenient to use a wildcard SSL certificate to install the same certificate on the web server and on the Wowza Streaming Engine server. The procedure for preparing and configuring your own SSL certificate will require a little more effort than the Wowza StreamLock certificate.

Preparing your own SSL certificate for installation in Wowza Streaming Engine.

The complexity of setting up your own certificate lies in the fact that you cannot install the .crt / .pem file received from the provider with an SSL certificate in X.509 format on Wowza as-is. Wowza, like other Java applications, supports SSL certificates stored in a .jks file. The X.509 certificate will need to be converted to PKCS12 format (.pfx file) and imported into a .jks file. In addition to a personal SSL certificate and key, to generate a .pfx file, you will need a .ca-bundle file containing the root and intermediate certificates of the certification authority. Sometimes the provider sends ready-made .ca-bundles, but if the root and intermediate certificates were obtained separately, then you can create the .ca-bundle yourself, in a text editor, by copying the contents of these files and placing the intermediate certificate first, and the root certificate second.

Next, for the Linux platform, you need to run two commands:


openssl pkcs12 -export -chain -CAfile .ca-bundle -in .crt -inkey .key -name -out .pfx /usr/local/WowzaStreamingEngine/java/bin/keytool -importkeystore -deststorepass -destkeystore .jks -srckeystore .pfx -srcstoretype PKCS12

The .jks obtained in this way should be written to /usr/local/WowzaStreamingEngine /conf/VHost.xml , specifying the path to the file, its name and password.