Documentation Downloads Knowledge How-To Hub Forums Cases Assets Warranty
Skip to main content
james_hicks_1llyvfrbnsmqe's profile
james_hicks_1llyvfrbnsmqe
75 Points

2 Messages

 • 

90 Points

Mon, Nov 12, 2018 12:16 PM

Answered

Is it possible to disable TLS 1.0 on the Zonedirector ZD1200 firmware version 10.1?

Is it possible to disable TLS 1.0 on the Zonedirector ZD1200 firmware version 10.1?

Question

 • 

Updated 

a month ago

112

3

Responses

ankush_ankush

Employee

 • 

94 Messages

 • 

2.1K Points

2 years ago

Hi James,

TLSv1.0 is disabled in 10.1.1.0.55.
<From Release notes Text>
TLSv1.0 has been disabled in this release due to security concerns, and ZoneDirector now supports only TLSv1.1 and v1.2.

Regards,
-Ankush

0

robert_lee_joc5dql7x865h

4 Messages

 • 

90 Points

a year ago

Our ZoneDirector 1200 on 10.3.0.0 build 398 but my nessus scan reports that it has the SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)

0

0

sanjay_kumar_gols5p74yq7mn

Official Rep

 • 

246 Messages

 • 

4.2K Points

a year ago

Hi,

To understand the TLS version currently used, SSH into the AP and check the TLS version with the command "get tls-version". If the output is as below then the TLS version 1.0 is been used.

rkscli: get tls-version
Minimum TLS Version: tlsv1
OK

To disable tls 1.0 on the AP, set the tls to 1.1 or 1.2 with the below command.
rkscli:set tls-version tlsv1.2

To disable the tls version 1.0 on the Zone director, use the below command.

ruckus> en
ruckus# debug
You have all rights in this mode.
ruckus(debug)# no support-tls 1.0
Are you sure you want to change whether support TLSv1.0, If yes, it will reboot ZoneDirector.[Y/n]

Note: ZD will reboot.

Regards,
Sanjay Kumar

5

0

robert_lee_joc5dql7x865h

4 Messages

 • 

90 Points

@sanjay_kumar_gols5p74yq7mn

I have a zone director 1200. 

get tls-version is not a recognized command.

I would like to turn off tlsv1.1 and only allow tlsv1.2, will this break the communication between the zone director and the ap's through ftp?

FYI, per NIST, effective June 2018, must cutover to tls 1.2 because tls 1.1 has multiple cryptographic flaws that can be exploited by a man-in-the-middle attack.

I followed your steps to disable tls 1.1 and verified it using openssl. It worked for 443 and shows only tls 1.2 is allowed but my nessus scan still shows that ftp is still using tls 1.1

Robert Lee 

(edited)

Like

a month ago

0

sanjay_kumar_e65725

Official Rep

 • 

2 Messages

 • 

20 Points

Hi Robert,

"get tls-version" is a AP command.

After disabling the tls1.1, could you please get us the output of this command from AP?

Like

a month ago

0

robert_lee_joc5dql7x865h

4 Messages

 • 

90 Points

rkscli: get tls-version
Minimum TLS Version: tlsv1
OK

Allowed me to
openssl s_client -connect x.x.x.x:22 -tls1

openssl s_client -connect x.x.x.x:22 -tls1_1
openssl s_client -connect x.x.x.x:22 -tls1_2

(edited)

Like

a month ago

0

robert_lee_joc5dql7x865h

4 Messages

 • 

90 Points

I was able to set tls-version tlsv1.2 on all my access points.

Thank you.

Like

a month ago

0

sanjay_kumar_e65725

Official Rep

 • 

2 Messages

 • 

20 Points

Hi Robert,

Thanks for the update. The below output showed that the TLS was still set to TLS1.0.

rkscli: get tls-version
Minimum TLS Version: tlsv1

However, now I see that you are able to set it correctly.

Glad to hear that the issue is resolved.

Like

a month ago

0

Was this helpful?