Mon, Nov 12, 2018 12:16 PM
@sanjay_kumar_gols5p74yq7mn
I have a zone director 1200.
get tls-version is not a recognized command.
I would like to turn off tlsv1.1 and only allow tlsv1.2. Will this break the communication between the zone director and the APs through ftp? FYI, per NIST, effective June 2018, must cutover to tls 1.2 because tls 1.1 has multiple cryptographic flaws that can be exploited by a man-in-the-middle attack.
I followed your steps to disable tls 1.1 and verified it using openssl. It worked for 443 and shows only tls 1.2 is allowed, but my Nessus scan still shows that ftp is still using tls 1.1.
Robert Lee
Hi Robert,
"get tls-version" is an AP command.
After disabling the tls1.1, could you please get us the output of this command from AP?
rkscli: get tls-version
Minimum TLS Version: tlsv1
OK
Allowed me to openssl s_client -connect x.x.x.x:22 -tls1
openssl s_client -connect x.x.x.x:22 -tls1_1
openssl s_client -connect x.x.x.x:22 -tls1_2
I was able to set tls-version tlsv1.2 on all my access points.
Thank you.
Thanks for the update. The below output showed that the TLS was still set to TLS1.0.
rkscli: get tls-version
Minimum TLS Version: tlsv1
However, now I see that you are able to set it correctly.
Glad to hear that the issue is resolved.
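The thread's root cause was an AP still reporting a minimum of tlsv1 after the controller's port 443 had been fixed. As an added example (not from the thread and not Ruckus tooling), the script below classifies saved `get tls-version` output per device and repeats the thread's `openssl s_client` checks on any port. The function names and the version spellings other than `tlsv1` and `tlsv1.2` are assumptions.

```shell
#!/bin/sh
# Added example (not Ruckus tooling). Inputs passed to these functions are
# expected to be saved CLI output; any samples used with it are constructed.

# Rank a version token. "tlsv1" and "tlsv1.2" appear in the thread;
# the other spellings are assumptions.
tls_rank() {
    case "$1" in
        tlsv1|tlsv1.0) echo 10 ;;
        tlsv1.1)       echo 11 ;;
        tlsv1.2)       echo 12 ;;
        tlsv1.3)       echo 13 ;;
        *)             echo 0 ;;   # missing or unrecognised
    esac
}

# check_ap NAME OUTPUT [FLOOR]
# OUTPUT is the saved text of `get tls-version` from one device.
# Prints "NAME PASS|FAIL <version>" or "NAME UNKNOWN"; returns 0 only on PASS.
check_ap() {
    name=$1
    floor=${3:-tlsv1.2}
    ver=$(printf '%s\n' "$2" | tr -d '\r' |
          sed -n 's/^Minimum TLS Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
          head -n 1)
    rank=$(tls_rank "$ver")
    if [ "$rank" -eq 0 ]; then
        # e.g. a device that answers "not a recognized command"
        echo "$name UNKNOWN"
        return 2
    elif [ "$rank" -lt "$(tls_rank "$floor")" ]; then
        echo "$name FAIL $ver"
        return 1
    fi
    echo "$name PASS $ver"
}

# probe HOST PORT [STARTTLS_PROTO]
# Tries the three protocol flags used in the thread against one port.
# A failure can also mean the local openssl build lacks that protocol.
probe() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        if openssl s_client -connect "$1:$2" ${3:+-starttls $3} "$flag" \
               </dev/null >/dev/null 2>&1; then
            echo "$1:$2 $flag handshake-ok"
        else
            echo "$1:$2 $flag no-handshake"
        fi
    done
}
```

For a scanner finding on FTP, `probe x.x.x.x 21 ftp` (port 21 assumed here) makes openssl issue the FTP STARTTLS upgrade before the handshake, which a plain check of port 443 does not exercise.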