topic Re: Regarding the issue of ZD1200 TLS SSL in Wireless Questions and Best Practices

Regarding the issue of ZD1200 TLS SSL

lanwei — Wed, 17 Sep 2025 08:47:50 GMT

My model is ZD1200
I have upgraded to version 10.5.1.0 duild 282
Have the following issues been resolved in this version
Question 1 "Disable FTP plaintext authentication"
Question 2: Disable SSLv2, SSLv3, and TLS 1.0. Enable TLS 1.2 "
Question 3 "Disable any weak KBC algorithm in TLS configuration"
What command should I use to check that these issues have been fixed?
Alternatively, you can provide me with an official explanation that these issues have been fixed since 10.5.1.0.

Re: Regarding the issue of ZD1200 TLS SSL

ms264556 — Wed, 17 Sep 2025 22:55:23 GMT

Question 1:
https://support.ruckuswireless.com/documents/5698: "FTP will be disabled after upgrading to ZoneDirector 10.5.1.0.279, regardless of whether it was enabled or disabled prior to the upgrade"
You can check for yourself with e.g. nmap.

$ nmap -sV -p 21 192.168.0.2 PORT STATE SERVICE VERSION 21/tcp closed ftp

Question 2:
From the ZoneDirector CLI:-

ruckus> enable ruckus# debug ruckus(debug)# no support-tls 1.0-1.1 Are you sure you want to change whether support TLSv1.0 and TLSv1.1, If yes, it will reboot ZoneDirector.[Y/n] ruckus(debug)#

After a reboot you will have only TLSv1.2.
You can check this yourself with e.g. nmap.

(I don't show it, but you can also check ports 9998 and 11443 & see they also support only TLSv1.2).

Question 3:
You're out of luck here. You can see in the nmap output from Q2: "warnings: Forward Secrecy not supported by any cipher". This means it is impossible to disable weak KBC algorithms and still use the ZoneDirector.

Re: Regarding the issue of ZD1200 TLS SSL

lanwei — Thu, 18 Sep 2025 09:31:23 GMT

tkank you

I checked from the CLI that my firmware does not have TLS1.2, only 1.0 and 1.1, so I turned off 1.0. Can the problem be solved by only turning on 1.1 or above.

ruckus(debug)#show tls

TLs= Support Ts 1.0 and Ts 1.1

ruckus(debug)#no support-tls 1.0Are you sure you want to change whether support TLSv1.0,If yes, it will reboot &oneDirector.[Y/n]

ruckus (debug)#

thanks

Re: Regarding the issue of ZD1200 TLS SSL

ms264556 — Thu, 18 Sep 2025 09:34:05 GMT

Assuming you're on 10.5.1 then the syntax I gave you is correct & will result in TLSv1.2 being the only supported cipher

Re: Regarding the issue of ZD1200 TLS SSL

lanwei — Thu, 18 Sep 2025 09:46:20 GMT

I use CLI, why can't I see that my firmware supports TLS 1.2 in show tls? Only 1.0 and 1.1.

Re: Regarding the issue of ZD1200 TLS SSL

ms264556 — Thu, 18 Sep 2025 10:24:56 GMT

That command is for disabling deprecated ciphers. Forcing clients to use insecure ciphers makes no sense, which is why I assume the command doesn't allow it.

I gave you an nmap command which you can use to prove that TLS 1.2 is the only available cipher.

Re: Regarding the issue of ZD1200 TLS SSL

lanwei — Thu, 18 Sep 2025 10:54:48 GMT

thanks

thanks