Regarding the issue of ZD1200 TLS SSL

lanwei
New Contributor

My model is ZD1200
I have upgraded to version 10.5.1.0 build 282.
Have the following issues been resolved in this version?
Question 1: "Disable FTP plaintext authentication"
Question 2: "Disable SSLv2, SSLv3, and TLS 1.0. Enable TLS 1.2"
Question 3: "Disable any weak KBC algorithm in TLS configuration"
What command should I use to check that these issues have been fixed?
Alternatively, you can provide me with an official explanation that these issues have been fixed since 10.5.1.0.

6 REPLIES

ms264556
Contributor III

Question 1:
https://support.ruckuswireless.com/documents/5698: "FTP will be disabled after upgrading to ZoneDirector 10.5.1.0.279, regardless of whether it was enabled or disabled prior to the upgrade"
You can check for yourself with e.g. nmap.

$ nmap -sV -p 21 192.168.0.2

PORT   STATE  SERVICE VERSION
21/tcp closed ftp

Question 2:
From the ZoneDirector CLI:-

ruckus> enable
ruckus# debug
ruckus(debug)# no support-tls 1.0-1.1
Are you sure you want to change whether support TLSv1.0 and TLSv1.1, If yes, it will reboot ZoneDirector.[Y/n]
ruckus(debug)#

After a reboot you will have only TLSv1.2.
You can check this yourself with e.g. nmap.

$ nmap --script ssl-enum-ciphers -p 443 192.168.0.2

PORT      STATE SERVICE
443/tcp   open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Forward Secrecy not supported by any cipher
|_  least strength: A

(I don't show it, but you can also check ports 9998 and 11443 & see they also support only TLSv1.2).

Question 3:
You're out of luck here. You can see in the nmap output from Q2: "warnings: Forward Secrecy not supported by any cipher". This means it is impossible to disable weak KBC algorithms and still use the ZoneDirector.
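The checks from Question 2 and Question 3 can be scripted against saved scan output. The following is an added example, not part of the original reply: it parses `ssl-enum-ciphers` text and reports legacy protocols, suites without forward secrecy, and CBC-mode suites. The sample input is the nmap output quoted in the answer above; the function and constant names are this example's own.

```python
import re

# Constructed sample: the ssl-enum-ciphers output quoted in the answer above.
SAMPLE = """\
PORT      STATE SERVICE
443/tcp   open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|_  least strength: A
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+)\s")
PFS_RE = re.compile(r"^TLS_(?:ECDHE|DHE)_")


def audit(nmap_text):
    """Return (protocols, findings) for one port's ssl-enum-ciphers output."""
    protocols, findings, current = [], [], None
    for line in nmap_text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols.append(current)
            if current in LEGACY:
                findings.append((current, "-", "legacy protocol enabled"))
            continue
        m = SUITE_RE.match(line)
        if m and current:
            suite = m.group(1)
            # Before TLS 1.3, only (EC)DHE key exchange gives forward secrecy.
            if current != "TLSv1.3" and not PFS_RE.match(suite):
                findings.append((current, suite, "no forward secrecy"))
            if "_CBC_" in suite:
                findings.append((current, suite, "CBC mode"))
    return protocols, findings


if __name__ == "__main__":
    protocols, findings = audit(SAMPLE)
    print("protocols offered:", ", ".join(protocols))
    for proto, suite, issue in findings:
        print(f"{proto:8} {suite:40} {issue}")
```

To audit a live device, save the output of the nmap command shown above to a file and pass its contents to `audit()`, once per port (443, 9998, 11443).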

Thank you.

I checked from the CLI that my firmware does not have TLS 1.2, only 1.0 and 1.1, so I turned off 1.0. Can the problem be solved by only turning on 1.1 or above?

ruckus(debug)#show tls
TLS= Support TLS 1.0 and TLS 1.1
ruckus(debug)#no support-tls 1.0
Are you sure you want to change whether support TLSv1.0,If yes, it will reboot ZoneDirector.[Y/n]
ruckus(debug)#

Thanks

Assuming you're on 10.5.1, then the syntax I gave you is correct & will result in TLSv1.2 being the only supported cipher.

I use CLI, why can't I see that my firmware supports TLS 1.2 in show tls? Only 1.0 and 1.1.