Hi All,
I'm trying to pass a PCI scan. I'm on Ubuntu 12.04 LTS server and Nginx.
I've tried everything I know and did a lot of research... apparently it seems
that I need to disable a setting in OpenSSL, which I can't find how to do.

This is the result of the scan:

SSL/TLS Protocol Initialization Vector Implementation Information
Disclosure Vulnerability www (443/tcp)

CVSS Score: Medium 4.3

Fail

CVE-2011-3389

And this is the suggested fix:

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use
block ciphers. Apply patches if available.

OpenSSL uses empty fragments as a countermeasure unless the
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is
initialized.

I don't know how to do this, please help.

Note: TLSv1.1 and TLSv1.2 are not supported. I upgraded to the latest versions
of all (Ubuntu, nginx and OpenSSL), which I read takes care of TLS 1.1/1.2
not being supported by default. But I'm getting the exact same report from
the scan.

-- 

Chaimy
786.277.8760
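The fix the scan report describes (serve only TLS 1.1/1.2, avoid CBC block-cipher suites) is done in the nginx `server` block rather than in OpenSSL itself. The following is an added example of such a block, not configuration from the original post; the hostname, certificate paths and the assumption that the server's OpenSSL is 1.0.1 or later (which is what TLS 1.1/1.2 support in nginx requires) are all placeholders or assumptions.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                          # placeholder hostname

    ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # Before: SSLv3 and TLS 1.0 remain enabled, so CBC suites negotiated under
    # them are what the scanner reports as CVE-2011-3389 (BEAST).
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # After: only the protocol versions the scan report recommends.
    # Assumes nginx is linked against OpenSSL 1.0.1 or later.
    ssl_protocols TLSv1.1 TLSv1.2;

    # Let the server's cipher order win and keep to AEAD (GCM) suites where
    # the client supports them; reject anonymous, MD5 and RC4 suites outright.
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!MD5:!RC4';
}
```

After editing, run `nginx -t` to validate the file and `service nginx restart` to apply it. To confirm the change before re-running the scan, `openssl s_client -connect example.com:443 -tls1` should now fail to complete a handshake while `openssl s_client -connect example.com:443 -tls1_2` succeeds. Note the trade-off: removing TLS 1.0 also locks out any client that cannot speak TLS 1.1 or 1.2, so check your client population before applying this in production.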
