Hi All,

I'm trying to pass a PCI scan. I'm on Ubuntu 12.04 LTS server and Nginx. I've tried everything I know and did a lot of research... apparently it seems that I need to disable a setting in OpenSSL, which I can't find how to do.

This is the result of the scan:

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
www (443/tcp)
CVSS Score: Medium 4.3
Fail
CVE-2011-3389

and this is the suggested fix:

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.

I don't know how to do this, please help.

Note: TLSv1.1 and TLSv1.2 are not supported. I upgraded to the latest versions of all (Ubuntu, nginx and openssl), which I read takes care of TLS not being supported by default. But I'm getting the exact same report from the scan.

-- 
Chaimy
786.277.8760
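Added example, not part of the original post and not nginx's own code: a POSIX shell script that carries an nginx server block implementing the two points the scanner asks for (offer TLSv1.1/TLSv1.2, and have the server prefer suites that are not CBC-based), a check_tls_config function that lints such a config file offline, and a probe_protocols function that runs one openssl s_client handshake per protocol version against a live host. The host name and certificate paths are hypothetical, and the script assumes nginx built against OpenSSL 1.0.1 or later, which is what the TLSv1.1/TLSv1.2 parameters of ssl_protocols need.

```sh
#!/bin/sh
# Added example, not from the original post or from nginx.
# Assumes nginx built against OpenSSL 1.0.1 or later (the TLSv1.1/TLSv1.2
# parameters of ssl_protocols need that). Host names and paths are hypothetical.

# nginx server block implementing the scanner's two suggestions.
# Constructed for this example; adjust names and paths before use.
NGINX_TLS_FRAGMENT=$(cat <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com;                  # hypothetical
    ssl_certificate     /etc/nginx/ssl/www.crt;   # hypothetical
    ssl_certificate_key /etc/nginx/ssl/www.key;   # hypothetical

    # 1. Offer TLS 1.1/1.2 next to TLS 1.0; SSLv3 is not listed at all.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # 2. The server chooses the suite, and the list puts non-CBC suites first:
    #    AES-GCM for TLS 1.2 clients, RC4 for TLS 1.0 clients (see note below).
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:RC4-SHA:!aNULL:!eNULL:!MD5";
}
EOF
)

write_fragment() {
    # Write the fragment above to the file named in $1.
    printf '%s\n' "$NGINX_TLS_FRAGMENT" > "$1"
}

check_tls_config() {
    # Offline lint of an nginx config file ($1) against the scan's advice.
    # Returns 0 when every check passes, 1 (with a reason on stdout) otherwise.
    conf="$1"
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    [ -n "$protos" ] || { echo "no ssl_protocols directive"; return 1; }
    case " $protos " in
        *" SSLv2 "*|*" SSLv3 "*) echo "SSLv2/SSLv3 still enabled: $protos"; return 1 ;;
    esac
    case " $protos " in
        *" TLSv1.1 "*|*" TLSv1.2 "*) ;;
        *) echo "TLSv1.1/TLSv1.2 not offered: $protos"; return 1 ;;
    esac
    grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on;' "$conf" \
        || { echo "ssl_prefer_server_ciphers is not on"; return 1; }
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' "$conf")
    first=${ciphers%%:*}
    # Among OpenSSL 1.0.1's TLS suite names only RC4-* and the *-GCM-* suites
    # are not CBC-based, so the server-preferred first suite must be one of those.
    case "$first" in
        RC4-*|*-GCM-*) ;;
        *) echo "first preferred suite is CBC-based or missing: '$first'"; return 1 ;;
    esac
    return 0
}

probe_protocols() {
    # Live check: one handshake per protocol version against host:port ($1).
    # Needs network access and an openssl binary. A flag the local openssl does
    # not know (e.g. -ssl3 on a build without SSLv3) also shows up as rejected.
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        if echo | openssl s_client -connect "$1" "$flag" >/dev/null 2>&1; then
            echo "$flag accepted"
        else
            echo "$flag rejected"
        fi
    done
}

# Usage: sh tls_check.sh [host:port]   (the live probe only runs when a host is given)
tmp=$(mktemp)
write_fragment "$tmp"
check_tls_config "$tmp" && echo "fragment passes the offline check"
rm -f "$tmp"
if [ -n "${1:-}" ]; then
    probe_protocols "$1"
fi
```

RC4-SHA is in the list only because it is the sole suite a TLS 1.0 client can negotiate that is not CBC-based, which is what the scan's wording asks for; RC4 has since been prohibited for TLS (RFC 7465), so on a current deployment the right answer is TLS 1.2 or later with the AEAD suites and TLS 1.0 switched off. Run `sh tls_check.sh www.example.com:443` after reloading nginx to see which versions the server actually accepts; if -tls1_1 and -tls1_2 both show as rejected, the running nginx was not built against OpenSSL 1.0.1 or the ssl_protocols line is not in the server block the scanner hits.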