The SecurityMetrics PCI cops are after me again.
Resolution: Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. Note that additional configuration may be required after the installation of the MS12-006 security update in order to enable the split-record countermeasure. See http://support.microsoft.com/kb/2643584 for details.
Risk Factor: Medium
CVSS2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE: CVE-2011-3389
Checked my server at ssllabs.com (great tool to check your SSL by the way) and it reports:
Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: Yes
SSL 3.0: Yes
SSL 2.0: No
SSL Labs seems to indicate that my current configuration is ok, and is "best practice":
• TLS v1.1 and v1.2 are without known security issues. Unfortunately, many server and client platforms do not support these newer protocol versions. The best practice is to use TLS v1.0 as your main protocol (making sure the BEAST attack is mitigated in configuration, as explained in subsequent sections) and TLS v1.1 and v1.2 if they are supported by your server platform. That way, the clients that support newer protocols will select them, and those that don’t will fall back to TLS v1.0. You should always use the most recent versions of the protocol for security and the oldest (yet still secure) versions for interoperability with your customer base.
However, SecurityMetrics thinks otherwise. How can I fix this to become PCI compliant without breaking my server?
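The scanner's finding combines two conditions: a CBC-mode block cipher suite, and a record layer (SSL 3.0 or TLS 1.0) that chains IVs across records. TLS 1.1 and 1.2 use explicit per-record IVs, so the same AES-CBC suite negotiated under TLS 1.1 is not exposed, and a suite that can only be negotiated under TLS 1.2 (AES-GCM) is never reachable by BEAST. The script below is an added example, not code from the asker, SecurityMetrics or SSL Labs: it parses cipher suites in the column layout of `openssl ciphers -v` (the sample lines are constructed, not captured from the asker's host), and reports which suites would trip the finding for a given set of enabled protocol versions. One caveat a practitioner should keep in mind: the 2011-era "no block ciphers" remedy in the scan text means RC4, which has since been prohibited for TLS (RFC 7465), so the durable fix is dropping SSL 3.0 and TLS 1.0 rather than moving to RC4.

```python
"""BEAST (CVE-2011-3389) exposure check for an OpenSSL cipher list.

Added example. BEAST needs two things at once: a CBC-mode block cipher
suite, and a record layer that chains IVs across records, which is
SSL 3.0 and TLS 1.0. TLS 1.1+ uses explicit per-record IVs, so a suite
that can only be negotiated under TLS 1.2 (e.g. AES-GCM) is not reachable.
"""
import re
import subprocess

# Constructed sample in the column layout of `openssl ciphers -v`
# (name, minimum protocol, Kx=, Au=, Enc=, Mac=). Not captured from a real host.
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# Protocol versions whose CBC record layer is vulnerable to BEAST.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}

# OpenSSL's Enc= values for CBC-mode block ciphers. GCM/CCM suites print as
# AESGCM/AESCCM and ChaCha20 as CHACHA20/POLY1305, so they do not match.
CBC_BLOCK_RE = re.compile(r"^(AES|3DES|DES|CAMELLIA|SEED|IDEA)\(\d+\)$")


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict."""
    fields = line.split()
    name, min_proto = fields[0], fields[1]
    # Remaining fields are key=value pairs (plus an optional bare 'export').
    attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    return {"name": name, "min_proto": min_proto,
            "enc": attrs.get("Enc", ""), "mac": attrs.get("Mac", "")}


def is_cbc_block_cipher(enc):
    return CBC_BLOCK_RE.match(enc) is not None


def beast_exposed(suite, enabled_protocols):
    """True if this suite could be negotiated as CBC under SSL 3.0/TLS 1.0.

    `enabled_protocols` is what the server is configured to offer. A suite
    whose minimum version is TLSv1.2 can never be selected under TLS 1.0,
    and a server offering only TLS 1.1/1.2 is safe whatever suites it lists.
    """
    legacy_on = bool(LEGACY_PROTOCOLS & set(enabled_protocols))
    reachable = suite["min_proto"] in LEGACY_PROTOCOLS
    return legacy_on and reachable and is_cbc_block_cipher(suite["enc"])


def beast_findings(cipher_output, enabled_protocols):
    """Return the names of suites that would trip the scanner's BEAST finding."""
    suites = [parse_cipher_line(l) for l in cipher_output.splitlines() if l.strip()]
    return [s["name"] for s in suites if beast_exposed(s, enabled_protocols)]


def local_openssl_ciphers(spec="DEFAULT"):
    """Run the real `openssl ciphers -v` for a cipher spec string (needs openssl on PATH)."""
    return subprocess.run(["openssl", "ciphers", "-v", spec],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # The asker's SSL Labs result: SSL 3.0 and TLS 1.0 on, TLS 1.1/1.2 off.
    print("as scanned:", beast_findings(SAMPLE_CIPHERS, {"SSLv3", "TLSv1"}))
    # The scanner's first remedy: TLS 1.1/1.2 only.
    print("TLS 1.1+ only:", beast_findings(SAMPLE_CIPHERS, {"TLSv1.1", "TLSv1.2"}))
```

With the protocol set from the asker's SSL Labs report, the three CBC suites are flagged and RC4-SHA and the GCM suite are not; with only TLS 1.1/1.2 enabled the list is empty regardless of cipher order, which is why the scanner lists the protocol change first. If the server is Apache with mod_ssl (an assumption; the question does not name the server), that second case corresponds to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1`, at the cost of the interoperability that the quoted SSL Labs guidance is worried about. Pass the output of `local_openssl_ciphers("HIGH:!aNULL")` instead of the constructed sample to audit a real cipher spec.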