A security company has recently failed our PCI compliance test on CVE-2011-3389 (BEAST attack). The tool at SSL Labs reports we are *not* vulnerable to BEAST.
The Apache options I have in place are recommended by Qualys to mitigate this attack:
Even with this in place, we have still failed with the security company.
The security company's recommendations to fix are:
1) Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
2) Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Obviously 1) is not really an option since it would make the site inaccessible for most users, but I thought prioritising RC4 above block ciphers would be enough to pass on 2).
But they seem to be saying that we should disable block ciphers entirely as opposed to prioritising RC4 above CBC as per the Qualys recommendations.
Is it valid to fail us on this? Is disabling block ciphers entirely really a requirement for PCI compliance?
I would really appreciate some feedback on this since what the security company is recommending seems to be at odds with everything I've read about this subject.
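One way to see which of the two positions a given `SSLCipherSuite` string actually satisfies is to feed the output of `openssl ciphers -v '<your SSLCipherSuite value>'` to a small audit that checks (a) whether RC4 is the server's first choice, as the Qualys mitigation requires, and (b) whether any CBC-mode block cipher suite remains, which is what the security company is objecting to. This is an added example, not code from the question or from Qualys; the sample `openssl ciphers -v` output is constructed, and the RC4-first check assumes `SSLHonorCipherOrder on` is set, which the script cannot observe.

```python
"""Audit an ordered cipher list against the two BEAST positions in the question."""
import re
import sys
from typing import Dict, List

# Constructed sample of `openssl ciphers -v '<SSLCipherSuite value>'` output:
# RC4 first, then CBC suites, then one AEAD suite. Not the question's real config.
SAMPLE_OPENSSL_OUTPUT = """\
RC4-SHA                     SSLv3   Kx=RSA   Au=RSA  Enc=RC4(128)     Mac=SHA1
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH  Au=RSA  Enc=AES(128)     Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA   Au=RSA  Enc=AES(128)     Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA   Au=RSA  Enc=3DES(168)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH  Au=RSA  Enc=AESGCM(128)  Mac=AEAD
"""

STREAM_CIPHERS = {"RC4"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA")

def classify(enc: str) -> str:
    """Map an Enc= field to 'stream', 'aead' or 'cbc'. In TLS 1.0/1.1 every block
    cipher runs in CBC mode (BEAST's target); AEAD suites only exist in TLS 1.2."""
    algo = enc.split("(")[0].upper()
    if algo in STREAM_CIPHERS:
        return "stream"
    if any(marker in algo for marker in AEAD_MARKERS):
        return "aead"
    return "cbc"  # AES, 3DES, CAMELLIA, SEED, IDEA, DES

def audit(openssl_v_output: str) -> Dict[str, object]:
    """Report how the ordered cipher list fares against both recommendations."""
    suites: List[Dict[str, str]] = []
    for line in openssl_v_output.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+.*?Enc=(\S+)", line)
        if m:
            name, proto, enc = m.groups()
            suites.append({"name": name, "proto": proto, "kind": classify(enc)})
    kinds = [s["kind"] for s in suites]
    return {
        "order": [s["name"] for s in suites],
        # Qualys-style mitigation: RC4 is the server's first preference
        # (only effective when SSLHonorCipherOrder is on, which this cannot see).
        "rc4_preferred": bool(kinds) and kinds[0] == "stream",
        # The security company's position: no CBC block cipher suite left at all.
        "cbc_suites": [s["name"] for s in suites if s["kind"] == "cbc"],
        "cbc_free": "cbc" not in kinds,
    }

if __name__ == "__main__":
    print(audit(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OPENSSL_OUTPUT))
```

With the sample list the audit reports `rc4_preferred` true but `cbc_free` false, which is exactly the gap between the two recommendations: the Qualys ordering is satisfied while the "no block ciphers" reading still fails on three suites.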