A client of mine has recently failed his PCI compliance test on two areas:
1: SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)
Resolution: Disable SSLv3.
2: Microsoft Exchange Client Access Server Information Disclosure
Resolution: There is no known fix at this time.
Originally he failed the test a few months back because of the standard certificate his server was using, we managed to rectify this by installing a verified SSL cert. We also had to disable SSLv2 on the server as the test was also complaining about this.
Now can anybody advise if disabling SSLv3 is ok to do as I'm almost certain we need at least one variant of it running on the server.
As for the exchange error, if there is no known fix how can security metrics expect my client to pass the test?
Any help is greatly appreciated!