I’m running nginx/0.7.64, compiled from source.
The top of the changelog that came with the source says:
Changes with nginx 0.7.64 16 Nov
*) Security: now SSL/TLS renegotiation is disabled. Thanks to Maxim D..
Also http://nginx.org/en/security_advisories.html says:
The renegotiation vulnerability in SSL protocol
Not vulnerable: 0.8.23+, 0.7.64+
I also checked against http://sysoev.ru/nginx/patch.cve-2009-3555.txt
source I have does seem to contain that patch.
However, I’ve had a scanning vendor tell me I’m still vulnerable to the
" . . . service allows renegotiation of TLS / SSL connections."
and references CVE-2009-3555
What can I do in order to make sure this is fixed please?