We are checking some of our domains for the POODLE vulnerability.
We have several servers that support SSL 3, use CBC cipher suites and don't support the TLS_FALLBACK_SCSV flag.
Now on some servers the SSL Report says "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C".
However, on others we are getting "This server uses SSL 3, with POODLE mitigated. Still, it's recommended that this protocol is disabled".
Considering the fact that all servers support SSL 3.0, CBC cipher suites and don't support TLS_FALLBACK_SCSV,
how come we're getting different results?
Are there other factors at play here?