2 sites ("A" and "B") behind a Netscaler VPX load balancer, a different FQDN for each, and two servers behind the load balancer for each (A1 and A2, B1 and B2).
Getting inconsistent results with one of the sites ("B"): sometimes the scan will come up flagged for Zombie Poodle / OpenSSL, sometimes it will pass and flag as OK.
- Site A has never come up flagged for Zombie Poodle / OpenSSL and has the same cipher suites as site B.
- Site B has an identical SSL/cipher setup to site A in the Netscaler.
- Servers B1 and B2 behind the Netscaler have identical SSL/cipher suites.
All servers behind the Netscaler, and also the sites from external, pass the TLS CBC Padding Oracle Scanner (GitHub - Tripwire/padcheck: TLS CBC Padding Oracle Checker).
- The immuniweb.com/ssl/ website, which scans for Zombie Poodle / OpenSSL 0-Length, passes each time without fail.
- The Netscaler VPN has current firmware (NS12.1 51.19.nc).
It appears that others are having similar issues as per:
It appears to me, based on the above findings, that there must be some inconsistency issue with the Qualys SSL scan, as no other tool or website is showing our sites as vulnerable to Zombie Poodle / OpenSSL 0-Length, unless something proves otherwise.
I'd be interested to find out if others have the same issue or have found a reason why.
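One way to tell an intermittent scanner finding from an intermittently different answer, added here as an example and not part of the original post: repeat the TLS handshake against the public FQDN many times and record which address answered, the negotiated protocol and cipher, and the certificate fingerprint. Because the Netscaler SSL vserver terminates the client TLS session, this records what an external scanner sees at the VIP; the host name below is a placeholder, and the constructed observations in the test stand in for real handshakes.

```python
import hashlib
import socket
import ssl
from collections import Counter


def probe_once(host, port=443, timeout=5):
    """One TLS handshake to the VIP. Returns a tuple describing who answered and
    how: (peer IP, negotiated protocol, cipher name, truncated cert SHA-256)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            fingerprint = hashlib.sha256(der).hexdigest()[:16]
            return (tls.getpeername()[0], tls.version(), tls.cipher()[0], fingerprint)


def summarize(observations):
    """Count distinct handshake answers. A single distinct answer means every
    probe reached the same TLS endpoint with the same parameters; more than one
    means the scanner may be hitting a different node/config on different runs."""
    counts = Counter(observations)
    return {
        "distinct": len(counts),
        "counts": dict(counts),
        "consistent": len(counts) == 1,
    }


def probe(host, attempts=20, port=443):
    """Run `attempts` sequential handshakes and summarize them."""
    return summarize(probe_once(host, port) for _ in range(attempts))


if __name__ == "__main__":
    # Placeholder host name; replace with the site "B" FQDN when running for real.
    result = probe("site-b.example.invalid")
    for answer, n in result["counts"].items():
        print(n, answer)
    print("consistent" if result["consistent"] else "INCONSISTENT answers seen")
```

If the VIP answers identically on every probe while Qualys still flips, the variance is on the scanner side; if two different addresses, protocols or fingerprints show up, the sites are not answering as uniformly as the configuration suggests.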