I have a similar issue to the one in this topic: PCI scan failed: ROBOT information disclosure
However, in my case I need to provide an explanation to the SecurityMetrics scan team in order to get the test marked as a false positive.
Can you provide a detailed explanation of the following answer:
The Cloudflare statement shows that the vulnerability is indeed mitigated so that the RSA Key isn’t exploitable. However, our scanner found that the padding for the RSA ciphertext is incorrect.
“The test sent a crafted RSA ciphertext and then sent a TLS Finished message with incorrect padding. The following differences in behaviour were seen by SecurityMetrics:
- As a baseline with correct formatting: server sent TCP RST
- With incorrect leading bytes: server sent TLS alert 20, server sent TCP FIN
- With the 0x00 byte in incorrect place: server sent TLS alert 20, server sent TCP FIN
- With the 0x00 byte missing: server sent TLS alert 20, server sent TCP FIN
- With an incorrect version number: server sent TLS alert 20, server sent TCP FIN”
Essentially, what we need is a reason why, mostly because this goes against the mitigation that Cloudflare says is in place.
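To make the scan report concrete, here is an added example (not code from the original post, and not Cloudflare's or SecurityMetrics' implementation) that shows what the five probe shapes in the report look like at the PKCS#1 v1.5 level, how a scanner decides a server leaks a padding oracle (it counts distinguishable behaviours across the probes), and the RFC 5246 section 7.4.7.1 countermeasure that makes every variant behave alike. It works on plaintext blocks only, with no RSA and no network traffic; the TLS 1.2 version bytes, the 2048-bit modulus size and the probe names are assumptions for illustration. TLS alert 20 is bad_record_mac, the alert a peer gets when its Finished does not verify.

```python
"""Added example, not from the original post or from Cloudflare/SecurityMetrics:
PKCS#1 v1.5 premaster-secret blocks, the malformed shapes a ROBOT probe varies,
a leaky early-exit decoder beside the RFC 5246 7.4.7.1 decoder, and the
'how many distinguishable outcomes' measure a scanner applies. Plaintext only."""
import os

TLS12 = b"\x03\x03"      # client_version embedded in the premaster secret (TLS 1.2 assumed)
MODULUS_LEN = 256        # 2048-bit RSA modulus, assumed for the example
PMS_LEN = 48


def nonzero_random(n: int) -> bytes:
    """Random bytes with 0x00 replaced, as PKCS#1 v1.5 requires for the padding string PS."""
    return bytes(b or 0x01 for b in os.urandom(n))


def pkcs1_type2_block(pms: bytes, modulus_len: int = MODULUS_LEN) -> bytes:
    """Correct EM = 0x00 || 0x02 || PS (no zero bytes) || 0x00 || premaster secret."""
    return b"\x00\x02" + nonzero_random(modulus_len - 3 - len(pms)) + b"\x00" + pms


def probe_variants(client_version: bytes = TLS12) -> dict:
    """The five plaintext shapes named in the report, constructed here for illustration.
    (A real probe manipulates RSA ciphertexts it cannot decrypt; this is the view the
    server's decoder gets after decryption.) The premaster secret is kept zero-free so
    the 'missing 0x00' variant really has no separator byte anywhere."""
    pms = client_version + nonzero_random(PMS_LEN - 2)
    good = pkcs1_type2_block(pms)
    sep = len(good) - PMS_LEN - 1                                      # index of the 0x00 separator
    leading = bytearray(good); leading[1] = 0x03                       # 0x00 0x03 instead of 0x00 0x02
    moved = bytearray(good); moved[sep] = 0x41; moved[sep - 10] = 0x00  # separator too early
    missing = bytearray(good); missing[sep] = 0x41                     # no separator at all
    version = bytearray(good); version[sep + 1:sep + 3] = b"\x02\x00"  # wrong client_version
    return {"baseline": good, "leading_bytes": bytes(leading), "zero_misplaced": bytes(moved),
            "zero_missing": bytes(missing), "bad_version": bytes(version)}


def naive_decode(block: bytes, client_version: bytes = TLS12) -> str:
    """Early-exit decoder: every failure is a different outcome. A server that turns these
    into different alerts, timings or connection teardowns is a Bleichenbacher oracle."""
    if block[:2] != b"\x00\x02":
        return "reject:leading_bytes"
    sep = block.find(b"\x00", 2)
    if sep < 0:
        return "reject:no_separator"
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        return "reject:length"
    if pms[:2] != client_version:
        return "reject:version"
    return "accept"


def rfc5246_decode(block: bytes, client_version: bytes = TLS12, rng=os.urandom) -> bytes:
    """RFC 5246 7.4.7.1: draw random R first, run every check, and on any failure silently
    use R as the premaster secret. The handshake continues and fails at Finished in the
    same way for every malformed variant. (Python comparisons are not constant-time;
    production code selects between R and the real secret in constant time.)"""
    r = rng(PMS_LEN)
    sep = len(block) - PMS_LEN - 1
    ok = block[:2] == b"\x00\x02"
    ok &= block.find(b"\x00", 2) == sep                  # first zero after the header is the separator
    ok &= block[sep + 1:sep + 3] == client_version
    return block[-PMS_LEN:] if ok else r


def peer_observes(server_secret: bytes, peer_secret: bytes) -> str:
    """All a peer can see after the key exchange: whether its Finished verifies."""
    return "handshake_ok" if server_secret == peer_secret else "alert:bad_record_mac"


def oracle_size_naive(variants: dict) -> int:
    """Number of distinguishable server behaviours across the probes (1 means no oracle)."""
    return len({naive_decode(b) for b in variants.values()})


def oracle_size_rfc5246(variants: dict) -> int:
    """Same measure for the RFC 5246 decoder, with the scanner sending a Finished computed
    from a secret the server does not share (the report's 'incorrect padding' Finished)."""
    scanner_secret = os.urandom(PMS_LEN)
    return len({peer_observes(rfc5246_decode(b), scanner_secret) for b in variants.values()})


if __name__ == "__main__":
    v = probe_variants()
    for name, blk in v.items():
        print(f"{name:15s} naive={naive_decode(blk)}")
    print("naive oracle size:", oracle_size_naive(v))        # 5 distinguishable behaviours
    print("RFC 5246 oracle size:", oracle_size_rfc5246(v))   # 1: every probe looks the same
```

The scanner's logic is the `oracle_size_*` measure: it does not need to decrypt anything, it only needs two probes that the server answers differently. In the report the baseline (TCP RST) and the four malformed shapes (alert 20 then FIN) are two such classes, which is why the finding was raised even though the RSA key itself is not recoverable from a two-class, non-padding-specific response; a server following section 7.4.7.1 would answer all five the same way.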