TLS Renegotiation / Man-in-the-Middle vulnerability?

Posted by joemastersemison 
October 08, 2012 03:31PM
We switched to nginx earlier this year, and just had our first penetration test against it. One issue they found is that our setup is vulnerable to the "TLS renegotiation man-in-the-middle vulnerability" (SSLv3 / TLSv1 renegotiation). I verified this separately by checking our site against https://www.ssllabs.com/ssltest/index.html ("Secure Renegotiation" is flagged in orange as a DoS danger).

The pen test firm has guides for how to address this issue with Apache and IIS and some other web servers, but not nginx.

We are running the latest stable (1.2.4).

Can anyone give advice on how to address this security issue? (They have flagged it as a "medium" issue, and we do want to clear all issues that are medium and above).