1st of all thanks for this great web site and tools, good stuff.
I just want to get your opinion what it the best choice if one wants to support the IE on XP.
In Ivans blog post (section Configuring OpenSSL without RC4), he proposed to configure the server to allow RC4 as a last resort only by adding "+RC4 RC4" to the end of the configuration string.
Doesn't it make more sense to remove RC4 completely and to allow DES-CBC3-SHA for IE/XP as last resort?
What is the advantage from using RC4?
I clearly prefer security over performance and I don't consider BEAST as a threat here, so I think in this case DES-CBC3-SHA is the better choice, or is this one broken as well?