AnsweredAssumed Answered

BEAST attack and protocol support

Question asked by Andre N. Klingsheim on Sep 28, 2013
Latest reply on Nov 14, 2013 by Ivan Ristić

The SSL Server Test warns about the BEAST attack when SSL 3.0 and TLS 1.0 are enabled:

 

BEAST attack          Not mitigated server-side (more info)   SSL 3: 0x5, TLS 1.0: 0x2f

 

I tried disabling SSL 3.0 and TLS 1.0 and the test came out green for the BEAST attack. The test does not seem to reflect the advice given for the BEAST attack in the latest SSL/TLS deployment best practices:

 

"For a period of time, server-side mitigation of the BEAST attack was considered appropriate, even though the weakness is on the client side. Unfortunately, to mitigate server-side requires RC4, which we now recommend to disable. Because of that, and because the BEAST attack is by now largely mitigated client-side, we no longer recommend server-side mitigation"

 

IIRC, the SSL Server Test reported "mitigated client-side" for the BEAST attack until recently. Are the new test results expected or is there a bug lurking?

Outcomes