It's a chicken-and-egg problem in TLS 1.0 concerning the BEAST attack.
Is it possible to configure Apache/IIS web server to:
- Set RC4 as server preferred cipher in TLS 1.0 and SSL v3.
- Disable RC4 in TLS 1.1 and above.
It's possible to do something similar: you can choose your suites so that there is a bunch of TLS 1.2-only suites at the top of your priority list, followed by RC4 suites. The former would be used by clients that support TLS 1.2, the latter by all other clients.
You have an example here: http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
You can do the above with any library that allows you to control which suites are enabled and in which order. I think PolarSSL allows per-protocol configuration.
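To make the ordering trick concrete, here is a small model of what "server-preferred cipher order" does during negotiation. This is an added illustration written for this thread, not code from the blog post, OpenSSL, Apache or PolarSSL: the suite table, the version tuples and the client profiles are all constructed, and the selection loop only models the rule that the first suite in the server's list that the client also offered (and that the negotiated protocol version allows) wins.

```python
from typing import Dict, List, Optional, Tuple

# Constructed lookup (illustration only, not OpenSSL's internal tables):
# suite name -> lowest protocol version that can negotiate it.
# (3, 0) = SSLv3, (3, 1) = TLS 1.0, (3, 2) = TLS 1.1, (3, 3) = TLS 1.2.
SUITE_MIN_VERSION: Dict[str, Tuple[int, int]] = {
    "ECDHE-RSA-AES128-GCM-SHA256": (3, 3),  # AEAD suites exist only in TLS 1.2
    "AES128-GCM-SHA256": (3, 3),
    "ECDHE-RSA-RC4-SHA": (3, 0),            # stream cipher, usable from SSLv3 up
    "RC4-SHA": (3, 0),
    "ECDHE-RSA-AES128-SHA": (3, 0),         # CBC suite, BEAST-exposed on TLS 1.0
    "AES128-SHA": (3, 0),
}

# Server preference in the shape the answer describes: TLS 1.2-only suites on
# top, then RC4 suites, then CBC suites only as a last resort.
SERVER_PREFERENCE: List[str] = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "RC4-SHA",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
]


def negotiate(server_pref: List[str], client_offer: List[str],
              version: Tuple[int, int]) -> Optional[str]:
    """Pick the first suite in *server* order that the client also offered and
    that is usable at the negotiated protocol version. This is what honouring
    the server cipher order means: the client's own ordering is ignored."""
    offered = set(client_offer)
    for suite in server_pref:
        if suite in offered and SUITE_MIN_VERSION[suite] <= version:
            return suite
    return None  # no common suite: the handshake would fail


def demo() -> Dict[str, Optional[str]]:
    """Constructed client profiles; returns which suite each one ends up with."""
    tls12_client = list(SUITE_MIN_VERSION)               # modern browser, offers everything
    legacy_client = ["AES128-SHA", "RC4-SHA"]            # old client, TLS 1.0 at best
    tls11_client = ["ECDHE-RSA-AES128-SHA", "RC4-SHA"]   # TLS 1.1 client, no AEAD suites
    cbc_only_client = ["AES128-SHA", "ECDHE-RSA-AES128-SHA"]  # client that refuses RC4
    return {
        "tls12": negotiate(SERVER_PREFERENCE, tls12_client, (3, 3)),
        "tls10": negotiate(SERVER_PREFERENCE, legacy_client, (3, 1)),
        "tls11": negotiate(SERVER_PREFERENCE, tls11_client, (3, 2)),
        "tls10_no_rc4": negotiate(SERVER_PREFERENCE, cbc_only_client, (3, 1)),
    }


if __name__ == "__main__":
    for name, suite in demo().items():
        print(f"{name:>13}: {suite}")
```

The "tls12" and "tls10" rows are the behaviour the answer describes: a TLS 1.2 client lands on an AEAD suite, a legacy client lands on RC4. The "tls11" row shows why this is only "something similar" to what the question asks for: a TLS 1.1 client has no TLS 1.2-only suites to offer, so it also ends up on RC4, and a single ordered list cannot express "RC4 only below TLS 1.1". The last row shows that a client which refuses RC4 falls through to the CBC suites, so leaving them at the bottom is what keeps such clients connecting.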
Why don't OpenSSL developers add such an option to the API: to have different cipher suite lists for different protocol versions? It would solve the "BEAST & RC4" dilemma for TLS 1.1/1.2 wholly.
Now it can be done only manually through biopar for example.
I've actually talked about that with them. It's possible that such a feature will be added.
It is, in my humble opinion, probable that this kind of setting (cipher suites per SSL/TLS protocol version) is not going to have real priority. Why?
1. Latest versions of all major browsers (Chrome, Firefox, Internet Explorer, Safari and Opera) support TLS v1.2 by default and it will probably soon be possible to disable TLS v1.0, where the problem appears. Before disabling, usage of TLS v1.0 should be monitored in the web server request log (in Apache httpd see the CustomLog setting in the httpd-ssl.conf file).
2. The BEAST attack is less and less important, because it is a browser problem in the first place and all major browsers have already fixed this problem at the browser or operating system level. So it is more or less clear that the BEAST attack is not a real threat anymore and RC4 can be disabled (the cipher suite, like RC4, used by an individual request can also be monitored using the Apache request log).
3. Similar functionality can be achieved by ordering cipher suites and honouring the cipher order.
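Points 1 and 2 above both come down to measuring, from the request log, how many clients still negotiate TLS 1.0 or an RC4 suite before either is switched off. The following added example (not from this thread or from Apache) does that over a few constructed log lines. It assumes a CustomLog format that appends the mod_ssl variables `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` to the common log format, i.e. a LogFormat of `"%h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x"`; the hosts, timestamps and requests are made up.

```python
import re
from collections import Counter
from typing import Any, Dict

# Assumed log line layout (see lead-in); one regex group per field we care about.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<proto>\S+) (?P<cipher>\S+)$'
)

# Constructed sample log; the last line is deliberately malformed to show
# that unparseable lines are counted rather than silently dropped.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 1234 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.9 - - [10/Aug/2013:10:00:02 +0000] "GET /login HTTP/1.1" 200 4321 TLSv1 RC4-SHA
198.51.100.2 - - [10/Aug/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 1234 TLSv1.1 ECDHE-RSA-RC4-SHA
203.0.113.5 - - [10/Aug/2013:10:00:04 +0000] "POST /api HTTP/1.1" 201 - TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.7 - - [10/Aug/2013:10:00:05 +0000] "GET / HTTP/1.0" 200 1234 TLSv1 AES128-SHA
this line is not in the expected format
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1"}  # versions where the BEAST question arises


def summarize(log_text: str) -> Dict[str, Any]:
    """Count protocol versions and cipher suites per request and list the
    client hosts that still depend on TLS 1.0/SSLv3 or on an RC4 suite."""
    protocols: Counter = Counter()
    ciphers: Counter = Counter()
    legacy_hosts = set()
    rc4_hosts = set()
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        host, proto, cipher = m["host"], m["proto"], m["cipher"]
        protocols[proto] += 1
        ciphers[cipher] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_hosts.add(host)
        if "RC4" in cipher:
            rc4_hosts.add(host)
    return {
        "protocols": dict(protocols),
        "ciphers": dict(ciphers),
        "legacy_protocol_hosts": sorted(legacy_hosts),
        "rc4_hosts": sorted(rc4_hosts),
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log, the two host lists are what you would look at before disabling TLS 1.0 or dropping RC4 from the cipher list: if they are empty or contain only clients you are willing to lose, the change costs nothing; if not, they tell you exactly who to talk to first.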