Mitigate BEAST on Apache 2.2, CentOS 6.5

Question asked by Mr P on Sep 3, 2014
Latest reply on Sep 5, 2014 by Ivan Ristić

First of all, thank you for this invaluable tool to test systems, helping everyone be safe and secure.

For the past 2 days I've tried every setting under the sun to try and remove the message:

BEAST attack    Not mitigated server-side (more info)   SSL 3: 0x39

My Apache settings are as follows:

Server version: Apache/2.2.15 (Unix) (CentOS 6.5 Final)

SSLProtocol ALL -SSLv2 -TLSv1

SSLHonorCipherOrder on

SSLCipherSuite AES256+EECDH:AES256+EDH

SSLInsecureRenegotiation off

This gives me an A score, but still doesn't remove the BEAST attack vulnerability.

Now, from what I understand, if I upgrade to Apache 2.4 there are some new settings that will allow me to explicitly select or deactivate specific protocols that would address the vulnerability. The problem is that this is currently not supported, thus I would be on my own.

Is there any way to negate the BEAST attack with this server configuration (CentOS 6.5 + Apache 2.2)?


Thank you
