
Is it better to mitigate BEAST server side or use CBC ciphers?

Question asked by A. E. on Jan 21, 2015
Latest reply on Jan 23, 2015 by Adm Selec

Currently we are in a situation where we are not able to disable TLS 1.0. We use a Windows Server 2012 with Remote Desktop and MS SQL server, where Microsoft recommends TLS 1.0 with RC4 for Remote Desktop over non-Network Level Authentication setups (Remote Desktop Protocol (Windows)), and there have been some posts regarding MS SQL not working with TLS 1.0 turned off. On the Apache side, we use Apache 2.2, which will not allow TLS 1.0 to be turned off without preventing the web server from starting.

 

In both setups we have TLS 1.1 and 1.2 turned on, and all TLS 1.2 ciphers, but we need at least one TLS 1.0 cipher ordered at the end of our cipher preference list.  Would it be more secure to use the RC4-SHA, or another cipher - since CBC appears to be insecure in TLS 1.0 configurations?  We are particularly concerned about mitigating BEAST server side for older clients that do not mitigate it client side.  In our Any suggestions about a best possible cipher scenario - or other solutions that may work here?
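An added example, not part of the original question: a small audit that shows which suite each kind of client ends up with for a given server preference list, and whether that pairing is CBC under TLS 1.0. It assumes OpenSSL-style suite names, a server that enforces its own ordering, and no NULL or export suites in the list; the preference list and client profiles are constructed for illustration.

```python
VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

def classify(suite):
    """Return (minimum protocol, kind) for an OpenSSL-style suite name."""
    parts = suite.upper().split("-")
    aead = "GCM" in parts or "CHACHA20" in parts
    # AEAD suites and SHA256/SHA384-MAC suites are defined only for TLS 1.2.
    tls12_only = aead or parts[-1] in ("SHA256", "SHA384")
    kind = "stream" if "RC4" in parts else "aead" if aead else "cbc"
    return ("TLSv1.2" if tls12_only else "TLSv1.0", kind)

def select(server_pref, client_version, client_suites):
    """Server-preference selection: first server suite that the client
    offers and that is defined for the negotiated protocol version."""
    level = VERSIONS.index(client_version)
    for suite in server_pref:
        min_proto, kind = classify(suite)
        if suite in client_suites and VERSIONS.index(min_proto) <= level:
            return suite, kind
    return None, None

def audit(server_pref, clients):
    """Map each client profile name to (selected suite, finding)."""
    report = {}
    for name, (version, suites) in clients.items():
        suite, kind = select(server_pref, version, suites)
        if suite is None:
            finding = "handshake fails"
        elif kind == "cbc" and version == "TLSv1.0":
            finding = "CBC under TLS 1.0: BEAST applies unless the client mitigates"
        elif kind == "stream":
            finding = "RC4: not CBC, but RC4 has its own keystream biases"
        else:
            finding = "no TLS 1.0 CBC exposure"
        report[name] = (suite, finding)
    return report

# Constructed sample data (not from the post).
SERVER_PREF = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
               "AES128-SHA", "RC4-SHA"]
CLIENTS = {
    "modern-tls12": ("TLSv1.2", {"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"}),
    "tls11-cbc": ("TLSv1.1", {"AES128-SHA", "RC4-SHA"}),
    "tls10-cbc+rc4": ("TLSv1.0", {"AES128-SHA", "RC4-SHA"}),
    "tls10-rc4-only": ("TLSv1.0", {"RC4-SHA"}),
}

if __name__ == "__main__":
    for name, (suite, finding) in audit(SERVER_PREF, CLIENTS).items():
        print(f"{name:16} {suite or '-':30} {finding}")
```

The `tls11-cbc` and `tls10-cbc+rc4` rows select the same suite, which shows that a SHA-1 CBC suite kept in the list for TLS 1.1 clients is also what a TLS 1.0 client negotiates when it sits ahead of the last entry.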
