
How to mitigate BEAST test?

Question asked by Łukasz Filim on Nov 17, 2015
Latest reply on Nov 18, 2015 by Rob Moss

Hi,

I was trying to optimize a Windows 2008 R2 server to block the BEAST attack and also pass the scan here - SSL Server Test (Powered by Qualys SSL Labs)

The default settings in IIS Crypto 1.6 from the PCI button don't mitigate the BEAST attack scan.

I've ended up with the following cipher suite order and it still doesn't work:

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

I'm attaching a screenshot from my scan where it shows the error: Not mitigated server-side TLS 1.0: 0x2f (what does this mean?)

I know I can't turn off TLS 1.0, as then remote desktop goes down, which is not acceptable.


Please advise on how to resolve this problem.


Best Regards,

Lukas
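Added example (not part of the original post): a short Python check that decodes the scanner's `0x2f` value using the IANA cipher suite IDs and shows where that suite ranks among the suites in the posted order that a TLS 1.0 handshake can negotiate. The function names are illustrative, and `POSTED_ORDER` is an excerpt of the list above with the TLS 1.2-only runs shortened.

```python
import re

# IANA TLS cipher suite IDs for the suites in the post that TLS 1.0 can use.
IANA_IDS = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Excerpt of the posted order (relative order kept, TLS 1.2-only runs shortened).
POSTED_ORDER = """
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
""".split()

def base_name(suite):
    """Drop the Schannel curve suffix (_P256/_P384/_P521) to get the IANA name."""
    return re.sub(r"_P(256|384|521)$", "", suite)

def usable_in_tls10(suite):
    """GCM and SHA256/SHA384-MAC suites are TLS 1.2-only; _SHA/_MD5 ones are not."""
    return base_name(suite).endswith(("_SHA", "_MD5"))

def beast_exposed(suite):
    """BEAST concerns CBC-mode suites when negotiated under TLS 1.0 or older."""
    return usable_in_tls10(suite) and "_CBC_" in suite

def tls10_preference(order):
    """Suites a TLS 1.0 handshake can pick, in server order, with BEAST flag."""
    return [(base_name(s), beast_exposed(s)) for s in order if usable_in_tls10(s)]

def decode_scan_id(hex_id):
    """Translate a scanner value such as '0x2f' into a suite name and its rank."""
    name = IANA_IDS[int(hex_id, 16)]
    names = [n for n, _ in tls10_preference(POSTED_ORDER)]
    return name, names.index(name) + 1

if __name__ == "__main__":
    for rank, (name, cbc) in enumerate(tls10_preference(POSTED_ORDER), 1):
        print(rank, name, "CBC (BEAST-relevant)" if cbc else "RC4 (not CBC)")
    print("scan reported:", decode_scan_id("0x2f"))
```

In this order the RC4 suites rank first for TLS 1.0 and `0x2f` ranks third, so a scan that negotiates `0x2f` is worth comparing against the cipher order the server is actually applying.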
