How to tame the B.E.A.S.T. in your SSL

Since I was looking up the details of how to tame the B.E.A.S.T. (Browser Exploit Against SSL/TLS) once again, I thought I would write a few lines down about it. The attack was presented in 2011 by Juliano Rizzo and Thai Duong. More details about it can be found at h-online.com. One way to keep the BEAST from attacking you is to enable TLS 1.1 in your browser (TLS 1.1 and later use an explicit IV per record, which removes the predictable-IV chaining the attack relies on in TLS 1.0), but that only helps when the server negotiates TLS 1.1 as well, and I plan to go another way.

I prefer the RC4 stream cipher over the vulnerable CBC suites instead. Note that only the mod_gnutls line below really disables CBC; the mod_ssl line puts RC4 first (SSLHonorCipherOrder makes the server's order win) and keeps the remaining suites after it as a fallback for clients that cannot do RC4. To achieve this with Apache and mod_ssl/mod_gnutls, do the following:

– mod_ssl:

SSLHonorCipherOrder on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

– mod_gnutls:

GnuTLSPriorities NONE:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL

Two caveats. The GnuTLS priority string above pins the server to TLS 1.0 and RSA key exchange, so clients get neither TLS 1.1/1.2 nor forward secrecy; add +VERS-TLS1.1 (and +VERS-TLS1.2 where the GnuTLS build supports it) if you want them. And RC4 is a workaround, not a cure: its keystream biases are well known, and RFC 7465 later prohibited RC4 cipher suites in TLS altogether, so treat this as a stopgap until TLS 1.1 or later can be used on both ends.
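To see what the mod_ssl cipher string actually enables, and in which order, here is a small checker I added for this post (my own example, not code from the original page, from Apache or from OpenSSL). It parses the output of `openssl ciphers -v`, which accepts the same string as SSLCipherSuite, and reports whether CBC suites are removed from the list or merely ranked behind RC4. The embedded sample output is constructed for illustration (it mirrors what an OpenSSL 1.0.x build printed for this string) and is used when no openssl binary is available.

```python
"""Classify the suites an OpenSSL cipher string enables, in preference order.

Added example for this post, not part of the original page or of the Apache
or OpenSSL projects. It feeds the SSLCipherSuite string to `openssl ciphers -v`
and tells you whether CBC suites are disabled or only deprioritized behind RC4.
"""
import shutil
import subprocess

# The mod_ssl cipher string from the post.
MOD_SSL_CIPHERS = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL"

# Constructed sample (assumption, abridged): what `openssl ciphers -v` printed
# for the string above on an OpenSSL 1.0.x build. Used when openssl is absent.
SAMPLE_OUTPUT = """\
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""


def classify(enc_field):
    """Map the Enc= value printed by `openssl ciphers -v` to a mode class.

    OpenSSL prints plain AES(128), 3DES(168), CAMELLIA(256) ... for the CBC
    suites; stream and AEAD suites are named explicitly.
    """
    enc = enc_field.upper()
    if enc.startswith("NONE"):
        return "null"
    if enc.startswith("RC4"):
        return "stream"  # RC4 has no IV chaining, so BEAST does not apply
    if "GCM" in enc or "CCM" in enc or "CHACHA20" in enc:
        return "aead"  # TLS 1.2 AEAD modes, not CBC either
    return "cbc"


def parse_ciphers_v(text):
    """Return [(suite name, protocol, mode class)] in the order OpenSSL lists them,
    which is the server's preference order once SSLHonorCipherOrder is on."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        enc = next((p[len("Enc="):] for p in parts if p.startswith("Enc=")), "")
        rows.append((parts[0], parts[1], classify(enc)))
    return rows


def cbc_status(rows):
    """'disabled' if no CBC suite remains, 'deprioritized' if CBC suites remain
    but a non-CBC suite is ranked first, 'preferred' if a CBC suite comes first."""
    modes = [mode for _, _, mode in rows]
    if "cbc" not in modes:
        return "disabled"
    return "deprioritized" if modes.index("cbc") > 0 else "preferred"


def openssl_ciphers_v(cipher_string):
    """Run the local `openssl ciphers -v`; return None if openssl is missing or
    rejects the string (e.g. no suite matches)."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    text = openssl_ciphers_v(MOD_SSL_CIPHERS) or SAMPLE_OUTPUT
    rows = parse_ciphers_v(text)
    for name, proto, mode in rows:
        print(f"{name:32} {proto:8} {mode}")
    print("CBC status:", cbc_status(rows))
```

Run it on the server itself so it uses the OpenSSL build mod_ssl links against; a modern OpenSSL will not list RC4 at all (it lives in the legacy provider), which the report makes visible immediately. The equivalent listing for the mod_gnutls string is `gnutls-cli -l --priority 'NONE:+VERS-TLS1.0:+ARCFOUR-128:+RSA:+SHA1:+COMP-NULL'`.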

I found this information in the German IT security forum over at XING.