How to tame the B.E.A.S.T. in your SSL

Since I was once again looking into the details of how to tame the B.E.A.S.T. (Browser Exploit Against SSL/TLS), I thought I would write down a few lines about it. The exploit was discovered last year by Juliano Rizzo and Thai Duong. More details about the exploit can be found at To hinder the BEAST from attacking you, one way is to enable TLS 1.1 in your browser, but I plan to go another way.

I actually disable the vulnerable CBC modes. To achieve this with Apache and mod_ssl/mod_gnutls, do the following:

– mod_ssl:

SSLHonorCipherOrder on

– mod_gnutls:


I found this information in the German IT-security forum over at XING.
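
To check whether a cipher configuration really leaves no CBC suite available to SSLv3/TLS 1.0 clients, the following added example (not part of the original post) audits a listing in the format printed by `openssl ciphers -v`. The sample listing is constructed, and the function names `cipher_mode`, `parse` and `beast_exposed` are hypothetical.

```python
import re

# Constructed sample in the column format of `openssl ciphers -v`
# (name, minimum protocol, Kx=, Au=, Enc=, Mac=); not from a real server.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
"""

# Suites introduced before TLS 1.1 can be negotiated by TLS 1.0 clients,
# where the CBC IV of a record is the last ciphertext block of the previous one.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}


def cipher_mode(enc, mac):
    """Classify the Enc=/Mac= values as 'aead', 'null', 'stream' or 'cbc'."""
    alg = re.sub(r"\(.*\)$", "", enc).upper()   # "AES(128)" -> "AES"
    if mac.upper() == "AEAD":
        return "aead"      # GCM, CCM, ChaCha20-Poly1305
    if alg == "NONE":
        return "null"      # no encryption at all
    if alg == "RC4":
        return "stream"    # no CBC chaining (RC4 was later prohibited by RFC 7465)
    return "cbc"           # remaining block ciphers (AES, 3DES, Camellia, ...) run in CBC


def parse(listing):
    """Yield (suite name, minimum protocol, mode) for each listing line."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue       # skip blank or malformed lines
        kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        yield fields[0], fields[1], cipher_mode(kv.get("Enc", "None"), kv.get("Mac", ""))


def beast_exposed(listing):
    """Return the CBC suites a client speaking SSLv3/TLS 1.0 could still negotiate."""
    return [name for name, proto, mode in parse(listing)
            if mode == "cbc" and proto in LEGACY]


if __name__ == "__main__":
    for suite in beast_exposed(SAMPLE):
        print("CBC suite reachable from TLS 1.0 or older:", suite)
```

Feed it the output of `openssl ciphers -v` for the cipher string used in the server configuration; an empty result means no CBC suite is left for pre-TLS 1.1 clients.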