I understand that BEAST is very hard to exploit and mostly fixed by modern browsers already.
Also, enabling RC4 will introduce other risks. So, if you still want to mitigate the almost impossible exploitable BEAST attack, at the server-side only! Is the only way to stop supporting TLS 1.0? Or would using TLS 1.0 on AES only, fix it as well?
In both solutions, which would cause the smallest reduce of browser compatibility while mitigating BEAST server-side.
Yes. Several years ago, Qualys covered mitigation techniques, and notably several methods that you might think would work (like "enabling the empty fragment technique server-side") are ineffective because the attack is client-side.
However, TLS 1.1+ is much more common these days. Additionally, most clients added mitigation years ago (even Apple, who was slow on the take). Between these two factors, BEAST really isn't much of a worry any more.
Most of the times disabling weak ciphers can solve the issue.
If you are using openssl : openssl ciphers -v 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS' will enable secure cipher suites for you.
You can find details in below link which i came across while researching. https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
