We are looking to mitigate BEAST (and similar) on our Cisco ACE appliance (running version A4(2.0)), which is the 'endpoint' for a handful of load-balanced services. Some of these services still run with SHA1-signed certificates (although we are working on having our clients test with SHA2-signed certs).
The ACE allows us to create a parameter-map to prioritise the ciphers it supports (with priority 10 being the most-preferred and 1 being the least-preferred), but I am not fully aware of the intricacies of each cipher suite.
Would the following be a reasonable mitigation (essentially prioritising CBC-based ciphers lower, so as to prefer the non-CBC ciphers)? Are there any on this list I really shouldn't be accepting? We are obviously aiming to still be as compatible as reasonably possible.
Note that we are not trying specifically to meet PCI compliance, just attempting to 'do the right thing' (although if any of the below would violate such, it would be helpful to know in case it comes up in the future).
```
parameter-map type ssl PMAP_SSL_CIPHERS
cipher RSA_WITH_RC4_128_SHA priority 6
cipher RSA_WITH_RC4_128_MD5 priority 6
cipher RSA_EXPORT1024_WITH_RC4_56_SHA priority 6
cipher RSA_EXPORT1024_WITH_RC4_56_MD5 priority 6
cipher RSA_EXPORT_WITH_RC4_40_MD5 priority 6
cipher RSA_WITH_AES_256_CBC_SHA priority 2
cipher RSA_WITH_AES_128_CBC_SHA priority 2
cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
cipher RSA_WITH_DES_CBC_SHA priority 2
cipher RSA_EXPORT1024_WITH_DES_CBC_SHA priority 2
cipher RSA_EXPORT_WITH_DES40_CBC_SHA priority 2
```
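As an added example (not part of the question and not a Cisco tool), the following Python linter parses the parameter-map above, orders the suites by ACE priority, and flags each one for weaknesses that exist regardless of BEAST (export-grade key lengths, RC4, single DES, MD5 MACs, 64-bit 3DES blocks) so that only the AES-CBC suites come out as candidates to retain; the suite-name patterns are assumptions based on the names in the question.

```python
import re

# Cipher list constructed from the question above (ACE parameter-map body).
ACE_PMAP = """\
parameter-map type ssl PMAP_SSL_CIPHERS
cipher RSA_WITH_RC4_128_SHA priority 6
cipher RSA_WITH_RC4_128_MD5 priority 6
cipher RSA_EXPORT1024_WITH_RC4_56_SHA priority 6
cipher RSA_EXPORT1024_WITH_RC4_56_MD5 priority 6
cipher RSA_EXPORT_WITH_RC4_40_MD5 priority 6
cipher RSA_WITH_AES_256_CBC_SHA priority 2
cipher RSA_WITH_AES_128_CBC_SHA priority 2
cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
cipher RSA_WITH_DES_CBC_SHA priority 2
cipher RSA_EXPORT1024_WITH_DES_CBC_SHA priority 2
cipher RSA_EXPORT_WITH_DES40_CBC_SHA priority 2
"""

CIPHER_RE = re.compile(r"^\s*cipher\s+(\S+)\s+priority\s+(\d+)\s*$")

def parse_pmap(text):
    """Return (suite, priority) pairs, most-preferred first (ACE: 10 = highest)."""
    found = []
    for line in text.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return sorted(found, key=lambda sp: -sp[1])  # stable sort keeps config order per priority

def weaknesses(suite):
    """List the well-known problems with a suite name; [] means nothing flagged here."""
    issues = []
    if "EXPORT" in suite:
        issues.append("export-grade key length")
    if "_RC4_" in suite:
        issues.append("RC4 (prohibited by RFC 7465)")
    if "_DES_" in suite or "_DES40_" in suite:  # single DES; does not match 3DES
        issues.append("single DES")
    if suite.endswith("_MD5"):
        issues.append("MD5 MAC")
    if "_3DES_" in suite:
        issues.append("64-bit block cipher (3DES)")
    if "_CBC_" in suite:
        issues.append("CBC mode (BEAST-relevant on TLS 1.0)")
    return issues

def keepable(text):
    """Suites whose only flag is CBC mode, in preference order: candidates to retain."""
    return [s for s, _ in parse_pmap(text)
            if all(i.startswith("CBC") for i in weaknesses(s))]
```

Running `keepable(ACE_PMAP)` on this list leaves only the two AES-CBC suites; every other entry carries at least one flag beyond CBC mode.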