I have an SSL cert with EV and I am following Eric Martindale's instructions for mitigating the BEAST attack, but I am still showing as vulnerable to the attack.
According to SSL Labs it lists only these ciphers and IGNORES the order, even though I set honorCipherOrder:
Cipher Suites (sorted by strength; server has no preference)
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
BEAST attack Vulnerable INSECURE
Here's my code:
THE MODULE (app_modules/ssl.js)
var fs = require('fs');
// serverInfo is assumed to be defined elsewhere in the module and to carry
// the name used for the key/cert files (e.g. serverInfo.serverType = 'www').

module.exports = {
    key: fs.readFileSync(__dirname + '/../vault/ssl/' + serverInfo.serverType + '.key'),
    cert: fs.readFileSync(__dirname + '/../vault/ssl/' + serverInfo.serverType + '.pem'),
    // OpenSSL cipher string, most preferred first
    ciphers: 'ECDHE-RSA-AES256-SHA:AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM',
    // ask Node to use the server's order above rather than the client's
    honorCipherOrder: true
};
THE SERVER.JS FILE
var https = require('https');
// app (the request handler, e.g. an Express app) and securePort are assumed
// to be defined earlier in server.js.
var sslOptions = require(__dirname + '/app_modules/ssl.js');
https.createServer(sslOptions, app).listen(securePort);
How can I protect against the BEAST attack? It seems like the order needs to be honored but it is not.