Mitigate BEAST vulnerable

tmm --clientciphers 'DEFAULT:!RC4:!RSA+3DES' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 10: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 11: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 13: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 14: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 15: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 16: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 18: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 19: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA

Disabling 3DES does not mitigate BEAST, but it is loosing popularity as being secure as it is considered to be effectively 112bit. The only way to mitigate BEAST server side is to disable TLSv1 if you also want to disable RC4. BEAST is considered to be "fixed" client side in all up-to-date browsers so it is considered to be the lesser of the two evils, RC4 and CBC TLSv1, if you need to still support TLSv1. What is your end goal with tweaking your cipher string?

Recommended vs required support can be two different things. If you are required to maintain support for TLSv1, allowing BEAST vulneraqble CBC ciphers is the better option vs RC4(SSL Labs grade will be higher). If you are not required to support TLSv1(PCI-DSS no longer allows TLSv1 for new implementations), then disabling TLSv1 and RC4 are the best course of action. Disabling 3DES, is something all on its own. If you can afford to disable TLSv1 then you can probably afford to disable 3DES as well as IE on windows XP will be left in the cold by disabling either one. 'DEFAULT:!RC4:!3DES:!TLSv1' will leave you in a good security posture, but users still wanting to use IE on windows XP will not be able to connect(they can still use chrome or firefox).

tmm --clientciphers 'DEFAULT:!RC4:!RSA+3DES' ID SUITE BITS PROT METHOD CIPHER MAC KEYX 0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA 1: 53 AES256-SHA 256 TLS1 Native AES SHA RSA 2: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA 3: 53 AES256-SHA 256 TLS1.2 Native AES SHA RSA 4: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA 5: 60 AES128-SHA256 128 TLS1.2 Native AES SHA256 RSA 6: 47 AES128-SHA 128 TLS1 Native AES SHA RSA 7: 47 AES128-SHA 128 TLS1.1 Native AES SHA RSA 8: 47 AES128-SHA 128 TLS1.2 Native AES SHA RSA 9: 47 AES128-SHA 128 DTLS1 Native AES SHA RSA 10: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA 11: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1 Native AES SHA ECDHE_RSA 12: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.1 Native AES SHA ECDHE_RSA 13: 49172 ECDHE-RSA-AES256-CBC-SHA 256 TLS1.2 Native AES SHA ECDHE_RSA 14: 49191 ECDHE-RSA-AES128-SHA256 128 TLS1.2 Native AES SHA256 ECDHE_RSA 15: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1 Native AES SHA ECDHE_RSA 16: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.1 Native AES SHA ECDHE_RSA 17: 49171 ECDHE-RSA-AES128-CBC-SHA 128 TLS1.2 Native AES SHA ECDHE_RSA 18: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1 Native DES SHA ECDHE_RSA 19: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.1 Native DES SHA ECDHE_RSA 20: 49170 ECDHE-RSA-DES-CBC3-SHA 192 TLS1.2 Native DES SHA ECDHE_RSA

Disabling 3DES does not mitigate BEAST, but it is loosing popularity as being secure as it is considered to be effectively 112bit. The only way to mitigate BEAST server side is to disable TLSv1 if you also want to disable RC4. BEAST is considered to be "fixed" client side in all up-to-date browsers so it is considered to be the lesser of the two evils, RC4 and CBC TLSv1, if you need to still support TLSv1. What is your end goal with tweaking your cipher string?

Recommended vs required support can be two different things. If you are required to maintain support for TLSv1, allowing BEAST vulneraqble CBC ciphers is the better option vs RC4(SSL Labs grade will be higher). If you are not required to support TLSv1(PCI-DSS no longer allows TLSv1 for new implementations), then disabling TLSv1 and RC4 are the best course of action. Disabling 3DES, is something all on its own. If you can afford to disable TLSv1 then you can probably afford to disable 3DES as well as IE on windows XP will be left in the cold by disabling either one. 'DEFAULT:!RC4:!3DES:!TLSv1' will leave you in a good security posture, but users still wanting to use IE on windows XP will not be able to connect(they can still use chrome or firefox).