How to fight BEAST vulnerability and maintain PFS for old clients?

Correct me if I'm wrong but BEAST is because of CBC in TLSv1.0, right? So to eliminate the threat of BEAST all CBC cipher suites which are SSLv3 or lower have to be disabled, right?

Lets jump into the real world example. See the Qualys SSL Test for my test domain. You'll see that I have disabled SSLv3 (and lower of course) with protocols. To maintain some old clients which do not support TLSv1.1 and at the same time maintain Perfect Forward Secrecy for those clients I have to use some CBC cipher suites that came with SSLv3 or TLSv1.0.

Here are some samples of clients I have to maintain (with link to Qualys SSL Client Info site).

• Java 7
• OpenSSL 0.9 (because of some routers)
• IE 8 / XP (IE 6 / XP support is dropped)
• Android 2.3

Here is my OpenSSL 1.0.1e cipher suite configuration:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Does anybody see a solution to fix BEAST and maintain Client/PFS? I only see max. TLSv1.0 and CBC only cipher suites on the client side.

To catch up with Michael Hampton: Yes, RC4 is not a solution. I forgot to mention that.