Article ID: 123165, created on Oct 15, 2014, last review on Jun 17, 2016

  • Applies to:
  • Virtuozzo 6.0
  • Virtuozzo containers for Linux 4.7
  • Virtual Automation


The CVE-2014-3566 vulnerability in the SSLv3 protocol was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.


It is necessary to keep the security of HTTPS servers adequate to modern threats, because new breaches and weaknesses in cryptographic algorithms and protocols are constantly discovered. Moreover, the default settings of web servers and operating systems do not always provide an acceptable level of SSL/TLS security. This article aims to provide guidance on how to configure Linux and Windows web servers to provide a good level of SSL/TLS security on Parallels Virtual Automation servers.

It is based on SSL/TLS Deployment Best Practices from Qualys SSLLabs.


This guide contains instructions on how to configure SSL/TLS on PVA servers:

  • PVA Management Node
  • PVA Agent installed on a server hosting virtual environment

Vulnerability mitigation steps:

SSL/TLS Weaknesses

The table below lists the weaknesses whose mitigations are addressed by this article.

Weakness: Enabled SSLv3. It is broken due to CVE-2014-3566 (POODLE attack).
Mitigation: Disable SSLv3.

Weakness: Enabled SSLv2. It is broken.
Mitigation: Disable SSLv2.

Weakness: Insecure/broken algorithms used in ciphers (RC4).
Mitigation: Disable broken ciphers and algorithms.

Weakness: Small-entropy ciphers (DES, 3DES).
  * A key entropy of 128 bits is recommended nowadays.
  * 96 bits of entropy can be tolerable, though.
  * 3DES/168 has an actual entropy of 112 bits.
Mitigation: Disable or de-prioritise these ciphers. It is better not to disable 3DES/168 bits, in order to support IE on Windows XP.

Weakness: Anonymous key negotiation protocols (ADH).
Mitigation: Rare situation. Specify proper ciphers to use in Apache.

Weakness: CRIME vulnerability (and its successors like TIME, etc.).
Mitigation: Disable TLS traffic compression.

Weakness: BEAST vulnerability.
Mitigation: Do nothing on the server side.

Weakness: SSL insecure renegotiation (Apache).
Mitigation: Check that the latest update for the used version of Apache is installed.

Weakness: FREAK vulnerability.
Mitigation: Install updates and/or disable weak ciphers.

Weakness: DROWN vulnerability.
Mitigation: Install openssl updates and restart all services that depend on openssl (or reboot the node).

Testing SSL/TLS Security

It is not necessary to apply all steps described in this article to all servers. Test your web servers and fix those that actually demonstrate weaknesses or vulnerabilities.
The best and preferred way to assess the security of a web server's SSL configuration is to use Qualys SSL Labs' test. The mark A denotes a reasonably good security level. Scores lower than B require appropriate mitigation steps.

Unfortunately, SSL Labs' test cannot be applied to web servers that are not reachable from the Internet. Use the TestSSLServer tool to test cipher strength and the CRIME vulnerability on servers in your lab (requires Java).

Basic test recommendations for "offline" testing:

  • Ensure the certificate is up-to-date and issued by a trusted authority
  • Ensure SSLv2 is disabled
  • Ensure SSLv3 is disabled too
  • Check that the RC4 cipher is not used
  • Check that the DES cipher is not used
  • Check that CRIME is mitigated


  1. TestSSLServer output for a Windows 2008 R2 server with the default configuration. The yellow-marked text points out the insecure protocols (SSLv2 and SSLv3) and ciphers (RC4) that should be disabled. It is no longer recommended to mitigate the BEAST attack on the server side, so we do not pay attention to the respective "vulnerable" mark.

    Supported versions: SSLv2 SSLv3 TLSv1.0
    Deflate compression: no
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
    Server certificate(s):
      0c6e6854baa0323d862c3e41787213e6d8e4006a: CN=, O=Parallels, C=US
    Minimal encryption strength:     strong encryption (96-bit or more)
    Achievable encryption strength:  strong encryption (96-bit or more)
    BEAST status: vulnerable
    CRIME status: protected
  2. Apache on a CentOS 5.3 server. CRIME is not mitigated.

    Supported versions: SSLv3 TLSv1.0
    Deflate compression: YES
    Supported cipher suites (ORDER IS NOT SIGNIFICANT):
    (TLSv1.0: idem)
    Server certificate(s):
    d04135719197cefa8f601f2cf3d1ed055df41afd:, OU=EssentialSSL, OU=Domain Control Validated
    Minimal encryption strength:     strong encryption (96-bit or more)
    Achievable encryption strength:  strong encryption (96-bit or more)
    BEAST status: vulnerable
    CRIME status: vulnerable

Important note: even if TestSSLServer was used during initial deployment, it is still necessary to run the SSL Labs test once a web server becomes reachable from the Internet. SSL Labs' test provides much more comprehensive checks, including server certificate strength and trustworthiness, compatibility testing with different browsers, and more known vulnerabilities.
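As an added example (not part of the article), the following Python script applies the "offline" checklist above to TestSSLServer output. The report it parses is constructed here to resemble the two reports quoted above, with a cipher suite list filled in; the cipher names follow TestSSLServer's naming and the server is fictitious.

```python
import re
# Constructed TestSSLServer-style report (not captured from a real server); its
# layout follows the two reports quoted in this article, with a cipher list added.
SAMPLE_REPORT = """\
Supported versions: SSLv2 SSLv3 TLSv1.0
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_SHA
     RSA_WITH_DES_CBC_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     DH_anon_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
Server certificate(s):
CRIME status: vulnerable
"""
def parse_report(text):
    """Extract protocol versions, cipher suite names and the CRIME status line."""
    versions, suites, crime, in_suites = set(), set(), None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Supported versions:"):
            versions.update(s.split(":", 1)[1].split())
        elif s.startswith("Supported cipher suites"):
            in_suites = True
        elif s.startswith("Server certificate"):
            in_suites = False
        elif in_suites and re.match(r"^\w+_WITH_\w+$", s):
            suites.add(s)
        elif s.startswith("CRIME status:"):
            crime = s.split(":", 1)[1].strip()
    return versions, suites, crime

def weaknesses(text):
    """Return the failing items of the offline checklist, in the article's order."""
    versions, suites, crime = parse_report(text)
    found = []
    if "SSLv2" in versions:
        found.append("SSLv2 enabled")
    if "SSLv3" in versions:
        found.append("SSLv3 enabled")
    if any("RC4" in s for s in suites):
        found.append("RC4 cipher offered")
    # Single DES only: 3DES (..._3DES_EDE_...) is tolerated by the article for IE on XP.
    if any("_DES_" in s for s in suites):
        found.append("DES cipher offered")
    if any("anon" in s for s in suites):
        found.append("anonymous (ADH) key exchange offered")
    if crime != "protected":
        found.append("CRIME not mitigated (TLS compression enabled)")
    return found
```

Feed it the saved output of a TestSSLServer run; an empty list means the server passes every item of the checklist except the certificate check, which this script does not perform.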

Windows 2008 Mitigations

Windows 2008 R2 allows broken SSLv2, SSLv3 and weak ciphers for server-side SSL/TLS connections by default.

Mitigation steps:

  1. Upload the attached file onto the web server machine.

  2. Extract the content, double-click on it, and allow the operating system to update the registry.

  3. Restart the computer.

For more information about the meaning of the registry settings used, see

Linux Mitigations

Weak Cipher and Protocols

Apply the following steps when testing shows SSLv2, SSLv3, RC4, DES or ADH among the protocols and ciphers supported by a server.

  1. Add (or modify) the following mod_ssl options in the SSL/TLS configuration of the Apache web server:

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on

    For the PVA Management Node, the following files should be checked and updated:

    • /etc/httpd/conf/httpd.conf
    • /etc/httpd/conf.d/ssl.conf
    • /etc/httpd/conf.d/

    For a node with PVA Agent, this should be done at least in the following files:

    • /etc/httpd/conf/httpd.conf
    • /etc/httpd/conf.d/ssl.conf
    • /etc/opt/pva/pp/plugins/httpd/include.ssl.conf
    • /etc/httpd/conf.d/z.pva.pp.20.plesk.conf
    • /etc/httpd/conf.d/parallels.conf
  2. Reload the Apache configuration.
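As an added example (not part of the article or of PVA), a Python audit of the two directives from step 1 that can be run over each file listed above. Both config fragments are constructed: WEAK_CONF mirrors the stock CentOS 5/6 mod_ssl settings, and the cipher string in FIXED_CONF is an assumption, since the article does not prescribe one.

```python
import re
# Constructed ssl.conf fragments, not copied from a PVA node. WEAK_CONF mirrors the
# stock CentOS 5/6 mod_ssl defaults; FIXED_CONF adds the two directives from step 1
# plus an assumed cipher string (the article gives none) that drops RC4, single DES
# and anonymous DH while keeping 3DES (inside HIGH) for IE on Windows XP.
WEAK_CONF = """\
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""
FIXED_CONF = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!eNULL:!RC4:!DES
"""

def ssl_directives(conf_text):
    """Map each SSL* directive (case-insensitive, as Apache matches them) to its last value."""
    found = {}
    for raw in conf_text.splitlines():
        m = re.match(r"^(SSL\w+)\s+(.+)$", raw.split("#", 1)[0].strip(), re.I)
        if m:  # a later directive in the same context overrides an earlier one
            found[m.group(1).lower()] = m.group(2).strip()
    return found

def enabled_protocols(spec):
    """Expand an SSLProtocol value such as "all -SSLv2 -SSLv3" into allowed versions."""
    enabled = set()
    for tok in spec.lower().split():
        if tok == "all":
            enabled |= {"sslv2", "sslv3", "tlsv1"}
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled

def audit(conf_text):
    """Return what step 1 of the Linux mitigation still has to fix in this config."""
    d, problems = ssl_directives(conf_text), []
    allowed = enabled_protocols(d.get("sslprotocol", "all"))  # mod_ssl default: all
    problems += [name + " enabled by SSLProtocol" for name in ("SSLv2", "SSLv3")
                 if name.lower() in allowed]
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        problems.append("SSLHonorCipherOrder is not on")
    # Only explicit tokens are inspected: "!RC4" excludes, "RC4+RSA" enables; "3DES" is skipped.
    for fam in ("RC4", "DES", "ADH", "aNULL"):
        if any(fam in t and not t.startswith(("!", "3"))
               for t in d.get("sslciphersuite", "").split(":")):
            problems.append("SSLCipherSuite allows " + fam)
    return problems
```

Run audit() on the text of each file in the lists above; the check is textual, so it cannot see ciphers that an OpenSSL alias such as ALL or MEDIUM pulls in implicitly, and TestSSLServer remains the authoritative check after the reload.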

CRIME Vulnerability Mitigation

Here are the mitigation steps for CentOS 5, 6 and CloudLinux 6:

  1. Add the following variable to the Apache environment (/etc/sysconfig/httpd):

  2. Restart the Apache service.

Search Words

SSL/TLS security

4434 adh-aes256-sha

vzpp poodle

pvaagent ssl vul

power panel poodle
