Article ID: 127925, created on Dec 28, 2015, last review on Dec 28, 2015

  • Applies to:
  • Plesk for Linux/Unix
  • Plesk for Windows


The CVE-2014-3566 vulnerability in the SSLv3 protocol (the POODLE attack) was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.

You can check if you are vulnerable using the following script. For the parameter, specify your server IP:

# wget
# unzip
# chmod +x
# for i in `echo 21 587 443 465 7081 8443 993 995 `; do /bin/sh /root/ <IP> $i; done


The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or the server (or both) will deflect a potential attack.

Operating system (OS) vendors released the following security advisories to address several recent OpenSSL vulnerabilities:





Please note the updates listed here do not actually fix the POODLE attack - they only use the TLS_FALLBACK_SCSV option to prevent triggering a fallback to SSLv3, and provide fixes for several other vulnerabilities.

It is strongly recommended you update the openssl package.

The best option is disabling SSLv3 support.

You can use the special scripts below to disable SSLv3 for all services:

  • for Linux - Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
  • for Windows - Disables SSLv3 server-wide (WARNING: A server reboot will be required).

See the following instructions on disabling SSLv3 for each service. The same instructions are applicable if your server has already been patched with pci_compliance_resolver.

Plesk service

As Plesk uses the same SSL engine, the sw-cp-server service should be configured to protect against the SSLv3 vulnerability.

NOTE: If you use Customer and Business Manager, see article #123706

Plesk 11.5 and later

Edit '/etc/sw-cp-server/config'. In the http section, add:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


    sudo service sw-cp-server restart

Plesk 11.0

Edit /usr/local/psa/admin/conf/, adding echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive. The file should look like:

    echo 'ssl.engine = "enable"'
    echo 'ssl.use-sslv2 = "disable"'
    echo 'ssl.use-sslv3 = "disable"'


    sudo service sw-cp-server restart

Plesk 9.x and 10.x

The solution for sw-cp-server backend in Plesk 10.x is to modify the list of available CIPHERS in /usr/local/psa/admin/conf/cipher.lst file to look like this, with no line breaks:


Once the /usr/local/psa/admin/conf/cipher.lst file has been modified, restart the backend:

    sudo service sw-cp-server restart

Plesk 8.6.0 and older

Parallels Plesk 8.6 uses Apache as the backend for the control panel.

Add the following line to the /usr/local/psa/admin/conf/httpsd.conf file:

    SSLProtocol All -SSLv2 -SSLv3

Then restart the control panel:

    sudo service psa restart

Apache HTTPD Server

If you are running Apache, change your Apache configuration file (listed below are the default locations):

RedHat/CentOS /etc/httpd/conf.d/ssl.conf

Debian/Ubuntu /etc/apache2/mods-available/ssl.conf

SuSE /etc/apache2/ssl-global.conf

Include or change the following line in your Apache configuration file among the other SSL directives:

    SSLProtocol All -SSLv2 -SSLv3

Run the following commands to change the SSL settings in the PCI Compliance template:

# mkdir -p /usr/local/psa/admin/conf/templates/custom/
# mkdir -p /usr/local/psa/admin/conf/templates/custom/server/
# cp /usr/local/psa/admin/conf/templates/pci_compliance/server/PCI_compliance.php /usr/local/psa/admin/conf/templates/custom/server/
# sed -i 's/SSLProtocol -ALL +SSLv3 +TLSv1/SSLProtocol All -SSLv2 -SSLv3/g' /usr/local/psa/admin/conf/templates/custom/server/PCI_compliance.php

Then restart the Apache webserver:

    /usr/local/psa/admin/bin/websrvmng -r

Nginx server

If you are running Nginx, include the following line among the other SSL directives in /etc/nginx/nginx.conf:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additionally, for all sites in Plesk 11.0 for Linux:

# mkdir -p /usr/local/psa/admin/conf/templates/custom/
# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

# sed -i 's/ssl_protocols               SSLv2 SSLv3 TLSv1;/ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

For all sites in Plesk 11.5 for Linux:

# mkdir -p /usr/local/psa/admin/conf/templates/custom/
# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
# cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

# sed -i 's/ssl_protocols               SSLv2 SSLv3 TLSv1;/ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
# sed -i 's/ssl_protocols               SSLv2 SSLv3 TLSv1;/ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

For all sites in Plesk 12.0 for Linux:

# mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` psa > psa_backup.sql
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> insert into misc values('disablesslv3', 'true');

Then, reconfigure Apache and Nginx:

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

Reference: Nginx documentation

Dovecot IMAP/POP3 server

Include the following line in /etc/dovecot/dovecot.conf:

    ssl_protocols = !SSLv2 !SSLv3

Restart the service:

    sudo service dovecot restart
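
The Apache, nginx and Dovecot directives above use three different syntaxes, and a sed substitution that matches nothing exits without an error, so it is worth checking the directive that actually ended up in each file. The following is an added example, not part of the original article; the function name ssl3_state is hypothetical, and the Apache branch assumes a build in which All includes SSLv3.

```shell
#!/bin/sh
# Added example (not from the original article).
# Usage: ssl3_state apache|nginx|dovecot < config-file
# Prints the effect of the LAST matching directive: enabled|disabled|unset
ssl3_state() {
    awk -v kind="$1" '
    BEGIN { state = "unset" }
    {
        sub(/#.*/, ""); gsub(/[;=]/, " "); $0 = tolower($0)
        if (kind == "apache" && $1 == "sslprotocol") {
            v3 = 0
            for (i = 2; i <= NF; i++) {
                w = $i; act = ""
                if (w ~ /^[+-]/) { act = substr(w, 1, 1); w = substr(w, 2) }
                hit = (w == "all" || w == "sslv3")
                if (act == "-")      { if (hit) v3 = 0 }
                else if (act == "+") { if (hit) v3 = 1 }
                else v3 = hit   # a bare token replaces the whole set
            }
            state = v3 ? "enabled" : "disabled"
        } else if (kind == "nginx" && $1 == "ssl_protocols") {
            # nginx: plain allow-list
            v3 = 0
            for (i = 2; i <= NF; i++) if ($i == "sslv3") v3 = 1
            state = v3 ? "enabled" : "disabled"
        } else if (kind == "dovecot" && $1 == "ssl_protocols") {
            # dovecot: "!" excludes; any positive token turns the
            # list into an allow-list
            inc = 0; v3inc = 0; v3exc = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "!sslv3") v3exc = 1
                else if ($i !~ /^!/) { inc = 1; if ($i == "sslv3") v3inc = 1 }
            }
            state = (!v3exc && (v3inc || !inc)) ? "enabled" : "disabled"
        }
    }
    END { print state }'
}

# Constructed sample inputs built from directive strings quoted in this article.
printf 'SSLProtocol -ALL +SSLv3 +TLSv1\n' | ssl3_state apache
printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' | ssl3_state nginx
printf 'ssl_protocols = !SSLv2 !SSLv3\n' | ssl3_state dovecot
```

A result of unset means no directive was found, so the service falls back to its built-in default.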

Courier IMAP

Edit the following files:



Add or modify the TLS_PROTOCOL and TLS_CIPHER_LIST directives so they look like:


Restart the services:

    sudo service courier-imaps restart
    sudo service courier-pop3s restart

Postfix SMTP

For 'opportunistic SSL' (where the encryption policy is not enforced and plaintext is acceptable), you do not need to make any changes. Even SSLv2 is better than plaintext, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

If you still want to disable SSLv3 for opportunistic encryption, add/change:


If 'mandatory SSL' mode is already configured, add/change the smtpd_tls_mandatory_protocols setting. Add the following string to the /etc/postfix/ file:


Then restart Postfix:

    sudo service postfix restart

You can verify whether SSLv3 is disabled using the following command:

    openssl s_client -connect localhost:465 -ssl3

If you are not vulnerable (SSLv3 is disabled), your output should look something like:

139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If you are vulnerable, you should see a normal connection output, including the line:

220 ESMTP Postfix
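
When the check above is repeated across several ports, reading the output by eye is error-prone: a client built without SSLv3 support also fails, and a failed handshake can still print a session block that names SSLv3. The following added example (not part of the original article) classifies the s_client output; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# classify_ssl3_probe reads the combined stdout+stderr of
#   openssl s_client -connect HOST:PORT -ssl3
# on stdin and prints: disabled | enabled | untested
classify_ssl3_probe() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # The local openssl build has no SSLv3 support: nothing was tested.
        echo untested
    elif printf '%s\n' "$out" |
            grep -Eq 'handshake failure|alert protocol version|Cipher is \(NONE\)'; then
        # Checked before the Protocol line: a failed handshake can still
        # print a session block that names SSLv3.
        echo disabled
    elif printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv3'; then
        echo enabled
    else
        # Connection refused, timeout, empty output, ...
        echo untested
    fi
}

# Hypothetical wrapper: probe one port of one host (needs network access).
probe_ssl3() {
    openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_ssl3_probe
}

# Constructed sample: an error line quoted above plus the session block
# that s_client may print after a failed handshake.
SAMPLE_REFUSED='139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
New, (NONE), Cipher is (NONE)
    Protocol  : SSLv3
    Cipher    : 0000'
# Constructed sample: a client built without SSLv3 support.
SAMPLE_NO_CLIENT_SSL3='unknown option -ssl3'
# Constructed sample: an SSLv3 session was negotiated.
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : SSLv3
    Cipher    : AES256-SHA'

for s in "$SAMPLE_REFUSED" "$SAMPLE_NO_CLIENT_SSL3" "$SAMPLE_ACCEPTED"; do
    printf '%s\n' "$s" | classify_ssl3_probe
done
```

A result of untested means the probe proved nothing about the server and should be repeated from a client that can still speak SSLv3.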

Qmail MTA

Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:


Note: disabling the SSLv3 cipher makes it impossible to use 465 (TLS) in Thunderbird.

ProFTPD server

Create and edit the /etc/proftpd.d/60-nosslv3.conf file by adding the following lines:

    <IfModule mod_tls.c>
    TLSProtocol TLSv1
    </IfModule>

Then make sure the created configuration file is included in the proftpd configuration. If it is missing, add the following line to /etc/proftpd.conf:

    Include /etc/proftpd.d/*.conf

Then restart the service daemon:

    service xinetd restart

Microsoft Internet Information Services

There is an official Microsoft Knowledgebase article about disabling particular protocols in IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the registry key.

  1. Click Start, click Run, type regedt32 or regedit, then click OK.

  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

  3. On the Edit menu, click Add Value.

  4. In the Data Type list, click DWORD.

  5. In the Value Name box, type Enabled then click OK.

    Note: If this value is present, double-click to edit it.

  6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".

  7. Click OK. Restart the computer.
