Article ID: 123164, created on Oct 15, 2014, last review on Mar 15, 2015

Applies to:

  • Odin Business Automation Standard 4.5


The CVE-2014-3566 vulnerability (POODLE) in the SSLv3 protocol was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.

You can check if your website is vulnerable using curl:

curl -v3 -X HEAD https://<your-website>/

If you are NOT vulnerable, your output should look like:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection output, potentially including the line:

SSL 3.0 connection using ...


Some Parallels Business Automation - Standard (PBA-S) plugins force the use of SSLv3 in communications with external systems. As a result, disabling SSLv3 may disrupt the system.

To avoid this, run the following commands on the PBA-S server before disabling SSLv3:

# wget
# sh

This script downloads and installs the following packages with a hotfix applied against the POODLE vulnerability:

  • hspc-infstr-manager
  • hspc-plesk

The following packages are only downloaded if they are installed:

  • hspc-plugin-dm-mit
  • hspc-plugin-pp-op-anet
  • hspc-plugin-pp-op-protx
  • hspc-plugin-pp-op-pxpost
  • hspc-plugin-pp-op-securepay
  • hspc-plugin-pp-op-worldpayinv


The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol will completely mitigate it.

Edit /etc/httpd/conf/hspc_ssl.conf, replacing:

SSLProtocol -ALL +SSLv3 +TLSv1

with:

SSLProtocol -ALL +TLSv1

Restart the httpd service to apply your changes:

service httpd restart
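
As an added example (not part of the original article or of the vendor's tooling), the script below audits a configuration file such as /etc/httpd/conf/hspc_ssl.conf offline and reports whether any SSLProtocol directive still enables SSLv3. The function names and the sample files are assumptions, and the token evaluation is a simplified model of how the directive is parsed.

```shell
#!/bin/sh
# Added example (not vendor code): offline audit of SSLProtocol lines.

# Print "enabled" or "disabled" for one SSLProtocol argument list.
# Simplified model (assumption): tokens apply left to right; "+X" adds,
# "-X" removes, a bare name replaces the set; "all" includes SSLv3.
sslv3_state() {
    v3=0
    for tok in "$@"; do
        case "$tok" in
            +*) sign=+ name=${tok#+} ;;
            -*) sign=- name=${tok#-} ;;
            *)  sign=  name=$tok ;;
        esac
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            sslv3|all) if [ "$sign" = "-" ]; then v3=0; else v3=1; fi ;;
            *)         if [ -z "$sign" ]; then v3=0; fi ;;
        esac
    done
    if [ "$v3" -eq 1 ]; then echo enabled; else echo disabled; fi
}

# Report every SSLProtocol directive in a file; return 1 if any of them
# leaves SSLv3 enabled. Comment lines never match the directive name.
audit_conf() {
    file=$1 rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f   # split into words, no globbing
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
        [ "$key" = "sslprotocol" ] || continue
        shift
        state=$(sslv3_state "$@")
        echo "$file:$n: SSLv3 $state"
        [ "$state" = "disabled" ] || rc=1
    done < "$file"
    return "$rc"
}

# Constructed sample files holding the two directives from the article.
demo=$(mktemp -d)
printf '# constructed sample\nSSLProtocol -ALL +SSLv3 +TLSv1\n' > "$demo/before.conf"
printf '# constructed sample\nSSLProtocol -ALL +TLSv1\n' > "$demo/after.conf"
audit_conf "$demo/before.conf" || echo "before.conf: SSLv3 must be disabled"
audit_conf "$demo/after.conf" && echo "after.conf: OK"
rm -rf "$demo"
```

To check the real file, call audit_conf with its path in place of the sample files; a non-zero exit status means at least one directive still enables SSLv3.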
