11.9. Controlling the Use of ADH Ciphers

To enhance security, the anonymous ADH cipher suites are replaced with authenticated alternatives: ECDHE+AES, DHE+AES, and RSA+AES. These suites use automatically generated, self-signed RSA certificates, so connections are encrypted without requiring complex certificate management.

Backward compatibility is preserved through the ssl_allow_legacy_adh configuration parameter, which is enabled by default; ADH support can be disabled explicitly (see Disabling Insecure ADH Ciphers below). In secure mode, the system automatically generates 2048-bit RSA certificates and applies SSL_VERIFY_NONE, so connections are encrypted while deployment stays simple.
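The practical difference between the two cipher sets is whether any enabled suite authenticates nobody. The following audit, an added example that is not part of this documentation or the product, feeds the replacement families named above (ECDHE+AES, DHE+AES, RSA+AES) and, for contrast, OpenSSL's aNULL keyword (which covers ADH) to the local OpenSSL library through Python's standard ssl module and reports which enabled suites are anonymous. Everything it uses is standard-library; the cipher strings follow OpenSSL syntax, where ':' separates rules and '+' intersects keywords.

```python
"""Audit an OpenSSL cipher string for anonymous (ADH/AECDH) suites.

Added example, not product code: uses only Python's standard ssl module and the
cipher-string syntax accepted by the OpenSSL library Python is linked against.
"""
import ssl

# The authenticated suite families the documentation names as the ADH replacement.
AUTHENTICATED = "ECDHE+AES:DHE+AES:RSA+AES"
# OpenSSL's keyword for every anonymous suite (ADH and AECDH), shown for contrast.
ANONYMOUS = "aNULL"


def legacy_suites(cipher_string):
    """Return the TLS 1.2-and-earlier suites OpenSSL enables for cipher_string.

    TLS 1.3 suites are configured separately and are never anonymous, so they
    are dropped. An empty list means this OpenSSL build has nothing matching the
    string (e.g. anonymous suites compiled out or disabled by system crypto
    policy) or rejected the string outright.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [s for s in ctx.get_ciphers() if s["protocol"] != "TLSv1.3"]


def is_anonymous(suite):
    """True if the suite authenticates no one, the weakness ADH shares with AECDH.

    Two independent signals are checked: the structured auth field and the
    'Au=None' marker in OpenSSL's textual description.
    """
    return suite.get("auth") == "auth-null" or "Au=None" in suite.get("description", "")


def audit(cipher_string):
    """Summarise a cipher string: suites enabled, the anonymous ones, key exchanges."""
    suites = legacy_suites(cipher_string)
    return {
        "enabled": len(suites),
        "anonymous": sorted(s["name"] for s in suites if is_anonymous(s)),
        "key_exchange": sorted({s["kea"] for s in suites if s.get("kea")}),
    }


if __name__ == "__main__":
    for label, spec in (("authenticated (ECDHE/DHE/RSA + AES)", AUTHENTICATED),
                        ("legacy anonymous (aNULL)", ANONYMOUS)):
        report = audit(spec)
        verdict = "OK" if not report["anonymous"] else "REJECT"
        print(f"{label}: {report['enabled']} suites, "
              f"{len(report['anonymous'])} anonymous, "
              f"kx={report['key_exchange']} -> {verdict}")
```

For the authenticated string the report lists zero anonymous suites and only ECDHE, DHE and RSA key exchange; for aNULL every enabled suite is anonymous, or none is enabled at all on builds where the system crypto policy already removes them, which is why the audit treats "nothing enabled" and "nothing anonymous" as separate facts.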

11.9.1. Security Advantages

This approach eliminates the zero-authentication risk inherent in ADH cipher suites, which offer no resistance to man-in-the-middle (MITM) attacks. By using self-signed certificates with RSA/ECDHE ciphers, the system cryptographically authenticates the server identity.

Although the certificate chain is not verified by a trusted Certificate Authority—resulting in a “Medium” severity rating—this method aligns with industry-standard practices for internal communication. It is employed by platforms such as Red Hat Satellite, VMware vSphere, and Docker Swarm. Compared to ADH, this solution significantly improves security by requiring an active attack during the initial connection, rather than allowing passive interception at any time.

11.9.2. Disabling Insecure ADH Ciphers

To disable the use of old, insecure ADH ciphers:

  1. On the management node:

    1. Open the vzagent.conf file:

      /var/opt/pva/mn/etc/vzagent.conf
      
    2. In the vzagent.conf file, add the line <ssl_allow_legacy_adh>0</ssl_allow_legacy_adh> immediately after the <configuration> line, as follows:

      <system>
      <configuration>
      <ssl_allow_legacy_adh>0</ssl_allow_legacy_adh>
      <distribution>
      <item>
      

      Setting ssl_allow_legacy_adh to 0 disables legacy ADH ciphers and enforces the use of more secure alternatives (RSA/ECDHE+AES).

    3. Restart the services:

      # systemctl restart va-cc.service va-mn.service httpd.service
      
  2. On agent nodes:

    1. Open the vzagent.conf file:

      /var/opt/pva/agent/etc/vzagent.conf
      
    2. In the vzagent.conf file, add the line <ssl_allow_legacy_adh>0</ssl_allow_legacy_adh> immediately after the <configuration> line, as follows:

      <system>
      <configuration>
      <ssl_allow_legacy_adh>0</ssl_allow_legacy_adh>
      <distribution>
      <item>
      

      Apply the same configuration to all agent nodes.

      Note

      The value of ssl_allow_legacy_adh must be the same on the management node and on all agents. Mismatched settings result in connection failures, and the affected servers appear as “Offline” in the interface. You may then encounter the following error message: “Error: The Hardware Node has the status ‘offline’ and so cannot be managed at the moment.”

    3. Restart the agent service:

      # systemctl restart va-agent.service
      
  3. After restarting the services, verify that the nodes are online and communicating securely.
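Because a single agent left at the default value is enough to make that node show as Offline, it is worth checking all vzagent.conf files before restarting anything. The script below is an added example, not a tool shipped with the product: it parses each file as XML, looks up ssl_allow_legacy_adh wherever it sits in the document, treats a missing element as the default (ADH allowed, as stated above), and lists the nodes whose effective value differs from the management node's. The file paths are the ones given in this procedure; the file contents are constructed and reduced to the one element that matters here.

```python
"""Check that ssl_allow_legacy_adh is set consistently across nodes.

Added example, not product code. Assumes only what the procedure shows:
vzagent.conf is XML and carries an ssl_allow_legacy_adh element, which is
treated as enabled (1) when absent.
"""
import xml.etree.ElementTree as ET

SETTING = "ssl_allow_legacy_adh"
DEFAULT_VALUE = "1"  # ADH support is enabled unless explicitly set to 0

# Constructed sample contents for the files named in the procedure. Real files
# contain many more elements; only the element relevant to this check is shown.
SAMPLE_CONFIGS = {
    "management-node:/var/opt/pva/mn/etc/vzagent.conf": """\
<system>
  <configuration>
    <ssl_allow_legacy_adh>0</ssl_allow_legacy_adh>
  </configuration>
</system>
""",
    "agent-1:/var/opt/pva/agent/etc/vzagent.conf": """\
<system>
  <configuration>
    <ssl_allow_legacy_adh> 0 </ssl_allow_legacy_adh>
  </configuration>
</system>
""",
    # agent-2 was never edited, so it still runs with the default (ADH allowed).
    "agent-2:/var/opt/pva/agent/etc/vzagent.conf": """\
<system>
  <configuration>
  </configuration>
</system>
""",
}


def legacy_adh_setting(config_text):
    """Return the effective ssl_allow_legacy_adh value ('0' or '1') for one file.

    The element is searched anywhere in the document so the check does not
    depend on exact nesting; a missing element means the default applies.
    Malformed XML, a duplicated element, or a value other than 0/1 raises
    ValueError instead of being guessed, so a typo cannot pass as "disabled".
    """
    try:
        root = ET.fromstring(config_text)
    except ET.ParseError as exc:
        raise ValueError(f"cannot parse vzagent.conf: {exc}") from exc
    elements = list(root.iter(SETTING))
    if not elements:
        return DEFAULT_VALUE
    if len(elements) > 1:
        raise ValueError(f"{SETTING} appears {len(elements)} times; expected one")
    value = (elements[0].text or "").strip()
    if value not in ("0", "1"):
        raise ValueError(f"unexpected {SETTING} value: {value!r}")
    return value


def find_mismatches(configs, reference_node):
    """Compare every node's effective setting with the management node's.

    Returns (settings, mismatched): settings maps node -> effective value, and
    mismatched lists the nodes whose value differs from reference_node, i.e.
    the ones expected to fail to connect and show as Offline.
    """
    settings = {node: legacy_adh_setting(text) for node, text in configs.items()}
    reference = settings[reference_node]
    mismatched = sorted(node for node, value in settings.items() if value != reference)
    return settings, mismatched


def adh_disabled_everywhere(settings):
    """True only when every node has explicitly disabled legacy ADH."""
    return all(value == "0" for value in settings.values())


if __name__ == "__main__":
    mn = "management-node:/var/opt/pva/mn/etc/vzagent.conf"
    settings, mismatched = find_mismatches(SAMPLE_CONFIGS, mn)
    for node, value in settings.items():
        print(f"{node}: {SETTING}={value}")
    print("nodes differing from the management node:", mismatched or "none")
    print("legacy ADH disabled everywhere:", adh_disabled_everywhere(settings))
```

On the constructed sample, agent-2 is reported as the mismatch: it still has the default value 1 while the management node has 0, which is exactly the situation the Note above describes. To use the check on real nodes, replace SAMPLE_CONFIGS with the contents of each node's vzagent.conf, collected however your environment already distributes or audits configuration.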