Chapter 25. Deprecated Functionality

This chapter provides an overview of functionality that has been deprecated, or in some cases removed, in all minor releases up to Red Hat Enterprise Linux 6.9.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 6. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar to, identical to, or more advanced than that of the deprecated package, and provides further recommendations.

Deprecated Insecure Algorithms and Protocols

Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. See the Deprecation of Insecure Algorithms and Protocols in RHEL 6.9 article on the Red Hat Customer Portal for more information.
MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL
With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL), and message signatures is removed.
The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the /etc/pki/tls/legacy-settings policy configuration file, for example:
echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings
To add more than one legacy algorithm, use a comma or any whitespace character except a new line. See the README.legacy-settings in the OpenSSL package for more information.
You can also enable MD5 verification by setting the OPENSSL_ENABLE_MD5_VERIFY environment variable.
OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits
This change prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using OpenSSL are not vulnerable to attacks such as the LOGJAM attack.
The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
EXPORT cipher suites in OpenSSL are deprecated
This change removes support for EXPORT cipher suites in the OpenSSL toolkit. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.
GnuTLS clients no longer allow connections to servers with DH shorter than 1024 bits
This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using GnuTLS are not vulnerable to attacks such as the LOGJAM attack.
The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
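The following audit function is an added example, not part of the Red Hat documentation. It reports which of the LegacySigningMDs and MinimumDHBits overrides described in the OpenSSL and GnuTLS entries above are active on a host. It assumes one "Option value" entry per line, as in the echo examples, and that a missing file means the defaults apply; the function name and the sample algorithm tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example: list legacy crypto re-enabled through legacy-settings.
# Returns 0 when nothing weak is enabled, 1 when at least one finding is printed.
audit_legacy_settings() {
    file=${1:-/etc/pki/tls/legacy-settings}
    # Assumption: with no settings file present, the hardened defaults are in effect.
    [ -r "$file" ] || return 0
    awk '
        $1 == "LegacySigningMDs" {
            list = $0
            sub(/^[ \t]*LegacySigningMDs[ \t]*/, "", list)
            # Several algorithms may share a line, split by commas or whitespace.
            n = split(list, alg, /[, \t]+/)
            for (i = 1; i <= n; i++)
                if (alg[i] != "") {
                    printf "FINDING: %s:%d signature digest %s re-enabled\n", FILENAME, FNR, alg[i]
                    bad = 1
                }
        }
        $1 == "MinimumDHBits" && ($2 + 0) < 1024 {
            printf "FINDING: %s:%d MinimumDHBits %s is below 1024\n", FILENAME, FNR, $2
            bad = 1
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample input; the exact algorithm spellings are an assumption,
# see README.legacy-settings for the accepted tokens.
sample=$(mktemp)
printf '%s\n' 'LegacySigningMDs MD5, MD4' 'MinimumDHBits 768' > "$sample"
audit_legacy_settings "$sample" || echo "legacy crypto is enabled in $sample"
rm -f "$sample"
```

Because the MinimumDHBits example writes the file with `>` while the LegacySigningMDs example appends with `>>`, running the audit after any change shows which overrides actually remain in the file.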
EXPORT cipher suites in GnuTLS are deprecated
This change removes support for EXPORT cipher suites in the GNU Transport Layer Security (GnuTLS) library. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.
The GnuTLS EXPORT cipher suite priority string remains, but as an alias for the NORMAL priority string.
MD5 can no longer be used as a signing algorithm in NSS
This change prevents the Network Security Services (NSS) library from using MD5 as the signing algorithm in TLS. This change ensures that programs using NSS are not vulnerable to attacks such as the SLOTH attack.
The system administrator can enable MD5 support by modifying the /etc/pki/nss-legacy/nss-rhel6.config policy configuration file to:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=MD5"

Note that an empty line is required at the end of the file.
NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits
This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using NSS are not vulnerable to attacks such as the LOGJAM attack.
The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel6.config policy configuration file to:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"

Note that an empty line is required at the end of the file.
EXPORT cipher suites in NSS are deprecated
This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.
Deprecated algorithms in OpenSSH: RC4, hmac-md5, and hmac-md5-96
With this update, the arcfour256, arcfour128, arcfour ciphers and the hmac-md5, hmac-md5-96 Message Authentication Code (MAC) algorithms are deprecated. Note that this change does not affect any existing server configuration.
The system administrator can enable these deprecated algorithms by editing the ssh_config file, for example:
Host legacy-system.example.com
  Ciphers arcfour
  MACs hmac-md5
To completely restore all the deprecated algorithms, add the following snippet to the /etc/ssh/ssh_config file:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
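To find client configurations where the deprecated algorithms have been switched back on, the following added example (not part of the Red Hat documentation) scans an ssh_config file for the arcfour ciphers and hmac-md5 MACs named above and reports the Host scope of each. The function name and output format are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ssh_config entries that re-enable the ciphers and MACs
# deprecated in this update. Returns 1 if any weak algorithm is listed, else 0.
audit_ssh_config() {
    awk '
        BEGIN {
            n = split("arcfour arcfour128 arcfour256", c, " ")
            for (i = 1; i <= n; i++) weak["ciphers," c[i]] = 1
            n = split("hmac-md5 hmac-md5-96", m, " ")
            for (i = 1; i <= n; i++) weak["macs," m[i]] = 1
            scope = "(global)"                  # options before any Host line
        }
        /^[ \t]*#/ { next }                     # comment lines
        NF == 0    { next }                     # blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")           # ssh_config also accepts Keyword=value
            key = tolower($1)                   # keywords are case-insensitive
            if (key == "host") {
                scope = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", scope)
                next
            }
            if (key != "ciphers" && key != "macs") next
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++)
                if ((key "," alg[i]) in weak) {
                    printf "FINDING: %s:%d scope=%s %s %s\n", FILENAME, FNR, scope, key, alg[i]
                    bad = 1
                }
        }
        END { exit bad + 0 }
    ' "${1:-/etc/ssh/ssh_config}"
}

# Constructed sample: the per-host override from the text plus a clean default.
sample=$(mktemp)
printf '%s\n' 'Host legacy-system.example.com' '  Ciphers arcfour' '  MACs hmac-md5' \
              'Host *' '  Ciphers aes128-ctr,aes256-ctr' > "$sample"
audit_ssh_config "$sample" || echo "deprecated SSH algorithms are enabled in $sample"
rm -f "$sample"
```

A finding with scope=(global) means the override applies to every connection, as with the full restore snippet, rather than to a single legacy host.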
GnuTLS no longer provides cryptographic back-end replacement APIs
The functions implementing cryptographic back-end replacement are considered obsolete and act as no-operation functions now. The following functions exported in the gnutls/crypto.h file are affected:
  • gnutls_crypto_single_cipher_register2
  • gnutls_crypto_single_mac_register2
  • gnutls_crypto_single_digest_register2
  • gnutls_crypto_cipher_register2
  • gnutls_crypto_mac_register2
  • gnutls_crypto_digest_register2
  • gnutls_crypto_rnd_register2
  • gnutls_crypto_pk_register2
  • gnutls_crypto_bigint_register2

Deprecated Drivers

Deprecated device drivers
  • 3w-9xxx
  • 3w-sas
  • 3w-xxxx
  • aic7xxx
  • i2o
  • ips
  • megaraid_mbox
  • mptbase
  • mptctl
  • mptfc
  • mptlan
  • mptsas
  • mptscsih
  • mptspi
  • sym53c8xx
  • qla3xxx
The following controllers from the megaraid_sas driver have been deprecated:
  • Dell PERC5, PCI ID 0x15
  • SAS1078R, PCI ID 0x60
  • SAS1078DE, PCI ID 0x7C
  • SAS1064R, PCI ID 0x411
  • VERDE_ZCR, PCI ID 0x413
  • SAS1078GEN2, PCI ID 0x78
The following controllers from the be2iscsi driver have been deprecated:
  • BE_DEVICE_ID1, PCI ID 0x212
  • OC_DEVICE_ID1, PCI ID 0x702
  • OC_DEVICE_ID2, PCI ID 0x703
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.

Other Deprecated Components

cluster, luci components
The fence_sanlock agent and checkquorum.wdmd, introduced in Red Hat Enterprise Linux 6.4 as a Technology Preview and providing mechanisms to trigger the recovery of a node using a hardware watchdog device, are considered deprecated.
openswan component
The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for openswan to provide the VPN endpoint solution. openswan is replaced by libreswan during the system upgrade.
seabios component
Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.
The zerombr yes Kickstart command is deprecated
In some earlier versions of Red Hat Enterprise Linux, the zerombr yes command was used to initialize any invalid partition tables during a Kickstart installation. This was inconsistent with the rest of the Kickstart commands due to requiring two words while all other commands require one. Starting with Red Hat Enterprise Linux 6.7, specifying only zerombr in your Kickstart file is sufficient, and the old two-word form is deprecated.
Btrfs file system
The B-tree file system (Btrfs) is considered deprecated for Red Hat Enterprise Linux 6. Btrfs was previously provided as a Technology Preview, available on AMD64 and Intel 64 architectures.
eCryptfs file system
The eCryptfs file system, which was previously available as a Technology Preview, is considered deprecated for Red Hat Enterprise Linux 6.
mingw component
Following the deprecation of Matahari packages in Red Hat Enterprise Linux 6.3, at which time the mingw packages were noted as deprecated, and the subsequent removal of Matahari packages from Red Hat Enterprise Linux 6.4, the mingw packages were removed from Red Hat Enterprise Linux 6.6 and later.
The mingw packages are no longer shipped in Red Hat Enterprise Linux 6 minor releases, nor will they receive security-related updates. Consequently, users are advised to uninstall any earlier releases of the mingw packages from their Red Hat Enterprise Linux 6 systems.
virtio-win component, BZ#1001981
The VirtIO SCSI driver is no longer supported on the Microsoft Windows Server 2003 platform.
fence-agents component
Prior to the Red Hat Enterprise Linux 6.5 release, the Red Hat Enterprise Linux High Availability Add-On was considered fully supported on certain VMware ESXi/vCenter versions in combination with the fence_scsi fence agent. Due to limitations in these VMware platforms in the area of SCSI-3 persistent reservations, the fence_scsi fencing agent is no longer supported on any version of the Red Hat Enterprise Linux High Availability Add-On in VMware virtual machines, except when using iSCSI-based storage. See the Virtualization Support Matrix for High Availability for full details on supported combinations: https://access.redhat.com/site/articles/29440.
Users using fence_scsi on an affected combination can contact Red Hat Global Support Services for assistance in evaluating alternative configurations or for additional information.
systemtap component
The systemtap-grapher package has been removed from Red Hat Enterprise Linux 6. For more information, see https://access.redhat.com/solutions/757983.
matahari component
The Matahari agent framework (matahari-*) packages have been removed from Red Hat Enterprise Linux 6. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users.
distribution component
The following packages have been deprecated and are subject to removal in a future release of Red Hat Enterprise Linux 6. These packages will not be updated in the Red Hat Enterprise Linux 6 repositories, and customers who do not use the MRG-Messaging product are advised to uninstall them from their systems.
  • python-qmf
  • python-qpid
  • qpid-cpp
  • qpid-qmf
  • qpid-tests
  • qpid-tools
  • ruby-qpid
  • saslwrapper
Red Hat MRG-Messaging customers will continue to receive updated functionality as part of their regular updates to the product.
fence-virt component
libvirt-qpid is no longer part of the fence-virt package.
openscap component
The openscap-perl subpackage has been removed from openscap.