Chapter 53. Deprecated Functionality

This chapter provides an overview of functionality that has been deprecated in all minor releases of Red Hat Enterprise Linux 7 up to Red Hat Enterprise Linux 7.4.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 7. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar, identical, or more advanced to the one deprecated, and provides further recommendations.

Deprecated packages related to Identity Management

The following packages are deprecated and will not be included in a future major release of Red Hat Enterprise Linux:
Deprecated Packages Proposed Replacement Package or Product
authconfig authselect
pam_pkcs11 sssd (contains enhanced smart card functionality)
pam_krb5 sssd
openldap-server Depending on the use case, migrate to Identity Management included in Red Hat Enterprise Linux or to Red Hat Directory Server. [a]
[a] Red Hat Directory Server requires a valid Directory Server subscription.

Deprecated Insecure Algorithms and Protocols

Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. See the Enhancing the Security of the Operating System with Cryptography Changes in Red Hat Enterprise Linux 7.4 Knowledgebase article on the Red Hat Customer Portal for more information.
Weak ciphers and algorithms are no longer used by default in OpenSSH
With this update, the OpenSSH library removes several weak ciphers and algorithms from default configurations. However, backward compatibility is ensured in most cases.
The following have been removed from the OpenSSH server and client:
  • Host key algorithms:
    • ssh-rsa-cert-v00@openssh.com
    • ssh-dss-cert-v00@openssh.com
  • Ciphers:
    • arcfour256
    • arcfour128
    • arcfour
    • rijndael-cbc@lysator.liu.se
  • MACs:
    • hmac-md5
    • hmac-md5-96
    • hmac-md5-96-etm@openssh.com
    • hmac-md5-etm@openssh.com
    • hmac-ripemd160
    • hmac-ripemd160-etm@openssh.com
    • hmac-ripemd160@openssh.com
    • hmac-sha1-96
    • hmac-sha1-96-etm@openssh.com
The following have been removed from the OpenSSH client:
  • Ciphers:
    • blowfish-cbc
    • cast128-cbc
    • 3des-cbc
OpenSSH no longer uses the SHA-1-based key exchange algorithms in FIPS mode
This update removes the SHA-1-based key exchange algorithms from the default list in FIPS mode. To enable those algorithms, use the following configuration snippet for the ~/.ssh/config and /etc/ssh/sshd_config files:
KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
The SSH-1 protocol has been removed from the OpenSSH server
SSH-1 protocol support has been removed from the OpenSSH server. For more information, see the The server-side SSH-1 protocol removal from RHEL 7.4 Knowledgebase article.
MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL
With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL) and message signatures has been removed.
Additionally, the default algorithm for generating digital signatures has been changed from SHA-1 to SHA-256. The verification of SHA-1 signatures is still enabled for legacy purposes.
The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the etc/pki/tls/legacy-settings policy configuration file, for example:
echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings
To add more than one legacy algorithm, use a comma or any whitespace character except for a new line. See the README.legacy-settings file in the OpenSSL package for more information.
You can also enable MD5 verification by setting the OPENSSL_ENABLE_MD5_VERIFY environment variable.
OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits
This update prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as Logjam.
The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings, for example:
echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
SSL 2.0 support has been completely removed from OpenSSL
The SSL protocol version 2.0, which is considered insecure for more than seven years, was deprecated by RFC 6176 in 2011. In Red Hat Enterprise Linux, support of SSL 2.0 was already disabled by default. With this update, SSL 2.0 support has been removed completely. The OpenSSL library API calls that use this protocol version now return an error message.
EXPORT cipher suites in OpenSSL have been deprecated
This change removes support for EXPORT cipher suites from the OpenSSL toolkit. Disabling these weak cipher suites ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as FREAK. EXPORT cipher suites are no longer required in any TLS protocol configurations.
GnuTLS clients no longer allow connections to servers with DH shorter than 1024 bits
This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using GnuTLS are not susceptible to vulnerabilities, such as Logjam.
In applications that accept a priority string from the user or configuration directly, this change can be reverted by appending the priority string %PROFILE_VERY_WEAK to the used priority string.
NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits
This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using NSS are not susceptible to vulnerabilities, such as Logjam.
The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel7.config policy configuration file to:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"

Note that an empty line is required at the end of the file.
EXPORT cipher suites in NSS have been deprecated
This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites protects against vulnerabilities, such as FREAK. EXPORT cipher suites are not required in any TLS protocol configuration.

Legacy CA certificates removed from the ca-certificates package

Previously, to allow older versions of the GnuTLS, OpenSSL, and glib-networking libraries to remain compatible with the Public Key Infrastructure (PKI), the ca-certificates package included a set of legacy CA certificates with 1024-bit RSA keys as trusted by default.
Since Red Hat Enterprise Linux 7.4, updated versions of OpenSSL, GnuTLS, and glib-networking are available, which are able to correctly identify a replacement of root CA certificates. Trusting these legacy CA certificates is no longer required for public web PKI compatibility.
The legacy configuration mechanism, which could previously be used to disable the legacy CA certificates, is no longer supported; the list of legacy CA certificates has been changed to empty.
The ca-legacy tool is still available and it also keeps current configuration settings for potential future reuse.

coolkey replaced with opensc

The OpenSC library implements the PKCS#11 API and replaces the coolkey packages. In Red Hat Enterprise Linux 7, the CoolKey Applet functionality is also provided by the opensc package.
The coolkey package will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc package.

FedFS has been deprecated

Federated File System (FedFS) has been deprecated because the upstream FedFS project is no longer being actively maintained. Red Hat recommends migrating FedFS installations to use autofs, which provides more flexible functionality.

Btrfs has been deprecated

The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.
The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

tcp_wrappers deprecated

The tcp_wrappers package, which provides a library and a small daemon program that can monitor and filter incoming requests for systat, finger, FTP, telnet, rlogin, rsh, exec, tftp, talk, sshd, and other network services, has been deprecated.

nautilus-open-terminal replaced with gnome-terminal-nautilus

Since Red Hat Enterprise Linux 7.3, the nautilus-open-terminal package has been deprecated and replaced with the gnome-terminal-nautilus package. This package provides a Nautilus extension that adds the Open in Terminal option to the right-click context menu in Nautilus. nautilus-open-terminal is replaced by gnome-terminal-nautilus during the system upgrade.

sslwrap() removed from Python

The sslwrap() function has been removed from Python 2.7. After the 466 Python Enhancement Proposal was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream. Red Hat recommends using the ssl.wrap_socket() function instead.

Windows guest virtual machine support limited

As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific subscription programs, such as Advanced Mission Critical (AMC).

libnetlink is deprecated

The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the libnl and libmnl libraries instead.

S3 and S4 power management states for KVM have been deprecated

Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.

The Certificate Server plug-in udnPwdDirAuth is discontinued

The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.

Red Hat Access plug-in for IdM is discontinued

The Red Hat Access plug-in for Identity Management (IdM) was removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends to explore alternatives, such as the redhat-support-tool tool.

The Ipsilon identity provider service for federated single sign-on

The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon links authentication providers and applications or utilities to allow for single sign-on (SSO).
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.
Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloak community project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designated as the standard web SSO solution across the Red Hat product portfolio.

Several rsyslog options deprecated

The rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.
  • The functionality previously provided by the options -c, -u, -q, -x, -A, -Q, -4, and -6 can be achieved using the rsyslog configuration.
  • There is no replacement for the functionality previously provided by the options -l and -s

Deprecated symbols from the memkind library

The following symbols from the memkind library have been deprecated:
  • memkind_finalize()
  • memkind_get_num_kind()
  • memkind_get_kind_by_partition()
  • memkind_get_kind_by_name()
  • memkind_partition_mmap()
  • memkind_get_size()
  • MEMKIND_ERROR_MEMALIGN
  • MEMKIND_ERROR_MALLCTL
  • MEMKIND_ERROR_GETCPU
  • MEMKIND_ERROR_PMTT
  • MEMKIND_ERROR_TIEDISTANCE
  • MEMKIND_ERROR_ALIGNMENT
  • MEMKIND_ERROR_MALLOCX
  • MEMKIND_ERROR_REPNAME
  • MEMKIND_ERROR_PTHREAD
  • MEMKIND_ERROR_BADPOLICY
  • MEMKIND_ERROR_REPPOLICY

Options of Sockets API Extensions for SCTP (RFC 6458) deprecated

The options SCTP_SNDRCV, SCTP_EXTRCV and SCTP_DEFAULT_SEND_PARAM of Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.
New options SCTP_SNDINFO, SCTP_NXTINFO, SCTP_NXTINFO and SCTP_DEFAULT_SNDINFO have been implemented as a replacement for the deprecated options.

Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmt

The SSLv2 and SSLv3 connections to the NetApp ONTAP storage array are no longer supported by the libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.

dconf-dbus-1 has been deprecated and dconf-editor is now delivered separately

With this update, the dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library has been backported to preserve binary compatibility. Red Hat recommends using the GDBus library instead of dconf-dbus-1.
The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package; see Chapter 8, Desktop for more information.

FreeRADIUS no longer accepts Auth-Type := System

The FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unix authentication module. This option has been replaced by the use of the unix module in the authorize section of the configuration file.

Deprecated Device Drivers

  • 3w-9xxx
  • 3w-sas
  • mptbase
  • mptctl
  • mptsas
  • mptscsih
  • mptspi
  • mvsas
  • qla3xxx
  • The following controllers from the megaraid_sas driver have been deprecated:
    • Dell PERC5, PCI ID 0x15
    • SAS1078R, PCI ID 0x60
    • SAS1078DE, PCI ID 0x7C
    • SAS1064R, PCI ID 0x411
    • VERDE_ZCR, PCI ID 0x413
    • SAS1078GEN2, PCI ID 0x78
  • The following Ethernet adapter controlled by the be2net driver has been deprecated:
    • TIGERSHARK NIC, PCI ID 0x0700
  • The following controllers from the be2iscsi driver have been deprecated:
    • Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
    • OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
    • OCe10100 BE2 adapter family, PCI ID 0x703
  • The following Emulex boards from the lpfc driver have been deprecated:
    BladeEngine 2 (BE2) Devices
    • TIGERSHARK FCOE, PCI ID 0x0704
    Fibre Channel (FC) Devices
    • FIREFLY, PCI ID 0x1ae5
    • PROTEUS_VF, PCI ID 0xe100
    • BALIUS, PCI ID 0xe131
    • PROTEUS_PF, PCI ID 0xe180
    • RFLY, PCI ID 0xf095
    • PFLY, PCI ID 0xf098
    • LP101, PCI ID 0xf0a1
    • TFLY, PCI ID 0xf0a5
    • BSMB, PCI ID 0xf0d1
    • BMID, PCI ID 0xf0d5
    • ZSMB, PCI ID 0xf0e1
    • ZMID, PCI ID 0xf0e5
    • NEPTUNE, PCI ID 0xf0f5
    • NEPTUNE_SCSP, PCI ID 0xf0f6
    • NEPTUNE_DCSP, PCI ID 0xf0f7
    • FALCON, PCI ID 0xf180
    • SUPERFLY, PCI ID 0xf700
    • DRAGONFLY, PCI ID 0xf800
    • CENTAUR, PCI ID 0xf900
    • PEGASUS, PCI ID 0xf980
    • THOR, PCI ID 0xfa00
    • VIPER, PCI ID 0xfb00
    • LP10000S, PCI ID 0xfc00
    • LP11000S, PCI ID 0xfc10
    • LPE11000S, PCI ID 0xfc20
    • PROTEUS_S, PCI ID 0xfc50
    • HELIOS, PCI ID 0xfd00
    • HELIOS_SCSP, PCI ID 0xfd11
    • HELIOS_DCSP, PCI ID 0xfd12
    • ZEPHYR, PCI ID 0xfe00
    • HORNET, PCI ID 0xfe05
    • ZEPHYR_SCSP, PCI ID 0xfe11
    • ZEPHYR_DCSP, PCI ID 0xfe12
To check the PCI IDs of the hardware on your system, run the lspci -nn command.
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.

Deprecated adapters

The following adapters have been deprecated:
  • 0x2422 -> ISP24xx
  • 0x2432 -> ISP24xx
  • 0x5422 -> ISP2422
  • 0x5432 -> QLE220
  • 0x8001 -> QLE81xx
  • 0xF000 -> QLE10000
  • 0x8044 -> QLE84xx
  • 0x8432 -> QLE8000

SFN4XXX adapters have been deprecated

Starting with Red Hat Enterprise Linux 7.4, SFN4XXX Solarflare network adapters have been deprecated. Previously, Solarflare had a single driver sfc for all adapters. Recently, support of SFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Both drivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled for removal in a future major release.

FCoE storage technologies have been deprecated

The Fibre Channel over Ethernet (FCoE) storage technologies have been deprecated due to limited customer adoption after several years of availability. FCoE storage technology will remain supported for the life of Red Hat Enterprise Linux 7. The deprecation notice indicates intent to remove FCoE support in a future major release of Red Hat Enterprise Linux.