Chapter 13. Servers and Services

The ErrorPolicy directive is now validated

The ErrorPolicy configuration directive was not validated on startup, so an unintended default error policy could silently take effect. The directive is now validated on startup and reset to the default if the configured value is invalid. As a result, either the intended policy is used or, when the value had to be reset, a warning message is logged.

CUPS now disables SSLv3 encryption by default

Previously, it was not possible to disable SSLv3 encryption in the CUPS scheduler, which left it vulnerable to attacks against SSLv3. To solve this issue, the cupsd.conf SSLOptions keyword has been extended to include two new options, AllowRC4 and AllowSSL3, each of which enables the named feature in cupsd. The new options are also supported in the /etc/cups/client.conf file. The default is now to disable both RC4 and SSL3 for cupsd.
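The following cupsd.conf fragment is an added illustration, not text from the CUPS documentation or the release notes; it shows the hardened default beside the legacy setting that re-enables the weak features. The Listen address is a constructed example.

```apache
# /etc/cups/cupsd.conf (illustrative fragment)

# Accept connections on the standard IPP port and require TLS for them.
Listen 0.0.0.0:631
DefaultEncryption Required

# Hardened default: neither AllowRC4 nor AllowSSL3 is set, so cupsd
# refuses SSLv3 and the RC4 stream cipher. Writing "None" explicitly
# documents the intent and overrides any earlier SSLOptions line.
SSLOptions None

# Legacy setting, shown only for comparison. Each keyword re-enables the
# named weak feature for this cupsd; an SSLv3-only or RC4-only device is
# the only reason to set them, and then only until it can be replaced.
#SSLOptions AllowSSL3 AllowRC4

# The same SSLOptions keyword is honoured in /etc/cups/client.conf for
# the client side of the connection.
```

Restart the scheduler (systemctl restart cups) after editing the file so the new SSLOptions take effect.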

cups now allows underscore in printer names

The cups service now allows users to include the underscore character (_) in local printer names.

Unneeded dependency removed from the tftp-server package

Previously, an additional package was installed by default when installing the tftp-server package. With this update, the superfluous package dependency has been removed, and the unneeded package is no longer installed by default when installing tftp-server.

The deprecated /etc/sysconfig/conman file has been removed

Before the introduction of the systemd manager, various limits for services could be configured in the /etc/sysconfig/conman file. After the migration to systemd, /etc/sysconfig/conman is no longer used and has therefore been removed. To set limits and other daemon parameters, such as LimitCPU=, LimitDATA=, or LimitCORE=, edit the conman.service file. For more information, see the systemd.exec(5) manual page. In addition, a new LimitNOFILE=10000 setting has been added to the systemd.service file; it is commented out by default. Note that after making any changes to the systemd configuration, you must run the systemctl daemon-reload command for the changes to take effect.

mod_nss rebase to version 1.0.11

The mod_nss packages have been upgraded to upstream version 1.0.11, which provides a number of bug fixes and enhancements over the previous version. Notably, mod_nss can now enable TLSv1.2, and SSLv2 has been completely removed. Also, support for the ciphers generally considered to be most secure has been added.

The vsftpd daemon now supports DHE and ECDHE cipher suites

The vsftpd daemon now supports cipher suites based on the ephemeral Diffie–Hellman (DHE) and ephemeral elliptic-curve Diffie–Hellman (ECDHE) key-exchange protocols.

Permissions can now be set for files uploaded with sftp

Inconsistent user environments and strict umask settings could result in inaccessible files when uploading using the sftp utility. With this update, the administrator is able to force exact permissions for files uploaded using sftp, thus avoiding the described issue.

LDAP queries used by ssh-ldap-helper can now be adjusted

Not all LDAP servers use a default schema as expected by the ssh-ldap-helper tool. This update makes it possible for the administrator to adjust the LDAP query used by ssh-ldap-helper to get public keys from servers using a different schema. Default functionality stays untouched.

A new createolddir directive in the logrotate utility

A new logrotate createolddir directive has been added to enable automatic creation of the olddir directory. For more information, see the logrotate(8) manual page.

Error messages from /etc/cron.daily/logrotate are no longer redirected to /dev/null

Error messages generated by the daily cronjob of logrotate are now sent to the root user instead of being silently discarded. In addition, the /etc/cron.daily/logrotate script is marked as a configuration file in RPM.

SEED and IDEA based algorithms restricted in mod_ssl

The set of cipher suites enabled by default in the mod_ssl module of the Apache HTTP Server has been restricted to improve security. SEED and IDEA based encryption algorithms are no longer enabled in the default configuration of mod_ssl.

Apache HTTP Server now supports UPN

Names stored in the subject alternative name (SAN) extension of SSL/TLS client certificates, such as the Microsoft User Principal Name (UPN), can now be used with the SSLUserName directive and are available in mod_ssl environment variables. Users can now authenticate with their Common Access Card (CAC) or any certificate containing a UPN, and have the UPN used as the authenticated user identity, consumed both by access control in Apache and by applications through the REMOTE_USER environment variable or a similar mechanism. As a result, users can now set SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0 for authentication using the UPN.
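The following virtual host is an added example (not configuration from the release notes or from the httpd project) that ties together the UPN-based client-certificate authentication described here and the stricter mod_ssl cipher-suite defaults from the SEED and IDEA note above. Certificate paths, the server name and the example.com realm are placeholders.

```apache
# /etc/httpd/conf.d/cac-portal.conf (illustrative; paths and names are placeholders)
<VirtualHost *:443>
    ServerName portal.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/portal.example.com.key

    # Modern protocols and suites only. The shipped default already drops
    # SEED and IDEA; naming them with "!" keeps that policy explicit even
    # if the server-wide SSLCipherSuite is later changed.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!SEED:!IDEA
    SSLHonorCipherOrder on

    # CA chain that issues the client certificates (CAC or other UPN-bearing
    # certificates). Every request to this host must present one.
    SSLCACertificateFile /etc/pki/tls/certs/client-ca-chain.pem
    SSLVerifyClient require
    SSLVerifyDepth 3

    # Use the first msUPN otherName from the client certificate's SAN as the
    # authenticated user; mod_ssl then exposes it to applications as REMOTE_USER.
    SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0

    <Location /secure>
        # Export SSL_CLIENT_SAN_* and the other SSL_* variables to the application.
        SSLOptions +StdEnvVars
        # Access control on the UPN itself: a valid certificate is not enough,
        # the UPN must also belong to our realm.
        Require expr "%{SSL_CLIENT_SAN_OTHER_msUPN_0} -strcmatch '*@example.com'"
    </Location>
</VirtualHost>
```

A certificate without an msUPN SAN entry leaves the variable empty, so the Require expression denies the request rather than falling back to the subject DN.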

The mod_dav lock database is now enabled by default in the mod_dav_fs module

The mod_dav lock database is now enabled by default if the Apache HTTP mod_dav_fs module is loaded. The default location ServerRoot/davlockdb can be overridden using the DAVLockDB configuration directive.

mod_proxy_wstunnel now supports WebSockets

The Apache HTTP mod_proxy_wstunnel module is now enabled by default and includes support for SSL connections using the wss:// scheme. Additionally, the ws:// scheme can be used in mod_rewrite directives, which allows WebSocket endpoints to be used as rewrite targets and enables WebSocket proxying in the proxy module.
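The following configuration is an added example, not taken from the release notes or the httpd project, showing both forms the note describes: a ProxyPass to a wss:// backend and a mod_rewrite rule that proxies only WebSocket upgrade requests to a ws:// target. Backend hosts, ports and the CA file are placeholders.

```apache
# /etc/httpd/conf.d/websocket-proxy.conf (illustrative; hosts and paths are placeholders)
# Assumes mod_proxy, mod_proxy_wstunnel, mod_rewrite and mod_ssl are loaded.

# 1. Reverse proxy of a WebSocket endpoint to a TLS-protected backend.
#    SSLProxyEngine must be on before ProxyPass may use the wss:// scheme,
#    and the backend certificate is verified against a pinned CA.
SSLProxyEngine on
SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem
SSLProxyVerify require
ProxyPass /ws/chat/ wss://chat-backend.example.internal:8443/chat/

# 2. One application path: requests carrying an Upgrade: websocket header
#    are handed to the WebSocket backend via ws://, everything else goes to
#    the ordinary HTTP backend.
RewriteEngine on
RewriteCond %{HTTP:Upgrade}    websocket [NC]
RewriteCond %{HTTP:Connection} upgrade   [NC]
RewriteRule ^/app/(.*)$ ws://127.0.0.1:8080/$1 [P,L]
ProxyPass        /app/ http://127.0.0.1:8080/
ProxyPassReverse /app/ http://127.0.0.1:8080/

# Proxy only the mappings above; ProxyRequests On would turn this server
# into an open forward proxy.
ProxyRequests Off
```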

A Tuned profile optimized for Oracle database servers has been included

A new oracle Tuned profile, specifically optimized for Oracle database workloads, is now available. The profile is delivered in the tuned-profiles-oracle subpackage so that other related profiles can be added in the future. The oracle profile is based on the enterprise-storage profile but modifies kernel parameters according to Oracle database requirements and turns transparent huge pages off.