Chapter 53. Deprecated Functionality
Deprecated packages related to Identity Management
| Deprecated Packages | Proposed Replacement Package or Product |
|---|---|
| pam_pkcs11 | sssd (contains enhanced smart card functionality) |
| openldap-server | Depending on the use case, migrate to Identity Management included in Red Hat Enterprise Linux or to Red Hat Directory Server. [a] |
[a] Red Hat Directory Server requires a valid Directory Server subscription.
Deprecated Insecure Algorithms and Protocols
- Weak ciphers and algorithms are no longer used by default in
- With this update, the OpenSSH library removes several weak ciphers and algorithms from default configurations. However, backward compatibility is ensured in most cases. The following have been removed from the OpenSSH server and client:
- Host key algorithms:
OpenSSH no longer uses the SHA-1-based key exchange algorithms in FIPS mode
- This update removes the SHA-1-based key exchange algorithms from the default list in FIPS mode. To enable those algorithms, use the following configuration snippet for the
- The SSH-1 protocol has been removed from the
- SSH-1 protocol support has been removed from the OpenSSH server. For more information, see the "The server-side SSH-1 protocol removal from RHEL 7.4" Knowledgebase article.
- MD5, MD4, and SHA0 can no longer be used as signing algorithms in
- With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL) and message signatures has been removed. Additionally, the default algorithm for generating digital signatures has been changed from SHA-1 to SHA-256. The verification of SHA-1 signatures is still enabled for legacy purposes. The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the /etc/pki/tls/legacy-settings policy configuration file, for example:
echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings
To add more than one legacy algorithm, use a comma or any whitespace character except for a new line. See the README.legacy-settings file in the OpenSSL package for more information. You can also enable MD5 verification by setting the
OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits
- This update prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as Logjam. The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
- SSL 2.0 support has been completely removed from
- The SSL protocol version 2.0, which has been considered insecure for more than seven years, was deprecated by RFC 6176 in 2011. In Red Hat Enterprise Linux, support of SSL 2.0 was already disabled by default. With this update, SSL 2.0 support has been removed completely. The OpenSSL library API calls that use this protocol version now return an error message.
- EXPORT cipher suites in OpenSSL have been deprecated
- This change removes support for EXPORT cipher suites from the OpenSSL toolkit. Disabling these weak cipher suites ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as FREAK. EXPORT cipher suites are no longer required in any
GnuTLS clients no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using GnuTLS are not susceptible to vulnerabilities, such as Logjam. In applications that accept a priority string from the user or configuration directly, this change can be reverted by appending the priority string %PROFILE_VERY_WEAK to the used priority string.
TLS no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using NSS are not susceptible to vulnerabilities, such as Logjam. The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel7.config policy configuration file to:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"
Note that an empty line is required at the end of the file.
- EXPORT cipher suites in NSS have been deprecated
- This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites protects against vulnerabilities, such as FREAK. EXPORT cipher suites are not required in any
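A defender's check for the two OpenSSL overrides described above (LegacySigningMDs and MinimumDHBits in /etc/pki/tls/legacy-settings), as an added example that is not part of the original release notes: it reports whether a settings file re-enables legacy digests or lowers the DH minimum below 1024 bits. The function name, the output labels and the sample file contents are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: audit an OpenSSL legacy-settings file for weakened policy.
# audit_legacy_settings is a hypothetical helper, not part of any package.

# Prints one finding per line; exit status 1 if the file weakens defaults.
audit_legacy_settings() {
    # Assumption: an unreadable or absent file means no overrides are set.
    [ -r "$1" ] || return 0
    awk '
        # Algorithms may be separated by commas or whitespace on one line.
        $1 == "LegacySigningMDs" {
            for (i = 2; i <= NF; i++) {
                n = split($i, part, ",")
                for (j = 1; j <= n; j++)
                    if (part[j] != "") { print "legacy-md " part[j]; bad = 1 }
            }
        }
        # A minimum under 1024 bits removes the protection against Logjam.
        $1 == "MinimumDHBits" && $2 + 0 < 1024 {
            print "weak-dh " $2; bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample file (the algorithm spellings are illustrative).
sample=$(mktemp)
printf '%s\n' 'LegacySigningMDs md5, sha0' 'MinimumDHBits 768' > "$sample"
if ! findings=$(audit_legacy_settings "$sample"); then
    printf 'weakened crypto policy:\n%s\n' "$findings"
fi
rm -f "$sample"
```

On a real host, pass /etc/pki/tls/legacy-settings as the argument; a non-zero exit status makes the check usable from a configuration-compliance job.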
Legacy CA certificates removed from the ca-certificates package
glib-networking libraries to remain compatible with the Public Key Infrastructure (PKI), the ca-certificates package included a set of legacy CA certificates with 1024-bit RSA keys as trusted by default.
glib-networking are available, which are able to correctly identify a replacement of root CA certificates. Trusting these legacy CA certificates is no longer required for public web PKI compatibility.
coolkey replaced with opensc
The OpenSC library implements the PKCS#11 API and replaces the coolkey packages. In Red Hat Enterprise Linux 7, the CoolKey Applet functionality is also provided by the opensc package.
FedFS has been deprecated
autofs, which provides more flexible functionality.
Btrfs has been deprecated
The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.
The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.
sshd, and other network services, has been deprecated.
nautilus-open-terminal replaced with gnome-terminal-nautilus
sslwrap() removed from Python
The sslwrap() function has been removed from Python 2.7. After Python Enhancement Proposal (PEP) 466 was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream. Red Hat recommends using the
Windows guest virtual machine support limited
libnetlink is deprecated
The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the
S3 and S4 power management states for KVM have been deprecated
The Certificate Server plug-in udnPwdDirAuth is discontinued
The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.
Red Hat Access plug-in for IdM is discontinued
The Ipsilon identity provider service for federated single sign-on
rsyslog options deprecated
The rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.
- The functionality previously provided by the options
-6 can be achieved using the
- There is no replacement for the functionality previously provided by the options
Deprecated symbols from the
memkind library have been deprecated:
Options of Sockets API Extensions for SCTP (RFC 6458) deprecated
SCTP_DEFAULT_SEND_PARAM of Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.
SCTP_DEFAULT_SNDINFO have been implemented as a replacement for the deprecated options.
Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by
libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.
dconf-dbus-1 has been deprecated and dconf-editor is now delivered separately
The dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library has been backported to preserve binary compatibility. Red Hat recommends using the GDBus library instead of
The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package; see Chapter 8, Desktop for more information.
FreeRADIUS no longer accepts Auth-Type := System
The FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unix authentication module. This option has been replaced by the use of the unix module in the authorize section of the configuration file.
Deprecated Device Drivers
- The following controllers from the megaraid_sas driver have been deprecated:
- Dell PERC5, PCI ID 0x15
- SAS1078R, PCI ID 0x60
- SAS1078DE, PCI ID 0x7C
- SAS1064R, PCI ID 0x411
- VERDE_ZCR, PCI ID 0x413
- SAS1078GEN2, PCI ID 0x78
- The following Ethernet adapter controlled by the be2net driver has been deprecated:
- TIGERSHARK NIC, PCI ID 0x0700
- The following controllers from the be2iscsi driver have been deprecated:
- Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
- OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
- OCe10100 BE2 adapter family, PCI ID 0x703
- The following Emulex boards from the lpfc driver have been deprecated:
BladeEngine 2 (BE2) Devices
- TIGERSHARK FCOE, PCI ID 0x0704
Fibre Channel (FC) Devices
- FIREFLY, PCI ID 0x1ae5
- PROTEUS_VF, PCI ID 0xe100
- BALIUS, PCI ID 0xe131
- PROTEUS_PF, PCI ID 0xe180
- RFLY, PCI ID 0xf095
- PFLY, PCI ID 0xf098
- LP101, PCI ID 0xf0a1
- TFLY, PCI ID 0xf0a5
- BSMB, PCI ID 0xf0d1
- BMID, PCI ID 0xf0d5
- ZSMB, PCI ID 0xf0e1
- ZMID, PCI ID 0xf0e5
- NEPTUNE, PCI ID 0xf0f5
- NEPTUNE_SCSP, PCI ID 0xf0f6
- NEPTUNE_DCSP, PCI ID 0xf0f7
- FALCON, PCI ID 0xf180
- SUPERFLY, PCI ID 0xf700
- DRAGONFLY, PCI ID 0xf800
- CENTAUR, PCI ID 0xf900
- PEGASUS, PCI ID 0xf980
- THOR, PCI ID 0xfa00
- VIPER, PCI ID 0xfb00
- LP10000S, PCI ID 0xfc00
- LP11000S, PCI ID 0xfc10
- LPE11000S, PCI ID 0xfc20
- PROTEUS_S, PCI ID 0xfc50
- HELIOS, PCI ID 0xfd00
- HELIOS_SCSP, PCI ID 0xfd11
- HELIOS_DCSP, PCI ID 0xfd12
- ZEPHYR, PCI ID 0xfe00
- HORNET, PCI ID 0xfe05
- ZEPHYR_SCSP, PCI ID 0xfe11
- ZEPHYR_DCSP, PCI ID 0xfe12
- 0x2422 -> ISP24xx
- 0x2432 -> ISP24xx
- 0x5422 -> ISP2422
- 0x5432 -> QLE220
- 0x8001 -> QLE81xx
- 0xF000 -> QLE10000
- 0x8044 -> QLE84xx
- 0x8432 -> QLE8000
SFN4XXX adapters have been deprecated
sfc for all adapters. Recently, support of SFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Both drivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled for removal in a future major release.