Chapter 53. Deprecated Functionality in Red Hat Enterprise Linux 7
Deprecated packages related to Identity Management
The following packages are deprecated and will not be included in a future major release of Red Hat Enterprise Linux:
| Deprecated Packages | Proposed Replacement Package or Product |
| openldap-servers | Depending on the use case, migrate to Identity Management included in Red Hat Enterprise Linux or to Red Hat Directory Server. [c] |
[a] System Security Services Daemon (SSSD) contains enhanced smart card functionality.
[c] Red Hat Directory Server requires a valid Directory Server subscription.
Deprecated Insecure Algorithms and Protocols
Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. See the Enhancing the Security of the Operating System with Cryptography Changes in Red Hat Enterprise Linux 7.4 Knowledgebase article on the Red Hat Customer Portal for more information.
- Weak ciphers and algorithms are no longer used by default in OpenSSH
- With this update, the OpenSSH library removes several weak ciphers and algorithms from default configurations. However, backward compatibility is ensured in most cases.
The following have been removed from the OpenSSH server and client:
The following have been removed from the
- Host key algorithms:
OpenSSH no longer uses the SHA-1-based key exchange algorithms in FIPS mode
- This update removes the SHA-1-based key exchange algorithms from the default list in FIPS mode. To enable those algorithms, use the following configuration snippet for the
- The SSH-1 protocol has been removed from the OpenSSH server
- SSH-1 protocol support has been removed from the OpenSSH server. For more information, see the Knowledgebase article The server-side SSH-1 protocol removal from RHEL 7.4.
- MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL
- With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL) and message signatures has been removed.
Additionally, the default algorithm for generating digital signatures has been changed from SHA-1 to SHA-256. The verification of SHA-1 signatures is still enabled for legacy purposes.
The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the /etc/pki/tls/legacy-settings policy configuration file, for example:
echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings
To add more than one legacy algorithm, use a comma or any whitespace character except for a new line. See the README.legacy-settings file in the OpenSSL package for more information.
You can also enable MD5 verification by setting the
OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits
- This update prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as Logjam.
The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
- SSL 2.0 support has been completely removed from OpenSSL
- The SSL protocol version 2.0, which has been considered insecure for more than seven years, was deprecated by RFC 6176 in 2011. In Red Hat Enterprise Linux, support of SSL 2.0 was already disabled by default. With this update, SSL 2.0 support has been removed completely. The OpenSSL library API calls that use this protocol version now return an error message.
- EXPORT cipher suites in OpenSSL have been deprecated
- This change removes support for EXPORT cipher suites from the OpenSSL toolkit. Disabling these weak cipher suites ensures that clients using OpenSSL are not susceptible to vulnerabilities, such as FREAK. EXPORT cipher suites are no longer required in any
GnuTLS clients no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using GnuTLS are not susceptible to vulnerabilities, such as Logjam.
In applications that accept a priority string from the user or configuration directly, this change can be reverted by appending the priority string %PROFILE_VERY_WEAK to the used priority string.
TLS no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that clients using NSS are not susceptible to vulnerabilities, such as Logjam.
The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel7.config policy configuration file to:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"
Note that an empty line is required at the end of the file.
- EXPORT cipher suites in NSS have been deprecated
- This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites protects against vulnerabilities, such as FREAK. EXPORT cipher suites are not required in any
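
The LegacySigningMDs and MinimumDHBits overrides in /etc/pki/tls/legacy-settings described above weaken the OpenSSL defaults for the whole system, so hosts should be checked for them. The following Python code is an added example, not part of the Red Hat documentation or the OpenSSL package; the function name, the constructed sample contents and the treatment of lines starting with '#' as comments are assumptions.

```python
import re

WEAK_DIGESTS = {"md5", "md4", "sha0"}  # digests whose verification was removed
MIN_DH_BITS = 1024                     # client-side DH floor described above

def audit_legacy_settings(text):
    """Return (line number, message) findings for a legacy-settings file body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        fields = line.split(None, 1)
        key, value = fields[0], fields[1] if len(fields) > 1 else ""
        if key == "LegacySigningMDs":
            # Algorithms are separated by commas or whitespace on one line.
            enabled = {a.lower() for a in re.split(r"[,\s]+", value) if a}
            weak = sorted(enabled & WEAK_DIGESTS)
            if weak:
                findings.append(
                    (lineno, "re-enables " + ", ".join(weak) + " signature verification"))
        elif key == "MinimumDHBits":
            if not value.isdigit():
                findings.append((lineno, "MinimumDHBits is not a number: %r" % value))
            elif int(value) < MIN_DH_BITS:
                findings.append(
                    (lineno, "DH floor lowered to %s bits (below %d)" % (value, MIN_DH_BITS)))
    return findings

# Constructed sample contents, not taken from a real host.
WEAKENED = "LegacySigningMDs md5, sha0\nMinimumDHBits 768\n"
HARDENED = "# raise the floor\nMinimumDHBits 2048\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pki/tls/legacy-settings"
    try:
        with open(path) as fh:
            body = fh.read()
    except IOError:  # unreadable or absent file: nothing to audit
        body = ""
    for lineno, message in audit_legacy_settings(body):
        print("%s:%d: %s" % (path, lineno, message))
```

Run it with a file path as the only argument, or with no argument to read /etc/pki/tls/legacy-settings; no output means neither override lowers the defaults.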
Legacy CA certificates removed from the ca-certificates package
Previously, to allow older versions of the glib-networking libraries to remain compatible with the Public Key Infrastructure (PKI), the ca-certificates package included a set of legacy CA certificates with 1024-bit RSA keys as trusted by default.
Since Red Hat Enterprise Linux 7.4, updated versions of glib-networking are available, which are able to correctly identify a replacement of root CA certificates. Trusting these legacy CA certificates is no longer required for public web PKI compatibility.
The legacy configuration mechanism, which could previously be used to disable the legacy CA certificates, is no longer supported; the list of legacy CA certificates has been changed to empty.
The ca-legacy tool is still available and it also keeps current configuration settings for potential future reuse.
coolkey replaced with opensc
The OpenSC library implements the PKCS#11 API and replaces the coolkey packages. In Red Hat Enterprise Linux 7, the CoolKey Applet functionality is also provided by the opensc package.
The coolkey package will remain supported for the lifetime of Red Hat Enterprise Linux 7, but new hardware enablement will be provided through the opensc package.
inputname option of the rsyslog imudp module has been deprecated
The inputname option of the imudp module for the rsyslog service has been deprecated. Use the
FedFS has been deprecated
Federated File System (FedFS) has been deprecated because the upstream FedFS project is no longer being actively maintained. Red Hat recommends migrating FedFS installations to use autofs, which provides more flexible functionality.
Btrfs has been deprecated
The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.
The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.
The tcp_wrappers package, which provides a library and a small daemon program that can monitor and filter incoming requests for
sshd, and other network services, has been deprecated.
nautilus-open-terminal replaced with gnome-terminal-nautilus
Since Red Hat Enterprise Linux 7.3, the nautilus-open-terminal package has been deprecated and replaced with the gnome-terminal-nautilus package. This package provides a Nautilus extension that adds the Open in Terminal option to the right-click context menu in Nautilus. nautilus-open-terminal is replaced by gnome-terminal-nautilus during the system upgrade.
sslwrap() removed from Python
The sslwrap() function has been removed from Python 2.7. After Python Enhancement Proposal (PEP) 466 was implemented, using this function resulted in a segmentation fault. The removal is consistent with upstream.
Red Hat recommends using the ssl.SSLContext class and the ssl.SSLContext.wrap_socket() function instead. Most applications can simply use the ssl.create_default_context() function, which creates a context with secure default settings. The default context uses the system's default trust store, too.
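
A migration helper following the recommendation above, as an added example rather than code from Red Hat or the Python project. It targets Python 3 (ssl.MemoryBIO is not available in Python 2.7); the function names and the host name example.test are illustrative assumptions.

```python
import socket
import ssl

def make_client_context(cafile=None):
    """Verified client context; cafile=None means the system trust store."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)

def connect_tls(host, port=443, timeout=10.0, cafile=None):
    """What code that relied on sslwrap() can call instead: a verified TLS socket."""
    ctx = make_client_context(cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and host name verification.
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise

def wrap_without_hostname_fails():
    """The default context refuses to wrap a socket it cannot verify a name for."""
    ctx = make_client_context()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        ctx.wrap_socket(sock)  # no server_hostname given
    except ValueError:
        return True
    finally:
        sock.close()
    return False

def client_hello_for(host):
    """Start a handshake over in-memory BIOs (no network); return the first record."""
    ctx = make_client_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is queued and the client waits for the server
    return outgoing.read()

if __name__ == "__main__":
    ctx = make_client_context()
    print("verify_mode:", ctx.verify_mode, "check_hostname:", ctx.check_hostname)
    print("wrap without host name rejected:", wrap_without_hostname_fails())
    print("ClientHello bytes:", len(client_hello_for("example.test")))
```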
Symbols from libraries linked as dependencies no longer resolved by ld
Previously, the ld linker resolved any symbols present in any linked library, even if some libraries were linked only implicitly as dependencies of other libraries. This allowed developers to use symbols from the implicitly linked libraries in application code and omit explicitly specifying these libraries for linking.
For security reasons, ld has been changed to not resolve references to symbols in libraries linked implicitly as dependencies.
As a result, linking with ld fails when application code attempts to use symbols from libraries not declared for linking and linked only implicitly as dependencies. To use symbols from libraries linked as dependencies, developers must explicitly link against these libraries as well.
To restore the previous behavior of ld, use the -copy-dt-needed-entries command-line option. (BZ#1292230)
Windows guest virtual machine support limited
As of Red Hat Enterprise Linux 7, Windows guest virtual machines are supported only under specific subscription programs, such as Advanced Mission Critical (AMC).
libnetlink is deprecated
The libnetlink library contained in the iproute-devel package has been deprecated. The user should use the
S3 and S4 power management states for KVM have been deprecated
Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.
The Certificate Server plug-in udnPwdDirAuth is discontinued
The udnPwdDirAuth authentication plug-in for the Red Hat Certificate Server was removed in Red Hat Enterprise Linux 7.3. Profiles using the plug-in are no longer supported. Certificates created with a profile using the udnPwdDirAuth plug-in are still valid if they have been approved.
Red Hat Access plug-in for IdM is discontinued
The Red Hat Access plug-in for Identity Management (IdM) was removed in Red Hat Enterprise Linux 7.3. During the update, the redhat-access-plugin-ipa package is automatically uninstalled. Features previously provided by the plug-in, such as Knowledgebase access and support case engagement, are still available through the Red Hat Customer Portal. Red Hat recommends exploring alternatives, such as the
The Ipsilon identity provider service for federated single sign-on
The ipsilon packages were introduced as Technology Preview in Red Hat Enterprise Linux 7.2. Ipsilon links authentication providers and applications or utilities to allow for single sign-on (SSO).
Red Hat does not plan to upgrade Ipsilon from Technology Preview to a fully supported feature. The ipsilon packages will be removed from Red Hat Enterprise Linux in a future minor release.
Red Hat has released Red Hat Single Sign-On as a web SSO solution based on the Keycloak community project. Red Hat Single Sign-On provides greater capabilities than Ipsilon and is designated as the standard web SSO solution across the Red Hat product portfolio.
rsyslog options deprecated
The rsyslog utility version in Red Hat Enterprise Linux 7.4 has deprecated a large number of options. These options no longer have any effect and cause a warning to be displayed.
- The functionality previously provided by the options
-6 can be achieved using the
- There is no replacement for the functionality previously provided by the options
Deprecated symbols from the memkind library
The following symbols from the memkind library have been deprecated:
Options of Sockets API Extensions for SCTP (RFC 6458) deprecated
SCTP_DEFAULT_SEND_PARAM of Sockets API Extensions for the Stream Control Transmission Protocol have been deprecated per the RFC 6458 specification.
SCTP_DEFAULT_SNDINFO have been implemented as a replacement for the deprecated options.
Managing NetApp ONTAP using SSLv2 and SSLv3 is no longer supported by libstorageMgmt
The SSLv2 and SSLv3 connections to the NetApp ONTAP storage array are no longer supported by the libstorageMgmt library. Users can contact NetApp support to enable the Transport Layer Security (TLS) protocol.
dconf-dbus-1 has been deprecated and dconf-editor is now delivered separately
With this update, the dconf-dbus-1 API has been removed. However, the dconf-dbus-1 library has been backported to preserve binary compatibility. Red Hat recommends using the GDBus library instead of
The dconf-error.h file has been renamed to dconf-enums.h. In addition, the dconf Editor is now delivered in the separate dconf-editor package; see Chapter 8, Desktop for more information.
FreeRADIUS no longer accepts Auth-Type := System
The FreeRADIUS server no longer accepts the Auth-Type := System option for the rlm_unix authentication module. This option has been replaced by the use of the unix module in the authorize section of the configuration file.
Deprecated Device Drivers
- The following controllers from the megaraid_sas driver have been deprecated:
- Dell PERC5, PCI ID 0x15
- SAS1078R, PCI ID 0x60
- SAS1078DE, PCI ID 0x7C
- SAS1064R, PCI ID 0x411
- VERDE_ZCR, PCI ID 0x413
- SAS1078GEN2, PCI ID 0x78
- The following adapters from the qla2xxx driver have been deprecated:
- ISP24xx, PCI ID 0x2422
- ISP24xx, PCI ID 0x2432
- ISP2422, PCI ID 0x5422
- QLE220, PCI ID 0x5432
- QLE81xx, PCI ID 0x8001
- QLE10000, PCI ID 0xF000
- QLE84xx, PCI ID 0x8044
- QLE8000, PCI ID 0x8432
- QLE82xx, PCI ID 0x8021
- The following Ethernet adapter controlled by the be2net driver has been deprecated:
- TIGERSHARK NIC, PCI ID 0x0700
- The following controllers from the be2iscsi driver have been deprecated:
- Emulex OneConnect 10Gb iSCSI Initiator (generic), PCI ID 0x212
- OCe10101, OCm10101, OCe10102, OCm10102 BE2 adapter family, PCI ID 0x702
- OCe10100 BE2 adapter family, PCI ID 0x703
- The following Emulex boards from the lpfc driver have been deprecated:
BladeEngine 2 (BE2) Devices
- TIGERSHARK FCOE, PCI ID 0x0704
Fibre Channel (FC) Devices
- FIREFLY, PCI ID 0x1ae5
- PROTEUS_VF, PCI ID 0xe100
- BALIUS, PCI ID 0xe131
- PROTEUS_PF, PCI ID 0xe180
- RFLY, PCI ID 0xf095
- PFLY, PCI ID 0xf098
- LP101, PCI ID 0xf0a1
- TFLY, PCI ID 0xf0a5
- BSMB, PCI ID 0xf0d1
- BMID, PCI ID 0xf0d5
- ZSMB, PCI ID 0xf0e1
- ZMID, PCI ID 0xf0e5
- NEPTUNE, PCI ID 0xf0f5
- NEPTUNE_SCSP, PCI ID 0xf0f6
- NEPTUNE_DCSP, PCI ID 0xf0f7
- FALCON, PCI ID 0xf180
- SUPERFLY, PCI ID 0xf700
- DRAGONFLY, PCI ID 0xf800
- CENTAUR, PCI ID 0xf900
- PEGASUS, PCI ID 0xf980
- THOR, PCI ID 0xfa00
- VIPER, PCI ID 0xfb00
- LP10000S, PCI ID 0xfc00
- LP11000S, PCI ID 0xfc10
- LPE11000S, PCI ID 0xfc20
- PROTEUS_S, PCI ID 0xfc50
- HELIOS, PCI ID 0xfd00
- HELIOS_SCSP, PCI ID 0xfd11
- HELIOS_DCSP, PCI ID 0xfd12
- ZEPHYR, PCI ID 0xfe00
- HORNET, PCI ID 0xfe05
- ZEPHYR_SCSP, PCI ID 0xfe11
- ZEPHYR_DCSP, PCI ID 0xfe12
To check the PCI IDs of the hardware on your system, run the
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.
SFN4XXX adapters have been deprecated
Starting with Red Hat Enterprise Linux 7.4, SFN4XXX Solarflare network adapters have been deprecated. Previously, Solarflare had a single driver sfc for all adapters. Recently, support of SFN4XXX was split from sfc and moved into a new SFN4XXX-only driver, called sfc-falcon. Both drivers continue to be supported at this time, but sfc-falcon and SFN4XXX support is scheduled for removal in a future major release.
Software initiated only FCoE storage technologies have been deprecated
The software initiated only portion of Fibre Channel over Ethernet (FCoE) storage technology has been deprecated due to limited customer adoption. The software initiated only storage technology will remain supported for the life of Red Hat Enterprise Linux 7. The deprecation notice indicates the intention to remove software-initiated-based FCoE support in a future major release of Red Hat Enterprise Linux. It is important to note that the hardware support and the associated userspace tools (such as drivers,
libfcoe) are unaffected by this deprecation notice.
Containers using the libvirt-lxc tooling have been deprecated
The following libvirt-lxc packages are deprecated since Red Hat Enterprise Linux 7.1:
Future development on the Linux containers framework is now based on the docker command-line interface. libvirt-lxc tooling may be removed in a future release of Red Hat Enterprise Linux (including Red Hat Enterprise Linux 7) and should not be relied upon for developing custom container management applications.
For more information, see the Red Hat KnowledgeBase article.