Chapter 13. Servers and Services
The ErrorPolicy directive is now validated
The ErrorPolicy configuration directive was not validated on startup, so a mistyped value could silently result in an unintended default error policy being applied. The directive is now validated on startup and reset to the default if the configured value is invalid. As a result, a valid value yields the intended policy, and an invalid one causes cupsd to fall back to the default and log a warning instead of applying an unexpected policy without notice.
CUPS now disables SSLv3 encryption by default
Previously, SSLv3 could not be disabled in the CUPS scheduler, which left it vulnerable to attacks against SSLv3. To solve this issue, the SSLOptions keyword in cupsd.conf has been extended with two new options, AllowRC4 and AllowSSL3, each of which re-enables the named feature in cupsd. The new options are also supported in the /etc/cups/client.conf file. The default is now to disable both RC4 and SSLv3 for cupsd; set either option only for a legacy client that cannot be updated, and remove it again once that client is gone.
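The two startup checks described above (an invalid ErrorPolicy value, and SSLOptions that re-enable SSLv3 or RC4) can be audited ahead of time across a fleet. The following is an added example, not CUPS code or part of the cups package; the valid ErrorPolicy values and the stop-printer default follow cupsd.conf(5), and the two sample configurations are constructed for illustration.

```python
"""Audit CUPS configuration files for an invalid ErrorPolicy value and for
SSLOptions keywords that re-enable weak TLS features.
Added example, not part of CUPS; the sample configs below are constructed."""
import os

# Valid ErrorPolicy values and the default, per cupsd.conf(5).
VALID_ERROR_POLICIES = {"abort-job", "retry-job", "retry-current-job", "stop-printer"}
DEFAULT_ERROR_POLICY = "stop-printer"

# SSLOptions keywords that re-enable features the default leaves disabled.
WEAK_SSL_OPTIONS = {
    "AllowSSL3": "SSLv3 connections are accepted",
    "AllowRC4": "RC4 cipher suites are accepted",
}


def parse_directives(text):
    """Return (name, value) pairs for every non-comment directive line."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        directives.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return directives


def audit_cups_config(text):
    """Return (effective_error_policy, findings).

    The effective policy mirrors the new cupsd behaviour: an invalid value
    falls back to the default. findings lists human-readable warnings."""
    findings = []
    policy = DEFAULT_ERROR_POLICY
    for name, value in parse_directives(text):
        key = name.lower()                        # cupsd directive names are case-insensitive
        if key == "errorpolicy":
            if value in VALID_ERROR_POLICIES:
                policy = value
            else:
                findings.append(
                    f"ErrorPolicy '{value}' is not valid; cupsd falls back to "
                    f"{DEFAULT_ERROR_POLICY} and logs a warning")
        elif key == "ssloptions":
            for opt in value.split():
                if opt in WEAK_SSL_OPTIONS:
                    findings.append(f"SSLOptions {opt}: {WEAK_SSL_OPTIONS[opt]}")
    return policy, findings


# Constructed sample: the weak configuration and its hardened counterpart.
WEAK_CONF = """\
# constructed cupsd.conf fragment, not a real host's configuration
ErrorPolicy continue-job          # typo: not one of the four valid policies
SSLOptions AllowSSL3 AllowRC4     # re-enables what the update disabled by default
"""

HARDENED_CONF = """\
ErrorPolicy retry-job
SSLOptions None                   # no optional features: SSLv3 and RC4 stay off
"""


if __name__ == "__main__":
    for label, text in (("weak sample", WEAK_CONF), ("hardened sample", HARDENED_CONF)):
        policy, findings = audit_cups_config(text)
        print(f"{label}: effective ErrorPolicy={policy}, {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
    # Audit the live files when run on a CUPS host (skipped if absent).
    for path in ("/etc/cups/cupsd.conf", "/etc/cups/client.conf"):
        if os.path.exists(path):
            with open(path) as fh:
                policy, findings = audit_cups_config(fh.read())
            print(f"{path}: effective ErrorPolicy={policy}")
            for f in findings:
                print("  -", f)
```

The audit reports the effective policy rather than only the configured one, so the output shows what cupsd will actually do after the fallback; any AllowSSL3 or AllowRC4 finding should be traceable to a named legacy client.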
cups now allows underscore in printer names
The cups service now allows users to include the underscore character (_) in local printer names.
Unneeded dependency removed from the tftp-server package
Previously, an additional package was installed by default when installing the tftp-server package. With this update, the superfluous package dependency has been removed, and the unneeded package is no longer installed by default when installing tftp-server.
The deprecated /etc/sysconfig/conman file has been removed
Before the introduction of the systemd manager, various limits for the service could be configured in the /etc/sysconfig/conman file. After the migration to systemd, /etc/sysconfig/conman is no longer read and has therefore been removed. To set resource limits and other daemon parameters, such as LimitCPU=, LimitDATA=, or LimitCORE=, edit the conman.service unit file; see the systemd.exec(5) manual page for the available settings. In addition, a LimitNOFILE=10000 setting has been added to that unit file, commented out by default. Note that after any change to the systemd configuration, the systemctl daemon-reload command must be run for the change to take effect.
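Rather than editing the packaged conman.service file directly, the same Limit*= settings can be placed in a drop-in under /etc/systemd/system/conman.service.d/, which survives package updates. The following helper is an added example, not part of the conman or systemd packages; it assumes the standard systemd drop-in layout and validates values more strictly than systemd itself (plain numbers, infinity, or soft:hard, without unit suffixes).

```python
"""Write a systemd drop-in carrying the Limit*= settings that used to live in
/etc/sysconfig/conman. Added example, not part of conman or systemd."""
import os
import re
import subprocess

# [Service] resource-limit directives listed in systemd.exec(5).
LIMIT_DIRECTIVES = {
    "LimitCPU", "LimitFSIZE", "LimitDATA", "LimitSTACK", "LimitCORE", "LimitRSS",
    "LimitNOFILE", "LimitAS", "LimitNPROC", "LimitMEMLOCK", "LimitLOCKS",
    "LimitSIGPENDING", "LimitMSGQUEUE", "LimitNICE", "LimitRTPRIO", "LimitRTTIME",
}
# Deliberately strict: systemd also accepts unit suffixes, which this check rejects.
_VALUE_RE = re.compile(r"^(infinity|\d+)(:(infinity|\d+))?$")


def render_dropin(limits):
    """Validate the requested limits and return the drop-in file contents."""
    lines = ["[Service]"]
    for name, value in sorted(limits.items()):
        if name not in LIMIT_DIRECTIVES:
            raise ValueError(f"{name} is not a Limit*= directive")
        if not _VALUE_RE.match(str(value)):
            raise ValueError(f"{name}={value}: expected infinity, N, or soft:hard")
        lines.append(f"{name}={value}")
    return "\n".join(lines) + "\n"


def write_dropin(limits, unit="conman.service", root="/"):
    """Write <root>/etc/systemd/system/<unit>.d/limits.conf and return its path.

    root is a hypothetical prefix so the function can target a staging tree."""
    dropin_dir = os.path.join(root, "etc/systemd/system", unit + ".d")
    os.makedirs(dropin_dir, exist_ok=True)
    path = os.path.join(dropin_dir, "limits.conf")
    with open(path, "w") as fh:
        fh.write(render_dropin(limits))
    return path


if __name__ == "__main__":
    # Run as root on the target host; the daemon-reload is what makes the
    # new limits visible to systemd before the next restart of conman.
    path = write_dropin({"LimitNOFILE": 10000, "LimitCORE": "infinity"})
    print("wrote", path)
    subprocess.run(["systemctl", "daemon-reload"], check=True)
```

After the reload, `systemctl show conman.service -p LimitNOFILE` confirms the value systemd will apply on the next start of the service.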
mod_nss rebase to version 1.0.11
The mod_nss packages have been upgraded to upstream version 1.0.11, which provides a number of bug fixes and enhancements over the previous version. Notably, mod_nss can now enable TLSv1.2, SSLv2 support has been removed entirely, and support for the cipher suites generally considered the most secure has been added.
The vsftpd daemon now supports DHE and ECDHE cipher suites
The vsftpd daemon now supports cipher suites based on the ephemeral Diffie-Hellman (DHE) and ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key exchanges, which provide forward secrecy for the TLS session.
Permissions can now be set for files uploaded with sftp
Inconsistent user environments and strict umask settings could result in files uploaded with the sftp utility being inaccessible to their intended readers. With this update, the administrator can force exact permissions on files uploaded through sftp, thus avoiding the described issue.
LDAP queries used by ssh-ldap-helper can now be adjusted
Not all LDAP servers use the default schema expected by the ssh-ldap-helper tool. This update makes it possible for the administrator to adjust the LDAP query used by ssh-ldap-helper to retrieve public keys from servers that use a different schema. The default behaviour is unchanged.
A new createolddir directive in the logrotate utility
A new logrotate directive, createolddir, has been added to enable automatic creation of the olddir directory. For more information, see the logrotate(8) manual page.
Error messages from /etc/cron.daily/logrotate are no longer redirected to /dev/null
Error messages generated by the daily logrotate cron job are now sent to the root user instead of being silently discarded, so a failing rotation is no longer invisible. In addition, the /etc/cron.daily/logrotate script is now marked as a configuration file in RPM, so local modifications are not silently overwritten on package update.
SEED and IDEA based algorithms restricted in mod_ssl
The set of cipher suites enabled by default in the mod_ssl module of the Apache HTTP Server has been restricted to improve security. SEED- and IDEA-based encryption algorithms are no longer enabled in the default configuration of mod_ssl.
Apache HTTP Server now supports UPN
Names stored in the subject alternative name (SAN) extension of SSL/TLS client certificates, such as the Microsoft User Principal Name (UPN), can now be referenced from the SSLUserName directive and are available as mod_ssl environment variables. Users can therefore authenticate with a Common Access Card (CAC) or any certificate carrying a UPN and have that UPN used as the authenticated user identity, consumed both by access control in Apache and by applications through the REMOTE_USER environment variable or a similar mechanism. To authenticate using the UPN, set SSLUserName SSL_CLIENT_SAN_OTHER_msUPN_0. Because the UPN is simply a field in the certificate, it is only meaningful when the certificate chain is verified (SSLVerifyClient require) against a CA that is actually trusted to assert identities.
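To show where the value behind SSL_CLIENT_SAN_OTHER_msUPN_0 comes from, the following added example decodes a DER-encoded subjectAltName and names its entries the way mod_ssl does (SSL_CLIENT_SAN_DNS_n, SSL_CLIENT_SAN_Email_n, SSL_CLIENT_SAN_OTHER_msUPN_n). It is not Apache or mod_ssl code: the minimal DER encoder and parser are written here for illustration, the SAN bytes are constructed in the block rather than taken from a real certificate, and the OTHER_<oid> label used for otherName types other than msUPN is a local convention of this example.

```python
"""Decode a subjectAltName and derive mod_ssl-style SSL_CLIENT_SAN_* names.
Added example, not Apache/mod_ssl code; SAMPLE_SAN is constructed below."""

MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName type


# --- minimal DER helpers (enough for the structures used here) ---------------
def _encode_len(n):
    return bytes([n]) if n < 0x80 else b"\x81" + bytes([n])


def tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                             # long form: next (ln & 0x7f) bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


# --- GeneralNames parsing -----------------------------------------------------
def parse_san(der):
    """Return [(kind, value), ...] from a DER GeneralNames SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:                       # otherName [0]: type-id OID, [0] EXPLICIT value
            _, oid_body, p = read_tlv(val, 0)
            _, wrapped, _ = read_tlv(val, p)  # the [0] wrapper around the value
            _, string, _ = read_tlv(wrapped, 0)
            names.append(("OTHER_" + decode_oid(oid_body), string.decode("utf-8")))
        elif tag == 0x81:                     # rfc822Name
            names.append(("Email", val.decode("ascii")))
        elif tag == 0x82:                     # dNSName
            names.append(("DNS", val.decode("ascii")))
        else:                                 # other GeneralName choices: keep raw
            names.append((f"tag_{tag:02x}", val.hex()))
    return names


def ssl_client_san_vars(der):
    """Map SAN entries to mod_ssl-style variable names, numbered per kind."""
    env, counters = {}, {}
    for kind, value in parse_san(der):
        if kind == "OTHER_" + MS_UPN_OID:     # the one otherName mod_ssl names specially
            kind = "OTHER_msUPN"
        n = counters.get(kind, 0)
        counters[kind] = n + 1
        env[f"SSL_CLIENT_SAN_{kind}_{n}"] = value
    return env


# Constructed sample SAN: one dNSName plus an msUPN otherName (not from a real cert).
SAMPLE_SAN = tlv(0x30,
                 tlv(0x82, b"workstation.example.com") +
                 tlv(0xA0, encode_oid(MS_UPN_OID) +
                     tlv(0xA0, tlv(0x0C, b"alice@example.com"))))

if __name__ == "__main__":
    for name, value in ssl_client_san_vars(SAMPLE_SAN).items():
        print(f"{name}={value}")
```

The point the decoder makes concrete is that the UPN is an unsigned string chosen by whoever issued the certificate; the _0 index simply means "first msUPN found", so the trust decision rests entirely on chain verification, not on the field itself.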
The mod_dav lock database is now enabled by default in the mod_dav_fs module
The mod_dav lock database is now enabled by default if the Apache HTTP mod_dav_fs module is loaded. The default location, ServerRoot/davlockdb, can be overridden using the DAVLockDB configuration directive.
mod_proxy_wstunnel now supports WebSockets
The Apache HTTP mod_proxy_wstunnel module is now enabled by default and includes support for TLS-protected WebSocket connections using the wss:// scheme. Additionally, the ws:// scheme can now be used in mod_rewrite directives, so a WebSocket endpoint can be the target of a mod_rewrite rule and WebSocket traffic can be handled by the proxy module.
A Tuned profile optimized for Oracle database servers has been included
A new oracle Tuned profile, specifically optimized for Oracle Database workloads, is now available. The profile is delivered in the tuned-profiles-oracle subpackage, so that other related profiles can be added in the future. The oracle profile is based on the enterprise-storage profile, but modifies kernel parameters according to Oracle Database requirements and disables transparent huge pages.