Chapter 25. Deprecated Functionality
This chapter provides an overview of functionality that has been deprecated, or in some cases removed, in all minor releases up to Red Hat Enterprise Linux 6.9.
Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 6. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.
Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.
A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar or identical to, or more advanced than, the deprecated one, and provides further recommendations.
Deprecated Insecure Algorithms and Protocols
Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. See the Deprecation of Insecure Algorithms and Protocols in RHEL 6.9 article on the Red Hat Customer Portal for more information.
- MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL
- With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL) and message signatures is removed.
The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the /etc/pki/tls/legacy-settings policy configuration file, for example:
    echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings
To add more than one legacy algorithm, use a comma or any whitespace character except a new line. See the README.legacy-settings in the OpenSSL package for more information.
You can also enable MD5 verification by setting the OPENSSL_ENABLE_MD5_VERIFY environment variable.
- OpenSSL clients no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using OpenSSL are not vulnerable to attacks such as the LOGJAM attack.
The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
    echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
- EXPORT cipher suites in OpenSSL are deprecated
- This change removes support for EXPORT cipher suites in the OpenSSL toolkit. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.
- GnuTLS clients no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using GnuTLS are not vulnerable to attacks such as the LOGJAM attack.
The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:
    echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings
This option can also be used to raise the minimum if required by the system administrator.
- EXPORT cipher suites in GnuTLS are deprecated
- This change removes support for EXPORT cipher suites in the GNU Transport Layer Security (GnuTLS) library. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.
The GnuTLS EXPORT cipher suite priority string remains, but as an alias for the NORMAL priority string.
- MD5 can no longer be used as a signing algorithm in NSS
- This change prevents the Network Security Services (NSS) library from using MD5 as the signing algorithm in TLS. This change ensures that programs using NSS are not vulnerable to attacks such as the SLOTH attack.
The system administrator can enable MD5 support by modifying the /etc/pki/nss-legacy/nss-rhel6.config policy configuration file to:
    library=
    name=Policy
    NSS=flags=policyOnly,moduleDB
    config="allow=MD5"
Note that an empty line is required at the end of the file.
- NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits
- This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using NSS are not vulnerable to attacks such as the LOGJAM attack.
The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel6.config policy configuration file to:
    library=
    name=Policy
    NSS=flags=policyOnly,moduleDB
    config="allow=DH-MIN=767:DSA-MIN=767:RSA-MIN=767"
Note that an empty line is required at the end of the file.
- EXPORT cipher suites in NSS are deprecated
- This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.
- Deprecated algorithms in OpenSSH: RC4, hmac-md5, and hmac-md5-96
- With this update, the arcfour256, arcfour128, arcfour ciphers and the hmac-md5, hmac-md5-96 Message Authentication Code (MAC) algorithms are deprecated. Note that this change does not affect any existing server configuration.
The system administrator can enable these deprecated algorithms by editing the ssh_config file, for example:
    Host legacy-system.example.com
      Ciphers arcfour
      MACs hmac-md5
To completely restore all the deprecated algorithms, add the following snippet to the /etc/ssh/ssh_config file:
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
- GnuTLS no longer provides cryptographic back-end replacement APIs
- The functions implementing cryptographic back-end replacement are considered obsolete and act as no-operation functions now. The following functions exported in the gnutls/crypto.h file are affected:
- gnutls_crypto_single_cipher_register2
- gnutls_crypto_single_mac_register2
- gnutls_crypto_single_digest_register2
- gnutls_crypto_cipher_register2
- gnutls_crypto_mac_register2
- gnutls_crypto_digest_register2
- gnutls_crypto_rnd_register2
- gnutls_crypto_pk_register2
- gnutls_crypto_bigint_register2
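An added example, not part of the Red Hat documentation: a shell audit that reports where the overrides described in this section (LegacySigningMDs and MinimumDHBits in legacy-settings, and Ciphers/MACs lines in ssh_config) have re-enabled deprecated algorithms. It assumes legacy-settings holds one "Option value" pair per line; the function names and the output format are hypothetical.

```shell
#!/bin/sh
# Added example (not Red Hat code); function names are hypothetical.

# audit_tls_legacy FILE
# Assumes one "Option value..." pair per line, as in the echo examples above.
audit_tls_legacy() {
    [ -r "$1" ] || return 0
    awk '
        $1 == "LegacySigningMDs" {
            # Algorithms may be separated by commas or whitespace.
            line = $0
            sub(/^[ \t]*LegacySigningMDs[ \t]*/, "", line)
            n = split(line, md, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (md[i] != "") print "WEAK tls LegacySigningMDs " md[i]
        }
        $1 == "MinimumDHBits" && NF >= 2 && $2 + 0 < 1024 {
            print "WEAK tls MinimumDHBits " $2
        }
    ' "$1"
}

# audit_ssh_config FILE
# Flags the deprecated RC4 ciphers and MD5 MACs on Ciphers/MACs lines.
audit_ssh_config() {
    [ -r "$1" ] || return 0
    awk '
        BEGIN {
            split("arcfour256 arcfour128 arcfour", c, " ")
            split("hmac-md5 hmac-md5-96", m, " ")
            for (i in c) bad["ciphers", c[i]] = 1
            for (i in m) bad["macs", m[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Keywords are case-insensitive; "=" may replace the blank.
            if (!match(tolower(line), /^(ciphers|macs)[ \t=]+/)) next
            key = tolower(substr(line, 1, RLENGTH))
            sub(/[ \t=]+$/, "", key)
            n = split(substr(line, RLENGTH + 1), alg, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if ((key, alg[i]) in bad) print "WEAK ssh " key " " alg[i]
        }
    ' "$1"
}

audit_tls_legacy /etc/pki/tls/legacy-settings
audit_ssh_config /etc/ssh/ssh_config
```

Per-user files such as ~/.ssh/config can be passed to audit_ssh_config in the same way.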
Deprecated Drivers
- Deprecated device drivers
- 3w-9xxx
- 3w-sas
- 3w-xxxx
- aic7xxx
- i2o
- ips
- megaraid_mbox
- mptbase
- mptctl
- mptfc
- mptlan
- mptsas
- mptscsih
- mptspi
- sym53c8xx
- qla3xxx
The following controllers from the megaraid_sas driver have been deprecated:
- Dell PERC5, PCI ID 0x15
- SAS1078R, PCI ID 0x60
- SAS1078DE, PCI ID 0x7C
- SAS1064R, PCI ID 0x411
- VERDE_ZCR, PCI ID 0x413
- SAS1078GEN2, PCI ID 0x78
The following controllers from the be2iscsi driver have been deprecated:
- BE_DEVICE_ID1, PCI ID 0x212
- OC_DEVICE_ID1, PCI ID 0x702
- OC_DEVICE_ID2, PCI ID 0x703
Note that other controllers from the mentioned drivers that are not listed here remain unchanged.
Other Deprecated Components
- cluster, luci components
- The fence_sanlock agent and checkquorum.wdmd, introduced in Red Hat Enterprise Linux 6.4 as a Technology Preview and providing mechanisms to trigger the recovery of a node using a hardware watchdog device, are considered deprecated.
- openswan component
- The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for openswan to provide the VPN endpoint solution. openswan is replaced by libreswan during the system upgrade.
- seabios component
- Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.
- The zerombr yes Kickstart command is deprecated
- In some earlier versions of Red Hat Enterprise Linux, the zerombr yes command was used to initialize any invalid partition tables during a Kickstart installation. This was inconsistent with the rest of the Kickstart commands due to requiring two words while all other commands require one. Starting with Red Hat Enterprise Linux 6.7, specifying only zerombr in your Kickstart file is sufficient, and the old two-word form is deprecated.
- Btrfs file system
- B-tree file system (Btrfs) is considered deprecated for Red Hat Enterprise Linux 6. Btrfs was previously provided as a Technology Preview, available on AMD64 and Intel 64 architectures.
- eCryptfs file system
- eCryptfs file system, which was previously available as a Technology Preview, is considered deprecated for Red Hat Enterprise Linux 6.
- mingw component
- Following the deprecation of Matahari packages in Red Hat Enterprise Linux 6.3, at which time the mingw packages were noted as deprecated, and the subsequent removal of Matahari packages from Red Hat Enterprise Linux 6.4, the mingw packages were removed from Red Hat Enterprise Linux 6.6 and later.
The mingw packages are no longer shipped in Red Hat Enterprise Linux 6 minor releases, nor will they receive security-related updates. Consequently, users are advised to uninstall any earlier releases of the mingw packages from their Red Hat Enterprise Linux 6 systems.
- virtio-win component, BZ#1001981
- The VirtIO SCSI driver is no longer supported on the Microsoft Windows Server 2003 platform.
- fence-agents component
- Prior to the Red Hat Enterprise Linux 6.5 release, the Red Hat Enterprise Linux High Availability Add-On was considered fully supported on certain VMware ESXi/vCenter versions in combination with the fence_scsi fence agent. Due to limitations in these VMware platforms in the area of SCSI-3 persistent reservations, the fence_scsi fencing agent is no longer supported on any version of the Red Hat Enterprise Linux High Availability Add-On in VMware virtual machines, except when using iSCSI-based storage. See the Virtualization Support Matrix for High Availability for full details on supported combinations: https://access.redhat.com/site/articles/29440.
Users using fence_scsi on an affected combination can contact Red Hat Global Support Services for assistance in evaluating alternative configurations or for additional information.
- systemtap component
- The systemtap-grapher package has been removed from Red Hat Enterprise Linux 6. For more information, see https://access.redhat.com/solutions/757983.
- matahari component
- The Matahari agent framework (matahari-*) packages have been removed from Red Hat Enterprise Linux 6. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users.
- distribution component
- The following packages have been deprecated and are subject to removal in a future release of Red Hat Enterprise Linux 6. These packages will not be updated in the Red Hat Enterprise Linux 6 repositories and customers who do not use the MRG-Messaging product are advised to uninstall them from their system.
- python-qmf
- python-qpid
- qpid-cpp
- qpid-qmf
- qpid-tests
- qpid-tools
- ruby-qpid
- saslwrapper
Red Hat MRG-Messaging customers will continue to receive updated functionality as part of their regular updates to the product.
- fence-virt component
- The libvirt-qpid is no longer part of the fence-virt package.
- openscap component
- The openscap-perl subpackage has been removed from openscap.