Security

The following security-related features and functionalities are deprecated in Oracle Linux 8.

NSS SEED Ciphers

Support for TLS cipher suites that use the SEED cipher is deprecated in the Mozilla Network Security Services (NSS) library. If your setup relies on SEED cipher suites, enable other cipher suites now, in preparation for the complete removal of SEED from NSS.

TLS 1.0 and TLS 1.1

These two protocols are disabled in the DEFAULT system-wide cryptographic policy level. If you require them, switch the policy to the LEGACY level as follows, then restart the affected services or reboot, because applications read the policy when they start. Note that LEGACY also re-enables other weak algorithms for every application that honours the system-wide policy, not only TLS; where only TLS 1.0 and TLS 1.1 are needed, a custom subpolicy limited to the TLS scope is the narrower change.

sudo update-crypto-policies --set LEGACY

DSA

Authentication mechanisms based on the deprecated Digital Signature Algorithm (DSA) keys no longer work in the default configuration. OpenSSH clients do not accept DSA host keys even when the system-wide cryptographic policy level is set to LEGACY, so hosts that still present only a DSA host key must be given a replacement host key of another type (for example ED25519, ECDSA or RSA) before clients on Oracle Linux 8 can connect to them.

fapolicyd.rules

Policies for allowing and denying execution used to be specified as rules in the /etc/fapolicyd/fapolicyd.rules file. This file is being replaced by component rule files inside the /etc/fapolicyd/rules.d directory.

The fagenrules script merges all component rule files in this directory, in file-name order, into the /etc/fapolicyd/compiled.rules file; because fapolicyd applies the first rule that matches, the numeric prefix of a component file determines the precedence of its rules. Rules in /etc/fapolicyd/fapolicyd.rules are still processed by the fapolicyd framework but only for backward compatibility.

SSL2 Client Hello

Earlier versions of the Transport Layer Security (TLS) protocol accepted a Client Hello message in the Secure Sockets Layer version 2 (SSLv2) format for backward compatibility. This compatibility mode is deprecated in the NSS library and is now disabled by default.

If your application requires the SSLv2-compatible Client Hello, enable it per socket with the SSL_ENABLE_V2_COMPATIBLE_HELLO option, which is set through the SSL_OptionSet function of the NSS API.

Runtime Disabling of SELinux

Setting the SELINUX=disabled option in /etc/selinux/config to disable SELinux at runtime is deprecated. If you use only this option to disable SELinux, SELinux remains enabled in the kernel but with no policy loaded.

To completely disable SELinux, add the selinux=0 parameter to the kernel command line (for example with the grubby tool) and reboot.
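The following shell example is added here and is not part of the release notes. It reports which of the states described above a host will be in after boot, by reading the kernel command line and the SELinux configuration file, and wraps the documented way of disabling SELinux fully. The file paths are parameters so the check can be run against copies of the files; the constructed command lines and configuration files in the test are not from any real system.

```shell
#!/bin/sh
# Added example, not code from the release notes.
# Print one of: "disabled (kernel)", "enabled-no-policy", "enforcing",
# "permissive". Arguments default to the live files on the host.
selinux_boot_state() {
    cmdline_file="${1:-/proc/cmdline}"
    config_file="${2:-/etc/selinux/config}"

    # selinux=0 on the kernel command line is the only full disable and
    # takes precedence over anything in /etc/selinux/config.
    if grep -qE '(^| )selinux=0( |$)' "$cmdline_file"; then
        echo "disabled (kernel)"
        return 0
    fi

    # Last SELINUX= line wins; SELINUXTYPE= does not match this pattern.
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)
    case "$mode" in
        # Deprecated runtime disable: SELinux stays enabled, no policy loaded.
        disabled) echo "enabled-no-policy" ;;
        enforcing|permissive) echo "$mode" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Documented method: put selinux=0 on the command line of every installed
# kernel, then reboot. Needs root; the test does not call it.
disable_selinux_at_boot() {
    grubby --update-kernel ALL --args selinux=0
}
```

Run selinux_boot_state with no arguments on a host to audit it; an "enabled-no-policy" result means the host relies on the deprecated SELINUX=disabled setting and should be moved to the selinux=0 kernel parameter if the intent really is to run without SELinux.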

ipa SELinux Module

This module is no longer maintained and has been removed from the selinux-policy package. Its functionality is now provided by the ipa-selinux package.

TPM 1.2

The Trusted Platform Module (TPM) specification has been updated to version 2.0, which brings multiple improvements but is not backward compatible with TPM 1.2. Consequently, support for TPM 1.2 is deprecated.

crypto-policies

The introduction of scopes for crypto-policies directives in custom policies has resulted in the deprecation of the following derived properties of crypto-policies:

  • tls_cipher

  • ssh_cipher

  • ssh_group

  • ike_protocol

  • sha1_in_dnssec

Use of the protocol property now requires a scope (for example protocol@TLS or protocol@IKE), and the derived properties listed above are superseded by the scoped form of the corresponding base directive, such as cipher@SSH in place of ssh_cipher. For more information, see the crypto-policies(7) manual page.
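The following shell example is added here and is not part of the release notes or of the crypto-policies project. It serves both the TLS 1.0/1.1 item above and this one: instead of switching the whole system to LEGACY, it writes a custom subpolicy module that uses the scoped protocol@TLS directive to re-enable TLS 1.0 and TLS 1.1 for TLS only, leaving SSH, IKE, Kerberos and DNSSEC at their DEFAULT settings, and applies it as DEFAULT:TLS10-COMPAT. The module name TLS10-COMPAT is hypothetical; the directive syntax is the scoped form required by crypto-policies(7).

```shell
#!/bin/sh
# Added example, not code from the release notes or from crypto-policies.
# Hypothetical module name: TLS10-COMPAT.
MODULES_DIR="${MODULES_DIR:-/etc/crypto-policies/policies/modules}"

# Write the subpolicy module. A plain assignment replaces the directive for
# that scope only; ciphers, hashes and key sizes stay as in DEFAULT.
# Contrast with "update-crypto-policies --set LEGACY", which also
# re-enables weak algorithms for every scope and every application.
write_tls_compat_subpolicy() {
    dir="${1:-$MODULES_DIR}"
    cat > "$dir/TLS10-COMPAT.pmod" <<'EOF'
# Re-enable TLS 1.0 and TLS 1.1 for the TLS scope only.
# The protocol directive must carry a scope; an unscoped
# "protocol = ..." line is no longer accepted.
protocol@TLS = TLS1.3 TLS1.2 TLS1.1 TLS1.0 DTLS1.2 DTLS1.0
EOF
    printf '%s\n' "$dir/TLS10-COMPAT.pmod"
}

# Activate DEFAULT plus the module. Applications read the policy at
# start-up, so restart the affected services (or reboot) afterwards.
apply_tls_compat_subpolicy() {
    update-crypto-policies --set DEFAULT:TLS10-COMPAT
}

# Confirm what the back ends were generated with: the minimum TLS version
# handed to OpenSSL lives in the generated opensslcnf.config.
show_openssl_min_protocol() {
    update-crypto-policies --show
    grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config
}
```

Keep the module as narrow as the requirement: once the last client that needs TLS 1.0 or 1.1 is gone, remove it with update-crypto-policies --set DEFAULT rather than leaving the host on LEGACY.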