1. Release Notes for Oracle Linux 9.4
  2. Deprecated Features
  3. Security

Security

The following security related features and functionalities are deprecated in Oracle Linux 9.

SHA-1 Algorithm

The SHA1 algorithm is deprecated in Oracle Linux 9. Digital signatures using SHA-1 hash algorithm are no longer considered secure and therefore not allowed on Oracle Linux 9 systems by default. Oracle Linux 9 has been updated to avoid using SHA-1 in security-related use cases.

However, the HMAC-SHA1 message authentication code and the Universal Unique Identifier (UUID) values can still be created by using SHA-1.

In cases where you need SHA-1 to verify existing or third party cryptographic signatures, you can enable SHA-1 as follows: 

sudo update-crypto-policies --set DEFAULT:SHA1

As an alternative, you can switch the systemwide crypto policies to the LEGACY policy. However, this policy also enables other algorithms that are not secure, and therefore risks making the system vulnerable.

SCP Protocol

In the scp utility, secure copy protocol (SCP) is replaced by the SSH File Transfer Protocol (SFTP) by default. Likewise, SCP is deprecated in the libssh library.

Oracle Linux 9 doesn't use SCP in the OpenSSH suite.

OpenSSL Cryptographic Algorithms

  • MD2

  • MD4

  • MDC2

  • Whirlpool

  • RIPEMD160

  • Blowfish

  • CAST

  • DES

  • IDEA

  • RC2

  • RC4

  • RC5

  • SEED

  • PBKDF1

The implementations of these algorithms have been moved to the legacy provider in OpenSSL

For instructions on how to load the legacy provider and enable support for the deprecated algorithms, see the /etc/pki/tls/openssl.cnf configuration file.

Digest-MD5

The Digest-MD5 authentication mechanism in the Simple Authentication Security Layer (SASL) framework is deprecated.

/etc/system-fips File

The /etc/system-fips file was used to indicate the FIPS mode in the system. This file is removed in Oracle Linux 9.

To install Oracle Linux 9 in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. To check whether Oracle Linux 9 is operating in FIPS mode, use the fips-mode-setup --check command.

libcrypt.so.1

The libcrypt.so.1 cryptogarhic library is deprecated.

fapolicyd.rules File

The /etc/fapolicyd/fapolicyd.rules file is deprecated. You can store policy rules for fapolicyd in the /etc/fapolicyd/rules.d/ directory. The fagenrules script merges all component rule files in this directory to the /etc/fapolicyd/compiled.rules file.

Rules in /etc/fapolicyd/fapolicyd.trust continue to be processed by fapolicyd for backward compatibility.

OpenSSL RSA Encryption Without Padding

RSA encryption without padding for OpenSSL in FIPS mode is no longer accepted. However, key encapsulation with RSA (RSASVE) which doesn't use padding continues to be supported for OpenSSL.

OpenSSL Engines API

The Engines API is deprecated in the OpenSSL 3.0 TLS toolkit. Use the Providers API instead.

openssl-pkcs11

The openssl-pkcs11 (engine_pkcs11) package, which relates to the deprecated OpenSSL Engins API, is now deprecated. Use the pkcs11-provider package instead.