Security

The following security related features and functionalities are deprecated in Oracle Linux 9.

OVAL Data Format

The Open Vulnerability Assessment Language (OVAL) data format used by the OpenSCAP suite is deprecated. Declarative security data is now provided in the Common Security Advisory Framework (CSAF) format, which is the successor of OVAL.

Using update-ca-trust Without Arguments

Using the update-ca-trust command without arguments to update the CA trust store is deprecated. Use the update-ca-trust extract command to update the CA trust store.

Configuring stunnel Clients to Use the Trusted Root CA Files

Configuring the CAfile directive of stunnel clients to point to a file that contains trusted root certificates in the BEGIN TRUSTED CERTIFICATE format is deprecated. If your configuration uses CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt, change it to CAfile = /etc/pki/tls/certs/ca-bundle.crt, which contains the same trust anchors as ordinary BEGIN CERTIFICATE blocks.
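The following is an added example, not part of the Oracle Linux documentation or of stunnel itself. It audits an stunnel client configuration for a CAfile directive that points at a bundle in the BEGIN TRUSTED CERTIFICATE format and rewrites the directive to the plain PEM bundle. The stunnel.conf, the two bundle files and the example.com endpoint are constructed for the demonstration; on a real system the two paths are the ca-bundle.trust.crt and ca-bundle.crt files named above.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux documentation or from stunnel:
# audit an stunnel client configuration for a CAfile that points at a
# BEGIN TRUSTED CERTIFICATE bundle and rewrite it to the plain PEM bundle.
# The sample config and bundle files are constructed here for the demonstration.

# cafile_path CONF: print the value of the (case-insensitive) CAfile directive.
cafile_path() {
    awk -F= 'tolower($1) ~ /^[ \t]*cafile[ \t]*$/ {
                 v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                 print v; exit }' "$1"
}

# cafile_format CONF: classify the bundle the CAfile directive points at.
#   trusted  -> OpenSSL "TRUSTED CERTIFICATE" blocks (the deprecated format)
#   pem      -> ordinary "BEGIN CERTIFICATE" blocks
#   missing  -> no CAfile directive, or the file cannot be read
cafile_format() {
    f=$(cafile_path "$1")
    if [ -z "$f" ] || [ ! -r "$f" ]; then
        echo missing
    elif grep -q -e '-----BEGIN TRUSTED CERTIFICATE-----' "$f"; then
        echo trusted
    else
        echo pem
    fi
}

# rewrite_cafile CONF NEWPATH: point every CAfile directive in CONF at NEWPATH.
# Written through a temporary file so it behaves the same with GNU and BSD tools.
rewrite_cafile() {
    awk -F= -v new="$2" '
        tolower($1) ~ /^[ \t]*cafile[ \t]*$/ { print "CAfile = " new; next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# make_sample DIR: constructed stand-ins for the two system bundles and an
# stunnel client config that still uses the deprecated one.
make_sample() {
    printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
        '-----END TRUSTED CERTIFICATE-----' > "$1/ca-bundle.trust.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQ=' \
        '-----END CERTIFICATE-----' > "$1/ca-bundle.crt"
    printf '%s\n' 'client = yes' '[https]' 'accept = 127.0.0.1:8443' \
        'connect = example.com:443' 'verifyChain = yes' \
        "CAfile = $1/ca-bundle.trust.crt" > "$1/stunnel.conf"
}

# Stand-alone run: flag the deprecated bundle, fix the directive, check again.
dir=$(mktemp -d)
make_sample "$dir"
echo "before: $(cafile_format "$dir/stunnel.conf")"   # trusted
rewrite_cafile "$dir/stunnel.conf" "$dir/ca-bundle.crt"
echo "after:  $(cafile_format "$dir/stunnel.conf")"   # pem
rm -rf "$dir"
```

The format check matters more than the path: a CAfile that points at any file holding TRUSTED CERTIFICATE blocks is affected, not only the default bundle path.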

NSS Deprecated Algorithms

The following algorithms are deprecated in the Network Security Services (NSS) cryptographic library.

  • Digital Signature Algorithm (DSA)

  • SEED

Use RSA, ECDSA, SLH-DSA, ML-DSA, or FN-DSA instead.

pam_ssh_agent_auth

pam_ssh_agent_auth is deprecated.

scap-workbench

scap-workbench is deprecated.

oscap-anaconda-addon

oscap-anaconda-addon is deprecated.

/etc/system-fips

The /etc/system-fips file, which indicated that the system runs in FIPS mode, is removed. To install Oracle Linux in FIPS mode, add the fips=1 parameter to the kernel command line during the system installation. To check whether Oracle Linux operates in FIPS mode, use the fips-mode-setup --check command.

libcrypt.so.1

The libcrypt.so.1 library is deprecated.

SHA-1 Algorithm

The SHA-1 algorithm is deprecated in Oracle Linux 9. Digital signatures that use the SHA-1 hash algorithm are no longer considered secure and are therefore not allowed on Oracle Linux 9 systems by default. Oracle Linux 9 has been updated to avoid using SHA-1 in security-related use cases.

However, the HMAC-SHA1 message authentication code and version 5 Universally Unique Identifier (UUID) values can still be created by using SHA-1. HMAC-SHA1 does not depend on collision resistance, the property that signatures require and that SHA-1 no longer provides.

In cases where you need SHA-1 to verify existing or third party cryptographic signatures, you can enable SHA-1 as follows:

sudo update-crypto-policies --set DEFAULT:SHA1

As an alternative, you can switch the system-wide crypto policy to LEGACY. However, the LEGACY policy also enables other algorithms that are not secure and therefore weakens the whole system; prefer the DEFAULT:SHA1 subpolicy. In either case the new policy applies to applications as they start, so restart the system for the change to take full effect.

Furthermore, OpenSSL deprecates the use of the SHA-1 algorithm at security level 2 (SECLEVEL=2), which is the level the DEFAULT crypto policy configures.

SCP Protocol

In the scp utility, the secure copy protocol (SCP) is replaced by the SSH File Transfer Protocol (SFTP) by default. Likewise, SCP is deprecated in the libssh library.

By default, the OpenSSH suite in Oracle Linux 9 transfers files over SFTP rather than SCP. If you must copy to or from a server that has no SFTP subsystem, the scp -O option selects the legacy SCP protocol for that transfer.

OpenSSL Cryptographic Algorithms

  • MD2

  • MD4

  • MDC2

  • Whirlpool

  • RIPEMD160

  • Blowfish

  • CAST

  • DES

  • IDEA

  • RC2

  • RC4

  • RC5

  • SEED

  • PBKDF1

The implementations of these algorithms have been moved to the legacy provider in OpenSSL 3.0, which is not loaded by default; an application that requests one of them without that provider fails.

To load the legacy provider and enable support for the deprecated algorithms, follow the commented-out provider sections in the /etc/pki/tls/openssl.cnf configuration file.
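The following is an added example, not from the Oracle Linux documentation or the OpenSSL project, showing two ways to reach a legacy-provider algorithm (MD4 here) with the openssl command-line tool on OpenSSL 3 without editing the system-wide /etc/pki/tls/openssl.cnf: naming the provider on the command line, or pointing OPENSSL_CONF at a private configuration that activates it. The input file and the configuration file are constructed by the script; the configuration has the same shape as the commented-out sections in the system file.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux documentation or the OpenSSL project:
# two ways to reach a legacy-provider algorithm (MD4 here) with the openssl
# command-line tool on OpenSSL 3 without editing the system-wide
# /etc/pki/tls/openssl.cnf. The sample input file is constructed below.

# md4_default_only FILE: digest with only the default provider. On OpenSSL 3 the
# MD4 implementation is not there, so the command fails and nothing is printed.
# OPENSSL_CONF=/dev/null (an empty config) makes sure no system configuration
# has quietly activated the legacy provider for us.
md4_default_only() {
    OPENSSL_CONF=/dev/null openssl dgst -md4 -r "$1" 2>/dev/null | awk '{print $1}'
}

# md4_with_legacy FILE: same digest with the legacy provider named on the command
# line. Naming any provider switches off the automatic load of the default
# provider, so default has to be named as well or the TLS-grade algorithms vanish.
md4_with_legacy() {
    openssl dgst -md4 -r -provider legacy -provider default "$1" | awk '{print $1}'
}

# write_legacy_conf OUT: minimal configuration that activates both providers,
# the same shape as the commented-out sections in /etc/pki/tls/openssl.cnf.
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# md4_via_conf FILE CONF: digest with that private configuration selected through
# OPENSSL_CONF, which scopes the legacy algorithms to one service instead of the
# whole system.
md4_via_conf() {
    OPENSSL_CONF=$2 openssl dgst -md4 -r "$1" | awk '{print $1}'
}

# Stand-alone run against the RFC 1320 test vector MD4("abc").
work=$(mktemp -d)
printf 'abc' > "$work/in"
write_legacy_conf "$work/openssl.cnf"
echo "default only    : '$(md4_default_only "$work/in")'"
echo "with -provider  : $(md4_with_legacy "$work/in" 2>/dev/null)"
echo "via OPENSSL_CONF: $(md4_via_conf "$work/in" "$work/openssl.cnf" 2>/dev/null)"
rm -rf "$work"
```

The per-service configuration is the safer of the two routes for a daemon that still needs one of these algorithms: activating the legacy provider in the system-wide file re-enables every algorithm in the list above for every OpenSSL consumer on the host.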

Digest-MD5

The Digest-MD5 authentication mechanism in the Simple Authentication and Security Layer (SASL) framework is deprecated.

fapolicyd.rules File

The /etc/fapolicyd/fapolicyd.rules file is deprecated. Store policy rules for fapolicyd as component files in the /etc/fapolicyd/rules.d/ directory instead. The fagenrules script merges all component rule files in this directory into the /etc/fapolicyd/compiled.rules file, which is the rule set fapolicyd loads.

The /etc/fapolicyd/fapolicyd.trust file continues to be processed by fapolicyd for backward compatibility.
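The following is an added example, not the fapolicyd project's own fagenrules script: a small stand-in that shows the rules.d layout and the property that matters when a rule set is split across component files, namely that the merged order is the lexical order of the file names and fapolicyd applies the first rule that matches. The file names and rules are constructed for the demonstration and run against a temporary directory, not against /etc/fapolicyd.

```shell
#!/bin/sh
# Added example, not the fapolicyd project's fagenrules: a stand-in that shows
# the rules.d layout and why the numeric prefixes matter. fapolicyd evaluates
# compiled.rules top to bottom and takes the first matching rule, so a component
# file's name decides where its rules land. Names and rules are constructed.

# make_sample_rules BASE: a constructed rules.d with numbered component files.
make_sample_rules() {
    mkdir -p "$1/rules.d"
    printf '%s\n' '# trusted binaries run by root' \
        'allow perm=any uid=0 : dir=/var/tmp' \
        'allow perm=any uid=0 trust=1 : all' > "$1/rules.d/10-root.rules"
    printf '%s\n' 'deny_audit perm=any all : ftype=application/x-bad-elf' \
        > "$1/rules.d/40-bad-elf.rules"
    printf '%s\n' '' 'deny_audit perm=execute all : all' \
        > "$1/rules.d/90-deny-execute.rules"
    printf '%s\n' 'allow perm=open all : all' > "$1/rules.d/95-allow-open.rules"
}

# merge_rules BASE: concatenate BASE/rules.d/*.rules in name order into
# BASE/compiled.rules. The shell sorts the glob, which is what gives the
# 10-, 40-, 90-, 95- prefixes their meaning.
merge_rules() {
    : > "$1/compiled.rules"
    for f in "$1"/rules.d/*.rules; do
        [ -f "$f" ] || continue
        cat "$f" >> "$1/compiled.rules"
    done
}

# rules_in FILE: the effective rules, with comments and blank lines dropped.
rules_in() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# rule_count FILE: number of effective rules.
rule_count() {
    rules_in "$1" | wc -l | tr -d ' '
}

# nth_rule FILE N: the N-th effective rule (1-based), i.e. its evaluation position.
nth_rule() {
    rules_in "$1" | sed -n "${2}p"
}

# Stand-alone run: build, merge, and show that the catch-all deny from
# 90-deny-execute.rules sits after the root allows and before the open allow.
base=$(mktemp -d)
make_sample_rules "$base"
merge_rules "$base"
echo "$(rule_count "$base/compiled.rules") rules"            # 5 rules
echo "first: $(nth_rule "$base/compiled.rules" 1)"
echo "4th:   $(nth_rule "$base/compiled.rules" 4)"
echo "last:  $(nth_rule "$base/compiled.rules" 5)"
rm -rf "$base"
```

Renaming 90-deny-execute.rules to 05-deny-execute.rules would move the catch-all deny ahead of the root allows and block everything, which is the kind of mistake a prefix convention is meant to prevent. On a real system, edit the files under /etc/fapolicyd/rules.d/ and run fagenrules --load as root to regenerate compiled.rules and make the daemon reload it.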

OpenSSL RSA Encryption Without Padding

OpenSSL in FIPS mode no longer accepts RSA encryption without padding (raw RSA). RSA secret-value encapsulation (RSASVE), which by definition uses no padding, continues to be supported.

OpenSSL Engines API

The Engines API is deprecated in the OpenSSL 3.0 TLS toolkit. Use the Providers API instead; for PKCS #11 tokens and HSMs, the pkcs11-provider package replaces the engine. Use of the OpenSSL Engines API in stunnel is deprecated for the same reason.

openssl-pkcs11

The openssl-pkcs11 (engine_pkcs11) package, which depends on the deprecated OpenSSL Engines API, is now deprecated. Use the pkcs11-provider package instead.