CentOS 7 vs CentOS 8 differences

I ran into several scripts that worked perfectly on CentOS 6 and 7, but failed when moved to CentOS 8. Below are a few real examples along with the fixes.


curl

A script I was using (originally inspired by 802.1x authentication on macOS and a GitHub example) contained:

# CentOS 7
curl --negotiate -u : ...

On CentOS 8, this failed until updated to:

# CentOS 8
curl --http1.1 --negotiate -u : ...

Why this happens:

Starting with newer versions of curl (7.47+), HTTP/2 support is enabled by default. In this case, the negotiation attempt with the server over HTTP/2 failed, and the fallback behavior didn't work as expected.

Forcing HTTP/1.1 with --http1.1 resolved the issue.


openssl

Running the same command on CentOS 7 vs 8 produces different output formats:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
| openssl x509 -noout -issuer 2>/dev/null

CentOS 7 output:

issuer= /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

CentOS 8 output:

issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

Key differences:
  • Slashes replaced with commas
  • Spaces added around equals signs

This broke parsing logic in scripts.

Original (CentOS 7 only):

grep -o 'CN=.*' | cut -f2- -d"="

Updated (CentOS 7 + 8 compatible):

grep -o 'CN.*' | cut -f2- -d"=" | awk '{$1=$1};1'

The awk trims leading whitespace introduced in the newer format.
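
An added example, not from the original post: the updated pipeline above matches the substring CN anywhere in the line, so an issuer whose country code is CN (C = CN) yields the wrong text. The function below splits the line into attributes and compares the whole key; the names issuer_cn and substring_cn and the sample issuer lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample issuer lines are constructed.

# The post's CentOS 7 + 8 pipeline, wrapped in a function for comparison.
substring_cn() {
    printf '%s\n' "$1" | grep -o 'CN.*' | cut -f2- -d"=" | awk '{$1=$1};1'
}

# issuer_cn LINE: print the CN attribute of an "issuer=" line in either
# output format. Returns 1 when the line has no CN attribute.
issuer_cn() {
    printf '%s\n' "$1" | awk '
    {
        line = $0
        sub(/^issuer= */, "", line)                 # drop the label
        # Put each attribute on its own record: break before every
        # "/KEY=" (older format) or ", KEY = " (newer format).
        gsub(/(, ?|\/)[A-Za-z][A-Za-z0-9.]* ?=/, "\n&", line)
        n = split(line, attr, "\n")
        for (i = 1; i <= n; i++) {
            a = attr[i]
            sub(/^(, ?|\/)/, "", a)                 # leading separator
            eq = index(a, "=")
            if (eq == 0) continue
            key = substr(a, 1, eq - 1)
            val = substr(a, eq + 1)
            gsub(/^ +| +$/, "", key)
            gsub(/^ +| +$/, "", val)
            # Compare the whole key, so country code "CN" (C = CN) is not
            # mistaken for the common name.
            if (key == "CN") { print val; found = 1; exit }
        }
    }
    END { exit !found }'
}

# Constructed samples: the two formats, plus an issuer whose country is CN.
for s in \
    'issuer= /C=US/O=Example Org/CN=Example Issuing CA' \
    'issuer=C = US, O = Example Org, CN = Example Issuing CA' \
    'issuer=C = CN, O = Example Org, CN = Example Issuing CA'
do
    printf 'by-attribute: %s | substring: %s\n' "$(issuer_cn "$s")" "$(substring_cn "$s")"
done
```

openssl x509 also accepts -nameopt (for example -nameopt RFC2253) to request an explicit name format instead of relying on the release default.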

ClamAV

This one is less about CentOS itself and more about a major version jump in ClamAV.

Both CentOS 7 and 8 were previously using:

ClamAV 0.101.5

After an update, CentOS 8 moved to:

ClamAV 0.102.2-2

This introduced significant breaking changes:
  • ScanOnAccess deprecated and non-functional
  • Replaced by: clamonacc (daemon-based)
  • Configuration behavior changed

Notable observations:

  • OnAccessMountPath works (despite documentation suggesting otherwise)
  • OnAccessIncludePath did not work in testing
  • LocalSocket could not be used successfully
  • TCPSocket / TCPAddr worked instead

This required reworking scripts and expectations around how on-access scanning is configured.


Takeaway

Even when commands look identical across versions, behavior can change due to:

  • Protocol defaults (HTTP/2 vs HTTP/1.1)
  • Output formatting differences (openssl)
  • Major upstream application changes (ClamAV)

When moving scripts between OS versions:

  • Always check tool versions (curl --version, openssl version, etc.)
  • Expect parsing logic to break
  • Be cautious of silent behavioral changes