View Issue Details

ID: 0007558
Project: Rocky-Linux-9
Category: openssl
View Status: public
Last Update: 2025-02-07 15:35
Reporter: John Kennedy
Assigned To: Louis Abel
Status: feedback
Resolution: reopened
Summary: 0007558: openssl-libs conflicts with file from package openssl-fips-provider (/usr/lib64/ossl-modules/
Description: This is true for 3.0.7-27.el9.0.1, but also for the older 3.0.7-2.el9.

RHEL9 and OEL9 both yanked /usr/lib64/ossl-modules/ out of the openssl-libs RPM, but Rocky still has it in there.

[cached after failed update, below]
rpm -ql /var/cache/dnf/baseos-522ed8e2b2f761ff/packages/openssl-libs-3.0.7-27.el9.0.1.x86_64.rpm | grep

rpm -q openssl-fips-provider

rpm -ql openssl-fips-provider | grep

Steps To Reproduce: yum update -y openssl-libs
Additional Information: This also breaks the script when it tries to distro-sync
Tags: No tags attached.


John Kennedy
2024-08-15 20:08
reporter   ~0008186

On a fresh Rocky 9 install, the dependencies are different. I'm not sure they're 1:1 with RHEL anymore, since I don't see openssl-fips-provider being available anymore, which would make this more of a post-migrate2rocky issue.

Rocky systemd (252-32.el9_4.6) doesn't require openssl-fips-provider. It doesn't look like openssl-fips-provider is even available in @baseos anymore.

Louis Abel
2024-08-15 21:00
administrator   ~0008187

>RHEL9 and OEL9 both yanked /usr/lib64/ossl-modules/ out of the openssl-libs RPM, but Rocky still has it in there.

This is correct. We are not FIPS certified, and they are.

>Rocky systemd (252-32.el9_4.6 ) doesn't require openssl-fips-provider,

It never has, directly. You can verify this in the spec file.

The most it has ever required is openssl-libs and in the case of RHEL, openssl-fips-provider is brought in as a dependency of openssl-libs.

>Doesn't look like openssl-fips-provider is even available in @baseos anymore.

This is correct. openssl-libs and openssl-fips-provider conflict, and as such there is very little reason to have both. As we are not FIPS certified like our upstream (and likely Oracle too), having openssl-fips-provider makes very little sense. In fact, let's look at the spec file and see why this conflict existed. In this section, it states this:

%if ( %{defined rhel} && (! %{defined centos}) )
Requires: openssl-fips-provider
%endif

This says that if the %rhel macro is defined *and* the %centos macro is NOT defined, then require openssl-fips-provider.

%if ( %{defined rhel} && (! %{defined centos}) )
%define __spec_install_post \
    rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/ \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
%else
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ \
    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/ $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ \
    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ \
    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/ \
%endif

Same thing here. Notice how in the "else" the fips library is being generated? This is what happens for us, as we define both %rhel and %centos in rocky-release. This is by design and helps us maintain compatibility with CentOS Stream SIGs and other related package building efforts.


It does not make sense for us to have both openssl-fips-provider and openssl-libs provide the same library. openssl-fips-provider is for RHEL (and Oracle it seems). CentOS Stream does not provide this package either. I would imagine the reason why is because CentOS Stream is/cannot be FIPS certified. This is, however, a guess.

With all of that said, the script has been changed to detect FIPS mode being enabled. If it is enabled, the script will stop. If it is not enabled, openssl-fips-provider will be removed, which means openssl-libs reinstallation should work normally.


If the updated script at is still not working for you, please open an issue there.
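The pre-flight logic the thread describes, as an added shell example that is not the migrate2rocky script's own code: it reads the kernel FIPS flag from /proc/sys/crypto/fips_enabled (the same state fips-mode-setup --check reports), refuses to touch anything when FIPS is enforced, and otherwise compares the two packages' file lists the way the reporter did by hand. The preflight and helper names, the --run flag and the RPM path argument are this example's own.

```shell
#!/bin/sh
# Added example, not the migrate2rocky script: a dry-run pre-flight check that follows the
# logic described in the thread. Decision and comparison helpers are pure so they can be
# exercised with constructed input; only preflight() touches rpm and the kernel.

# Decide how an openssl-libs update should proceed.
#   $1 = kernel FIPS flag (contents of /proc/sys/crypto/fips_enabled: "0" or "1")
#   $2 = "yes" if openssl-fips-provider is installed, "no" otherwise
# Prints exactly one keyword: abort | remove-provider | proceed
fips_action() {
    if [ "$1" = "1" ]; then
        echo abort            # FIPS enforced: never strip the provider the kernel mode relies on
    elif [ "$2" = "yes" ]; then
        echo remove-provider  # FIPS off: the provider only causes the file conflict, remove it first
    else
        echo proceed          # nothing to resolve, plain update
    fi
}

# Print every path present in both newline-separated file lists (paths without spaces).
# This is the comparison the reporter did by hand with rpm -ql ... | grep.
conflicting_files() {
    for f in $2; do
        printf '%s\n' "$1" | grep -Fxq -- "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Live check. $1 = path of the downloaded openssl-libs RPM (optional). Makes no changes.
preflight() {
    fips=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    if rpm -q openssl-fips-provider >/dev/null 2>&1; then have=yes; else have=no; fi
    echo "action: $(fips_action "$fips" "$have")"
    if [ "$have" = yes ] && [ -n "${1:-}" ]; then
        echo "files shipped by both packages:"
        conflicting_files "$(rpm -ql openssl-fips-provider)" "$(rpm -qlp "$1")"
    fi
}

# Run the live check only when asked, so the file can also be sourced for its helpers:
#   sh preflight.sh --run /var/cache/dnf/<repo>/packages/openssl-libs-<version>.rpm
case "${1:-}" in --run) preflight "${2:-}" ;; esac
```

An "abort" result is the case the updated script stops on; only "remove-provider" corresponds to the erase-then-update sequence discussed in this issue.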

John Kennedy
2024-08-15 21:13
reporter   ~0008188

Just trying to throw some extra notes in here....

FIPS mode wasn't enabled (verified by "fips-mode-setup --check", at least after the migrate2rocky9, but shouldn't have been set before either). Now, we do have a bunch of stuff set up for CIS hardening, so maybe we're triggering something.

Things seem happy running this:

rpm --erase --nodeps openssl-fips-provider
yum update openssl-libs

In my after-migrate case, we had the old RHEL openssl-libs with the openssl-fips-provider dependency, but I could erase it and do the update, pulling in the Rocky openssl-libs that doesn't have that issue.

If you've tweaked migrate2rocky9, then we'll never end up in this situation (great!).

David Emmett
2025-02-07 15:35
reporter   ~0009538

I've just hit this issue using the official migration script available here:
I'll revert this instance to a snapshot and attempt the modification documented here:

Issue History

Date Modified Username Field Change
2024-08-01 19:16 John Kennedy New Issue
2024-08-15 20:08 John Kennedy Note Added: 0008186
2024-08-15 21:00 Louis Abel Assigned To => Louis Abel
2024-08-15 21:00 Louis Abel Status new => closed
2024-08-15 21:00 Louis Abel Resolution open => won't fix
2024-08-15 21:00 Louis Abel Note Added: 0008187
2024-08-15 21:13 John Kennedy Status closed => feedback
2024-08-15 21:13 John Kennedy Resolution won't fix => reopened
2024-08-15 21:13 John Kennedy Note Added: 0008188
2025-02-07 15:35 David Emmett Note Added: 0009538