Bug 2421797 - openssl3-3.5.1-6.1.el8 introduces unresolvable dependency on fips-provider-so
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: openssl3
Version: epel8
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Michel Lind
 
Reported: 2025-12-12 17:57 UTC by Daniel Wang
Modified: 2025-12-24 01:32 UTC (History)

Fixed In Version: openssl3-3.5.1-6.2.el8
Last Closed: 2025-12-24 01:32:58 UTC
Type: Bug


Description Daniel Wang 2025-12-12 17:57:06 UTC
The recent release of openssl3{,-devel,-libs}-3.5.1-6.1.el8 to EPEL 8 adds an unresolvable dependency on fips-provider-so, which was introduced in RHEL 9.

$ dnf install openssl3-libs
Extra Packages for Enterprise Linux 8 - x86_64                           11 MB/s |  14 MB     00:01
Last metadata expiration check: 0:00:04 ago on Fri Dec 12 17:30:59 2025.
Error:
 Problem: conflicting requests
  - nothing provides fips-provider-so needed by openssl3-libs-3.5.1-6.1.el8.x86_64 from epel
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

Comment 1 Ilias Yacoubi 2025-12-13 08:56:48 UTC
For now I have just skipped the update of openssl3, until this is fixed.
The openssl3 package was merged from CentOS stream, which includes a separate 'openssl-fips-provider' package https://rpmfind.net/linux/RPM/centos-stream/9/baseos/x86_64/openssl-fips-provider-3.5.1-5.el9.x86_64.html

The centos package provides 'fips-provider-so' and contains /usr/lib64/ossl-modules/fips.so
openssl3-fips-provider was never built or published for epel 8. Please build and publish openssl3-fips-provider for epel8.

Comment 2 Yooommmgg 2025-12-15 18:47:51 UTC
Saw the same issue here:

Error: 
 Problem 1: conflicting requests
  - nothing provides fips-provider-so needed by openssl3-libs-3.5.1-6.1.el8.x86_64 from epel
 Problem 2: package openssl3-devel-3.5.1-6.1.el8.x86_64 from epel requires openssl3-libs(x86-64) = 3.5.1-6.1.el8, but none of the providers can be installed
  - package openssl3-devel-3.5.1-6.1.el8.x86_64 from epel requires libcrypto.so.3()(64bit), but none of the providers can be installed
  - package openssl3-devel-3.5.1-6.1.el8.x86_64 from epel requires libssl.so.3()(64bit), but none of the providers can be installed
  - conflicting requests
  - nothing provides fips-provider-so needed by openssl3-libs-3.5.1-6.1.el8.x86_64 from epel

Comment 3 John G 2025-12-17 15:19:51 UTC
Optional resolution/workaround:
Build fips-provider-next package from RHEL9 src - https://access.cdn.redhat.com/content/origin/rpms/fips-provider-next/1.2.0/5.el9/fd431d51/fips-provider-next-1.2.0-5.el9.src.rpm?

mv  fips-provider-next-1.2.0-5.el9.src.rpm    fips-provider-next-1.2.0-5.el8.src.rpm
rpm -i  fips-provider-next-1.2.0-5.el8.src.rpm
vi SPECS/fips-provider-next.spec  (comment out line 11 - #%bcond check 1 - which is in rpm 1.17.1 and later - but not 4.14.3)
rpmbuild -bb SPECS/fips-provider-next.spec

Verified:
dnf  upgrade openssl3-3.5.1-6.1.el8.x86_64.rpm  openssl3-devel-3.5.1-6.1.el8.x86_64.rpm  openssl3-libs-3.5.1-6.1.el8.x86_64.rpm /root/rpmbuild/RPMS/x86_64/fips-provider-next-1.2.0-5.el8.x86_64.rpm
Dependencies resolved.
==================================================================================================================================================================================================================================================
 Package                                                         Architecture                                        Version                                                      Repository                                                 Size
==================================================================================================================================================================================================================================================
Upgrading:
 openssl3                                                        x86_64                                              3.5.1-6.1.el8                                                @commandline                                              1.4 M
 openssl3-devel                                                  x86_64                                              3.5.1-6.1.el8                                                @commandline                                              2.8 M
 openssl3-libs                                                   x86_64                                              3.5.1-6.1.el8                                                @commandline                                              2.3 M
Installing dependencies:
 fips-provider-next                                              x86_64                                              1.2.0-5.el8                                                  @commandline                                              2.2 M

Transaction Summary
==================================================================================================================================================================================================================================================
Install  1 Package
Upgrade  3 Packages

Comment 4 Michel Lind 2025-12-22 22:41:04 UTC
Ah, interesting. This package must be blocked somehow

On the mock chroot I used for testing local builds:

<mock-chroot> sh-4.4# rpm -q --provides openssl3-fips-provider
fips-provider-so
openssl3-fips-provider = 3.5.1-6.1.el8
openssl3-fips-provider(aarch-64) = 3.5.1-6.1.el8

But on a clean install

Error: 
 Problem: package openssl3-3.5.1-6.1.el8.aarch64 from epel requires openssl3-libs(aarch-64) = 3.5.1-6.1.el8, but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3()(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libssl.so.3()(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.0.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libssl.so.3(OPENSSL_3.0.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.0.1)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.0.9)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.2.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.3.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.4.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libcrypto.so.3(OPENSSL_3.5.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libssl.so.3(OPENSSL_3.2.0)(64bit), but none of the providers can be installed
  - package openssl3-3.5.1-6.1.el8.aarch64 from epel requires libssl.so.3(OPENSSL_3.4.0)(64bit), but none of the providers can be installed
  - conflicting requests
  - nothing provides fips-provider-so needed by openssl3-libs-3.5.1-6.1.el8.aarch64 from epel
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

I'll strip out fips-provider since it does not really make sense in EPEL anyway
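
The long solver cascades quoted in comments 2 and 4 all reduce to one missing capability. The following is an added example, not part of the bug report or the openssl3 packaging: a shell triage helper that separates "nothing provides" root causes from the downstream "none of the providers can be installed" lines. The sample input is constructed in the shape of the errors quoted above, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: triage a dnf solver error. Function names are hypothetical.

# Constructed sample, in the shape of the errors quoted in this bug report.
sample_dnf_error() {
cat <<'EOF'
Error:
 Problem 1: conflicting requests
  - nothing provides fips-provider-so needed by openssl3-libs-3.5.1-6.1.el8.x86_64 from epel
 Problem 2: package openssl3-devel-3.5.1-6.1.el8.x86_64 from epel requires openssl3-libs(x86-64) = 3.5.1-6.1.el8, but none of the providers can be installed
  - package openssl3-devel-3.5.1-6.1.el8.x86_64 from epel requires libcrypto.so.3()(64bit), but none of the providers can be installed
  - conflicting requests
  - nothing provides fips-provider-so needed by openssl3-libs-3.5.1-6.1.el8.x86_64 from epel
EOF
}

# Root causes: unique "capability<TAB>requiring package<TAB>repo" rows from stdin.
missing_provides() {
  awk 'match($0, /nothing provides .+ needed by [^ ]+ from [^ ]+/) {
         s = substr($0, RSTART + 17, RLENGTH - 17)   # drop "nothing provides "
         n = index(s, " needed by ")
         split(substr(s, n + 11), f, " from ")       # f[1]=package, f[2]=repo
         key = substr(s, 1, n - 1) "\t" f[1] "\t" f[2]
         if (!(key in seen)) { seen[key] = 1; print key }
       }'
}

# Downstream noise: packages that fail only because a provider is uninstallable.
blocked_packages() {
  awk '/none of the providers can be installed/ {
         for (i = 1; i < NF; i++) if ($i == "package") {
           if (!($(i + 1) in seen)) { seen[$(i + 1)] = 1; print $(i + 1) }
           break
         }
       }'
}

# On a real host: list what the enabled repos offer for each missing capability.
# A capability with nothing after the colon is shipped by no enabled repo.
check_repos() {
  command -v dnf >/dev/null 2>&1 || { echo "dnf not found" >&2; return 0; }
  missing_provides | cut -f1 | sort -u | while IFS= read -r cap; do
    printf '%s: %s\n' "$cap" "$(dnf -q repoquery --whatprovides "$cap" | tr '\n' ' ')"
  done
}

echo "Root cause(s):";      sample_dnf_error | missing_provides
echo "Blocked as a result:"; sample_dnf_error | blocked_packages
```

On an affected host, pipe the real error through `check_repos` (for example `dnf install openssl3-libs 2>&1 | check_repos`) to confirm whether any enabled repository ships the missing capability.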

Comment 5 Fedora Update System 2025-12-22 23:16:32 UTC
FEDORA-EPEL-2025-120a455170 (openssl3-3.5.1-6.2.el8) has been submitted as an update to Fedora EPEL 8.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-120a455170

Comment 6 Fedora Update System 2025-12-23 01:37:44 UTC
FEDORA-EPEL-2025-120a455170 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2025-120a455170

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-12-24 01:32:58 UTC
FEDORA-EPEL-2025-120a455170 (openssl3-3.5.1-6.2.el8) has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

