OpenSSL 3.5.1 RPMs have been released and added for all supported platforms (AlmaLinux, Rocky Linux, Red Hat Enterprise Linux (RHEL), Oracle Linux).
This release fixes the x509 application adding a trusted use instead of a rejected use (CVE-2025-4575).
OpenSSL 3.5.1 is a release featuring QUIC server support.
We continue to build the libraries with QUIC support as a separate, non-conflicting package, openssl-quic-libs; its files carry a separate .so.81.3 suffix to avoid conflicts with the official .so.3.
Dear Alexander
CentOS 9:
Error: Transaction test failed:
The file /usr/lib64/libcrypto.so.3.5.1 conflicts with the installed openssl-quic-libs-1:3.5.1-1.codeit.el9.x86_64 and openssl-libs-1:3.5.1-1.el9.x86_64.
The file /usr/lib64/libssl.so.3.5.1 conflicts with the installed openssl-quic-libs-1:3.5.1-1.codeit.el9.x86_64 and openssl-libs-1:3.5.1-1.el9.x86_64.
Any release date or solution to fix this conflict?
Sincerely
Mateusz Kiczela
Dear Mateusz,
I am not able to see /usr/lib64/libcrypto.so.3.5.1 in RHEL 9 and AlmaLinux 9.
What OS do you use? Is it CentOS Stream 9?
Dear Alexander
«I am not able to see /usr/lib64/libcrypto.so.3.5.1 in RHEL 9 and AlmaLinux 9.
What OS do you use? Is it CentOS Stream 9?»
Yes, it’s a CentOS 9 Stream release.
«As you mentioned CentOS 9, I assume it is CentOS Stream 9. It is a rolling version release and contains its own openssl 3.5.1 that conflicts with our one.
I think there is no easy solution here, as we never supported and tested the repo on CentOS Stream. Only “classic” non-Stream CentOS, RHEL, AlmaLinux, Oracle Linux, Rocky Linux is supported.»
I have disabled the codeit repo for testing purposes and I will use dnf update to install; then I will try to enable the codeit repo and use: dnf install openssl-quic-libs --allowerasing or --best --allowerasing and see if it overwrites this package.
Sincerely
Mateusz Kiczela
The easiest solution for now (to have non-vulnerable system openssl 3.5.1) is to downgrade our openssl-quic-libs to 3.0.16 (that also does not have known vulns) and nginx to 1.28.0.
We probably can update nginx and httpd to «require» our openssl-quic-libs >= 3.5.1 or CentOS Stream 9 openssl-libs >= 3.5.1, but later it will have new bugs with other libs we don’t expect to see in EL (that appeared suddenly).
You may switch to «Enterprise Linux» from CentOS Stream or avoid using the CodeIT repo, as CentOS Stream already aims to provide fresh packages. Instead, we focus on the extremely stable basement of EL* and only have an updated web server stack.
Dear Alexander
Great! 🙂 Thank you for your solution, I will try it soon. Thank you once more.
Sincerely
Mateusz Kiczela
Is it possible to build with another SSL engine, like boringssl, libressl, quictls…, to enable HTTP/3? Like this, I think there will not be conflicts in the future…
Valentin,
I do not expect it to conflict: for OS that will have openssl 3.5+, we will use the baseos one. Until new features arrive of course 🙂
Quictls is unfortunately abandoned. I rebased last versions myself.
As you mentioned CentOS 9, I assume it is CentOS Stream 9. It is a rolling version release and contains its own openssl 3.5.1 that conflicts with our one.
I think there is no easy solution here, as we never supported and tested the repo on CentOS Stream. Only «classic» non-Stream CentOS, RHEL, AlmaLinux, Oracle Linux, Rocky Linux is supported.
Weee I fixed it…
QUIC is supported
HTTP/3 is supported
HTTP/3 Check established a QUIC connection for all attempts made with the given endpoint. See the metrics below for more information.
0-RTT h3 h3-29 h3-Q050 h3-Q046 h3-Q043 Q043 Q046
On CentOS Stream 9? How? :-O
I installed codeit nginx quic manually without dependencies, then I unpacked the rpm for openssl-quic in /opt/openssl-quic and created links for the libs in /usr/lib64, and it works.
I hope there will be a fix, like custom names (currently the binaries have the same name openssl.3.5.1 and conflict with the system one), for the openssl-quic required by codeit-nginx-quic. Before, it was running and installing like a charm on CentOS Stream 9.
Easy install:
1. Download the nginx rpm
2. Run: sudo rpm -ivh --nodeps nginx-*.rpm (to install w/o deps)
3. Run:
ln -s /usr/lib64/libcrypto.so.3.5.1 /usr/lib64/libcrypto.so.81.3
ln -s /usr/lib64/libssl.so.3.5.1 /usr/lib64/libssl.so.81.3
4. Set up your nginx configuration
5. Start your nginx server
6. ENJOY!!!!
Forgot to say: the openssl 3.5.1 shipped with CentOS 9 Stream has QUIC enabled.
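For checking a host after the workaround discussed in this thread, the following added example (not part of the original post or comments, and not CodeIT's code) lists every libssl/libcrypto name in a directory, flags a .so.81.3 name that resolves to a .so.3 file or the reverse, and shows whether rpm owns the path. Only the two suffixes come from the post; the function names and output format are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not CodeIT's code). Assumptions: QUIC-build libraries carry the
# .so.81.3 suffix and OS libraries the .so.3 suffix, as the post states; the
# function names and the output format are hypothetical.
# Usage: audit_tls_libs /usr/lib64

# Map a library file name to the build series its suffix claims.
lib_series() {
    case "$1" in
        *.so.81.3*)      echo quic ;;
        *.so.3|*.so.3.*) echo system ;;
        *)               echo other ;;
    esac
}

# Print one line per libssl/libcrypto name in DIR: STATUS name -> real file [owner].
# Returns 1 if any name is dangling or resolves to a file from the other series.
audit_tls_libs() {
    local dir=${1:-/usr/lib64} rc=0 path name target status owner
    for path in "$dir"/libssl.so.* "$dir"/libcrypto.so.*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # glob matched nothing
        name=$(basename "$path")
        if [ ! -e "$path" ]; then                      # dangling symlink
            echo "BROKEN $name"; rc=1; continue
        fi
        target=$(basename "$(readlink -f "$path")")
        if [ "$(lib_series "$name")" = "$(lib_series "$target")" ]; then
            status=OK
        else
            status=ALIAS; rc=1                         # name and real file disagree
        fi
        owner=""
        if command -v rpm >/dev/null 2>&1; then
            # Paths created by hand (for example with ln -s) are not tracked by
            # rpm, so package updates will not maintain them.
            owner=$(rpm -qf --qf '%{NAME} ' "$path" 2>/dev/null) || owner="unowned"
            owner=" [${owner% }]"
        fi
        echo "$status $name -> $target$owner"
    done
    return "$rc"
}
```

An ALIAS line means the process loading that name gets whatever the other package ships, so its patch level follows that package and not the one named in the RPM dependency.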