diff --git a/salt/common/init.sls b/salt/common/init.sls
index f50f0c61b..37ea4239d 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -91,7 +91,6 @@ vimconfig:
 alwaysupdated:
 pkg.latest:
 - pkgs:
- - openssl
 - openssh-server
 - bash
 - skip_suggestions: True
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index 8b54bdbf5..b4e97a81d 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -46,6 +46,32 @@ python-rich:
 {% endif %}
 {% if GLOBALS.os_family == 'RedHat' %}
+
+# install versionlock first so we can hold packages in the next states
+install_versionlock:
+ pkg.installed:
+ - name: python3-dnf-plugin-versionlock
+
+# holding these since openssl-devel-1:3.0.7-16.0.1.el9_2 seems to be a requirement for mariadb-devel-3:10.5.16-2.el9_0
+# https://github.com/Security-Onion-Solutions/securityonion/discussions/11443
+holdversion_openssl:
+ pkg.held:
+ - name: openssl
+ - version: 1:3.0.7-16.0.1.el9_2
+
+holdversion_openssl-libs:
+ pkg.held:
+ - name: openssl-libs
+ - version: 1:3.0.7-16.0.1.el9_2
+
+openssl_pkgs:
+ pkg.installed:
+ - skip_suggestions: True
+ - update_holds: True
+ - pkgs:
+ - openssl: 1:3.0.7-16.0.1.el9_2
+ - openssl-libs: 1:3.0.7-16.0.1.el9_2
+
 commonpkgs:
 pkg.installed:
 - skip_suggestions: True
@@ -65,9 +91,7 @@ commonpkgs:
 - mariadb-devel
 - net-tools
 - nmap-ncat
- - openssl
 - procps-ng
- - python3-dnf-plugin-versionlock
 - python3-docker
 - python3-m2crypto
 - python3-packaging
@@ -79,4 +103,5 @@ commonpkgs:
 - unzip
 - wget
 - yum-utils
+
 {% endif %}
diff --git a/setup/so-functions b/setup/so-functions
index 679142e2a..243e89c99 100755
--- a/setup/so-functions
+++ b/setup/so-functions
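Review bot: The hold added in salt/common/packages.sls (hunk `@@ -46,6 +46,32 @@`) freezes openssl and openssl-libs at `1:3.0.7-16.0.1.el9_2` with nothing in the state saying when it should be lifted, and the init.sls hunk in this same commit drops openssl from `alwaysupdated`, so later OpenSSL security errata will not be installed until someone edits the pin by hand. I would add a comment above `holdversion_openssl` such as `# TEMPORARY: held packages receive no security updates; remove once mariadb-devel installs against current openssl`. The version string appears four times in this hunk and again in setup/so-functions, which invites a partial bump; a single Jinja variable, `{% set OPENSSL_HOLD = '1:3.0.7-16.0.1.el9_2' %}`, referenced from each `version:` and `pkgs:` entry would keep the Salt side in step. openssl-devel is pinned in so-functions but not held here, which may be fine because openssl-libs is held, but it is worth confirming.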
@@ -2443,7 +2443,9 @@ update_sudoers_for_testing() {
 update_packages() {
 if [[ $is_oracle ]]; then
 logCmd "dnf repolist"
- logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+ # holding openssl https://github.com/Security-Onion-Solutions/securityonion/discussions/11443
+ logCmd "dnf -y install openssl-1:3.0.7-16.0.1.el9_2 openssl-libs-1:3.0.7-16.0.1.el9_2 openssl-devel-1:3.0.7-16.0.1.el9_2"
+ logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,openssl*"
 RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
 info "Removing repo files added by oracle-repos package update"
 for FILE in ${RMREPOFILES[@]}; do
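Review bot: The new `--exclude=...,openssl*` on the `dnf -y update` line is wider than the three packages pinned on the line above it: every package whose name starts with `openssl` is skipped by this update, not only openssl, openssl-libs and openssl-devel. If the pinned `dnf -y install` fails, for example because that build is no longer offered by the repo, the update still runs with openssl excluded and the host keeps whatever OpenSSL it already had; whether `logCmd` surfaces that failure is not visible in this hunk. I would check the install result before running the update, and extend the comment to say the exclude is temporary and blocks OpenSSL security updates, e.g. `# TEMPORARY hold: openssl* gets no security updates from this run; see discussion 11443`. update_packages continues past the end of the hunk.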