diff --git a/.gitignore b/.gitignore
index f331443..2674446 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,3 +94,5 @@ rsyslog-4.6.3.tar.gz
 /rsyslog-doc-8.2310.0.tar.gz
 /rsyslog-8.2312.0.tar.gz
 /rsyslog-doc-8.2312.0.tar.gz
+/rsyslog-8.2408.0.tar.gz
+/rsyslog-doc-8.2408.0.tar.gz
diff --git a/disable-openssl-engine.patch b/disable-openssl-engine.patch
index 5ea9884..b270eee 100644
--- a/disable-openssl-engine.patch
+++ b/disable-openssl-engine.patch
@@ -1,21 +1,72 @@
-diff -up rsyslog-8.2312.0/runtime/nsd_ossl.c.orig rsyslog-8.2312.0/runtime/nsd_ossl.c
---- rsyslog-8.2312.0/runtime/nsd_ossl.c.orig	2024-08-05 16:06:56.234410525 +0200
-+++ rsyslog-8.2312.0/runtime/nsd_ossl.c	2024-08-05 16:07:21.740650844 +0200
-@@ -35,7 +35,7 @@
+diff -up rsyslog-8.2408.0/runtime/net_ossl.c.orig rsyslog-8.2408.0/runtime/net_ossl.c
+--- rsyslog-8.2408.0/runtime/net_ossl.c.orig	2024-08-21 12:20:02.634846602 +0200
++++ rsyslog-8.2408.0/runtime/net_ossl.c	2024-08-21 12:23:59.487229756 +0200
+@@ -223,6 +223,7 @@ osslGlblInit(void)
+ PRAGMA_DIAGNOSTIC_PUSH
+ PRAGMA_IGNORE_Wdeprecated_declarations
+ 
++#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
+ 	// Initialize OpenSSL engine library
+ 	ENGINE_load_builtin_engines();
+ 	/* Register all of them for every algorithm they collectively implement */
+@@ -243,6 +244,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations
+ 	}
+ 	// Free the engine reference when done
+ 	ENGINE_free(osslEngine);
++#endif
+ PRAGMA_DIAGNOSTIC_POP
+ }
+ 
+@@ -251,7 +253,10 @@ void
+ osslGlblExit(void)
+ {
+ 	DBGPRINTF("openssl: entering osslGlblExit\n");
++
++#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
+ 	ENGINE_cleanup();
++#endif
+ 	ERR_free_strings();
+ 	EVP_cleanup();
+ 	CRYPTO_cleanup_all_ex_data();
+@@ -638,7 +643,7 @@ net_ossl_chkonepeername(net_ossl_t *pThi
+ #endif
+ 	char *x509name = NULL;
+ 	DEFiRet;
+-	
++
+ 	if (certpeer == NULL) {
+ 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
+ 	}
+@@ -1151,6 +1156,8 @@ net_ossl_init_engine(__attribute__((unus
+ 
+ PRAGMA_DIAGNOSTIC_PUSH
+ PRAGMA_IGNORE_Wdeprecated_declarations
++#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
++
+ 	// Get the default RSA engine
+ 	ENGINE *default_engine = ENGINE_get_default_RSA();
+ 	if (default_engine) {
+@@ -1188,6 +1195,7 @@ PRAGMA_IGNORE_Wdeprecated_declarations
+ 	} else {
+ 		DBGPRINTF("net_ossl_init_engine: use openssl default Engine");
+ 	}
++#endif
+ PRAGMA_DIAGNOSTIC_POP
+ 
+ 	RETiRet;
+diff -up rsyslog-8.2408.0/runtime/net_ossl.h.orig rsyslog-8.2408.0/runtime/net_ossl.h
+--- rsyslog-8.2408.0/runtime/net_ossl.h.orig	2024-08-21 12:19:42.902648065 +0200
++++ rsyslog-8.2408.0/runtime/net_ossl.h	2024-08-21 12:23:14.053772607 +0200
+@@ -31,7 +31,11 @@
  #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
  #	include <openssl/bioerr.h>
  #endif
 -#include <openssl/engine.h>
-+// #include <openssl/engine.h>
- #include <errno.h>
- #include <sys/stat.h>
- #include <unistd.h>
-@@ -992,7 +992,7 @@ osslGlblExit(void)
- {
- 	DEFiRet;
- 	DBGPRINTF("openssl: entering osslGlblExit\n");
--	ENGINE_cleanup();
-+	// ENGINE_cleanup();
- 	ERR_free_strings();
- 	EVP_cleanup();
- 	CRYPTO_cleanup_all_ex_data();
++
++#ifdef ENABLE_OPENSSL_ENGINES_DOWNSTREAM
++#	include <openssl/engine.h>
++#endif
++
+ #include <openssl/rand.h>
+ #include <openssl/evp.h>
+ 
diff --git a/rsyslog.spec b/rsyslog.spec
index 9a0189e..5231415 100644
--- a/rsyslog.spec
+++ b/rsyslog.spec
@@ -36,8 +36,8 @@
 
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.2312.0
-Release: 3%{?dist}
+Version: 8.2408.0
+Release: 1%{?dist}
 License: GPL-3.0-or-later AND Apache-2.0
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -57,7 +57,6 @@ BuildRequires: automake
 BuildRequires: bison
 BuildRequires: dos2unix
 BuildRequires: flex
-BuildRequires: libgcrypt-devel
 BuildRequires: libfastjson-devel >= 0.99.8
 BuildRequires: libestr-devel >= 0.1.9
 BuildRequires: libtool
@@ -526,7 +525,9 @@ autoreconf -if
 	--enable-snmp \
 %endif
 	--enable-unlimited-select \
-	--enable-usertools
+	--enable-usertools \
+	--disable-libgcrypt \
+	--enable-openssl_crypto_provider
 
 make V=1
 
@@ -652,7 +653,7 @@ done
 %files crypto
 %{_bindir}/rscryutil
 %{_mandir}/man1/rscryutil.1.gz
-%{_libdir}/rsyslog/lmcry_gcry.so
+%{_libdir}/rsyslog/lmcry_ossl.so
 
 %files doc
 %doc %{rsyslog_docdir}/html
@@ -766,6 +767,12 @@ done
 
 
 %changelog
+* Wed Aug 21 2024 Attila Lakatos <alakatos@redhat.com> - 8.2408.0-1
+- Rebase to 8.2408.0
+- Remove dependency on libgcrypt
+- Introduce new ossl crypto provider, replacement for gcry
+  Resolves: RHEL-22023
+
 * Mon Aug 05 2024 Attila Lakatos <alakatos@redhat.com> - 8.2312.0-3
 - Remove mmtaghostname subpackage
 - Do not build with openssl engine support
diff --git a/sources b/sources
index d55fac4..f364de8 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 SHA512 (qpid-proton-0.39.0.tar.gz) = df5c5469ee82ba02de62dce15b73b81aab2aae07c7db668182df690cea4ff7584111bd12143fe5e3569469a9ddf4950ac68d60b53d1a7815da4748052948cd1b
-SHA512 (rsyslog-8.2312.0.tar.gz) = a65ca1c6fe2d9dd853d073d93cfd4d007c3533bd10c633113fcf94c4746192945ed0a2b2ff84f9174b55de90ade2a062a0bd556ffe375864fad3772ef8ce39e3
-SHA512 (rsyslog-doc-8.2312.0.tar.gz) = 2fe8ab0e37a6899a545c09ea2586c33ab89a3e3d93ff079f99b15e9b1743423bbe54931684ba8509ed4f578a4b55ea22f6306aca256ee2245f88115a5f44e400
+SHA512 (rsyslog-8.2408.0.tar.gz) = 86901f76290aa451dfc8dc3d2c7eb2ea82bdbf39875fe2872169a3aa44933aff064dd5ea9b80964881fd07c34c17da25ec6a0efc1c5b7f4d6884435639fa0338
+SHA512 (rsyslog-doc-8.2408.0.tar.gz) = 9982688880b8362ca2ecd5f076f12aaf31b966144bd9b291761e660307e4c31e8c3ccc17b6b2b0cb2ccf2e30ba81927126991f9539562c2f02966a59fd1624aa