Hi @hasshu, thanks for your helpful link!
I have looked into this page and found that some parts are missing in my fresh installation of Fedora 43.
So I have tried to come up with a script for the affected region that new users can run to get both error-free updates and also efficient multimedia performance.
Could you all have a look at it to see if anything is OK or missing?
I will then enhance it and make it available on GitHub for easy installation:
# 1. Disable the Cisco repo that is blocking update chain:
sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0
# 2. Replace openh264 with noopenh264:
sudo dnf swap '*openh264*' noopenh264 --allowerasing
# 3. Update the system:
sudo dnf update -y
# 4. Enable RPM Fusion (if not already)
sudo dnf install https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm
# 5. Replace limited ffmpeg-free with full-featured ffmpeg from RPM Fusion
sudo dnf swap ffmpeg-free ffmpeg --allowerasing
# 6. Install necessary GStreamer plugins and codecs
sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin
# 7. Add global exception for openh264 to the DNF config:
echo "exclude=openh264*" | sudo tee -a /etc/dnf/dnf.conf
# 8. Disable the Cisco codec that breaks Flatpak updates:
sudo flatpak mask org.freedesktop.Platform.openh264
# 9. Install relevant hardware drivers for ~30% better efficiency
GPU_VENDOR=$(lspci | grep -i "vga\|3d" | grep -oE "Intel|AMD|NVIDIA" | head -1)
if [ "$GPU_VENDOR" = "Intel" ]; then
    sudo dnf install intel-media-driver libva-vdpau-driver -y
elif [ "$GPU_VENDOR" = "AMD" ]; then
    sudo dnf install libva-mesa-driver -y
    sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld -y
    sudo dnf swap mesa-vdpau-drivers mesa-vdpau-drivers-freeworld -y
    # 32-bit support for Steam, etc.
    sudo dnf swap mesa-va-drivers.i686 mesa-va-drivers-freeworld.i686 2>/dev/null || true
    sudo dnf swap mesa-vdpau-drivers.i686 mesa-vdpau-drivers-freeworld.i686 2>/dev/null || true
elif [ "$GPU_VENDOR" = "NVIDIA" ]; then
    echo " ⚠️ manually install proprietary NVIDIA driver for better performance"
fi
# 10. Install VLC player (comes with audio/video codecs that play virtually anything)
sudo dnf install vlc -y
# 11. Make VLC default player for all video formats
grep "^MimeType=" /usr/share/applications/vlc.desktop | cut -d "=" -f 2 | xargs -d ';' -n 1 | grep -e "^video/" -e "^x-content/video" | xargs -n 1 -I '{}' xdg-mime default vlc.desktop '{}'
# 12. Make VLC default player for all audio formats
grep "^MimeType=" /usr/share/applications/vlc.desktop | cut -d "=" -f 2 | xargs -d ';' -n 1 | grep -e "^audio/" -e "^x-content/audio" | xargs -n 1 -I '{}' xdg-mime default vlc.desktop '{}'
Expected outcome of this script:
- DNF updates should be able to complete without errors;
- Flatpak apps will be able to install and update correctly;
- video playback should use ffmpeg from RPM Fusion;
- prevent any openh264 installation attempts in future
- install VLC and make it default (plays virtually any audio/video formats)
- install hardware-optimized video drivers for better efficiency
That is awesome!
My personal opinion is to not include VLC though.
Let’s see…
Not really an issue, but update is an alias for upgrade under dnf5. Incidentally, upgrading offline is more safe.
Consider using a drop-in configuration file instead. Then again, this one’s not really needed with #1 in place.
Thanks! The drop-in concept is new for me. Did I get it right, should it be implemented this way?
# 7. Add global exception for openh264 to the DNF config:
sudo tee /etc/dnf/libdnf5.conf.d/99-exclude-openh264.conf > /dev/null << 'EOF'
# Exclude openh264 packages due to regional 403 errors
# This prevents DNF update chain from breaking
[main]
exclude=openh264*
EOF
You could also do sudo dnf config-manager setopt exclude=openh264*
Edit:
I was also able to do this installing from the everything iso..
On a custom installation.
sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0
sudo dnf install ffmpeg-free noopenh264 gdm gnome-shell ptyxis
Afterwards re-booted into the gnome installation and was able to install firefox. You’d still need to install codecs for video support.
Is it possible to just .zip the Cisco files and use the local directory to search for packages? All files are signed anyway, so there are no security risks, right?
If you already have the .rpm files, it is probably easier to install them directly, but you can also set up a local repository to serve these files.
Yes, it doesn’t matter where the .rpm files come from, since they are signed, you will only be able to install them if your system trusts the key used to sign that package.
Note that this is not true for packages that are installed from the command line - those bypass PGP verification by default.
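One way to act on the note above about command-line installs, as an added example that is not part of the original thread: it refuses to install a local `.rpm` unless `rpmkeys --checksig` reports a verified signature, and enables DNF's `localpkg_gpgcheck` for that one install. The function names and the sample summary lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): gate a local .rpm install on its signature.

# Constructed sample lines in the summary format printed by `rpm -K`.
SAMPLE_SIGNED='openh264-2.6.0-2.fc43.x86_64.rpm: digests signatures OK'
SAMPLE_UNSIGNED='openh264-2.6.0-2.fc43.x86_64.rpm: digests OK'
SAMPLE_UNTRUSTED='openh264-2.6.0-2.fc43.x86_64.rpm: digests SIGNATURES NOT OK'

# Succeed only if the summary line says a signature was checked and verified.
# "digests OK" alone means the file is intact but carries no verified signature,
# so it is rejected together with every failure message.
sig_verified() {
    case $1 in
        *"NOT OK"*)         return 1 ;;
        *" signatures OK")  return 0 ;;
        *)                  return 1 ;;
    esac
}

# Hypothetical wrapper: check first, then install with the local-package
# signature check switched on (localpkg_gpgcheck is off by default).
install_local_rpm() {
    rpm_file=$1
    summary=$(rpmkeys --checksig "$rpm_file" 2>&1) || true
    if ! sig_verified "$summary"; then
        echo "refusing to install $rpm_file: $summary" >&2
        return 1
    fi
    sudo dnf install --setopt=localpkg_gpgcheck=1 "$rpm_file"
}

# Usage: install_local_rpm ./openh264-2.6.0-2.fc43.x86_64.rpm
```

To make the check permanent rather than per command, the same `localpkg_gpgcheck` option can be set in the `[main]` section of the DNF configuration.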
I had completely forgotten about that, thank you for pointing it out!
My apologies.
I’m not familiar with the syntax (am used to just piping echo -e with newlines into sudo tee), but that seems fine to me. Well, I’d add an extra wildcard to be sure: *openh264*.
As @grumpey said, you can also use config-manager setopt; main options added this way go to /etc/dnf/dnf.conf, which takes precedence over the drop-in configs.
Come to think of it, Joe’s suggestion for setopt is likely a better idea. I still have much to learn about dnf5…
I’ve this problem in GBR:
Therefore, I believe that this should be escalated to a Common Issues > Proposed Common Issues
@hasshu, because I am already utilising RPMFusion’s codecs, am I able to safely disable OpenH264’s repository? (I hope that nothing lists it as a mandatory dependency.)
To test for you, I disabled the Cisco repo,
sudo dnf config-manager setopt fedora-cisco-openh264.enabled=0
Ran dnf repoquery --whatrequires openh264 which returned 0 lines.
Then swapped to noopenh264
sudo dnf swap '*openh264*' noopenh264 --allowerasing
And tested youtube in Firefox and everything is working properly.
Note that going to the root of that domain seems to return access denied in general, so is not a valid test for being blocked.
See below requests, also from GB:
❯ curl -i --head https://ciscobinary.openh264.org
HTTP/2 403
content-type: application/xml
[other headers omitted]
❯ curl -i --head https://ciscobinary.openh264.org/openh264-2.6.0-2.fc43.x86_64.rpm
HTTP/2 200
content-type: binary/octet-stream
content-length: 432984
last-modified: Tue, 05 Aug 2025 03:42:52 GMT
[other headers omitted]
Let’s not confuse the situation unnecessarily.
@tswsl1989, I should have cited this earlier, but someone else in one of those threads (I don’t recall which) [1] cited check-host.net/check-http?host=http%3A%2F%2Fciscobinary.openh264.org%2Flibopenh264-2.5.1-linux64.7.so.bz2, which returns:
That’s what I’ve based this upon, alongside:
RokeJulianLockhart@Beedell:~$ sudo dnf5 upgrade -y --refresh --offline Updating and loading repositories: warpdotdev-preview 100% | 3.7 KiB/s | 1.5 KiB | 00m00s Visual Studio Code 100% | 3.8 KiB/s | 1.5 KiB | 00m00s virtio-win builds roughly matching what was shipped in latest RHEL 100% | 3.7 KiB/s | 1.5 KiB | 00m00s RPM Fusion for Fedora 43 - Nonfree 100% | 470.0 B/s | 9.2 KiB | 00m20s RPM Fusion for Fedora 43 - Nonfree - Updates 100% | 432.0 B/s | 8.3 KiB | 00m20s RPM Fusion for Fedora 43 - Free tainted 100% | 433.0 B/s | 8.2 KiB | 00m19s Fedora 43 - Updates Source 100% | 394.0 B/s | 7.4 KiB | 00m19s Fedora 43 - x86_64 - Updates - Debug 100% | 424.0 B/s | 7.9 KiB | 00m19s Fedora 43 - Source 100% | 909.0 B/s | 16.6 KiB | 00m19s Fedora 43 - x86_64 - Debug 100% | 894.0 B/s | 15.6 KiB | 00m18s Fedora 43 openh264 (From Cisco) - x86_64 - Source 100% | 56.0 B/s | 983.0 B | 00m17s Fedora 43 - x86_64 - Updates 100% | 673.0 B/s | 8.2 KiB | 00m13s Fedora 43 - x86_64 100% | 3.7 KiB/s | 18.4 KiB | 00m05s RPM Fusion for Fedora 43 - Nonfree tainted 100% | 4.3 KiB/s | 8.3 KiB | 00m02s RPM Fusion for Fedora 43 - Free - Updates 100% | 5.2 KiB/s | 8.2 KiB | 00m02s RPM Fusion for Fedora 43 - Free 100% | 7.1 KiB/s | 9.0 KiB | 00m01s Fedora 43 openh264 (From Cisco) - x86_64 100% | 1.1 KiB/s | 986.0 B | 00m01s Copr repo for prismlauncher owned by g3tchoo 100% | 5.0 KiB/s | 1.5 KiB | 00m00s Copr repo for onedriver owned by jstaf 100% | 5.9 KiB/s | 1.5 KiB | 00m00s Copr repo for ventoy owned by karlisk 100% | 1.4 KiB/s | 632.0 B | 00m00s >>> Status code: 404 for https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml (IP: 143.204.68.70) - https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml >>> Status code: 404 for https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml (IP: 143.204.68.70) - 
https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml >>> Status code: 404 for https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml (IP: 143.204.68.70) - https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml >>> Status code: 404 for https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml (IP: 143.204.68.70) - https://download.copr.fedorainfracloud.org/results/karlisk/ventoy/fedora-43-x86_64/repodata/repomd.xml >>> Usable URL not found Fedora 43 openh264 (From Cisco) - x86_64 - Debug 100% | 274.5 KiB/s | 1.9 MiB | 00m07s >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 140.211.169.196) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 140.211.169.196) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 140.211.169.196) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 140.211.169.196) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 
152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) - https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 >>> Cannot prepare internal mirrorlist: Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-43&arch=x86_64 (IP: 152.2.23.104) Repositories loaded.
Explanations might exist for any of these. However, sufficient correlation must eventually equate to causation. I’ll be glad for it to not be, however.
The server information page from that site shows that MaxMind have that IP located in Moscow, which would presumably be why it’s blocked (Click the server location in the table).
The dnf output shows that the server can’t find the debug repository information, which probably isn’t needed but in any case would be a different problem - status code 404 is “not found”, rather than 403 Forbidden which is what shows up for blocked requests.
If as a user located in the UK (or any other nation not covered by US restrictions) you can’t install updates because you can’t download the Cisco provided openh264 package, that’s probably worth moving to a separate thread/bug report.
The URL that’s being checked there works fine for me (also in the UK) when I curl it.
So I guess there isn’t a blanket block, but some UK IP addresses have somehow got sucked in.
In fact, on that page, if you click on the “UK (Coventry)” server in that table, you can see that one geolocation service thinks it’s in Moscow.
As far as I know, RPM Fusion’s FFmpeg does everything OpenH264 does (and much more), so yeah, that should be safe.
I have tried to come up with a user-friendly automated solution and created a script that has different logic for classic Fedora (DNF) versions and for Atomic (ostree) ones. It should work fine on Fedora versions 40 and newer.
I’ve uploaded it to my repo: GitHub - supertico/fedora-open264-geoblock-fix: Fedora Linux Cisco openH264 geoblock issue fix + multimedia codecs install solution / Solution for lifting the Fedora Linux update block caused by the geoblock + automatic installation of multimedia codecs
Everyone is welcome to have a look and give it a try.
It completely removes problematic Cisco dependencies for both dnf/ostree & flatpak and installs necessary codecs with hardware acceleration for video and audio.
Hope this will help affected users.
It can be run directly from the terminal:
curl -sSL https://raw.githubusercontent.com/supertico/fedora-open264-geoblock-fix/main/fedora-cisco-403-mitigation.sh | sudo bash
Let me know what you think.
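An alternative to piping the download straight into a root shell, as an added example that is not part of the original post or the linked repository: the script is saved to a file over HTTPS only, compared against a SHA-256 recorded after reading it, and run as root only on a match. `EXPECTED_SHA256` is a placeholder and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the post): download, verify, then run as root.

# URL from the post. It tracks the mutable `main` branch; replacing `main`
# with a full commit ID in the raw URL pins the content that was reviewed.
SCRIPT_URL='https://raw.githubusercontent.com/supertico/fedora-open264-geoblock-fix/main/fedora-cisco-403-mitigation.sh'
# Placeholder: the digest you computed with sha256sum after reviewing the file.
EXPECTED_SHA256='<sha256-of-the-reviewed-script>'

# Succeed only if the file's SHA-256 equals the expected hex digest.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Fetch url to a temporary file, verify it, and only then execute it with sudo.
run_reviewed_script() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    # --proto '=https' rejects every other scheme, -f fails on HTTP errors
    # such as the 403 and 404 responses discussed in this thread.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! sha256_matches "$tmp" "$expected"; then
        echo "checksum mismatch, not running $url" >&2
        rm -f "$tmp"
        return 1
    fi
    status=0
    sudo bash "$tmp" || status=$?
    rm -f "$tmp"
    return "$status"
}

# Usage: run_reviewed_script "$SCRIPT_URL" "$EXPECTED_SHA256"
```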
