diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
index 7f65a523..e4bdfd04 100755
--- a/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
+++ b/.github/actions/openziti-tunnel-build-action/redhat-8/entrypoint.sh
@@ -47,7 +47,6 @@ cmake -E make_directory ./build
             --preset "${cmake_preset}" \
             -DCMAKE_BUILD_TYPE="${cmake_config}" \
             -DBUILD_DIST_PACKAGES=ON \
-            -DUSE_OPENSSL=ON \
             -S . \
             -B ./build 
     source scl_source enable gcc-toolset-10 \
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile
new file mode 100644
index 00000000..bb42556f
--- /dev/null
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile
@@ -0,0 +1,52 @@
+ARG CMAKE_VERSION="3.26.3"
+
+FROM rockylinux:9
+
+ARG CMAKE_VERSION
+
+LABEL org.opencontainers.image.authors="support@netfoundry.io"
+
+USER root
+WORKDIR /root/
+
+ENV PATH="/usr/local/:${PATH}"
+ENV GIT_DISCOVERY_ACROSS_FILESYSTEM=1
+ENV TZ=UTC
+
+RUN dnf install -y \
+        "@Development Tools" \
+        dnf-plugins-core \
+        iproute \
+        python3 \
+        systemd-devel \
+        zlib-devel \
+        systemd-rpm-macros \
+        cmake-rpm-macros  \
+        openssl-devel \
+        libatomic \
+    && dnf config-manager --set-enabled crb \
+    && dnf install -y \
+        doxygen \
+        graphviz \
+        git \
+        ninja-build \
+    && dnf clean all 
+
+RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \
+    && (bash cmake.sh --skip-license --prefix=/usr/local) \
+    && rm cmake.sh
+
+ENV GIT_CONFIG_GLOBAL="/tmp/ziti-builder-gitconfig"
+
+ENV VCPKG_ROOT=/usr/local/vcpkg
+# this must be set on arm. see https://learn.microsoft.com/en-us/vcpkg/users/config-environment#vcpkg_force_system_binaries
+ENV VCPKG_FORCE_SYSTEM_BINARIES=yes
+
+RUN cd /usr/local \
+    && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \
+    && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics \
+    && chmod -R ugo+rwX /usr/local/vcpkg
+
+WORKDIR /github/workspace
+COPY ./entrypoint.sh /root/
+ENTRYPOINT [ "/root/entrypoint.sh" ]
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
new file mode 100755
index 00000000..e435407f
--- /dev/null
+++ b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# RedHat 9
+#
+
+set -euo pipefail
+
+# these commands must be in the entrypoint so they are run after workspace is mounted on Docker workdir
+echo "INFO: GIT_DISCOVERY_ACROSS_FILESYSTEM=${GIT_DISCOVERY_ACROSS_FILESYSTEM}"
+echo "INFO: WORKDIR=${PWD}"
+echo "INFO: $(git --version)"
+
+# if first positional is an expected arch string then set cmake preset,
+# else use ci-linux-x64 (which actually just uses native/host tools - e.g. not cross compile)
+if [ ${#} -ge 1 ]; then
+    cmake_preset="${1}"
+else
+    cmake_preset="ci-linux-x64"
+fi
+
+if [ ${#} -ge 2 ]; then
+    cmake_config="${2}"
+else
+    cmake_config="Release"
+fi
+
+# workspace dir for each build env is added to "safe" dirs in global config e.g.
+# ~/.gitconfig so both runner and builder containers trust these dirs
+# owned by different UIDs from that of Git's EUID. This is made necessary
+# by newly-enforced directory boundaries in Git v2.35.2
+# ref: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
+for SAFE in \
+    /github/workspace \
+    /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c \
+    /mnt ; do
+        git config --global --add safe.directory ${SAFE}
+done
+
+(
+    [[ -d ./build ]] && rm -r ./build
+    cmake -E make_directory ./build  
+    # allow unset for scl_source scripts
+    set +u
+    cmake \
+        --preset "${cmake_preset}" \
+        -DCMAKE_BUILD_TYPE="${cmake_config}" \
+        -DBUILD_DIST_PACKAGES=ON \
+        -S . \
+        -B ./build 
+    cmake \
+        --build ./build \
+        --config "${cmake_config}" \
+        --target package \
+        --verbose
+)
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
index a1532c10..1fab2fa4 100644
--- a/.github/workflows/cmake.yml
+++ b/.github/workflows/cmake.yml
@@ -1,12 +1,9 @@
 name: CI build
 
 on:
-  push:
-    branches: [ '**' ]
-
   pull_request:
     branches: [ main ]
-
+  workflow_dispatch:
   workflow_call:
 
 jobs:
diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml
index 12d641e1..ee7f236f 100644
--- a/.github/workflows/cpack.yml
+++ b/.github/workflows/cpack.yml
@@ -58,6 +58,11 @@ jobs:
             release_name: ${{ null }}
             type: rpm
             container: docker.io/library/rockylinux:8
+          - name: redhat
+            version: "9"
+            release_name: ${{ null }}
+            type: rpm
+            container: docker.io/library/rockylinux:9
         exclude:
           - distro:
               name: ubuntu
@@ -86,7 +91,7 @@ jobs:
     steps:
       # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone
       # which enables cmake version discovery
-      - name: install Modern Git in runner container if Ubuntu
+      - name: install contemporary Git in runner container if Ubuntu
         if: ${{ matrix.distro.name == 'ubuntu' }}
         run: |
           apt -y update
@@ -96,14 +101,14 @@ jobs:
           apt -y install git
           git --version
 
-      - name: install Modern Git in runner container if RedHat 8
-        if: ${{ matrix.distro.name == 'redhat' && matrix.distro.version == '8' }}
+      - name: install contemporary Git in runner container if RedHat 8 or 9
+        if: ${{ matrix.distro.name == 'redhat' && (matrix.distro.version == '8' || matrix.distro.version == '9') }}
         run: |
           dnf -y update
           dnf -y install git
           git --version
 
-      - name: install Modern Git in runner container if RedHat 7
+      - name: install contemporary Git in runner container if RedHat 7
         if: ${{ matrix.distro.name == 'redhat' && matrix.distro.version == '7' }}
         run: |
           yum -y update
diff --git a/docker/linux-cross-build.sh b/docker/linux-cross-build.sh
index a69805e8..e96789e9 100755
--- a/docker/linux-cross-build.sh
+++ b/docker/linux-cross-build.sh
@@ -8,7 +8,6 @@ set -x
 
 DIRNAME=$(dirname $0)
 REPO_DIR=${DIRNAME}/..            # parent of the top-level dir where this script lives
-: ${USE_OPENSSL:="OFF"}
 : ${TARGET:="bundle"}
 : ${BUILD_DIST_PACKAGES:="OFF"}
 : ${DISABLE_LIBSYSTEMD_FEATURE:="OFF"}
@@ -16,12 +15,7 @@ REPO_DIR=${DIRNAME}/..            # parent of the top-level dir where this scrip
 if (( ${#} )); then
     for OPT in ${*}; do
         case $OPT in
-            --openssl)
-                USE_OPENSSL="ON"
-                shift
-            ;;
             --package)
-                USE_OPENSSL="ON"
                 TARGET="package"
                 BUILD_DIST_PACKAGES="ON"
                 shift
@@ -50,7 +44,6 @@ for ARCH in ${JOBS[@]}; do
         amd64)  { cmake \
                     -DCMAKE_BUILD_TYPE=Release \
                     -DCMAKE_TOOLCHAIN_FILE=${REPO_DIR}/toolchains/default.cmake \
-                    -DUSE_OPENSSL=${USE_OPENSSL} \
                     -DBUILD_DIST_PACKAGES=${BUILD_DIST_PACKAGES} \
                     -DDISABLE_LIBSYSTEMD_FEATURE=${DISABLE_LIBSYSTEMD_FEATURE} \
                     -S ${REPO_DIR} \
@@ -64,7 +57,6 @@ for ARCH in ${JOBS[@]}; do
         arm64)  { cmake \
                     -DCMAKE_BUILD_TYPE=Release \
                     -DCMAKE_TOOLCHAIN_FILE=${REPO_DIR}/toolchains/Linux-arm64.cmake \
-                    -DUSE_OPENSSL=${USE_OPENSSL} \
                     -DBUILD_DIST_PACKAGES=${BUILD_DIST_PACKAGES} \
                     -DDISABLE_LIBSYSTEMD_FEATURE=${DISABLE_LIBSYSTEMD_FEATURE} \
                     -S ${REPO_DIR} \
@@ -78,7 +70,6 @@ for ARCH in ${JOBS[@]}; do
         arm)    { cmake \
                     -DCMAKE_BUILD_TYPE=Release \
                     -DCMAKE_TOOLCHAIN_FILE=${REPO_DIR}/toolchains/Linux-arm.cmake \
-                    -DUSE_OPENSSL=${USE_OPENSSL} \
                     -DBUILD_DIST_PACKAGES=${BUILD_DIST_PACKAGES} \
                     -DDISABLE_LIBSYSTEMD_FEATURE=${DISABLE_LIBSYSTEMD_FEATURE} \
                     -S ${REPO_DIR} \
diff --git a/docker/linux-native-build.sh b/docker/linux-native-build.sh
index dfbb04eb..6b5352f4 100755
--- a/docker/linux-native-build.sh
+++ b/docker/linux-native-build.sh
@@ -8,7 +8,6 @@ set -x
 
 DIRNAME=$(dirname $0)
 REPO_DIR=${DIRNAME}/..            # parent of the top-level dir where this script lives
-: ${USE_OPENSSL:="OFF"}
 : ${TARGET:="bundle"}
 : ${BUILD_DIST_PACKAGES:="OFF"}
 : ${DISABLE_LIBSYSTEMD_FEATURE:="OFF"}
@@ -16,12 +15,7 @@ REPO_DIR=${DIRNAME}/..            # parent of the top-level dir where this scrip
 if (( ${#} )); then
     for OPT in ${*}; do
         case $OPT in
-            --openssl)
-                USE_OPENSSL="ON"
-                shift
-            ;;
             --package)
-                USE_OPENSSL="ON"
                 TARGET="package"
                 BUILD_DIST_PACKAGES="ON"
                 shift
@@ -41,7 +35,6 @@ mkdir ${CMAKE_BUILD_DIR}
 cmake \
     -DCMAKE_BUILD_TYPE=Release \
     -DCMAKE_TOOLCHAIN_FILE=${REPO_DIR}/toolchains/default.cmake \
-    -DUSE_OPENSSL=${USE_OPENSSL} \
     -DBUILD_DIST_PACKAGES=${BUILD_DIST_PACKAGES} \
     -DDISABLE_LIBSYSTEMD_FEATURE=${DISABLE_LIBSYSTEMD_FEATURE} \
     -S ${REPO_DIR} \
diff --git a/scripts/openwrt-build.sh b/scripts/openwrt-build.sh
index f007a42a..511fd49d 100755
--- a/scripts/openwrt-build.sh
+++ b/scripts/openwrt-build.sh
@@ -90,7 +90,7 @@ if [ -x /usr/bin/ninja ]; then
 fi
 
 if [ -f "$target_dir/usr/include/openssl/opensslv.h" ]; then
-  CMAKE_OPTS="$CMAKE_OPTS -DUSE_OPENSSL=on"
+  CMAKE_OPTS="$CMAKE_OPTS"
 fi
 
 if [ -f "$target_dir/usr/include/sodium.h" ]; then