diff --git a/openssl.rpmlintrc b/openssl.rpmlintrc
new file mode 100644
index 0000000..3539843
--- /dev/null
+++ b/openssl.rpmlintrc
@@ -0,0 +1,9 @@
+# capi.so is a dummy only used on Windows, it doesn't need dependency information
+addFilter("E: shared-lib(rary)?-without-dependency-information /usr/lib64/engines-3/capi.so")
+
+# The sources are hobbled and thus not a valid URL. That's expected.
+addFilter("W: invalid-url Source0: openssl-[0-9\\.]+-hobbled.tar.gz")
+
+# Technically this warning is correct, but in the case of the openssl binary we
+# want to allow SSL_CTX_set_cipher_list
+addFilter("W: crypto-policy-non-compliance-openssl /usr/bin/openssl SSL_CTX_set_cipher_list")
diff --git a/openssl.spec b/openssl.spec
index fb4de73..874c0f3 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -24,6 +24,7 @@ Source: openssl-%{version}-hobbled.tar.gz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source3: genpatches
+Source4: openssl.rpmlintrc
 Source6: make-dummy-cert
 Source7: renew-dummy-cert
 Source9: configuration-switch.h
@@ -388,6 +389,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Apr 07 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-2
+- Silence a few rpmlint false positives.
+
 * Thu Apr 07 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-2
 - Allow disabling SHA1 signature creation and verification.
   Set rh-allow-sha1-signatures = no to disable.