ruby · rhenium · Sep 17, 2025 · Aug 29, 2025
diff --git a/Rakefile b/Rakefile
@@ -34,7 +34,6 @@ Rake::TestTask.new(:test_fips_internal) do |t|
     'test/openssl/test_ns_spki.rb',
     'test/openssl/test_ocsp.rb',
     'test/openssl/test_pkcs12.rb',
-    'test/openssl/test_ssl.rb',
     'test/openssl/test_ts.rb',
     'test/openssl/test_x509cert.rb',
     'test/openssl/test_x509crl.rb',

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -685,6 +685,8 @@ def test_sslctx_set_params
   end
 
   def test_post_connect_check_with_anon_ciphers
+    # DH missing the q value on unknown named parameters is not FIPS-approved.
+    omit_on_fips
     omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
 
     ctx_proc = -> ctx {
@@ -1747,6 +1749,9 @@ def test_sync_close_without_connect
   end
 
   def test_get_ephemeral_key
+    # kRSA is not FIPS-approved.
+    omit_on_fips
+
     # kRSA
     ctx_proc1 = proc { |ctx|
       ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
@@ -1863,6 +1868,8 @@ def test_fallback_scsv
   end
 
   def test_tmp_dh_callback
+    # DH missing the q value on unknown named parameters is not FIPS-approved.
+    omit_on_fips
     omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
 
     dh = Fixtures.pkey("dh-1")
@@ -2131,6 +2138,8 @@ def test_connect_works_when_setting_dh_callback_to_nil
   end
 
   def test_tmp_dh
+    # DH missing the q value on unknown named parameters is not FIPS-approved.
+    omit_on_fips
     omit "AWS-LC does not support DHE ciphersuites" if aws_lc?
 
     dh = Fixtures.pkey("dh-1")