diff --git a/gsi_openssh/source/fips_mode_replacement.h b/gsi_openssh/source/fips_mode_replacement.h
index 293c3ec03..3af6f8b65 100644
--- a/gsi_openssh/source/fips_mode_replacement.h
+++ b/gsi_openssh/source/fips_mode_replacement.h
@@ -14,12 +14,16 @@
 * limitations under the License.
 */
+#ifndef FIPS_MODE_REPLACEMENT_H
+#define FIPS_MODE_REPLACEMENT_H
+
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 /*
- * OpenSSL version 3.0 and up no longer has FIPS_mode().
- * Making a replacement function is not feasible since FIPS would need to be
- * initialized differently in any case.
- * See https://www.openssl.org/docs/manmaster/man7/fips_module.html for details
+ * OpenSSL versions 3.0 and up no longer have FIPS_mode(). To support both
+ * OpenSSL 3.x and older versions for other OSes, we use the replacement
+ * function as shipped by Fedora/RHEL/CentOS in their OpenSSL 3.x packages.
 */
-# define FIPS_mode() 0
-#endif
\ No newline at end of file
+# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
+#endif
+
+#endif /* FIPS_MODE_REPLACEMENT_H */
diff --git a/gsi_openssh/source/kexgex.c b/gsi_openssh/source/kexgex.c
index 85fd4e848..8040a1320 100644
--- a/gsi_openssh/source/kexgex.c
+++ b/gsi_openssh/source/kexgex.c
@@ -34,7 +34,6 @@
 #include
 #include "openbsd-compat/openssl-compat.h"
-#include "fips_mode_replacement.h"
 #include "sshkey.h"
 #include "cipher.h"
diff --git a/gsi_openssh/source/kexgexc.c b/gsi_openssh/source/kexgexc.c
index 253573229..21c006a3d 100644
--- a/gsi_openssh/source/kexgexc.c
+++ b/gsi_openssh/source/kexgexc.c
@@ -39,6 +39,7 @@
 #include
 #include "openbsd-compat/openssl-compat.h"
+#include "fips_mode_replacement.h"
 #include "sshkey.h"
 #include "cipher.h"
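Review bot: In fips_mode_replacement.h the new `FIPS_mode()` macro depends on two things the header does not bring in itself: `OPENSSL_VERSION_NUMBER` (an undefined macro evaluates to 0 in `#if`, so the OpenSSL 3 branch would be skipped silently) and the declaration of `EVP_default_properties_is_fips_enabled`. Adding `#include <openssl/opensslv.h>` and `#include <openssl/evp.h>` inside the new include guard would make the header independent of include order; the kexgexc.c hunk places it after openssl-compat.h, which presumably supplies both today. The comment block should also say what the call actually reports: whether `fips=yes` is set in the default library context's properties, not whether a FIPS provider is loaded, so a host that loads the provider without that default property still gets 0 and any FIPS-only restrictions keyed on `FIPS_mode()` are not applied. Because the comment says the distribution packages ship the same replacement, wrapping the define in `#ifndef FIPS_mode` would avoid a redefinition if their OpenSSL headers already provide it.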