diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index b9c95225a..1dfc760f9 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1806,6 +1806,12 @@ print_cipher(const cipher_kt_t *cipher)
     {
         printf(", TLS client/server mode only");
     }
+#ifdef OPENSSL_FIPS
+    if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+    {
+        printf(", disabled by FIPS mode");
+    }
+#endif
 
     printf(")\n");
 }
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b55d32b2c..419265a51 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -599,7 +599,17 @@ cipher_kt_get(const char *ciphername)
         return NULL;
     }
 
+#ifdef OPENSSL_FIPS
+    /* Rhel 8/CentOS 8 have a patched OpenSSL version that return a cipher
+     * here that is actually not usable if in FIPS mode */
 
+    if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+    {
+        msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but "
+                    "currently disabled by running in FIPS mode.", ciphername);
+        return NULL;
+    }
+#endif
     if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH)
     {
         msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "