Fix broken sslapitest with old FIPS providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Apr 16 06:34:31 2026
(Merged from https://github.com/openssl/openssl/pull/30858)

diff --git a/test/sslapitest.c b/test/sslapitest.c
index 0cdb0f0a1b02f49527203b5f8f4af1ddd855dd00..411d0076812b2791e1e33c64a8d548c3bb500d4e 100644 (file)
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -9700,7 +9700,8 @@ static int cert_cb(SSL *s, void *arg)
 
         chain = sk_X509_new_null();
 #ifndef OPENSSL_NO_ML_DSA
-        if (SSL_version(s) >= TLS1_3_VERSION) {
+        if (SSL_version(s) >= TLS1_3_VERSION
+            && fips_provider_version_ge(libctx, 3, 5, 0)) {
             if (!TEST_ptr(chain)
                 || !TEST_true(load_chain("root-ml-dsa-44-cert.pem", NULL, NULL, chain))
                 || !TEST_true(load_chain("server-ml-dsa-44-cert.pem", NULL, &x509, NULL))