diff --git a/gsi_openssh/source/channels.c b/gsi_openssh/source/channels.c
index 7aec82aef..5e44b66e3 100644
--- a/gsi_openssh/source/channels.c
+++ b/gsi_openssh/source/channels.c
@@ -5024,7 +5024,7 @@ x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
 				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
 #ifdef EPFNOSUPPORT
 				    && (errno != EPFNOSUPPORT)
-#endif 
+#endif
 				    ) {
 					error("socket: %.100s", strerror(errno));
 					freeaddrinfo(aitop);
@@ -5196,7 +5196,7 @@ x11_connect_display(struct ssh *ssh)
 			debug("x11_connect_display: $DISPLAY is launchd");
 
 			/* Create a socket. */
-			sock = connect_local_xsocket_path(path);
+			sock = connect_local_xsocket_path(path, sizeof(path));
 			if (sock < 0)
 				return -1;
 
diff --git a/gsi_openssh/source/dh.c b/gsi_openssh/source/dh.c
index c10ca8873..73caa8955 100644
--- a/gsi_openssh/source/dh.c
+++ b/gsi_openssh/source/dh.c
@@ -36,7 +36,6 @@
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/fips.h>
 #include <openssl/evp.h>
 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #include <openssl/core_names.h>
diff --git a/gsi_openssh/source/fips_mode_replacement.h b/gsi_openssh/source/fips_mode_replacement.h
index d68cc571d..64d55f4f3 100644
--- a/gsi_openssh/source/fips_mode_replacement.h
+++ b/gsi_openssh/source/fips_mode_replacement.h
@@ -1,12 +1,12 @@
 /*
  * Copyright 2021- Grid Community Forum
- * 
+ *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- * 
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,6 +17,7 @@
 #ifndef FIPS_MODE_REPLACEMENT_H
 #define FIPS_MODE_REPLACEMENT_H
 
+
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 /*
  * OpenSSL versions 3.0 and up no longer have FIPS_mode(). To support both
@@ -26,6 +27,8 @@
 # ifndef FIPS_mode
 #  define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
 # endif /* FIPS_mode */
+#elif /* openssl */
+#include <openssl/fips.h>
 #endif /* openssl */
 
 #endif /* FIPS_MODE_REPLACEMENT_H */
diff --git a/gsi_openssh/source/kex.c b/gsi_openssh/source/kex.c
index 62057fca4..8bc072d01 100644
--- a/gsi_openssh/source/kex.c
+++ b/gsi_openssh/source/kex.c
@@ -39,7 +39,6 @@
 
 #ifdef WITH_OPENSSL
 #include <openssl/crypto.h>
-#include <openssl/fips.h>
 #include <openssl/dh.h>
 # ifdef HAVE_EVP_KDF_CTX_NEW_ID
 # include <openssl/kdf.h>
@@ -1724,7 +1723,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
 
 #ifdef WITH_OPENSSL
 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
-/* 
+/*
  * Creates an EVP_PKEY from the given parameters and keys.
  * The private key can be omitted.
  */
diff --git a/gsi_openssh/source/kexgen.c b/gsi_openssh/source/kexgen.c
index f01f456a5..c0a5c09d6 100644
--- a/gsi_openssh/source/kexgen.c
+++ b/gsi_openssh/source/kexgen.c
@@ -31,7 +31,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <signal.h>
-#include <openssl/fips.h>
 
 #include "fips_mode_replacement.h"
 
diff --git a/gsi_openssh/source/kexgexc.c b/gsi_openssh/source/kexgexc.c
index 597c45a71..39cd15c0d 100644
--- a/gsi_openssh/source/kexgexc.c
+++ b/gsi_openssh/source/kexgexc.c
@@ -28,7 +28,6 @@
 
 #ifdef WITH_OPENSSL
 
-#include <openssl/fips.h>
 #include <sys/types.h>
 
 #include <openssl/dh.h>
diff --git a/gsi_openssh/source/readconf.c b/gsi_openssh/source/readconf.c
index 9df99551c..b543d1499 100644
--- a/gsi_openssh/source/readconf.c
+++ b/gsi_openssh/source/readconf.c
@@ -39,7 +39,6 @@
 #include <string.h>
 #include <stdarg.h>
 #include <unistd.h>
-#include <openssl/fips.h>
 #ifdef USE_SYSTEM_GLOB
 # include <glob.h>
 #else
diff --git a/gsi_openssh/source/servconf.c b/gsi_openssh/source/servconf.c
index 32557e1ea..2dd234088 100644
--- a/gsi_openssh/source/servconf.c
+++ b/gsi_openssh/source/servconf.c
@@ -38,7 +38,6 @@
 #include <limits.h>
 #include <stdarg.h>
 #include <errno.h>
-#include <openssl/fips.h>
 #ifdef HAVE_UTIL_H
 #include <util.h>
 #endif
diff --git a/gsi_openssh/source/ssh-ecdsa.c b/gsi_openssh/source/ssh-ecdsa.c
index 148bfc861..bd1bfedaf 100644
--- a/gsi_openssh/source/ssh-ecdsa.c
+++ b/gsi_openssh/source/ssh-ecdsa.c
@@ -49,6 +49,10 @@
 
 #include "openbsd-compat/openssl-compat.h"
 
+#ifdef ENABLE_PKCS11
+#include "ssh-pkcs11.h"
+#endif
+
 static u_int
 ssh_ecdsa_size(const struct sshkey *key)
 {
@@ -597,7 +601,7 @@ ssh_create_evp_ec(EC_KEY *k, int ecdsa_nid, EVP_PKEY **pkey)
 	OSSL_PARAM_BLD *param_bld = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
   	BN_CTX *bn_ctx = NULL;
-  	uint8_t *pub_ser = NULL; 
+  	uint8_t *pub_ser = NULL;
   	const char *group_name;
   	const EC_POINT *pub = NULL;
   	const BIGNUM *priv = NULL;
diff --git a/gsi_openssh/source/ssh-ed25519.c b/gsi_openssh/source/ssh-ed25519.c
index c3e335a35..224e34feb 100644
--- a/gsi_openssh/source/ssh-ed25519.c
+++ b/gsi_openssh/source/ssh-ed25519.c
@@ -24,7 +24,6 @@
 
 #include <string.h>
 #include <stdarg.h>
-#include <openssl/fips.h>
 
 #include "fips_mode_replacement.h"
 
diff --git a/gsi_openssh/source/ssh-keygen.c b/gsi_openssh/source/ssh-keygen.c
index 78b189fd0..707ec592c 100644
--- a/gsi_openssh/source/ssh-keygen.c
+++ b/gsi_openssh/source/ssh-keygen.c
@@ -20,7 +20,6 @@
 
 #ifdef WITH_OPENSSL
 #include <openssl/evp.h>
-#include <openssl/fips.h>
 #include <openssl/pem.h>
 #include "openbsd-compat/openssl-compat.h"
 #endif
diff --git a/gsi_openssh/source/ssh-rsa.c b/gsi_openssh/source/ssh-rsa.c
index acb6392a4..0b0ee0b7e 100644
--- a/gsi_openssh/source/ssh-rsa.c
+++ b/gsi_openssh/source/ssh-rsa.c
@@ -27,7 +27,6 @@
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
 # endif
-#include <openssl/fips.h>
 
 #include "fips_mode_replacement.h"
 
@@ -43,6 +42,10 @@
 
 #include "openbsd-compat/openssl-compat.h"
 
+#ifdef ENABLE_PKCS11
+#include "ssh-pkcs11.h"
+#endif
+
 # if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
 # else
diff --git a/gsi_openssh/source/ssh.c b/gsi_openssh/source/ssh.c
index bcf37dba2..51e26273f 100644
--- a/gsi_openssh/source/ssh.c
+++ b/gsi_openssh/source/ssh.c
@@ -77,7 +77,6 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #endif
-#include <openssl/fips.h>
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
 #include "fips_mode_replacement.h"
diff --git a/gsi_openssh/source/sshconnect2.c b/gsi_openssh/source/sshconnect2.c
index 6a3a13a1d..2561b476a 100644
--- a/gsi_openssh/source/sshconnect2.c
+++ b/gsi_openssh/source/sshconnect2.c
@@ -45,7 +45,6 @@
 #include <vis.h>
 #endif
 
-#include <openssl/fips.h>
 #include "fips_mode_replacement.h"
 
 #include "openbsd-compat/sys-queue.h"
diff --git a/gsi_openssh/source/sshd.c b/gsi_openssh/source/sshd.c
index cc5db938a..81ce10838 100644
--- a/gsi_openssh/source/sshd.c
+++ b/gsi_openssh/source/sshd.c
@@ -81,7 +81,6 @@
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
-#include <openssl/fips.h>
 #include "openbsd-compat/openssl-compat.h"
 #endif
 #include "fips_mode_replacement.h"
diff --git a/gsi_openssh/source/sshkey.c b/gsi_openssh/source/sshkey.c
index be7be22b7..e67417915 100644
--- a/gsi_openssh/source/sshkey.c
+++ b/gsi_openssh/source/sshkey.c
@@ -38,7 +38,6 @@
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
 # endif
-#include <openssl/fips.h>
 #endif
 #include "fips_mode_replacement.h"