diff --git a/002-fips-disable-ansi_cprng.patch b/002-fips-disable-ansi_cprng.patch
new file mode 100644
index 0000000..b7f2980
--- /dev/null
+++ b/002-fips-disable-ansi_cprng.patch
@@ -0,0 +1,74 @@
+From 873842046678d109d8e382ce2e2870909876bbfe Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich
+Date: Fri, 11 Aug 2023 12:20:22 +0200
+Subject: [PATCH] Disable test of obsolete ansi_cprng in FIPS mode
+
+Signed-off-by: Zoltan Fridrich
+Signed-off-by: Stephan Mueller
+---
+ test/kcapi-main.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/test/kcapi-main.c b/test/kcapi-main.c
+index 67fb53f..23fc8ed 100644
+--- a/test/kcapi-main.c
++++ b/test/kcapi-main.c
+@@ -652,8 +652,6 @@ static int is_fips_mode(void)
+ static int auxiliary_tests(void)
+ {
+ struct kcapi_handle *handle = NULL;
+- const char *ansi_cprng_name = is_fips_mode() ? "fips(ansi_cprng)"
+- : "ansi_cprng";
+ int ret = 0;
+
+ if (kcapi_aead_init(&handle, "ccm(aes)", 0)) {
+@@ -711,27 +709,28 @@ static int auxiliary_tests(void)
+ if (aux_test_rng("drbg_nopr_ctr_aes256", NULL, 0))
+ ret++;
+
+- /* X9.31 RNG must require seed */
+- printf("X9.31 missing seeding: ");
+- if (!aux_test_rng(ansi_cprng_name, NULL, 0))
+- ret++;
+- /* X9.31 seed too short */
+- printf("X9.31 insufficient seeding: ");
+- if (!aux_test_rng(ansi_cprng_name,
+- (uint8_t *)
+- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
+- ret++;
+- /* X9.31 seed right sized short */
+- if (aux_test_rng(ansi_cprng_name,
+- (uint8_t *)
+- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+- "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
+- "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
+- printf("Error for %s: kernel module ansi_cprng present?\n",
+- ansi_cprng_name);
+- ret++;
++ if (!is_fips_mode()) {
++ /* X9.31 RNG must require seed */
++ printf("X9.31 missing seeding: ");
++ if (!aux_test_rng("ansi_cprng", NULL, 0))
++ ret++;
++ /* X9.31 seed too short */
++ printf("X9.31 insufficient seeding: ");
++ if (!aux_test_rng("ansi_cprng",
++ (uint8_t *)
++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 16))
++ ret++;
++ /* X9.31 seed right sized short */
++ if (aux_test_rng("ansi_cprng",
++ (uint8_t *)
++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08"
++ "\x00\x01\x02\x03\x04\x05\x06\x07\x08", 32)) {
++ printf("Error for ansi_cprng: kernel module ansi_cprng present?\n");
++ ret++;
++ }
+ }
+
+ return ret;
diff --git a/libkcapi.spec b/libkcapi.spec
index 35ae3cf..e02f548 100644
--- a/libkcapi.spec
+++ b/libkcapi.spec
@@ -135,6 +135,7 @@ Source2: sha512hmac-openssl.sh
 Source3: fipshmac-openssl.sh
 Patch1: 001-tests-kernel-version.patch
+Patch2: 002-fips-disable-ansi_cprng.patch
 BuildRequires: bash
 BuildRequires: coreutils
@@ -516,6 +517,8 @@ popd
 * Wed Nov 01 2023 Zoltan Fridrich - 1.4.0-1
 - Update to new upstream release 1.4.0
 Resolves: RHEL-5366
+- Add a patch to fix auxiliary tests in FIPS mode
+ Resolves: RHEL-2406
 * Tue May 26 2020 Sahana Prasad - 1.2.0-2
 - Fix double free issue in hasher()
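Review bot: With the X9.31 block now wrapped in `if (!is_fips_mode())`, auxiliary_tests() skips all three ansi_cprng checks in FIPS mode without printing anything, so a FIPS-mode test log gives no sign that the seeding checks were not run. An `else` branch with a line such as `printf("X9.31 tests skipped in FIPS mode\n");` would make the skip visible to whoever audits the run. If the supported kernels are expected to refuse ansi_cprng in FIPS mode (not visible from this patch), that branch could instead assert that the `aux_test_rng("ansi_cprng", ...)` call with the 32-byte seed fails, which would keep a regression check that the obsolete RNG stays unavailable. The body of auxiliary_tests() continues outside the two inner hunks shown.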