diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index f016e01b4b..08a2d47974 100644
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -526,7 +526,7 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
 		return errors.New("tls: server chose an unconfigured cipher suite")
 	}
 
-	if hs.c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
+	if hs.c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
 		tlsrsakex.IncNonDefault()
 	}
 
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 8129e9c616..4e84aa9d8f 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -370,7 +370,7 @@ func (hs *serverHandshakeState) pickCipherSuite() error {
 	}
 	c.cipherSuite = hs.suite.id
 
-	if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
+	if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
 		tlsrsakex.IncNonDefault()
 	}