diff --git a/internal/concierge/impersonator/impersonator_test.go b/internal/concierge/impersonator/impersonator_test.go
index 6eedd950..78e6e3f2 100644
--- a/internal/concierge/impersonator/impersonator_test.go
+++ b/internal/concierge/impersonator/impersonator_test.go
@@ -701,7 +701,7 @@ func TestImpersonator(t *testing.T) {
 testKubeAPIServerWasCalled := false
 var testKubeAPIServerSawHeaders http.Header
 testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Secure)
+ tlsserver.AssertTLS(t, r, ptls.Secure(nil))
 switch r.URL.Path {
 case "/api/v1/namespaces/kube-system/configmaps":
@@ -1780,7 +1780,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 testKubeAPIServerWasCalled := false
 testKubeAPIServerSawHeaders := http.Header{}
 testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Secure)
+ tlsserver.AssertTLS(t, r, ptls.Secure(nil))
 testKubeAPIServerWasCalled = true
 testKubeAPIServerSawHeaders = r.Header
diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
index c482c6d6..643ae03a 100644
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -59,7 +59,7 @@ func TestController(t *testing.T) {
 mux := http.NewServeMux()
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Default)
+ tlsserver.AssertTLS(t, r, ptls.Default(nil))
 mux.ServeHTTP(w, r)
 }), tlsserver.RecordTLSHello)
diff --git a/internal/controller/kubecertagent/pod_command_executor_test.go b/internal/controller/kubecertagent/pod_command_executor_test.go
index 934f102d..f046f851 100644
--- a/internal/controller/kubecertagent/pod_command_executor_test.go
+++ b/internal/controller/kubecertagent/pod_command_executor_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package kubecertagent
@@ -19,7 +19,7 @@ import (
 func TestSecureTLS(t *testing.T) {
 var sawRequest bool
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Secure)
+ tlsserver.AssertTLS(t, r, ptls.Secure(nil))
 sawRequest = true
 }), tlsserver.RecordTLSHello)
diff --git a/internal/net/phttp/phttp_test.go b/internal/net/phttp/phttp_test.go
index 83792df1..cb0f68a5 100644
--- a/internal/net/phttp/phttp_test.go
+++ b/internal/net/phttp/phttp_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package phttp
@@ -84,7 +84,7 @@ func TestClient(t *testing.T) {
 var sawRequest bool
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, tt.configFunc)
+ tlsserver.AssertTLS(t, r, tt.configFunc(nil))
 assertUserAgent(t, r)
 sawRequest = true
 }), tlsserver.RecordTLSHello)
diff --git a/internal/testutil/fakekubeapi/fakekubeapi.go b/internal/testutil/fakekubeapi/fakekubeapi.go
index 2b4e20c3..a1ba2793 100644
--- a/internal/testutil/fakekubeapi/fakekubeapi.go
+++ b/internal/testutil/fakekubeapi/fakekubeapi.go
@@ -56,7 +56,7 @@ func Start(t *testing.T, resources map[string]runtime.Object) (*httptest.Server,
 }
 server := tlsserver.TLSTestServer(t, httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
- tlsserver.AssertTLS(t, r, ptls.Secure)
+ tlsserver.AssertTLS(t, r, ptls.Secure(nil))
 obj, err := decodeObj(r)
 if err != nil {
diff --git a/internal/testutil/tlsserver/tlsserver.go b/internal/testutil/tlsserver/tlsserver.go
index 425c43c9..279540a5 100644
--- a/internal/testutil/tlsserver/tlsserver.go
+++ b/internal/testutil/tlsserver/tlsserver.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package tlsserver
@@ -66,7 +66,7 @@ func RecordTLSHello(server *httptest.Server) {
 }
 }
-func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) {
+func AssertTLS(t *testing.T, r *http.Request, tlsConfig *tls.Config) {
 t.Helper()
 m, ok := getCtxMap(r.Context())
@@ -78,8 +78,6 @@ func AssertTLS(t *testing.T, r *http.Request, tlsConfigFunc ptls.ConfigFunc) {
 info, ok := h.(*tls.ClientHelloInfo)
 require.True(t, ok)
- tlsConfig := tlsConfigFunc(nil)
-
 supportedVersions := []uint16{tlsConfig.MinVersion}
 ciphers := tlsConfig.CipherSuites
diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go
index bb837339..44989552 100644
--- a/internal/upstreamldap/upstreamldap_test.go
+++ b/internal/upstreamldap/upstreamldap_test.go
@@ -1820,7 +1820,7 @@ func TestRealTLSDialing(t *testing.T) {
 _, _ = recordFunc(info)
 r, err := http.NewRequestWithContext(info.Context(), http.MethodGet, "/this-is-ldap", nil)
 require.NoError(t, err)
- tlsserver.AssertTLS(t, r, ptls.DefaultLDAP)
+ tlsserver.AssertTLS(t, r, ptls.DefaultLDAP(nil))
 return nil, nil
 }
 })
diff --git a/test/integration/securetls_fips_test.go b/test/integration/securetls_fips_test.go
index c3449e1f..1a1c170c 100644
--- a/test/integration/securetls_fips_test.go
+++ b/test/integration/securetls_fips_test.go
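Review bot: `AssertTLS` now takes a `*tls.Config` and the second tlsserver.go hunk reads `tlsConfig.MinVersion` and `tlsConfig.CipherSuites` straight off it, so a caller that passes nil gets a nil-pointer panic inside the helper rather than a failure that names the helper; add `require.NotNil(t, tlsConfig)` directly after `t.Helper()`. Related, the securetls_fips_test change notes that "in fips mode the ciphers are nil" and patches a list in before calling this helper, so a caller that forgets that step would presumably end up comparing the recorded ClientHello against an empty expectation further down (the comparison itself is outside the hunk); `require.NotEmpty(t, tlsConfig.CipherSuites)` next to the nil check would turn that into a clear failure. The exported function also has no doc comment; based on what the visible lines read, something like `// AssertTLS fails the test unless the ClientHello recorded for r is consistent with the MinVersion and CipherSuites of tlsConfig (which must be non-nil).` would do, adjusted to whatever the assertions below actually check. AssertTLS's body continues past the end of the hunk.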
@@ -52,7 +52,10 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
 t.Log("testing FIPs tls config")
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Secure) // pinniped CLI uses ptls.Secure when talking to KAS
+ // in fips mode the ciphers are nil, so we need to replace them with what we actually expect.
+ secure := ptls.Secure(nil)
+ secure.CipherSuites = defaultCipherSuitesFIPS
+ tlsserver.AssertTLS(t, r, secure) // pinniped CLI uses ptls.Secure when talking to KAS
 w.Header().Set("content-type", "application/json")
 fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
 `"status":{"credential":{"token":"some-fancy-token"}}}`)
@@ -83,7 +86,9 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
 _ = testlib.IntegrationEnv(t)
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Default) // pinniped CLI uses ptls.Default when talking to supervisor
+ defaultTLS := ptls.Default(nil)
+ defaultTLS.CipherSuites = defaultCipherSuitesFIPS
+ tlsserver.AssertTLS(t, r, defaultTLS) // pinniped CLI uses ptls.Default when talking to supervisor
 w.Header().Set("content-type", "application/json")
 fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
 }), tlsserver.RecordTLSHello)
diff --git a/test/integration/securetls_test.go b/test/integration/securetls_test.go
index c8126162..0087232d 100644
--- a/test/integration/securetls_test.go
+++ b/test/integration/securetls_test.go
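Review bot: The second hunk in securetls_fips_test.go repeats the first hunk's construct-then-overwrite-`CipherSuites` sequence but drops the comment explaining why (`// in fips mode the ciphers are nil, ...`), so the reason for substituting `defaultCipherSuitesFIPS` is documented at only one of the two sites. A small file-local helper that takes the `ptls.ConfigFunc` and applies the override would carry the comment once and keep both tests in step; the call sites then become `tlsserver.AssertTLS(t, r, fipsExpectedConfig(ptls.Secure))` and `tlsserver.AssertTLS(t, r, fipsExpectedConfig(ptls.Default))` (the helper needs `crypto/tls` in this file's imports if it is not already there). One point to confirm: the override mutates the struct returned by `ptls.Secure(nil)` / `ptls.Default(nil)`, which is only safe if those return a fresh config on every call rather than a shared one; if that is the case, a one-line comment on the helper saying so would save the next reader the same check.
```go
// fipsExpectedConfig returns the client TLS config the test expects to observe under FIPS.
// In fips mode the ciphers are nil, so we need to replace them with what we actually expect.
// Mutating the result is safe only if configFunc returns a fresh *tls.Config per call — confirm.
func fipsExpectedConfig(configFunc ptls.ConfigFunc) *tls.Config {
	c := configFunc(nil)
	c.CipherSuites = defaultCipherSuitesFIPS
	return c
}

// … unchanged: test setup …
		tlsserver.AssertTLS(t, r, fipsExpectedConfig(ptls.Secure)) // pinniped CLI uses ptls.Secure when talking to KAS
// … unchanged: response body …
```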
@@ -34,7 +34,7 @@ func TestSecureTLSPinnipedCLIToKAS_Parallel(t *testing.T) {
 _ = testlib.IntegrationEnv(t)
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Secure) // pinniped CLI uses ptls.Secure when talking to KAS
+ tlsserver.AssertTLS(t, r, ptls.Secure(nil)) // pinniped CLI uses ptls.Secure when talking to KAS
 w.Header().Set("content-type", "application/json")
 fmt.Fprint(w, `{"kind":"TokenCredentialRequest","apiVersion":"login.concierge.pinniped.dev/v1alpha1",`+
 `"status":{"credential":{"token":"some-fancy-token"}}}`)
@@ -65,7 +65,7 @@ func TestSecureTLSPinnipedCLIToSupervisor_Parallel(t *testing.T) {
 _ = testlib.IntegrationEnv(t)
 server := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- tlsserver.AssertTLS(t, r, ptls.Default) // pinniped CLI uses ptls.Default when talking to supervisor
+ tlsserver.AssertTLS(t, r, ptls.Default(nil)) // pinniped CLI uses ptls.Default when talking to supervisor
 w.Header().Set("content-type", "application/json")
 fmt.Fprint(w, `{"issuer":"https://not-a-good-issuer"}`)
 }), tlsserver.RecordTLSHello)