diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index abb13e0..d2bea7f 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
@@ -697,6 +697,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c
 diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c
 --- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen	2022-05-23 14:58:07.764281242 +0200
 +++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c	2022-05-23 15:10:29.327993616 +0200
+@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++# ifdef FIPS_MODULE
++    size_t rsabits = RSA_bits(prsactx->rsa);
++
++    if (rsabits < 2048) {
++        if (rsabits != 1024
++            && rsabits != 1280
++            && rsabits != 1536
++            && rsabits != 1792) {
++            ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
++            return 0;
++        }
++    }
++# endif
+ 
+     if (!ossl_prov_is_running())
+         return 0;
 @@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co
  {
      PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
diff --git a/openssl.spec b/openssl.spec
index e178aac..4da5cec 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -523,6 +523,8 @@ install -m644 %{SOURCE9} \
   Resolves: rhbz#2187429
 - Certificate policy check not enabled
   Resolves: rhbz#2187431
+- OpenSSL rsa_verify_recover key length checks in FIPS mode
+  Resolves: rhbz#2186819
 
 * Fri Mar 24 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-12
 - Change explicit FIPS indicator for RSA decryption to unapproved