And BTW I tried native PKCS#11 code with an OpenSSL
backend in FIPS mode. It failed to run all the system
tests with (too) small parameters as expected,
and not expected it failed to verify the .org signature
because I falled at the exact time a 1023 (1024 - 1)
RSA modulus was used for .org...
 My conclusion was the experiment was funny but
clearly it was not the best idea to do production
with a crypto in FIPS mode.
 BTW it was some years ago and I am sure that
at this time Fedora had no FIPS capable OpenSSL
(i.e I had to build an OpenSSL FIPS module from
sources, etc. Something which required a lot of
free time).

Another point:

Do you need something about PKCS#11 native mode?