diff --git a/src/ssl.c b/src/ssl.c
index e58936265..274ece9fc 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -15785,10 +15785,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
                 idx += (int)iov[i].iov_len;
             }
 
-           /* myBuffer may not initialized fully, but the sending length will be */
-            PRAGMA_GCC_IGNORE("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
+           /* myBuffer may not be initialized fully, but the span up to the
+            * sending length will be.
+            */
+            PRAGMA_GCC_DIAG_PUSH;
+            PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
             ret = wolfSSL_write(ssl, myBuffer, sending);
-            PRAGMA_GCC_POP;
+            PRAGMA_GCC_DIAG_POP;
 
             if (dynamic)
                 XFREE(myBuffer, ssl->heap, DYNAMIC_TYPE_WRITEV);
@@ -56166,8 +56169,10 @@ static int wolfssl_conf_value_cmp(const WOLFSSL_CONF_VALUE *a,
 unsigned long wolfSSL_LH_strhash(const char *str)
 {
     unsigned long ret = 0;
+#ifndef NO_MD5
     int strLen;
     byte digest[WC_MD5_DIGEST_SIZE];
+#endif
     WOLFSSL_ENTER("wolfSSL_LH_strhash");
 
     if (!str)
diff --git a/src/tls13.c b/src/tls13.c
index 8431dcc82..4d8444c2e 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -308,12 +308,21 @@ static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
     if (includeMsgs)
         hashOutSz = hashSz;
 
-    /* myBuffer may not initialized fully, but the sending length will be */
-    PRAGMA_GCC_IGNORE("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
+    /* hash buffer may not be fully initialized, but the sending length won't
+     * extend beyond the initialized span.
+     */
+    PRAGMA_GCC_DIAG_PUSH;
+    PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"");
+    #if defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label)
+    return wc_Tls13_HKDF_Expand_Label_fips(output, outputLen, secret, hashSz,
+                             protocol, protocolLen, label, labelLen,
+                             hash, hashOutSz, digestAlg);
+    #else
     return wc_Tls13_HKDF_Expand_Label(output, outputLen, secret, hashSz,
                              protocol, protocolLen, label, labelLen,
                              hash, hashOutSz, digestAlg);
-    PRAGMA_GCC_POP;
+    #endif
+    PRAGMA_GCC_DIAG_POP;
 }
 
 /* Convert TLS mac ID to a hash algorithm ID
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 6646d3049..699a37fb9 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -1136,11 +1136,13 @@ decouple library dependencies with standard string, memory and so on.
     #endif
 
     #if defined(__GNUC__) && __GNUC__ > 5
-        #define PRAGMA_GCC_IGNORE(str) _Pragma(str);
-        #define PRAGMA_GCC_POP         _Pragma("GCC diagnostic pop");
+        #define PRAGMA_GCC_DIAG_PUSH _Pragma("GCC diagnostic push")
+        #define PRAGMA_GCC(str) _Pragma(str)
+        #define PRAGMA_GCC_DIAG_POP _Pragma("GCC diagnostic pop")
     #else
-        #define PRAGMA_GCC_IGNORE(str)
-        #define PRAGMA_GCC_POP
+        #define PRAGMA_GCC_DIAG_PUSH
+        #define PRAGMA_GCC(str)
+        #define PRAGMA_GCC_DIAG_POP
     #endif
 
     #ifdef __clang__