Perhaps maintaining FIPS support as a patch set, much like how "features" such as acl, slp, openssl, etc are added to rsync, would be a suitable approach. This would keep the extra crap like FIPS out of LibreSSL then if someone "needs" FIPS mode they could apply the patch set, open their wallets, and seek validation.