I added christian.heimes to the nosy list; I hope that's OK
usedforsecurity flag is based on setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag. However this flag has no effect in OpenSSL 3.0.0.
[root@lambada ~]# /opt/opsware/bin/python3
Python 3.10.0 (default, Dec 8 2021, 17:05:23) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux-x86_64
Type "help", "copyright", "credits" or "license" for more information.
>>> import _hashlib
>>> _hashlib.get_fips_mode()
1
>>> import hashlib
>>> hashlib.md5(b'ceva', usedforsecurity=False).hexdigest()
'970c7956028654ac329b12c10b112058'
>>> hashlib.md5(b'ceva', usedforsecurity=True).hexdigest()
'970c7956028654ac329b12c10b112058'
The last call, when usedforsecurity is True, should fail because MD5 is not allowed in FIPS mode.
I will add a GitHub pull request for this issue.