RHEL-95182

gracefully disable SHA1 for speed


    • openssl-3.5.1-4.el10
    • rhel-security-crypto-diamonds
    • ssg_security
    • Crypto25-08, Crypto25-09

      What were you trying to do that didn't work?

      This originally comes from https://bugzilla.redhat.com/show_bug.cgi?id=2362307

      We are observing the issue on RHEL-10.1 now.

      openssl-3.5.0-2.el10


      I am getting "Error initializing keygen ctx for DSA-SHA1." when running openssl speed on a Fedora Rawhide machine with openssl-3.5.0-3.fc43.s390x. There is no such error in Fedora 42 with openssl-3.2.4-3.fc42.s390x.

      ...
      Doing dsa1024 signs ops for 1s: 2485 dsa1024 signature sign ops in 1.00s
      Doing dsa1024 verify ops for 1s: 3462 dsa1024 signature verify ops in 0.99s
      Doing dsa2048 keygen ops for 1s: 487 dsa2048 signature keygen ops in 1.00s
      Doing dsa2048 signs ops for 1s: 842 dsa2048 signature sign ops in 1.00s
      Doing dsa2048 verify ops for 1s: 1071 dsa2048 signature verify ops in 1.00s
      Error initializing keygen ctx for DSA-SHA1.
      000003FFA8778300:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (DSA-SHA1 : 104), Properties (<null>)
      version: 3.5.0
      built on: Tue Apr 15 00:00:00 2025 UTC
      options: bn(64,64)
      compiler: gcc fPIC -pthread -m64 -Wa,noexecstack -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=z13 -mtune=z14 -fasynchronous-unwind-tables -fstack-clash-protection -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Wno-complain-wrong-lang -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=z13 -mtune=z14 -fasynchronous-unwind-tables -fstack-clash-protection -Wa,noexecstack -Wa,-generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -DOPENSSL_USE_NODELETE -DB_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DZLIB -DNDEBUG -D_GNU_SOURCE -DPURIFY -DDEVRANDOM="\\"/dev/urandom
      "" -DOPENSSL_PEDANTIC_ZEROIZATION -DREDHAT_FIPS_VENDOR="
      "Red Hat Enterprise Linux OpenSSL FIPS Provider
      "" -DREDHAT_FIPS_VERSION="\\"3.5.0-20d8d2ad7758c946
      "" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/opensslcnf.config"
      CPUINFO: OPENSSL_s390xcap=stfle:0xfbfffffbfefdfe78:0xc5fee00000000000:0x7738300800000000:0x0:kimd:0xf0000000fc000000:0x4000000000000000:klmd:0xf0000000fc000000:0x0:km:0xf070383800002828:0x0:kmc:0xf070383800000000:0x1000000000000000:kmac:0xf070383800000000:0x0:kmctr:0xf070383800000000:0x0:kmo:0xf070383800000000:0x0:kmf:0xf070383800000000:0x0:prno:0x9000000000000000:0xa000:kma:0x8000383800000000:0x0:pcc:0xf070383800002828:0x0:kdsa:0x0:0x0
      ...

      The "openssl speed" finishes with a zero return code, so this is good, but the output contains an "error" string, and there are tests that check for the presence of words like "error" and set the test result to "fail". I have learned that disabling SHA1 is a downstream decision, but it would be nice if the disabling were more graceful, e.g. the output would omit the "Error initializing keygen" or similar messages.

      Reproducible: Always

      Steps to Reproduce:
      1. run "openssl speed"
      Actual Results:
      ...
      Doing dsa2048 verify ops for 1s: 1071 dsa2048 signature verify ops in 1.00s
      Error initializing keygen ctx for DSA-SHA1.
      000003FFA8778300:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (DSA-SHA1 : 104), Properties (<null>)

      Expected Results:
      perhaps print "Skipping DSA-SHA1" or even no output at all
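As an added example (not part of the report and not OpenSSL's own code), the following POSIX shell helpers triage "openssl speed" output the way a test harness should: the "Error initializing ... ctx for ALG." lines that appear when an algorithm is disabled by crypto-policy are counted as skips, while any other line containing "error" still fails the run. The sample output is constructed from the lines quoted in the report; the assumption that an ":unsupported:" fetch error immediately following such a line belongs to that skipped algorithm is mine.

```shell
#!/bin/sh
# Constructed sample, modelled on the openssl-3.5.0 "openssl speed" output in the report.
SAMPLE_SPEED_OUTPUT='Doing dsa2048 signs ops for 1s: 842 dsa2048 signature sign ops in 1.00s
Doing dsa2048 verify ops for 1s: 1071 dsa2048 signature verify ops in 1.00s
Error initializing keygen ctx for DSA-SHA1.
000003FFA8778300:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:375:Global default library context, Algorithm (DSA-SHA1 : 104), Properties (<null>)
Doing ecdsap256 signs ops for 1s: 4000 ecdsap256 signature sign ops in 1.00s'

# Print, one per line, the algorithms that "openssl speed" could not set up
# (the "Error initializing <op> ctx for <ALG>." lines). Reads speed output on stdin.
policy_skipped_algs() {
    sed -n 's/^Error initializing [a-z]* ctx for \([^.]*\)\.$/\1/p'
}

# Classify speed output read from stdin. Prints "skipped=N other=M" and exits 0
# when every error line is a policy skip (an "Error initializing" line, optionally
# followed by one ":error:...:unsupported:" fetch failure), 1 when any other
# line mentions "error" (case-insensitive, like the harness grep in the report).
classify_speed_output() {
    awk '
        /^Error initializing [a-z]+ ctx for / { skipped++; pending = 1; next }
        pending && /:error:/ && /:unsupported:/ { pending = 0; next }   # assumption: belongs to the skip above
        tolower($0) ~ /error/ { other++ }
        END { printf "skipped=%d other=%d\n", skipped + 0, other + 0; exit (other > 0) }
    '
}

# Usage: run against a real benchmark with
#   openssl speed 2>&1 | classify_speed_output
# or against the constructed sample:
printf '%s\n' "$SAMPLE_SPEED_OUTPUT" | classify_speed_output
```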

              pzacik@redhat.com Pavol Zacik
              ksrot@redhat.com Karel Srot
              Dmitry Belyavskiy Dmitry Belyavskiy
              Georgios Stavros Pantelakis Georgios Stavros Pantelakis