diff --git a/ci/fedora-41/Dockerfile b/ci/fedora-41/Dockerfile
index e98cd500bd..e3d737a562 100644
--- a/ci/fedora-41/Dockerfile
+++ b/ci/fedora-41/Dockerfile
@@ -2,7 +2,7 @@ FROM fedora:41
 
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20241115
+ENV DOCKERFILE_VERSION 20250203
 
 RUN dnf -y install \
     bison \
@@ -33,7 +33,3 @@ RUN dnf -y install \
   && dnf clean all && rm -rf /var/cache/dnf
 
 RUN pip3 install websockets junit2html
-
-# Required to allow validation of certificates with SHA1 signatures
-# See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
-RUN update-crypto-policies --set FEDORA40
diff --git a/testing/btest/bifs/x509_verify.zeek b/testing/btest/bifs/x509_verify.zeek
index cb59d3f4aa..59291bcae2 100644
--- a/testing/btest/bifs/x509_verify.zeek
+++ b/testing/btest/bifs/x509_verify.zeek
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
 
 # This is a hack: the results of OpenSSL 1.1's vs 1.0's
 # X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
index 4e5a20a2ce..6b5992f640 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/protocols/ssl
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
index f878ead3db..763c2fa24f 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
index c3a32da70d..835261172d 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
@@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
 # @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT