openssl: fix SHA1 and NO-ENFORCE-EMS interaction
Without the change, Options = RHNoEnforceEMSinFIPS
is misplaced when SHA-1 is enabled.
Which shouldn't really happen because it's FIPS-only, and FIPS users aren't supposed to enable SHA-1, but still
[evp_properties]
rh-allow-sha1-signatures = yes
Options = RHNoEnforceEMSinFIPS
Fedora doesn't seem to have such a bug, it's an issue introduced during backporting NO-ENFORCE-EMS to RHEL.