Does TW not have these because they are too strong or because they are too insecure? In the former case, I suggest to keep the tests intact, and use a distribution specific patch to disable those test. In the latter case, I suggest to make the tests fail, if the library was compiled with insecure methods enabled.

SSL 3 is deprecated: http://disablessl3.com/

So openSUSE disables it completely in openSSL 1.1.0 itself. openSSL 1.0.0 seems to still support SSL 3.

Note that the list of supported ciphers does not come from QCA, but openSSL itself.
So what you're suggesting is to make the QCA testsuite fail if openSSL was not compliled with specific flags, which seems unreasonable.

you probably what to check this with libressl as in most cases libressl should be excluded

I don't have libressl here, can you give it a try?

None free ops and ops->name. This function acts like a static one, but it's not. Can you see its usage? It ops needs to be alive outside class scope?

It looks like some kind of "optimization".
All instances of QCA_RSA_METHOD share the same RSA_METHOD (line 2738).

IMO this should be changed to be RAII-compatible and then moved into the QCA_RSA_METHOD class as static member. That's out-of-scope of this patch though.

I still don't understand the reference to openSUSE in the source code. Either the patch is specific to a distribution (then it should be made locally by the distribution), or it is applicable upstream. In that case, referencing a distribution is confusing. Simply mention that OpenSSL 1.1 does no longer support SSL 3, because it is deprecated.

Additionally, why not remove the code completely instead of commenting it? If you feel someone would have the need to enable them, add a proper if() around the code.

This is just for consistency, previous commits did the exact same: Comment out a couple of lines and add "Fedora does not support this".