diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2407bac4..e6e77c0d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,7 +52,11 @@ jobs:
         working-directory: ./wolfssl
         run: |
           ./autogen.sh
-          ./configure ${{ matrix.config }} ${{ matrix.sanitize }} --prefix=$GITHUB_WORKSPACE/build-dir
+          # Lower the WC_SIG_MIN_HASH_TYPE floor (default SHA-256 on master
+          # post-PR-10496) back to MD5 for test cases.
+          ./configure ${{ matrix.config }} ${{ matrix.sanitize }} \
+              CPPFLAGS="-DWC_SIG_MIN_HASH_TYPE=WC_HASH_TYPE_MD5" \
+              --prefix=$GITHUB_WORKSPACE/build-dir
           make -j
           make install
 
diff --git a/src/sign-verify/clu_dgst_setup.c b/src/sign-verify/clu_dgst_setup.c
index 40cfd21e..8989eff8 100644
--- a/src/sign-verify/clu_dgst_setup.c
+++ b/src/sign-verify/clu_dgst_setup.c
@@ -407,12 +407,18 @@ int wolfCLU_dgst_setup(int argc, char** argv)
 
     /* if not signing then do verification */
     if (ret == WOLFCLU_SUCCESS && signing == 0) {
-        if (wc_SignatureVerify(hashType, sigType, (const byte*)data, dataSz,
-                    (const byte*)sig, sigSz, key, keySz) == 0) {
+        int verifyRet = wc_SignatureVerify(hashType, sigType,
+                    (const byte*)data, dataSz, (const byte*)sig, sigSz,
+                    key, keySz);
+        if (verifyRet == 0) {
             WOLFCLU_LOG(WOLFCLU_L0, "Verify OK");
         }
         else {
             wolfCLU_LogError("Verification failure");
+            if (hashType == WC_HASH_TYPE_MD5 && verifyRet == BAD_FUNC_ARG) {
+                WOLFCLU_LOG(WOLFCLU_L0,
+                    "Note: MD5 below default min sig hash on wolfSSL > 5.9.1");
+            }
             ret = WOLFCLU_FATAL_ERROR;
         }
     }
@@ -446,11 +452,17 @@ int wolfCLU_dgst_setup(int argc, char** argv)
             }
         }
 
-        if (ret == WOLFCLU_SUCCESS &&
-                wc_SignatureGenerate(hashType, sigType, (const byte*)data,
-                    dataSz, sig, &sigSz, key, keySz, &rng) != 0) {
-            wolfCLU_LogError("Error getting signature");
-            ret = WOLFCLU_FATAL_ERROR;
+        if (ret == WOLFCLU_SUCCESS) {
+            int signRet = wc_SignatureGenerate(hashType, sigType,
+                    (const byte*)data, dataSz, sig, &sigSz, key, keySz, &rng);
+            if (signRet != 0) {
+                wolfCLU_LogError("Error getting signature");
+                if (hashType == WC_HASH_TYPE_MD5 && signRet == BAD_FUNC_ARG) {
+                    WOLFCLU_LOG(WOLFCLU_L0,
+                        "Note: MD5 below default min sig hash on wolfSSL > 5.9.1");
+                }
+                ret = WOLFCLU_FATAL_ERROR;
+            }
         }
 
         /* write out the signature */