All supported Tors (0.2.4+) require versions of openssl that can handle this. Now that our link certificates are RSA2048, this might actually help vs fingerprinting a little.
@@ -523,7 +523,8 @@ MOCK_IMPL(STATIC X509 *,
goto error;
if (!X509_set_pubkey(x509, pkey))
- if (!X509_sign(x509, sign_pkey, EVP_sha1()))
+
+ if (!X509_sign(x509, sign_pkey, EVP_sha256()))
goto done;