support multiple certfp methods simultaneously

sha1 is currently as broken as md5, and while it's impossible to guess when it'll become more broken, it'd be good to start the process of getting away from it. to do this in a way that's transparent to users, we need to get multiple fingerprints for the same connection into services, and then implement opportunistic migration there