Too late for 1.0.1 and too much work for 1.0.2 :) We fixed it in master (1.1) by saying "any supported digest" which isn't ideal, admittedly. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org