diff --git a/README.md b/README.md
index d6cae485b..bdd8747be 100644
--- a/README.md
+++ b/README.md
@@ -1044,7 +1044,7 @@ Optionally included keys are:
 * `DTLS-fingerprint`
 
 	Contains a string and is used to select the hashing function to generate the DTLS fingerprint
-	from the certificate. The default is SHA-1, or the same hashing function as was used by the
+	from the certificate. The default is SHA-256, or the same hashing function as was used by the
 	peer. Available are `SHA-1`, `SHA-224`, `SHA-256`, `SHA-384`, and `SHA-512`.
 
 * `SDES`
diff --git a/daemon/dtls.c b/daemon/dtls.c
index 685651d16..b080a9cc9 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -67,6 +67,11 @@ static unsigned int sha_512_func(unsigned char *, X509 *);
 
 
 static const struct dtls_hash_func hash_funcs[] = {
+	{
+		.name					= "sha-256",
+		.num_bytes				= 256 / 8,
+		.__func					= sha_256_func,
+	},
 	{
 		.name					= "sha-1",
 		.num_bytes				= 160 / 8,
@@ -77,11 +82,6 @@ static const struct dtls_hash_func hash_funcs[] = {
 		.num_bytes				= 224 / 8,
 		.__func					= sha_224_func,
 	},
-	{
-		.name					= "sha-256",
-		.num_bytes				= 256 / 8,
-		.__func					= sha_256_func,
-	},
 	{
 		.name					= "sha-384",
 		.num_bytes				= 384 / 8,
diff --git a/t/auto-daemon-tests-reorder.pl b/t/auto-daemon-tests-reorder.pl
index d659ee31e..ca612882a 100755
--- a/t/auto-daemon-tests-reorder.pl
+++ b/t/auto-daemon-tests-reorder.pl
@@ -3663,115 +3663,6 @@ SDP
 
 
 
-new_call;
-
-offer('fingerprint selection', {
-		ICE => 'remove',
-		flags => [],
-		'transport-protocol' => 'RTP/SAVP',
-		SDES => ['off'],
-	}, <<SDP);
-v=0
-o=Z 58440449 0 IN IP4 89.225.243.254
-s=Z
-c=IN IP4 89.225.243.254
-t=0 0
-m=audio 8000 RTP/AVP 0 101 8
-a=rtpmap:101 telephone-event/8000
-a=fmtp:101 0-16
-a=sendrecv
---------------------------------------
-v=0
-o=Z 58440449 0 IN IP4 89.225.243.254
-s=Z
-c=IN IP4 203.0.113.1
-t=0 0
-m=audio PORT RTP/SAVP 0 101 8
-a=rtpmap:0 PCMU/8000
-a=rtpmap:101 telephone-event/8000
-a=fmtp:101 0-16
-a=rtpmap:8 PCMA/8000
-a=sendrecv
-a=rtcp:PORT
-a=setup:actpass
-a=fingerprint:sha-1 FINGERPRINT
-SDP
-
-new_call;
-
-offer('fingerprint selection', {
-		ICE => 'remove',
-		flags => [],
-		'transport-protocol' => 'RTP/SAVP',
-		SDES => ['off'],
-		'DTLS-fingerprint' => 'SHA-256',
-	}, <<SDP);
-v=0
-o=Z 58440449 0 IN IP4 89.225.243.254
-s=Z
-c=IN IP4 89.225.243.254
-t=0 0
-m=audio 8000 RTP/AVP 0 101 8
-a=rtpmap:101 telephone-event/8000
-a=fmtp:101 0-16
-a=sendrecv
---------------------------------------
-v=0
-o=Z 58440449 0 IN IP4 89.225.243.254
-s=Z
-c=IN IP4 203.0.113.1
-t=0 0
-m=audio PORT RTP/SAVP 0 101 8
-a=rtpmap:0 PCMU/8000
-a=rtpmap:101 telephone-event/8000
-a=fmtp:101 0-16
-a=rtpmap:8 PCMA/8000
-a=sendrecv
-a=rtcp:PORT
-a=setup:actpass
-a=fingerprint:sha-256 FINGERPRINT256
-SDP
-
-new_call;
-
-offer('fingerprint selection', {
-		ICE => 'remove',
-		flags => [],
-		'transport-protocol' => 'RTP/SAVP',
-		SDES => ['off'],
-		'DTLS-fingerprint' => 'sha-256',
-	}, <<SDP);
-v=0
-o=Z 58440449 0 IN IP4 89.225.243.254
-s=Z
-c=IN IP4 89.225.243.254
-t=0 0
-m=audio 8000 RTP/AVP 0 101 8
-a=rtpmap:101 telephone-event/8000
-a=fmtp:101 0-16
-a=sendrecv
---------------------------------------
-v=0
-o=Z 58440449 0 IN IP4 89.225.243.254
-s=Z
-c=IN IP4 203.0.113.1
-t=0 0
-m=audio PORT RTP/SAVP 0 101 8
-a=rtpmap:0 PCMU/8000
-a=rtpmap:101 telephone-event/8000
-a=fmtp:101 0-16
-a=rtpmap:8 PCMA/8000
-a=sendrecv
-a=rtcp:PORT
-a=setup:actpass
-a=fingerprint:sha-256 FINGERPRINT256
-SDP
-
-
-
-
-
-
 # GH 1058
 
 new_call;
diff --git a/t/auto-daemon-tests.pl b/t/auto-daemon-tests.pl
index 0224ea56c..6334c59ba 100755
--- a/t/auto-daemon-tests.pl
+++ b/t/auto-daemon-tests.pl
@@ -3705,7 +3705,7 @@ a=rtpmap:8 PCMA/8000
 a=sendrecv
 a=rtcp:PORT
 a=setup:actpass
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 SDP
 
 new_call;
@@ -3715,7 +3715,7 @@ offer('fingerprint selection', {
 		flags => [],
 		'transport-protocol' => 'RTP/SAVP',
 		SDES => ['off'],
-		'DTLS-fingerprint' => 'SHA-256',
+		'DTLS-fingerprint' => 'SHA-1',
 	}, <<SDP);
 v=0
 o=Z 58440449 0 IN IP4 89.225.243.254
@@ -3740,7 +3740,7 @@ a=rtpmap:8 PCMA/8000
 a=sendrecv
 a=rtcp:PORT
 a=setup:actpass
-a=fingerprint:sha-256 FINGERPRINT256
+a=fingerprint:sha-1 FINGERPRINT
 SDP
 
 new_call;
@@ -3827,7 +3827,7 @@ a=crypto:10 F8_128_HMAC_SHA1_32 inline:CRYPTO128
 a=crypto:11 NULL_HMAC_SHA1_80 inline:CRYPTO128
 a=crypto:12 NULL_HMAC_SHA1_32 inline:CRYPTO128
 a=setup:actpass
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 SDP
 
 rtpe_req('delete', 'GH 1086', { 'from-tag' => ft() });
@@ -3872,7 +3872,7 @@ a=crypto:10 F8_128_HMAC_SHA1_32 inline:CRYPTO128
 a=crypto:11 NULL_HMAC_SHA1_80 inline:CRYPTO128
 a=crypto:12 NULL_HMAC_SHA1_32 inline:CRYPTO128
 a=setup:actpass
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 SDP
 
 
@@ -4451,7 +4451,7 @@ a=crypto:10 F8_128_HMAC_SHA1_32 inline:CRYPTO128
 a=crypto:11 NULL_HMAC_SHA1_80 inline:CRYPTO128
 a=crypto:12 NULL_HMAC_SHA1_32 inline:CRYPTO128
 a=setup:actpass
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 a=ptime:20
 SDP
 
@@ -4569,7 +4569,7 @@ a=crypto:10 F8_128_HMAC_SHA1_32 inline:CRYPTO128
 a=crypto:11 NULL_HMAC_SHA1_80 inline:CRYPTO128
 a=crypto:12 NULL_HMAC_SHA1_32 inline:CRYPTO128
 a=setup:actpass
-a=fingerprint:sha-1 FINGERPRINT
+a=fingerprint:sha-256 FINGERPRINT256
 a=ptime:20
 SDP