Hi,
I've seen the successor SHA-2 is already available as part of TclLib:
/usr/local/ns/lib/tcllib1.17/sha1/sha256c.tcl
My naive understanding is that you could basically do a find-replace of ns_sha1 with the TclLib version and there shouldn't be any major issues, except that you would have to ask all users to change there passwords...
You would also have to convert users.password and users.salt from character(40) to text or similar...
Maybe it would be interesting to create a ns_sha2 or ns_sha3 function with a C implementation for speed optimization...
Cheers
Frank