diff --git a/server/devpi_server/__init__.py b/server/devpi_server/__init__.py
index b8fc882cc..3a8106870 100644
--- a/server/devpi_server/__init__.py
+++ b/server/devpi_server/__init__.py
@@ -1 +1 @@
-__version__ = '6.9.2'
+__version__ = '6.9.3.dev0'
diff --git a/server/devpi_server/mirror.py b/server/devpi_server/mirror.py
index 684341387..162ec5241 100644
--- a/server/devpi_server/mirror.py
+++ b/server/devpi_server/mirror.py
@@ -174,7 +174,7 @@ def parse_index_v1_json(disturl, text):
         if 'sha256' in hashes:
             url = url.replace(fragment=f"sha256={hashes['sha256']}")
         elif hashes:
-            url = url.replace(fragment="=".join(next(hashes.items())))
+            url = url.replace(fragment="=".join(next(iter(hashes.items()))))
         # the BasenameMeta wrapping essentially does link validation
         result.append(BasenameMeta(Link(
             url,
diff --git a/server/news/996.bugfix b/server/news/996.bugfix
new file mode 100644
index 000000000..b8f174da7
--- /dev/null
+++ b/server/news/996.bugfix
@@ -0,0 +1 @@
+Fix #996: support hashes other than sha256 in application/vnd.pypi.simple.v1+json responses.
\ No newline at end of file
diff --git a/server/setup.py b/server/setup.py
index 1d04eb811..d17d86a53 100755
--- a/server/setup.py
+++ b/server/setup.py
@@ -57,7 +57,7 @@ def get_changelog():
         'Documentation': 'https://doc.devpi.net',
         'Source Code': 'https://github.com/devpi/devpi'
       },
-      version='6.9.2',
+      version='6.9.3.dev0',
       maintainer="Florian Schulze",
       maintainer_email="mail@pyfidelity.com",
       packages=[
diff --git a/server/test_devpi_server/test_mirror.py b/server/test_devpi_server/test_mirror.py
index 8cd327eb7..3307eba36 100644
--- a/server/test_devpi_server/test_mirror.py
+++ b/server/test_devpi_server/test_mirror.py
@@ -306,6 +306,27 @@ def test_parse_pep691_data(self, pypistage):
         assert link.yanked == "brownbag"
         assert link.require_python == ">=3.6"
 
+    def test_parse_pep691_md5(self, pypistage):
+        pypistage.mock_simple_projects(["devpi"])
+        pypistage.xom.httpget.mockresponse(
+            URL(pypistage.mirror_url).joinpath("devpi").asdir().url, code=200,
+            content_type="application/vnd.pypi.simple.v1+json",
+            text="""{
+                "meta": {"api-version": "1.0"},
+                "name": "devpi",
+                "files": [
+                    {
+                        "filename":"devpi-0.9.tar.gz",
+                        "hashes":{
+                            "md5":"dbb53f3699703c028483658773628452"},
+                        "requires-python":null,
+                        "url":"https://files.pythonhosted.org/packages/40/b6/45e98504eba446c8e97ce946760893072cdf3bf6cdd18c296394a55621f9/devpi-0.9.tar.gz",
+                        "yanked":false}]}""")
+        (link,) = pypistage.get_releaselinks("devpi")
+        assert link.hash_spec == 'md5=dbb53f3699703c028483658773628452'
+        assert link.yanked is None
+        assert link.require_python is None
+
     def test_parse_project_nomd5(self, pypistage):
         pypistage.mock_simple("pytest", pkgver="pytest-1.0.zip")
         links = pypistage.get_releaselinks("pytest")