Upgrade Hidden Service circuits to ntor using keys from the consensus
Split off #17178 (moved) and #19163 (moved), depends on both.
Single Onion Services build a one-hop path to the client-provided rendezvous point. This circuit is only secured using SSL and TAP, as the INTRODUCE cell only contains TAP onion keys.
But in most cases, the Single Onion Service can look up the ntor onion key for the rendezvous point in the consensus, and therefore it can upgrade to ntor. (If it doesn't find the rendezvous point in the consensus, it simply continues with TAP.)
My suggested solution is to replace the entire rendezvous point extend_info with the extend_info from the consensus (if found). We should do this for both clients and services, whether using Single Onion Services or Tor2web or not (to avoid introducing new fingerprinting mechanisms).