TLSv1.3 RSA-PSS allows truncated salt in violation of RFC8446
RFC8446 §4.2.3 says for the RSASSA-PSS algorithms:
"The length of the Salt MUST be equal to the length of the output of the digest algorithm."
However, in the case of a 1024-bit RSA key using RSA-PSS+SHA512, the maximum possible salt length is only 62 bytes.
I originally filed an OpenSSL issue for this not working in OpenSSL: https://github.com/openssl/openssl/issues/16167
But now after referring to RFC8446 I think the bug is that it does work in GnuTLS, and it shouldn't.
And I should fix my PSS padding code in OpenConnect too, to fail when there isn't enough room for
salt_len == hash_len instead of truncating the salt.
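
The 62-byte limit and the difference between failing and truncating, as an added example that is not part of the original report and is not OpenConnect, GnuTLS or OpenSSL code. It implements the EMSA-PSS encoding from RFC 8017 over a constructed message, with no RSA operation; the function names and the `strict` flag are assumptions made for illustration.

```python
import hashlib
import os

def mgf1(seed, length, hash_name):
    """MGF1 (RFC 8017 B.2.1) built on the signature hash."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def max_salt_len(mod_bits, hash_name):
    """emLen - hLen - 2, where emLen = ceil((modBits - 1) / 8)."""
    return (mod_bits + 6) // 8 - hashlib.new(hash_name).digest_size - 2

def pss_encode(msg, mod_bits, hash_name, strict=True):
    """EMSA-PSS-ENCODE. strict=True refuses keys with no room for
    salt_len == hash_len; strict=False truncates the salt instead."""
    h_len = hashlib.new(hash_name).digest_size
    em_bits = mod_bits - 1
    em_len = (em_bits + 7) // 8
    s_len = min(h_len, max_salt_len(mod_bits, hash_name))
    if s_len < 0 or (strict and s_len != h_len):
        raise ValueError("RSA key too small for salt_len == hash_len")
    salt = os.urandom(s_len)
    m_hash = hashlib.new(hash_name, msg).digest()
    h = hashlib.new(hash_name, bytes(8) + m_hash + salt).digest()
    db = bytes(em_len - s_len - h_len - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db), hash_name)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear bits above emBits
    return bytes(masked) + h + b"\xbc"

def recovered_salt_len(em, mod_bits, hash_name):
    """Verifier side: unmask DB and measure the salt the signer used."""
    h_len = hashlib.new(hash_name).digest_size
    masked, h = em[:-h_len - 1], em[-h_len - 1:-1]
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked), hash_name)))
    db[0] &= 0xFF >> (8 * len(em) - (mod_bits - 1))
    rest = db.lstrip(b"\x00")  # drop the zero padding PS
    if not rest or rest[0] != 1:
        raise ValueError("malformed PSS encoding")
    return len(rest) - 1

def tls13_salt_ok(em, mod_bits, hash_name):
    """RFC 8446 4.2.3: salt length must equal the digest length."""
    return recovered_salt_len(em, mod_bits, hash_name) == hashlib.new(hash_name).digest_size
```

`recovered_salt_len` only measures the salt; a full verifier would also recompute the hash over the message and compare it to the embedded one.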