GnuTLS ignores the signature algorithms order when selecting a certificate in TLSv1.3
Description of problem:
When a TLSv1.3 Client Hello includes just two signature schemes ecdsa_secp256r1_sha256 and rsa_pss_pss_sha256, in this order, it will select the rsassa-pss certificate.
Version of gnutls used:
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL):
manual compile on Fedora 27
How reproducible:
Steps to Reproduce:
- compile gnutls
cd gnutls/doc/credentials
./gnutls-http-serv --priority NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+DHE-PSK:+PSK -p 4433 -a -d 6
- using openssl 1.1.1-dev (358ffa05cd3a0)
openssl s_client -connect localhost:4433 -no_tls1_3 -sigalgs ecdsa_secp256r1_sha256:rsa_pss_pss_sha256 -CAfile gnutls/doc/credentials/x509/ca.pem
Actual results:
- Given server name[1]: localhost
No certificates found!
- Ephemeral EC Diffie-Hellman parameters
- Using curve: X25519
- Curve size: 256 bits
- Version: TLS1.3
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-PSS-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
Expected results:
- Given server name[1]: localhost
No certificates found!
- Ephemeral EC Diffie-Hellman parameters
- Using curve: X25519
- Curve size: 256 bits
- Version: TLS1.3
- Key Exchange: ECDHE-RSA
- Server Signature: ECDSA-SECP256R1-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
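The selection behaviour the report expects, as an added example that is not GnuTLS code and not part of the original report. It parses a constructed signature_algorithms body carrying the two schemes from the ClientHello above and picks a credential either in client preference order or in server load order. The names `cred` and `select_cred`, the credential list and its load order are assumptions made for illustration, and the server-order branch is only a contrast that reproduces the reported result, not a statement about GnuTLS internals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3). */
enum { ECDSA_SECP256R1_SHA256 = 0x0403, RSA_PSS_PSS_SHA256 = 0x0809 };

/* Hypothetical credential: a certificate and the one scheme its key signs with. */
struct cred { const char *name; uint16_t scheme; };

/* Constructed signature_algorithms body matching the report's ClientHello:
 * 2-byte list length, then ecdsa_secp256r1_sha256, rsa_pss_pss_sha256. */
static const uint8_t sample_ext[] = { 0x00, 0x04, 0x04, 0x03, 0x08, 0x09 };

/* Constructed server credentials; RSA-PSS loaded first (an assumption). */
static const struct cred sample_creds[] = {
    { "rsa-pss", RSA_PSS_PSS_SHA256 },
    { "ecdsa-p256", ECDSA_SECP256R1_SHA256 },
};

/* client_first != 0: walk the client's list in order and return the first
 * credential that matches. client_first == 0: walk the server's credentials
 * in load order instead. Returns NULL on a malformed list or no match. */
const struct cred *select_cred(const uint8_t *ext, size_t len,
                               const struct cred *c, size_t nc, int client_first)
{
    if (len < 4) return NULL;
    size_t list = ((size_t)ext[0] << 8) | ext[1];
    if (list % 2 != 0 || list != len - 2) return NULL; /* bad length prefix */
    size_t n = list / 2, outer = client_first ? n : nc, inner = client_first ? nc : n;
    for (size_t a = 0; a < outer; a++)
        for (size_t b = 0; b < inner; b++) {
            size_t i = client_first ? a : b, j = client_first ? b : a;
            uint16_t s = (uint16_t)((ext[2 + 2 * i] << 8) | ext[3 + 2 * i]);
            if (c[j].scheme == s) return &c[j];
        }
    return NULL;
}

int main(void)
{
    const struct cred *want = select_cred(sample_ext, sizeof sample_ext, sample_creds, 2, 1);
    const struct cred *got = select_cred(sample_ext, sizeof sample_ext, sample_creds, 2, 0);
    printf("client order: %s\nserver order: %s\n", want->name, got->name);
    return 0;
}
```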