[gnutls-devel] GnuTLS | Fix TLS 1.3 handshake (!2095)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Fri Apr 17 21:53:52 CEST 2026




Romain Tartière commented: https://gitlab.com/gnutls/gnutls/-/merge_requests/2095#note_3262702957


> Note that the `signature_algorithms_cert` extension is not widely used; none of OpenSSL, NSS, and GnuTLS handles the extension (OpenSSL does send it, but doesn't recognize it).

Ah…  That is the kind of basic thing I am not aware of. I may have followed tracks that don't make sense during my investigation, and I also feel like I am mixing up a lot of stuff, so all this is quite tough for me :sweat:

> According to your comment on #1842, the server wants either `ecdsa_*`, `ed25519`, `ed448`, or `rsa_pss*`. If the server is indicating `rsa_pss_rsae_*` (not `rsa_pss_pss_*`), the client should be able to present the (non-restricted) RSA certificates. Could you check that, maybe using wireshark (see https://wiki.wireshark.org/TLS)?

If I am looking at the right thing, I see both:

![screenshot-2026-04-17T09_51_02-1000](/uploads/824ea6345116cc9a975a7eacdc522578/screenshot-2026-04-17T09_51_02-1000.png){width=607 height=600}


In order to make it easier for anybody to test, I set up a public-facing riemann server that can be used against the client to reproduce the issue. [Also, all certificates are available here](https://agrajag.blogreen.org/~romain/riemann) in case there is an issue with them.  If it can help, this should put you on track:

```
# Build the riemann C client from source
git clone https://git.madhouse-project.org/algernon/riemann-c-client/
cd riemann-c-client
autoreconf -is
mkdir build
cd build
../configure
make
# Fetch the CA certificate and the client certificate/key used for the test
curl https://agrajag.blogreen.org/~romain/riemann/ca.crt > /tmp/ca.crt
curl https://agrajag.blogreen.org/~romain/riemann/gnutls-client.crt > /tmp/gnutls-client.crt
curl https://agrajag.blogreen.org/~romain/riemann/gnutls-client.key > /tmp/gnutls-client.key
# Send one event over TLS with client authentication to the public test server
./src/riemann-client send -D hello --tls -o cafile=/tmp/ca.crt -o certfile=/tmp/gnutls-client.crt -o keyfile=/tmp/gnutls-client.key agrajag.blogreen.org 5555
```

No output and an exit code of 0 means it is fine.  Otherwise, you will probably have a return code of 1 and a message "Error when asking for a message receipt: Protocol error".

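To check, without wireshark, what the quoted comment asks (whether the server's CertificateRequest advertises `rsa_pss_rsae_*` rather than only `rsa_pss_pss_*`), here is an added Python example that is not part of this merge request or of GnuTLS: it decodes the extensions of a TLS 1.3 CertificateRequest body, names the listed signature schemes, and reports whether a certificate with a plain `rsaEncryption` key could satisfy them. The CertificateRequest bytes below are constructed for the example, not captured from the riemann server.

```python
import struct

# SignatureScheme code points (RFC 8446 section 4.2.3), subset sufficient here
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384", 0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448", 0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}
SIGNATURE_ALGORITHMS, SIGNATURE_ALGORITHMS_CERT = 13, 50  # extension types

def certificate_request_extensions(body: bytes) -> dict[int, bytes]:
    """Split a TLS 1.3 CertificateRequest body (RFC 8446 section 4.3.2):
    certificate_request_context<0..255> followed by extensions<2..2^16-1>."""
    pos = 1 + body[0]                       # skip the request context
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end = pos + 2, pos + 2 + ext_len
    if end > len(body):
        raise ValueError("extensions run past end of CertificateRequest")
    exts = {}
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + length]
        pos += length
    return exts

def parse_signature_schemes(ext_data: bytes) -> list[str]:
    """Decode a signature_algorithms / signature_algorithms_cert body:
    a 2-byte length followed by 2-byte SignatureScheme code points."""
    (list_len,) = struct.unpack("!H", ext_data[:2])
    codes = ext_data[2:]
    if list_len != len(codes) or list_len % 2:
        raise ValueError("malformed supported_signature_algorithms list")
    return [SIGNATURE_SCHEMES.get(c, "unknown(0x%04x)" % c)
            for c in struct.unpack("!%dH" % (list_len // 2), codes)]

def plain_rsa_cert_accepted(schemes: list[str]) -> bool:
    """A certificate with an rsaEncryption key can satisfy rsa_pss_rsae_*;
    rsa_pss_pss_* requires an RSASSA-PSS key, so only the former counts."""
    return any(s.startswith("rsa_pss_rsae_") for s in schemes)

# Constructed sample: empty context, then signature_algorithms(13) listing
# ecdsa_secp256r1_sha256, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_pss_sha256
SAMPLE_CERT_REQUEST = bytes([0x00]) + struct.pack("!H", 4 + 12) + \
    struct.pack("!HH", SIGNATURE_ALGORITHMS, 12) + struct.pack("!H", 10) + \
    bytes.fromhex("0403 0807 0808 0804 0809")

if __name__ == "__main__":
    exts = certificate_request_extensions(SAMPLE_CERT_REQUEST)
    print(parse_signature_schemes(exts[SIGNATURE_ALGORITHMS]))
```

Feed it the handshake-message body of the server's CertificateRequest (the bytes after the 4-byte handshake header, once the record is decrypted) to see exactly which schemes the server accepts for the client certificate.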



