}
if hello.vers >= VersionTLS12 {
- hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms
+ // The non-BoringCrypto behavior here is to use the full set of
+ // signature algorithms, even if TLS 1.3 is not being negotiated. It's
+ // debatable if this is correct or not, because on one hand it allows
+ // RSA-PSS as a client with TLS 1.2, but on the other hand we can't
+ // predict what the server will pick when we do advertise TLS 1.3, so we
+ // might end up with TLS 1.2 + RSA-PSS anyway. Anyway, it will go away soon.
+ hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms(VersionTLS13)
+ }
+ if testingOnlyForceClientHelloSignatureAlgorithms != nil {
+ hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
}
var params ecdheParameters
if !c.config.InsecureSkipVerify {
opts := x509.VerifyOptions{
+ IsBoring: isBoringCertificate,
+
Roots: c.config.RootCAs,
CurrentTime: c.config.time(),
DNSName: c.config.ServerName,