UnsupportedSignatureAlgorithmForPublicKeyContext when connecting to wiki.dn42

[lilydjwg]

Checklist

• I've searched the issue tracker for similar bugs.

Describe the bug
I tried to send a request to wiki.dn42 with reqwest, which recently switched to use rustls by default. And I got back an error:

Error: Custom { kind: InvalidData, error: InvalidCertificate(UnsupportedSignatureAlgorithmForPublicKeyContext { signature_algorithm_id: [6, 8, 42, 134, 72, 206, 61, 4, 3, 4], public_key_algorithm_id: [6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34] }) }

Later it turned out that I can reproduce the issue without using reqwest.

To Reproduce
Steps to reproduce the behavior:

1. Connect to the dn42 network, and get its root CA certificate working. (I've only seen this error with wiki.dn42; it works fine with e.g. github.com.)
2. Run the example program below
3. See error

I don't know a lot of rustls or TLS, and this program is written by an LLM but verified by me:

use std::io::{stdout, Read, Write};
use std::net::TcpStream;
use std::sync::Arc;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // let hostname = "github.com";
    let hostname = "wiki.dn42";
    let port = 443;

    // 1. Load the system's native root certificates
    let mut root_store = rustls::RootCertStore::empty();
    let native_certs = rustls_native_certs::load_native_certs().unwrap();
    
    for cert in native_certs {
        root_store.add(cert).ok(); // Add valid certs, ignore errors
    }

    // 2. Create the Client Configuration
    let mut config = rustls::ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth();
    config.key_log = Arc::new(rustls::KeyLogFile::new());
    let arc_config = Arc::new(config);

    // 3. Connect via TCP
    let mut sock = TcpStream::connect((hostname, port))?;

    // 4. Wrap TCP stream in TLS
    let server_name = hostname.try_into()?;
    let mut conn = rustls::ClientConnection::new(arc_config, server_name)?;
    
    // rustls::Stream handles the encryption logic over the socket
    let mut tls_stream = rustls::Stream::new(&mut conn, &mut sock);

    // 5. Send a simple HTTP GET request
    let request = format!(
        "GET / HTTP/1.1\r\n\
         Host: {}\r\n\
         Connection: close\r\n\
         User-Agent: rustls-client\r\n\
         \r\n",
        hostname
    );
    tls_stream.write_all(request.as_bytes())?;

    // 6. Read and print the response
    let mut plaintext = Vec::new();
    tls_stream.read_to_end(&mut plaintext)?;
    
    stdout().write_all(&plaintext)?;

    Ok(())
}

Applicable Version(s)
Arch Linux x86_64, with rustls 0.23.35.

Expected behavior
No error like other programs e.g. curl, wget, Firefox and Chromium.

Additional context

Packet capture (with keys):
wikidn42.zip

I originally reported this to reqwest: seanmonstar/reqwest#2925.

[ctz]

Hello, thanks for the detailed report.

Unfortunately this server is misconfigured. The client and server negotiate TLS1.3, and the client offers SignatureScheme codepoints 0x0403, 0x0503, 0x0603 which are ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384 and ecdsa_secp521r1_sha512 respectively. But then the server's certificate chain requires ECDSA with SECP384r1 and SHA512. This is not a defined algorithm in TLS1.3.

Therefore, either this server should change its certificate chain to be compatible with TLS1.3, or it must not negotiate TLS1.3 with any client. This server will likely work with rustls if TLS1.2 is negotiated, but naturally disabling TLS1.3 on the client side is a nuclear option.

Going to close this, as I believe it's not actionable on our side.

[ctz]

Reopening this as I think we're still discussing this.

[djc]

So:

• The client offers 3 signature schemes, but the server decides to send a certificate that does not match any of these. That seems like a problem with the server. I'm pretty sure rustls servers would not do this.

• The server negotiates TLS 1.3 with a certificate chain that requires ecdsa_secp384r1_sha512. Apparently rustls-as-the-server might do this too and fixing it in the general case would be hard because you'd need to do path building in the server, but maybe rustls servers should restrict themselves to versions that support the end entity certificate's signature scheme?

• Even if we added support for ecdsa_secp384r1_sha512, rustls clients could not advertise support for it in TLS 1.3 since there is no defined SignatureScheme. Even our 1.2 signature support is defined via SignatureScheme, so I think adding support for this might be non-trivial (and thus, probably not worth it?).

[ctz]

http://crates.io/crates/rustls/0.23.36 released which should fix this.

[lilydjwg]

Yes, it's fixed. Thanks!