5

I know it is possible to use RSASSA-PKCS1-v1_5 with client certificates in TLS 1.3. But what about the other way around: using RSASSA-PSS with client certificates in TLS 1.2?

Is it possible to use RSASSA-PSS signed certificates with TLS 1.2 at all? Do I have to fall back to RSASSA-PKCS1-v1_5 during the handshake?

I searched through RFC 5246 but was not able to find anything that answers my questions.

phips

1 Answer

2

If the client announces in the Signature Algorithms extension that it supports one of the RSA-PSS schemes:

rsa_pss_rsae_sha256(0x0804),
rsa_pss_rsae_sha384(0x0805),
rsa_pss_rsae_sha512(0x0806),

then the server may choose this even in TLS 1.2. => Yes, it's possible to use RSA-PSS with TLS 1.2.

The main difference, besides the different pre-encoding, is that RSA-PSS in TLS 1.2 needs the handshake message content instead of the constructed data (containing "TLS 1.3, server CertificateVerify").

If the client does not announce these RSA-PSS signature algorithms, the server must not use these.

bebbo
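As an added illustration of the negotiation the answer describes (this is example code, not from the question, the answer, or any TLS library): the server side parses the signature_algorithms extension from the ClientHello, picks an RSA-PSS scheme only if the peer listed one of the `rsa_pss_rsae_*` code points, and otherwise falls back to PKCS#1 v1.5. For client certificates the same selection runs in the other direction, because in TLS 1.2 the server's CertificateRequest carries its own `supported_signature_algorithms` list (RFC 5246 section 7.4.4) and the client chooses from that. The last two helpers show the difference the answer points out: in TLS 1.2 the CertificateVerify signature covers the raw concatenated handshake messages, whereas TLS 1.3 signs a constructed buffer of 64 spaces, a context string, a zero byte and the transcript hash. The extension bytes below are constructed sample input; the function names are this example's own.

```python
import struct
from typing import List, Sequence

# SignatureScheme code points (RFC 8446 section 4.2.3). The PKCS#1 values
# are the TLS 1.2 HashAlgorithm||SignatureAlgorithm pairs from RFC 5246.
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
RSA_PKCS1_SHA512 = 0x0601
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
RSA_PSS_RSAE_SHA512 = 0x0806

SCHEME_NAMES = {
    RSA_PKCS1_SHA256: "rsa_pkcs1_sha256",
    RSA_PKCS1_SHA384: "rsa_pkcs1_sha384",
    RSA_PKCS1_SHA512: "rsa_pkcs1_sha512",
    RSA_PSS_RSAE_SHA256: "rsa_pss_rsae_sha256",
    RSA_PSS_RSAE_SHA384: "rsa_pss_rsae_sha384",
    RSA_PSS_RSAE_SHA512: "rsa_pss_rsae_sha512",
}

# Local preference order for an RSA key: PSS first, PKCS#1 v1.5 as fallback.
RSA_PREFERENCES = (RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512,
                   RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512)

# Constructed sample extension bodies (length prefix + 2-byte code points).
SIGALGS_WITH_PSS = b"\x00\x06" + b"\x08\x04" + b"\x04\x01" + b"\x02\x01"
SIGALGS_PKCS1_ONLY = b"\x00\x04" + b"\x04\x01" + b"\x05\x01"


def parse_signature_algorithms(ext_body: bytes) -> List[int]:
    """Parse a signature_algorithms extension body (RFC 5246 section 7.4.1.4.1):
    a 2-byte length followed by that many bytes of 2-byte code points."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length % 2 or 2 + length != len(ext_body):
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", ext_body[i:i + 2])[0]
            for i in range(2, 2 + length, 2)]


def choose_rsa_scheme(peer_schemes: Sequence[int],
                      local_prefs: Sequence[int] = RSA_PREFERENCES) -> int:
    """Return the first locally preferred scheme the peer announced.
    A peer that lists 0x0804..0x0806 gets RSA-PSS even in TLS 1.2; one that
    does not is served PKCS#1 v1.5. A scheme the peer never announced is
    never selected."""
    announced = set(peer_schemes)
    for scheme in local_prefs:
        if scheme in announced:
            return scheme
    raise ValueError("no mutually supported RSA signature scheme")


def check_received_scheme(offered: Sequence[int], used: int) -> bool:
    """Verifier-side check: a CertificateVerify or ServerKeyExchange signed
    with a scheme we never offered must be rejected."""
    return used in set(offered)


def tls12_certificate_verify_input(handshake_messages: bytes) -> bytes:
    """TLS 1.2 (RFC 5246 section 7.4.8): the signature is computed over the
    concatenation of all handshake messages exchanged so far; the hash named
    by the scheme is applied inside the signature primitive (PSS or v1.5)."""
    return handshake_messages


def tls13_certificate_verify_input(transcript_hash: bytes, server_side: bool) -> bytes:
    """TLS 1.3 (RFC 8446 section 4.4.3): 64 bytes of 0x20, a context string,
    a single zero byte, then the transcript hash."""
    context = (b"TLS 1.3, server CertificateVerify" if server_side
               else b"TLS 1.3, client CertificateVerify")
    return b"\x20" * 64 + context + b"\x00" + transcript_hash


def negotiate(ext_body: bytes) -> str:
    """Parse the peer's extension and return the name of the chosen scheme."""
    return SCHEME_NAMES[choose_rsa_scheme(parse_signature_algorithms(ext_body))]


if __name__ == "__main__":
    print("peer lists PSS      ->", negotiate(SIGALGS_WITH_PSS))
    print("peer lists v1.5 only ->", negotiate(SIGALGS_PKCS1_ONLY))
    print("TLS 1.3 signed buffer length:",
          len(tls13_certificate_verify_input(b"\x00" * 32, server_side=True)))
```

Run directly, the first ClientHello sample (which lists `0x0804`) negotiates `rsa_pss_rsae_sha256`, the second falls back to `rsa_pkcs1_sha256`, and a peer that offers only ECDSA schemes raises because no RSA scheme is shared. `check_received_scheme` is the mirror image of the answer's "must not use" rule on the receiving side.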