using fetch - error trying to connect: peer misbehaved: received unadvertised sig scheme RSA_PKCS1_SHA1

[joebartels-tw]

When I try to use fetch to get data from 3rd party API I run into this error:

DEBUG RS - reqwest::connect:561 - starting new connection: https://some-3rd-partywebsite.com
DEBUG RS - rustls::client::hs:89 - No cached session for DNSNameRef("some-3rd-partywebsite.com")
DEBUG RS - rustls::client::hs:211 - Not resuming any session
DEBUG RS - rustls::client::hs:430 - ALPN protocol is None
DEBUG RS - rustls::client::hs:598 - Using ciphersuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
DEBUG RS - rustls::client::tls12:209 - ECDHE curve is ECParameters { curve_type: NamedCurve, named_group: secp256r1 }
DEBUG RS - rustls::client::tls12:508 - Server DNS name is DNSName("some-3rd-partywebsite.com")
Sending fatal alert IllegalParameter
DEBUG RS - deno::proc_state:501 - specifier: deno:ext/fetch/26_fetch.js maybe_referrer: <none> is_dynamic: false

error trying to connect: peer misbehaved: received unadvertised sig scheme RSA_PKCS1_SHA1
    at async mainFetch (deno:ext/fetch/26_fetch.js:280:14)

It's just a simple fetch, and with the flag --unsafely-ignore-certificate-errors, the error message is slightly different:

error trying to connect: tls handshake eof
    at async mainFetch (deno:ext/fetch/26_fetch.js:280:14)

I looked into it a bit and found these seemingly related issues but not 100% sure how related...
#11482
and #6427

I've connected to this API using many other ways (Postman, curl, a Java client, even Google App Scripts) without issues.

[joebartels-tw]

using curl -v showing the TLS information:

* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol

[bnoordhuis]

This is unfortunately an issue with the server you're talking to, it's misconfigured or outdated.

rustls doesn't support RSA_PKCS1_SHA1 because it's insecure. Most of the internet moved to SHA-256 or stronger years ago.

Your curl is probably linked to openssl, which is a bit more forgiving, but I expect even they will eventually phase out support.

[joebartels-tw]

Thanks for explaining! I did some more digging and Chrome gives a nice description wrt their certificate that further validates what you've already said:

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_256_CBC with HMAC-SHA1.
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.
The server signature uses SHA-1, which is obsolete. Enable a SHA-2 signature algorithm instead. (Note this is different from the signature in the certificate.)

I appreciate the security but, I still wish there was a flag or another way to talk to this server via deno.. I'll notify the vendor and hopefully they'll be responsive to the issue. 🙇