Update code base on comments

Change run title
Remove dedicate ciphersuite and sig alg
Update test cases

Change-Id: Ic0e9adf56062e744f7bafbc6bb562baeaafd89f0
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
diff --git a/tests/opt-testcases/tls13-compat.sh b/tests/opt-testcases/tls13-compat.sh
index 59f5fff..4c1dbe2 100755
--- a/tests/opt-testcases/tls13-compat.sh
+++ b/tests/opt-testcases/tls13-compat.sh
@@ -20,7 +20,7 @@
 # Purpose
 #
 # List TLS1.3 compat test cases. They are generated by
-# `./tests/scripts/generate_tls13_compat_tests.py -a -o tests/opt-testcases/tls13-compat.sh`.
+# `generate_tls13_compat_tests.py -a -o tls13-compat.sh`.
 #
 # PLEASE DO NOT EDIT THIS FILE. IF NEEDED, PLEASE MODIFY `generate_tls13_compat_tests.py`
 # AND REGENERATE THIS FILE.
@@ -3470,21 +3470,24 @@
          0 \
          -c "HTTP/1.0 200 OK" \
          -c "server hello, chosen ciphersuite: ( 1305 ) - TLS1-3-AES-128-CCM-8-SHA256" \
+         -c "Certificate Verify: Signature algorithm ( 0804 )" \
          -c "NamedGroup: x448 ( 1e )" \
          -c "Verifying peer X.509 certificate... ok" \
+         -C "received HelloRetryRequest message"
 
 requires_openssl_tls1_3
 requires_config_enabled MBEDTLS_DEBUG_C
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp256r1 -> secp384r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3495,13 +3498,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp256r1 -> secp384r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3510,13 +3514,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp256r1 -> secp521r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3527,13 +3532,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp256r1 -> secp521r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3542,13 +3548,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp256r1 -> x25519" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3559,13 +3566,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp256r1 -> x25519" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3574,13 +3582,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp256r1 -> x448" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3591,13 +3600,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,secp256r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp256r1,secp384r1,secp384r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp256r1 -> x448" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp256r1,secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp256r1" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3606,13 +3616,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp384r1 -> secp256r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3623,13 +3634,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp384r1 -> secp256r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3638,13 +3650,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp384r1 -> secp521r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3655,13 +3668,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp384r1 -> secp521r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3670,13 +3684,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp384r1 -> x25519" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3687,13 +3702,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp384r1 -> x25519" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3702,13 +3718,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp384r1 -> x448" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3719,13 +3736,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,secp384r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp384r1,secp256r1,secp521r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp384r1 -> x448" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp384r1" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3734,13 +3752,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp521r1 -> secp256r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3751,13 +3770,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp521r1 -> secp256r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3766,13 +3786,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp521r1 -> secp384r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3783,13 +3804,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp521r1 -> secp384r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3798,13 +3820,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp521r1 -> x25519" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3815,13 +3838,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp521r1 -> x25519" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3830,13 +3854,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR secp521r1 -> x448" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3847,13 +3872,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,secp521r1,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=secp521r1,secp384r1,secp256r1,secp384r1,x25519,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR secp521r1 -> x448" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=secp521r1,secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: secp521r1" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3862,13 +3888,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x25519 -> secp256r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3879,13 +3906,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x25519 -> secp256r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3894,13 +3922,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x25519 -> secp384r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3911,13 +3940,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x25519 -> secp384r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3926,13 +3956,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x25519 -> secp521r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3943,13 +3974,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x25519 -> secp521r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3958,13 +3990,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x448,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x25519 -> x448" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X448 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3975,13 +4008,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x448,x25519,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X448:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x25519,secp384r1,secp256r1,secp384r1,secp521r1,x448" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x25519 -> x448" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X448:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x25519,secp384r1,x448" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x25519" \
+         -c "NamedGroup: x448" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -3990,13 +4024,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp256r1,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x448 -> secp256r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4007,13 +4042,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp256r1,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP256R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x448 -> secp256r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP256R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1,secp256r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: secp256r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4022,13 +4058,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp384r1,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x448 -> secp384r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-384 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4039,13 +4076,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp384r1,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP384R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x448 -> secp384r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP384R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: secp384r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4054,13 +4092,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,secp521r1,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x448 -> secp521r1" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups P-521 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4071,13 +4110,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,secp521r1,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-SECP521R1:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x448 -> secp521r1" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-SECP521R1:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1,secp521r1" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: secp521r1" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4086,13 +4126,14 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->O: TLS_AES_256_GCM_SHA384,x25519,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -accept $SRV_PORT -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp384r1_sha384 -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->O: HRR x448 -> x25519" \
+         "$O_NEXT_SRV_NO_CERT -cert data_files/ecdsa_secp256r1.crt -key data_files/ecdsa_secp256r1.key -cert data_files/ecdsa_secp384r1.crt -key data_files/ecdsa_secp384r1.key -cert data_files/ecdsa_secp521r1.crt -key data_files/ecdsa_secp521r1.key -cert data_files/server2-sha256.crt -key data_files/server2.key -accept $SRV_PORT -groups X25519 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 ok" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
 
@@ -4103,12 +4144,13 @@
 requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
-run_test "TLS 1.3 m->G: TLS_AES_256_GCM_SHA384,x25519,x448,ecdsa_secp384r1_sha384, force hrr" \
-         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --priority=NONE:+AEAD:+AES-256-GCM:+GROUP-X25519:+SHA384:+SIGN-ECDSA-SECP384R1-SHA384:+VERS-TLS1.3:%NO_TICKETS" \
-         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt force_ciphersuite=TLS1-3-AES-256-GCM-SHA384 sig_algs=ecdsa_secp384r1_sha384 curves=x448,secp384r1,secp256r1,secp384r1,secp521r1,x25519" \
+requires_config_enabled MBEDTLS_X509_RSASSA_PSS_SUPPORT
+run_test "TLS 1.3 m->G: HRR x448 -> x25519" \
+         "$G_NEXT_SRV_NO_CERT --http --disable-client-cert --debug=4 --x509certfile data_files/ecdsa_secp256r1.crt --x509keyfile data_files/ecdsa_secp256r1.key --x509certfile data_files/ecdsa_secp384r1.crt --x509keyfile data_files/ecdsa_secp384r1.key --x509certfile data_files/ecdsa_secp521r1.crt --x509keyfile data_files/ecdsa_secp521r1.key --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --priority=NONE:+CIPHER-ALL:+GROUP-X25519:+MAC-ALL:+SIGN-ALL:+VERS-TLS1.3:%NO_TICKETS" \
+         "$P_CLI server_addr=127.0.0.1 server_port=$SRV_PORT debug_level=4 force_version=tls13 ca_file=data_files/test-ca2.crt curves=x448,secp384r1,x25519" \
          0 \
          -c "HTTP/1.0 200 OK" \
-         -c "server hello, chosen ciphersuite: ( 1302 ) - TLS1-3-AES-256-GCM-SHA384" \
-         -c "Certificate Verify: Signature algorithm ( 0503 )" \
+         -c "NamedGroup: x448" \
+         -c "NamedGroup: x25519" \
          -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
          -c "Verifying peer X.509 certificate... ok"
diff --git a/tests/scripts/generate_tls13_compat_tests.py b/tests/scripts/generate_tls13_compat_tests.py
index 2656f1d..4c0ee35 100755
--- a/tests/scripts/generate_tls13_compat_tests.py
+++ b/tests/scripts/generate_tls13_compat_tests.py
@@ -83,11 +83,12 @@
     Base class for generate server/client command.
     """
     # pylint: disable=too-many-arguments
-    def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None,
+    def __init__(self, ciphersuite=None, signature_algorithm=None, named_group=None, peer_named_group=None,
                  is_hrr=False, cert_sig_alg=None, compat_mode=True):
         self._ciphers = []
         self._sig_algs = []
         self._named_groups = []
+        self._peer_named_group = peer_named_group
         self._is_hrr = is_hrr
         self._cert_sig_algs = []
         if ciphersuite:
@@ -154,15 +155,16 @@
             ret += ['-cert {cert} -key {key}'.format(cert=cert, key=key)]
         ret += ['-accept $SRV_PORT']
 
-        if self._ciphers:
-            ciphersuites = ':'.join(self._ciphers)
-            ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites)]
+        if not self._is_hrr:
+            if self._ciphers:
+                ciphersuites = ':'.join(self._ciphers)
+                ret += ["-ciphersuites {ciphersuites}".format(ciphersuites=ciphersuites)]
 
-        if self._sig_algs:
-            signature_algorithms = set(self._sig_algs + self._cert_sig_algs)
-            signature_algorithms = ':'.join(signature_algorithms)
-            ret += ["-sigalgs {signature_algorithms}".format(
-                signature_algorithms=signature_algorithms)]
+            if self._sig_algs:
+                signature_algorithms = set(self._sig_algs + self._cert_sig_algs)
+                signature_algorithms = ':'.join(signature_algorithms)
+                ret += ["-sigalgs {signature_algorithms}".format(
+                    signature_algorithms=signature_algorithms)]
 
         if self._named_groups:
             named_groups = ':'.join(
@@ -248,18 +250,22 @@
                     if i not in priority_string_list:
                         yield i
 
-        if self._ciphers:
-            priority_string_list.extend(update_priority_string_list(
-                self._ciphers, self.CIPHER_SUITE))
+        if self._is_hrr:
+            priority_string_list.extend(
+                        ['CIPHER-ALL', 'SIGN-ALL', 'MAC-ALL'])
         else:
-            priority_string_list.append('CIPHER-ALL')
+            if self._ciphers:
+                priority_string_list.extend(update_priority_string_list(
+                    self._ciphers, self.CIPHER_SUITE))
+            else:
+                priority_string_list.append('CIPHER-ALL')
 
-        if self._sig_algs:
-            signature_algorithms = set(self._sig_algs + self._cert_sig_algs)
-            priority_string_list.extend(update_priority_string_list(
-                signature_algorithms, self.SIGNATURE_ALGORITHM))
-        else:
-            priority_string_list.append('SIGN-ALL')
+            if self._sig_algs:
+                signature_algorithms = set(self._sig_algs + self._cert_sig_algs)
+                priority_string_list.extend(update_priority_string_list(
+                    signature_algorithms, self.SIGNATURE_ALGORITHM))
+            else:
+                priority_string_list.append('SIGN-ALL')
 
 
         if self._named_groups:
@@ -303,23 +309,25 @@
         ret += ['ca_file={cafile}'.format(
             cafile=CERTIFICATES[self._cert_sig_algs[0]].cafile)]
 
-        if self._ciphers:
-            ciphers = ','.join(
-                map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers))
-            ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)]
+        if not self._is_hrr:
+            if self._ciphers:
+                ciphers = ','.join(
+                    map(lambda cipher: self.CIPHER_SUITE[cipher], self._ciphers))
+                ret += ["force_ciphersuite={ciphers}".format(ciphers=ciphers)]
 
-        if self._sig_algs + self._cert_sig_algs:
-            ret += ['sig_algs={sig_algs}'.format(
-                sig_algs=','.join(set(self._sig_algs + self._cert_sig_algs)))]
+            if self._sig_algs + self._cert_sig_algs:
+                ret += ['sig_algs={sig_algs}'.format(
+                    sig_algs=','.join(set(self._sig_algs + self._cert_sig_algs)))]
 
         if self._named_groups:
-            named_groups = ','.join(self._named_groups)
             if self._is_hrr:
-                named_groups += ','
-                self_group_list = list(NAMED_GROUP_IANA_VALUE.keys())
-                self_group_list.remove(self._named_groups[0])
-                self_group = ','.join(self_group_list)
-                named_groups += (self_group)
+                for sig_alg in self._sig_algs:
+                    if sig_alg in ('ecdsa_secp256r1_sha256',
+                                   'ecdsa_secp384r1_sha384',
+                                   'ecdsa_secp521r1_sha512'):
+                        self.add_named_groups(sig_alg.split('_')[1])
+                self.add_named_groups(self._peer_named_group)
+            named_groups = ','.join(self._named_groups)
             ret += ["curves={named_groups}".format(named_groups=named_groups)]
 
         ret = ' '.join(ret)
@@ -360,12 +368,9 @@
 
     # pylint: disable=C0330
     def post_hrr_checks(self):
-        check_strings = ["server hello, chosen ciphersuite: ( {:04x} ) - {}".format(
-                            CIPHER_SUITE_IANA_VALUE[self._ciphers[0]],
-                            self.CIPHER_SUITE[self._ciphers[0]]),
-                         "Certificate Verify: Signature algorithm ( {:04x} )".format(
-                             SIG_ALG_IANA_VALUE[self._sig_algs[0]]),
-                         "<= ssl_tls13_process_server_hello ( HelloRetryRequest )",
+        check_strings = ["NamedGroup: {group}".format(group=self._named_groups[0]),
+                         "NamedGroup: {group}".format(group=self._named_groups[-1]),
+                        "<= ssl_tls13_process_server_hello ( HelloRetryRequest )",
                          "Verifying peer X.509 certificate... ok", ]
         return ['-c "{}"'.format(i) for i in check_strings]
 
@@ -405,12 +410,10 @@
     """
     Generate test case with `ssl-opt.sh` format.
     """
-    name = 'TLS 1.3 {client[0]}->{server[0]}: {cipher},{server_named_group},'.format(
-            client=client, server=server, cipher=cipher, server_named_group=server_named_group)
-    name += '{client_named_group},{sig_alg}, force hrr'.format(
-            client_named_group=client_named_group, sig_alg=sig_alg)
-    server_object = SERVER_CLASSES[server](cipher, sig_alg, server_named_group)
-    client_object = CLIENT_CLASSES[client](cipher, sig_alg, client_named_group, True)
+    name = 'TLS 1.3 {client[0]}->{server[0]}: HRR {client_named_group} -> {server_named_group}'.format(
+            client=client, server=server, client_named_group=client_named_group, server_named_group=server_named_group)
+    server_object = SERVER_CLASSES[server](cipher, sig_alg, server_named_group, client_named_group, True)
+    client_object = CLIENT_CLASSES[client](cipher, sig_alg, client_named_group, server_named_group, True)
 
     cmd = ['run_test "{}"'.format(name), '"{}"'.format(
         server_object.cmd()), '"{}"'.format(client_object.cmd()), '0']