TLS1.2 Handshake fails with Brainpool Curves #24207

Open
strauss115 opened this issue Apr 19, 2024 · 0 comments
Labels
help wanted triaged: feature The issue/pr requests/adds a feature

Comments

@strauss115

Hi,

I would like to use a certificate which has a brainpoolP256r1 curve, same as discussed in issue 21346. That is recommended by e.g. BSI TR-03116 Part 3 Chapter 4.1.
Currently, OpenSSL (tested with 3.0.8, 3.0.11 & 3.2.2) does not allow establishing a connection using TLS1.2 with a certificate using a brainpool curve without forcing the client to announce that it supports brainpool.

As stated in the other issue it works fine with TLS1.3 and OpenSSL >=3.2. However, TLS1.2 (any of the tested OpenSSL versions) only works if the client is explicitly told to use/announce brainpoolP256r1 with

$ openssl s_client -connect [hostname] -tls1_2 -curves brainpoolP256r1 -trace

This adds "brainpoolP256r1" to the client handshake

extension_type=supported_groups(10), length=4
          brainpoolP256r1 (26)

Forcing only TLS1.2, the client sends these supported groups (in this example the output is generated by OpenSSL 3.0.11):

$ openssl s_client -connect [hostname] -tls1_2 -trace

     extension_type=supported_groups(10), length=12
          ecdh_x25519 (29)
          secp256r1 (P-256) (23)
          ecdh_x448 (30)
          secp521r1 (P-521) (25)
          secp384r1 (P-384) (24)

In my understanding, using secp256r1 should be compliant in that situation according to RFC 8446, but OpenSSL 3.2.2 and 3.0.11 refuse the TLS1.2 handshake with a "no shared cipher" error.

Unfortunately, there seems to be no way to configure the server/OpenSSL like that. Should the behaviour be adapted to maximize compatibility?

@strauss115 strauss115 added the issue: bug report The issue was opened to report a bug label Apr 19, 2024
@t8m t8m added triaged: feature The issue/pr requests/adds a feature help wanted and removed issue: bug report The issue was opened to report a bug labels Apr 19, 2024
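
An added example, not part of the original issue or of OpenSSL's code: it decodes the two supported_groups extension bodies shown in the traces above and applies the TLS 1.2 ECC rule (RFC 4492 / RFC 8422) that the server's EC certificate must use a curve the client listed. The byte strings are reconstructed from the trace output and the function names are hypothetical; that this rule is what leads to "no shared cipher" here is an assumption.

```python
import struct

# IANA "TLS Supported Groups" code points that appear in the traces above.
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
          26: "brainpoolP256r1", 29: "x25519", 30: "x448"}


def parse_supported_groups(body: bytes) -> list[int]:
    """Decode extension_data of supported_groups(10): a 2-byte list
    length followed by 2-byte NamedGroup code points."""
    if len(body) < 2:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack_from("!H", body, 0)
    if list_len != len(body) - 2 or list_len % 2 or list_len == 0:
        raise ValueError("malformed supported_groups list length")
    return list(struct.unpack_from(f"!{list_len // 2}H", body, 2))


def tls12_ecdsa_cert_usable(cert_group: int, client_groups: list[int]) -> bool:
    """Modelled TLS 1.2 rule (assumption, see lead-in): the certificate's
    curve must be one the client listed, regardless of the ECDHE group."""
    return cert_group in client_groups


def explain(cert_group: int, body: bytes) -> str:
    """Summarise whether a server holding only this certificate can proceed."""
    offered = parse_supported_groups(body)
    names = ", ".join(GROUPS.get(g, f"unknown({g})") for g in offered)
    if tls12_ecdsa_cert_usable(cert_group, offered):
        return f"certificate usable; client offered: {names}"
    return f"no usable certificate (no shared cipher); client offered: {names}"


# Constructed from the two traces in the issue (length=12 and length=4).
DEFAULT_CLIENT = bytes.fromhex("000a" "001d" "0017" "001e" "0019" "0018")
FORCED_CLIENT = bytes.fromhex("0002" "001a")
BRAINPOOL_P256R1 = 26

if __name__ == "__main__":
    print(explain(BRAINPOOL_P256R1, DEFAULT_CLIENT))
    print(explain(BRAINPOOL_P256R1, FORCED_CLIENT))
```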