When using an EC certificate with the secp521r1 curve for the xDS gRPC interface, the TLS handshake fails because Envoy does not advertise secp521r1 in the signature_algorithms extension, due to BoringSSL’s default settings.

Please add support for the secp521r1 signature algorithm to enable compatibility for this use case.