Sha2-signed certificate is interpreted as Sha1-signed and wrongly rejected ?|OPC UA Implementation: Stacks, Tools, and Samples|Forum|OPC Foundation

The .NETstandard OPC-UA server now rejects the weak Sha1-signed certificates. However, my newly minted Sha2-signature seems to be interpreted as a Sha1-signed signature and gets rejected as a consequence. 

I generated a Sha2-signed key and self-signed certificated by this means:

openssl req -x509 -config ssl.cnf -newkey rsa:2048 -sha256 -new -nodes -days 365 -keyout id_rsa_opcua_client_private_key.pem -outform DER -out id_rsa_opcua_client_cert.der
openssl x509 -in id_rsa_opcua_client_cert.der -inform DER -text -noout

When connecting to the .NETstandard console server, the logged response is this

26-7-2019 09:51:09.652 Channel 2 in Opening state.
26-7-2019 09:51:09.719 Security Policy: https://opcfoundation.org/UA/S.....c256Sha256
26-7-2019 09:51:09.720 Sender Certificate: E=me@somewhere.com, CN=hors-pair, O=CasseCroute, L=Volksrust, S=ZH, C=NL
26-7-2019 09:51:09.721 Token #0 created. CreatedAt = 07:51:09.721 . Lifetime = 3600000
26-7-2019 09:51:09.725 SECURE CHANNEL CREATED [.NetStandard ServerChannel UA-TCP 1.4.354.0] [ID=2] Connected To: opc.tcp://hors-pair:51210/UA/SampleServer [SignAndEncrypt/Basic256Sha256/Binary] Client Certificate: [E=me@somewhere.com, CN=hors-pair, O=CasseCroute, L=Zoetermeer, S=ZH, C=NL] [AE41B8B60167D4DAF809E3629AE782711A5FB3C0] Server Certificate: [CN=Zevenaar-opcuaserver-ebs, C=NL, L=Zoetermeer, O=Siemens Mobility B.V., DC=hors-pair] [CAF410AB9955B74BBC231C043CE325249AC75BB5]
26-7-2019 09:51:09.732 Token #1 activated. CreatedAt = 07:51:09.721 . Lifetime = 3600000
26-7-2019 09:51:09.733 Channel 2 in Open state.
26-7-2019 09:51:09.734 Channel 2: SendOpenSecureChannelResponse()
26-7-2019 09:51:09.771 Channel 2: ProcessRequestMessage 2
26-7-2019 09:51:09.882 Session CREATED, Id=ns=4;i=1832884893, Name=Pure Python Client Session1, ChannelId=6258a10f-2074-48d1-9eb0-3ae348d61578-2, User=Anonymous
26-7-2019 09:51:09.898 Server - SESSION CREATED. SessionId=ns=4;i=1832884893
26-7-2019 09:51:09.901 Channel 2: SendResponse 2
26-7-2019 09:51:09.910 Channel 2: ProcessRequestMessage 3
26-7-2019 09:51:09.930 Server - SESSION ACTIVATE failed. Unexpected signature algorithm for Basic256Sha256/Aes128_Sha256_RsaOaep: http://www.w3.org/2000/09/xmldsig#rsa-sha1
Expected signature algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
26-7-2019 09:51:09.955 Channel 2: SendResponse 3
26-7-2019 09:51:38.300 Channel 0 in Connecting state.
26-7-2019 09:51:39.311 Channel 0: Close

A check of the certificate by means of 

 openssl x509 -in id_rsa_opcua_client_cert.der -inform DER -text -noout                                                                      

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:12:bd:82:dd:8a:49:44:0f:d8:a6:fe:74:a7:5f:fb:f5:7b:78:13
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = NL, ST = ZH, L = Volksrust, O = CasseCroute, CN = hors-pair, emailAddress = me@somewhere.com
Validity
Not Before: Jul 25 08:45:41 2019 GMT
Not After : Jul 24 08:45:41 2020 GMT
Subject: C = NL, ST = ZH, L = Volksrust, O = CasseCroute, CN = hors-pair, emailAddress = me@somewhere.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
…. cut …. cut

X509v3 extensions:
X509v3 Subject Key Identifier:
46:80:03:29:4F:13:0E:95:F6:A7:0F:C9:EA:C3:E3:60:9C:FE:B0:31
X509v3 Authority Key Identifier:
keyid:46:80:03:29:4F:13:0E:95:F6:A7:0F:C9:EA:C3:E3:60:9C:FE:B0:31

X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
X509v3 Subject Alternative Name:
URI:urn:freeopcua:client
Netscape Comment:
OpenSSL certificaat voor opc-ua server

And the final client-side check of the certificate, the fingerprint matches the one reported by the server (ae41b8b60167d4daf809e3629ae782711a5fb3c0)

[Image Can Not Be Found]

Finally, I run the UA-.NETStandard master branch 50c9a677350b378cb5b84584dc3df9642c2541cc from march 22, 2019.