TLS hanshake fails when the server chain contains certificate with tpm not supported key (0x000002c4 esys error)

[banatm]

Establishing tls session shows issue with server chain verification if tpm2 provider is used:

# openssl s_client -provider tpm2 -provider default -connect www.google.com:443

CONNECTED(00000008)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
WARNING:esys:../tpm2-tss-3.2.2/src/tss2-esys/api/Esys_LoadExternal.c:314:Esys_LoadExternal_Finish() Received TPM Error 
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/api/Esys_LoadExternal.c:108:Esys_LoadExternal() Esys Finish ErrorCode (0x000002c4) 
depth=1 C = US, O = Google Trust Services, CN = WR2
verify error:num=7:certificate signature failure
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Certificate chain
 0 s:CN = www.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 13 07:36:13 2024 GMT; NotAfter: Aug  5 07:36:12 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---

Mentioned also in tpm-2-0-based-tls-handshake-fails-against-rsa-4k-server-keys-out-of-range stack overflow post