signature: on client side, refuse to negotiate non-enabled signature schemes

That amends/reverts commit 6aa8c390b08a25b18c0799fbd42bd0eec703fae4: "On client side allow signing with the signature algorithm of our cert"

Previously, when we initially disabled DSA, we allowed client certificates which can do DSA-SHA1 to be utilized to ease migration from these certificates.