in reply to Re^5: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
in thread Can Log4Perl integrated with LWP log SSL/TLS handshaking?

Thanks

I finally did solve the problem with connecting to that server using openssl s_client. I can now reliably connect using that.

The problem that remains is that although I provide the same information to my client, written in Perl, the server fails to send its certificate. This is a puzzle since I have no problem using the same code when connecting to the servers I control, which are set up to require client side certificates also. In those cases, both certificates are exchanged and verified successfully, and the requested data retrieved. Is there any chance that openssl s_client does anything that the LWP user agent, using IO::SOCKET::SSL, doesn't do?

Thanks

Ted


Re^7: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
by noxxi (Pilgrim) on Aug 06, 2014 at 17:39 UTC
    > I finally did solve the problem with connecting to that server using openssl s_client...
    How did you solve the problem with s_client? Which options did you use for IO::Socket::SSL when you tried to make it work the same way your s_client setup works?

      I got that working by adding the fields for the CA certificate and path, as well as the client side certificate and client key.

      In Perl, I used SSL_ca_file, SSL_ca_path, SSL_cert_file, SSL_key_file, with the appropriate values, passed to UserAgent's function ssl_opts.

      I noticed, in Wireshark, that there are a couple of differences in the handshaking between workstation and client.
      1) Frame 4, there was more data sent from my workstation to the server: 371 (successful connection) vs 201 (unsuccessful)
      2) Frame 10, there was a lot more data sent from the server to the client when the handshaking was successful: 949 (successful) vs 339 (unsuccessful).
      After that, there are a couple of acknowledgements, but at that point the unsuccessful one died a nasty death, returning the error that the function GET_SERVER_CERTIFICATE failed, while the successful connect proceeded to have my workstation send the client certificate to the server.

      I wonder if the difference in data in frame #4 is responsible for the server not sending the certificate. But, if that is the case, what is the Perl module doing differently from what openssl is doing?

      Thanks

      Ted

        It's hard to tell just from the number of bytes and the frame number what the difference is. IO::Socket::SSL announces fewer ciphers than s_client to work around bugs in older F5 appliances, which might explain the difference in the packets from client to server. And the server sends more data on a successful connection because it sends the certificate. Another difference might be that IO::Socket::SSL tries SNI whereas s_client does not. You might switch off SNI by setting SSL_hostname to ''. If this does not help it might be better to contact me directly at sullr AT cpan.org and send me the full packet dump for the successful and unsuccessful connection.
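A small script that runs the comparison noxxi suggests, as an added example (not code from this thread or from IO::Socket::SSL): it passes the same ssl_opts keys Ted lists, switches on IO::Socket::SSL's own handshake debug output (the logging the thread title asks about), and repeats the request with SNI disabled via SSL_hostname => ''. The URL and the certificate/key paths are placeholders.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER

# Level 3 makes IO::Socket::SSL print each handshake step and the
# OpenSSL error reason to STDERR, which is where "GET_SERVER_CERTIFICATE
# failed" style messages come from.
$IO::Socket::SSL::DEBUG = 3;

my $url = 'https://server.example/resource';          # placeholder
my %tls = (
    SSL_ca_file     => '/path/to/ca-bundle.pem',      # placeholder
    SSL_cert_file   => '/path/to/client-cert.pem',    # placeholder
    SSL_key_file    => '/path/to/client-key.pem',     # placeholder
    SSL_verify_mode => SSL_VERIFY_PEER,
);

# First pass: IO::Socket::SSL's default, which sends the host name in the
# SNI extension. Second pass: SNI switched off with SSL_hostname => '',
# which is closer to what a plain s_client run sends.
for my $sni ('default', 'off') {
    my %opts = %tls;
    $opts{SSL_hostname} = '' if $sni eq 'off';

    my $ua  = LWP::UserAgent->new(ssl_opts => \%opts, timeout => 20);
    my $res = $ua->get($url);
    printf "SNI %-7s -> %s\n", $sni, $res->status_line;

    # On a failed handshake LWP reports an internal 500 whose body holds
    # the IO::Socket::SSL message; errstr() returns the last SSL error.
    print "  ssl error: ", IO::Socket::SSL::errstr(), "\n"
        unless $res->is_success;
}
```

If only the SNI-off pass succeeds, the server's certificate selection depends on the SNI name; if both fail the same way, the cipher list is the next difference to compare with the packet dump.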