I tried:

SSL_verify_mode => SSL_VERIFY_PEER,
[download]

SSL_verify_mode => SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
[download]

SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
[download]

All three of these variants allow authentication via certificate and yet even if a client certificate is not presented, the server still sends the string.

I should be able to tell the server *not* to return anything if a client certificate is not presented.

Try adding

  SSL_verify_callback => <Sub-ref>
[download]

To see what cert info and string you get when the client cert is absent.

  SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
+,
[download]

on the server should have worked - i.e. it should drop the SSL handshake when the client cert is absent.

Another option is to do a "tcpdump" to verify if the connection actually occurs when the client cert is absent.

        ...it is unhealthy to remain near things that are in the process of blowing up.     man page for WARP, by Larry Wall

> SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

I cannot reproduce the problem in this case. The server reliably fails with the handshake in this case and no output can be seen at the wget client.

As for the cases w/o SSL_VERIFY_PEER: in this case no client certificate will be requested and thus no certificate checked, i.e. SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_VERIFY_PEER will be ignored. See also SSL_CTX_set_verify where it explicitly states that SSL_VERIFY_FAIL_IF_NO_PEER_CERT must be used with SSL_VERIFY_PEER. And note that the documentation of IO::Socket::SSL explicitly refers to the documentation of SSL_CTX_set_verify for how to use these flags.

> All three of these variants allow authentication via certificate ...

This cannot be reproduced either. If SSL_VERIFY_PEER is not then set the server will not send a CertificateRequest inside the TLS handshake which means that the client will not send a certificate even if it has one.