If a client has more than one key available for an SSL handshake with mutual authentication, it has two means available to choose which one to send to the server:
- the list of key types supported by the server (e.g., RSA, DSA)
- the list of supported certificate issuers
The client should send a key only if is is one of the types listed, and issued by one of the issuers listed.
It appears that the server is not sending the client the list of certificate issuers.