During the investigation of a mutual SSL authentication problem for a web service, I traced with Wireshark a working exchange between a SoapUI client and the server in order to understand how it behaved, as I had noticed something weird.
I still notice the same weird behaviour when the handshake and communication are correct between client and server. It is the following:
37. Client -> Server: Client Hello
54. Server -> Client: Server Hello, Certificate
61. Server -> Client: Encrypted Handshake Message
62. Client -> Server: Certificate, Client Key Exchange
64. Client -> Server: Certificate Verify
65. Client -> Server: Change Cipher Spec
66. Client -> Server: Encrypted Handshake Message
69. Server -> Client: Change Cipher Spec
74. Server -> Client: Encrypted Handshake Message
75. Client -> Server: Application Data
...
434. Server -> Client: Application Data
686. Server -> Client: Encrypted Alert
Everything seems pretty normal to me except line 61, which is encrypted. It surely contains "Certificate Request" and "Server Hello Done", since everything works fine (and the client provides its own certificate on line 62), but I have absolutely no understanding of how the message on line 61 can be encrypted, since I do not understand how client and server could have exchanged sufficient data to encrypt anything so soon.
The cipher suite used by the server is TLS_RSA_WITH_AES_128_CBC_SHA.
Any insight about how it could be encrypted so early may help me solve the problem I'm investigating, since the non-working client sends a TCP RST right after receiving the Encrypted Handshake Message.
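
Added example, not part of the original post: one way to check whether a handshake record captured before Change Cipher Spec is really ciphertext is to walk the raw bytes of one direction of the reassembled TCP stream. During an initial TLS 1.0 to 1.2 handshake such records carry plaintext messages with a 1-byte type and a 3-byte length, possibly split across records, so the bytes either parse cleanly or fail. The function names and the sample bytes are constructed for illustration and are not taken from the capture.

```python
import struct

# Handshake message types for TLS 1.0-1.2 (RFC 5246, section 7.4).
TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
         12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
         15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22  # record content types

def split_records(stream):
    """Yield (content_type, payload) for each TLS record in a reassembled stream."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, payload
        pos += 5 + length

def plaintext_handshake(stream):
    """Name the handshake messages one side sent before its Change Cipher Spec."""
    buf = b""
    for ctype, payload in split_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break  # records after this are protected with the negotiated keys
        if ctype == HANDSHAKE:
            buf += payload  # messages may be split across records, so join first
    names, pos = [], 0
    while pos < len(buf):
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        if pos + 4 + length > len(buf):
            raise ValueError("message overruns the data: not a plaintext handshake")
        names.append(TYPES.get(buf[pos], f"unknown({buf[pos]})"))
        pos += 4 + length
    return names

def _rec(ctype, payload):  # helper that builds a TLS 1.1 record for the sample
    return struct.pack("!BHH", ctype, 0x0302, len(payload)) + payload

# Constructed sample, not taken from the capture: a CertificateRequest split
# across two records, ServerHelloDone, Change Cipher Spec, then opaque bytes.
_REQ = bytes([13, 0, 0, 4, 1, 1, 0, 0])
SAMPLE = (_rec(22, _REQ[:5]) + _rec(22, _REQ[5:] + bytes([14, 0, 0, 0]))
          + _rec(20, b"\x01") + _rec(22, b"\xaa" * 40))

if __name__ == "__main__":
    print(plaintext_handshake(SAMPLE))
```

To run it on real traffic, feed it the raw bytes of one direction exported from the capture; a `ValueError` means the bytes do not form plaintext handshake messages.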