I am using TLS 1.2 mutual authentication with Apache www server and self-signed CA. The authentication works fine, except iOS and MacOS ignore the "Acceptable client certificate CA names" returned by the server in the CertificateRequest. On my iOS app, I see empty distinguishedNames field on the AuthenticationChallenge, and on MacOS Safari I am given a choice of all installed user certificates.
Detailed logging on Apache shows it is writing the CertificateRequest. Logging is raw so I can't see what all the encoded parameters are, but see the right ASCII for subject, etc. Are some special certificate attributes needed? I have: X509v3 Basic Constraints: CA:TRUE