I'm using NSURLSession for HTTPS traffic.
I'm doing custom certificate validation and support Client Identity Certificate.
On OS X 10.12.4 everything works fine, but on OS X 10.10.5 I've got a strange error report (those are the OS X versions where I personally verified the bug).
Error Domain=NSURLErrorDomain Code=-1200 "The operation couldn’t be completed. (NSURLErrorDomain error -1200.)" UserInfo=0x6000001baf60 {_kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9824, NSUnderlyingError=0x600000459b60 "The operation couldn’t be completed. (kCFErrorDomainCFNetwork error -1200.)", NSErrorPeerCertificateChainKey=(
), NSErrorFailingURLKey=https://esg3202.tma.com.vn:8443/ups/resources/tenants/default, NSErrorFailingURLStringKey=https://esg3202.tma.com.vn:8443/ups/resources/tenants/default, NSErrorClientCertificateStateKey=0}
The issue is reproducible on multiple servers (different customers) but applies to a single service.
Based on debugging and logs I've found:
- delegate method URLSession:task:didReceiveChallenge:completionHandler: is invoked to verify server certificate
- completion handler is invoked to accept connection with this certificate
- delegate method URLSession:task:didCompleteWithError: is invoked with problematic error
- delegate method URLSession:task:didReceiveChallenge:completionHandler: is NOT invoked for authentication method NSURLAuthenticationMethodClientCertificate!
From the Wireshark capture I can see that:
- TCP connection is established,
- SSL client and server hello are exchanged successfully
- In packet 15 the server requests a client identity certificate (but as I pointed out earlier, NSURLSession doesn't report that)
- In server certificate chain last item (CA) is duplicated for some reason (maybe this is source of the problem)
- Connection is dropped by the client
- Didn't notice anything else unusual in this capture
I've found the exact same issue reported by someone else: https://discussions.agilebits.com/discussion/66431/i-cannot-create-an-account-for-our-team-on-my-local-mac-1password-app, but this was the only thing that matched my problem and there is no solution besides upgrading OS X.
The problem is that I have to support OS X 10.10 for at least a year and I'm looking for a workaround for this issue.
Pointing out in release notes where this issue was fixed would be helpful too.
Software on other platforms doesn't experience this issue.
Here is the Wireshark capture if more details are needed: https://drive.google.com/file/d/0B-M1AmQEl5CuZkY1OUZ3WlppYVU/view?usp=sharing